Orthogonality-Sabotaging Attacks against OFDMA-based Wireless Networks Shangqing Zhao, Zhuo Lu, Zhengping Luo, Yao Liu University of South Florida
OUTLINE • Background • Attack Strategy and Evaluation – Motivation of orthogonality sabotaging – Experimental Evaluation • Identification and Detection • Conclusion
JAMMING ATTACKS • Jamming attacks
JAMMING ATTACKS • Jamming attacks --- broadcast nature of wireless signals Jamming attack works well against Attacker narrowband systems Signal Jammer User AP Frequency
JAMMING ATTACKS • Traditional: jammer cannot disrupt signals beyond its covered bandwidth Narrow-band jamming is usually not effective for broadband systems How about the broadband system ? Jammer Affect area 802.11n: 40 MHz 802.11ac/ax: 160 MHz Signal Frequency
JAMMING ATTACKS • Traditional: jammer cannot disrupt signals beyond its covered bandwidth NOT always hold in OFDM(A (A) systems !! 802.11ax 4G, 5G
OFDMA • OFDMA --- spectrum is split into multiple orthogonal subcarriers --- assigns a part of subcarriers to each user Subcarriers User 1 User 2 AP User 3
OFDMA • OFDMA Receiver (at the AP) Y Y Y Y 2 3 4 1 A/D and S/P FFT π − j 2 ni N 1 1 − ∑ = N Y S e n i N = 0 i frequency Sampling points Fact 1: Fact 2: Frequency-domain signals are on all subcarriers system is susceptible to the frequency drift are orthogonal to each other
ATTACK Orthogonality-Sabotaging Attacks • Key idea: – Use a narrowband jamming signal to disrupt the broadband OFDMA based system • Methodology: – Intentionally transmits a jamming signal with unaligned central frequency to other subcarriers, to break the orthogonality. • Two goals: • Understand its impact • Detect and localize the attack
ATTACK • Attack with no frequency offset Interference Jammer frequency
ATTACK • Attack with frequency offset Jammer frequency Frequency offset Interference
ATTACK STRATEGIES • Strategies – Exact subcarrier jamming no offset – Continuous-subcarrier attack same offset – Scattered subcarrier attack different offsets Power Exact subcarrier Continuous- Scattered- jamming subcarrier attack subcarrier attack Subcarrier Index 1 2 3 4 5 6 7 8 9 10 11 12 User 1 User 2 User 3
EXPERIMENTS • Experimental setup --- USRP X300s with CBX daughterboards --- 8 USRPs are users, 1 USRP is AP, and 1 USRP is attacker --- Use Linksys EA8500 as the commercial AP (802.11ac) • Parameters setting (802.11ax) --- 245 subcarriers --- attacker user 18 subcarriers --- each user occupies 26 subcarriers
EXPERIMENTS • Indoor environment • Metrics – Bit error rate (BER) – Packet drop rate – Normalized throughput
802.11AX NETWORK • Varying frequency offset 9 Continuous Scattered 8 Bit error rate (%) 7 6 5 -0.5 -0.3 -0.1 0.1 0.3 0.5 Frequency shift BER reaches the maximum at |0.5| bandwidth of subcarrier
802.11AX NETWORK • Varying modulation scheme 50 50 50 BPSK BPSK QPSK BPSK QPSK 40 40 40 16QAM 30 30 30 Bit error rate (%) Bit error rate (%) Bit error rate (%) 20 20 20 10 10 10 0 0 0 50 75 100 125 150 175 200 50 50 75 75 100 100 125 125 150 150 175 175 200 200 Subcarrier index Subcarrier index Subcarrier index Attack can disrupt the signal with up to a bandwidth 500% broader than its own bandwidth
802.11AX NETWORK • Impact on users 100 Continuous Scattered 80 Packet drop rate (%) 60 40 20 0 1 2 3 4 5 6 7 8 User index Attack can affect up to 5 users using a single user’s bandwidth
802.11AC NETWORK • Impact on commercial AP (Linksys EA8500) 10 2 Continuous Scattered Narrowband Normalized throughput (%) 10 0 10 -2 0 10 20 30 40 50 Bandwidth occupation ratio (%) Orthogonality-Sabotaging Attacks are more efficient
IDENTIFICATION AND LOCALIZATION How to identify and localize such attacks ?
IDENTIFICATION AND LOCALIZATION • Spectrum analysis Outlier 21 20 Power 19 Frequency 2.4 GHz
IDENTIFICATION AND LOCALIZATION • Spectrum analysis Outliers 21 20 Power 19 Hard to say which one is from Frequency (2.4 GHz) attacks or random fading.
IDENTIFICATION AND LOCALIZATION • virtual subcarriers --- serves as the guard zones to protect interferences between users … …… Subcarrier Index User K-1 User 1 User 2 User K Virtual Subcarrier --- carry no information with 0 power, so … A positive measurement of power can be only due to noise or jamming interference.
IDENTIFICATION AND LOCALIZATION • Given measurements on virtual subcarriers, we can do … Localization Identification Find the locations of Identify the attack is: subcarriers where Broadband jamming • attacker occupy • Orthogonality sabotaging attack • Exact subcarrier jamming
LOCALIZATION • Localization Jammer measurement Φ 3 Subcarrier Index 1 2 3 4 5 User 2 Virtual User 1 subcarrier
LOCALIZATION • Localization Offset ε a sinc function [ ] Φ = π + ε 2 P sin c((3-1) ) 3 Power P Subcarrier Index 1 3 Location
IDENTIFICATION • Identification – Broadband-like jamming – Orthogonality sabotaging attack – Exact subcarrier jamming SNR Broadband Jamming Orthogonality- sabotaging Subcarrier Jamming 1 2 3 4 5 6 7 8 9 10 Virtual Subcarrier
ATTACK LOCALIZATION • Localization error 0.5 0.4 Continuous 0.3 Localization error Scattered 0.2 0.1 0 1 2 3 4 5 Location index Localization error is as low as 0.1–0.45 subcarrier spacing.
ATTACK IDENTIFICATION • Identification accuracy Orth. - Sab Broad. - like Exact - sub. Iden. as Orth. - Sab 92.99% 2.4% 0.2% Iden. as Broad. - like 2.62% 98.6% 0.0% Iden. as Exact - sub. 4.39% 0.0% 99.8% The overall accuracy is no less than 92% under different attacks
SUMMARY • Orthogonality-Sabotaging attacks are very efficient. – is orthogonal to recent smart jamming strategies (e.g., jamming preambles) • The localization and identification methods achieve a high accuracy.
SUMMARY Thank you !
Recommend
More recommend
