Pilot Distortion Attack and Zero-Startup-Cost Detection in Massive MIMO Network: From Analysis to Experiments

Accurate channel state information (CSI) is a key requirement for massive multiple-input multiple-output (MIMO) to achieve multi-fold increases in throughput and secrecy rate. Consequently, an adversary targeting the channel sounding process has the potential to significantly degrade performance. In this paper, we first present and model the pilot distortion attack, a simple but devastating jamming strategy in which the adversary distorts the access point's (AP's) CSI measurement of even a single client, leading to denial of service for all clients associated with the AP. We then propose multiple-antenna carrier frequency offset estimate (MACE) as a countermeasure that exploits the AP's antenna array to detect jamming with zero startup cost and zero additional network overhead. Our key insight is that with multiple antennas, the AP's variance estimator of client carrier frequency offset increases significantly when jamming signals are present. We build a test bed with a 72-antenna AP and collect over 3 000 000 over-the-air transmissions. Our results show that a single-antenna adversary jamming no more than 1/60 of the time, with no more transmit power than any client, can cause over a 23% reduction in the achievable rate of all clients. Moreover, with a single detection threshold, MACE achieves a 0.97 true positive rate at a 0.01 false positive rate across various client/adversary locations and a wide range of signal-to-noise ratio (SNR) (5 to 35 dB) and signal-to-interference ratio (SIR) (−5 to 35 dB) with SNR − SIR $\geq 5$ dB.
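The detection idea stated above, as an added simulation that is not the paper's code: every AP antenna estimates the client's carrier frequency offset (CFO) on its own from a repeated pilot half (the classic repeated-symbol phase estimator), and the AP then measures how much those per-antenna estimates disagree. Without a jammer all antennas see the same oscillator and agree up to noise; a jammer with its own oscillator and its own fading channel pulls each antenna's estimate toward a different mix of the two CFOs, so the dispersion across the array jumps. The channel model (i.i.d. Rayleigh gains), pilot format (two identical QPSK halves), CFO values, SNR/SIR settings, the power-weighted circular variance used as the dispersion statistic, and the threshold of 0.01 are all assumptions of this example; only the 72-antenna array size is taken from the abstract.

```python
"""Toy simulation of a MACE-style jamming check (constructed example, not the
paper's implementation or measured data)."""
import numpy as np

M_ANTENNAS = 72         # array size of the paper's test bed AP
N_HALF = 64             # samples per repeated pilot half (assumed)
MACE_THRESHOLD = 0.01   # assumed decision threshold on the dispersion statistic


def qpsk_pilot(rng, n):
    """Unit-power random QPSK samples forming one pilot half (constructed)."""
    symbols = rng.integers(0, 4, size=n)
    return np.exp(1j * (np.pi / 4 + np.pi / 2 * symbols))


def apply_cfo(samples, phase_per_half):
    """Apply a CFO expressed as the phase advance accumulated over one half,
    so the second half equals the first rotated by exp(j*phase_per_half)."""
    n = samples.size // 2
    return samples * np.exp(1j * phase_per_half * np.arange(2 * n) / n)


def rayleigh(rng, m):
    """Per-antenna complex Gaussian channel gains with unit average power."""
    return (rng.standard_normal(m) + 1j * rng.standard_normal(m)) / np.sqrt(2)


def simulate_rx(rng, snr_db, jammer_sir_db=None, client_cfo=0.2, jammer_cfo=2.2):
    """2*N_HALF received samples at each of the M antennas.

    The client sends a repeated pilot through a Rayleigh channel with white
    Gaussian noise at snr_db. If jammer_sir_db is given, a single-antenna
    jammer adds its own repeated waveform through its own channel, with its
    own CFO, scaled so the client-to-jammer power ratio is jammer_sir_db.
    All values are constructed for this example.
    """
    half = qpsk_pilot(rng, N_HALF)
    client_tx = apply_cfo(np.concatenate([half, half]), client_cfo)
    rx = np.outer(rayleigh(rng, M_ANTENNAS), client_tx)
    if jammer_sir_db is not None:
        jhalf = qpsk_pilot(rng, N_HALF)
        jammer_tx = apply_cfo(np.concatenate([jhalf, jhalf]), jammer_cfo)
        rx += np.outer(rayleigh(rng, M_ANTENNAS), jammer_tx) * 10 ** (-jammer_sir_db / 20)
    noise_std = 10 ** (-snr_db / 20)
    rx += noise_std * (rng.standard_normal(rx.shape)
                       + 1j * rng.standard_normal(rx.shape)) / np.sqrt(2)
    return rx


def per_antenna_correlation(rx):
    """Correlate the two pilot halves at every antenna. The angle of each
    result is that antenna's CFO estimate; the magnitude reflects how much
    signal power the antenna actually received."""
    return np.sum(np.conj(rx[:, :N_HALF]) * rx[:, N_HALF:], axis=1)


def per_antenna_cfo(rx):
    """Repeated-symbol CFO estimate (phase advance per half) per antenna."""
    return np.angle(per_antenna_correlation(rx))


def mace_statistic(rx):
    """Power-weighted circular variance of the per-antenna CFO estimates:
    1 - |sum_m w_m exp(j*phi_m)| / sum_m w_m with w_m = |c_m|. It is 0 when
    every antenna agrees and grows as the estimates scatter; the circular
    form avoids phase-wrap artefacts, the weights keep faded antennas from
    dominating through pure noise."""
    c = per_antenna_correlation(rx)
    weights, phases = np.abs(c), np.angle(c)
    return 1.0 - np.abs(np.sum(weights * np.exp(1j * phases))) / np.sum(weights)


def jamming_detected(rx, threshold=MACE_THRESHOLD):
    """Single-threshold decision rule on the dispersion statistic."""
    return bool(mace_statistic(rx) > threshold)


def demo(seed=7):
    """One clean and one jammed pilot at SNR 20 dB / SIR 0 dB (constructed)."""
    rng = np.random.default_rng(seed)
    clean = simulate_rx(rng, snr_db=20)
    jammed = simulate_rx(rng, snr_db=20, jammer_sir_db=0)
    return float(mace_statistic(clean)), float(mace_statistic(jammed))


def detection_rates(n_trials=200, seed=1, snr_db=20, sir_db=0):
    """Empirical (false-positive, true-positive) rate of the threshold rule."""
    rng = np.random.default_rng(seed)
    fp = sum(jamming_detected(simulate_rx(rng, snr_db)) for _ in range(n_trials))
    tp = sum(jamming_detected(simulate_rx(rng, snr_db, sir_db)) for _ in range(n_trials))
    return fp / n_trials, tp / n_trials


if __name__ == "__main__":
    s_clean, s_jam = demo()
    print(f"dispersion without jammer: {s_clean:.5f}")
    print(f"dispersion with jammer   : {s_jam:.5f}")
    print("false/true positive rate :", detection_rates())
```

The statistic only separates the two cases because the adversary's oscillator offset differs from the client's and its channel fades independently across the array; a single-antenna receiver would see one blended estimate and nothing to compare it against, which is why the check needs the AP's antenna array and costs no extra over-the-air signalling.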
