Wenyuan Xu,Timothy Wood,Wade Trappe,Yanyong Zhang

DOI: https://doi.org/10.1145/1023646.1023661

2004-01-01

Abstract:Wireless networks are built upon a shared medium that makes it easy for adversaries to launch denial of service (DoS) attacks. One form of denial of service is targeted at preventing sources from communicating. These attacks can be easily accomplished by an adversary by either bypassing MAC-layer protocols, or emitting a radio signal targeted at jamming a particular channel. In this paper we present two strategies that may be employed by wireless devices to evade a MAC/PHY-layer jamming-style wireless denial of service attack. The first strategy, channel surfing, is a form of spectral evasion that involves legitimate wireless devices changing the channel that they are operating on. The second strategy, spatial retreats, is a form of spatial evasion whereby legitimate mobile devices move away from the locality of the DoS emitter. We study both of these strategies for three broad wireless communication scenarios: two-party radio communication, an infrastructured wireless network, and an ad hoc wireless network. We evaluate several of our proposed strategies and protocols through ns-2 simulations and experiments on the Berkeley mote platform.

Jiejiao Tian,Ying-Chang Liang,Xin Kang,Gang Yang

DOI: https://doi.org/10.1109/ICCChina.2017.8330342

2017-01-01

Abstract:In this paper, we propose a new type of attack from the perspective of the eavesdropper. The full-duplex eavesdropper acts as a relay in the uplink channel estimation phase forwarding the received pilot signal from legitimate receiver to confound the legitimate transmitter. Compared to pilot spoofing attack, which needs the eavesdropper to know the pilot signal accurately, the pilot relay attack only needs the eavesdropper to know the frame structure of the legitimate transceiver pair. In this paper, we study the optimal amplify-and-forward strategy of the eavesdropper so that its eavesdropping behavior is harder to be detected by maximizing the transmission rate from the legitimate transmitter to the legitimate receiver under the constraint that the eavesdropping rate is larger than the legitimate transmission rate. Furthermore, we analyze the performance of the pilot relay attack when Eve is at different locations, the simulations have shown that different strategies should be adopted at different locations.

Qi Xiong,Ying-Chang Liang,Kwok Hung Li,Yi Gong,Shiying Han

DOI: https://doi.org/10.1109/tifs.2016.2516825

IF: 7.231

2016-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The pilot spoofing attack is one kind of active eavesdropping activities conducted by a malicious user during the channel training phase. By transmitting the identical pilot (training) signals as those of the legal users, such an attack is able to manipulate the channel estimation outcome, which may result in a larger channel rate for the adversary but a smaller channel rate for the legitimate receiver. With the intention of detecting the pilot spoofing attack and minimizing its damages, we design a two-way training-based scheme. The effective detector exploits the intrusive component created by the adversary, followed by a secure beamforming-assisted data transmission. In addition to the solid detection performance, this scheme is also capable of obtaining the estimations of both legitimate and illegitimate channels, which allows the users to achieve secure communication in the presence of pilot spoofing attack. The detection probability is evaluated based on the derived test threshold at a given requirement on the probability of false alarming. The achievable secrecy rate is utilized to measure the security level of the data transmission. Our analysis shows that even without any pre-assumed knowledge of eavesdropper, the proposed scheme is still able to achieve the maximal secrecy rate in certain cases. Numerical results are provided to show that our scheme could achieve a high detection probability as well as secure transmission.

Ning Gao,Zhijin Qin,Xiaojun Jing

DOI: https://doi.org/10.1109/lsp.2019.2913085

2019-01-01

IEEE Signal Processing Letters

Abstract:In the channel training phase, the attacker launches a pilot contamination attack by sending a synchronized and identical pilot signal with the legitimate transmitter. Such an attack can contaminate the channel estimation and alter the legitimate beamformer design. In this letter, first, we propose a pilot contamination attack detection scheme for wireless communications. By considering the prior uncertainty of the attack, we find that the decision-maker will conservatively decide the state of the attack, which is a subjective choice. In this case, we derive the subjective detection probability, the subjective false alarm probability, and the threshold. We analyze the tradeoff problem between ergodic wire-tap channel rate and subjective detection probability. Next, based on the worst case that the attacker adopts the optimal power allocation to launch the optimal attack, we discuss the defense strategy of the optimal attack. Simulations show that the proposed scheme has a better performance than the benchmark method.

Kemal Davaslioglu,Yalin E. Sagduyu

DOI: https://doi.org/10.48550/arXiv.1910.10766

2019-10-24

Abstract:We present a Trojan (backdoor or trapdoor) attack that targets deep learning applications in wireless communications. A deep learning classifier is considered to classify wireless signals using raw (I/Q) samples as features and modulation types as labels. An adversary slightly manipulates training data by inserting Trojans (i.e., triggers) to only few training data samples by modifying their phases and changing the labels of these samples to a target label. This poisoned training data is used to train the deep learning classifier. In test (inference) time, an adversary transmits signals with the same phase shift that was added as a trigger during training. While the receiver can accurately classify clean (unpoisoned) signals without triggers, it cannot reliably classify signals poisoned with triggers. This stealth attack remains hidden until activated by poisoned inputs (Trojans) to bypass a signal classifier (e.g., for authentication). We show that this attack is successful over different channel conditions and cannot be mitigated by simply preprocessing the training and test data with random phase variations. To detect this attack, activation based outlier detection is considered with statistical as well as clustering techniques. We show that the latter one can detect Trojan attacks even if few samples are poisoned.

Networking and Internet Architecture,Cryptography and Security,Machine Learning,Signal Processing

Linqing Wan,Guangchi Zhang,Miao Cui,Fan Lin

DOI: https://doi.org/10.1007/s11277-017-5213-0

IF: 2.017

2017-12-29

Wireless Personal Communications

Abstract:Proactive eavesdropping is a new paradigm shift in wireless physical layer security from preventing conventional eavesdropping attacks to legitimate intercepting suspicious communications, which has attracted a lot of attention recently. Pilot contamination is one effective technique in proactive eavesdropping, which spoofs the suspicious transmitter on channel estimation by sending the same pilot signal as the suspicious receiver, and lets it leak information in the direction of the legitimate eavesdropper during its transmission. However, this technique may fail when an anti-pilot-contamination mechanism called “energy ratio detector (ERD)” is applied at the suspicious receiver. To deal with the case that the suspicious receiver is a smart device using ERD, in this paper, we study using pilot contamination along with jamming to improve the legitimate eavesdropping performance. We first derive a closed-form expression for the probability of pilot contamination being detected by the suspicious receiver, and use it to obtain a closed-form expression for the eavesdropping rate. Using this theoretical analysis result, we propose an algorithm to maximize the eavesdropping rate by jointly optimizing the pilot contamination power and jamming power via two-dimensional search. Simulation results show that the proposed eavesdropping rate maximization algorithm can significantly improve eavesdropping rate, as compared to other benchmark schemes.

telecommunications

Hui-Ming Wang,Ke-Wen Huang,Theodoros A. Tsiftsis

DOI: https://doi.org/10.48550/arXiv.1801.04104

2018-01-12

Abstract:Transmitter-side channel state information (CSI) of the legitimate destination plays a critical role in physical layer secure transmissions. However, channel training procedure is vulnerable to the pilot spoofing attack (PSA) or pilot jamming attack (PJA) by an active eavesdropper (Eve), which inevitably results in severe private information leakage. In this paper, we propose a random channel training (RCT) based secure downlink transmission framework for a time division duplex (TDD) multiple antennas base station (BS). In the proposed RCT scheme, multiple orthogonal pilot sequences (PSs) are simultaneously allocated to the legitimate user (LU), and the LU randomly selects one PS from the assigned PS set to transmit. Under either the PSA or PJA, we provide the detailed steps for the BS to identify the PS transmitted by the LU, and to simultaneously estimate channels of the LU and Eve. The probability that the BS makes an incorrect decision on the PS of the LU is analytically investigated. Finally, closed-form secure beamforming (SB) vectors are designed and optimized to enhance the secrecy rates during the downlink transmissions. Numerical results show that the secrecy performance is greatly improved compared to the conventional channel training scheme wherein only one PS is assigned to the LU.

Information Theory

Ke-Wen Huang,Hui-Ming Wang,Yongpeng Wu,Robert Schober

DOI: https://doi.org/10.1109/TWC.2018.2859949

IF: 10.4

2018-01-01

IEEE Transactions on Wireless Communications

Abstract:In this paper, we investigate the design of a pilot spoofing attack (PSA) carried out by multiple single-antenna eavesdroppers (Eves) in a downlink time-division duplex system, where a multiple antenna base station (BS) transmits confidential information to a single-antenna legitimate user. During the uplink channel training phase, multiple Eves collaboratively impair the channel acquisition of th...

Weiyang Xu,Ruiguang Wang,Yuan Zhang,Hien Quoc Ngo,Wei Xiang

2024-04-11

Abstract:The channel hardening effect is less pronounced in the cell-free massive multiple-input multiple-output (mMIMO) system compared to its cellular counterpart, making it necessary to estimate the downlink effective channel gains to ensure decent performance. However, the downlink training inadvertently creates an opportunity for adversarial nodes to launch pilot spoofing attacks (PSAs). First, we demonstrate that adversarial distributed access points (APs) can severely degrade the achievable downlink rate. They achieve this by estimating their channels to users in the uplink training phase and then precoding and sending the same pilot sequences as those used by legitimate APs during the downlink training phase. Then, the impact of the downlink PSA is investigated by rigorously deriving a closed-form expression of the per-user achievable downlink rate. By employing the min-max criterion to optimize the power allocation coefficients, the maximum per-user achievable rate of downlink transmission is minimized from the perspective of adversarial APs. As an alternative to the downlink PSA, adversarial APs may opt to precode random interference during the downlink data transmission phase in order to disrupt legitimate communications. In this scenario, the achievable downlink rate is derived, and then power optimization algorithms are also developed. We present numerical results to showcase the detrimental impact of the downlink PSA and compare the effects of these two types of attacks.

Information Theory

Ning Zhang,Renyong Wu,Shenglan Yuan,Chao Yuan,Dajiang Chen

DOI: https://doi.org/10.1109/jiot.2019.2919743

IF: 10.6

2019-10-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) security becomes of great importance, as IoT is the foundation for many emerging services. To safeguard IoT security, cryptosystems at upper layer relying on sophisticated key management alone can face many challenges due to the massive deployment of resource constrained machine-type communication (MTC) devices. Physical layer (PHY) security can complement and enhance IoT security, by exploiting the characteristics of the bottom layer. In PHY security, channel state information (CSI) estimated through reverse pilot training is essential for the sender to select appropriate beamforming/precoder, which however is also vulnerable to adversaries. An adversary can actively launch pilot contamination attacks to affect the channel estimation and improve its signal reception quality. In this paper, we propose a relay-aided vectorized (RAV) secure transmission scheme, to safeguard the downlink communication in IoT networks under potential pilot contamination attacks. The proposed scheme does not distinguish the pilot sequences sent from an adversary and the receiver; and the sender utilizes what it receives to estimate the CSI for beamforming/precoder design. Then, a set of data symbols are presuperposed using a random complex matrix to form signal vectors to send. Through cooperation with a relay, the signal vectors can be recovered by the intended receiver whereas the adversary or the relay cannot, as proved through security analysis. The simulation results also demonstrate that the bit error rate (BER) of the adversary is 0.5 regardless of its channel quality, indicating perfect secrecy is achieved.

computer science, information systems,telecommunications,engineering, electrical & electronic

Simone Soderi,Rocco De Nicola

DOI: https://doi.org/10.1007/978-981-99-9614-8_11

2024-04-24

Abstract:Covert channel networks are a well-known method for circumventing the security measures organizations put in place to protect their networks from adversarial attacks. This paper introduces a novel method based on bit-rate modulation for implementing covert channels between devices connected over a wide area network. This attack can be exploited to exfiltrate sensitive information from a machine (i.e., covert sender) and stealthily transfer it to a covert receiver while evading network security measures and detection systems. We explain how to implement this threat, focusing specifically on covert channel networks and their potential security risks to network information transmission. The proposed method leverages bit-rate modulation, where a high bit rate represents a '1' and a low bit rate represents a '0', enabling covert communication. We analyze the key metrics associated with covert channels, including robustness in the presence of legitimate traffic and other interference, bit-rate capacity, and bit error rate. Experiments demonstrate the good performance of this attack, which achieved 5 bps with excellent robustness and a channel capacity of up to 0.9239 bps/Hz under different noise sources. Therefore, we show that bit-rate modulation effectively violates network security and compromises sensitive data.

Cryptography and Security,Information Theory,Networking and Internet Architecture

Jiandong Xie,Ying-Chang Liang,Jun Fang,Xin Kang

DOI: https://doi.org/10.1109/icc.2017.7996989

2017-01-01

Abstract:In a multi-antenna time-division duplex (TDD) communication system, due to channel reciprocity, the downlink channel state information can be obtained by conducting uplink training. In a wire-tap channel, an active eavesdropper can perform active eavesdropping by pilot spoofing attack. In such an attack, the eavesdropper, during the uplink training phase, transmits the identical pilot sequence as that of the legitimate receiver to the transmitter. As a result, the estimated channel by the transmitter is a weighted sum of the legitimate channel and the eavesdropping channel. Motivated by the seriousness of pilot spoofing attack, in this paper, we propose a two-stage uplink training method for pilot spoofing attack detection and secure transmission. Using the new training method, the legitimate channel and the eavesdropping channel can be correctly estimated separately. Then we propose a pilot spoofing attack detector followed by a beamforming scheme for secure data transmission. Simulation results have shown that our proposed method achieves higher detection probability, and larger secrecy rate than previously proposed anti-pilot spoofing methods.

Matthew Smith,Martin Strohmeier,Jon Harman,Vincent Lenders,Ivan Martinovic

DOI: https://doi.org/10.48550/arXiv.1905.08039

2019-05-20

Cryptography and Security

Abstract:Many wireless communications systems found in aircraft lack standard security mechanisms, leaving them fundamentally vulnerable to attack. With affordable software-defined radios available, a novel threat has emerged, allowing a wide range of attackers to easily interfere with wireless avionic systems. Whilst these vulnerabilities are known, concrete attacks that exploit them are still novel and not yet well understood. This is true in particular with regards to their kinetic impact on the handling of the attacked aircraft and consequently its safety. To investigate this, we invited 30 Airbus A320 type-rated pilots to fly simulator scenarios in which they were subjected to attacks on their avionics. We implement and analyse novel wireless attacks on three safety-related systems: Traffic Collision Avoidance System (TCAS), Ground Proximity Warning System (GPWS) and the Instrument Landing System (ILS). We found that all three analysed attack scenarios created significant control impact and cost of disruption through turnarounds, avoidance manoeuvres, and diversions. They further increased workload, distrust in the affected system, and in 38% of cases caused the attacked safety system to be switched off entirely. All pilots felt the scenarios were useful, with 93.3% feeling that simulator training for wireless attacks could be valuable.

Zhangnan Wang,Yichen Wang

DOI: https://doi.org/10.1109/vtc2022-spring54318.2022.9860696

2022-01-01

Abstract:Existing studies on pilot contamination attacks often assume that the enemy has not made any strategic corrections to the detection plan. In this paper, we assume that the intelligent malicious user can obtain legitimate users' pilot sequence and power in a timely and accurate manner. Based on the acquired pilot information, the attacker adjusts the pilot contamination attack strategy during the reverse training phase and the jamming power during the data transmission phase to improve his eavesdropping performance and reduce the downlink transmission rate of legitimate users. By modeling the defender-attacker interaction as a Stackelberg game, Bob as the leader chooses his pilot training power, while a full-duplex eavesdropper as the follower determines the pilot contamination power according to the observed Bob's ongoing training signals transmission. In addition, we analyze Bob's pilot transmission power and secrecy rate under complete and incomplete information conditions. Simulation results show that the proposed scheme can defend against an intelligent active eavesdropper with a higher secrecy rate and utility.

Liakot Ali,Farshad

DOI: https://doi.org/10.1371/journal.pone.0254903

IF: 3.7

2021-07-29

PLoS ONE

Abstract:Due to Hardware Trojan (HT), trustworthiness of Integrated Circuit (IC) supply chain is a burning issue in Semiconductor Industry nowadays. Over the last decade, extensive research has been carried on HT detection methods for digital circuits. However, the HT issue remains largely unexplored in the domain of Analog Mixed Signal (AMS)/ RF circuit where it is now an appealing target for the attackers. The increasing popularity of Orthogonal Frequency Division Multiplexing (OFDM) based wireless cryptographic ICs in modern communication systems makes it a lucrative target for HT-based attacks which could have a devastating impact on data security. This paper presents a trigger-based Hardware Trojan Threat model that exploits the extended cyclic prefix (ECP) property of the OFDM communication scheme to leak the secret encryption key over low noise Additive White Gaussian Channel (AWGN) and developed a Cyclic Prefix (CP) checker based detection mechanism named "SENTRY" to detect such trojans once it is triggered.

Qi Xiong,Ying-Chang Liang,Kwok Hung Li,Yi Gong

DOI: https://doi.org/10.1109/tifs.2015.2392564

IF: 7.231

2015-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The pilot spoofing attack is one kind of active eavesdropping conducted by a malicious user during the channel estimation phase of the legitimate transmission. In this attack, an intelligent adversary spoofs the transmitter on the estimation of channel state information (CSI) by sending the identical pilot signal as the legitimate receiver, in order to obtain a larger information rate in the data transmission phase. The pilot spoofing attack could also drastically weaken the strength of the received signal at the legitimate receiver if the adversary utilizes large enough power. Motivated by the serious problems the pilot spoofing attack could cause, we propose an efficient detector, named energy ratio detector (ERD), by exploring the asymmetry of received signal power levels at the transmitter and the legitimate receiver when there exists a pilot spoofing attack. Our analysis shows that by setting the ratio of received signal power levels at the transmitter and the legitimate receiver as the test statistic, the detecting threshold is derived without using the knowledge of the CSI of the legitimate channel as well as the illegitimate channel. Furthermore, we study the performance of the proposed ERD in various special cases in order to obtain useful insights. Numerical results are presented to further demonstrate the performance of our proposed ERD.

Yuda Lin,Liang Jin,Kaizhi Huang,Xiaoli Sun,Feihu Wang

DOI: https://doi.org/10.1109/jsyst.2022.3165055

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:Multiantenna technique can provide a substantial rate gain for wireless communication; however, when applied in covert wireless communication, the potential detecting risk of pilot transmission is always neglected. In this article, for the first time, we consider the effect of pilot leakage on the performance of covert communication over a finite transmission blocklength. First, we construct a general analysis model of multiantenna joint covert communication (JTCC), where the uplink covert pilot, the imperfect channel estimation issues, and the downlink covert communication is taken into account. Second, we evaluate the covertness performance of the proposed system in which an independent detection scheme (IDS) and two joint detection schemes (JDSs) are adopted at an unintended warden, respectively. In particular, the closed-form expressions of tight average covert probability are derived under the different detection schemes. Third, we establish an optimization framework for the covert throughput maximization subject to the constraints of covertness, reliability, and blocklength. Moreover, a simple and robust solution is provided by jointly designing the pilot length and the transmit power. Numerical results highlight the advantages of the JTCC system in resisting pilot detection and indicate the tradeoff of pilot design between the achievable covertness, the required reliability, and the overall rate performance.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Haoyu Wang,Zhu Han,A. Lee Swindlehurst

2024-01-01

Abstract:While reconfigurable intelligent surface (RIS) technology has been shown to provide numerous benefits to wireless systems, in the hands of an adversary such technology can also be used to disrupt communication links. This paper describes and analyzes an RIS-based attack on multi-antenna wireless systems that operate in time-division duplex mode under the assumption of channel reciprocity. In particular, we show how an RIS with a non-diagonal (ND) phase shift matrix (referred to here as an ND-RIS) can be deployed to maliciously break the channel reciprocity and hence degrade the downlink network performance. Such an attack is entirely passive and difficult to detect and counteract. We provide a theoretical analysis of the degradation in the sum ergodic rate that results when an arbitrary malicious ND-RIS is deployed and design an approach based on the genetic algorithm for optimizing the ND structure under partial knowledge of the available channel state information. Our simulation results validate the analysis and demonstrate that an ND-RIS channel reciprocity attack can dramatically reduce the downlink throughput.

Signal Processing

Qi Xiong,Ying-Chang Liang,Kwok Hung Li,Yi Gong

DOI: https://doi.org/10.1109/ICASSP.2015.7178270

2015-01-01

Abstract:We study a spoofing attack happened in the physical layer of a multiple-antenna system, where an adversary tries to spoof the transmitter by sending the identical pilot (training) signal as that of a legitimate receiver in the uplink channel estimation phase. This attack, named as pilot spoofing attack, could lead to a secrecy information leakage to the adversary and information rate decrease at the legitimate receiver. Due to the serious results caused by the pilot spoofing attack, we propose an energy-ratio detector (ERD) to protect the legitimate components. The ERD makes the decision by exploiting the asymmetry of the received signal strength (RSS) between the transmitter and the legitimate receiver when the system is under the pilot spoofing attack. Numerical results are presented to illustrate the effectiveness of our proposed detector.