16 research outputs found

    Active Eavesdropping via Spoofing Relay Attack

    This paper studies a new active eavesdropping technique via the so-called spoofing relay attack, which could be launched by the eavesdropper to significantly enhance the information leakage rate from the source over conventional passive eavesdropping. With this attack, the eavesdropper acts as a relay to spoof the source to vary transmission rate in favor of its eavesdropping performance by either enhancing or degrading the effective channel of the legitimate link. The maximum information leakage rate achievable by the eavesdropper and the corresponding optimal operation at the spoofing relay are obtained. It is shown that such a spoofing relay attack could impose new challenges from a physical-layer security perspective since it leads to significantly higher information leakage rate than conventional passive eavesdropping. Comment: submitted for possible conference publicatio

    Proactive Eavesdropping via Jamming for Rate Maximization over Rayleigh Fading Channels

    Instead of against eavesdropping, this letter proposes a new paradigm in wireless security by studying how a legitimate monitor (e.g., government agencies) efficiently eavesdrops a suspicious wireless communication link. The suspicious transmitter controls its communication rate over Rayleigh fading channels to maintain a target outage probability at the receiver, and the legitimate monitor can successfully eavesdrop only when its achievable rate is no smaller than the suspicious communication rate. We propose a proactive eavesdropping via jamming approach to maximize the average eavesdropping rate, where the legitimate monitor sends jamming signals with optimized power control to moderate the suspicious communication rate. Comment: Submitted for possible publicatio

    Uncoordinated Frequency Shifts based Pilot Contamination Attack Detection

    Pilot contamination attack is an important kind of active eavesdropping activity conducted by a malicious user during channel training phase. In this paper, motivated by the fact that frequency asynchronism could introduce divergence of the transmitted pilot signals between intended user and attacker, we propose a new uncoordinated frequency shift (UFS) scheme for detection of pilot contamination attack in multiple antenna system. An attack detection algorithm is further developed based on source enumeration method. Both the asymptotic detection performance analysis and numerical results are provided to verify the proposed studies. The results demonstrate that the proposed UFS scheme can achieve comparable detection performance as the existing superimposed random sequence based scheme, without sacrifice of legitimate channel estimation performance

    Wireless Surveillance of Two-Hop Communications

    Wireless surveillance is becoming increasingly important to protect the public security by legitimately eavesdropping suspicious wireless communications. This paper studies the wireless surveillance of a two-hop suspicious communication link by a half-duplex legitimate monitor. By exploring the suspicious link's two-hop nature, the monitor can adaptively choose among the following three eavesdropping modes to improve the eavesdropping performance: (I) passive eavesdropping to intercept both hops to decode the message collectively, (II) proactive eavesdropping via noise jamming over the first hop, and (III) proactive eavesdropping via hybrid jamming over the second hop. In both proactive eavesdropping modes, the (noise/hybrid) jamming over one hop is for the purpose of reducing the end-to-end communication rate of the suspicious link and accordingly making the interception more easily over the other hop. Under this setup, we maximize the eavesdropping rate at the monitor by jointly optimizing the eavesdropping mode selection as well as the transmit power for noise and hybrid jamming. Numerical results show that the eavesdropping mode selection significantly improves the eavesdropping rate as compared to each individual eavesdropping mode. Comment: Submitted for conference publicatio

    Cooperative Pilot Spoofing in MU-MIMO Systems

    In this letter, we consider downlink transmission of a multiuser multiple-input multiple-output (MU-MIMO) system with zero-forcing (ZF) precoders in the presence of multiple attackers. We propose a cooperative pilot spoofing attack (CPSA), where the attackers collaboratively impair the channel estimations in the uplink channel training phase, aiming at deteriorating the downlink throughput of the whole cell. We first evaluate the impacts of CPSA on the channel estimation and the downlink ZF precoding design, and then we derive an analytical expression for the achievable downlink sum-rate. Furthermore, we investigate the optimal attack strategy to minimize the achievable downlink sum-rate. We show that the optimization problem under consideration is a convex one so the global optimum could be obtained conveniently. Numerical results show that the CPSA attack results in a severe performance deterioration with the increase in the attacking power and the number of attackers

    Data-Aided Secure Massive MIMO Transmission under the Pilot Contamination Attack

    In this paper, we study the design of secure communication for time division duplex multi-cell multi-user massive multiple-input multiple-output (MIMO) systems with active eavesdropping. We assume that the eavesdropper actively attacks the uplink pilot transmission and the uplink data transmission before eavesdropping the downlink data transmission of the users. We exploit both the received pilots and the received data signals for uplink channel estimation. We show analytically that when the number of transmit antennas and the length of the data vector both tend to infinity, the signals of the desired user and the eavesdropper lie in different eigenspaces of the received signal matrix at the base station provided that their signal powers are different. This finding reveals that decreasing (instead of increasing) the desired user's signal power might be an effective approach to combat a strong active attack from an eavesdropper. Inspired by this observation, we propose a data-aided secure downlink transmission scheme and derive an asymptotic achievable secrecy sum-rate expression for the proposed design. For the special case of a single-cell single-user system with independent and identically distributed fading, the obtained expression reveals that the secrecy rate scales logarithmically with the number of transmit antennas. This is the same scaling law as for the achievable rate of a single-user massive MIMO system in the absence of eavesdroppers. Numerical results indicate that the proposed scheme achieves significant secrecy rate gains compared to alternative approaches based on matched filter precoding with artificial noise generation and null space transmission. Comment: To appear in IEEE Transactions on Communications. arXiv admin note: substantial text overlap with arXiv:1801.0707

    Blind Channel Separation in Massive MIMO System under Pilot Spoofing and Jamming Attack

    We consider a channel separation approach to counter the pilot attack in a massive MIMO system, where malicious users (MUs) perform pilot spoofing and jamming attack (PSJA) in uplink by sending symbols to the basestation (BS) during the channel estimation (CE) phase of the legitimate users (LUs). More specifically, the PSJA strategies employed by the MUs may include (i) sending the random symbols according to arbitrary stationary or non-stationary distributions that are unknown to the BS; (ii) sending the jamming symbols that are correlative to those of the LUs. We analyze the empirical distribution of the received pilot signals (ED-RPS) at the BS, and prove that its characteristic function (CF) asymptotically approaches to the product of the CFs of the desired signal (DS) and the noise, where the DS is the product of the channel matrix and the signal sequences sent by the LUs/MUs. These observations motivate a novel two-step blind channel separation method, wherein we first estimate the CF of DS from the ED-RPS and then extract the alphabet of the DS to separate the channels. Both analysis and simulation results show that the proposed method achieves good channel separation performance in massive MIMO systems

    Jamming-assisted Eavesdropping over Parallel Fading Channels

    This paper advances the proactive eavesdropping research by considering a practical half-duplex mode for the legitimate monitor and dealing with the challenging case that the suspicious link opportunistically communicates over parallel fading channels. To increase eavesdropping success probability, we propose cognitive jamming for the monitor to change the suspicious link's long-term belief on the parallel channels' distributions, and thereby induce it to transmit more likely over a smaller subset of unjammed channels with a lower transmission rate. As the half-duplex monitor cannot eavesdrop the channel that it is simultaneously jamming to, our jamming design should also control the probability of such "own goal" that occurs when the suspicious link chooses one of the jammed (uneavesdroppable) channels to transmit. We formulate the optimal jamming design problem as a mixed integer nonlinear programming and show that it is non-convex. Nevertheless, we prove that the monitor should optimally use the maximum jamming power if it decides to jam, for maximally reducing suspicious link's communication rate and driving the suspicious link out of the jammed channels. Then we manage to simplify the MINLP to integer programming and reveal a fundamental trade-off in deciding the number of jammed channels: jamming more channels helps reduce the suspicious link's communication rate for overhearing more clearly, but increases own goal probability and thus decreases eavesdropping success probability. Finally, we extend our study to the two-way suspicious communication scenario, and show there is another interesting trade-off in deciding the common jammed channels for balancing bidirectional eavesdropping performances. Numerical results show that our optimized jamming-assisted eavesdropping scheme greatly increases eavesdropping success probability as compared with the conventional passive eavesdropping

    Jamming-Aided Secure Communication in Massive MIMO Rician Channels

    In this paper, we investigate the artificial noise-aided jamming design for a transmitter equipped with large antenna array in Rician fading channels. We figure out that when the number of transmit antennas tends to infinity, whether the secrecy outage happens in a Rician channel depends on the geometric locations of eavesdroppers. In this light, we first define and analytically describe the secrecy outage region (SOR), indicating all possible locations of an eavesdropper that can cause secrecy outage. After that, the secrecy outage probability (SOP) is derived, and a jamming-beneficial range, i.e., the distance range of eavesdroppers which enables uniform jamming to reduce the SOP, is determined. Then, the optimal power allocation between messages and artificial noise is investigated for different scenarios. Furthermore, to use the jamming power more efficiently and further reduce the SOP, we propose directional jamming that generates jamming signals at selected beams (mapped to physical angles) only, and power allocation algorithms are proposed for the cases with and without the information of the suspicious area, i.e., possible locations of eavesdroppers. We further extend the discussions to multiuser and multi-cell scenarios. At last, numerical results validate our conclusions and show the effectiveness of our proposed jamming power allocation schemes

    Pilot Spoofing Attack by Multiple Eavesdroppers

    In this paper, we investigate the design of a pilot spoofing attack (PSA) carried out by multiple single-antenna eavesdroppers (Eves) in a downlink time-division duplex (TDD) system, where a multiple antenna base station (BS) transmits confidential information to a single-antenna legitimate user (LU). During the uplink channel training phase, multiple Eves collaboratively impair the channel acquisition of the legitimate link, aiming at maximizing the wiretapping signal-to-noise ratio (SNR) in the subsequent downlink data transmission phase. Two different scenarios are investigated: (1) the BS is unaware of the PSA, and (2) the BS attempts to detect the presence of the PSA. For both scenarios, we formulate wiretapping SNR maximization problems. For the second scenario, we also investigate the probability of successful detection and constrain it to remain below a pre-designed threshold. The two resulting optimization problems can be unified into a more general non-convex optimization problem, and we propose an efficient algorithm based on the minorization-maximization (MM) method and the alternating direction method of multipliers (ADMM) to solve it. The proposed MM-ADMM algorithm is shown to converge to a stationary point of the general problem. In addition, we propose a semidefinite relaxation (SDR) method as a benchmark to evaluate the efficiency of the MM-ADMM algorithm. Numerical results show that the MM-ADMM algorithm achieves near-optimal performance and is computationally more efficient than the SDR-based method. Comment: Accepted by IEEE Transaction on Wireless Communication