Multi-Hypothesis Sequential Testing for IllegitimateAccess and Collision based Attack Detection in

Wireless IoT NetworksBikalpa Upadhyaya1, Sumei Sun1,2, and Biplab Sikdar1

1Department of Electrical and Computer Engineering, National University of Singapore2 Institute for Infocomm Research, Agency for Science, Technology and Research

Email: u.bikalpa@u.nus.edu, sunsm@i2r.a-star.edu.sg, bsikdar@nus.edu.sg

Abstract—Jamming or illegitimate wireless network accessinterferes with legitimate communication sessions by mimickingthe legitimate transmissions and degrades the network perfor-mance. In this paper, we propose a methodology to detect suchattacks by implementing a multiple hypotheses sequential test-ing based detection framework with variance and Channel StateInformation (CSI) based algorithms. The detection frameworkfocuses on distinguishing between legitimate and illegitimatetransmissions and the nature of illegitimate transmissions with aquaternary hypotheses test. The quaternary hypotheses includeno transmission, legitimate node transmission, illegitimate nodetransmission, and collision based attack. We first devise asequential testing problem on a ternary hypothesis problem andthen tackle the remaining hypothesis with both variance basedapproach and CSI based approach. We devise algorithms basedon the same and compare their performance. We also com-pare our approach with generalized Neyman-Pearson approachbased on detection speed. In addition, we present a multiplesensor-based approach to further improve the detection perfor-mance through soft and hard decision combining. We conductextensive performance evaluations based on both simulated andmeasurement data. The numerical results show fewer samplesize requirement for the proposed algorithms, leading to fasterdetection.

Index Terms—Multi-Hypothesis Test, Sequential Testing,Spectrum Sensing, Illegitimate Access, Collision-based attack

I. INTRODUCTION

A. Background and Motivation

Internet of Things (IoT) is getting more and more widelyused for applications such as automation networks, trans-portation networks, power grids, industrial processes, en-vironment monitoring, etc. [1]. The security concerns fornetworks have escalated with the rising popularity of wirelessIoT networks. Wireless networks are more vulnerable tomalicious security threats because of their innate open nature.The security concerns are not limited to data theft but open toa wide range of network attacks including jamming attacks,illegitimate spectrum access, rogue nodes, etc., which disruptthe network communication and degrade the throughput ofthe network without the need to break into or authenticateinto the network [2], [3]. These attacks are gaining pop-ularity with their simplistic operation and ability to causehigh damage and disruption, particularly on time-constrainedapplications.

An attacker can launch a Denial of Service (DoS) at-tack either by occupying the channel (illegitimate access)or transmitting at the same time as a legitimate node andcreating a collision at the receiver. Keeping the channel busywill restrain the legitimate nodes from transmitting, thus,increasing the delay. Creating a collision attack will result ina re-transmission for the legitimate node, thus wasting energyand creating delay [3]. However, launching such attackscontinuously will expose the attacker easily. Therefore, theattacker may prefer to be stealthy by causing a DoS attackintermittently. Furthermore, the attacker can also emulatethe characteristics of a legitimate transmitter to transmitinformation to the receiver, widely known as Primary UserEmulation Attack (PUEA) in Cognitive Radio Networks oralso as illegitimate access [4]. Since the traffic is random, thelegitimate node may not have data to transmit at all times andtherefore, may not transmit continuously. The adversary maymimic the transmission pattern of legitimate node.

Reliable communication in dynamically varying environ-ments such as industrial communication requires an intelli-gent radio access network to monitor the network and thespectrum, detect interference and disturbances, and adaptitself accordingly. Spectrum sensing networks can not only belimited to finding spectrum holes for secondary transmissionsand spectrum management but can also be used to deter-mine the transmitter locations and nature of transmissions(legitimate, illegitimate, and interferers) to safeguard itselffrom interference and attacks. Spectrum sensing networkscan be utilized to define such transmissions (illegitimate andinterferers) by constructing an interference map and enablingthe communication network to take intelligent decisions forRadio Resource Management (RRM) [5], [6]. An activeapproach where the neighboring nodes participate in con-tributing towards making an intelligent decision for RadioEnvironment Map (REM) for the observed area results inhigher communication overhead. This paper focuses on anon-node centric approach (passive approach) to define thenature of transmission and detect illegitimate access andcollision based attacks. With the proposed approach, weuse physical layer attributes to define a REM for IndustrialIoT environments. The detection approach is focused on thephysical layer so as to employ a non-node centric approach

by placing anchor nodes within the network to monitor thenetwork and passively collect information. The anchor nodesdo not communicate with the legitimate nodes and are onlyresponsible for collecting data in the network to monitor it.

The objective of this paper is to detect illegitimate accessand collision based attacks on IoT networks. Towards thisend, we use an approach based on spectrum sensing andsequential hypothesis testing.

B. Related Works

Increasing the robustness of the legitimate nodes or fre-quency hopping techniques can be used to alleviate jammingattacks [7]. However, frequency hopping techniques can beeasily counteracted if the adversary uses a higher powerover the bandwidth. In addition, frequency hopping is notalways a suitable option due to its low spectral efficiency.There are a few solutions provided in the literature forillegitimate access detection [8]–[11]. The detection problemfor illegitimate access in [8] is analyzed using statisticalsignificance tests, where the problem is formulated based onnormal and abnormal usage. The normal usage is defined asonly one transmitter working in each channel, and therefore,this solution fails to account for the scenario when onlythe illegitimate user transmits. A spectrum policy makerbased detection mechanism is introduced in [9]. The pro-posed detection mechanism determines the idle and busystate of the legitimate user. A crowd-sourced enforcementbased detection mechanism is introduced in [10], wherea crowd of mobile users collectively make detection deci-sions for spectrum-misuse behavior by analyzing the relatedcharacteristics, e.g., signal strength. An optimal combiningscheme for cooperative spectrum sensing when the nature ofthe illegitimate node (illegitimate access) is known aprioriis proposed in [11]. A fingerprint-power-belief based non-central detection algorithm assuming that only one node,either legitimate or illegitimate, can transmit on a singletime slot is proposed in [12]. The proposed solution employspower estimation and compatibility computation for detec-tion, using distributed detection. A machine learning basedjamming attack detection solution is provided in [13], wherejamming is detected using both RSSI and multi-path profileswith machine learning algorithms. A machine learning basedmulti-layer data-driven attack detection solution is proposedin [14], where the data are collected by simulating differentattacks on a real-time test bed. These solutions do notconsider the fact that the nature of the illegitimate accesscan be random and stealthy. The information regarding thesame may not have a specific behavior and therefore cannotbe assumed to be known.

In this paper, a multi-hypothesis test based on sequentialtesting is employed to simultaneously detect illegitimateaccess and collision based attacks. To the best of ourknowledge, there are no works that focus on sequentialtesting based multiple hypotheses that include: no transmis-sion, legitimate transmission, illegitimate access and collisionbased attacks simultaneously, though these attacks have been

considered separately in the literature. Illegitimate accessand collision based attacks can be launched by the sameadversary. Therefore, it is necessary to detect such attackssimultaneously. To this end, a generalized Neyman-Pearsonbased mechanism to detect spectrum sensing and illegitimateaccess over a multi-hypotheses based perspective is proposedin [15]. However, the solution cannot detect attacks in thecase where the illegitimate node uses the same power aslegitimate nodes and hence, ends up with the same varianceas that of the legitimate node. In [16] the same problem hasbeen studied for practical case against PUEA for IoT applica-tions. The authors provide a comprehensive study of detectionand defense approaches. However, [16] considers a node-centric approach for constructing a cooperative informationprocessing paradigm. A multi-hypothesis test is consideredto detect the existence of a signal and its power-level basedon maximum a posterior rule in [17]. Similarly, consideringa multi-power problem, a sequential detection mechanismbased on the modified Neyman-Pearson rule is proposedin [18]. The multi-hypotheses analyzed in the solutions arefairly simple as the power-levels for the sensors are known.However, in [19], a generalized Rao test is derived whileconsidering a two-sided parameter testing problem. In [20],sparse coding of the received signal over a channel dependentdictionary is utilized to distinguish between primary user em-ulation attacks and jamming attacks using machine learningalgorithms. This paper formulates a sequential based testingapproach with variance based and Channel State Information(CSI) based algorithms by employing a passive approach withthe use of anchor nodes placed in the network.

C. Contribution

In this paper, sequence based testing is employed todesign a detection framework with three variations on itsimplementation. Furthermore, a centralized as well as adistributed version of the detection framework are proposed.In the distributed detection framework, every anchor nodefirst makes a local decision based on the testing algorithmemployed. Then, based on the decisions collected from theanchor nodes, the fusion center performs decision fusionand makes a global decision. For the centralized detectionframework, the samples collected by each of the anchornodes are sent to the fusion center. The fusion center usethese data samples to make a global decision. The main goalhere is to determine whether the channel is occupied or not,and if occupied, the nature of occupancy (i.e., whether itis legitimate or illegitimate). Furthermore, we also detectthe nature of the illegitimate transmission, i.e., whether itis illegitimate access or a collision based attack. The maincontributions of the paper are summarized as follows:• We first formulate the multi-hypothesis problem under

no transmission, legitimate transmission, illegitimate ac-cess and collision based attack scenarios. We devise alog likelihood ratio test to determine the threshold foreach of the decisions. Since the nature of the adversary(illegitimate node) is unknown, we cannot differentiate

between legitimate and illegitimate transmissions usingenergy based sensing mechanisms when only one de-vice is transmitting, and therefore, we define a tertiaryhypothesis, merging the two into one. We implementa maximum-likelihood estimation for the adversary’spower pertaining to an unknown attacker power sce-nario.

• We propose a sequential testing approach for the tertiaryhypothesis followed by a variance based test or a CSIbased test, thereby differentiating the detection mech-anisms into three algorithms. The difference in perfor-mance for the three algorithms is analyzed theoreticallyand validated with numerical results. We compare thesequential testing approach with generalized Neyman-Pearson based approach using the sample size requiredas a metric in order to validate the quicker decisionmaking of our approach.

• We design centralized and distributed fusion scenarioswith multiple anchor nodes and analyze their perfor-mance.

• We present in-depth simulations with design of a 3Dray tracing framework to validate the accuracy of theresults. We present simulations to verify the complexitycomparison between the algorithms for single as well asmultiple anchor nodes and for the performance compar-ison between CSI based detection and variance baseddetection.

Considering that current works focus on either one of the twoattacks, our proposed method can handle both illegitimateaccess and collision attack in addition to internal attacks suchas rogue power emission. The proposed algorithm performsthe detection with considerably lower number of sampleswith sequential testing, which ensures its high performanceand efficiency.

D. Organization

The rest of the paper is organized as follow: SectionII summarizes the system model. We present the proposeddetection framework in Section III. Section IV describes thesystem performance. Section V presents the simulation setupand performance comparison. We summarize the detectionframework using multiple anchor nodes in Section VI, fol-lowed by conclusions and future work in Section VII.

II. SYSTEM MODEL

We consider a large IoT network distributed over alarge area which contains a set of legitimate IoT nodesL = {L1, L2, · · · , Lr} and a set of anchor nodes A ={A1, A2, · · · , AS}. Each legitimate IoT node transmits witha fixed power Pt with an omni-directional antenna using areservation based protocol so as to avoid collisions amongthe nodes. Therefore, we consider scenario where only asingle legitimate node may transmit in a slot. Such scenariosare mainly prevalent in industrial IoT networks using Wire-lessHART as the link layer.

Fig. 1: System model and detection framework. Dashed lines denotethe samples collected by anchor nodes, while the solid lines denotethe data or decision reports to the detection center.

To illustrate the proposed technique, consider a singlelegitimate node, an illegitimate node, a few anchor nodesand a detection center placed in the network, where thetransmissions in the network are monitored by the anchornodes. The samples collected by each of the anchor nodesare passed to the detection center for a centralized detectionscenario, whereas, local decisions made by each of the anchornodes are passed to the detection center for a distributeddetection scenario. The network setup is shown in Figure 1.The dashed lines indicate the samples collected at the anchornodes and the solid lines indicate the data or decision reportssent to the detection center. The locations of the anchor nodesand that of the legitimate nodes do not change once theyare deployed. Considering the scenarios of no transmission,legitimate node’s transmission, illegitimate node’s transmis-sion and collision attack, we can formulate the problem asa quaternary hypothesis test corresponding to each case, asfollows:

H0: y(k) = n(k)H1: y(k) = w1h(k)s(k) + n(k)H2: y(k) = w2g(k)u(k) + n(k)H3: y(k) = w1h(k)s(k) + w2g(k)u(k) + n(k)

where, y(k) is the sample received by the anchor nodes atany time k, s(k) and u(k) represent complex signals andare assumed to be zero mean and unit power, w1 and w2

represent the received power (related with transmit powerand path loss), n(k) is complex Gaussian noise with n(k)∼ CN (0, σ2), and h(k) and g(k) are zero mean complexGaussian-distributed small scale fading channel coefficientswith h(k) ∼ CN (0, σ2

ch) and g(k) ∼ CN (0, σ2ch). It is

assumed that the signal power and the noise variance (σ2)are known. The legitimate node transmits with fixed power.

An intermittent stealthy jammer that is not associated orauthenticated is considered as an attacker in the network. Theillegitimate node disrupts the transmission of the legitimatenodes either by transmitting simultaneously with the legiti-mate node to cause disruptions in the receiver, thus forcing are-transmission, or imitates the transmission of a legitimatenode, termed as illegitimate access. Both of these attacks are

addressed in cases H3 and H2, respectively. The attacker isassumed to be mobile with adjustable transmission power.

III. PROPOSED FRAMEWORK

A. Preliminary Model: Quaternary Hypothesis Tests

Considering the previously stated quaternary hypothesistest, for each hypothesis, y(k) can be modeled as a Gaussianas follows:

H0: y(k) ∼ CN (0, A0 + σ2)H1: y(k) ∼ CN (0, A1 + σ2)H2: y(k) ∼ CN (0, A2 + σ2)H3: y(k) ∼ CN (0, A3 + σ2)

where, A0, A1, A2 and A3 are representations obtained frompropagation loss, channel coefficients, and signal power, andare represented as: A0 = 0, A1 = w2

1σ2ch, A2 = w2

2σ2ch and

A3 = A1 + A2 = w21σ

2ch + w2

2σ2ch. For all the hypotheses,

we can collectively represent y(k) as:Hi: y(k) ∼ CN (0, βi)

where, i ∈ {0, 1, 2, 3} and βi = Ai + σ2. We need to findthe hypothesis that maximizes

p(y|Hi)Pr(Hi), i ∈ {0, 1, 2, 3}.We can compute the decision boundary over any two

hypotheses, Hi and Hj , ∀ i, j ∈ {0, 1, 3}, i 6= j and i > j.We decide in favor of Hi over Hj if:

p(y|Hi)Pr(Hi)

p(y|Hj)Pr(Hj)

Hi≷Hj

1 (1)

where,

p(y|Hi) =

N∏n=1

1

π(βi)exp[−y[n]H(βi)

−1y[n]]. (2)

where, N is the number of samples.From (1) and (2) and taking the logarithm on both sides,

we decide in favor of Hi if:N∑n=1

y[n]H [β−1j − β−1i ]y[n]+N ln(βj)−N ln(βi) > ln

Pr(Hj)

Pr(Hi)

N∑n=1

[||y[n]||2(β−1j − β−1i )]+N ln(βj)−N ln(βi) > ln

Pr(Hj)

Pr(Hi)

N∑n=1

||y[n]||2 > βiβj(βi − βj)

[lnPr(Hj)

Pr(Hi)+N ln(βi)−N ln(βj)].

Considering, βi−βj > 0, ∀ ∈ {0, 1, 3}, i 6= j and i > j, thetest statistic, T (y) is then given as:

⇒ T (y) =1

N

N∑n=1

||y[n]||2 > γi,j (3)

where, γi,j is the threshold represented as

γi,j =βiβj

(βi − βj)

[1

NlnPr(Hj)

Pr(Hi)+ ln(βi)− ln(βj)

]. (4)

The above decision boundary is devised for decisionmaking on every sample individually (i.e., N = 1), as

the attacker is assumed to be smart and may or may nottransmit in all consecutive samples. However, we need todetermine the value of βi and βj to calculate γi,j . We canconsider the value of β0 to be known and that of β1 to beβ1 = A1 +σ2 to ease our analysis. However, the value of β3is not known, mainly due to A2, as β3 = A1 + A2 + σ2.Typically, we do not have any information regarding theattacker. Therefore, we need to estimate the average powerof the attacker (A2) under hypothesis H3. We estimate theattacker power A2 considering the case where all the otherparameters are known. Considering hypothesis H3;H3: y(k) = w1h(k)s(k) + w2g(k)u(k) + n(k)

where, A1 = w1σ2chs

2 and A3 = w1σ2ch + w2σ

2ch = A1 +

A2. Taking log of H3, the Maximum Likelihood Estimationproblem becomes,

A3 = arg maxA3≥0

f(A3)

f(A3) = −N∑n=1

||y[n]||2(A3 + σ2)−1 −N ln(A3 + σ2)

−N ln(π).

To obtain the maximum value, we take the derivative off(A3) and equate it to zero:

f ′(A3) =

N∑n=1

||y[n]||2(A3 + σ2)−2 −N(A3 + σ2)−1 = 0

⇒ A3 =1

N

N∑n=1

||y[n]||2 − σ2

⇒ A2 =1

N

N∑n=1

||y[n]||2 − σ2 −A1. (5)

We can then substitute the value of A3 = A1 + A2 inour previous equations to obtain a more practical scenariopertaining to unknown attacker power (A2).

B. Sequential Testing: Tertiary Hypothesis Test

As differentiating H1 and H2 is difficult with the abovetest statistic, we decompose the hypotheses into 3 hypothesesby combining H1 and H2 into one hypotheses and then laterdeciding between legitimate and illegitimate signals. Thus,the hypotheses are represented as:

H0: y(k) ∼ CN (0, σ2)H1: y(k) ∼ CN (0, A1 +σ2) or y(k) ∼ CN (0, A2 +σ2)H3: y(k) ∼ CN (0, A3 + σ2).

Now, we decide between the three hypothesis using thefollowing:

T (y) < γ1,0γ1,0 ≤ T (y) < γ2,1T (y) ≥ γ2,1

Accept H0

Accept H1

Accept H3.

Deciding on a hypothesis based on a single sample resultsin higher false alarms. Therefore, we consider a numberof samples using sequential testing. We introduce anotherboundary within the decision threshold such that γ1,0 ∈

[a1, a2] and γ2,1 ∈ [a3, a4]. More samples are needed whenthe test statistic lies within these boundaries because it iscloser to the threshold. To contain the miss-detection prob-ability and false alarms, we require more samples in theseregions. Therefore, now, the decision statistic is representedas:

T (y) < a1a1 ≤ T (y) < a2a2 ≤ T (y) < a3a4 ≤ T (y) < a4T (y) ≥ a4

Accept H0

Take another sampleAccept H1

Take another sampleAccept H3.

Considering two sequential binary hypothesis testing be-tween (a1 and a2) as R1, and (a3 and a4) as R2, the decisionmade by the sequential hypothesis R is then given as:

If R1 accepts a1 and R2 accepts a3 then R accepts H0

If R1 accepts a2 and R2 accepts a3 then R accepts H1

If R1 accepts a2 and R2 accepts a4 then R accepts H3

.

The probability of making a correct decision for theintervals for the combined sequential hypothesis testing Ris then given as [21]:

H0 : P (H0|T (y), R)H0 or H1 : P (H0|T (y), R)+

P (H1|T (y), R)H1 : P (H1|T (y), R)H1 or H3 : P (H1|T (y), R)+

P (H3|T (y), R)H3 : P (H3|T (y), R)

T (y) ≤ a1a1 < T (y) < a2

a2 ≤ T (y) ≤ a3a3 < T (y) < a4

a4 ≤ T (y)

where,

P (H0|T (y), R) = P (Ha1 |T (y), R1)

=Bh1(T (y))0 − 1

Bh1(T (y))0 −Bh1(T (y))

1

,

P (Ha3 |T (y), R2) =

ˆBh1(T (y))0 − 1

ˆBh2(T (y))0 − ˆ

Bh2(T (y))1

,

P (H3|T (y), R) = P (Ha4 |T (y), R2)

= 1− P (Ha3 |T (y), R2)

=1− ˆ

Bh2(T (y))0

ˆBh2(T (y))1 − ˆ

Bh2(T (y))0

,

P (H1|T (y), R) = 1− P (H0|T (y), R)− P (H3|T (y), R)

=1−Bh1(T (y))

0

Bh1(T (y))1 −Bh1(T (y))

0

− 1− ˆBh2(T (y))0

ˆBh2(T (y))1 − ˆ

Bh2(T (y))0

.

In the expressions above, B0, B0, B1 and B1 are constantsdefined with respect to the probability of missed detection

and false alarm probability. B0, B0, B1, B1, h1 and h2 aredefined as [22]:

B1 =1− PM1,0

PFA1,0

, B0 =PM1,0

1− PFA1,0

,

B1 =1− PM2,1

PFA2,1

, B0 =PM2,1

1− PFA2,1

,

h1(z) =a1 + a2 − 2z

a2 − a1,

h2(z) =a3 + a4 − 2z

a4 − a3. (6)

where, PMi,j and PFAi,j are the probability of misseddetection and probability of false alarm for sequential binaryhypothesis between Hi and Hj .

Considering the average number of samples for the twotests to be N1 and N2, the average number of samples forthe whole test can be defined as: N = max(N1, N2) [21],[22]. The overall probability of false alarm and probability ofdetection for intrusion detection (i.e., H3) are then expressedas:

PD,R = P (H3|a4, R) =1− B0

h2(a4)

B1h2(a4) − B0

h2(a4), (7)

PFA,R = P (H3|a3, R) =1− B0

h2(a3)

B1h2(a3) − B0

h2(a3). (8)

The false alarm probability for H3 is given by the probabilityP (H3|a3, R). When R2 accepts a3, it incorporates all falsealarm cases for H3, since, acceptance of a1 and a4 cannotco-exist and acceptance of a3 for R2 takes into account boththe cases for R1.

1) Choice of constants for lower bound on false alarmprobability: To obtain a lower bound on the false alarmprobability given in (8), we choose the value of B0, B0,B1 and B1 such thatP (T (y), R) ≥ 1− θ1 when T (y) ≤ α1,P (T (y), R) ≥ 1− θ2 when α4 ≤ T (y) ≤ α1 and,P (T (y), R) ≥ 1− θ3 when T (y) ≥ α4.

Now, we can write [21],P (α1, R) = 1− θ1 = P (H0|α1, R),P (α2, R) = P (α3, R) = 1 − θ2 = P (H1|α2, R) =

P (H1|α3, R),andP (α4, R) = 1− θ3 = P (H3|α4, R).

Now, we get,

θ1 =1−B1

B0 −B1, θ2 =

B1(B0 − 1)

B0 −B1+

[1− Bh2(α2)

B0h2(α2) − B1

h2(α2)

]

θ2 =1− B1

B0 − B1+

[Bh1(α3)1 (B

h1(α3)0 − 1)

Bh1(α3)0 −Bh1(α3)

1

], θ3 =

B1(B0 − 1)

B0 − B1

Considering h2(α2) and h1(α3) to be sufficiently large, weneglect the bracketed terms and therefore, we can write,

B1 =θ2

1− θ1, B0 =

1− θ2θ1

B1 =θ3

1− θ2, B0 =

1− θ3θ2

.

If θ1 = θ2 = θ3 = θ, then B0 = B0 = 1B1

= 1B1

.

C. Variance Based Detection

Now, we can proceed towards differentiating between H1

and H2 in the quaternary hypotheses, when H1 is decidedin the previous test. To perform this binary test, R, wetake into account the same number of samples required forthe previous ternary test, denoted as NR. The extension fortesting between H1 and H2 can then be done by comparingthe obtained sample variance (σ2) with the legitimate signal’svariance (β1). We use the binary hypothesis test H1 and H2

(as defined below) and perform a two-tailed chi-square testfor the given binary hypothesis, with the degrees of freedomequal to NR − 1:

H1: σ2 = β1H2: σ2 6= β1.

The test statistic, TR is then given as:

TR = (NR − 1)σ2

β1.

The missed detection probability and the probability ofdetection can be expressed as:

PMD,R = χ2

(β1σ2

(F−1χ21−FA

R/2,NR−1

)− χ2(β1σ2

(F−1χ2FAR/2,NR−1

)PD,R = 1− PMD,R (9)

where, F−1(·) represents the inverse chi-square cumulativedistribution function and FAR represents the false alarmprobability.

D. CSI Based Detection

In the CSI based method to differentiate between H1

or H2, the anchor node (A) uses a simple hypothesis test(RCSI ), to determine whether the transmitted signal is froma legitimate node (L) or an attacker (J). We assume that theprevious transmission was legitimate and the anchor node hasthe past channel estimate HLA, which is the noisy version ofthe channel HLA. We represent the current channel estimateas Ht, which is yet to be validated. Then, from [23],

HLA = HLAejφ1 +N1

Ht = Htejφ2 +N2

where, N1 and N2 are complex Gaussian noise which areindependent and are represented as Nc(0, σ2). φ1 and φ2 de-note lack of phase coherence between the two transmissions.

Considering our original multiple hypotheses testing prob-lem, the current CSI based detection mechanism can be usedto represent the original hypothesis as:

Algorithm 1: Using Sequential Energy Sensing andSignal Variance

Compute two binary sequential tests R1 and R2;Initialize N1, N2, Nif R1 accepts a1 then

Choose H0 ;else if R1 accepts a2 then

Check for R2 result ;else

N1 ← N1 + 1 (Take another sample);endif R2 accepts a4 then

Choose H3 ;else if R2 accepts a3 then

Check for R1 result ;else

N2 ← N2 + 1 (Take another sample) ;endif R1 accepts a2 and R2 accepts a3 then

Choose H1 ;NR = N = max(N1, N2);Compute binary testing R to choose either H1 orH2 ;

H1: y(k) ∼ CN (0, A1 + σ2)H2: y(k) ∼ CN (0, A2+σ2) or y(k) ∼ CN (0, A3+σ2).

The binary hypothesis testing problem established to detectthe legitimate node (L) is then given as:

H1 : Ht = HLA

H2 : Ht 6= HLA.We know that, HLA ∼ CN (HLA, σ

2) and Ht ∼CN (Ht, σ

2). Ht can also be represented as Ht ∼ CN (HLA+δHLA, σ

2) [24] where δHLA represents the change in thechannel from the previous transmission. Under H1, we canassume δHLA tends to zero, but in practical scenarios, it isnot in fact zero. We choose the test statistic parameter as thesquare of the channel difference parameter:

T =1

σ2

M∑m=1

∣∣∣(Htm − HLAm)∣∣∣2 H2

≷H1

κ. (10)

We can write,

T =1

σ2

( M∑m=1

(δHLArm)2 +

M∑m=1

(δHLAim)2)

where, δHLArm and δHLAim are the real and imaginary partsof (Ht− ˆHLA). We know that δHLA ≈ 0 under H1 and δHLA

is non-zero, under H2. Thus, under H1, the test statistic canbe represented as a chi-square distribution with 2M degreesof freedom, where M represents the number of multipathcomponents. Under H2, the test statistic is a non-central chi-squared distribution with 2M degrees of freedom and non-centrality parameter µ. Thus, under H1: T ∼ χ2

2M,0 and

under H2: T ∼ χ22M,µ. The non-centrality parameter µ is

represented as µ = 1σ2

∑Mm=1

∣∣∣(Htm − ˆHLAm)∣∣∣2.

Algorithm 2: Using Sequential Testing first and thenCSI

Compute two binary sequential tests R1 and R2;if R1 accepts a1 then

Choose H0 ;else if R1 accepts a2 then

Check for R2 result ;else

Take another sample ;endif R2 accepts a4 then

Choose H3 ;else if R2 accepts a3 then

Check for R1 result ;else

Take another sample ;endif R1 accepts a2 and R2 accepts a3 then

Choose H1 ;Compute CSI based testing RCSI to choose eitherH1 or H2 ;

if RCSI accepts H1 thenChoose H1;

elseChoose H2;

endend

The probability of false alarm and probability of detectionis then given as:

PFA,CSI = 1− Fχ22M,0

(κ),

PD,CSI = 1− Fχ22M,µ

(κ). (11)

where, k is the threshold for the test statistic to determine H1

or H2 and FX(·) represents the CDF for a random variableX .

E. Decision Fusion

The proposed framework detects attacks in a single anchornode based scenario. However, we can use multiple anchornodes for decision making while considering communicationcost, complexity and performance tradeoffs. Soft-decisioncombining and hard-decision combining can be used formultiple anchor node based detection with data transmissionand decision transmission, respectively.

1) Soft Decision Combining: In soft-decision combining,we consider the centralized scenario where all the localsamples collected at the anchor nodes are passed to thecentralized fusion center. The centralized multi-sensor testis similar to that of the single sensor test, where multiple

Algorithm 3: Using CSI first and then SequentialTesting

if CSI is absent thenChoose H0 ;

elseCompute CSI based detection H1 and H2;Initialize ˆHLA

if RCSI accepts H1 thenChoose H1 ;

elseCompute binary sequential test R2;if R2 accepts a3 then

Choose H2 ;else if R2 accepts a4 then

Choose H3 ;else

Take another sample ;end

endend

samples are observed at a time instant instead of one. Further-more, weights can be assigned to the samples observed fromsome particular anchor nodes to increase their contributionin the detection. The only difference from the single anchornode based model is that the decision maker would beworking with multiple sensors at any time-instant.

For the centralized detection approach, we employ a sim-ilar test as in Section III.B for tertiary hypothesis testingbetween H0, H1 and H3. The tertiary hypothesis test Rglobal

is divided into two sub-problems R1,global and R2,global asdone before. Furthermore, we normalize each of the observedsamples at their respective anchor nodes to further simplifythe centralized scenario. The global test statistic can then berepresented as:

T (y)global =

S∑k=1

wkyk = wTT (y) (12)

with wk ≥ 0 and∑Sk=1 wk = 1, where w =

[w1, w2, w3, · · · , wS ]T represents the weight vector for eachanchor node, T (y) = [y(k)1, y(k)2, · · · , y(k)S ]T representsthe normalized test statistics vector from each anchor node,and S represents the number of anchor nodes in the network.y(k)i represents the normalized version of the received signaly(k)i, where i = 1, 2, · · · , S. The weights can be determinedbased on the SNR received by each of the anchor nodes orby a belief system in the network. Decision boundaries a1,a2, a3 and a4 are computed in a manner similar to the singleanchor node scenario. The decision statistic is also similar tothat of Section III.A.

2) Hard Decision Combining: In hard-decision combin-ing, we consider the distributed detection scenario, wherethe local detection decisions are made at the respective

anchor nodes and the global decision is made at the fusioncenter. Each anchor node makes a local decision based onits received local samples and passes along its decision tothe fusion center. The fusion center then revisits each anchornode’s decision and makes a global decision using decisionfusion techniques.

For the distributed detection approach, each anchornode makes a decision, uk = 0, 1, 2, 3, where k =1, 2, · · · , S, based on Algorithms 1,2 and 3. The fusioncenter then arranges these local decisions in the order D =[d0, d1, d2, d3]T representing the four hypotheses. Since eachanchor node has one decision, the sum of d0, d1,d2 and d3is equal to S (the number of anchor nodes). Each decisionmay be either 0, 1, 2 or 3 for the four hypotheses, and thetotal number of combinations is thus 4S . However, if weconsider equal weights for each anchor node, then we candefine the number of possible combinations of the decisionsto be (S+3)(S+2)(S+1)

3! . Now, the global decision to choosebetween the four hypothesis for a certain D can be given as:

Pr(D|Hi) =

(S

d0

)Pr(H0|Hi)

d0

(S − d0d1

)Pr(H1|Hi)

d1(S − d0 − d1

d2

)Pr(H2|Hi)

d2

(S − d0− d1 − d2

d3

)Pr(H3|Hi)

d3 ,

=S!∏3

n=0 dn!

3∏j=0

Pr(Hj |Hi)dj .

Initially, we have di = 0, where i = 0, 1, 2, 3. For eachlocal decision received, we add 1 to the corresponding di inthe matrix D. If any number in the matrix D is greater thanη, then we choose the corresponding index as the chosenhypothesis, Hi. The factor η can be chosen to be dS/2e toensure that at least half of the anchor nodes are in favor ofthe decision. The details are depicted in the hard decisioncombining algorithm, labeled as Algorithm 4. Furthermore,instead of using dS/2e, we can also use the maximum valueconsidering that majority of the anchor nodes are favoringthe decision. However, there may arise a situation where twoindices have the maximum value. This can be resolved bytaking more samples before reaching a decision. The choiceof the decision process can be determined based on thetolerable false alarm and miss-detection probability. The useof the maximum rule helps in making a faster decision, withfewer samples and communication cost, for cases where theη value is not reached. This occurs when the anchor nodesdecide almost equally in favor of each of the hypotheses,leading to max(D) < η. The maximum rule can then beapplied to prevent taking further samples to reach a globaldecision. However, such instances occur rarely as the decisionmade by the anchor nodes rely on the tertiary sequential testas shown in Section III.B, where the test is performed for agiven Pd and Pfa value. In normal scenarios, the maximumrule requires all S decisions to determine the maximum valuebut using the majority rule, a minimum of dS/2e samples are

required. A combination of both the rules can be implementedas well. The average number of decisions necessary can becalculated using the total probability theorem as:

NHDC|Hj =

S∑k=η−1

kPr(max(Dk) = η|Hj) (13)

where Pr(max(Dk) = η|Hj) is the probability that a de-cision is made after receiving the kth local decision and isgiven by

Pr(max(Dk) = η|Hj) =Pr(Dk|Hi)[S=k]∑S

k=η−1 Pr(Dk|Hi)[S=k].

(14)

Algorithm 4: Hard Decision Combining

Initialize di = 0, where, i = 0, 1, 2, 3 ;Initialize D = [d0, d1, d2, d3]T ;Collect decision from kth anchor node (uk) ;if uk = i then

di = di + 1;endNummax ← (

∑(D(:) = max(D(:))))

if max(D) ≥ η thenChoose max(D);Choose Hi

else if∑

(D))=S and Nummax=1 thenChoose max(D);Choose Hi

elseTake another sample;

end

IV. SYSTEM PERFORMANCE

A. Error Probabilities

The overall system for detecting illegitimate access andcollision based attacks can be defined using three algo-rithms: using sequential energy sensing and signal variance,labeled as Algorithm 1; using sequential testing first andthen CSI, labeled as Algorithm 2; and using CSI first andthen sequential testing, labeled as Algorithm 3. The overallsystem performance for the proposed mechanism to detectillegitimate access and collision based attacks can be definedwith hypotheses H2 and H3, where H2 represents illegitimateaccess and H3 represents collision attacks in the network. Theoverall attack detection can be characterized by the detectionof hypotheses H2 and H3, which can further be defined withthe overall system false alarm probability and miss-detectionprobability expressed as follows:

Algorithm 1: Using Sequential Energy Sensing and SignalVariance

PD,sys1 = P (H2, H3|H2, H3)

= P (H2|H2, H3) + P (H3|H2, H3)

− P (H2|H2, H3)P (H3|H2, H3),

PFA,sys1 = P (H2, H3|H0, H1)

= P (H2|H0, H1) + P (H3|H0, H1)

− P (H2|H0, H1)P (H3|H0, H1),

where,

P (H2|H2, H3) = PD,R(1 + PM2,1 − PM2,1PD,R),

P (H3|H2, H3) = PFA2,1PD,R + PD,R − PFA2,1

PD,RPD,R,

P (H2|H0, H1) = PFA1,0PD,R + PFA,R − PFA1,0PD,RPFA,R,

P (H3|H0, H1) =PFA,R − PFA2,1

PD,R

1− PFA2,1PD,R

.

Algorithm 2: Using Sequential Testing first and then CSI

PD,sys2 = P (H2, H3|H2, H3)

= P (H2|H2, H3) + P (H3|H2, H3)

− P (H2|H2, H3)P (H3|H2, H3),

PFA,sys2 = P (H2, H3|H0, H1)

= P (H2|H0, H1) + P (H3|H0, H1)

− P (H2|H0, H1)P (H3|H0, H1),

where,

P (H2|H2, H3) = PD,CSI(1 + PM2,1 − PM2,1PD,CSI),

P (H3|H2, H3) = PFA2,1PD,CSI + PD,R − PFA2,1PD,CSIPD,R,

P (H2|H0, H1) = PFA1,0PD,CSI + PFA,CSI−PFA1,0PD,CSIPFA,CSI,

P (H3|H0, H1) =PFA,R − PFA2,1PD,CSI

1− PFA2,1PD,CSI

.

Algorithm 3: Using CSI first and then Sequential Testing

PD,sys3 = PD,CSI,

PFA,sys3 = PFA,CSI.

B. Algorithm Complexity

The number of computations required for calculation ofT (y) in (3) is in the order of O(N), where N is thenumber of samples. The sequential testing occurs with twobinary sequential test both of which which have complexityin the order of O(1). This results in the total complexityfor sequential testing to be in the order of O(N). Thenumber of computations for variance based detection andCSI based detection is not affected by N . However, thenumber of multipaths M affects the number of computationsin CSI based detection. Therefore, the order of complexityfor Algorithm 1, Algorithm 2 and Algorithm 3 are in theorder of O(N), O(M +N), and O(M +N), respectively.

V. SIMULATION RESULTS

This section presents simulation results to evaluate theeffectiveness of the proposed algorithms using a 3D raytracing model in simulation and real measurement data.

Fig. 2: Network Model

Fig. 3: Comparison of CSI based detection and Variance baseddetection (Legitimate node and Anchor node distance: 25.8118m;Attacker and Anchor node distance: 26.6693m)

A. 3D Ray Tracing Model Simulation

A 3D ray tracing model [25] is implemented to define theenvironment of the network model, which comprises of anarea of 95m x 120m x 5m as shown in Figure 2. The areaconsists of multiple walls and scattering objects of variousdimensions. There are 80 transmitters and 9 anchor nodesplaced at different positions in the area. The floor layout andthe positions of the anchor nodes (Rx1, · · · , Rx9) are shownin Figure 2. Signal strengths and CSI values were calculatedbased on the 3D ray tracing model.

We consider the transmission power and noise power forour simulations to be 10 dBm and -130 dBm, respectively.We consider a network where the transmitter and the an-chor nodes are fixed once they are deployed. We assumethe signal channel to be 20 MHz such that the simulatednetwork model matches the real data model. However, weallow the adversary to be mobile in our simulations. Wefirst present simulations for the scenario where only onetransmitter is transmitting at a time with only one anchornode (Rx1) taking into account single anchor node baseddetection. For a distributed detection scenario, each anchornode is responsible for making a local decision. Each anchornode follows the same algorithm to reach a decision. Thedifference in decision from one anchor node to the otherdoes not rely on change in algorithm but on change in signaland noise values.

We consider the adversary to be considerably close to thelegitimate node Tx1 as shown in Figure 2 with only 1 meterdifference in distance so that the algorithm employing CSImechanism can be evaluated properly. For a single anchornode based detection, we have employed Tx1 and Rx1 fromthe network model in our simulations.

The three algorithms presented earlier can be used formultiple hypotheses testing. However, they differ in theirsolution quality and runtime. Algorithm 1 uses two sequentialtests to decide between H0, H1 and H3. To make thisdecision, Algorithm 1 requires a few samples. More sampleswill be needed if the test statistic lies in the non-decisionregion, i.e., between a1 and a2 or a3 and a4. Same is thecase for Algorithm 2 as well. Furthermore, either a variancebased test for Algorithm 1 or CSI based test for Algorithm2 is needed to distinguish between H1 and H2. Algorithm2 has a superior performance than Algorithm 1, as it isable to detect the attack even though the attacker uses thesame transmission power as the legitimate node, as shownin Figure 3. In Figure 3, the red ’-o’ dashed line and theblue ’-*’ dashed lines indicate the probability of detectionof the variance-based detection (Algorithm 1) and CSI baseddetection (Algorithm 2 and 3) respectively.

As shown in Figure 3, variance based detection performspoorly when the legitimate node and the adversary havesimilar power levels at the anchor node. This means that,using only sequential testing and variance based detection,we cannot differentiate between a legitimate node and anillegitimate node, if the illegitimate node’s power matchesthat of the legitimate node. Algorithm 1 closely evaluatesthe generalized Neyman-Pearson framework devised in [15],where the provided algorithm also cannot differentiate be-tween legitimate and illegitimate nodes, when they have sim-ilar power. However, Algorithm 1 performs better than that of[15] from the perspective of detection latency, requiring fewersamples as shown in Figure 4 but with the same limitationregarding differentiation. In Figure 4, the rightmost plotshows that the Generalized Likelihood Ratio Test (GLRT),Rao test and their asymptotic performance presented in [15]requires a large number of samples when the illegitimate

node’s power approaches the legitimate signal’s power. Theasymptotic performance is obtained through asymptotic anal-ysis for both GLRT [15] and Rao tests [15], which depicts abetter performance than GLRT and Rao individually in [15](Figure 5 of [15]). Furthermore, the minimum number ofsamples required is greater than that of Algorithm 1, 2 and3, which shows that the proposed algorithms have a quickerdecision making performance for the given algorithms than[15].

Fig. 4: Number of samples needed in Sequential Testing Phase forR1 and R2 tests and for GLRT, Rao and Asymptotic Performance[15]. The vertical lines in the figure represent a1, γ1,0, a2, a3, γ2,1,a4 and legitimate signal’s power respectively. The plot is generatedto satisfy Pfa = 0.01 and Pd = 0.99. The plot is generated for 20MHz channel bandwidth.

Fig. 5: Number of samples needed in Sequential Testing Phase forR1 and R2 tests and for GLRT, Rao and Asymptotic Performance[15]. The vertical lines in the figure represent a1, γ1,0, a2, a3, γ2,1,a4 and legitimate signal’s power respectively. The plot is generatedto satisfy Pfa = 0.01 and Pd = 0.99. The plot is generated for 3MHz channel bandwidth.

The limitation of [15] and Algorithm 1 can be overcome byAlgorithm 2 and Algorithm 3 through use of CSI based de-tection. Algorithm 3 compares the CSI on every sample and

first decides on legitimate and ill-legitimate transmissions,which makes it faster to detect an attack in the network.The choice of computing R1 and R2 in Algorithm 3, is toclarify the nature of the attack after detection. Compared toAlgorithm 1 and Algorithm 2, Algorithm 3 is faster and alsorequires fewer number of samples in comparison, as shown inFigure 4, and detects the nature of the attack. However, thisadvantage of differentiating H1 and H2 even with similarvariance, comes with an overhead cost. In comparison toAlgorithm 1, Algorithm 2 and Algorithm 3 use (M − 1)times more signaling overhead for CSI based testing, whereM is the number of multipath components.

The network model in Figure 4 considers a channelbandwidth of 20 MHz to match that of the real networkdata. However, the algorithms can be evaluated for differentchannel bandwidths as well. A simulation run for a 3 MHzchannel bandwidth is illustrated in Figure 5. The nature ofthe results are similar to the case of 20 MHz channel.

B. Real Measurement Data

We present the measurement data collected from a 10m× 18m indoor office environment which contains a smallmeeting room surrounded by concrete walls and varioustables, chairs and cabinets around the area, provided by [26].There are computers, documents, common office equipmentand tools on the tables and cabinets. We use the data collectedat the anchor node from the 6 APs as shown in Figure 6.6 Dell Optiplex 9020 desktops that are equipped with Intel5300 NICs are used as APs. The data is collected and pre-processed using the Linux CSI-Tool [27].

Fig. 6: Floor Plan for Real Measurement Data

The experimentation is done by using one of the deployedAPs (AP4) as an attacker node and the rest as legitimatenodes in the network. One anchor node is placed to monitorthe network. Considering each AP as a legitimate nodeand transmitting data, we employ the previously definedalgorithms to reach a decision based on the initial quadruplehypotheses. The comparison of performance for the threealgorithms and asymptotic performance [15] based on re-quired sample size is presented in Figure 7. The graphclearly indicates that the expected sample size for the threealgorithms is much lower than that of [15]. We can see

Soft Decision Hard DecisionAverage Sample Number ∼ N/S NHDC ∗ NTotal Samples Processed ∼ (N1 + N2)/S (N1 + N2) ∗ SCommunication Cost N NHDC

TABLE I: Comparison of Soft Decision Combining and HardDecision Combining

from the figure that Algorithm 3 has the least sample sizerequirement followed by Algorithm 2 and Algorithm 1, withAsymptotic Performance [15] with both P-GLRT [15] andP-Rao [15] test having the highest sample size requirement.

Fig. 7: Expected Sample Size for Algorithm 1, Algorithm 2,Algorithm 3, Asymptotic Performance [15], P-GLRT [15] and P-Rao [15] to satisfy Pfa = 0.01 and Pd = 0.99

C. Detection Using Multiple Anchor Nodes

This section presents a comparison of distributed andcentralized implementations of the detection framework. Thisincludes comparison of the complexity and performancetradeoffs. The average number of required samples decreasesconsiderably with an increase in the number of anchor nodes,as shown in the Figure 8. The simulation is done consideringequal weights for each anchor node. The total number ofsamples processed is considerably less for Algorithm 3, as itonly uses one binary sequential test compared to Algorithm1 and 2, which use two binary sequential tests.

In soft decision combining, all the local samples collectedare passed to the centralized fusion center. This resultsin a higher communication cost of approximately N =max(N1, N2), which is equivalent to the average number ofsamples required for a single anchor node as shown in Figure8.

As shown in Table I and Figure 8, the communicationcost is considerably decreased for hard decision combining.We denote the cost by NHDC , where NHDC represents theaverage number of samples required by the hard decisioncombining algorithm. The communication cost is very lowcompared to N in soft decision combining. However, thetotal number of samples processed to reach the decision isvery high for hard decision combining as compared to soft

Fig. 8: Expected Sample Size vs Number of Anchor Nodes for Softand Hard Decision Combining (Pd=0.99 and Pfa=0.01)

decision combining. There exists a trade off in the number ofsamples to process and communication cost while choosingsoft decision combining or hard decision combining.

VI. CONCLUSIONS AND FUTURE WORK

In this paper, we investigated the problem of detectingDoS attacks brought upon by illegitimate access and collisionattacks at the receiver. We proposed a sequential testing basedapproach to identify idle and busy states of the transmitter,attacks, and the nature of the attacks. We devised variance-based test and CSI-based test to tackle the problem. In partic-ular, we devised the CSI based test algorithms to overcomethe limitation imposed by transmissions with similar power.To validate the approach, we devised a 3D ray tracing modelto create realistic simulation environments. The proposedsequential testing approach can reach a decision faster withfewer number of samples compared to the fixed number ofsamples approach. Furthermore, soft-combining and hard-combining schemes were devised for multiple anchor nodesin the network, providing a better performance with muchfewer samples needed for detection.

The sequential testing procedure used is a non-truncatedapproach. Our future work includes a truncated approach forfurther reduction in sample size, aiming for much faster de-tection with performance bounds on average sample number,false alarm probability and algorithm efficiency.

VII. ACKNOWLEDGMENT

The authors would like to acknowledge the support fromSingapore International Graduate Award (SINGA) schol-arship from Agency for Science, Technology and Re-search (A*STAR) and A*STAR Industrial Internet of Things(IIoT) Research Program under the RIE2020 IAF-PP GrantA1788a0023, for funding this research, and the support fromProf. Wai Choong Lawrence Wong and Miss Tianyi Feng forsharing the measurement data.

REFERENCES

[1] A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari, andM. Ayyash, “Internet of things: A survey on enabling technologies,protocols, and applications,” IEEE communications surveys & tutorials,vol. 17, no. 4, pp. 2347–2376, 2015.

[2] Y. Yang, L. Wu, G. Yin, L. Li, and H. Zhao, “A survey on security andprivacy issues in internet-of-things,” IEEE Internet of Things Journal,vol. 4, no. 5, pp. 1250–1258, 2017.

[3] J. Sengupta, S. Ruj, and S. D. Bit, “A comprehensive survey on attacks,security issues and blockchain solutions for iot and iiot,” Journal ofNetwork and Computer Applications, vol. 149, p. 102481, 2020.

[4] H. Li and Z. Han, “Dogfight in spectrum: Combating primary useremulation attacks in cognitive radio systems, part i: Known channelstatistics,” IEEE Transactions on Wireless Communications, vol. 9,no. 11, pp. 3566–3577, 2010.

[5] H. B. Yilmaz and T. Tugcu, “Location estimation-based radio environ-ment map construction in fading channels,” Wireless communicationsand mobile computing, vol. 15, no. 3, pp. 561–570, 2015.

[6] K. Sato and T. Fujii, “Kriging-based interference power constraint: In-tegrated design of the radio environment map and transmission power,”IEEE Transactions on Cognitive Communications and Networking,vol. 3, no. 1, pp. 13–25, 2017.

[7] S. Vadlamani, B. Eksioglu, H. Medal, and A. Nandi, “Jamming attackson wireless networks: A taxonomic survey,” International Journal ofProduction Economics, vol. 172, pp. 76–94, 2016.

[8] S. Liu, L. J. Greenstein, W. Trappe, and Y. Chen, “Detecting anoma-lous spectrum usage in dynamic spectrum access networks,” Ad HocNetworks, vol. 10, no. 5, pp. 831–844, 2012.

[9] S. Liu, Y. Chen, W. Trappe, and L. J. Greenstein, “Aldo: An anomalydetection framework for dynamic spectrum access networks,” in IEEEINFOCOM 2009. IEEE, 2009, pp. 675–683.

[10] A. Dutta and M. Chiang, “See something, say something- crowd-sourced enforcement of spectrum policies,” IEEE Transactions onWireless Communications, vol. 15, no. 1, pp. 67–80, 2015.

[11] C. Chen, H. Cheng, and Y.-D. Yao, “Cooperative spectrum sensing incognitive radio networks in the presence of the primary user emulationattack,” IEEE Transactions on Wireless Communications, vol. 10, no. 7,pp. 2135–2141, 2011.

[12] N. Gao, X. Jing, H. Huang, and J. Mu, “Robust collaborative spec-trum sensing using phy-layer fingerprints in mobile cognitive radionetworks,” IEEE Communications Letters, vol. 21, no. 5, pp. 1063–1066, 2017.

[13] B. Upadhyaya, S. Sun, and B. Sikdar, “Machine learning-based jam-ming detection in wireless iot networks,” in 2019 IEEE VTS AsiaPacific Wireless Communications Symposium (APWCS). IEEE, 2019,pp. 1–5.

[14] F. Zhang, H. A. D. E. Kodituwakku, J. W. Hines, and J. Coble,“Multilayer data-driven cyber-attack detection system for industrialcontrol systems based on network, system, and process data,” IEEETransactions on Industrial Informatics, vol. 15, no. 7, pp. 4362–4369,2019.

[15] L. Zhang, G. Ding, Q. Wu, and Z. Han, “Spectrum sensing underspectrum misuse behaviors: A multi-hypothesis test perspective,” IEEETransactions on Information Forensics and Security, vol. 13, no. 4, pp.993–1007, 2017.

[16] S.-C. Lin, C.-Y. Wen, and W. A. Sethares, “Two-tier device-basedauthentication protocol against puea attacks for iot applications,” IEEETransactions on Signal and Information Processing over Networks,vol. 4, no. 1, pp. 33–47, 2017.

[17] F. Gao, J. Li, T. Jiang, and W. Chen, “Sensing and recognition whenprimary user has multiple transmit power levels,” IEEE Transactionson signal Processing, vol. 63, no. 10, pp. 2704–2717, 2015.

[18] Z. Li, S. Cheng, F. Gao, and Y.-C. Liang, “Sequential detection forcognitive radio with multiple primary transmit power levels,” IEEETransactions on Communications, vol. 65, no. 7, pp. 2769–2780, 2017.

[19] D. Ciuonzo, P. S. Rossi, and P. Willett, “Generalized Rao test for decen-tralized detection of an uncooperative target,” IEEE Signal ProcessingLetters, vol. 24, no. 5, pp. 678–682, 2017.

[20] H. M. Furqan, M. A. Aygul, M. Nazzal, and H. Arslan, “Primaryuser emulation and jamming attack detection in cognitive radio viasparse coding,” EURASIP Journal on Wireless Communications andNetworking, vol. 2020, no. 1, pp. 1–19, 2020.

[21] M. Sobel and A. Wald, “A sequential decision procedure for choosingone of three hypotheses concerning the unknown mean of a normaldistribution,” The annals of mathematical statistics, vol. 20, no. 4, pp.502–522, 1949.

[22] A. Wald, Sequential analysis. Courier Corporation, 2004.[23] L. Xiao, L. Greenstein, N. Mandayam, and W. Trappe, “Fingerprints in

the ether: Using the physical layer for wireless authentication,” in 2007IEEE International Conference on Communications. IEEE, 2007, pp.4646–4651.

[24] J. K. Tugnait and H. Kim, “A channel-based hypothesis testingapproach to enhance user authentication in wireless networks,” in2010 Second International Conference on COMmunication Systemsand NETworks (COMSNETS 2010). IEEE, 2010, pp. 1–9.

[25] S. Hosseinzadeh, “3D ray tracing for indoor radio propagation(https://www.mathworks.com/matlabcentral/fileexchange/64695-3d-ray-tracing-for-indoor-radio-propagation),” MATLAB CENTRAL FileExchange, May, 2019.

[26] Y. Zhao, W.-C. Wong, H. K. Garg, T. Feng, Z. Zhang, and L. Tang, “In-door position recognition and interference classification with a nestedlstm network,” in 2019 IEEE Global Communications Conference(GLOBECOM). IEEE, 2019, pp. 1–6.

[27] D. Halperin, W. Hu, A. Sheth, and D. Wetherall, “Tool release:Gathering 802.11 n traces with channel state information,” ACMSIGCOMM Computer Communication Review, vol. 41, no. 1, pp. 53–53, 2011.

Bikalpa Upadhyaya received theB.Eng degree in Electrical andElectronics Degree from KathmanduUniversity, Dhulikhel, Nepal in 2014.He is currently pursuing the PhDdegree in statistical and machinelearning based IoT security withNational University of Singapore(NUS), Singapore. His researchinterests include wireless and mobilenetworks, security for Internet ofThings and cyber physical systems

and network security.

Sumei Sun is currently Head ofthe Communications and NetworksCluster at the Institute for InfocommResearch (I2R), Agency for Science,Technology and Research (A*STAR),Singapore. She is also a Professorwith the Infocomm TechnologyCluster, Singapore Institute ofTechnology (SIT), Singapore. Shereceived the B.Sc. degree fromPeking University, Beijing, China,the M.Eng. degree from Nanyang

Technological University, Singapore, and the Ph.D. degreefrom the National University of Singapore, Singapore. Hercurrent research interests are in Industrial Internet of Thingsand next-generation machine-type communications. She isa Distinguished Speaker of the IEEE Vehicular TechnologySociety 2018-2021, Vice Director of IEEE CommunicationsSociety Asia Pacific Board, and Chapter Coordinator of AsiaPacific Region in the IEEE Vehicular Technologies Society.

She is currently a Editor-in-Chief of IEEE Open Journal ofVehicular Technology.

Biplab Sikdar (S’98–M’02–SM’09)received the B.Tech. degree in elec-tronics and communication engineer-ing from North Eastern Hill Uni-versity, Shillong, India, in 1996, theM.Tech. degree in electrical engi-neering from the Indian Institute ofTechnology Kanpur, Kanpur, India, in1998, and the Ph.D. degree in electri-cal engineering from Rensselaer Poly-technic Institute, Troy, NY, USA, in2001. He was a faculty at the Rens-

selaer Polytechnic Institute, from 2001 to 2013, first as anAssistant Professor and then as an Associate Professor. Heis currently an Associate Professor with the Department ofElectrical and Computer Engineering, National University ofSingapore, Singapore. He serves as the Vice dean of Graduateprogram and as the Area director of Communications andNetworks lab at NUS. His current research interests includewireless network, and security for Internet of Things andcyber physical systems. Dr. Sikdar served as an AssociateEditor for the IEEE Transactions on Communications from2007 to 2012. He currently serves as an Associate Editor forthe IEEE Transactions on Mobile Computing. He has servedas a TPC in various conferences such as IEEE LANMAN,GLOBECOM, BROADNETS and ICC to name a few. He isa member of Eta Kappa Nu and Tau Beta Pi.