SPECIAL SECTION ON RECENT ADVANCES IN COMPUTATIONAL INTELLIGENCE PARADIGMS

FOR SECURITY AND PRIVACY FOR FOG AND MOBILE EDGE COMPUTING

Received May 24, 2017, accepted June 12, 2017, date of publication June 21, 2017, date of current version August 8, 2017.
Digital Object Identifier 10.1109/ACCESS.2017.2717852

A Survey on C-RAN Security

FENGYU TIAN1 , PENG ZHANG1 , AND ZHENG YAN1,2 , (Senior Member, IEEE)
1 State Key Laboratory on Integrated Services Networks, School of Cyber Engineering, Xidian University, Xi’an 710071, China
2 Department of Communications and Networking, Aalto University, 02150 Espoo, Finland
Corresponding author: Zheng Yan (zhengyan.pz@gmail.com)
This work was supported in part by the National Key Research and Development Program of China under Grant 2016YFB0800700, in part
by NSFC under Grant 61672410 and Grant U1536202, in part by the Natural Science Basic Research Plan in Shaanxi Province of China
under Program 2016ZDJC-06, in part by the 111 Project under Grant B08038 and Grant B16037, and in part by the Academy of Finland
under Grant 308087.

ABSTRACT While 4G is speeding up its steps toward global markets, 5G has initiated its full development
to satisfy an increasing demand on mobile data traffic and big data bandwidth. Centralized data processing,
collaborative radio, real-time cloud infrastructure, and cloud radio access network (C-RAN), along with
their excellent advantages are being sought by more and more operators to meet end-user requirements. As a
promising mobile wireless network architecture, compared with traditional RAN, C-RAN has incomparable
advantages in terms of low power consumption, reduced base station (BS) numbers, and economic capital
and operating expenditure. It can also improve network capacity and BS utilization rate. Recently, C-RAN
security has aroused special attention and concern. However, the literature still lacks an overall review on it
in order to guide current and future research. In this paper, we first overview the architecture, deployment
scenarios, and special characteristics of C-RAN. We then provide a thorough review on the existing security
studies in the field of C-RAN based on its three logic layers and corresponding security threats and attacks.
Particularly, we discuss whether the current literature can satisfy the expected security requirements in
C-RAN. Based on this, we indicate open research issues and propose future research trends.

INDEX TERMS Cloud radio access network (C-RAN), security, security threats, 5G, trust.

I. INTRODUCTION For 2G, 3G or 4G, the Base Stations (BSs) in RANs

The consumption of wireless terminal data traffic has dra- are independent from each other. Each BS is located in a
matically increased in recent years. According to a study small area consisting of a set of sub-systems, e.g., cool-
conducted by Cisco, the global average mobile traffic con- ing, stand-by power, backhaul network, monitoring system,
sumption per user has jumped from 30 mega bytes per etc. A RAN connects hundreds of mobile devices, receives
month in 2012 to 2000 mega bytes per month in 2017 [1]. and processes signals from an Optical Transmission Net-
The number of mobile devices has tremendously increased work (OTN). Despite its wide deployment, a traditional RAN
as well globally, with average yearly increase at 8.3% implies serious waste of wireless spectrum resources [3].
Compound Annual Growth Rate (CAGR) from 7 billions Moreover, a mobile device is often inter-cell interfered by
in 2012 to 10.3 billions in 2017. Due to the shortage of nearby BSs. To overcome the problems of the traditional
bandwidth and frequency spectrum, traditional Radio Access RANs, IBM defined an initiative concept of Cloud Radio
Networks (RAN) has such shortcomings as high capital Access Network (C-RAN), which was called Wireless Net-
expenditure (CAPEX)/operating expenditure (OPEX), poor work Cloud (WNC) at the beginning [4]. Since then C-RAN
user experience, and low spectral efficiency. Thus, it cannot has drawn world-wide attention since it has potential to
meet increasing demands of both mobile users and mobile solve the shortcomings of the traditional RAN. The next
network operators. For example, the research in [2] and [3] generation mobile communication networks and wireless sys-
indicated that a growing number of mobile network operators tems (5G) chose C-RAN as a typical RAN architecture for
are becoming more and more cautious about Total Cost of supporting new mobile communications and services in year
Ownership (TCO) in order to keep their core network prof- 2020 horizon [5]. A C-RAN system consists of a virtualized
itable and competitive despite the rate of Average Revenue BSs pool, Remote Radio Heads (RRHs), and a front-haul
Per User (ARPU) dropping every year. network connecting RRHs to the BSs pool. In C-RAN, all

2169-3536
2017 IEEE. Translations and content mining are permitted for academic research only.
13372 Personal use is also permitted, but republication/redistribution requires IEEE permission. VOLUME 5, 2017
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
F. Tian et al.: Survey on C-RAN Security

BaseBand Units (BBUs) together form a virtualized BSs unauthorized entities from accessing sensitive data and
pool; RRHs collect the wireless signals of all wireless resources; (3) integrity that ensures the accuracy and reliabil-
devices; the front-haul network achieves radio signal level ity of the information transmitted over the wireless network
cooperative transmission. Through a general processor and throughout its lifecycle, which means the information cannot
Digital Signal Processor (DSP) controller located in the be falsified or modified by any malicious users; (4) availabil-
BBUs pool, the C-RAN system can efficiently and dynam- ity that offers users the possibility to acquire their required
ically reassign the front-haul network to address changing network resources at anytime and anywhere, while the net-
traffic needs of mobile devices [7]–[11]. Compared with the work should prevent the violation of availability, e.g., caused
traditional RAN, C-RAN has the following advantages. First, by Denial-of-Service (DOS) attacks.
based on the concept of centralization and virtualization of Mitola creatively put forward the concept of Software
the BBUs pool, C-RAN manages multiple individual BS Defined Radio (SDR) [14] and created such a new research
cells together as a whole in order to share their physical- direction of communication technology. Until it was com-
layer resources (e.g., frequency spectrum, time and physi- pletely defined by European Telecommunication Standards
cal location). Second, through real-time cloud computing, Institute (ETSI), it had attracted great attention. In 1999,
C-RAN can effectively balance non-uniform traffic, imple- Mitola first proposed the concept of Cognitive Radios (CRs)
ment load balancing, process aggregation and dynamic allo- [15], CRs is a new type of radio, based on SDR, which can
cation during different timeframes, which solves the ’tidal reliably sense a spectrum environment over a wide frequency
effect’ problem [6]. Third, C-RAN can greatly reduce inter- band, detect the presence of a legitimate authorized user
cell interference. The C-RAN architecture can support high (primary user), adaptively use the under-utilized part of the
scalability, which can easily add or subtract BBUs. It is a new spectrum at the same time without causing harmful interfer-
architecture by applying various open network technologies ence to the primary user throughout its communication pro-
(e.g., cognitive radio, wireless sensor and multiple input mul- cess. Cognitive Radio Networks (CRNs) consisting of CRs,
tiple output technology, etc.). By building BBUs in one pool, as a new wireless network, inherite not only the threats of
C-RAN can not only decrease site and bandwidth acquisition, the aforementioned wireless networks (e.g., eavesdropping,
but also make it possible to avoid inter-cell interference by MAC spoofing, identity-theft attack, etc.), but also faces new
applying joint transmission and reception or joint processing security threats and challenges. Due to its unique network
and coordinated beamforming technologies. characteristics, two basic CRNs research directions were pro-
However, the security and trust problem of C-RAN is posed [16]: cognitive capability and reconfigurability. In both
becoming more and more important and serious, which has directions, CRNs face a number of new and specific secu-
aroused special concern. In a wireless network, due to its rity threats and attacks, such as Primary User Emulation
open broadcast nature, a user either authorized or illegitimate, Attack (PUEA), Spectrum Sensing Data Falsification (SSDF)
can access it [13]. From the perspective of Open System attacks, Common Control Channel (CCC) attacks, Beacon
Interconnection (OSI) network protocol architecture, mali- Falsification (BF) attacks, Cross-layer attacks aimed at mul-
cious attacks can take place in different layers. For exam- tiple layers and Software Defined Radio (SDR) attacks. Cor-
ple, the two main primary attacks in physical layer (PHY) respondingly, At the same time, the literature [17] defined the
are eavesdropping and jamming attacks (a type of denial of security requirements in SDR and CRNs as follows: (1) con-
service attacks); in Media Access Control (MAC) layer, the fidentiality that ensures controlled access to resources; (2)
attackers’ focus is more of using MAC spoofing, identity- robustness that when the system is severely attacked, it cannot
theft attack, Man-in-the-Middle (MITM) attacks and network completely crash and can also provide basic communication
injection to impact Network Interface Controller (NIC) of services according to previous established communication
multiple network nodes assigned MAC addresses; in network protocol or strategy; (3) integrity that includes the protection
layer, attacks mainly include IP spoofing, IP hijacking and of system integrity and data integrity; (4) compliance to reg-
Smurf attack; transport-layer attacks mainly include TCP ulatory frameworks that means a system should be designed
flooding attacks and sequence number prediction attacks, by following local operator regulatory standards or frame-
as well as UDP flooding; particularlly, application layer is the works; (5) non-repudiation that implies the system can inves-
most vulnerable layer. Such attacks as malware attack, Struc- tigate any users’ actions, which cannot be denied, also
tured Query Language (SQL) injection, cross-site scripting called accountability; (6) verification of identities that means
attack, File Transfer Protocol (FTP) bounce attack and Simple authenticity.
Message Transfer Protocol (SMTP) attack can easily happen. C-RAN is inherited from CRNs and is in essence a
From the networking point of view, C-RAN could face vari- wireless network. Obviously, it also faces many common
ous malicious attacks and security threats as described above. security threats, such as PUEA, SSDF attacks, etc. As a
Zuo et al. [13] defined a number of security require- novel network architecture, due to its transmission and self-
ments in wireless networks: (1) authenticity that allows the deploying nature, it is facing more serious security threats and
user or device only confirmed by a true network node can trust problems than traditional wireless networks and CRNs,
be authorized to access restricted network resources via so security protection and trust management becomes very
a unique MAC address; (2) confidentiality that prevents important in C-RAN applications. Besides those enumerated

VOLUME 5, 2017 13373

 F. Tian et al.: Survey on C-RAN Security

above, there are also extra and new security threats and chal- II. C-RAN ARCHITECTURE AND CHARACTERISTICS
lenges that we need to explore and overcome when logging A. C-RAN ARCHITECTURE
into such a new wireless network architecture environment. Based on the collaboration between the virtualized BBUs
For example, security and trust should be considered with pool and RRHs, C-RAN has lower network delays com-
regard to the virtualized BBUs pool. C-RAN is a distributed pared to other cellular networks. According to a LTE pro-
network services architecture, its ultimate goal is to use joint tocol stack [3], there are L1, L2, and L3 layers in C-RAN.
processing and scheduling of radio resources to achieve high Among them, L1 is the physical layer (PHY), which mainly
traffic capacity and to reduce interference of a cellular sys- provides a data transmission service to the higher layers,
tem. Most of existing literature mainly focused on the design channel coding, rate matching and Multiple Input Multiple
of multi-point processing algorithms, which can take advan- Output (MIMO) technology, etc. L2 is the layer responsible
tage of special channel information and cooperation among for Media Access Control (MAC), Radio Link Control (RLC)
multiple antennas in different physical areas to achieve joint and Packet Data Convergence Protocol (PDCR) that mainly
processing and scheduling. Nevertheless, the real-time multi- provides data link control. L3 is the Radio Resource Con-
point processing, the transmission of the terminal device data trol (RRC) layer that mainly provides signalling and radio
and special channel information or dynamic traffic capacity resource control. In order to introduce the C-RAN into the
allocation are done in the virtualized BSs pool. So, the secu- traditional RANs and make them compatible with each other,
rity of the virtualized BSs pool and the trust of coopera- China mobile research institute proposed two C-RAN system
tion among resources located in different trusted domains architectures [6]. The first is called ‘‘full centralization’’, and
are essentially crucial in the C-RAN. However, the existing it integrates L1, L2, and L3 fully into a virtualized BBUs pool.
research of C-RAN still lacks a comprehensive overview on The other is ‘‘partial centralization’’, which separates the
C-RAN security and trust in order to guide current work and L1 and integrates it into RRHs. Figure 1 shows the difference
direct future research. between these two solutions, and Figure 2 shows the two
In this paper, we perform a thorough survey on C-RAN C-RAN architectures. The common ground between both is
security by reviewing the existing security schemes of wire- a front-haul link (e.g., digital radio over fiber, etc.), which
less networks, SDR networks and CRNs. We summarize provides an enormous transmission rate. In general, the virtu-
potential security threats in C-RAN and propose security alized BBUs pool and the BSs in the cloud are responsibility
and trust requirements in order to put forward some future for limiting radio signal transmission and reception, then
security research directions. In particular, the contributions remote RRHs are used to collect and manage signals from
of this paper are described below. end users based on a general processor and a Digital Signal
• We introduce the C-RAN architecture, discuss its Processor (DSP) controller.
main application scenarios and summarize its specific The first architecture, shown in Figure 2a, integrates all
characteristics; layers (i.e., L1, L2 and L3) and baseband functions into
• We analyze the security threats and vulnerabilities of the BBUs pool, benefitted from upgrading software and
C-RAN. We then review the existing literature studies, extending the existing network capacity. Moreover, due to all
introduce the solutions to security threats in different protocols are located in the virtualized BBUs pool, the oper-
logic layers of C-RAN and discuss their pros and cons. ators can protect protocol layer against security threats (e.g.,
• We propose security and trust requirements in C-RAN eavesdropping and jamming attacks, identity-theft attack,
and use them as a measure to figure out open prob- user access control, spectrum allocation, connection estab-
lems and propose future research directions in order lishment, etc.). Besides, based on the virtualized BBUs pool,
to motivate the research in C-RAN security and multi-standard digital signals can be flexibly and efficiently
trust. classified by a multi-cell collaborative signal processing
The rest of this survey is organized as follows. Section 2 technology. However, this goes along with that the OTN
introduces C-RAN architecture and main deployment sce- needs higher freeboard bandwidth to carry input/output (I/O)
narios. We compare C-RAN with the traditional RAN to signals. Once the baseband suffers from Small-Backoff-
highlight its specific characteristics. In Section 3, we review Window (SBW) attack [16], a monopolize attack against
the existing solutions to overcome security attacks or threats baseband, the whole network will suffer from a huge loss.
in C-RAN based on a logical structure of C-RAN [18] that The other architecture, shown in Fig 2b, integrates collab-
includes a physical plane, a control plane, and a service plane. orative function, L2 and L3 scheduling, and wireless resource
Section 4 refines the security requirements of C-RAN by allocation into the BBUs pool, benefitted from scheduling the
considering its specific characteristics. In Section 5, we use wireless resources and realizing the joint transmission or joint
the refined security requirements as a measure to compare reception in the PHY layer to improve cell edge performance.
existing work for discussing open research problems and Moreover, this architecture is similar to the present 4G net-
proposing future research trends in the field of C-RAN work architecture, which minimizes the change on existing
security and trust. Our conclusions are presented in the last transport networks. However, due to the fact that RRH in
section. C-RAN is deployed with limited functions (L1 only), the

13374 VOLUME 5, 2017

F. Tian et al.: Survey on C-RAN Security

FIGURE 1. Two solutions of C-RAN achitecure design according to different separation of L1 function module.

C-RAN may be vulnerable to the attacks at RRH or fronthaul scenario, the first architecture can solve the drop call problem
sides due to lack of authentication, access control, etc. better. First, it decreases the number of base stations by
centralizing the deployment of the BBUs in outdoor machine
B. C-RAN DEPLOYMENT SCENARIOS rooms or a specialized management center. Second, small
Current RAN technologies, e.g., Global System for Mobile and flexible remote RRHs can be installed in lampposts,
Communication (GSM), Long Term Evolution (LTE), Long shelters or waiting halls, which is not only suitable for this
Term Evolution Advanced (LTE-A), etc., can hardly meet scenario, but also avoids severe equipment damage and fast
end users’ traffic requirements. The C-RAN is expected frequent handovers.
to become a new technology to solve the aforementioned
challenges. Different application scenarios (e.g., macro cell, 2) SCENARIO 2
micro cell, pico cell, indoor coverage system, etc) have been In this scenario, we mainly discuss the places with the nature
studied based on the C-RAN architecture [6]. They were of a ’tidal effect’ phenomenon, which is also called as Inte-
discussed to play as a new alternative approach of current grated Service Access Zone (e.g., high science and tech-
cellular network to improve network performance and deliver nology parks, residential neighborhoods, industrial parks or
rich network services in a cost-effective manner. In this part, college campus, etc.). Moreover, in these places at a rush
we do not discuss all deployment scenarios since they are hour, BSs’ spectrum efficiency is low, which cannot be solved
not the emphasis of this article. We mainly overview some of by the traditional RAN well due to limited power, memory
the common scenarios that could be vulnerable to large-scale storage and computing capability [6]. In this scenario, the par-
security threats. tial centralization architecture becomes a better choice. This
architecture integrates the baseband processing into RRHs
1) SCENARIO 1 and deploys some BBUs in remote sites. The cooperation of
In this scenario, many people are assembled in highway, sub- both can quickly conduct joint transmission or joint reception
way or railway, where they change their locations quickly [6]. in a cell interval based on the joint processing and coordinated
In the traditional network architecture, when an end user’s beamforming technology. However, due to the L1 separates
terminal device switches too fast from an original cell to a from the virtual BBUs pool, there are many security threats
new one, drop call phenomena could often happen. In this against the physical layer’s functions.

VOLUME 5, 2017 13375

 F. Tian et al.: Survey on C-RAN Security

FIGURE 2. Two different C-RAN architectures based on different locations of L1 functions: (a) fully centralized architecture and (b) partially centralized
architecture.

3) SCENARIO 3 C. SPECIFIC C-RAN CHARACTERISTICS DISTINGUISHED

Another representative application scenario occurs in the FROM TRADITIONAL RAN
places where many different wireless access networks coex- The C-RAN network architecture has some similarity to the
ist, such as GSM, WLAN, Ad Hoc network, etc [6]. We call traditional RAN, but it also has some distinct differences as
it a heterogeneous network environment. In this environment, described below [6].
different kinds of network connect to the core network, and First, BBUs are centralized. The traditional BSs’ archi-
integrate into a whole through a same gateway. A unified tecture is all-in-one, and each or some need a separate
management platform manages all heterogeneous wireless computer room. C-RAN applies a distributed architecture,
network resources, which not only provides users with ubiq- and BBUs and RRHs together play the role of BSs. Hun-
uitous services and seamless handovers, but also improves dreds and thousands of BBUs are placed centrally in a
the utilization of resources. Rawat et al. [10] discussed sec- big computer room, and the RRHs are placed in the
ondary users and primary users competitively shared one outdoor.
RAN system’s idle spectrum resources. They proposed a Second, different BBUs closely corporate with each other
secure spectrum resource sharing algorithm based on cloud in the same virtualized BBUs pool. Different BBUs can
computing. In this scheme, the spectrum occupancy infor- quickly and efficiently exchange idle spectrum resources,
mation of heterogeneous cognitive radio networks is stored channel information and user data by introducing a real-
in a cloud computing unit. The cloud computing unit is in time and high-speed internal infrastructure, which reduces
charge of secondary user identity authentication, the access of the inter-cell interference and improve the whole system’s
spectrum opportunities, and connection establishment. In this capacity.
scenario, the remote cloud computing unit plays an important Third, the relationship between BBUs and baseband com-
role in the whole RAN architecture. Once the cloud system is puting resources is one-to-many. In the C-RAN architecture,
under wholesale attackes from the outside, the whole network baseband computing resources no longer belong to a BBU
service will be paralysed. alone but belong to the virtualized BBUs pool. Moreover,

13376 VOLUME 5, 2017

F. Tian et al.: Survey on C-RAN Security

FIGURE 3. C-RAN logic architecture.

Resource allocation is shared in a common pool of virtualized summary on existing work about C-RAN security and point
resources. out their advantages and shortcomings.
Fourth, the base station is software defined. In the
C-RAN architecture, the BBUs realize the function of base- A. SOLUTIONS TO OVERCOME THREATS RELATED TO
band processing based on a uniform and open software radio PHYSICAL PLANE SECURITY
platform. The BBUs can support multi-standard air inter-
As we can see in Figure 3, the physical plane is mainly
face protocols and easily upgrade wireless signal processing
responsible for performing virtualized resource allocation,
algorithms. In addition, virtualization technology makes BSs
node switch (e.g., signal transmission and processing) and
very flexible, and the BSs of different operators can establish
baseband pool interconnection based on the channel decod-
collaboration and work together in an easy way, through
ing technology, multi-point processing, Fast Fourier Trans-
sharing resources and processing power of the BSs. However,
form (FFT), and so on. The safety of the physical plane is
there still remains some unsolved security and trust problems
a foundation that guarantees a secure and reliable C-RAN
in practice, such as identity authentication across operator
system. This plane has been a focus of security concern.
domains, trusted collaboration establishment, trusted coop-
The existing work mainly focuses on overcoming the the
eration environment, etc.
following attacks and threats.
III. SOLUTIONS OF SECURITY THREATS AND
VULNERABILITIES IN C-RAN 1) EAVESDROPPING ATTACK
In 2015, Wu et al. [18] proposed a novel logical structure of Massive MIMO technology has drawn operators’ attention
C-RAN, which includes physical plane, control plane, and and will be integrated in 5G network architecture. It is one
service plane, as shown in Figure 3. It focuses on service- of the key techniques of C-RAN physical layer. However,
oriented cloud architecture, commerce and personal resource corresponding security problem occurs immediately. Eaves-
scheduling and management. In this section, we review and dropping attack is a common problem in all RANs. To prevent
discuss existing solutions to resist the threats and attacks BS and channel estimation from passive eavesdropping and
in the C-RAN communication system based on the C-RAN active attacks, Kapetanovic et al. [19] discussed the bene-
logical structure. We make a comprehensive investigation and fits of Massive Multiple-Input Multiple-Output systems to

VOLUME 5, 2017 13377

 F. Tian et al.: Survey on C-RAN Security

physical security, and introduced two schemes for detecting by analyzing node reports. When the suspicious level reaches
the eavesdropping attack. In the first scheme, a legitimate the certain threshold, the node will be regarded as an imper-
user can generate an additional random phase-shift keying sonation malicious CR node and its report will be excluded.
sequence, and the BS can effectively detect the eavesdropping The scheme repeats this procedure for the remaining nodes
attack through the received sequence. In the second scheme, until there are no malicious nodes detected. Experimental
there is no need to generate additional random sequences. The results showed that the scheme can improve the performance
beamformer is adopted to detect the eavesdropping attack. of collaborative processing of CR nodes, and efficiently
Benefited from the same beamformer (between a BS and detect malicious nodes. But this scheme has a shortcoming
an initial user), the BS transmits a pilot to the initial user that it allows the suspicious level of a node change from
based on a received signal. The initial user can compare this high to normal. This means that malicious nodes may not be
pilot with a previously agreed value (between the BS and completely excluded.
the initial user). When eavesdropper forges and modifies the
original information to BS, this value will change. However, 4) PUEA (PRIMARY USER EMULATION ATTACKS)
compared to a cooperative detection scheme, there is a short- In general, the traditional core network can authenticate a
coming of these two schemes since they need more than two user’s identity by Evolved Packet System (EPS) and Key
interactions (between the BS and the initial user) to detect the Agreement Protocol. However, in C-RAN, there exist the pri-
attack, which increases communication overhead. mary users (PUs) and the secondary users (SUs). The network
environment is more complex compared to the traditional
2) JAMMING ATTACK core network. For example, malicious attackers can occupy
It is also called DoS attack, which means a malicious node a specific idle spectrum band by imitating the characteristics
interferes with other network nodes’ radio frequencies by of the PUs, then interfere radio frequencies in the form of
sending out white noise or other useless network traffic sending false signals or conducting a DoS attack. When the
signals. Mpitziopoulos et al. [20] surveyed the most com- SUs want to achieve the spectrum resources, terminal nodes
mon jamming threats in wireless sensor networks, such as may refuse their demands by making an excuse that there are
spot jamming, sweep jamming, barrage jamming, and decep- no idle resources.
tive jamming. The authors classified the jamming attacks Chen et al. [22] proposed a localization-based
and summarized four possible jamming goals: (1) through defense (LocDef) scheme to detect the signals that an adver-
an immediate DoS attack to block user access to the radio sary’s CR emulated based on the PUs’ signals. The proposed
network nodes; (2) occupying most of the spectrum and scheme can estimate a given signal’s location and its signal
leaving a small portion of the spectrum to degrade core characteristics to verify whether it is an incumbent signal.
network functions; (3) learning the defense strategy of the First, the LocDef scheme uses a spectrum sensor to generate
core network in order to achieve the next attack; (4) herding snapshot of received signal strength measurements. Next,
of a jammer by attacking a radio network node concert with according to the peak of the snapshot, the scheme can esti-
other malicious jammers. mate the identity and geographical location of a primary user.
Simulation results showed that this scheme can effectively
3) IMPERSONATION ATTACK defeat PUEA and has strong expandability to meet the needs
Impersonation attack is often mentioned as a threat in the of various types of wireless network architecture. But this
literature. In the traditional radio network architecture, there scheme has a shortcoming that it is easily to be disturbed by
are two types of main impersonation attacks: Cognitive obstacles.
Radio (CR) node impersonation attack and primary user Yao et al. [23] proposed a physical layer authentication
impersonation attack. In the first type, assuming that a scheme and discussed the benefits of cryptographic signa-
CR node is attacked, it can cooperate with other attacked tures and wireless link signature technology to detect a pri-
nodes, and provide false information (e.g., idle spectrum and mary user’s signals and distinguish a legitimate user’s signal
user geographical location) to a normal node. More seriously, from an attacker’s signal. The scheme proposed that a helper
it may even refuse to provide services in order to achieve node is placed physically around a primary user. The function
selfish aims or damage the core network. In the C-RAN of the helper node is to enable secondary users to verify
architecture, due to its open nature, any CR nodes either cryptographic signature information sent by the helper node
illegitimate or not can access the core network functions. For and obtain the helper node’s authentic link signatures to verify
example, in the scenario 3 as described above, the effects whether the primary user’s signal is true. In the whole pro-
of different CR nodes are different in this heterogeneous cess, the helper node plays as a role of a ‘‘bridge’’. The helper
network environment. It could be very common that when a node can be applied to support the primary user’s authen-
user tries to access a malicious CR node, its spectrum sensing tication and feedback. Besides, the authors also proposed a
search cannot have any result. corresponding algorithm that can be used for authentication.
Wang et al. [21] proposed a scheme to defend against CR Experimental results showed that this scheme is feasible, and
node impersonation attack. They allocated a default threshold greatly reduces the number of PUEAs. However, the weak-
for each CR node and obtained the suspicious level of a node ness of this scheme is the security and trustworthiness of the

13378 VOLUME 5, 2017

F. Tian et al.: Survey on C-RAN Security

helper node are ignored. Once the helper node is attacked, exchange encrypted information through certified cognitive
the secondary users will not be able to judge the validity of the radio nodes. In [31], the authors discussed multi-input multi-
cryptographic signature information and the authentic link output wiretap channels and proposed a many-to-many trans-
signatures. mitter and receiver pattern around the one to one transmitter
Borle et al. [24] proposed a physical layer authentication and receiver pattern. For this multiple antenna channel, they
scheme to defend PUEA. This scheme is divided into two drew a conclusion that this channel could load maximal secu-
steps: (1) when a primary user transmits a signal, it can use a rity capacity. Dong et al. [32] used three cooperative relay
one-way hash chain to generate an authentication tag. (2) the protocols, that are decode-and-forward, amplify-and-forward
authentication tag is embedded into the signal by constella- and cooperative jamming, to improve the security of the phys-
tion shift. This is similar to the way of digital watermarking. ical wireless channels. However, there is a shortcoming that
Experimental results showed that this scheme is reliable and the above works are based on the ideal channel state infor-
almost do not cause performance degradation. However, its mation, which means the Channel Quality Indicator (CQI) is
shortcoming is this authentication tag is generated by a hash high, such as higher signal noise ratio and lower error code
algorithm, which may result in a high tag bit error rate. The rate.
authors did not evaluate the computational overhead caused Other researchers studied wireless channel threats in the
by the above operations. presence of Channel Estimation (CE) errors in fading wireless
Jin et al. [25] analyzed the advantages between Neyman- environments. Jia et al. [33] discussed the security and relia-
Pearson Composite Hypothesis Test (NPCHT) and Wald’s bility of C-RAN wireless channel with CE errors. The authors
Sequential Probability Ratio Test (WSPRT) in preventing analyzed the performance of C-RAN in the presence of CE
from PUEAs. They discussed the feasibility of NPCHT and errors in Rayleigh fading channels and proposed a three-
WSPRT to detect PUEAs in fading wireless channels in the phase (i.e., BBU, RRHs and users.) transmission scheme.
presence of multiple malicious attackers. This study showed This scheme first selects an optimal RRH in all RRHs, which
that when primary signal loss probability is above a criti- is used as a bridge to exchange information between the
cal threshold (e.g., 50%), NPCHT is more efficient against BBU and users and prevent eavesdroppers from attacking
certain PUEAs than WSPRT, and vice versa. However, both the C-RAN channel. Simulation results showed that the more
NPCHT and WSPRT are used to detect PUEAs in a certain the number of RRHs is, the better the C-RAN security per-
network radio frequency, they do not apply to all network formance regarding CE error interference. However, a short-
types. coming of this scheme is that an eavesdropper can attempt to
In current research, most of schemes defended PUEAs interfere the selection process or directly attack the optimal
based on received signal power. Chen et al. [26] first designed RRH.
a new PUEA, which actively obtains the key information
of a primary user (e.g., the transmit power of the primary B. SOLUTIONS TO OVERCOME THREATS RELATED
user, the channel parameter, etc.) by applying estimation RELATED TO CONTROL PLANE SECURITY
techniques and learning methods. They then proposed a novel As shown in Figure 3, the control layer of C-RAN is divided
variance detection method to resist this attack. This detection into two modules: service maintenance module and resource
method estimated the invariant of a communication channel, management module. The resource management module is
the variance of the received signal power of the primary user, responsible for resource allocation and distribution with
then used this information to determine whether this signal is context-awareness. The service maintenance module con-
normal or from a malicious user. This work verified that the tains the functions for service advertisement and negotiation,
invariant of communication channel is important for prevent- and protocol management (e.g., Quality-of-Service manage-
ing PUEAs. However, its drawback is when the variance of ment, common control channel, spectrum resource allocation,
the signal power received by the primary user and the attacker MAC and network layer protocol management, etc.). The
are identical, this scheme will not work. physical plane security is the precondition to guarantee a
secure and reliable C-RAN system. However, control plane
5) WIRELESS CHANNEL THREATS security is the core of C-RAN security. Current research in
According to whether channel state information is prefect, control plane security focuses on the following aspects.
wireless channel security researches can be broadly divided
into two categories. One is detecting security threats based on 1) NETWORK AND MAC LAYER PROTOCOL ATTACKS
ideal channel state information (e.g., studying eavesdropping As mentioned in Section 1, network layer protocol attacks
attack in no fading wireless environments, etc.) [27]–[32]. mainly include IP spoofing, IP hijacking and Smurf
Safdar and Neill [30] described the advantages of common attack [13]. We do not further discuss them herein. Target-
control channel for cognitive radio communication system ing at the MAC layer attacks, previous literature often pro-
security. Besides, a secure common control channel frame- poses novel cognitive radio MAC protocols to improve radio
work was proposed, which establishes a secure and effective nodes’ cognitive ability and security in a distributed cognitive
communication session between two cognitive radio nodes radio architecture [34], [35]. In [34], Cormio and Chowdhury
after mutual authentication. Thus, nodes can reciprocally investigated the application scenarios, features, advantages

VOLUME 5, 2017 13379

 F. Tian et al.: Survey on C-RAN Security

and disadvantages of the common cognitive radio MAC pro- A network operator allocates radio resources to multiple
tocols, and divided them into three classes: random access service providers. They proposed a user-centric security
protocols, time slotted protocols and hybrid ones. In [35], resource allocation scheme and a corresponding algorithm
an opportunistic spectrum MAC protocol was proposed to based on user self-condition, such as user Quality-of-
protect MAC layer security. This protocol can be used for Service (QoS) requirements and data upload and download
adaptively and dynamically seeking and utilizing available rates. However, the security problems of radio resource shar-
spectrum bands of licensing and unlicensed spectra. Different ing were not discussed. C-RAN inherites RAN’s advantages.
users can access and share these resources. Licensed and It can widely sense spectrum band and modifies frequency
unlicensed users can mutually cooperate with each other. parameters based on the change of radio frequency in real
However, in order to ensure that different users can commu- time. Rawat et al. [10] discussed spectrum resource threats
nicate with each other, this protocol depends on a trusted third in C-RAN. Compared to the traditional radio wireless net-
authoritative party to divide available spectrum into a secure work’s one-to-one architecture, the C-RAN architecture uses
common control channel and multiple secure data channels. distributed RRHs and centralized virtual BBUs pool man-
agement, which is more vulnerable in terms of spectrum
2) COMMON CONTROL CHANNEL THREATS security. For example, a malicious user or node selfishly uses
A common control channel is different from a band channel unauthorized spectrum resources to induce a lot of traffic and
in that the former uses a predefined frequency channel to occupy bandwidth, or it exploits this to generate a DoS attack
send or receive information (e.g., collaborative processing to others.
requests, spectrum resource state and channel negotiation Huang et al. [39] studied how to improve QoS required by
information, etc), which is very important for operators [16]. users. Through maximizing the various modules of C-RAN
Fragkiadakis et al. [16] pointed out that a common control (e.g., virtual BBUs pool, user groups, RRHs and transmit
channel faces three threats: (1) MAC spoofing since most beamforming, etc.), they proposed two algorithms. One is
of current cognitive radio networks lack a model that can dynamic user-centric scheduling algorithm for solving the
authenticate data integrity spread to every node; (2) extended imbalance between users’ traffic and their non-uniform geo-
DoS threats; (3) jamming attacks. graphical locations. The other is transmit beamformer opti-
Bian and Park [36] analyzed two kinds of improper behav- mization algorithm to achieve an optimal allocation between
iors: DoS attacks and selfish misbehaviors. In the DoS each user’s maximize QoS and each RRH’s maximize capac-
attacks, attackers can exploit the control channel saturation ity load. By applying both algorithms, the security per-
problem to attack the common control channel and impair formance and utility of the whole C-RAN system can be
its functions (e.g., resource allocation function). Regarding improved with sound QoS. However, this approach needs to
the selfish misbehaviors, a selfish CR node impairs the com- collect user personal information, but does not consider user
mon channel negotiation process by disrupting data packets privacy.
forwarding, which causes false channel information (e.g.,
about channel availability). The authors also discussed an 5) SSDF ATTACK
authenticating MAC layer control frames, which is similar to Among radio spectrum resource threats, the most widely
IEEE 802.22. However, it is infeasible for CRN, because it researched one is SSDF attack, in which malicious users
lacks a key management infrastructure. disturb the accuracy of collaborative spectrum sensing and
resource allocation by sending error observations in a CRN
3) IEEE 802.22 SPECIFIC THREATS environment. Chen et al. [40] proposed a joint spectrum
In 2006, IEEE 802.22 was designed as the first standard sensing and resource allocation scheme to resist the SSDF
for providing confidentiality and authentication in the MAC attack. In this scheme, they selected optimal users for coop-
layer. IEEE 802.22 adds some new air interfaces based on erative spectrum sensing based on their trust degrees to avoid
the Wireless Area Network (WAN). In [37], Bian and Park malicious attackers in resource allocation. The trust degree
described the common threats that IEEE 802.22 faces, such is evaluated based on the users’ past behaviors. However, a
as DoS attack, replay attack, special jamming attack, PUEAs, drawback of this scheme is it has an error rate problem, which
and wireless microphone beacon. Besides, they discussed a may mistakenly think a normal user as a malicious attacker.
secure sub layer based on the IEEE 802.22 standard, which In the C-RAN architecture, to a certain extent, the centralized
includes an encapsulation protocol and a privacy-preserving virtual BBUs pool defends against this attack by uniformly
key management protocol. However, the secure sub layer observing and processing the spectrum signals that remote
lacks an effective solution to generate, manage and distribute RRHs sense. The SSDF attack seriously affects the balance of
related keys. system spectrum resource allocation, especially for the virtual
BBUs pool.
4) RADIO SPECTRUM RESOURCE THREATS Cooperative spectrum sensing and resource allocation
Niu et al. [38] first discussed the process of dynamic technique is a common method to prevent from attacks. There
resource sharing in the C-RAN architecture, where end users are lots of existing studies in this research direction [41]–[43].
subscribe to radio resources from their service providers. Chen discussed several factors (e.g., signal-to-noise ratio,

13380 VOLUME 5, 2017

F. Tian et al.: Survey on C-RAN Security

signal-to-interference ratio, the number of secondary users, only consider the QoS problem, but unaware of who is the
sample correlation, etc.) for reducing secondary user inter- service provider. The service provider only needs to meet
ferences in a collaborative spectrum sensing process [42]. users’ requirements regardless of their identities. Recently,
The research results showed that the secondary user inter- the service plane’s safety has attracted increasing attention
ferences are a controllable factor, which may cause varying due to its importance. In C-RAN, the service layer should
damage on the collaborative spectrum system. However, this prevent the cloud infrastructure and the virtual BBUs pool
work cannot fundamentally defend against the SSDF attack. from invasion and provide security functionalities such as
It only reduces the damage of collaborative spectrum as more identity authentication, access control, and so on. Current
as possible. Zheng et al. [43] discussed the effect of each security research in the service layer focuses on overcoming
cognitive node’s signal-to-noise ratio on each node’s sensing the following attacks and threats.
and reporting ability and proposed a collaborative spectrum
algorithm based on the compasion of the signal-to-noise 1) TRANSPORT AND APPLICATION LAYER PROTOCOL
ratios of nodes. The research results showed that using the ATTACKS
nodes with a sound signal-to-noise ratio can greatly improve As discussed, the application delivery service mainly involves
the secrecy capacity of the collaborative spectrum sensing relevant protocols in the transport and application layers.
process. However, this algorithm estimates the quality of each The attacks in the transport layer or the application layer
node’s signal-to-noise ratio by transmitting additional signal- include TCP/UDP flooding attacks, sequence number predic-
to-noise ratio information to the core network. In this process, tion attacks, SQL injection, FTP bounce attacks and SMTP
the confidentiality and integrity of the information cannot be attacks, and so on [13]. This is similar to the traditional wire-
guaranteed. less network. Thus, we do not further discuss their detection
Weighted Sequential Probability Ratio Test (WSPRT) is solutions herein.
a very effective way to prevent from the SSDF attack.
Zhu and Seo discussed the shortcomings of this method. 2) CLOUD COMPUTING SECURITY THREATS
First, it needs high sampling numbers of nodes. Next, its One of the biggest difference between the traditional RAN
robustness is low, and it easily deadlocks. Finally, it can only and C-RAN is that cloud computing is applied in C-RAN.
be applied into a simple and stable wireless environment. Thus, it is important to consider cloud computing security
The authors proposed two solutions to overcome the above problems. At any time, when multiple base stations share a
problems. One is Enhanced Weighted Sequential Probability resource (e.g., service, hardware, data storage, etc.) over the
Ratio Test (EWSPRT), which adds and updates five new cloud, a security risk could occur. The C-RAN architecture
functions: (1) weighting and allocating node’s credit; (2) soft applies cloud computing related technology (e.g., virtualiza-
decision; (3) setting different nodes with different priorities; tion technology, cloud storage, real-time data analysis and
(4) periodically truncating terminals’ signals, which is used process, etc.), which brings new secure threats and chal-
for testing; (5) periodically measuring CRN’s noise level. The lenges. In [46], the authors summarized the opportunities,
other is Enhanced Weighted Sequential Zero/One Test (EWS- solutions, and progress of cloud security and privacy research
ZOT). Compared to EWSPRT, EWSZOT only lacks sequen- in recent years, such as data storage and management security,
tial test and soft decision function. This research showed that access control, trust management, and so on. They pointed out
both EWSPRT and EWSZOT perform better for detecting the the shortcomings of the traditional cryptographic techniques
SSDF attack than WSPRT. However, the robustness of these and security policies, such as lengthy computations, the lack
two schemes cannot be ensured, which may cause additional of reliable trusted third party and so on. In [47], the authors
instability and increase error rate. discussed the threats and security challenges of the cloud
Li et al. [45] proposed a new algorithm for detecting abnor- system, and defined the basic requirements for building a
mal SSDF attacks. This algorithm estimates the abnormal secure and trustworthy cloud system: (1) outsourcing security
realted to SSDF attacks based on a data mining technology that the cloud provider shall be trustworthy by providing trust
by analyzing each user’s historical informtation (e.g., user and privacy protection, and they should ensure the confiden-
geographical locations). The advantage of this algorithm is tiality and integrity of the outsourced data; (2) multi-tenancy
that defenders do not need to know concrete attack types security that the shared cloud platform should ensure the
and various attacks can be flexibly detected. However, this security of resource allocation in a a virtualized environment;
algorithm needs to collect user personal information, which (3) massive data and intense computation security that it is
intrudes user privacy. But user privacy protection was not necessary to design new strategies and protocols to satify
considered in this study. massive data and intense computation. But the authors did not
discuss the trust attribute of the security cloud ecosystem.
C. SOLUTIONS TO OVERCOME THREATS RELATED TO Cloud Security Alliance (CSA) proposed nine security
SERVICE PLANE SECURITY threats with regard to cloud computing in [48]. For C-RAN,
The service plane of the C-RAN architecture is a cloud the following security threats should be seriously considered:
platform, which directly interacts with the users or service data loss and leakage, shared technology issues, abuse and
providers. For example, with the service plane, end users nefarious use of cloud services, and Distributed Denial of

VOLUME 5, 2017 13381

 F. Tian et al.: Survey on C-RAN Security

Service (DDoS) attacks. One example attack is a hacker can distinct characteristics, thus faces specific security chal-
steal other virtualized machines’ private key from one virtual- lenges. Section 3 reviews security schemes related to C-RAN
ized machine. Besides, virtualized BBUs are responsible for with regard to the threats and attacks in its three logic layers.
handling cloud services, user data, spectrum allocation and so In this section, we summarize the relevant security require-
on based on hardware resources. Once the virtualized BBUs ments that a C-RAN system should satisfy in order to resist
pool is attacked, the core network performance will be greatly various threats and attacks. We also use these requirements
influeced, which may lead to serious damage and economic as a measure to compare existing security solutions (as shown
loss. in Table 1) and attempt to find open issues for directing future
research trends. For some security requirements, we discuss
3) VIRTUALIZATION THREATS them in terms of cloud computing services.
One of main technology applied in cloud computing is
virtualization. In the C-RAN architecture, virtualized BSs A. ACCESS CONTROL TO RESOURCES (AC)
pool security is important for the overall network archi- This is the most basic security requirement that a C-RAN
tecture. In [49], the authors discussed and summarized the system should fulfill. The system should forbid unauthorized
current security solutions and challenges of virtualization users to access resources or services anytime and anywhere.
technology. For current common virtualization attacks (e.g., It is an effective solution to fight against PUEAs, privacy
tampering guest or host machine, virtual machine covert intrusions and cognitive radio node impersonation attacks.
channel, virtual machine-based rootkits and Virtual Machine
B. ROBUSTNESS (Rb)
Manager (VMM) attacks), they summarized four defense
methods: virtual machine-based intrusion detection, vir- The C-RAN system should not only ensure the robustness of
tual machine-based kernel protection, virtual machine-based software or hardware resources, but also guarantee the robust-
access control, and virtual machine-based trusted computing. ness of the cognitive radio channel for meeting the QoS of
But they did not carry out experiments to verify the validity communication services required by users. In some scenarios,
of the defense methods. the robustness of spectrum sensing should be enhanced when
some sensing nodes are easily malfunctioned. Robustness is
4) PRIVACY THREATS an essential requirement for overcoming the security threats
The privacy of users is easily attacked. In C-RAN application caused by jamming, DoS or DDoS attacks.
scenarios, it is common that idle spectrum resources are C. CONFIDENTIALITY, INTEGRITY AND AVAILABILITY
allocated to users based on the users’ geographic locations. (C\I\A)
In this process, users’ private information (e.g., personal No matter which kind of framework, one-to-one architec-
affairs, personal information and personal domain, etc.) may ture or novel C-RAN architecture, confidentiality, integrity
be leaked to unauthorized parties. Thus, mobile user privacy and availability are commonly considered as three basic secu-
should be considered, especially when a user is served by a rity properties. Integrity means that the system, the compo-
cloud computing service that cannot be fully trusted. How- nents of the system, and the data or information transmitted
ever, the literature still lacks study on this issue. in the system are complete. Any data, such as user data and
spectrum resources, should be confidential and available as
5) OTHER SECURITY THREATS a whole. In the C-RAN system, confidentiality requires data,
For C-RAN, some studies explored the cloud platform no matter signal processing results, required cloud computing
itself (e.g., openstack, cloudstack, etc.) to improve the secu- services, or user data, uploaded to the virtualized BBUs pool
rity of the whole architecture. Sze et al. [50] aimed at the should have exclusiveness. Only authorized users can access
safety of the openstack cloud platform. They proposed an or use these data. Integrity requires the data associated with
attack method. In this attack, the attackers hack into a com- cloud computing is complete, effective and real, which cannot
puter node, get its administrator privileges of the virtual be illegally manipulated, corrupted, tampered, and forged.
machine deployed on the node, then they can steal all tenant’s Availability of the C-RAN requires any data or services is
token and the administrator rights of the whole platform. continuous and punctual, which is not interrupted or delayed.
In order to resist this attack, they proposed a secure platform
framework, which supports freely designing a security policy D. AUTHENTICATION (Au)
towards ensuring secure interaction between different com- Authentication is a very effective way to overcome CR
ponents and nodes. But this framework has a limitation that node impersonation attacks and primary user imperson-
it cannot prevent other types of attacks. ation attacks. By applying an authentication mechanism, the
C-RAN system can verify who performs what, thus possible
IV. SECURITY REQUIREMENTS OF C-RAN to detect fake CR nodes and malicious users. Moreover, it is
In Section 1, we introduced the security requirements of essential to discuss a new authentication mechanism to sup-
the traditional wireless network, SDR network and CRNs. port authentication across domains and collaboration among
By discussing the C-RAN architecture and deployment sce- multiple mobile operators in order to resist potential security
narios in Section 2, we can see that C-RAN holds its own threats when switching or accessing CRN.

13382 VOLUME 5, 2017

F. Tian et al.: Survey on C-RAN Security

TABLE 1. Comparison of existing work based on C-RAN security requirements.

E. PRIVACY (Pr) effective solution to overcome virtualization threats or MAC

In C-RAN, the privacy of operators and end users should layer related threats.
be considered. The privacy of end users can be divided into
data privacy, identity privacy and personal information pri- G. COMPLIANCE TO LOCAL REGULATORY STANDARD
vacy. Most Communication services are to gather data and (CLRS)
personal information around end users themselves, which The C-RAN system should be designed to meet the regulatory
may reveal information sensitive to their privacy. Adversaries standards of its local operator, which is a prerequisite for the
would further extract more personal information about work- establishment of a communication system. When the C-RAN
ers, such as location information, trajectory, and preference. architecture is deployed in a public place, it should meet all
relevant security standards and requirements made by the
F. TRUSTWORTHINESS (Tr) Trans European Trunked Radio (TETRA) or the Association
Compared to a traditional cellular network, the C-RAN of Public-Safety Communications Officials (APCO).
communication environment has such characteristics as
highly scalable, open and heterogeneous. Many C-RAN H. NON-REPUDIATION (NR)
usage scenarios are accomplished effectively through the It is also called accountability. The C-RAN system can verify
cooperation among mobile operators. Therefore, a trust man- any users’ actions, and this kind of action cannot be denied.
agement mechanism becomes crucially important to realize It is an effective solution to overcome the threats caused by
trustworthy collaboration among the operators. It may be an impersonation attacks and radio spectrum attacks.

VOLUME 5, 2017 13383

 F. Tian et al.: Survey on C-RAN Security

V. OPEN RESEARCH ISSUES AND FURTURE RESEARCH Fifth, achieving physical layer security is especially chal-
TRENDS lenging due to the open nature of C-RAN. The phy
A. OPEN RESEARCH ISSUES sical layer security has always been a hot spot of
We compare the existing work with regard to the above research. Although we can see all kinds of methods are used
requirements. The result is shown in Table 1. The table is to prevent from physical layer attacks in the literature. Still,
classified according to the C-RAN logic layers that face effective solutions for C-RAN physical layer security are
different security threats or attacks. We observe a number of missed.
open issues in the area of C-RAN security. Finally, there are other open issues which need us to dis-
First, the literature lacks a comprehensive and universal cuss and research, such as, cloud computing security issues,
C-RAN security framework that can fulfill all security virtualization security, and so on. Therefore, the open issues
requirements. Most existing work only concerned some spe- with regard to cloud computing security are well worth our
cific security issues regarding different planes of the C-RAN research for achieving C-RAN security.
logic architecture. As shown in Section 3, none of existing B. FURTURE RESEARCH TRENDS
solutions can defend against all security threats and satisfy
Based on the open research problems discussed above,
all security requirements.
we further propose a number of promising research directions
Second, a more efficient radio resource allocation and
to motivate our future research.
management scheme should be studied to improve the secu-
rity of the C-RAN system. Among the security requirements, 1) INVESTIGATION OF A UNIVERSAL AND COMPREHENSIVE
secure spectrum resource management (e.g., spectrum sens- C-RAN SECURITY FRAMEWORK
ing, spectrum sharing, and spectrum allocation, etc.) is con- This framework should integrate the current advance of
sidered to be the most important challenge. Original spectrum C-RAN security technologies, which can resist various secu-
sensing techniques generally use energy detection methods, rity threats and attacks in different logic layers. It should
which do not resist all radio spectrum resource threats in the also take all security requirements into account for supporting
complex C-RAN communication environment. For example, different C-RAN deployment scenarios.
the centralized and virtual BBUs pool can effectively resist 2) INVESTIGATION OF A UNIFORM, EFFICIENT AND SECURE
the SSDF attack to some extent. But there exists security AUTHENTICATION MECHANISM
weakness that adversaries can attack the pool by massive When users access or switch a radio network node in
attacks in a centralized way. The literature still lacks relevant C-RAN, this mechanism can uniformly authenticate a user
researches to solve this problem. and verify data security in all scenarios of C-RAN system.
Third, privacy preservation has been a hot topic dis- The traditional core network can authenticate user identities
cussed widely. But based on our survey, there is no much with Evolved Packet System (EPS) and Key Agreement Pro-
related work about privacy preservation in the field of tocol. However, it cannot meet the practical security require-
C-RAN. In many C-RAN application scenarios, due to ment of C-RAN, especially for roaming and inter-operator
business requirements, the service providers need to obtain cases.
user personal information, such as user locations, personal
3) INVESTIGATION OF A SECURITY TECHNOLOGY THAT
identities and behaviors. So, it is necessary to propose a
ALLOWS DIFFERENT OPERATORS TO SHARE THE MAXIMUM
C-RAN privacy preservation method to avoid the leakage
AMOUNT OF RESOURCES IN THE VIRTUALIZED BBUs POOL
of user personal information. From a user point of view,
IN A TRUSTWORTHY WAY
he/she expects high QoS without worrying to sacrifice pri-
vacy. How to solve this problem is a still open research Concretely, we need a trust mechanism to let an operator
issue. auditing and monitor how many resources have been con-
Forth, trust management in C-RAN is expected in practice, sumed at another operator, especially for the ones borrowed
which, however, has not yet seriously explored. As discussed from another operator.
in Section 4, trust is important for virtualization security. In 4) INVESTIGATION OF NEW SECURITY SOLUTIONS THAT
the current literature, there exist few schemes about trust- ENHANCE THE SECURITY OF C-RAN SYSTEM BASED ON
worthy environment establishment in C-RAN. Most existing TRUST RELATIONSHIPS AMONG USERS AND OPERATORS
schemes requests further investigation in order to show their For example, C-RAN system can inspect users’ historical
applicability. Niu et al. [38] described a trust scheme aimed trust relationships to decide whether to issue access or provide
at the MAC layer of C-RAN. This scheme builds a trust services accordingly.
evaluation mechanism at each cognitive radio node, and the
trust evaluation is based on node behaviors. When a node 5) INVESTIGATION OF A PRIVACY PRESERVATION
overly allocates shared spectrum resources or it hinders other MECHANISM FOR C-RAN
nodes to communicate, its trust rating will be judged as worst. When a service provider needs to obtain user personal infor-
However, the availability of the model was not rigorously mation, this mechanism can prevent the leakage of user per-
proven. sonal information.

13384 VOLUME 5, 2017

F. Tian et al.: Survey on C-RAN Security

6) INVESTIGATION OF SECURE VIRTUALIZATION [15] J. Mitola, III, ‘‘Cognitive radio for flexible mobile multimedia communi-
MECHANISMS IN THE VIRTUALIZED BBUs POOL cations,’’ in Proc. IEEE Int. Workshop Mobile Multimedia Conf. (MoMuC),
Nov. 1999, pp. 3–10.
How to ensure the security of the virtualized BBUs pool [16] A. G. Fragkiadakis, E. Z. Tragos, and I. G. Askoxylakis, ‘‘A survey on
has not been explored serioursly in the literature, which is security threats and detection techniques in cognitive radio networks,’’
a promising research topic. IEEE Commun. Surveys Tuts., vol. 15, no. 1, pp. 428–445, 1st Quart., 2013.
[17] G. Baldini, T. Sturman, A. R. Biswas, R. Leschhorn, G. Godor, and
M. Street, ‘‘Security aspects in software defined radio and cognitive radio
VI. CONCLUSIONS networks: A survey and a way ahead,’’ IEEE Commun. Surveys Tuts.,
C-RAN has become an essential component of 5G infrastruc- vol. 14, no. 2, pp. 355–379, 2nd Quart., 2012.
[18] J. Wu, Z. Zhang, Y. Hong, and Y. Wen, ‘‘Cloud radio access
ture. In this paper, we introduced the C-RAN architecture and network (C-RAN): A primer,’’ IEEE Netw., vol. 29, no. 1, pp. 35–41,
its deployment scenarios in order to illustrate its differences Jan. 2015.
from the traditional RAN. By comparing the C-RAN with the [19] D. Kapetanovic, G. Zheng, and F. Rusek, ‘‘Physical layer security for mas-
sive MIMO: An overview on passive eavesdropping and active attacks,’’
traditional RAN, we highlighted its specific characteristics. IEEE Commun. Mag., vol. 53, no. 6, pp. 21–27, Jun. 2015.
Existing security solutions of C-RAN were reviewed based [20] A. Mpitziopoulos, D. Gavalas, C. Konstantopoulos, and G. Pantziou,
on its logic layers. By applying the security requirements ‘‘A survey on jamming attacks and countermeasures in WSNs,’’ IEEE
of C-RAN as a measure, we compared the existing solu- Commun. Surveys Tuts., vol. 11, no. 4, pp. 42–56, 4th Quart., 2009.
[21] W. Wang, H. Li, Y. Sun, and Z. Han, ‘‘CatchIt: Detect malicious nodes in
tions in order to figure out open issues and direct future collaborative spectrum sensing,’’ in Proc. IEEE Global Telecommun. Conf.
research. Through this survey, we found that C-RAN security (GLOBECOM), Nov./Dec. 2009, pp. 1–6.
is a new research area in its infancy. A comprehensive C-RAN [22] R. Chen, J. M. Park, and J. H. Reed, ‘‘Defense against primary user emu-
lation attacks in cognitive radio networks,’’ IEEE J. Sel. Areas Commun.,
security framework is still missing in the literature. Trust vol. 26, no. 1, pp. 25–37, Jan. 2008.
management and privacy preservation are highly requested [23] Y. Liu, P. Ning, and H. Dai, ‘‘Authenticating primary users’ signals
in such a framework in order to support advanced networking in cognitive radio networks via integrated cryptographic and wireless
services to gain user adoption. link signatures,’’ in Proc. IEEE Symp. Secur. Privacy (SP), May 2010,
pp. 286–301.
[24] K. M. Borle, B. Chen, and W. Du, ‘‘A physical layer authentication scheme
REFERENCES for countering primary user emulation attack,’’ in Proc. IEEE Int. Conf.
Acoust., Speech Signal Process. (ICASSP), May 2013, pp. 2935–2939.
[1] ‘‘Cisco visual networking index: Global mobile data traffic forecast update,
2012–2017,’’ Cisco, San Jose, CA, USA, Tech. Rep., Feb. 2013. [25] Z. Jin, S. Anand, and K. P. Subbalakshmi, ‘‘Mitigating primary user
emulation attacks in dynamic spectrum access networks using hypothe-
[2] Marketing Charts. (2015). Mobile Network Operators Face Cost Crunch.
sis testing,’’ ACM SIGMOBILE Comput. Commun. Rev., vol. 13, no. 2,
[Online]. Available: http://www.marketingcharts.com/wp/direct/mobile-
pp. 74–85, Apr. 2009.
networkoperators-face-cost-crunch-17700/
[26] Z. Chen, T. Cooklev, C. Chen, and C. Pomalaza-Ráez, ‘‘Modeling primary
[3] Juniper Research. (2016). Press Release: Mobile Network Operator Rev-
user emulation attacks and defenses in cognitive radio networks,’’ in
enues. [Online]. Available: http://juniperresearch.com/viewpressrelease.
Proc. IEEE Int. Conf. Perform. Comput. Commun. (IPCCC), Dec. 2009,
php?pr=245
pp. 208–215.
[4] Y. Lin, L. Shao, Z. Zhu, Q. Wang, and R. K. Sabhikhi, ‘‘Wireless network
cloud: Architecture and system requirements,’’ IBM J. Res. Develop., [27] Z. Li, R. Yates, and W. Trappe, ‘‘Secret communication with a fading
vol. 54, no. 1, pp. 4:1–4:12, Jan./Feb. 2010. eavesdropper channel,’’ in Proc. IEEE Int. Symp. Inf. Theory (ISIT),
Jun. 2007, pp. 1296–1300.
[5] I. Chih-Lin, C. Rowell, S. Han, Z. Xu, G. Li, and Z. Pan, ‘‘Toward
green and soft: A 5G perspective,’’ IEEE Commun. Mag., vol. 52, no. 2, [28] P. K. Gopala, L. Lai, and H. El Gamal, ‘‘On the secrecy capac-
pp. 66–73, Feb. 2014. ity of fading channels,’’ IEEE Trans. Inf. Theory, vol. 54, no. 10,
[6] ‘‘C-RAN: The road towards green RAN, ver. 3.0,’’ China Mobile, pp. 4687–4698, Oct. 2008.
Hong Kong, White Paper, Dec. 2013. [29] A. Khisti and G. W. Wornell, ‘‘Secure transmission with multiple antennas
[7] A. Checko et al., ‘‘Cloud RAN for mobile networks—A technology I: The MISOME wiretap channel,’’ IEEE Trans. Inf. Theory, vol. 56, no. 7,
overview,’’ IEEE Commun. Surveys Tuts., vol. 17, no. 1, pp. 405–426, pp. 3088–3104, Jul. 2010.
1st Quart., 2015. [30] G. A. Safdar and M. O’Neill, ‘‘Common control channel security frame-
[8] P. Rost et al., ‘‘Cloud technologies for flexible 5G radio access networks,’’ work for cognitive radio networks,’’ in Proc. IEEE 69th Veh. Technol. Conf.
IEEE Commun. Mag., vol. 52, no. 5, pp. 68–76, May 2014. (VTC Spring), Apr. 2009, pp. 1–5.
[9] M. Peng, Y. Sun, X. Li, Z. Mao, and C. Wang, ‘‘Recent advances in [31] F. Oggier and B. Hassibi, ‘‘The secrecy capacity of the MIMO wire-
cloud radio access networks: System architectures, key techniques, and tap channel,’’ IEEE Trans. Inf. Theory, vol. 57, no. 8, pp. 4961–4972,
open issues,’’ IEEE Commun. Surveys Tuts., vol. 18, no. 3, pp. 2282–2308, Aug. 2011.
3rd Quart., 2016. [32] L. Dong, Z. Han, A. P. Petropulu, and H. V. Poor, ‘‘Improving wire-
[10] D. B. Rawat, S. Shetty, and K. Raza, ‘‘Secure radio resource man- less physical layer security via cooperating relays,’’ IEEE Trans. Signal
agement in cloud computing based cognitive radio networks,’’ in Proc. Process., vol. 58, no. 3, pp. 1875–1888, Mar. 2010.
41st Int. Conf. Parallel Process. Workshops (ICPPW), Sep. 2012. [33] J. You, Z. Zhong, G. Wang, and B. Ai, ‘‘Security and reliability perfor-
pp. 288–295. mance analysis for cloud radio access networks with channel estimation
[11] K. Guo, M. Sheng, J. Tang, T. Q. S. Quek, and Z. Qiu, ‘‘Exploiting hybrid errors,’’ IEEE Access, vol. 2, pp. 1348–1358, 2014.
clustering and computation provisioning for green C-RAN,’’ IEEE J. Sel. [34] C. Cormio and K. R. Chowdhury, ‘‘A survey on MAC protocols for
Areas Commun., vol. 34, no. 12, pp. 4063–4076, Dec. 2016. cognitive radio networks,’’ Ad Hoc Netw., vol. 7, no. 7, pp. 1315–1329,
[12] D. Sabella et al., ‘‘RAN as a service: Challenges of designing a flexible Sep. 2009.
RAN architecture in a cloud-based heterogeneous mobile network,’’ in [35] B. Hamdaoui and K. G. Shin, ‘‘OS-MAC: An efficient MAC protocol for
Proc. Future Netw. Mobile Summit, Jul. 2013, pp. 1–8. spectrum-agile wireless networks,’’ IEEE Trans. Mobile Comput., vol. 7,
[13] Y. Zou, J. Zhu, X. Wang, and L. Hanzo, ‘‘A survey on wireless security: no. 8, pp. 915–930, Aug. 2008.
Technical challenges, recent advances, and future trends,’’ Proc. IEEE, [36] K. Bian and J.-M. Park, ‘‘MAC-layer misbehaviors in multi-hop cognitive
vol. 104, no. 9, pp. 1727–1765, Sep. 2016. radio networks,’’ in Proc. US-Korea Conf. Sci., Technol., Entrepreneur-
[14] J. Mitola, III, ‘‘Software radios: Survey, critical evaluation and future ship (UKC), Aug. 2006, pp. 1–8.
directions,’’ IEEE Aerosp. Electron. Syst. Mag., vol. 8, no. 4, pp. 25–36, [37] K. Bian and J. M. J. Park, ‘‘Security vulnerabilities in IEEE 802.22,’’ in
Apr. 1993. Proc. 4th Annu. Int. Conf. Wireless Internet, Nov. 2008, p. 9.

VOLUME 5, 2017 13385

 F. Tian et al.: Survey on C-RAN Security

[38] B. Niu, Y. Zhou, H. Shah-Mansouri, and V. W. S. Wong, ‘‘A dynamic PENG ZHANG received the Ph.D. degree in com-
resource sharing mechanism for cloud radio access networks,’’ IEEE Trans. puter and communication engineering from the
Wireless Commun., vol. 15, no. 12, pp. 8325–8338, Dec. 2016. Beijing University of Posts and Telecommuni-
[39] X. Huang, G. Xue, R. Yu, and S. Leng, ‘‘Joint scheduling and beamforming cations, China. He conducted his post-doctoral
coordination in cloud radio access networks with QoS guarantees,’’ IEEE research at the Helsinki University of Technology
Trans. Veh. Technol., vol. 65, no. 7, pp. 5449–5460, Jul. 2016. from 1999 to 2001. He is currently a Computer
[40] H. Chen, M. Zhou, L. Xie, K. Wang, and J. Li, ‘‘Joint spectrum sensing Scientist with an interest in trust and mobile ser-
and resource allocation scheme in cognitive radio networks with spectrum
vices. He has published more than 60 papers and
sensing data falsification attack,’’ IEEE Trans. Veh. Technol., vol. 65,
invented ten granted patents. He also served as
no. 11, pp. 9181–9191, Nov. 2016.
[41] T. C. Aysal, S. Kandeepan, and R. Piesiewicz, ‘‘Cooperative spectrum an organization committee member for numerous
sensing with noisy hard decision transmissions,’’ in Proc. IEEE Int. Conf. international conferences and a reviewer for many prestigious journals.
Commun., Jun. 2009, pp. 1–5.
[42] Y. Chen, ‘‘Collaborative spectrum sensing in the presence of secondary
user interferences for lognormal shadowing,’’ Wireless Commun. Mobile
Comput., vol. 12, no. 5, pp. 463–472, Apr. 2012.
[43] Y. Zheng, X. Xie, and L. Yang, ‘‘Cooperative spectrum sensing based on
SNR comparison in fusion center for cognitive radio,’’ in Proc. Int. Conf.
Adv. Comput. Control (ICACC), Jan. 2009, pp. 212–216.
[44] F. Zhu and S. W. Seo, ‘‘Enhanced robust cooperative spectrum sensing in
cognitive radio,’’ J. Commun. Netw., vol. 11, no. 2, pp. 122–133, Apr. 2009.
[45] H. Li and Z. Han, ‘‘Catching attacker(s) for collaborative spectrum sensing
in cognitive radio systems: An abnormality detection approach,’’ in Proc.
IEEE Symp. New Frontiers Dyn. Spectr., vols. 44–47. Apr. 2010, pp. 1–12.
[46] Z. Tari, ‘‘Security and privacy in cloud computing,’’ IEEE Cloud Comput.,
vol. 1, no. 1, pp. 54–57, May 2014.
[47] Z. Xiao and Y. Xiao, ‘‘Security and privacy in cloud computing,’’ IEEE
Commun. Surveys Tuts., vol. 15, no. 2, pp. 843–859, 2nd Quart., 2012.
ZHENG YAN (M’06–SM’14) received the
[48] The Notorious Nine Cloud Computing Top Threats in 2013, Cloud Secur. B.Eng. degree in electrical engineering and the
Alliance, Singapore, Jul. 2013, pp. 1–14. M.Eng. degree in computer science and engineer-
[49] X. Wang, Q. Wang, X. Hu, and J. Lu, ‘‘Security technology in virtualization ing from the Xi’an Jiaotong University, Xi’an,
system: State of the art and future direction,’’ in Proc. IET Int. Conf. Inf. China, in 1994 and 1997, respectively, and the
Sci. Control Eng. (ICISCE), Dec. 2012, pp. 1–7. M.Eng. degree in information security from the
[50] W. K. Sze, A. Srivastava, and R. Sekar, ‘‘Hardening openstack cloud National University of Singapore, Singapore,
platforms against compute node compromises,’’ in Proc. 11th ACM Asia in 2000, and the Licentiate of Science and the
Conf. Comput. Commun. Secur., Jun. 2016, pp. 341–352. Doctor of Science in technology in electrical engi-
neering from the Helsinki University of Technol-
ogy, Helsinki, Finland, in 2005 and 2007. She is currently a Professor with
Xidian University, Xi’an, and a Visiting Professor with the Aalto University,
Espoo, Finland. She authored over 160 peer-reviewed publications and solely
FENGYU TIAN received the B.Sc. degree in authored two books. She is the inventor and co-inventor of over 60 patents
telecommunications engineering from the Henan and PCT patent applications. Her research interests are in trust, security and
University of Science and Technology, Luo Yang, privacy, and data mining. She serves as an Associate Editor of Information
China, in 2015. He is currently pursuing the mas- Sciences, Information Fusion, the IEEE INTERNET OF THINGS JOURNAL, IEEE
ter’s degree in electronics and communication ACCESS, JNCA, Security and Communication Networks, and Soft Computing.
engineering with Xidian University, Xi’an, China. She is a leading Guest Editor of many reputable journals, including the
His research interests are in security, privacy, and ACM TOMM, the FGCS, the IEEE SYSTEMS JOURNAL, and MONET. She
trust management in 5G network. served as a steering, organization, and program committee member for over
70 international conferences.

13386 VOLUME 5, 2017