EMERGENT BEHAVIOR ANALYSIS OF MARITIME OVER-THE-HORIZON COMMUNICATION USING LASERS AND SPACE PLATFORM RELAYS

This thesis studied an over-the-horizon (OTH) maritime laser communication concept using free-space optics (FSO) and space-based relays. This thesis applied a systems engineering analysis approach to study stakeholder needs, identify requirements, and develop a conceptual design of the FSO concept. Three concept of operations scenarios were developed to illustrate (1) land-to-maritime, (2) maritime-to-land, and (3) maritime-to-maritime communication transmission. The three conceptual FSO communication capability scenarios were modeled using the behavioral modeling tool, Monterey Phoenix (MP). The MP models could be varied to represent nominal, or clear atmospheric conditions, and off-nominal, or poor atmospheric conditions (e.g., precipitation, thermal turbulence, absorption, and scattering). The thesis analyzed expected, unexpected, and emergent behavior using the MP model. The results yielded event traces characterized by transmission time, success data, and behavior expectation data. The MP model analysis produced a pattern of unexpected or emergent behavior that would interfere with successful communication transmission. Laser system failures, ship movement, or operator issues are possible emergent behavior factors. The study results indicated that the FSO OTH communication system could transmit communication quickly and with high data rates, but only during nominal or fair atmospheric conditions.ONR, Arlington, VA 22217Lieutenant, United States NavyApproved for public release. Distribution is unlimited

Wideband cyclostationary spectrum sensing and characterization for cognitive radios

Motivated by the spectrum scarcity problem, Cognitive Radios (CRs) have been proposed as a solution to opportunistically communicate over unused spectrum licensed to Primary users (PUs). In this context, the unlicensed Secondary users (SUs) sense the spectrum to detect the presence or absence of PUs, and use the unoccupied bands without causing interference to PUs. CRs are equipped with capabilities such as, learning, adaptability, and recongurability, and are spectrum aware. Spectrum awareness comes from spectrum sensing, and it can be performed using different techniques

Acoustic-channel attack and defence methods for personal voice assistants

Personal Voice Assistants (PVAs) are increasingly used as interface to digital environments. Voice commands are used to interact with phones, smart homes or cars. In the US alone the number of smart speakers such as Amazon’s Echo and Google Home has grown by 78% to 118.5 million and 21% of the US population own at least one device. Given the increasing dependency of society on PVAs, security and privacy of these has become a major concern of users, manufacturers and policy makers. Consequently, a steep increase in research efforts addressing security and privacy of PVAs can be observed in recent years. While some security and privacy research applicable to the PVA domain predates their recent increase in popularity and many new research strands have emerged, there lacks research dedicated to PVA security and privacy. The most important interaction interface between users and a PVA is the acoustic channel and acoustic channel related security and privacy studies are desirable and required. The aim of the work presented in this thesis is to enhance the cognition of security and privacy issues of PVA usage related to the acoustic channel, to propose principles and solutions to key usage scenarios to mitigate potential security threats, and to present a novel type of dangerous attack which can be launched only by using a PVA alone. The five core contributions of this thesis are: (i) a taxonomy is built for the research domain of PVA security and privacy issues related to acoustic channel. An extensive research overview on the state of the art is provided, describing a comprehensive research map for PVA security and privacy. It is also shown in this taxonomy where the contributions of this thesis lie; (ii) Work has emerged aiming to generate adversarial audio inputs which sound harmless to humans but can trick a PVA to recognise harmful commands. The majority of work has been focused on the attack side, but there rarely exists work on how to defend against this type of attack. A defence method against white-box adversarial commands is proposed and implemented as a prototype. It is shown that a defence Automatic Speech Recognition (ASR) can work in parallel with the PVA’s main one, and adversarial audio input is detected if the difference in the speech decoding results between both ASR surpasses a threshold. It is demonstrated that an ASR that differs in architecture and/or training data from the the PVA’s main ASR is usable as protection ASR; (iii) PVAs continuously monitor conversations which may be transported to a cloud back end where they are stored, processed and maybe even passed on to other service providers. A user has limited control over this process when a PVA is triggered without user’s intent or a PVA belongs to others. A user is unable to control the recording behaviour of surrounding PVAs, unable to signal privacy requirements and unable to track conversation recordings. An acoustic tagging solution is proposed aiming to embed additional information into acoustic signals processed by PVAs. A user employs a tagging device which emits an acoustic signal when PVA activity is assumed. Any active PVA will embed this tag into their recorded audio stream. The tag may signal a cooperating PVA or back-end system that a user has not given a recording consent. The tag may also be used to trace when and where a recording was taken if necessary. A prototype tagging device based on PocketSphinx is implemented. Using Google Home Mini as the PVA, it is demonstrated that the device can tag conversations and the tagging signal can be retrieved from conversations stored in the Google back-end system; (iv) Acoustic tagging provides users the capability to signal their permission to the back-end PVA service, and another solution inspired by Denial of Service (DoS) is proposed as well for protecting user privacy. Although PVAs are very helpful, they are also continuously monitoring conversations. When a PVA detects a wake word, the immediately following conversation is recorded and transported to a cloud system for further analysis. An active protection mechanism is proposed: reactive jamming. A Protection Jamming Device (PJD) is employed to observe conversations. Upon detection of a PVA wake word the PJD emits an acoustic jamming signal. The PJD must detect the wake word faster than the PVA such that the jamming signal still prevents wake word detection by the PVA. An evaluation of the effectiveness of different jamming signals and overlap between wake words and the jamming signals is carried out. 100% jamming success can be achieved with an overlap of at least 60% with a negligible false positive rate; (v) Acoustic components (speakers and microphones) on a PVA can potentially be re-purposed to achieve acoustic sensing. This has great security and privacy implication due to the key role of PVAs in digital environments. The first active acoustic side-channel attack is proposed. Speakers are used to emit human inaudible acoustic signals and the echo is recorded via microphones, turning the acoustic system of a smartphone into a sonar system. The echo signal can be used to profile user interaction with the device. For example, a victim’s finger movement can be monitored to steal Android unlock patterns. The number of candidate unlock patterns that an attacker must try to authenticate herself to a Samsung S4 phone can be reduced by up to 70% using this novel unnoticeable acoustic side-channel

Architecting a One-to-many Traffic-Aware and Secure Millimeter-Wave Wireless Network-in-Package Interconnect for Multichip Systems

With the aggressive scaling of device geometries, the yield of complex Multi Core Single Chip(MCSC) systems with many cores will decrease due to the higher probability of manufacturing defects especially, in dies with a large area. Disintegration of large System-on-Chips(SoCs) into smaller chips called chiplets has shown to improve the yield and cost of complex systems. Therefore, platform-based computing modules such as embedded systems and micro-servers have already adopted Multi Core Multi Chip (MCMC) architectures overMCSC architectures. Due to the scaling of memory intensive parallel applications in such systems, data is more likely to be shared among various cores residing in different chips resulting in a significant increase in chip-to-chip traffic, especially one-to-many traffic. This one-to-many traffic is originated mainly to maintain cache-coherence between many cores residing in multiple chips. Besides, one-to-many traffics are also exploited by many parallel programming models, system-level synchronization mechanisms, and control signals. How-ever, state-of-the-art Network-on-Chip (NoC)-based wired interconnection architectures do not provide enough support as they handle such one-to-many traffic as multiple unicast trafficusing a multi-hop MCMC communication fabric. As a result, even a small portion of such one-to-many traffic can significantly reduce system performance as traditional NoC-basedinterconnect cannot mask the high latency and energy consumption caused by chip-to-chipwired I/Os. Moreover, with the increase in memory intensive applications and scaling of MCMC systems, traditional NoC-based wired interconnects fail to provide a scalable inter-connection solution required to support the increased cache-coherence and synchronization generated one-to-many traffic in future MCMC-based High-Performance Computing (HPC) nodes. Therefore, these computation and memory intensive MCMC systems need an energy-efficient, low latency, and scalable one-to-many (broadcast/multicast) traffic-aware interconnection infrastructure to ensure high-performance. Research in recent years has shown that Wireless Network-in-Package (WiNiP) architectures with CMOS compatible Millimeter-Wave (mm-wave) transceivers can provide a scalable, low latency, and energy-efficient interconnect solution for on and off-chip communication. In this dissertation, a one-to-many traffic-aware WiNiP interconnection architecture with a starvation-free hybrid Medium Access Control (MAC), an asymmetric topology, and a novel flow control has been proposed. The different components of the proposed architecture are individually one-to-many traffic-aware and as a system, they collaborate with each other to provide required support for one-to-many traffic communication in a MCMC environment. It has been shown that such interconnection architecture can reduce energy consumption and average packet latency by 46.96% and 47.08% respectively for MCMC systems. Despite providing performance enhancements, wireless channel, being an unguided medium, is vulnerable to various security attacks such as jamming induced Denial-of-Service (DoS), eavesdropping, and spoofing. Further, to minimize the time-to-market and design costs, modern SoCs often use Third Party IPs (3PIPs) from untrusted organizations. An adversary either at the foundry or at the 3PIP design house can introduce a malicious circuitry, to jeopardize an SoC. Such malicious circuitry is known as a Hardware Trojan (HT). An HTplanted in the WiNiP from a vulnerable design or manufacturing process can compromise a Wireless Interface (WI) to enable illegitimate transmission through the infected WI resulting in a potential DoS attack for other WIs in the MCMC system. Moreover, HTs can be used for various other malicious purposes, including battery exhaustion, functionality subversion, and information leakage. This information when leaked to a malicious external attackercan reveals important information regarding the application suites running on the system, thereby compromising the user profile. To address persistent jamming-based DoS attack in WiNiP, in this dissertation, a secure WiNiP interconnection architecture for MCMC systems has been proposed that re-uses the one-to-many traffic-aware MAC and existing Design for Testability (DFT) hardware along with Machine Learning (ML) approach. Furthermore, a novel Simulated Annealing (SA)-based routing obfuscation mechanism was also proposed toprotect against an HT-assisted novel traffic analysis attack. Simulation results show that,the ML classifiers can achieve an accuracy of 99.87% for DoS attack detection while SA-basedrouting obfuscation could reduce application detection accuracy to only 15% for HT-assistedtraffic analysis attack and hence, secure the WiNiP fabric from age-old and emerging attacks

Secure Neighbor Discovery and Ranging in Wireless Networks

This thesis addresses the security of two fundamental elements of wireless networking: neighbor discovery and ranging. Neighbor discovery consists in discovering devices available for direct communication or in physical proximity. Ranging, or distance bounding, consists in measuring the distance between devices, or providing an upper bound on this distance. Both elements serve as building blocks for a variety of services and applications, notably routing, physical access control, tracking and localization. However, the open nature of wireless networks makes it easy to abuse neighbor discovery and ranging, and thereby compromise overlying services and applications. To prevent this, numerous works proposed protocols that secure these building blocks. But two aspects crucial for the security of such protocols have received relatively little attention: formal verification and attacks on the physical-communication-layer. They are precisely the focus of this thesis. In the first part of the thesis, we contribute a formal analysis of secure communication neighbor discovery protocols. We build a formal model that captures salient characteristics of wireless systems such as node location, message propagation time and link variability, and we provide a specification of secure communication neighbor discovery. Then, we derive an impossibility result for a general class of protocols we term "time-based protocols", stating that no such protocol can provide secure communication neighbor discovery. We also identify the conditions under which the impossibility result is lifted. We then prove that specific protocols in the time-based class (under additional conditions) and specific protocols in a class we term "time- and location-based protocols," satisfy the neighbor discovery specification. We reinforce these results by mechanizing the model and the proofs in the theorem prover Isabelle. In the second part of the thesis, we explore physical-communication-layer attacks that can seemingly decrease the message arrival time without modifying its content. Thus, they can circumvent time-based neighbor discovery protocols and distance bounding protocols. (Indeed, they violate the assumptions necessary to prove protocol correctness in the first part of the thesis.) We focus on Impulse Radio Ultra-Wideband, a physical layer technology particularly well suited for implementing distance bounding, thanks to its ability to perform accurate indoor ranging. First, we adapt physical layer attacks reported in prior work to IEEE 802.15.4a, the de facto standard for Impulse Radio, and evaluate their performance. We show that an adversary can achieve a distance-decrease of up to hundreds of meters with an arbitrarily high probability of success, with only a minor cost in terms of transmission power (few dB). Next, we demonstrate a new attack vector that disrupts time-of-arrival estimation algorithms, in particular those designed to be precise. The distance-decrease achievable by this attack vector is in the order of the channel spread (order of 10 meters in indoor environments). This attack vector can be used in previously reported physical layer attacks, but it also creates a new type of external attack based on malicious interference. We demonstrate that variants of the malicious interference attack are much easier to mount than the previously reported external attack. We also provide design guidelines for modulation schemes and devise receiver algorithms that mitigate physical layer attacks. These countermeasures allow the system designer to trade off security, ranging precision and cost in terms of transmission power and packet length

Tactical Electronics Simulation Test System: Final Report CDRL A004

Report addresses the preliminary findings of the Tactical Electronics Simulation Test System (TESTS) Phase I effort: Requirements Analysis and Feasibility Assessment, involving requirements for an advanced identification friend or foe (IFF) simulation environment, existing applicable and available facilities and resources for subsequent project phases, technical issues and concerns to minimize risk, and technical approach and conceptual design for an advanced IFF system and environment simulation leading to TESTS

Blind Estimation of OFDM System Parameters for Automatic Signal Identification

Orthogonal frequency division multiplexing (OFDM) has gained worldwide popular­ ity in broadband wireless communications recently due to its high spectral efficiency and robust performance in multipath fading channels. A growing trend of smart receivers which can support and adapt to multiple OFDM based standards auto­ matically brings the necessity of identifying different standards by estimating OFDM system parameters without a priori information. Consequently, blind estimation and identification of OFDM system parameters has received considerable research atten­ tions. Many techniques have been developed for blind estimation of various OFDM parameters, whereas estimation of the sampling frequency is often ignored. Further­ more, the estimated sampling frequency of an OFDM signal has to be very accurate for data recovery due to the high sensitivity of OFDM signals to sampling clock offset. To address the aforementioned problems, we propose a two-step cyclostation- arity based algorithm with low computational complexity to precisely estimate the sampling frequency of a received oversampled OFDM signal. With this estimated sampling frequency and oversampling ratio, other OFDM system parameters, i.e., the number of subcarriers, symbol duration and cyclic prefix (CP) length can be es­ timated based on the cyclic property from CP sequentially. In addition, modulation scheme used in the OFDM can be classified based on the higher-order statistics (HOS) of the frequency domain OFDM signal. All the proposed algorithms are verified by a lab testing system including a vec­ tor signal generator, a spectrum analyzer and a high speed digitizer. The evaluation results confirm the high precision and efficacy of the proposed algorithm in realistic scenarios

Multifunction Radios and Interference Suppression for Enhanced Reliability and Security of Wireless Systems

Wireless connectivity, with its relative ease of over-the-air information sharing, is a key technological enabler that facilitates many of the essential applications, such as satellite navigation, cellular communication, and media broadcasting, that are nowadays taken for granted. However, that relative ease of over-the-air communications has significant drawbacks too. On one hand, the broadcast nature of wireless communications means that one receiver can receive the superposition of multiple transmitted signals. But on the other hand, it means that multiple receivers can receive the same transmitted signal. The former leads to congestion and concerns about reliability because of the limited nature of the electromagnetic spectrum and the vulnerability to interference. The latter means that wirelessly transmitted information is inherently insecure. This thesis aims to provide insights and means for improving physical layer reliability and security of wireless communications by, in a sense, combining the two aspects above through simultaneous and same frequency transmit and receive operation. This is so as to ultimately increase the safety of environments where wireless devices function or where malicious wirelessly operated devices (e.g., remote-controlled drones) potentially raise safety concerns. Specifically, two closely related research directions are pursued. Firstly, taking advantage of in-band full-duplex (IBFD) radio technology to benefit the reliability and security of wireless communications in the form of multifunction IBFD radios. Secondly, extending the self-interference cancellation (SIC) capabilities of IBFD radios to multiradio platforms to take advantage of these same concepts on a wider scale. Within the first research direction, a theoretical analysis framework is developed and then used to comprehensively study the benefits and drawbacks of simultaneously combining signals detection and jamming on the same frequency within a single platform. Also, a practical prototype capable of such operation is implemented and its performance analyzed based on actual measurements. The theoretical and experimental analysis altogether give a concrete understanding of the quantitative benefits of simultaneous same-frequency operations over carrying out the operations in an alternating manner. Simultaneously detecting and jamming signals specifically is shown to somewhat increase the effective range of a smart jammer compared to intermittent detection and jamming, increasing its reliability. Within the second research direction, two interference mitigation methods are proposed that extend the SIC capabilities from single platform IBFD radios to those not physically connected. Such separation brings additional challenges in modeling the interference compared to the SIC problem, which the proposed methods address. These methods then allow multiple radios to intentionally generate and use interference for controlling access to the electromagnetic spectrum. Practical measurement results demonstrate that this effectively allows the use of cooperative jamming to prevent unauthorized nodes from processing any signals of interest, while authorized nodes can use interference mitigation to still access the same signals. This in turn provides security at the physical layer of wireless communications

Teaching Your Wireless Card New Tricks: Smartphone Performance and Security Enhancements Through Wi-Fi Firmware Modifications

Smartphones come with a variety of sensors and communication interfaces, which make them perfect candidates for mobile communication testbeds. Nevertheless, proprietary firmwares hinder us from accessing the full capabilities of the underlying hardware platform which impedes innovation. Focusing on FullMAC Wi-Fi chips, we present Nexmon, a C-based firmware modification framework. It gives access to raw Wi-Fi frames and advanced capabilities that we found by reverse engineering chips and their firmware. As firmware modifications pose security risks, we discuss how to secure firmware handling without impeding experimentation on Wi-Fi chips. To present and evaluate our findings in the field, we developed the following applications. We start by presenting a ping-offloading application that handles ping requests in the firmware instead of the operating system. It significantly reduces energy consumption and processing delays. Then, we present a software-defined wireless networking application that enhances scalable video streaming by setting flow-based requirements on physical-layer parameters. As security application, we present a reactive Wi-Fi jammer that analyses incoming frames during reception and transmits arbitrary jamming waveforms by operating Wi-Fi chips as software-defined radios (SDRs). We further introduce an acknowledging jammer to ensure the flow of non-targeted frames and an adaptive power-control jammer to adjust transmission powers based on measured jamming successes. Additionally, we discovered how to extract channel state information (CSI) on a per-frame basis. Using both SDR and CSI-extraction capabilities, we present a physical-layer covert channel. It hides covert symbols in phase changes of selected OFDM subcarriers. Those manipulations can be extracted from CSI measurements at a receiver. To ease the analysis of firmware binaries, we created a debugging application that supports single stepping and runs as firmware patch on the Wi-Fi chip. We published the source code of our framework and our applications to ensure reproducibility of our results and to enable other researchers to extend our work. Our framework and the applications emphasize the need for freely modifiable firmware and detailed hardware documentation to create novel and exciting applications on commercial off-the-shelf devices