Uncoordinated Frequency Shifts based Pilot Contamination Attack Detection
Weile Zhang, Hai Lin

TL;DR
This paper introduces a novel uncoordinated frequency shift scheme to detect pilot contamination attacks in multi-antenna systems, leveraging frequency asynchronism to improve detection without harming channel estimation.
Contribution
It proposes a new UFS scheme and detection algorithm based on source enumeration, providing effective attack detection while maintaining channel estimation accuracy.
Findings
UFS scheme achieves detection performance comparable to existing methods.
The proposed method does not compromise legitimate channel estimation.
Analytical and numerical results validate the effectiveness of the approach.
Abstract
Pilot contamination attack is an important kind of active eavesdropping conducted by a malicious user during the channel training phase. In this paper, motivated by the fact that frequency asynchronism could introduce divergence between the pilot signals transmitted by the intended user and the attacker, we propose a new uncoordinated frequency shift (UFS) scheme for detection of pilot contamination attacks in multiple-antenna systems. An attack detection algorithm is further developed based on the source enumeration method. Both asymptotic detection performance analysis and numerical results are provided to verify the proposed studies. The results demonstrate that the proposed UFS scheme can achieve detection performance comparable to the existing superimposed random sequence based scheme, without sacrificing legitimate channel estimation performance.
Weile Zhang and Hai Lin†
MOE Key Lab for Intelligent Networks and Network Security, Xi’an Jiaotong University, Xi’an, China
†Department of Electrical and Information Systems, Osaka Prefecture University, Osaka, Japan
Index Terms:
Physical layer security, pilot contamination attack, uncoordinated frequency shift (UFS).
I Introduction
As an effective way to protect wireless transmissions from being eavesdropped, physical layer security has drawn substantial research interest. Recent physical layer security methods require full or partial knowledge of the channel state information of the legitimate system, which is quite vulnerable to smart malicious attacks. A typical example in a TDD system is the so-called pilot contamination attack from an active eavesdropper [1]. As illustrated in Fig. 1, the eavesdropper (Eve) wants to overhear the communication from the legitimate transmitter (Alice) to the intended receiver (Bob). During the reverse uplink training phase, Bob sends a training (pilot) signal to Alice, and the latter performs legitimate channel estimation based on channel reciprocity. Unfortunately, during the training phase, the active eavesdropper Eve can also send the same pilot signals, thereby biasing the channel estimation at Alice. This not only degrades the signal reception quality at Bob but also leads to significant signal leakage to Eve during the subsequent downlink data transmission.
The above pilot contamination issue was first noted in [1], and several works have since been reported to detect such smart attacks. For example, a random pilot sequence was employed in [2] to detect the presence of an attack. A number of detection schemes were studied in [3] assuming different knowledge about the large-scale fading parameters. A two-way training scheme for discriminatory channel estimation was proposed in [4] through a whitening-rotation based semiblind method. Based on the Neyman-Pearson criterion, a number of detection methods were developed in [5] under different assumptions about the channel and noise statistics. The authors in [6] proposed an energy ratio detector, exploiting the asymmetry of received signal power levels at the transmitter Alice and the legitimate receiver Bob in the presence of an attack. Another recent work in [7] proposed superimposing a random sequence on the training sequence at Bob, allowing the use of source enumeration methods to detect an attack. The idea was further extended to the multiuser TDD/SDMA uplink scenario [8].
All of the above detection works have assumed perfect frequency synchronization in the system. However, carrier frequency offset (CFO) naturally exists due to frequency mismatch between transceiver oscillators [10, 11]. This means both the legitimate user Bob and the attacker Eve should first perform CFO estimation and oscillator frequency calibration, such that the carrier frequency of their training signals can be aligned to Alice. Although the CFOs are expected to be completely eliminated for data transmission, they may be beneficial for the purpose of detecting pilot contamination attacks. Note that even if the same pilot signals are transmitted from Bob and Eve, the natural CFOs would introduce individual phase shifts and thus result in divergence of the transmitted signals.
Motivated by the above observation, we propose a new uncoordinated frequency shift (UFS) scheme for detection of pilot contamination attacks in multiple-antenna systems. During the reverse training phase of the UFS scheme, Bob deliberately introduces multiple random frequency shifts when transmitting the publicly known pilot sequence. Eve has no knowledge of these random frequency shifts, so it should be quite difficult for her to imitate Bob exactly. This provides the opportunity to detect the presence of Eve. We further develop an attack detection algorithm based on the source enumeration method. Both the asymptotic detection performance analysis and the numerical results are provided to verify the proposed studies. The results demonstrate that the proposed UFS scheme can achieve detection performance comparable to that of the existing superimposed random sequence based scheme [7], but with substantially improved legitimate channel estimation performance.
Notations: Superscripts , and represent conjugate, transpose and Hermitian, respectively; denotes expectation; denotes the Frobenius norm operator; defines the vector space of all complex matrices; is the imaginary unit; is a diagonal matrix with main diagonal of ; is the identity matrix; represents all-zero matrix with appropriate dimension.
II System Model
As illustrated in Fig. 1, we consider a transmission system with a legitimate transmitter Alice equipped with antennas, a legitimate single-antenna user Bob, and an active eavesdropper Eve. We consider a TDD communication system, where the downlink channels and uplink channels are assumed to be reciprocal. The uplink reverse training phase is a typical way for Alice to obtain the channel information from Bob in order to apply beamforming in downlink data transmission. We assume the training pilot signals are repeatedly used and publicly known, which allows the smart eavesdropper Eve to transmit the same training signals to confound Alice.
The channels from Bob and Eve to Alice are respectively modeled as the following length- vectors: and . We assume each element of and follows i.i.d. complex Gaussian distribution with variance , such that the total average channel gains from Bob and Eve at all receive antennas are normalized, i.e., and .
Denote as the publicly known training sequence transmitted from Bob. Assume the symbols are drawn from constant modulus constellations, i.e., . Denote the transmit power of Bob and Eve by and , respectively. We define two events, and ; Namely, : there exists no active eavesdropper who conducts pilot contamination attack; : the active eavesdropper conducts pilot contamination attack trying to steal the information from the transmitter. Then, under perfect frequency synchronization, the received signal at Alice during the uplink training period can be expressed as the following matrix:
[TABLE]
where and denotes the corresponding additive white Gaussian noise (AWGN) matrix. Assume each element of follows i.i.d. complex Gaussian distribution with variance . It is clear that in the case of Eve’s attack, Alice obtains a composite equivalent channel instead of the expected . If Alice is unaware of attack and employs as the legitimate channel information in the downlink beamforming design, this not only degrades the signal reception quality at Bob but also leads to a significant signal leakage to Eve during the subsequent downlink data transmission.
III Proposed Training Phase with UFS
From the comparison between (1) and (2), since Eve acts exactly in the same way as Bob, it is in fact quite difficult for Alice to distinguish whether Eve is present or not. Motivated by the fact that frequency asynchronism would result in divergence between the transmitted signals from Bob and Eve, and thus may facilitate the detection of pilot contamination attack, we propose a new UFS scheme in this section to detect the pilot contamination attack.
Without loss of generality, we assume the length- training sequence block can be divided into equal-length segments, each with symbols, i.e., . We can then split the whole training sequence block into
[TABLE]
where $\mathbf{s}_{k}=\big[s(1+(k-1)Q),\,s(2+(k-1)Q),\,\cdots,\,s(kQ)\big]^{T}\in\mathbb{C}^{Q\times 1}$ denotes the pilot symbols in the segment. In the UFS scheme, Bob sends the pilot signals deliberately with some random CFO-like phase shifts. Specifically, let Bob independently select artificial CFOs for each training segment, namely , . The normalized CFO of Bob in the segment can be expressed as , where denotes the symbol rate interval. Thus, in fact represents the deliberately introduced phase shift of Bob over the consecutive pilot symbols in the training segment. On the other side, since Eve has no knowledge about the random artificial CFOs of Bob, she can also randomly select one trial CFO for each segment, denoted by , . Correspondingly, the normalized CFO of Eve in the training segment can be expressed as .
Let stand for the diagonal matrix representing the phase shift introduced by the CFO . The equivalent transmitted pilot symbols from Bob and Eve in the segment can be expressed as and , respectively. Then, the received signals at Alice in the segment can be expressed as the following matrix:
[TABLE]
where denotes the corresponding AWGN matrix, and each element of is i.i.d. complex Gaussian variable with variance .
The attack detection algorithms at Alice based on the received signals , , will be developed in the following sections. Next, we first consider the CFO and channel estimation issue without Eve’s attack. Specifically, when Eve is absent, the maximum-likelihood (ML) single-user CFO estimation and channel estimation at Alice can be performed as follows:
[TABLE]
where and stand for the trial CFO and channel for Bob, respectively. The CFO estimation solution of (4) can be expressed as
[TABLE]
which targets at maximizing the correlation between the pilot and the received signal after CFO compensation of a trial CFO . The channel estimation solution can be then given by
[TABLE]
Regarding the CFO and legitimate channel estimation performance of UFS scheme, we obtain the following Lemma:
Lemma 1: In the proposed UFS scheme, the CFO and channel estimation mean square error (MSE) under the high signal-to-noise ratio (SNR) condition in the absence of Eve’s attack can be expressed as:
[TABLE]
The detailed proof is omitted due to the space limitation. The following observations can be made from Lemma 1: First, as expected, the CFO estimation performance highly depends on the length of each training segment. This says that for better CFO estimation performance, a single training segment is preferred, that is, and . However, this may not be a good choice for purpose of attack detection, which will be discussed in the following sections. Nevertheless, we see that the channel estimation performance, which is the main concerned issue in our work, is basically irrelevant to the segment length. In other words, the legitimate channel estimation performance is insensitive to the number of segments.
Second, the corresponding MSE performance without artificial frequency shifts in the conventional frequency synchronous channel estimation can be obtained as . As compared to this conventional benchmark, the relative increased MSE in channel estimation of our UFS scheme can be expressed as . The above discussions indicate that the multiple artificial frequency shifts in our UFS scheme introduce only negligible performance degradation in legitimate channel estimation, especially with more receive antennas at Alice. This differs from the existing superimposed random sequence based scheme [7], which suffers from considerable performance degradation in terms of legitimate channel estimation.
IV Proposed UFS-MDL Detection Algorithm
In this section, we develop a source enumeration based algorithm, referred to as ‘UFS-MDL’, to detect the presence of attack at Alice based on the received signals , . The corresponding asymptotic detection performance analysis is also provided.
IV-A Proposed Detection Scheme
Owing to the uncoordinated frequency shifts, our UFS training scheme introduces divergence between the equivalent transmitted pilot signals of Bob and Eve. Hence, for the case , the minimum description length (MDL) algorithm [9] can be employed by Alice to detect the presence of Eve.
Specifically, the autocorrelation matrix for the training segment can be expressed as
[TABLE]
In the absence of attack, there holds
[TABLE]
which implies the dimension of signal subspace of is only one.
Let represent the CFO between Bob and Eve in the training segment. In the presence of Eve’s attack, we have
[TABLE]
Here, represents the correlation of the equivalent transmitted pilot signals between Bob and Eve, where
[TABLE]
Theoretically, when , we have
[TABLE]
saying is nonsingular in this case. The dimension of signal subspace of is two when .
Following the above discussions under and , the MDL criterion [9] can be employed to determine the dimension of the signal subspace. Specifically, denote the eigenvalues of in descending order by , . The MDL estimation of signal subspace dimension for can be given by
[TABLE]
where
[TABLE]
When the signal subspace dimension of at least one training segment is above one, i.e., , we declare the presence of Eve’s attack. Otherwise, we consider Eve’s attack to be absent.
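The per-segment decision rule described above can be simulated end to end; the following is an added example, not the authors' code. It assumes the standard Wax-Kailath form of the MDL criterion, an antenna-domain sample autocorrelation taken over the Q symbols of a segment, and a CFO normalisation in which the shift value is the phase drift across one segment in cycles; all parameter values, shift values and function names are constructed for illustration.

```python
import numpy as np

N_R, K, Q = 8, 4, 128          # Alice's antennas, segments, symbols per segment (constructed)
NOISE_VAR = 1e-3               # 30 dB SNR for unit transmit power (constructed)

def mdl_order(eigvals, n_snap):
    """Standard Wax-Kailath MDL estimate of the signal-subspace dimension."""
    lam = np.maximum(np.sort(eigvals)[::-1], 1e-12)
    p = lam.size
    scores = []
    for d in range(p):
        tail = lam[d:]                                   # eigenvalues treated as noise
        log_ratio = np.mean(np.log(tail)) - np.log(np.mean(tail))   # log(GM / AM) <= 0
        scores.append(-n_snap * (p - d) * log_ratio
                      + 0.5 * d * (2 * p - d) * np.log(n_snap))
    return int(np.argmin(scores))

def shift(seg, eps):
    """CFO-like phase ramp; eps = phase drift across the segment in cycles (assumed)."""
    return seg * np.exp(2j * np.pi * eps * np.arange(seg.size) / seg.size)

def cgauss(rng, shape, var):
    """i.i.d. circular complex Gaussian samples with the given variance."""
    return np.sqrt(var / 2) * (rng.standard_normal(shape) + 1j * rng.standard_normal(shape))

def received_blocks(rng, pilots, h_b, h_e, p_e, eps_b, eps_e):
    """Alice's N_R x Q block per segment; Bob's power is 1, Eve's is p_e (0 = no attack)."""
    blocks = []
    for seg, eb, ee in zip(pilots, eps_b, eps_e):
        y = np.outer(h_b, shift(seg, eb)) + np.sqrt(p_e) * np.outer(h_e, shift(seg, ee))
        blocks.append(y + cgauss(rng, y.shape, NOISE_VAR))
    return blocks

def ufs_mdl_detect(blocks):
    """Flag an attack if any segment's estimated signal-subspace dimension exceeds one."""
    dims = []
    for y in blocks:
        r = y @ y.conj().T / y.shape[1]                  # sample autocorrelation, Q snapshots
        dims.append(mdl_order(np.linalg.eigvalsh(r), y.shape[1]))
    return any(d > 1 for d in dims), dims

def run_case(p_e, eps_b, eps_e, seed=7):
    """Simulate one training phase and return (attack_flag, per-segment dimensions)."""
    rng = np.random.default_rng(seed)
    pilots = np.exp(1j * np.pi / 4 * (2 * rng.integers(0, 4, (K, Q)) + 1))  # public QPSK pilot
    h_b, h_e = cgauss(rng, N_R, 1 / N_R), cgauss(rng, N_R, 1 / N_R)
    return ufs_mdl_detect(received_blocks(rng, pilots, h_b, h_e, p_e, eps_b, eps_e))

BOB_EPS = [0.15, -0.10, 0.05, -0.20]    # Bob's secret per-segment shifts (constructed)
EVE_EPS = [-0.10, 0.20, -0.15, 0.10]    # Eve's independent guesses (constructed)

if __name__ == "__main__":
    print("UFS, no attack      :", run_case(0.0, BOB_EPS, EVE_EPS))
    print("UFS, Eve at 0 dB    :", run_case(1.0, BOB_EPS, EVE_EPS))
    print("no shifts, Eve 0 dB :", run_case(1.0, [0.0] * K, [0.0] * K))
```

The third case is the conventional synchronized training: Bob's and Eve's pilots are identical, the received signal stays rank one, and source enumeration cannot see the attacker.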
IV-B Asymptotic Performance Analysis
In this subsection, we provide asymptotic performance analysis for the proposed UFS-MDL detection algorithm. We consider the high SNR condition. Moreover, both the training sequence length and the receive antenna number at Alice are assumed to be very large, i.e., and . Note that there is an increasing interest from both academia and industry in equipping base stations with large-scale antenna arrays [12, 13]; such a system can provide a remarkable increase in both reliability and spectral efficiency. We focus on the asymptotic false negative (miss detection) probability, which is defined as the probability that a miss of detection occurs. The following Lemma can be obtained:
Lemma 2: Assume the random normalized CFOs of Bob and Eve follow uniform distribution from to with . Denote . When the minimum power of Bob and Eve is larger than , i.e., , the asymptotic miss detection probability of the UFS-MDL detection algorithm can be approximately upper bounded by
[TABLE]
Otherwise, when , the miss detection probability of UFS-MDL approximately equals one, i.e., . The detailed proof is omitted due to the space limitation. The following observations can be made from Lemma 2:
- As expected, the miss detection probability of UFS-MDL can be reduced by increasing the range of random artificial CFOs. The asymptotic miss detection probability is also relevant to the noise power and the number of receive antennas. There exists a cliff-like jump of miss detection probability when the minimum power between Bob and Eve becomes less than .
- We see that the detection performance of UFS-MDL can always benefit from the increased attack power from Eve. Interestingly, the detection performance will asymptotically touch a lower bound when attack power becomes very large. Specifically, when , according to (19), the asymptotic lower bound of UFS-MDL can be obtained as
[TABLE]
It is observed that this lower bound can be simply reduced by a larger transmit power at Bob.
- Equation (19) also demonstrates the benefit from the multiple frequency shifts in UFS-MDL.
V Simulations
In this section, we provide numerical results to evaluate the performance of the proposed scheme. Assume the pilot symbols are randomly drawn from QPSK constellation. Unless otherwise specified, the pilot length is taken as and let normalized artificial CFOs of Bob and Eve in each training segment follow uniform distribution from -0.2 to 0.2, i.e., .
In Fig. 2, we show miss detection probability of our UFS-MDL algorithm as a function of the relative power between Bob and Eve () under different SNR condition . The following observations can be made. First, as expected, the performance of UFS-MDL can be improved with stronger signal power from Eve. Second, we see that the simulation results closely match the corresponding asymptotic results, which verifies the correctness of the asymptotic analysis. Especially, when Eve has much stronger power than Bob, we can observe that the detection performance converges to the analytical lower bound given by (20).
The detection performance of UFS-MDL with different is plotted in Fig. 3. We also include the performance of the superimposed random sequence based MDL scheme [7], labelled as ‘SRS-MDL’. The results show that when Eve has power smaller than or similar to Bob's, the proposed scheme can achieve detection performance comparable to SRS-MDL with a relatively large and a larger maximum artificial CFO . However, SRS-MDL behaves better in the region with much stronger attack power. Note that the performance of UFS-MDL approaches a lower bound as the attack power increases. Nevertheless, as the random sequences are superimposed on the pilot signal in SRS-MDL, our UFS scheme could substantially outperform SRS-MDL in terms of channel estimation, which will be demonstrated below.
In Fig. 4, we increase the maximum artificial CFO from 0 to 0.3 and demonstrate the detection performance evolution of our UFS scheme. As expected, we see that the detection performance of our proposed UFS scheme can be improved by increasing the maximum artificial CFOs. The results also clearly indicate the benefit of multiple segments. It is seen that, in the case of more segments, i.e., a larger , more random artificial CFOs are introduced and the miss detection probability could decline more quickly as the maximum CFO increases.
Finally, we plot the channel estimation performance comparison between SRS-MDL and our UFS scheme in Fig. 5. The MSE of channel estimation is adopted as the figure of merit. We assume absence of Eve in this example. The iterative channel estimation method is employed in SRS-MDL as described in [7]. It is seen that the channel estimation performance of both SRS-MDL and our scheme improves with increasing pilot signal length. Moreover, our scheme shows little change with different . Note that SRS-MDL superimposes the self-contamination random sequences on the pilot signal, inevitably degrading the performance of legitimate channel estimation. In comparison, our scheme could outperform SRS-MDL, especially with a shorter pilot sequence. On the other side, we include the corresponding analytical results from (8) with in this figure, plotted as the dotted curve. The conventional channel estimation performance with frequency synchronization is also included, labelled as ‘SYNC’. It is observed that the simulation results of our scheme closely approach the analytical curve and the SYNC benchmark. This coincides with our previous observation that the proposed UFS scheme basically does not sacrifice the legitimate channel estimation performance for attack detection.
VI Conclusions
In this paper, we proposed a new UFS scheme for detection of pilot contamination attack. The proposed scheme deliberately introduces multiple random frequency shifts in the transmitted pilot signal from the legitimate user Bob. A detection algorithm was designed for Alice to detect the presence of attack. We also provided both the asymptotic performance analysis and numerical results to verify the proposed studies.
References
- [1] X. Zhou, B. Maham and A. Hjorungnes, “Pilot contamination for active eavesdropping,” IEEE Trans. Wireless Commun., vol. 11, pp. 903–907, Mar. 2012.
- [2] D. Kapetanovic, G. Zheng, K.-K. Wong, and B. Ottersten, “Detection of pilot contamination attack using random training and massive MIMO,” in Proc. IEEE PIMRC, pp. 13–18, London, UK, Sept. 2013.
- [3] D. Kapetanovic, A. Al-Nahari, A. Stojanovic, and F. Rusek, “Detection of active eavesdroppers in Massive MIMO,” in Proc. IEEE PIMRC, pp. 585–589, 2014.
- [4] J. Yang, S. Xie, X. Zhou, R. Yu, and Y. Zhang, “A semiblind two-way training method for discriminatory channel estimation in MIMO systems,” IEEE Trans. Commun., vol. 62, no. 7, Jul. 2014.
- [5] J.-M. Kang, C. In, and H.-M. Kim, “Detection of pilot contamination attack for multi-antenna based secrecy systems,” in Proc. IEEE VTC Spring, May 2015.
- [6] Q. Xiong, Y.-C. Liang, K. H. Li, and Y. Gong, “An energy-ratio based approach for detecting pilot spoofing attack in multiple-antenna systems,” IEEE Trans. Info. Forensics & Security, vol. 10, pp. 932–940, May 2015.
- [7] J. K. Tugnait, “Self-contamination for detection of pilot contamination attack in multiple antenna systems,” IEEE Wireless Commun. Lett., vol. 4, no. 5, Oct. 2015.
- [8] J. K. Tugnait, “Detection of pilot contamination attack in T.D.D./S.D.M.A. systems,” in Proc. IEEE ICASSP, 2016.
