Faithworthy Collaborative Spectrum Sensing Based on Credibility and Evidence Theory for Cognitive Radio Networks

Cognitive radio (CR) has become a tempting technology that achieves significant improvement in spectrum utilization. To resolve the hidden terminal problem, collaborative spectrum sensing (CSS), which profits from spatial diversity, has been studied intensively in recent years. As CSS is vulnerable to the attacks launched by malicious secondary users (SUs), certain CSS security schemes based on the Dempster–Shafer theory of evidence have been proposed. Nevertheless, the available works only focus on the real-time difference of SUs, like the difference in similarity degree or SNR, to evaluate the credibility of each SU. Since the real-time difference is unilateral and sometimes inexact, the statistical information comprised in SUs’ historical behaviors should not be ignored. In this paper, we propose a robust CSS method based on evidence theory and credibility calculation. It is executed in four consecutive procedures, which are basic probability assignment (BPA), holistic credibility calculation, option and amelioration of BPA and evidence combination via the Dempster–Shafer rule, respectively. Our scheme evaluates the holistic credibility of SUs from both the real-time difference and statistical sensing behavior of SUs. Moreover, considering that the transmitted data increase with the number of SUs increasing, we introduce the projection approximation approach to adjust the evidence theory to the binary hypothesis test in CSS; on this account, both the data volume to be transmitted and the workload at the data fusion center have been reduced. Malicious SUs can be distinguished from genuine ones based on their historical sensing behaviors, and SUs’ real-time difference can be reserved to acquire a superior current performance. Abounding simulation results have proven that the proposed method outperforms the existing ones under the effect of different attack modes and different numbers of malicious SUs.


Introduction
The frequency spectrum is treated as a valuable resource in the wireless communication field and is rendered inadequate for the increasing number of wireless services.In terms of the spectrum task report from the Federal Communication Commission (FCC), the usage of authorized spectrum alters according to geographic and temporal circumstances [1].Cognitive radio (CR) arises as a tempting solution to the spectrum congestion problem by enabling opportunistic access to underutilized licensed bands that are lightly occupied by a licensed user (LU).CR is characterized by the fact that it adapts to the actual environment by transforming its transmitting parameters, such as frequency, modulation, frame format, etc. [2,3].A precondition of secondary access is the absence of interference for the primary system.Spectrum sensing thereby plays an essential role in cognitive radio networks (CRNs).
Among fundamental spectrum sensing techniques, energy detection is predominant due to its simple implementation, as well as low computational complexity [4,5].However, spectrum sensing conducted by a single node is hindered by uncertainty originating from channel randomness, such as multipath fading and shadow effect [6].To combat these adverse impacts, collaborative spectrum sensing (CSS) schemes have been proposed to achieve spatial diversity in CRNs [7][8][9].In CSS, messages reported from different SUs are combined at the data fusion center (DFC); DFC subsequently makes a global decision on the absence/presence of the LU.
There exists abundant literature that has established the optimality of likelihood ratio test (LRT) concerning detection issues, such as [10][11][12] and the references therein; yet, the computation complexity of LRT is quite high, and the closed form expressions of detection probability and false alarm probability cannot be derived.Quan et al. [13] have put forward an optimal linear CSS method, which makes the final decision over a linear weighted combination of the local measurements.The computational complexity has been reduced, and the performance compared favorably with LRT-based optimal fusion rules, which can be achieved, as well; but the DFC requires specific report channels to acquire and update a priori information.In recent years, plenty of algorithms have been proposed owing to the unique advantages of the Dempster-Shafer (D-S) theory of evidence in terms of uncertainty representation [14][15][16][17][18][19].In [14], Dempster-Shafer theory is first applied in the data fusion of CSS.This method quantifies the channel condition between LU and SUs with credibility parameter and adopts D-S theory to fuse the local measurements with relevant credibility.Nhan and Insoo [15] came up with an enhanced CSS scheme based on D-S theory and reliability source evaluation.It exploits the signal-to-noise ratios (SNRs) to assess the reliability degree for SUs.The reliability weight of SUs is then applied to adjust their observational information before making the global decision.However, it uses much bandwidth to transmit the sensing data with the number of SUs increasing.
Although the participation of multiple SUs in CSS contributes to the improvement of detection accuracy, the global decision making may be misguided when SUs intentionally or unintentionally send falsified sensing information to the DFC during cooperation.This sort of attack in CSS, called the spectrum sensing data falsification (SSDF) attack, has significantly degraded collaborative detection correctness.Hence, effective security mechanisms are fundamentally demanded in an opponent wireless environment.Han et al. [16] propose an enhanced evidence theory-based CSS method to resist the SSDF attack.This scheme uses the similarity degree to evaluate the credibility of evidence and removes the evidence with low similarity degree from the combination.Facing the problem of faulty nodes in CRN, the CSS method in [17] adopts a mutually supportive degree among different sensor nodes to support adapted decision.Another evidence theory-based secure CSS scheme is proposed in [18], which employs robust statistics to calculate the distribution parameters of LU's activity and estimates the SUs' credibility with a simple counting technique.In addition, several detection approaches are adopted to counter distinct sorts of malicious SUs.In [19], a trusted CSS method for mobile CRNs is proposed, which improves malicious SU detection utilizing both location reliability and D-S theory.Wang et al. [20] take advantage of the "soft update" approach and evaluate the trustworthiness degree of SUs for enhancing the robustness of the CSS system.
However, these existing evidence theory-based CSS methods are not specifically suited for CRNs communications.This is basically because they are generally designed without considering challenges posed by the framework of resource-constrained nodes of CRNs; such as hardware limitations and low power budget.In addition, the majority of these CSS methods only consider SUs' current difference, for instance the SNR difference or similarity degree diversity, to estimate the credibility of each SU.Although this current difference tends to reflect SUs' reliability to some extent, it is unilateral and sometimes inexact, by virtue of the dynamic characteristic of wireless channels.Apart from real-time information, the statistical information about SUs' historical sensing behavior reflecting their past credibility should also be taken into account in the evaluation of sensing credibility.Therefore, in this paper, we propose a robust CSS scheme based on D-S evidence theory and credibility calculation.It is executed in four consecutive procedures, which are basic probability assignment (BPA), holistic credibility calculation, option and amelioration of BPA and evidence combination via the Dempster-Shafer rule, respectively.The major contributions of this paper can be summarized as follows: A. Considering transmitted data rises with the increase of the number of nodes and the power restriction of SUs, we introduce projection approximation approach to half decrease the amount of required transmitted data from SUs to the DFC.This is achieved by adapting the D-S evidence theory to the binary hypothesis test of the cognitive radio context.
B. Instead of evaluating the SUs only with their current measurements, we propose to evaluate the credibility of each SU from both statistical reputation and the real-time difference.The proposed method can not only effectively distinguish malicious SUs from genuine ones based on their past sensing behaviors, but also hold the current sensing difference for SUs to realize superior real-time performance.
C. No prior knowledge such as the average SNR of each SU is demanded at DFC, which reduces the communication cost.Moreover, our proposed method is simple to implement.The reputation value maintenance can be conducted in an iterative manner, which requires no additional computational complexity or storage overhead.
The remainder of the paper is organized as follows.In Section 2, we describe the system model with the energy detection and D-S theory; the attack models are introduced, as well.The robust Dempster-Shafer theory collaborative spectrum sensing method is proposed in Section 3, which elaborates the holistic credibility calculation in detail.Simulations and conclusions are respectively presented in Sections 4 and 5. Section 4 presents numerical simulation results.Finally, the conclusions are drawn in Section 5.

System Description
As a key technology for achieving opportunistic spectrum access, spectrum sensing aims to detect the presence of PUs accurately and quickly.In this article, we consider two processes for spectrum sensing, which the local spectrum sensing at each SU and the data fusion at the DFC.The CSS scenario in CRNs and two patterns of attack are described in this section.

Collaborative Spectrum Sensing
The network architecture we consider is a centralized network entity, such as a base-station in infrastructure-based networks, as showed in Figure 1.Assume that the CR network consists of one licensed user base station, which may be active with probability P H 1 or idle with probability P H 0 in a sensing time slot, n secondary users and one data fusion center.Firstly, the individual SU conducts local spectrum sensing independently, the process of which can be formulated as a binary hypothesis testing problem [6]: where s(t) represents the signal transmitted by LU and y i (t) denotes the received signal at the i-th SU.The signal s(t) is distorted by the channel gain h i (t), which is assumed to be constant during the sensing interval, and is further corrupted by the zero-mean additive white Gaussian noise (AWGN) n i (t), i.e., n i (t) ∼ N (0, σ 2 i ).Hypothesis H 0 indicates that the spectrum is currently occupied by PU, and hypothesis H 1 indicates that spectrum is available for SUs; and t represents time.Without loss of generality, n i (t) and s(t) are assumed to be independent of each other.
Due to its applicability to a wide range of signals and mathematical amenity compared to other detectors, energy detection is adopted by each SU in the local spectrum sensing stage; the input signal energy is measured by the energy detector within a specific time interval.By applying a band-pass filter, the received energy at SU i can be expressed as [4]: where y ij is the j-th sample of the received signal at SU i and N = 2TW with T and W being detection time and channel bandwidth, respectively.Naturally, TW is the time-bandwidth product.When N is relatively large (e.g., N > 10), y Ei can be approximated as a Gaussian random variable under both hypotheses and denoted as [20]: where µ 0i , σ 2 0i , µ 1i and σ 2 1i are the means and variances under hypotheses H 0 and H 1 , respectively.
Here, γ i is the average signal-to-noise ratio (SNR) at SU i .In the CSS scheme, SUs send their local measurements to DFC, which is in charge of further information processing.These measurements can either be the received energy y Ei or its function (like a one-bit hard decision or a double threshold decision), depending on the specific fusion rule utilized by DFC.
At the H-th sensing slot, the report of SU i can be denoted as u H i .Then, all of the reports received by DFC can be denoted as u H = [u H 1 , . . ., u H i , . . ., u H n ], and the DFC makes a final global decision u H 0 about LU's activity.

SSDF Attack Models
As illustrated in Figure 1, certain compromised SUs exist among all SUs in CRNs.They report falsified results to DFC and expect DFC to make an incorrect global decision u H 0 under their misguidance.The means to tamper reports of malicious SUs can be multifold.This paper considers that malicious users (MUs) first distort their received energy accumulation and send the distorted energy to the DFC afterwards.We investigate two SSDF attack models, the false alarm and miss detection (FAMD) attack and the false alarm (FA) attack, as presented in [21].Both can be described by three parameters, including the attack threshold (η), the attack intensity factor (ξ) and the attack probability (P a ).Specifically, these two attacks can be modeled as follows: A. FAMD attack: For sensing slot H, the FAMD attacker launches an attack with probability P a .If it intends to attack during this round, it will compare y Ei with η.If the sensed energy y Ei exceeds the attack threshold η, it will report y Ei + ξ; otherwise, the attacker reports y Ei − ξ.If the attacker chooses not to attack, it will just report y Ei .This attack model tends to increase the misdetection and false alarm probability, which results in both the inequitable utility of the available spectrum and more damaging disturbances to the LU.
B. FA attack: For sensing slot H, if sensed energy y Ei exceeds the attack threshold η, the attack will not be launched, and the energy will hold at y Ei .On the contrary, it will attack with probability P a by reporting y Ei + ξ.This attack model is inclined to cause false alarm probability increase and the available spectrum underutilization or the exclusive usage of it by FA attackers.
Under each of the two attack models, the distorted energy y Ei is utilized to produce local measurements, which are subsequently delivered to DFC.In this paper, the energy used by SU i to create reports at the H-th sensing slot is expressed as y L Ei , which is either the original y Ei for genuine SUs or the distorted y Ei for malicious SUs.

Faithworthy Collaborative Spectrum Sensing Based on Credibility and Evidence Theory for Cognitive Radio Networks
In this article, we propose a faithworthy CSS method based on credibility and evidence theory for CR networks.As first introduced by Dempster and later extended by Shafer, Dempster-Shafer (D-S) theory allows one to combine evidence from different sources and evaluate the credibility of the system state [22], which is regarded as an effective approach for decision making, as well.Due to its capability of merging results reported by SUs under the effect of uncertainty, D-S theory is quite suitable for collaborative spectrum sensing in CRNs.
Figure 2 shows that the proposed faithworthy CSS method is executed in four consecutive procedures, which are basic probability assignment with the PA approach, holistic credibility calculation, option and amelioration for BPA and evidence combination via the Dempster-Shafer rule, respectively.We give the specific discussions in detail as follows.

SUi
Process description of the faithworthy collaborative spectrum sensing (CSS) scheme based on credibility and evidence theory in cognitive radio networks.

Basic Probability Assignment with the PA Approach
Detecting LU's state is a binary hypothesis testing problem in the context of spectrum sensing, and the recognition framework is Ω = {H 1 , H 0 }.Naturally, 2 Ω is the set of all subsets of Ω, including the empty set ∅. SUs act as the information source and provide a set of elementary evidences.For SU i , the evidence theory under the form of elementary masses assigns a belief mass to each element of the set 2 Ω .These masses are defined as function m, which maps the power set of Ω (i.e., (Ω)) to the interval of [0, 1] and satisfies the following conditions: m(∅) = 0 and ∑ Ω} in the framework, and | (Ω)| is the cardinality of (Ω) [19].For A k , m(A k ) represents that one believes to pledge exactly to set A k , when a certain piece of evidence is given [23].The set A k satisfying m(A k ) > 0 is called the focal set, and in the D-S theory of evidence, the plausibility and belief function are expressed as follows: where B ∈ (Ω).Bel(B) evaluates the minimum or definitive support for hypothesis B, whereas Pl(B) evaluates the maximum or possible support that could be put in hypothesis B if more evidence became available.In the binary hypothesis test problem of CSS, in fact, Bel(H 0 ) = m(H 0 ) and Bel(H 1 ) = m(H 1 ).Therefore, in the following discussion, BPA function m is constantly utilized to denote the belief of hypotheses H 0 and H 1 .
After the process of energy accumulation, the BPA function for each sensing node SU i can be acquired according to the following equations [19]: )dx (7) )dx (8) where i ∈ {1, 2, . . ., n}; SUs then send the BPAs to DFC.That is to say, the report of SU i at the H-th sensing slot is Considering the power limitation of sensor nodes, the transmitting data from each SU to DFC need to be reduced.Under this circumstance, we propose to adjust BPA functions ) by utilizing a projection approximation (PA) technique.On the basis of the fact that only hypotheses H 0 and H 1 are related to spectrum sensing, for the sake of ensuring that the modified BPA function is suitable for the D-S theory and has no impact on the performance of combination, we introduce the projection approximation approach to improve local BPA masses.At first, orthogonal decomposition is employed to project m H i (X) onto the coordinate axes of hypotheses H 0 and H 1 , then the projection of m H i (X) can be denoted as: Afterwards, adding the original BPAs under two hypotheses to their projections on the corresponding coordinate axis and carrying out normalization, the modified BPA function mH i (H 0 ), mH i (H 1 ) can thereby be obtained: Due to mH i (H 0 ) + mH i (H 1 ) = 1, rendering m H i (X) = 0, consequently, in accordance with the PA approach in ( 14) and (15), not only the transmitting data from SU i to the DFC are half reduced, but also the bandwidth cost is deceased.This can be attributed to the fact that SU i only requires transmitting mH i (H 0 ), while other existing methods need to report both m H i (H 1 ) and m H i (H 0 ).The PA approach enables one to almost half reduce the transmission data for n SUs.This means a great advantage if there exists a high number of SUs, especially when the transmitting and the receiving accounting for the most power consuming part of the SUs are obliged to be considered; this PA approach is capable of achieving a long operational life span of sensor battery.In addition, the situation of the limited spectrum resources is quite urgent in wireless communication; in this case, the PA method also possesses an extremely high benefit of bandwidth owing to the reduction in transmitting data.

Holistic Credibility Calculation
In order to remove or mitigate the harmful effect on the performance caused by the attack behaviors of MUs, the reports from distinct nodes are supposed to be treated with dissimilarity.In the proposed scheme, the credibility of each SU is evaluated by its holistic credibility, which contains two factors, i.e., the real-time reliability and the statistical reputation.Specifically, the real-time reliability of SU i represents the credibility of BPAs from SU i at the H-th sensing round, whilst the statistical reputation of SU i represents the credibility of historical reports from SU i .Through combining these two factors, both current and historical information about the credibility of each SU can be well exploited.

Real-Time Reliability
Since the local sensing results from the malicious SU will be distorted at some sensing slots, its evidence is not consistent with others' all of the time.In other words, if the evidence of one SU is similar to other SUs, this SU acquires a higher supportive degree from other SUs.Otherwise, if single SU's evidence is obviously different from others, it gets a less supportive degree from others.Then, it will be considered as untrustworthy and removed before fusing evidence at the DFC.Therefore, we can evaluate the real-time reliability of SU i based on its reports' similarity with other SUs at each sensing round.Specifically, the similarity degree of reported BPAs between SU i and SU j can be represented by the following formulation [16]: Afterwards, the similarity degree matrix can be shown as: The diagonal entries of the similarity degree matrix are all equal to one, and according to Equation ( 14), the value of each similarity degree is less than or equal to one.Consequently, the similarity degree matrix evidently possesses a convergence property, which ensures the effectiveness and validity of the proposed sensing method under the harmful attack behavior launched by malicious SUs.Through adding up the general similarity degree of SU i with regard to other SUs, the support to the BPAs from SU i at the H-th sensing slot is written as: As a consequence, the real-time reliability of SU i can be acquired by normalizing the support and denoted as: Nevertheless, CR networks have open and dynamic characteristics; there exist numerous possible factors that cause relatively low real-time reliability.Besides, the randomness of wireless channels (i.e., shadowing, fading effects and noise uncertainty) results in inaccurate BPA acquired by SUs at local sensing.Under the impact of all sorts of randomness, the performance of an honest SU can deteriorate severely at certain sensing slots.At that moment, its reported results have a great difference from others' reports or even have high similarity with the reports from MUs.In addition, if the number of malicious SUs in the network increases, the malicious SUs will support mutually and falsify the evaluation of real-time reliability remarkably.Therefore, only with the assistance of real-time reliability, we can neither arrive at a conclusion that an SU is genuine or malicious precisely.To resolve this issue, we introduce a reputation mechanism into the proposed scheme.

Statistical Reputation
Although statistical reputation cannot evaluate SU's credibility in a real-time manner, it is capable of obtaining the deduction concerning the historical reliability of SUs in line with their reported local results previously.Moreover, the statistical reputation is more stable due to its statistic characteristics; it is less likely to be affected by random interference.Therefore, statistical reputation and real-time reliability become mutually complementary; both factors should be jointly utilized to calculate the holistic credibility of cognitive users.
In most existing reputation-based CSS mechanisms [24][25][26], the reputation values of SUs are computed by simple counting rules.If the transmitted result of one SU is consistent with the global result made by DFC, then the reputation of this node is increased by one; otherwise, reducing the reputation by one.Two main drawbacks exist in this method: Firstly, this way of reputation updating is based on the global decision made by DFC and updating via the strategy of "same increase and decrease".When the correctness of the final decision cannot be guaranteed under the attack behavior of malicious SUs, the reference value of SU's reputation acquired by this approach declines to some degree.Secondly, the computing mode of the counting rule only cares about the consistency between local reports and the global decision.However, the BPA forwarded by SUs are dissimilar at each sensing round, which contains different messages with regard to the operating state of the LU.The process mode "black or white" leads to unnecessary losses of useful information.
In order to overcome the above shortcomings, we consider the imperfection of the global decision made by DFC and utilize the BPA reported from SU i and the BPA merged by DFC at the (H − 1)-th slot to update the statistical reputation of SU i at the H-th slot.Specifically, for the sake of distinguishing with different situations when DFC makes final decisions, two parameters are defined: the self-evaluated faith f i and the center-evaluated faith f , respectively.The higher self-evaluated faith f i is, the more convinced that SU i is of its reported BPA.Similarly, higher center-evaluated faith f means a higher degree of conviction that the DFC feels about its combined BPA.Both the self-evaluated faith f i and the center-evaluated faith f are calculated by the DFC.
At the (H − 1)-th sensing round, the center-evaluated faith and the self-evaluated faith can be respectively expressed as: where m H−1 (H 0 ) and m H−1 (H 1 ) represent the combined BPAs calculated by the DFC at the (H − 1)-th slot (the computational formula is given in Section 3.4).Obviously, . Hence, the statistical reputation of SU i can be calculated as follows: where r H i represents the statistical reputation of SU i at the (H − 1)-th sensing slot, u H−1 0 denotes the one-bit global decision made by the DFC, w H−1 i denotes the suppositional local decision of SU i inferred by the DFC and l is the decay factor.It is worth noting that there is no need for SU i to make a decision or transmit its local decision result (in order to reduce network overhead).The DFC can deduce the local judgment that will be made by SU i from its forwarded BPA (i.e., the reported BPA from SU i contains this information).The suppositional local decision of SU i inferred by the DFC can be denoted as: where the decision threshold is determined by the DFC in terms of the different performance requirements of the spectrum sensing system.
The fundamental principle of the update mode of statistical reputation can be explained by Formula (24).In the first place, the variation tendency of statistical reputation r H i depends on the one-bit global decision u H−1 0 of DFC and the suppositional local decision , statistical reputation r H i increases; otherwise, it decreases.This signifies that the cognitive user who makes the same decision result as DFC will obtain a higher statistical reputation.In the next place, the amplitude of variation of statistical reputation is decided by the center-evaluated faith f H−1 and the self-evaluated faith f H−1 i jointly.If f H−1 and f H−1 i are both close to one (here, SU i and DFC are both convinced of their BPAs), the change size of statistical reputation is also close to one.If the DFC (or SU i ) lacks faith in its BPA, then f H−1 (or f H−1 i ) will decrease, which leads to the changed size of r H i diminishing correspondingly.Therefore, statistical reputation is capable of performing updating with a flexible increase/decrease and changeable size according to the transmitted BPAs from SUs and the combined BPA made by DFC in the last sensing round.
Furthermore, although the global decision made by DFC may have errors at some sensing round, it is still more reliable than the reported decision of a single node (due to diversity gain).In view of this fact, we introduce amendatory parameters α, β to adjust the relative position between DFC and a single node.Generally speaking, β > α > 0 is set to ensure the center-evaluated faith f H−1 plays an important role in the update of r H i ; otherwise, the updating amplitude is basically decided by the self-evaluated faith f H−1 i of SU i ; hence, the changeable size of r H i of each SU will become consistent basically, and the reputation assessment mechanism loses its function, as well.β > α also reflects the difference in credibility degree between DFC and the single node.In practical application, parameters α and β can be adjusted by empirical data in the CSS system or be determined by experimental results when the number of malicious SUs and attack patterns are known.
The single SU may possess distinct sensing performance at different sensing rounds due to human factors or objective factors; the reference value of the reported results a long time ago is relatively low and cannot reasonably reflect the current performance of SU.Therefore, the decay factor l is introduced to make the quality of the results reported recently accounting for a larger proportion.l should not be set too small, otherwise the historical behavior information cannot be brought into sufficient usage; on the other hand, remaining sensitive to the potential behavior change of SUs requires that l should not be set too large, either.
Different SUs have different reported history; generally, only part of SUs' statistical reputation values exceeds zero.We normalize the statistical reputations of these SUs, and r H i of SU i at the H-th sensing slot can be denoted as: In the initial stage, r 1 i = ∆, i = 1, 2, . . ., n. Apparently, manifold feasible modes can be utilized to combine the real-time reliability and statistical reputation effectively.Here, an easy and practicable mode is taken to acquire the holistic credibility by normalizing the sum of these two factors: Consequently, the holistic credibility calculation can differentiate malicious SUs from genuine ones on account of their historical behaviors; besides, it can hold the current difference for SUs to realize better real-time performance, as well.

Option and Amelioration for BPA
In terms of the holistic credibility of SUs, the DFC is able to choose competent SUs to take part in the subsequent procedure of evidence combination.Concretely, we compare the holistic credibility Cre H i of SU i with a determined credibility threshold ς.If Cre H i < ς, then it will be treated as a malicious user and abandoned at time slot H; conversely, if Cre H i exceeds threshold ς, the BPAs of SU i will be ameliorated by the DFC with the homologous holistic credibility:

Evidence Combination via the Dempster-Shafer Rule
All of the adjusted BPAs are appropriately merged to obtain the combined BPAs in accordance with the D-S evidence theory [22]: where λ is the same decision threshold as utilized in Equation (25).Once the DFC make the global decision, the statistical reputation can be updated for the detection of the next round of collaborative spectrum sensing.

Simulation Results
Numerous simulation experiments are provided in this section to evaluate the performance of the proposed faithworthy CSS scheme and compare it with several existing schemes, which are presented in Figures 3-8.Here, we presented four CSS schemes based on D-S evidence theory: 'D-S Cre' (Cre is the abbreviation for Credibility) represents our proposed faithworthy CSS scheme; the curve of 'D-S Men' (Men represents the author in [17]) shows the robust CSS method with mutually supportive degree presented in [17]; another enhanced scheme with similarity degree calculation proposed in [16] is shown as 'D-S Han'; and 'D-S Nhan' represents the enhanced scheme with reliability source evaluation proposed in [15].Besides, 'OPT LIN' shows the optimal linear CSS scheme proposed in [13], and 'SINGLE' shows the spectrum sensing scenario of single SU.The effect of both FAMD and FA attack models is explored with different numbers of malicious SUs.

Simulation Parameter Setting
The simulation experiments are conducted in a CRN with one LU, n = 6 SUs and one DFC, which are considered to run for 10,000 rounds.We assume the LU signal is the Digital Television (DTV) signal as in [14], and the probabilities of the presence and absence of LU are P H 1 = P H 0 = 0.5.The time-bandwidth product TW is set to be 20.The initial reputation value ∆ of each SU is six, and the credibility threshold ς is 0.75.In the statistical reputation, the decay factor l is set to be 0.9; the amendatory parameters α = 1, β = 3.As for attack parameters, the attack with probabilities P a = 0.8, and the attack intensity factors ξ = 0.6.We select the attack thresholds η as an right intersection point of two probability density functions (PDFs) under hypotheses H 1 and H 0 .In addition, the average received SNR values of six nodes are set to be −5, −4, −3, −2, −1 and 0 dB, respectively.

Performance Evaluation
Under the situation that no malicious SUs exist in the CR network, Figure 3 illustrates the sensing performance of the aforementioned six CSS schemes through receiver operating characteristics (ROC) curves.We take the sensing performance of single node (the second SU with average SNR γ 2 = −4 dB) as a reference curve, which is presented in the rest of the simulations, as well.As can be seen from the figure, each of the sensing schemes achieves superior performance under the absence of SSDF attackers in the network.It should be admitted that although our proposed scheme obviously outperforms the D-S Han and D-S Men schemes, it is slightly inferior to the OPT LIN and D-S Nhan algorithms.However, these two schemes need a priori information that the DFC is required to possess the average SNR of each SU in order to achieve limited performance advantage.Contrarily, in our proposed D-S Cre algorithm, only cognitive nodes need to utilize their own average SNR information in the phase of local evidence extraction, while the DFC does not need such a priori information.Accordingly, the implementation requirements for the proposed D-S Cre scheme are lower; meanwhile, it is easier to realize in actual CRNs.Furthermore, owing to the aid of the PA approach, half of the transmitted data volume has been reduced, which greatly saves the valuable resources of the control channel.Figures 4 and 5 show the sensing performance when there is only one malicious SU in the network; among which, Figure 4 illustrates the sensing performance when the MU adopts the FAMD attack model, and Figure 5 shows the detection performance when the FA attack model is employed by the malicious SU.In both cases, the worst network circumstance has been considered, i.e., the cognitive node with the highest average SNR SU 6 (γ 6 = −0 dB) is the only MU.The performance of a single node is considered the same as above.We can see from Figure 4 that, under the impact of one FAMD attacker, the sensing performance of our proposed faithworthy CSS scheme performs spectrum sensing in a robust manner, and it is obviously superior to all o the algorithms that have been taken into account.This means that the proposed D-S Cre scheme has the strongest ability for defense against FAMD attack from malicious SUs.The performance of all of the other CSS schemes suffer varying degrees of damage, especially for the OPT LIN method, which has extremely weak capability to counter the FAMD attacker.As illustrated in Figure 5, the performance of the proposed secure scheme has a slight advantage over the D-S Han and D-S Nhan schemes and outperforms the D-S Men and OPT LIN methods under the influence of a single FA attacker.Both the D-S Han and D-S Nhan methods performs equivalently under the presence of this sort of MU.The performance superiority of our faithworthy CSS scheme benefits from taking full advantage of the holistic credibility of SUs, meanwhile opting and ameliorating the forwarded basic probability assignment, as elaborated in Section 3.
Figures 6-8 have presented the performance comparison of each scheme when there exist two malicious SUs in the CRN.Without loss of generality, we consider the worst attack circumstance in the network, i.e., the cognitive node with the highest average SNR γ 6 = −0 dB (SU 6 ) and the node with average SNR γ 5 = −1 dB (SU 5 ) are assumed to be the two malicious users.In Figure 6, both SU 5 and SU 6 appear as FAMD attackers, whilst these two users adopt the FA attack pattern to launch the attack in the scenario in Figure 7. SU 5 in Figure 8 works as an FA attacker, while SU 6 employs the FAMD attack model to compromise the performance of the cognitive system.Under the impact of two FAMD attackers, as shown in Figure 6, the performance of all of the schemes within the scope of consideration have been seriously compromised, except for our proposed scheme.The performance of the comparison algorithm is even worse than that of the single node, which leads to an extremely detrimental effect on the cognitive system.On the contrary, the proposed D-S Cre scheme shows robust sensing capability, even under the situation of a destructive and powerful attack from MUs.This enables the CSS system to resist SSDF attack successfully.
Figure 7 evaluates the sensing performance of each scheme when there are two FA attackers in the network.It can be clearly seen that our proposed D-S Cre scheme possesses the most excellent performance compared to other CSS methods.The performance of the D-S Han scheme degrades dramatically in the presence of two FA attack users, and the OPT LIN method can maintaining relatively robust spectrum sensing performance.
In addition, the scenario of one FA attacker and one FAMD attacker existing in CRN is illustrated in Figure 8. Again, a sharp fall occurs in the contrast algorithms.The sensing performance of the D-S Men and OPT LIN schemes has a slight advantage over the D-S Han and D-S Nhan methods.However, none of them is capable of countering this sort of combined attack mode.Our proposed CSS scheme can still achieve preferable detection performance, i.e., detecting the LU signal and restraining malicious users in an effective and robust manner.
Ultimately, by comparing the performance of CSS schemes in Figures 6-8 with that in Figures 4 and 5, we can see that all CSS algorithms have different degrees of overall performance degradation with the increase of the number of malicious SUs.Therefore, the proposed D-S Cre method has obvious performance advantage both in detecting the licensed user and the malicious cognitive users; moreover, it has the strongest ability to defend against the typical SSDF attack behaviors.

Conclusions
In order to effectively defense against SSDF attack behaviors from malicious SUs, in this article, we propose a faithworthy CSS scheme based on the Dempster-Shafer theory of evidence and holistic credibility, including four consecutive procedures, which are basic probability assignment (BPA) with the PA approach, holistic credibility calculation, option and amelioration for BPA and evidence combination via the Dempster-Shafer rule, respectively.The projection approximation approach is introduced in this article to modify local BPA masses, which successfully reduces half of the required data volume transmitted from SUs to the DFC.Consequently, the transmitting bandwidth has been decreased, and the workload at DFC has been alleviated.Furthermore, through evaluating the credibility of SUs from both real-time difference and statistical sensing behavior, malicious SUs can be effectively distinguished from genuine ones.Abundant simulation experiments have been conducted and corroborated that the proposed scheme outperforms the existing ones under the influence of different attack modes and different numbers of malicious SUs.In the days ahead, more complex attack modes will be taken into account, meanwhile more effective approaches for holistic credibility calculation will be investigated.

Figure 4 .Figure 5 .
Figure 4. Detection performance comparison of each scheme when there is one false alarm and miss detection (FAMD) attacker in the network.

Figure 6 .Figure 7 .Figure 8 .
Figure 6.Detection performance comparison of each scheme when there are two FAMD attackers in the network.
2, . . ., p H and p H represents the number of sensing nodes whose BPAs are opted and ameliorated to take part in the center data fusion at time round H. Finally, in accordance with the following decision rule, the combined BPAs m H (H 1 ) and m H (H 0 ) are utilized to make the final global decision.The DFC compares m H (H 1 ) m H (H 0 ) with the decision threshold λ.If m H (H 1 )