Secure Cooperative Spectrum Sensing and Allocation in Distributed Cognitive Radio Networks

Cognitive radio networks (CRNs) are an emerging wireless communications technique for resolving the significant spectrum scarcity problem. Despite their promising characteristics, CRNs also introduce new security threats, especially the internal attacks during the spectrum sensing and allocation process, which can degrade the efficiency of spectrum sensing and allocation. To address this issue, this paper proposes a distributed secure cooperative spectrum sensing strategy (DSCS) based on a dynamic reputation model to defend against attacks and provide reliable spectrum sensing. Moreover, the reputation values are used as weights in a novel distributed cheat-proof spectrum allocation strategy (DCSA) based on the Vickrey-Clarke-Groves (VCG) mechanism. Both theoretical analysis and simulation results indicate that the proposed DSCS and DCSA strategies can provide an effective countermeasure against the internal spectrum sensing data falsification (SSDF) attacks through enabling secondary users to obtain more accurate cooperative sensing results in adversarial environments.


Introduction
Cognitive radio networks (CRNs) are promising wireless communications systems that can resolve the spectrum scarcity problem arising from the escalating demand of wireless radio frequency and spectrum underutilization by license holders [1]. The architecture of CRNs is depicted in Figure 1, which consists of base stations and cognitive terminals. The base stations (i.e., primary users) constitute a primary network using the licensed spectrum and the cognitive terminals (i.e., secondary users) form a secondary network that makes use of the licensed spectrum when it is not occupied by the primary users [2]. To avoid the potential interference with the primary users, secondary users firstly sense whether the spectrum of interest is being used by the primary users. If the spectrum is unoccupied, the secondary users apply certain spectrum allocation scheme to decide which of them may access the available spectrum [3].
CRN can improve the efficiency of spectrum usage, but it also introduces new security threats including internal attacks during the spectrum sensing and allocation process, which can degrade the effectiveness of spectrum sensing and allocation dramatically. For example, an adversary may launch data or information falsification attacks during spectrum sensing and allocation process, where the adversary corrupts a subset of secondary users as illustrated in Figure 2 to report falsified data or information, aiming to affect the final group decision [2].
Cooperation in spectrum sensing and allocation can be achieved in two models: centralized or distributed. The former uses a common receiver (i.e., fusion center) to collect sensing results from all SUs and to make final spectrum sensing and allocation decisions [1,4]. In contrast, a distributed approach allows SUs to share individual sensing results with their neighbors and to make their own sensing and allocation decisions [3,5]. Despite the many benefits cooperative spectrum sensing and allocation process entitles, it is vulnerable to many potential attacks. A distributed scheme is even more vulnerable to such attacks due to its distributed and cooperative natures.  A number of papers [4][5][6][7][8][9] propose various methods to improve the security in spectrum sensing and allocation. These solutions are usually based on a centralized infrastructure, where a central authority plays an essential role in coordinating the attack defending. However, the centralized schemes will incur heavy communication overheads, and the malicious nodes can compromise the central authority to paralyze the entire system. Different distributed sensing schemes have also been proposed [10][11][12][13][14], using game theory [10], incentive design [11], consensus algorithm [3,12], outlier detection, computation verification [14], and so forth. Most of the existing works ignore the internal attacks launched by an inside attacker that has the legal identity. To overcome the above-mentioned problems, in this paper, we firstly design a distributed secure sensing strategy based on a dynamic reputation model.
The strategy establishes a distributed reputation database for nodes as a basis for the channel search sequence in spectrum sensing. Next, we design a novel Vickrey-Clarke-Groves (VCG) mechanism [3,15] based on the reputation generated from exchanged sensing results and propose a novel cheat-proof spectrum resource allocation strategy to restrict the impact of the malicious behaviours. As an important mechanism design, the VCG mechanism studies how to design mechanisms to incent the players (i.e., users or nodes) to provide truthful information about their preferences over different outcomes [3,15]. A VCG mechanism is a dominant strategy mechanism, which can achieve ex-post incentive compatibility (truth-telling is a dominant strategy for every player in the game) [3,15]. This paper makes the following main contributions.
(1) The reputation model and Vickrey-Clarke-Groves (VCG) mechanism are introduced into the coopera-tive sensing and spectrum allocation strategies. This combination can better reflect the real world nature of communication networks and defend against spectrum sensing data falsification (SSDF) attacks from internal malicious nodes.
(2) A distributed algorithm is designed to help secondary users compute the sensing result and allocate the spectrum. Secondary users iteratively update their local values to arrive at consensus, without help from any central authority.
(3) Simulation results demonstrate that the proposed strategies can provide an effective countermeasure against the internal SSDF attacks without relying on a central authority or a common control channel and are therefore applicable in distributed CRNs.
In the rest of the paper, Section 2 reviews related work. Section 3 introduces the network and adversary models. Section 4 presents the distributed secure cooperative sensing strategy. Section 5 presents the VCG based distributed cheat-proof spectrum allocation strategy. Section 6 presents the simulation results and performance analysis. Section 7 concludes the paper.

Distributed Spectrum
Sensing. Distributed spectrum sensing in CRNs has been widely studied, using game theory [10], incentive design [11], consensus algorithm [3,12], outlier detection, computation verification [14], and so forth. For instance, Mukherjee [10] discussed cooperative sensing problem in distributed CRNs with the game-theoretic models. Mukherjee considered the utility function for secondary users as improved sensing accuracy and examined the impact of various sensing parameters. Li et al. [11] first identified a new selfishness model named entropy selfishness in distributed CRNs. They further proposed YouSense, a one-time pad based incentive design in which sensing reports were encrypted before sharing, to prevent the entropy selfish users from learning the sensing reports. And yet, the honest user can recover this plaintext by spectrum sensing. Li et al. [3,12] proposed a distributed and scalable cooperative spectrum sensing scheme based on recent advances in consensus algorithms. In the proposed scheme, the secondary users can maintain coordination based on only local information exchange without a centralized common receiver and the proposed scheme used the consensus of secondary users to make the final decision. Zhang et al. [2,13] designed a fully distributed security scheme ReDiSen to counter attacks in cooperative sensing. ReDiSen applied the reputation generated from exchanged sensing results as an aid to restrict the impact of the malicious behaviours. Yan et al. [14] proposed a robust distributed outlier detection scheme with adaptive local threshold to counter covert adaptive attacks by exploiting the state convergence property. In addition, they also presented a hash-based computation verification scheme to effectively defend against colluding attackers.

Spectrum Allocation.
There are a number of works focused on spectrum allocation [16][17][18][19][20][21] in CRNs. For example, Xie et al. [16] formulated the energy-efficient resource allocation problem in heterogeneous CRNs with femtocells as a Stackelberg game and a gradient based iteration algorithm is proposed to obtain the Stackelberg equilibrium solution to the energy-efficient resource allocation problem. Jiang et al. [17] proposed a novel channel allocation scheme for the QoEdriven multimedia transmission over the CRNs. Moreover, a new analytical Markov model combining the ON/OFF model of PCs and the service queuing model is derived to evaluate the system performance. Xie et al. [18] studied the problem of resource allocation in CRNs supporting heterogeneous services with imperfect channel sensing. To reduce the computation complexity in the formulation with the imperfect channel information, Xie et al. formulated the problem of resource allocation as a mixed integer programming problem and proposed an aggressive discrete stochastic approximate algorithm based joint power and channel allocation. Tan and Le [19] first presented an optimal brute-force search algorithm to resolve the spectrum resource allocation problem for CRNs. And then, Tan and Le further proposed two channel assignment algorithms to resolve the high complexity of the optimal search. Wang et al. [20] proposed a mechanism to resolve the complex mixed integer programming program faced in the resource allocation process in CRNs. The proposed mechanism developed a fast barrier-based method which can achieve the optimal solution with an almost linear complexity and also proposed a method which can achieve nearly optimal solution with a constant complexity. Tachwali et al. [21] developed a new resource allocation optimization framework for single-cell multiuser multicarrier CRNs in the presence of multiple primary networks. The framework aims to minimize the spectral footprint of the CRN through the bandwidth-power product metric. The protection of PU from harmful interference is incorporated in the framework through PU activity index.

Joint Design of Spectrum Sensing and Spectrum Allocation.
The joint design of spectrum sensing and spectrum allocation in CRNs has attracted much attention from both industry and academia. El-Sherif and Liu [22] proposed a novel joint design of the spectrum sensing and channel access mechanisms based on the observation that the value of the test statistics could be used as a confidence measure for the test outcome. Therefore, this value can be used to define different channel access probabilities for secondary users. Zhang et al. [3] designed a distributed scheme to incentivize participation of nodes in cooperative sensing, by connecting sensing and spectrum allocation, and offering incentive from the latter to the former. In the proposed scheme, reputation is used as a pricing factor to incentivize cooperative sensing and a reputation-based pricing method is proposed to offer strong incentive for secondary users to pursue a lower price in the spectrum allocation process.
Existing spectrum sensing and allocation methods and security mechanisms are usually based on a centralized infrastructure, where a central authority plays an essential role in coordinating the defense against attacks and thus brings heavy communication overheads and the issue that central authority may be compromised by attackers. Moreover, few works took into account the joint design of spectrum sensing and spectrum allocation, but they only considered individual spectrum sensing or allocation. In particular, they did not consider the internal attacks launched by an inside attacker that has the legal identity. Consequently, it is still an open problem and a challenging task to design secure and distributed spectrum sensing and allocation schemes in CRNs to resist the internal attacks. The main notations and symbols used in this paper are summarized in Notations and Symbols.

Network Model.
We consider a distributed CRN consisting of a primary user network and a secondary user network [3,13]. There are secondary users and orthogonal frequency channels. Let Ω = {1, 2, . . . , } and Ω = {1, 2, . . . , } denote the sets of secondary users and channels, respectively. We suppose that each secondary user is equipped with a cognitive radio and they utilize omnidirectional antennas to communicate with each other. Meanwhile, secondary users are located within the transmission range of the primary users and can individually sense the environment to detect the existence of the primary users [3,13]. In the cooperative sensing process, we use the energy sensing method for a secondary user to detect primary users' presence. We also assume that an adversary can compromise a subset of honest secondary users. A secondary user may provide incorrect information (including attacking malicious users and honest users that sense channels incorrectly due to severe fading or system failure) or correct information (including honest users that sense channels correctly and nonattacking malicious users). An honest user has no a priori information on which of its neighbors are malicious. If the final sensing results indicate that the primary users are not transmitting on certain channels, the secondary users use the spectrum allocation scheme to allocate spectrum and transmit on these channels.

Adversary Model.
In distributed CRNs, the secondary user network is vulnerable to both external and internal attacks. External attacks can be effectively solved by using the traditional cryptography theory and authentication method. The internal attacks are launched by an inside legal and certificated user, which makes the traditional encryption and authentication techniques no longer effective. In the internal attacks, the attackers may or may not participate in the cooperative sensing process and may report falsified values when participating.
We assume that, in spectrum sensing, malicious secondary users strategically report falsified sensing results, aiming at incurring interference between the primary users and legitimate secondary users. In spectrum allocation, malicious secondary users may launch collusion attacks or bad mouthing attacks to report falsified reputation values, aiming to keep the legitimate secondary users away from using the spectrum resource.

Distributed Secure Cooperative Sensing Strategy (DSCS)
Distributed cooperative sensing strategy implements spectrum sensing through the distributed secondary users in a wide area. In distributed cooperative sensing, each secondary user obtains a local measurement in a time interval . After a sensing session, a series of value update sessions are executed by the secondary users. All secondary users exchange their local spectrum sensing results with their neighbors within its communication range and update their own values based on the received values.
Since distributed cooperative sensing can enhance sensing accuracy, while reducing the need for sensitive and expensive sensing technology, it is proposed to enhance the sensing performance [3,13]. However, it is vulnerable to the internal attacks threats. The internal adversary may control some nodes to report false sensing results to degrade the final sensing decision, which will make the performance of cooperative sensing degrade significantly.
Reputation systems are widely used to cope with liars holding false positive/negative opinions [23]. The concept of reputation has been widely used in economics, ecology, anthropology, and other social sciences. A rich body of literature has been devoted to the investigation of different reputation systems for computer networks [24][25][26]. Recently, derived from the Dempster-Shafer theory [27] and with the ability to explicitly represent and manage a node's uncertainty, subjective logic and uncertainty based reputation mechanism has emerged as an attractive tool for handling trust relationships and has attracted much attention in distributed CRNs.
In this section, we propose DSCS, a reputation-based sensing strategy that is a distributed cooperative strategy using subject logic based reputation mechanism to defend against internal malicious secondary users' attacks.
Subjective logic [28,29] represents a specific belief calculus that uses a belief metric called opinion to express subjective reputation. Since it is necessary to develop mechanisms to detect and manage malicious users in distributed CRNs, subjective logic with the ability to explicitly represent and manage a user's uncertainty has emerged as an attractive tool for handling trust relationships in distributed CRNs.
In subjective logic each opinion is denoted by a 4tuple : = ( : , : , : , : ), where : , : , and : designate node 's belief, disbelief, and uncertainty towards , respectively. The base rate : designates 's willingness to believe which determines how uncertainty is viewed as belief when the reputation is used. The uncertainty reflects the confidence in node 's knowledge of ; an uncertainty of 1.0 represents that a node has no basis for any conclusion. They satisfy the following conditions: When an opinion is used in a decision, it is projected onto the belief/disbelief axis through its expectation, ( : ), which is used to identify malicious nodes and can be computed as ( : ) = : + : : . (2) However, for the case that the belief, disbelief, uncertainty, and base rate change over time, the secondary users' reputation evaluation and the trust relationship between the secondary users also changes over time. Therefore, the reputation evaluation and the trust relationship at present time depends not only on the values of the underlying parameters but also on the decayed values of the previous trust.
Let direct , : ( , , , ) be the direct opinion of user to user at time , which is stored in 's local reputation table and can be computed at as follows: where , : ( , : = , : + , : ) is the total number of the sensing results that received from the user . , : is the number of the correct results and , : is the number of the wrong results from , respectively. = 0.5 stands for the case that 's willingness to believe is 50%. uncertain denotes the degree of uncertainty whether is trustworthy. uncertain can be computed as where we assume that the channel is AWGN. denotes the transition probability of the channel state from 1 to 0 after has sent some sensing results. is the detection probability of the secondary user, is the false alarm rate, and is the false negatives rate. and are defined as where 0 is the zero hypothesis, indicating that the sensed channel is idle, while 1 is the alternative hypothesis, indicating that the channel is busy. is the output and denotes the threshold. The signal/noise ratio (SNR) is ( 2 1 − 2 0 )/ 2 0 . is the number of testing samples, satisfies Γ( /2, ) = 1− , and Γ(⋅, ⋅) denotes the incomplete Gamma function.
The dynamic final reputation considering the trust decay at the time can be given by where 1 and 2 are the weight factors ( 1 + 2 = 1, ( 1 , 2 ∈ [0, 1])) used to determine how much the reputation evaluation results at times and affect the dynamic final reputation. When ( final , : ) is less than the threshold, the secondary user will start the recommendation reputation and final reputation evaluation [25,26]. Based on the abovementioned dynamic reputation model and combining with the characteristics of CRN, a reputationbased distributed secure cooperative sensing strategy (DSCS) is proposed. In DSCS, a secondary user combines its sensing results with the results of cooperative group members to evaluate the true state of the channel to improve the accuracy of sensing. Moreover, DSCS can also punish the untrustworthy user to reduce the influence of the false information to the network. The details of the DSCS are described in Algorithm 1. It is worth noting that local is 's local reputation table. The size of the table is 1 Mb-10 Mb depending on the number of cycles in the simulation, so the memory overhead is not much considering the memory size of modern devices.

Distributed Cheat-Proof Spectrum Allocation Strategy (DCSA)
After spectrum sensing, how to ensure the rationality and reliability of spectrum resource allocation is a new challenge for distributed CRNs. In this section, a novel cheatproof spectrum allocation strategy based on Vickrey-Clarke-Groves (VCG) mechanism is proposed. With the mechanism, we formulate the utility function of system and malicious users and then analyze and proof the efficiency of the strategy through the utility function.

6
International Journal of Distributed Sensor Networks In DCSA, we denote the channel set that can be controlled as = { 1 , 2 , . . . , | > 1} and define the relevant bandwidth set as = { 1 , 2 , . . . , }, where represents the number of channels. We model the spectrum allocation processes as a VCG based auctions process and define the user's profit model, system's profit model, and VCG based distributed cheat-proof mechanism as follows.

User's Profit Model.
Suppose user has got the permission to access the channel ( ∈ ) and its throughput requirement is , which is often private information known only to the user itself. Here, we adopt classical transmission model [30] as where is the transfer efficiency and is the signal-to-noise ratio of the receiver. The profit of the user , ( , ), can be expressed as where ( ) is the profit function that the profits user will gain when it gets the access permission.
where is the cost of channel . is relevant to the reputation; the higher the reputation the lower the cost.
Hence, when > 0, the profit of the user , ( , ), can be computed as

System's Profit Model.
We consider distributed CRNs consisting of ( = 1 + 2 , 1 ≥ 1, 2 ≥ 1) users, where 1 and 2 represent the number of the primary users and secondary users, respectively. In the round of channel allocation, let = ( , | = 1, 2, . . . , ; = 1, 2, . . . , ) denote the set of channel allocation, where , indicates that the channel is assigned to the user . The system's best profit * can be expressed as in which * is the best allocation results and can be computed as * = arg max

VCG Based Distributed Cheat-Proof Mechanism.
In the distributed spectrum allocation process, some secondary users behave maliciously to maximize their own performance by providing the false resource demand. To offer stronger incentives for secondary users to honestly participate in the spectrum allocation process, we connect spectrum allocation to the reputation through a VCG based distributed cheatproof mechanism.
Based on the abovementioned analysis in Sections 5.1 and 5.2, we first propose a distributed cheating-proof mechanism detailed description as follows.
In the proposed mechanism, the secondary user must pay taxes ( , ) > 0 in addition to the cost of channel to gain the spectrum resource. The taxes for a user denoted by ( , * ) can be expressed as .

(16)
A mechanism is the VCG mechanism if it can satisfy the following conditions [15,31,32]: (1) The mechanism is incentive compatible.
(2) The mechanism is individual rational.
Next, we will prove that the proposed distributed cheating-proof mechanism is a VCG mechanism.

Theorem 1 (the mechanism is incentive compatible (IC)). A mechanism is incentive compatible (IC) if truth-telling is the best strategy for the users, which means that the users have no incentive to reveal false information.
Proof. Suppose user needs unit resource, but it applies for and declares that (̂) > ( ), which gets the outcomê . According to the above description, user needs to pay the taxes as Compute the * PU = ( PU ) according to the PUs' resource requirement PU ; (5) Allocate the channel to the PU according to the * PU ; (6) Compute the total profit of the PU * PU according to the * PU ; (7) if there have the idle channel then (8) Compute thê * SU = ( SU ) according to the SUs' resource requirement SU ; (9) Allocate the channel to the SU according to thê * SU ; (10) Compute the total profit of the SU * SU according to the * SU ; (11) End if (12) loop--; (13) End While For (̂) ≤ * , we can get̂( ,̂) ≤ * ( , * ), which incents user to give true application resources and truthtelling is the best strategy for user . Theorem 2 (the mechanism is individual rational (IR)). In an individual rational (IR) mechanism, rational users are expected to gain a higher utility from actively participating in the mechanism than from avoiding it.
Proof. In the proposed mechanism, we consider the following two malicious behaviors: (1) The user does not have the requirement, but it still applies for resources.
(2) The user does not have enough to pay the cost and taxes for the resource, but it still applies for resources.
It is easy to show that in both cases thê(̂,̂) < 0 when the incentive compatible is achieved. Therefore, for each user , utility > 0 and participation into the recommendation is an optimal choice, which means that the mechanism is individual rational.
In conclusion, according to the definition of VCG, the proposed mechanism is a VCG mechanism.
The details of the DCSA are described in Algorithm 2. In DCSA, the application and allocation of channels are done in competing slots, which have two stages. At the first stage, the base station calculates the best allocation results and then allocates the channels based on the demands from primary users. Primary users can apply for consecutive slots to complete its transmission. At the second stage, base station allocates the remaining vacant channels to secondary users, who can only apply for one slot in order to avoid the interference with primary users. After the allocation, base station waits for the users to complete transmission and then reallocate channels in the next competing slot.

Performance Evaluation
In this section, we implement our strategies and conduct extensive simulation experiments using MATLAB to verify the efficacy of the proposed strategies. We assume that the malicious nodes can launch SSDF attacks in the sensing and allocation process by reporting falsified values. They can also implement the Random Attack strategy or the Intermittent Attack strategy which means that the attacks are launched intermittently in a random way. For the Intermittent Attack strategy, we simulate the scenario where the malicious nodes attack with a 50% intensity. The intensity stands for the probability that the malicious node launches an attack during an interaction.

Performance of the DSCS.
In this subsection, the performance of the proposed DSCS is compared to the distributed Random [33] and EDSO [34] schemes in terms of the sensing accuracy rate denoted by ACC.
In our simulations, the number of secondary users is 5 (secondary user is denoted by in the simulations) and the number of detectable channels of each secondary user is 4. The initial reputation of toward is First, we compare the ACC of the three strategies without SSDF attacks (i.e., without dishonest recommendations). Suppose that there are 6 available channels and each secondary user can detect up to 4 channels. The ACC can be computed as where success is the number of successful channel accesses and select is the number of channel accesses. We can observe in Figure 3 that all the three strategies can detect the channels from 1-4. But, since both the Random and EDSO strategies do not adopt the cooperative sensing scheme, they cannot detect channels 5 and 6. The proposed DSCS adopts the cooperative sensing scheme, which makes it possible to receive the sensing results recommended by the other cooperative users, so it can gain the status of channels 5 and 6 and use them to improve the channel utilization rate. Moreover, it is seen that the sensing accuracy performance of the DSCS is better than that of the Random and EDSO scheme. In the Random and EDSO scheme the channel status information is computed and obtained only from the local sensing results, while in DSCS the secondary users gather channel status information from the cooperative users and compute the final sensing results through combining the local sensing result with these cooperative sensing results.
Next, we compare the sensing accuracy performance of DSCS to that of the Random and EDSO scheme under the random SSDF and Intermittent SSDF attacks. The results are shown in  In Figure 4, we analyze the ACC performance of DSCS when malicious users exist. The results indicate that the sensing results are affected by the malicious users, and the ACC of DSCS decreases from 0.6 to less than 0.4 as the number of malicious users increases from 20 to 30. In DSCS, the proposed reputation mechanism will identify the malicious users and then punish them by isolating them from the network. The punishment will decrease the number of cooperative users and the cooperative sensing information; as a result, the accuracy of the DSCS drops.
As shown in Figure 5, the ACC of all the three strategies decreases when the number of the channels increases. Since the SSDF is randomly launched and cannot be detected effectively, the ACC of the Random and EDSO scheme decreases at a percentage up to 70% and 73%, respectively. However, for the DSCS, because the cooperative users can provide additional sensing information combined with the local sensing information to compute the final sensing result, its ACC only decreases by 35%.
In Figure 6, we compare the ACC of all the three strategies when the Intermittent SSDF attacks are present. In the simulation, we consider the scenario where the malicious  nodes attack with a 50% intensity. The results in Figure 6 are similar to those in Figure 5; the ACC of Random and EDSO scheme decreases at a percentage up to 80% and 83% (in Figure 5, they are 70% and 73%), respectively. For the DSCS, its ACC only decreases by 40% (in Figure 5, it is 35%), which is much lower than that of the Random and EDSO scheme.  In Figure 7, we set the deception rate = 0.2 and compare the ACR of the spectrum allocation process without DCSA under SSDF attacks to that with no SSDF attacks. The results in Figure 7 indicate that the ACR of both scenarios increases when the time increases. As expected, The ACR under no SSDF attacks is better than that under SSDF attacks, since the spectrum allocation will be affected by the SSDF attacks. Then, we investigate the impact of deception rates on the ACR. The simulation results are shown in Figure 8. It can be seen that the average ACR when = 0.2 is higher than that when = 2. The simulation results demonstrate that the deception rate has a big impact on the ACR: the higher is the deception rate, the lower is the ACR.  The above analysis shows that it is necessary to build a SSDF-proof spectrum allocation strategy. In the following, we will compare the ACR performance of the strategy with DCSA to that of the strategy without DCSA.
As shown in Figures 9 and 10, under the SSDF attack, the ACR of both strategies (with or without DCSA) decreases when the time or the percentage of the malicious users increases, while the ACR of strategy with DCSA decreases slower than that without DCSA. In this simulation, the malicious users are assumed to be rational, so the proposed DCSA can effectively incentivize secondary users to honestly participate in the spectrum allocation process by reducing its reputation when it provides dishonest information. Since the reputation of a secondary user will be the reference for the next round of spectrum allocation and cooperative user  selection, the reduction of reputation will keep the malicious users away from lying because they cannot get utility from lying. As a result, the ACR of the strategy with DCSA is better than that without DCSA.

Conclusions
In this paper, we have investigated the challenging problems of secure spectrum sensing and spectrum allocation in CRNs and have proposed a distributed cooperative sensing strategy (DSCS) and a cheat-proof spectrum allocation strategy (DCSA). Based on the combination of the proposed dynamic reputation model and VCG mechanism, the DSCS and DCSA can effectively defend against the internal SSDF attacks. Moreover, the DSCS and DCSA do not rely on a central authority or a common control channel and are therefore applicable in distributed CRNs. Nevertheless, the proposed algorithm imposes some communications and computing overhead caused by nodes interactions which is not calculated in this work, as we focus on the security and effectiveness of the cooperative spectrum sensing and allocation scheme in CRNs. We intend to investigate and analyze the overhead issue in our future work. The elaborated simulation tests and performance analysis have verified that the DSCS and DCSA are secure and efficient. More specifically, in the presence of SSDF attacks, the sensing accuracy rate and the spectrum allocation accuracy rate of the proposed DSCS and DCSA are much better than those of the existing strategies.

Notations and Symbols
: , direct , : , final , : : 's reputation, direct and final reputation towards at time , : , , : , , : , , : : 's belief, disbelief, and uncertainty towards and 's willingness to believe at time , : , , : , , : : Thetotalnumberofthe sensing results that received from the user , the number of the correct results, and the number of the wrong results from uncertain : The degree of uncertainty whether is trustworthy : The transition probability of the channel state from 1 to 0 after has sent some sensing results , , : The detection probability of the secondary user, the false alarm rate, and the false negatives rate Γ(⋅, ⋅): Th e i n c o m p l e t e G a m m a function 0 , 1 : Th e z e r o h y p o t h e s i s a n d t h e alternative hypothesis 1 , 2 : The weight factors used to determine how much the reputation evaluation results at times and affect the dynamic final reputation = { 1 , 2 , . . . , | > 1}: The channel set that can be controlled = { 1 , 2 , . . . , }: The relevant bandwidth set with the channels , : The transfer efficiency and the signal-to-noise ratio of the receiver ( , ): Th e p r o fi t o f t h e u s e r ( ): The profit function that the profits user will gain when it gets the access permission ( , ): Th e c o s t o f u s e r , : Th e c o s t o f c h a n n e land the throughput requirement to access the channel * , * : The system's best profit and the best allocation results ( , * ): The taxes for a user ∑ ̸ = ( , * ), ∑ ̸ = ( , − ): The total utility of all the other applicants when participates in the mechanism and the total utility of all the other applicants when withdraws from the mechanism * ( , * ): The best utility of user .