Competitive Sharing of Spectrum : Reservation Obfuscation and Verification Strategies

Sharing of radio spectrum between different types of wireless systems (e.g., different service providers) is the foundation for making more efficient usage of spectrum. Cognitive radio technologies have spurred the design of spectrum servers that coordinate the sharing of spectrum between different wireless systems. These servers receive information regarding the needs of each system, and then provide instructions back to each system regarding the spectrum bands they may use. This sharing of information is complicated by the fact that these systems are often in competition with each other: each system desires to use as much of the spectrum as possible to support its users, and each system could learn and harm the bands of the other system. Three problems arise in such a spectrum-sharing problem: (1) how to maintain reliable performance for each system-shared resource (licensed spectrum); (2) whether to believe the resource requests announced by each agent; and (3) if they do not believe, how much effort should be devoted to inspecting spectrum so as to prevent possible malicious activity. Since this problem can arise for a variety of wireless systems, we present an abstract formulation in which the agents or spectrum server introduces obfuscation in the resource assignment to maintain reliability. We derive a closed form expression for the expected damage that can arise from possible malicious activity, and using this formula we find a tradeoff between the amount of extra decoys that must be used in order to support higher communication fidelity against potential interference, and the cost of maintaining this reliability. Then, we examine a scenario where a smart adversary may also use obfuscation itself, and formulate the scenario as a signaling game, which can be solved by applying a classical iterative forward-induction algorithm. For an important particular case, the game is solved in a closed form, which gives conditions for deciding whether an agent can be trusted, or whether its request should be inspected and how intensely it should be inspected.


Introduction
Cognitive radio (CR) networks are being explored as a powerful tool to improve spectrum efficiency by allowing unlicensed (secondary) users (SUs) to use spectrum belonging to a licensed (primary) user (PU) as long as they do not cause interference.Towards this end, the concept of a spectrum server has been introduced to improve the sharing of spectrum [1][2][3].Spectrum servers coordinate the sharing of spectrum between different wireless services by taking in resource requests (i.e., an amount of bands needed), and then allocating resource assignments to these services.
Unfortunately, the open and dynamic nature of CR platforms and their software, which allow for opportunistic access to the licensed spectrum by potentially unknown users, makes the operation of CR networks and their associated dynamic spectrum access protocols vulnerable to exploitation and interference.In particular, transmission reservation protocols, by which services (or users) request spectrum from a spectrum server and thereby support the opportunistic usage of spectrum by secondary users, assume that the entities involved in the protocols are honest.These protocols can fail if malicious services/users aim to undermine the rules and etiquette surrounding these protocols.Such malicious manipulation is unfortunately easy and, for this reason, CR security has attracted considerable research attention recently.A reader can find comprehensive surveys of such threats in [4][5][6][7].
A curious reader might also ask: if opportunistic access to licensed spectrum by unknown users can be dangerous to the network, why not to restrict such access?The issue is that such access, as pointed out in the the National Broadband Plan [8] and in the President's Council of Advisors on Science and Technology (PCAST) report [9], represents an important economic growth engine in the United States.In particular, this report recommended the sharing of underutilized federal spectrum and identified 1000 MHz of spectrum as part of an ambitious endeavor to create "the first shared-use spectrum superhighways".Consequently, it is very important to develop a foundational understanding of the interference implications associated with spectrum access, and how spectrum bands can be assigned so as to mitigate intentional interference caused by malicious participants exploiting the information shared in a spectrum assignment.
In many scenarios involving spectrum sharing, the underlying spectrum resources (which might be spectral bands, or spectro-temporal slots) might originally be assigned to one entity (as in the case of TV white space spectrum), and it is the role of a spectrum server to support the sharing of spectrum with a second untrusted entity.The spectrum server, which might be administered by the government or a neutral third party, receives resource requests from both a primary/incumbent entity as well as the second entity, and aims to re-assign the spectrum so as to support an improved, combined benefit for both entities.Since the entities do not trust each other, the sharing of spectrum inherently becomes a competitive scenario that encounters numerous security risks as each system desires to use as much spectrum as possible to support its users, and each system could learn and cause harm (interference) to the bands assigned to the other system.Consequently, there are three main problems that arise in such a spectrum sharing problem: (1) how to maintain reliable performance for each system-shared resource (licensed spectrum); (2) whether to believe the resource requests announced by each agent; and (3) if they do not believe, how much effort should be devoted to inspecting spectrum so as to prevent possible malicious activity.In this paper, we present analysis that is focused on improving the security and assurability of the spectrum sharing problem by applying the notion of decoy tasks, i.e., obfuscating spectrum resource requests.Through our analysis, we show that it is possible to determine the expected damage that might result from a potential malicious activity, and arrive at an estimate for the probability of detecting the malicious activity by employing "spectrum inspection".Based on these probabilities, we then formulate a signaling game that allows one to determine whether to believe the second agent or not, and then how to engage in spectrum inspection.Since this type of problem can arise in many different scenarios involving spectrum sharing, such as the sharing of spectrum in cognitive radio networks or the sharing of unlicensed bands between two wireless carriers/technologies or the sharing between radar and communication systems [10][11][12], we formulate the problem abstractly as one involving two agents and a set of spectrum bands.
When considering dynamic spectrum sharing in a potentially adversarial setting, there is an underlying competitive problem to consider: multiple users compete for the spectrum resources and, regardless of whether they are malicious or not, there may not be any incentive for them to communally cooperate and remain within the bands that have been assigned to them.Game theory is an appropriate tool to analyze such competitive problems.In [13], the readers can find a comprehensive overview of game theoretical techniques for dynamic spectrum sharing problems, which maps out the problem of primary users sharing spectrum with well-intentioned secondary users, with a focus on the auctioning of spectrum.An excellent reference book involving game theory for wireless and communication networks is [14].Our work differs from the problems outlined in both of these surveys as our problem involves a secondary user that has two objectives (a beneficial and an adversarial intent), and thus our formulation will involve adversarial rewards involving the harm inflicted upon the primary user.Since our work explores the sharing of information between different organizations while facing attacks, one of the most relevant examples game-theoretical methods to model security problems is [15], where a Cournot-type model based on a contest success function was suggested to model investments into information security technologies where the firms share information resources.While information sharing can, on one hand, can increase economic benefits, on the other hand, it also creates new possibilities for adversaries aimed to perform security threats such as cyber attacks.While this work considers many motivating scenarios for two firms exchanging information, it is specifically focused on cyber security threats originating from an external, third agent and the impact that third agent can have upon the sharing of information between two firms.Our problem, on the other hand, considers one of the two participants having both a beneficial and harmful objective, and consequently its models do not extend directly to our communication problem where the secondary user can inflict wireless interference.In [16], a signaling game was proposed to model defense against attacks in honeypot-enabled networks.In this game, the attacker may try to deceive the defender by employing different types of attacks, ranging from suspicious to seemingly normal activity, while the defender in turn can make use of honeypots as a deception tool to trap the attacker.In our paper, a spectrum server announces decoys as a means to protect the primary user from interference attacks from a secondary user that may or may not choose to attack, but these decoys are not used as a means to dupe the adversary into attacking.In [17], a repeated spectrum-sharing game with cheat-proof strategies was investigated.By using a punishment-based repeated game, users are incentivized to share the spectrum in a cooperative way; and through mechanism-design-based and statistics-based approaches, user honesty is further enforced.Our work differs from this paper in that the objective of the secondary user is two-fold: both to acquire an appropriate amount of channels to support its users, and to increase its ability to launch an interference attack against the primary user.In this regard, our work includes interference as a reward metric for the secondary user system.In [18], the authors explore the problem of a coalition of users communicating in the presence of an adversary that may apply different types of jamming strategies, and whether it is possible to learn the adversary type.A game-theoretical approach is used to show that it is possible to learn the adversary's strategy in a finite number of steps.This work involves a general fading channel and power allocation formulation and does not involve a spectrum server allocating channels, and the objective of the communicating nodes is to identify the adversary's strategy.In [19], using a fictitious game for analyzing the defense of cognitive radio networks against an unknown jamming attacker was proposed, and the defense strategy employed is to switch channels in order to evade the jammer.Our work differs in that their adversary is separate from the secondary users (as opposed to being a secondary user), and the primary user is considered apart from the conflict.In particular, they do not consider aspects related to sharing between the primary and secondary user, nor that secondary users may have malicious intentions against the primary user.In [20] a game, where a SU shares time between law-obedient message transmission and noise-transmission to jam the PU, was suggested.This work is similar to our work in that it considers a secondary user that has both a benevolent and an interference objective.However, this work differs in two key aspects: first, the overall objectives are to maximize data rates; and, second, the secondary user employs jamming (noise forwarding) not to harm the primary user, but to nudge the primary user to adjust its power allocation to allow the secondary user to achieve a minimum data rate.Our work, however, explicitly considers that the secondary user has an adversarial intent underlying the use of interference.In [21], the resilience of LTE networks against smart jamming attacks was modeled, and represents an important example of where spectrum sharing is being proposed.A one-time spectrum coexistence problem in dynamic spectrum access when the secondary user may be malicious was investigated in our prior work in [22].While that work is similar to the work presented here, an important difference in the current work is that the current work includes the introduction of additional functions that legitimate agents can use to defend themselves against the false announcements and interference introduced by the adversary.In particular, the current work goes beyond the interference tradeoffs explored in [22], to include in the game the potential for each agent to believe/dis-believe the information being shared, and to give the primary user the ability to inspect the spectrum activities of a secondary user.Notably, in the current work, the costs associated with inspecting and the fine/penalty for the secondary user to be caught making a fraudulent resource request are integrated into the interference formulation, leading to the determination of the equilibria with respect to the amount of channels being shared and underlying costs for both sides associated with protecting and attacking spectrum sharing.
It must be recognized that the objective behind an adversaries strategy depends significantly on the objective of the adversary, and such knowledge can lead to better defenses.For example, the detection of the intruder with uncertainty about the application being used was investigated in [23].Packet-dropping attacks were studied in [24].As further examples of game theory being applied to security and communication problems, we briefly mention [25] as a reference involving modeling malicious users in collaborative networks , [26] as a reference in which entities share information while engaged in information warfare, [27] for modeling attack-type uncertainty in a network, [28] for security threats involving multiple users in ad hoc networks, and [29] for resource attacks in networks using the ALOHA protocol.How secret communication can be affected by the fact that an adversary's capability to eavesdrop on a collection of communications from a base station to a set of users may be restricted and unknown to the transmitter was investigated in [30].Problems related to spectrum scanning have been presented in [31,32], where the objective is to develop spectrum-scanning strategies that support the detection of a user illicitly using spectrum, and [33] for detecting attacks aimed at reducing the size of spectrum opportunities in a dynamic spectrum-sharing problem.[34] studied the interactions between a user and a smart jammer regarding their respective choices of transmit power in a general wireless setting, while [35,36] considered problems related to game theory and network security, While these references are not directly relevant to the spectrum allocation problem explored in this paper, these references help motivate the work that we present in this paper.
The organization of this paper is as follows: in Section 2 and in two its subsections, we introduce the tradeoff that exists between supporting the PU's communication's reliability and the cost of such reliability.We formulate this tradeoff as two-step game and obtain an explicit solution to the game.In Section 2, we formulate and solve a signaling game that examines a different trade-off problem, namely, whether it is too costly/risky to believe the spectrum request originating from the potentially malicious SU and, if not, then to engage in verification of the SU request.In Section 4, conclusions are presented.

Trade off between Communication Reliability and Its Cost
We begin by presenting a general, universal dynamic access problem through which many practical coordinated spectrum sharing cases may be examined.Our universal dynamic spectrum access problem is depicted in Figure 1.In this scenario, there are n spectrum resources, which we shall refer to as bands (e.g., these may be actual frequency bands, or time-frequency slots in the context of radio resource scheduling) that are available for usage by two different players, the primary user (PU) and the secondary user (SU).These n bands are administered by a spectrum owner SO, whose objective is two-fold: first, it aims to support the improved usage of the n bands collectively by both the PU and SU; and, second, it is responsible for supporting the reliable communication of the PU in the presence of a SU, who might be malicious.The PU wants to reliably communicate with a set of n P users using n P bands, where the PU uses a single band for each user.The SU, similarly, must support reliable communication with a set of n T users using n T bands, where n T + n P < n and n is the total number of bands available for sharing.The SU, similarly, needs to only use a single band for each of its users.A universal spectrum access scenario that will be used to generically model the information obfuscation problem associated with spectrum sharing.Here, the coordination between a primary user (PU) and a secondary user (SU) is administered through a spectrum owner (SO) that acts as a spectrum server.
In the context of our problem, the SO may be thought of as a spectrum server that takes information related to each side's resource requests, and appropriately shares such information with other participants.The conduit of information being shared between the PU and the SO, and the SU and SO is an example of a spectrum underlay, and many practical approaches have been proposed for implementing such a spectrum coordination system.For example, in the context of coordinating between two different LTE providers aiming to share spectrum, the X2 interface is a peer-to-peer channel that supports inter-cell interference coordination (ICIC) in LTE, and one could propose extensions to X2 and ICIC standard that would support coordination between different LTE systems and a spectrum server.Alternatively, one could employ the operations, administration and management (OAM) interface that has been used as the basis for building a connection between self-organizing network controllers and eNB scheduling agent software to gain access to schedule and MAC layer functions.Similar approaches to cellular coordination have already been prototyped and validated using software-defined networking interfaces, such as that presented in [37].The SU might be law-obedient (with probability q 0 ) and then he will use only the bands reserved for him, or he might be malicious (with probability q 1 = 1 − q 0 ) and, in this case he could try to harm the PU's communication (e.g., by jamming).The SO has limited knowledge of the SU's interference capabilities.To reflect this, the SO only knows that the SU can interfere with n A signals.The SO has to reserve bands for use by the PU and the SU.The SU knows which bands are reserved for him and which are reserved for the PU.Without loss of generality we can assume that the SO reserves bands [n − n T + 1, n] for the SU's communication.Thus, the SO has to reserve a set of bands for the PU within [1, n − n T ] bands.The number of bands reserved for the PU's usage should be larger than n P in order to reduce the probability that the SU can interfere with the PU's legitimate signals-in essence, the PU's real allocation has been privacy-enhanced with the announcement of additional, decoy channels.
To reflect the fact that there might be a cost associated with introducing uncertainty in order to maintain communication reliability, we present a cost model that we will use in this paper for introducing uncertainty.We assume that when the SO reserves extra bands as decoys for the PU (beyond what it needs to support its users), such reservation costs C U per band.The SO is thus faced with a dilemma: on one hand, more bands reserved for the PU increase communication reliability (it becomes harder for the SU to guess successfully interfere with actual communication signals).On the other hand, the costs associated with maintaining this higher level of communication reliability are increased.Thus, the SO has to make a tradeoff between the PU communication reliability and its cost.We will formulate and solve this problem as a two-step game between the SO and the SU in the following two subsections.

First Step of the Game: To Make the Trade off between Communication's Reliability and Its Cost
In the first step of the game, to establish the tradeoff between communication reliability and the cost of obfuscation associated with increasing communication reliability, we assume the number of bands (decoys) c, reserved for increasing the domain of uncertainty, is fixed.Without loss of generality we can assume that bands [1, n P + c] are reserved for the PU, and the SU knows these bands.The PU has to support reliable communication with n P users.The actual band assigned to each such user is fixed and known only to the PU.Without loss of generality we can assume that the bands for these n P users are allocated within the bands [1, n − n T ], and there is no way for the SU to ascertain whether an announced channel will be used or whether it will be a decoy channel.Further, we suppose that the SU is malicious and could try to interfere with the PU's communication by using a jamming capacity of n A signals, where each interference signal can reside in only a single band.
A (pure) strategy Y of the SU is a subset of n A bands out of the set of [1, n P + c] bands reserved for the PU's communication purposes, i.e., |Y| = n A .Then, a (pure) strategy X of the SO is a subset of n P bands from the bands [1, n P + c], i.e., |X| = n P , which were assigned to the PU for transmitting communication signals.The payoff to the SO is the number of successfully transmitted (un-jammed)PU signals namely bands that the PU employed that were not also selected by the SU.We look for a saddle point (an equilibrium strategy) [38], i.e., for a pair of strategies (X * , Y * ) such that, where v = v SO (X * , Y * ) is the value of the game.
Since n T + n A < n, for each SU strategy Y * there is an SO strategy X such that X ∩ Y * is the empty set.Thus, by (1) and ( 2), the value of the game is greater or equal to n P .On the other hand, for each SO strategy X * there is an SU strategy Y such that X * ∩ Y is not empty.Thus, by (1) and ( 2), the value of the game is smaller than n P .This implies that the game does not have an equilibrium involving pure equilibrium strategies, i.e., where specific sets are chosen.To solve for an equilibrium, we have to employ mixed strategies, which involves randomizing the selection of pure strategies.The following proposition gives the value of the game and equilibrium strategies.Proposition 1.The value of the first step of the considered game is, and a saddle point is ( X n P ,[1,n P +c] is a (mixed) strategy of the SO in which the SO chooses to assign to the PU n P bands at random with equal probability from the total set of [1, n P + c] bands reserved for the PU's communication.
There are ( n P +c n P ) subsets of n P + c bands consisting of n P bands.Thus, the strategy X n P ,[1,n P +c] chooses each such subset with probability 1/( n P +c n P ). ((n p ) = n! (n−p)!p! is the number of combinations of p objects selected out of n objects.)(2) Y n A ,[1,n P +c] is a (mixed) strategy of the SU that involves choosing at random n A bands with equal probability from the full set of [1, n P + c] bands.There are ( n P +c n A ) subsets of n P + c bands consisting of n A bands.Thus, the strategy Y n A ,[1,n P +c] chooses each such subset with probability 1/( n P +c n A ).
Also, we note that X n P ,[1,n P +c] and Y n A ,[1,n P +c] are equalizing strategies, i.e., for any SU's pure strategy Y and SO's pure strategy X the following equalities hold: The expected number of successfully interfered bands is, Proof.Let the SO apply a mixed strategy X n P , [1,m] , where m = n P + c and the SU applies a (pure) strategy Y that involves assigning n A fixed bands for the purpose of interfering with the PU.Then, the expected number of successfully transmitted signals is, where n PA := min{n P , n A }. Now, look at the SU.Let the SO apply a (pure) strategy X, i.e., a set of n P bands for the PU's transmission is fixed, and the SU apply a mixed strategy Y n S , [1,m] .Then, the expected number of successfully transmitted signals is, Since, Now we prove (3) by induction by m.Let n A ≤ n P .For m = n A the result is obvious.Let it hold for a m ≥ n A .We prove that then it also holds for m + 1.Since ( m+1 k ) = ( m k ) + ( m k−1 ) for any k we have that, follows.The case n A > n P can be considered similarly.

Second Step of the Game: To Make the Tradeoff between Communication's Reliability and Its Cost
In the second step of the game, to make the tradeoff between communication reliability and the cost of such reliability, the SO, knowing the equilibrium strategy for the first step, wants to appropriately choose an appropriate amount of obfuscation, c, so as to specify the domain of uncertainty with the objective of maximizing the difference between reliable PU communication (i.e., unjammed communication signals) and the cost to maintain this reliability.Thus, by Proposition 1, the expected payoff to the SO is given as follows: The goal of the SO is to maximize his payoff v U (c), i.e., to find such c that, Proposition 2. In the second step of the game, to achieve the optimal trade-off between communication reliability and the cost of this reliability, the SO has to announce n P + c bands that are reserved for the PU's usage, where, with ( ξ and ξ being the floor and ceiling functions mapping a real number to the largest previous to ξ or the smallest integer following ξ, respectively.) Thus, v U is strictly a concave function, and it has a unique maximum in [0, n − n P − n T ] which is given as follows: Since we have to maximize v U only within integer points of the interval [0, n − n P − n T ], the result follows.
Figure 2a illustrates how the number of bands reserved by the SO depends on the cost of uncertainty C U and the number of user communications the PU has to maintain n P , where the scenario and adversarial profile was set to n A = 30, n T = 60, q 1 = 0.5 and n = 200.Figure 2b,c illustrates how the number of extra reserved bands and the payoff to the SO depends on the cost for introducing uncertainty, C U , and the probability q 1 that the SU is malicious when n P = 50.This figure shows that in some cases there is a tradeoff between the cost of uncertainty and the probability of the threat, in which case it is possible to increase communication reliability.Finally, we note that, in this section, in Proposition 1, the basic formula for the expected number of jammed signals was derived in closed form.This allows one to find the tradeoff between communication reliability and the cost of such reliability if the SU might be malicious, which is maintained by means of introducing obfuscation.In the next section, we apply this formula to evaluate: (1) whether to believe in the announced purpose or size of the SU's requests for spectrum resources; and (2) if one does not believe the SU, the intensity with which one should employ inspection of his spectrum activity so as to prevent possible malicious activity.

Signaling Game: Whether It is Worth Believing the Potentially-Malicious SU or Not to Believe and Then Inspect His Request
The malicious SU requests bands that he will supposedly use for legitimate purposes, but in doing so faces a dilemma.On the one hand, by requesting more bands under the pretext of legitimate use, the SU will actually support his malicious activity by reducing the amount of bands available to the SO to use to obfuscate the PU's actual channel need (and thus increase the likelihood that the SU will be able to interfere with the PU).On the other hand, requesting too many extra bands can make the SO suspicious of the request, which might then lead to the SO inspecting the request by actively engaging additional resources (at a cost) to verify the truth of the request.
We now examine the scenario from the SO perspective.Since the SO is not sure about whether the SU is malicious, upon observing the SU request, the SO also faces a dilemma: either to believe or not believe the request.Not believing the request will then lead to the SO inspecting the veracity of the request to check whether the SU is trying to deceive.This can reduce the likelihood of possible SU malicious activity if the inspection detects the deception, but it also introduces an extra expense for the SO.In this section we formulate this problem as a signaling game [38], and then, to obtain insight into the problem, we give an explicit solution for a basic subcase in the next subsection.
Signaling games deal with the situation where one player knows some information that the other player does not.The first player (the sender), who possesses some private information, might try to manipulate the situation by sharing some altered version of that information to his rival.The first player may be motivated to deceive his rival, for example, in order to gain a higher payoff from the game.The second player (the receiver), who does not possess this private information, has to make a decision based on the information shared by the sender and, in particular, must decide how to take any actions given the potential that the information exchanged was false.We note that signaling games are widely employed for modeling different aspects of malicious activity in networks, for example, in multi-step attack-defense scenarios [39], for intrusion detection in wireless sensor networks [40], for cyber security [41], for intrusion detection in mobile ad hoc networks [42], for investigation of deception in network security [43], for honeypot selection in computer networks [44], for studying the impact of uncertain cooperation among well-behaved and socially selfish nodes on the performance of data forwarding [45], and for achieving an always best connected service in vehicular networks [46].
In the model we now consider, we assume that there is no cost associated with introducing uncertainty, i.e., C U = 0, and in this case the SO will allocate the maximal domain of uncertainty based on the SU's request, i.e., the PU bands will be [1, n − n T ].We assume that n T ∈ {1, . . ., N T }, where N T corresponds to an upper bound on the possible bands the SU could request for legitimate purposes.We assume that the SO has knowledge of N T , and that he has statistical knowledge characterizing the SU's needs and behavior.Specifically, he knows that, with probability q 0i , the SU is law-obedient and n T = i, and with probability q 1i the SU is malicious and n T = i, where i = 1, . . ., N T .
The SU knows its own true n T , and, having knowledge of n T , can submit a reservation for either n T or n T + 1, . . ., up to N T bands if he is malicious.If the SU is law-obedient, he requests the correct number of bands.As noted earlier, requesting more bands is better for a malicious SU's jamming objective, but the SO can choose to inspect the bands to see whether that band is actually in use (or historically has been in use).If the SO finds that some bands are not in use, then the SU is fined C S per falsely-claimed, unused band.Meanwhile, however, we assume that there is an inspection cost C P per band that is inspected by the SO.The payoff to the SU is the expected number of interfered users, weighted by R times the number of successful transmission minus the expected fine.The payoff for the SO is the expected number of successful transmissions by the PU minus inspection expenses.This situation is well-modeled by a signaling game, where the SU is the sender.The SU can be one of 2N T types: type-(1, i) which occurs with probability q 1i and occurs when the SU is malicious and must support n T = i users; or type-(0, i) which occurs with probability q 0i and occurs when the SU is law-obedient and must support n T = i users, where i = 1, . . ., N T .Let b be the requested number of bands by the SU.The malicious SU, knowing its n T , submits a reservation for at least n T bands, and at most N T bands.Of course, for n T = N T , (so, the SU has type-(1, N T )), the only strategy he can apply is to request for N T bands, but for n T < N T , he has N T − n T + 1 strategies, and thus he may request for either b = n T or b = n T + 1, . . .or N T bands to be reserved.The law-obedient SU, submits a reservation without deception, so type-(0, i) SU has the only strategy to request b = i bands, i = 1, . . ., N T .with the posterior SO beliefs µ(•|b) given by Bayes's rule, This is a signaling game with a finite sets of (pure) strategies, and generally to solve it randomized strategies have to be employed.To deal numerically with such problem an iterative forward induction algorithm for solving signaling games based on a rationalizability approach suggested in [47] can be used.An alternative approach is to use the Gambit software package [48] for solving signaling games.To obtain insight into the problem and to see how the solution explicitly depends the parameters associated with the scenario, in the next section, we directly find the solution for a particular baseline case.
Explicit Solution for a Basic Case, N T = 2 In this section to get insight of the problem we present explicit solution for a particular case N T = 2. Let α = α 1,2 be the detection probability of an unused band when there is one unused band among two requested bands.Note that, since N T = 2, if an unused band is detected (and hence a false request is being made) then there is no need to engage the full set of bands in an inspection.In Figure 3, the diagram for making decisions in this signaling game is presented.
To describe the main result, let us introduce the following notations: • Let b = b(τ, b) be the probability that the malicious SU of type-(1, τ) requests b bands.

•
Let a(i, ξ) be the conditional probability that the SO employs strategy ξ when observing a request for i bands.
Thus, b and a can be interpreted as randomized behaviour strategies for the malicious SU and for the SO.q 11 α(T n−1 n P ,n A − T n−2 n P ,n A ) q 02 + q 12 + q 11 , then the equilibrium strategy for the SO is to always believe (i.e., strategy B), while the equilibrium strategy for the SU is always to request two bands.(b) If the inspection cost is small, C P < q 11 α(T n−1 n P ,n A − T n−2 n P ,n A ) q 02 + q 12 + q 11 , then two subcases arise: then, the equilibrium strategy for the SU is always to request two bands, and the SO always should inspect; then in equilibrium both rivals apply mixed strategies, namely: . Then, by the definition of b, the marginal probability γ i of observing a request for i bands is given as follows: The SO can build his belief about the SU based on the SU's request by considering the conditional probability µ(t, τ|j) that the SU of type-(t, τ) requests j bands, as follows: Let E b u SO (ξ, b) be the expected payoff for the SO when the SU applies strategy b and the SO employs strategy ξ and observes a request for b bands.Then, For a fixed SU strategy, the best response SO strategy is BR b SO (b) = arg ξ max E b u SO (ξ, b).By ( 8) and ( 9), we have that, BR with, Note that, for the following inequality holds for any b(1, 2) ∈ [0, 1]: Thus, if (12) holds, then BR 2 SO (b) = B. Since (10) also holds, (12) implies that the SO equilibrium strategy is to believe independent on the SU's request.Then, the SU equilibrium strategy is always to request two bands.
Let us now suppose that (12) does not hold.Thus, is the unique root by b(1, 2) of the equation, Then, (14) implies that b(1, 2) given by ( 15) is within (0, 1).Thus, by (11), if (14) holds, then (15) defines a SU strategy that is indifferent to the beliefs of the SO and his best response, and thus it is another possible candidate for the SU equilibrium strategy.
Since a(i, ξ) is the conditional probability that the SO employs strategy ξ when observing a request for i bands, it is clear that a(1, B) = 1, a(1, I) = 0 and a(2, B) + a(2, I) = 1.Then a is uniquely defined by its one component a(2, B).
If a is such that the payoff to the SU of type-(1,1) is insensitive to all of his requests, then a is the equilibrium.This condition is met when the expected values at the end of branches in the decision tree (Figure 3) are equal, i.e., Solving the last equation by a(2, B) yields: Then, this a jointly with b given by ( 15) give an equilibrium.
If 16), the following inequality holds for any a: R + H n−2 n P ,n A a(2, B) + R + αH n−1 n P ,n A + ᾱH n−2 n P ,n A − αC S a(2, I) > R + H n−1 n P ,n A .
The left side of this inequality obtains its minimum for a(2, B) = 0 and a(2, I) = 1.Also, by ( 14) and (11), the best response to b(1, 2) = 1 is to inspect.Thus, in this situation, requesting two bands and inspecting the request combine to give the equilibrium, and this implies the result.Thus, we have shown in Proposition 3 that the game has either a pooling or a mixed equilibrium.The pooling equilibrium assumes that all the malicious SU types request the same number of bands.In our particular case this corresponds to two bands.In the pooling equilibrium the SO learns nothing from the SU's request.
Figure 4 illustrates threshold lines for switching between the equilibrium strategies as a function of the number of bands with α = 0.5.with scenario parameters: C P = 0.005, C S = 0.7, n A = 10, n P = 30, α = 0.5, q 01 = 0.1, q 02 = 0.3 and q 11 + q 12 = 0.6.Figure 5c illustrates how taking into account information about the nature of the SU can improve the SO's payoff.Also, it is very interesting to note that the optimal strategy for the SO, as well as its payoff, are discontinuous in the information describing the SU.

Conclusions
In this paper, we have presented a new game-theoretic framework that can be useful in designing a dynamic spectrum access channel management protocol when there is the potential of an untrustworthy secondary participant.The new framework incorporates statistical information describing whether the SU is malicious and intends to interfere with primary communications.Using two Bayesian game-theoretical models, we have shown that such a paradigm can lead to protocols that can improve communication reliability.We have noted the interesting observation that the optimal strategy for the SO, as well as its payoff in this model, can be discontinuous in the statistical information describing the behavior characteristics of the SU.This implication of this discontinuity means that having precise knowledge of the statistical characterization of the SU is important since in some regimes there is a threshold behavior in the communication reliability, while in other situations the characterization produces only a minimal impact on the decisions being made.In particular, the practical interpretation of our analysis reveals that if one is operating in a channel-limited scenario, then using obfuscation (i.e., decoy channels) detracts too much from the objective of improving the combined performance (notably, obfuscation will impact the SU's legitimate performance).On the other hand, if the SU cannot afford to engage in verifying whether the announced schedule is accurate (e.g., such verification would involve deploying infrastructure that is too costly), then the PU should maximize its use of a decoy strategy while meeting its own needs.

Figure 1 .
Figure1.A universal spectrum access scenario that will be used to generically model the information obfuscation problem associated with spectrum sharing.Here, the coordination between a primary user (PU) and a secondary user (SU) is administered through a spectrum owner (SO) that acts as a spectrum server.

Figure 2 .
Figure 2. (a) Number of extra bands reserved for the PU as a function of the cost of uncertainty C U and number of users the PU has to maintain (i.e., n P ); (b) number of extra reserved bands for the PU;and (c) the payoff to the SO as a function of the cost of uncertainty and the probability q 1 that the SU is malicious.

Figure 3 .
Figure 3. Diagram for how decisions are made.

Figure 4 .
Figure 4. Threshold lines for switching between the equilibrium strategies as a function of the number of bands.

Figure
Figure 5a,b illustrates the probability of believing in the request for two bands a(2, B) and the probability for requesting two bands, if only one legitimate communication has to be supported, i.e., b(1, 2), as functions of the number of bands n and the probability that the malicious SU is of type-(1, 1) with scenario parameters: C P = 0.005, C S = 0.7, n A = 10, n P = 30, α = 0.5, q 01 = 0.1, q 02 = 0.3 and

Figure 5 .
Figure 5. (a) Probability of believing in the request of two bands, a(2, B); (b) probability of requesting two bands, if only one connection has to be supported, b(1, 2); and (c) the payoff to the SO as functions of the number of bands n and the probability that the malicious SU is of type-(1, 1).