Qi Xiong,Ying-Chang Liang,Kwok Hung Li,Yi Gong

DOI: https://doi.org/10.1109/icc.2015.7248599

2015-01-01

Abstract:In a time-division duplex (TDD) based multi-input single-output (MISO) system, the channel state information (CSI) can be obtained during the channel estimation phase in which the receiver transmits the pilot symbols to the transmitter. This scheme may suffer from a so-called pilot spoofing attack, i.e., an adversary may send identical pilot signals as those of the legitimate receiver to spoof the transmitter. The resultant channel estimate may then contain the CSI of both legitimate and illegitimate receivers, and if such estimated channel is used for transmit beamforming, the information dedicated for legitimate receiver will leak to the illegitimate receiver. In this paper, we study the detection and defending strategies for such pilot spoofing attack. A two-way training based scheme is proposed. The durations of the training periods are also designed to optimize the secrecy rate. Finally, numerical results are presented to show the performance of our proposed method.

Yang,Yanjiao Chen,Wei Wang,Gang Yang

DOI: https://doi.org/10.1109/twc.2020.2970412

IF: 10.4

2020-01-01

IEEE Transactions on Wireless Communications

Abstract:The potential of multiuser MIMO (MU-MIMO) to increase network capacity has been intensively studied. To enable concurrent transmission in Frequency-Division Duplex (FDD) systems with limited feedback, users have to report the estimated channel state information (CSI) to the base station (BS) for interference elimination, which however has been proven to be vulnerable. In this paper, we reveal how to utilize the CSI feedbacks to launch sniffing attacks in a deterministic way, where the sniffing attack enables the attackers to eavesdrop other users in the same transmission group. We conduct a rigorous theoretical analysis on the construction of the forged CSI. In the proposed sniffing attacks, the malicious users can successfully sniff other users’ messages without knowing their own messages for signal cancellation. To make sniffing attacks more practical, we explore the possibilities of sniffing multiple users by a coalition of malicious users or a single malicious user. To thwart sniffing attacks, we design a novel secure CSI feedback (SCF) protocol based on the random masking technique, which requires simple modifications at the BS and incurs a little additional workload. Extensive theoretical analysis and experimental results are provided to further validate the effectiveness of our proposed sniffing attacks and the corresponding countermeasure.

Jiandong Xie,Ying-Chang Liang,Jun Fang,Xin Kang

DOI: https://doi.org/10.1109/icc.2017.7996989

2017-01-01

Abstract:In a multi-antenna time-division duplex (TDD) communication system, due to channel reciprocity, the downlink channel state information can be obtained by conducting uplink training. In a wire-tap channel, an active eavesdropper can perform active eavesdropping by pilot spoofing attack. In such an attack, the eavesdropper, during the uplink training phase, transmits the identical pilot sequence as that of the legitimate receiver to the transmitter. As a result, the estimated channel by the transmitter is a weighted sum of the legitimate channel and the eavesdropping channel. Motivated by the seriousness of pilot spoofing attack, in this paper, we propose a two-stage uplink training method for pilot spoofing attack detection and secure transmission. Using the new training method, the legitimate channel and the eavesdropping channel can be correctly estimated separately. Then we propose a pilot spoofing attack detector followed by a beamforming scheme for secure data transmission. Simulation results have shown that our proposed method achieves higher detection probability, and larger secrecy rate than previously proposed anti-pilot spoofing methods.

Qi Xiong,Ying-Chang Liang,Kwok Hung Li,Yi Gong,Shiying Han

DOI: https://doi.org/10.1109/tifs.2016.2516825

IF: 7.231

2016-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The pilot spoofing attack is one kind of active eavesdropping activities conducted by a malicious user during the channel training phase. By transmitting the identical pilot (training) signals as those of the legal users, such an attack is able to manipulate the channel estimation outcome, which may result in a larger channel rate for the adversary but a smaller channel rate for the legitimate receiver. With the intention of detecting the pilot spoofing attack and minimizing its damages, we design a two-way training-based scheme. The effective detector exploits the intrusive component created by the adversary, followed by a secure beamforming-assisted data transmission. In addition to the solid detection performance, this scheme is also capable of obtaining the estimations of both legitimate and illegitimate channels, which allows the users to achieve secure communication in the presence of pilot spoofing attack. The detection probability is evaluated based on the derived test threshold at a given requirement on the probability of false alarming. The achievable secrecy rate is utilized to measure the security level of the data transmission. Our analysis shows that even without any pre-assumed knowledge of eavesdropper, the proposed scheme is still able to achieve the maximal secrecy rate in certain cases. Numerical results are provided to show that our scheme could achieve a high detection probability as well as secure transmission.

Shiguo Wang,Qingyong Deng,Xuewen Fu,Peng Li

DOI: https://doi.org/10.1016/j.phycom.2023.102215

IF: 2.379

2023-11-06

Physical Communication

Abstract:For large-scale MIMO systems, upon the investigation of pilot spoofing on system security capacity, a novel detection scheme is proposed and the contaminated channel state information (CSI) is corrected. Specifically, a two-parts pilot sequence is exploited to implement channel estimation. The first one is conventional, and the other is partially randomized on the top of the first one. Leveraging the difference between the statistical characteristic of the estimated CSIs in two parts, a pilot spoofing detector is established based on the principle of the maximum likelihood ratio. Meanwhile, the contaminated CSI is purified with the obtained information in pilot spoofing detection, and thus system security capacity can be improved greatly. Finally, simulation results are presented to evaluate the superior performance of the proposed scheme.

telecommunications,engineering, electrical & electronic

Fengyi Bai,Pinyi Ren,Qinghe Du,Li Sun

DOI: https://doi.org/10.1109/pimrc.2016.7794707

2016-01-01

Abstract:Pilot spoofing attack can deteriorate the transmission performance of the legitimate system and facilitate eavesdropping concurrently. Some detection methods of pilot attack have been proposed, while we consider the problem of channel estimation under pilot spoofing attack. In this paper, a hybrid channel estimation strategy using random Binary Phase Shift Keying (BPSK) is proposed. Specifically, a random BPSK sequence is transmitted by the legal user once the attack is detected. In this manner, the base station detects the sequence and re-estimates the legal channel with both contaminated pilot and assistant sequence. We evaluate the estimation performance in three cases according to different responses of the malicious user. Simulation results demonstrate that the proposed strategy can effectively estimate the legitimate channel against pilot attack.

Lingyun Chai,Lin Bai,Tong Bai,Jia Shi,Arumugam Nallanathan

DOI: https://doi.org/10.1109/jiot.2023.3264679

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:As for the time-division communications system, the pilot spoofing attack technique is maliciously utilized by active eavesdroppers during the uplink training phase, for contaminating the legitimate channel estimation and thus altering the beamforming design towards the eavesdroppers. Nonorthogonal multiple access (NOMA) has been recognized as the key technology for the envisioned Internet of Things (IoT) networks. In order to prevent the aforementioned information leakage in NOMA-IoT systems, we develop a novel two-way training scheme to detect pilot spoofing attack and a robust secure beamforming design for providing secure transmission, by utilizing the emerging technique of reconfigurable intelligent surface (RIS), which is turned off during the uplink training phase and turned on during the downlink training phase, respectively. Considering that the perfect channel state information related to the eavesdropping channel is typically difficult to obtain, a secrecy outage probability constrained robust secure beamforming design is proposed to maximize the achievable sum secrecy rate of the legitimate users, by alternatively optimizing the active beamforming and RIS passive beamforming, while satisfying the requirements of the NOMA transmission. Elaborate simulation results reveal that the proposed detection method attains a super pilot spoofing attack detection performance and the proposed robust secure beamforming design is capable of efficiently enhancing the achievable sum secrecy rate, compared with various benchmark schemes.

computer science, information systems,telecommunications,engineering, electrical & electronic

Qi Xiong,Ying-Chang Liang,Kwok Hung Li,Yi Gong

DOI: https://doi.org/10.1109/ICASSP.2015.7178270

2015-01-01

Abstract:We study a spoofing attack happened in the physical layer of a multiple-antenna system, where an adversary tries to spoof the transmitter by sending the identical pilot (training) signal as that of a legitimate receiver in the uplink channel estimation phase. This attack, named as pilot spoofing attack, could lead to a secrecy information leakage to the adversary and information rate decrease at the legitimate receiver. Due to the serious results caused by the pilot spoofing attack, we propose an energy-ratio detector (ERD) to protect the legitimate components. The ERD makes the decision by exploiting the asymmetry of the received signal strength (RSS) between the transmitter and the legitimate receiver when the system is under the pilot spoofing attack. Numerical results are presented to illustrate the effectiveness of our proposed detector.

Delong Liu,Wei Wang,Yang Huang

DOI: https://doi.org/10.1049/ell2.70074

2024-10-30

Electronics Letters

Abstract:We present a pilot spoofing attack detection scheme by using the difference of two different estimators, that is, the least square estimator and the minimum mean square error estimator, without requiring any priori of eavesdroppers. In addition, we propose a data‐aided channel estimation scheme to eliminate the PSA effect. Pilot spoofing attack (PSA) is an active eavesdropping attack in massive multiple‐input multiple‐output systems, where the eavesdroppers transmit the same pilot sequence as the legitimate user does to the base station to confuse the normal channel estimation during the uplink channel training phase. With the contaminated channel estimations, more information will be leaked to eavesdroppers in the downlink transmission phase. However, it is a challenging issue to detect the PSA attack due to the similarity of the received signals and the variations of the wireless channels. Here, a new PSA detection scheme by using the difference of two different estimators is presented, that is, the least square estimator and the minimum mean square error estimator, without requiring any priori of eavesdroppers. Following that, a new data‐aided channel estimation scheme is proposed to eliminate the PSA effect. Simulation results demonstrate that the proposed PSA detection scheme outperforms the conventional energy detector, and more accurate legitimate channel estimation and higher sum secrecy rates can be obtained with the proposed scheme.

engineering, electrical & electronic

Hui-Ming Wang,Shao-Di Wang

DOI: https://doi.org/10.1109/LWC.2020.3009370

IF: 6.3

2020-01-01

IEEE Wireless Communications Letters

Abstract:In this letter, we consider downlink transmission of a multiuser multiple-input multiple-output (MU-MIMO) system with zero-forcing (ZF) precoders in the presence of multiple attackers. We propose a cooperative pilot spoofing attack (CPSA), where the attackers collaboratively impair the channel estimations in the uplink channel training phase, aiming at deteriorating the downlink throughput of the whole cell. We first evaluate the impacts of CPSA on the channel estimation and the downlink ZF precoding design, and then we derive an analytical expression for the achievable downlink sum-rate. Furthermore, we investigate the optimal attack strategy to minimize the achievable downlink sum-rate. We show that the optimization problem under consideration is a convex one so the global optimum could be obtained conveniently. Numerical results show that the CPSA attack results in a severe performance deterioration with the increase in the attacking power and the number of attackers.

Dongyang Xu,Pinyi Ren,Yichen Wang,Qinghe Du,Li Sun

DOI: https://doi.org/10.1109/icc.2017.7996861

2017-01-01

Abstract:Pilot spoofing attack is a serious threat to time-division duplex (TDD) orthogonal frequency division multiplexing (TDD-OFDM) system. By employing identical pilot tones as a legitimate receiver, an adversary can contaminate the uplink channel estimation between a transceiver pair. To solve this problem, we in this paper propose an independent component analysis (ICA) based channel estimation and identification mechanism with a subcarrier-block discriminating coding (SBDC) technique (ICA-SBDC). Firstly, a receiver randomizes the values of its pilot tones to avoid contamination, which however incurs pilot jamming attack. A minor-component-based detector (MCD) is devised to detect the attack efficiently. Secondly, the transmitter exploits the fourth-order statistical information of received signals to extract a linear-mixing channel. We can prove that given previously used legitimate pilots, both legitimate and attack sub-channels can be recovered from the obtained channel. Finally, the receiver maps its utilized pilots into various uplink transmission strategies on subcarrier-blocks which can be ultimately identified by the transmitter in a jamming environment. The mapping therein is formulated via a public-known codebook with discriminating algebraic property and the identification is achieved by decoding the codebook according to the results of MCD-based detection for each subcarrier-block. Simulation results verify the effectiveness of our proposed mechanism.

Xiaoming Liu,Yiwen Tao,Chenglin Zhao,Zhuo Sun

DOI: https://doi.org/10.1109/access.2021.3054821

IF: 3.9

2021-01-01

IEEE Access

Abstract:Pilot spoofing attack (PSA) is a kind of active eavesdropping, which launches the identical training sequence to manipulate the channel estimation outcome during the pilot training phase. The newly proposed intelligent reflecting surface (IRS) system is vulnerable to the PSA because it relies on the pilot-assisted channel estimation methods to obtain channel statement information (CSI). To combat PSA in IRS-assisted systems, we consider two significant challenges: 1) channel distribution information (CDI) is uncertain, which will make the PSA detection methods based on the statistic feature (SF) invalid; 2) the noise is uncertain when detecting PSA in practical scenarios, which would impair the popular energy-based detectors. In this paper, we design a three-step training (TST) scheme. The effective detector could achieve reliable detection performance by examining the transmitter's received signal power levels when PSA occurs. The proposed method does not require the prior knowledge of noise variance and could obtain the CSI of both legitimate and illegitimate dyadic backscatter channels. Theoretical analysis and numerical simulations are presented further to demonstrate the efficiency of our proposed TST scheme.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ke-Wen Huang,Hui-Ming Wang,Yongpeng Wu,Robert Schober

DOI: https://doi.org/10.1109/TWC.2018.2859949

IF: 10.4

2018-01-01

IEEE Transactions on Wireless Communications

Abstract:In this paper, we investigate the design of a pilot spoofing attack (PSA) carried out by multiple single-antenna eavesdroppers (Eves) in a downlink time-division duplex system, where a multiple antenna base station (BS) transmits confidential information to a single-antenna legitimate user. During the uplink channel training phase, multiple Eves collaboratively impair the channel acquisition of th...

Qi Xiong,Ying-Chang Liang,Kwok Hung Li,Yi Gong

DOI: https://doi.org/10.1109/tifs.2015.2392564

IF: 7.231

2015-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The pilot spoofing attack is one kind of active eavesdropping conducted by a malicious user during the channel estimation phase of the legitimate transmission. In this attack, an intelligent adversary spoofs the transmitter on the estimation of channel state information (CSI) by sending the identical pilot signal as the legitimate receiver, in order to obtain a larger information rate in the data transmission phase. The pilot spoofing attack could also drastically weaken the strength of the received signal at the legitimate receiver if the adversary utilizes large enough power. Motivated by the serious problems the pilot spoofing attack could cause, we propose an efficient detector, named energy ratio detector (ERD), by exploring the asymmetry of received signal power levels at the transmitter and the legitimate receiver when there exists a pilot spoofing attack. Our analysis shows that by setting the ratio of received signal power levels at the transmitter and the legitimate receiver as the test statistic, the detecting threshold is derived without using the knowledge of the CSI of the legitimate channel as well as the illegitimate channel. Furthermore, we study the performance of the proposed ERD in various special cases in order to obtain useful insights. Numerical results are presented to further demonstrate the performance of our proposed ERD.

Weiyang Xu,Ruiguang Wang,Yuan Zhang,Hien Quoc Ngo,Wei Xiang

DOI: https://doi.org/10.1109/tifs.2024.3402973

IF: 7.231

2024-05-29

IEEE Transactions on Information Forensics and Security

Abstract:The channel hardening effect is less pronounced in the cell-free massive multiple-input multiple-output (mMIMO) system compared to its cellular counterpart, making it necessary to estimate the downlink effective channel gains to ensure decent performance. However, the downlink training inadvertently creates an opportunity for adversarial nodes to launch pilot spoofing attacks (PSAs). First, we demonstrate that adversarial distributed access points (APs) can severely degrade the achievable downlink rate. They achieve this by estimating their channels to users in the uplink training phase and then precoding and sending the same pilot sequences as those used by legitimate APs during the downlink training phase. Then, the impact of the downlink PSA is investigated by rigorously deriving a closed-form expression of the per-user achievable downlink rate. By employing the min-max criterion to optimize the power allocation coefficients, the maximum per-user achievable rate of downlink transmission is minimized from the perspective of adversarial APs. As an alternative to the downlink PSA, adversarial APs may opt to precode random interference during the downlink data transmission phase in order to disrupt legitimate communications. In this scenario, the achievable downlink rate is derived, and then power optimization algorithms are also developed. We present numerical results to showcase the detrimental impact of the downlink PSA and compare the effects of these two types of attacks.

computer science, theory & methods,engineering, electrical & electronic

Songlin Chen,Sijing Wang,Xingchen Xu,Long Jiao,Hong Wen

DOI: https://doi.org/10.1109/infocomwkshps54753.2022.9797889

2022-01-01

Abstract:Security is of vital importance in wireless industrial communication systems. When spoofing attacking has occurred, leading to economic losses or even safety accidents. So as to address the concern, existing approaches mainly rely on traditional cryptographic algorithms. However, these methods cannot meet the needs of short delay and lightweight. In this paper, we propose a CSI-based PHY-layer security authentication scheme to detect spoofing detection. The main idea takes advantage of the uncorrelated nature of wireless channels to the identification of spoofing nodes in the physical layer. We demonstrate a MIMO-OFDM based spoofing detection prototype in industrial environments. Firstly, utilizing Universal Software Radio Peripheral (USRPs) to establish MIMO-OFDM communication systems is presented. Secondly, our proposed security scheme of CSI-based PHY-layer authentication is demonstrated. Finally, the effectiveness of the proposed approach has been verified via attack experiments.

Xuhang Ying,Joanna Mazer,Giuseppe Bernieri,Mauro Conti,Linda Bushnell,Radha Poovendran

DOI: https://doi.org/10.1109/cns.2019.8802732

2019-06-01

Abstract:The Automatic Dependent Surveillance-Broadcast (ADS-B) system is a key component of the Next Generation Air Transportation System (NextGen) that manages the increasingly congested airspace. It provides accurate aircraft localization and efficient air traffic management and also improves the safety of billions of current and future passengers. While the benefits of ADS-B are well known, the lack of basic security measures like encryption and authentication introduces various exploitable security vulnerabilities. One practical threat is the ADS-B spoofing attack that targets the ADS-B ground station, in which the ground-based or aircraft-based attacker manipulates the International Civil Aviation Organization (ICAO) address (a unique identifier for each aircraft)in the ADS-B messages to fake the appearance of non-existent aircraft or masquerade as a trusted aircraft. As a result, this attack can confuse the pilots or the air traffic control personnel and cause dangerous maneuvers. In this paper, we introduce SODA - a two-stage Deep Neural Network (DNN)-based spoofing detector for ADS-B that consists of a message classifier and an aircraft classifier. It allows a ground station to examine each incoming message based on the PHY-layer features (e.g., IQ samples and phases) and flag suspicious messages. Our experimental results show that SODA detects ground-based spoofing attacks with a probability of 99.34%, while having a very small false alarm rate (i.e., 0.43%). It outperforms other machine learning techniques such as XGBoost, Logistic Regression, and Support Vector Machine. It further identifies individual aircraft with an average F-score of 96.68 % and an accuracy of 96.66%, with a significant improvement over the state-of-the-art detector.

Weile Zhang,Hai Lin,Ruonan Zhang

DOI: https://doi.org/10.1109/tcomm.2018.2791535

IF: 6.166

2018-01-01

IEEE Transactions on Communications

Abstract:Pilot contamination attack is an important activity of active eavesdropping conducted by a malicious user during channel training phase. This attack is potentially harmful to the physical layer security. In this paper, motivated by the fact that frequency asynchronism could introduce divergence of the transmitted pilot signals between intended user and attacker, we propose a new uncoordinated frequency shift (UFS) scheme for detecting pilot contamination attack in multiple antenna system. During the reverse training phase of the UFS scheme, the legitimate user Bob deliberately introduces multiple random frequency shifts in the publicly known pilot sequence. Since eavesdropper Eve has no knowledge of these random frequency shifts, it is almost impossible for her to pretend exactly like Bob. This provides the opportunity to detect the presence of Eve. An attack detection algorithm is then developed based on source enumeration method. Both the asymptotic performance analysis and numerical results are provided to verify the proposed detection scheme. The proposed scheme is also enhanced based on noise power estimation to cope with attacks from a multi-antenna Eve. Furthermore, the proposed UFS scheme is extended by introducing general parameterized phase shifts. It is demonstrated that the proposed UFS scheme can achieve comparable detection performance as the existing superimposed random sequence based scheme, without sacrifice of legitimate channel estimation performance.