Orthogonality-Sabotaging Attacks against OFDMA-based Wireless - - PowerPoint PPT Presentation

Shangqing Zhao, Zhuo Lu, Zhengping Luo, Yao Liu University of South Florida

Orthogonality-Sabotaging Attacks against OFDMA-based Wireless Networks

OUTLINE

• Background
• Attack Strategy and Evaluation

– Motivation of orthogonality sabotaging – Experimental Evaluation

• Identification and Detection
• Conclusion

JAMMING ATTACKS

• Jamming attacks

JAMMING ATTACKS

• Jamming attacks
• -- broadcast nature of wireless signals

Frequency

AP User Attacker

Signal Jammer

Jamming attack works well against narrowband systems

JAMMING ATTACKS

• Traditional: jammer cannot disrupt signals beyond its

covered bandwidth

Frequency Signal Jammer

How about the broadband system ?

802.11n: 40 MHz 802.11ac/ax: 160 MHz

Narrow-band jamming is usually not effective for broadband systems

Affect area

JAMMING ATTACKS

• Traditional: jammer cannot disrupt signals beyond its

covered bandwidth

NOT always hold in OFDM(A (A) systems !!

4G, 5G 802.11ax

OFDMA

• OFDMA
• -- spectrum is split into multiple orthogonal subcarriers
• -- assigns a part of subcarriers to each user

Subcarriers

AP

User 1 User 2 User 3

OFDMA

• OFDMA Receiver (at the AP)

A/D and S/P FFT

frequency Sampling points

Fact 2: system is susceptible to the frequency drift

2 1

1

j ni N N n i i

Y S e N

π − − =

=

∑

1

Y

2

Y

4

Y

3

Y

Fact 1: Frequency-domain signals are on all subcarriers are orthogonal to each other

ATTACK

Orthogonality-Sabotaging Attacks

• Key idea:

– Use a narrowband jamming signal to disrupt the broadband OFDMA based system

• Methodology:

– Intentionally transmits a jamming signal with unaligned central frequency to other subcarriers, to break the

• rthogonality.
• Two goals:
• Understand its impact
• Detect and localize the attack

ATTACK

• Attack with no frequency offset

frequency Jammer Interference

ATTACK

• Attack with frequency offset

frequency Jammer Interference Frequency offset

ATTACK STRATEGIES

• Strategies

– Exact subcarrier jamming – Continuous-subcarrier attack – Scattered subcarrier attack

Subcarrier Index Power 1 2 3 4 5 6 7 8 9 10 11 12 User 1 User 2 User 3

Exact subcarrier jamming Continuous- subcarrier attack Scattered- subcarrier attack

no offset same offset different offsets

EXPERIMENTS

• Experimental setup
• -- USRP X300s with CBX daughterboards
• -- 8 USRPs are users, 1 USRP is AP, and 1 USRP is attacker
• -- Use Linksys EA8500 as the commercial AP (802.11ac)
• Parameters setting (802.11ax)
• -- 245 subcarriers
• -- attacker user 18 subcarriers
• -- each user occupies 26 subcarriers

EXPERIMENTS

• Indoor environment
• Metrics

– Bit error rate (BER) – Packet drop rate – Normalized throughput

802.11AX NETWORK

• Varying frequency offset
• 0.5
• 0.3
• 0.1

0.1 0.3 0.5 Frequency shift 5 6 7 8 9 Bit error rate (%) Continuous Scattered

BER reaches the maximum at |0.5| bandwidth of subcarrier

802.11AX NETWORK

• Varying modulation scheme

Attack can disrupt the signal with up to a bandwidth 500% broader than its own bandwidth

50 75 100 125 150 175 200 Subcarrier index 10 20 30 40 50 Bit error rate (%) BPSK 50 75 100 125 150 175 200 Subcarrier index 10 20 30 40 50 Bit error rate (%) BPSK QPSK 50 75 100 125 150 175 200 Subcarrier index 10 20 30 40 50 Bit error rate (%) BPSK QPSK 16QAM

802.11AX NETWORK

• Impact on users

Attack can affect up to 5 users using a single user’s bandwidth

1 2 3 4 5 6 7 8 User index 20 40 60 80 100 Packet drop rate (%) Continuous Scattered

802.11AC NETWORK

• Impact on commercial AP (Linksys EA8500)

Orthogonality-Sabotaging Attacks are more efficient

10 20 30 40 50 Bandwidth occupation ratio (%) 10 -2 10 0 10 2 Normalized throughput (%) Continuous Scattered Narrowband

IDENTIFICATION AND LOCALIZATION

How to identify and localize such attacks ?

IDENTIFICATION AND LOCALIZATION

• Spectrum analysis

Frequency 2.4 GHz 19 20 21 Power

Outlier

IDENTIFICATION AND LOCALIZATION

• Spectrum analysis

Frequency (2.4 GHz)

19 20 21

Power Outliers

Hard to say which one is from attacks or random fading.

• virtual subcarriers
• -- serves as the guard zones to protect interferences between users
• -- carry no information with 0 power, so …

Subcarrier Index User 2

……

User 1 User K-1 User K

…

Virtual Subcarrier

IDENTIFICATION AND LOCALIZATION

A positive measurement of power can be only due to noise or jamming interference.

IDENTIFICATION AND LOCALIZATION

• Given measurements on virtual subcarriers, we

can do …

Localization Identification Find the locations of subcarriers where attacker occupy Identify the attack is:

• Broadband jamming
• Orthogonality sabotaging attack
• Exact subcarrier jamming

LOCALIZATION

Jammer Subcarrier Index 1 2 3 4 5 User 1 User 2 Virtual subcarrier measurement

3

Φ

• Localization

LOCALIZATION

Subcarrier Index 1 3 a sinc function

[ ]

2 3

sin c((3-1) ) P π ε Φ = +

Offset ε Power P Location

• Localization

IDENTIFICATION

• Identification

– Broadband-like jamming – Orthogonality sabotaging attack – Exact subcarrier jamming

Virtual Subcarrier

1 2 3 4 5 6 7 8 9 10

SNR Broadband Jamming Orthogonality- sabotaging Subcarrier Jamming

ATTACK LOCALIZATION

• Localization error

Localization error is as low as 0.1–0.45 subcarrier spacing.

1 2 3 4 5 Location index 0.1 0.2 0.3 0.4 0.5 Localization error Continuous Scattered

ATTACK IDENTIFICATION

• Identification accuracy

The overall accuracy is no less than 92% under different attacks

• Orth. - Sab
• Broad. - like

Exact - sub.

• Iden. as Orth. - Sab

92.99% 2.4% 0.2%

• Iden. as Broad. - like

2.62% 98.6% 0.0%

• Iden. as Exact - sub.

4.39% 0.0% 99.8%

SUMMARY

• Orthogonality-Sabotaging attacks are very efficient.

– is orthogonal to recent smart jamming strategies (e.g., jamming preambles)

• The localization and identification methods achieve a

high accuracy.

SUMMARY

Thank you !