WINLAB Rutgers, The State University of New Jersey - PowerPoint PPT Presentation

Jamming MIMO Communications Jamming MIMO Communications WINLAB Rutgers, The State University of New Jersey www.winlab.rutgers.edu Contact: Rob Miller rdmiller@winlab.rutgers.edu

So just what is this guy talking about? So just what is this guy talking about? � Multi-Input Multi-Output (MIMO) Overview � Channel State Information (CSI) � MIMO Channel Capacity � Jamming Results and Observations – Singular Value Decomposition (SVD)-based MIMO – Alamouti Space-Time Block Code (STBC) � Conclusions and Questions WINLAB [2]

Introducing the MIMO channel… … Introducing the MIMO channel •Alice sends x using n t transmit antennas •Bob sees r with n r receive antennas r = H x + n where, H is n r by n t channel matrix n is additive channel noise Alice Bob WINLAB [3]

Three main sub- -categories of MIMO exist categories of MIMO exist… … Three main sub � Spatial Multiplexing – Low-rate streams are created from a high-rate signal and transmitted from different antennas – Does not always require Channel State Information (CSI) – Can be combined with Pre-coding or Diversity Coding � Pre-coding – Ranges from multi-layer beamforming to all spatial processing – Requires CSI at the transmitter � Diversity Coding – Includes space-time coding (STC) techniques – Does not require CSI at the transmitter WINLAB [4]

Most MIMO schemes involve some level of Most MIMO schemes involve some level of Channel State Information (CSI). Channel State Information (CSI). � Channel State Information is utilized by the transmitter, the receiver, or both. – Bob to Alice – Alice to Bob M – Alice to Bob and then back ◆ estim ation Alice Bob ◆ m essaging � 802.11n packet structure lets Bob estimate the CSI. WINLAB [5]

Attacking only the CSI procedure is efficient, Attacking only the CSI procedure is efficient, effective, and covert. effective, and covert. CSI Training Sequences (TS) are shorter than data transmissions � Efficient Jamming only during the CSI is energy conservative � Effective Jamming the CSI causes errors in decoding the data � Covert Jamming only the CSI is more inconspicuous TS Data time Eve WINLAB [6]

A commonly studied MIMO technique A commonly studied MIMO technique is SVD- -based MIMO. based MIMO. is SVD H = U ΣV H � Recall, the SVD of H yields U and V are the left and right singular vectors Singular values found in diag( ∑ ) � Bob and Alice compute the SVD r= H V x + n V x – Alice transmits ( Vx ) – Bob receives r , H and operates on it with ( U H ) U H r d = U H H V x + U H n = Alice Bob U H U ΣV H V x + U H n = Σx + U H n = Results in min(n r , n t ) parallel SISO channels WINLAB [7]

SVD- -based MIMO can achieve capacity by based MIMO can achieve capacity by SVD waterfilling over the best channel over the best channel eigenmodes eigenmodes. . waterfilling � Mutual Information n r + ρH Q H H ] I ( H , Q )= l og 2 ( de t ( [ I ) ) � Maximization: Q ⋆ = V di n }V H ag{p ⋆ p ⋆ 1 , . . . , waterfilling � Capacity: n � 1+ ρp ⋆ C ( H )= l og 2 [ k λ k ] k= 1 � Power Distribution: μ 1 p ⋆ + k = ( μ − ) ρλ k � n k= 1 p ⋆ k = P , where Power Constraint WINLAB [8]

Jamming SVD- -based MIMO is complicated based MIMO is complicated Jamming SVD as there are many degrees of freedom. as there are many degrees of freedom. The rabbit hole deepens… � CSI knowledge: – Perfect, Estimated, None � Perturbation Ability: – Perfect, Estimated, Random � Target: – Alice, Bob, Alice and Bob � Equipment: – Single/Multiple antenna – Power constraints (J/S) General CSI jamming WINLAB [9]

With ample control, Eve may force Alice and With ample control, Eve may force Alice and Bob to perform opposite waterfilling waterfilling. . Bob to perform opposite � Eve can force opposite waterfilling – Compute the SVD of H H = U ΣV H – Reverse the singular values σ i = σ n− i ˆ – Reconstruct the new channel H = U ˆ ˆ ΣV H – Disseminate the new info ˆ H Alice and Bob use WINLAB [10]

Without CSI or complete RF control, Eve can Without CSI or complete RF control, Eve can still effectively jam SVD- -based MIMO. based MIMO. still effectively jam SVD � Random perturbations of H make small singular values larger � If Alice and Bob use the same estimate σ 1 ˆ σ 1 – Emphasize a physical channel to create a random channel σ 2 ◆ Pow er, on average , w ill em pty uniform ly into the actual eigenm odes of the channel � If Alice and Bob use independent estimates – Emphasize different physical channels to create two random channels ◆ Alice pre-codes w ith right singular vectors that do not pair w ith the left singular vectors that Bob uses for decoding WINLAB [11]

Another popular MIMO scheme is the Alamouti Alamouti Another popular MIMO scheme is the Space- -Time Block Code (STBC). Time Block Code (STBC). Space � The Alamouti STBC is included in 802.11n, WiMax, and 3GPP � Analyze the 2 by 1 STBC vulnerabilities – 2 transmit antennas – 1 receive antenna � Extend results to 2 by 2 STBC and beyond WINLAB [12]

The Alamouti Alamouti 2 by 1 STBC is essentially a 2 by 1 STBC is essentially a The spatial repeater with a decoding trick. spatial repeater with a decoding trick. � Spatial repeater w/decoding trick – Alice has 2 transmit antennas – Bob has 1 receive antenna * -c 2 c 1 h 1 h 2 * c 1 c 2 Symbol Period 2, Bob receives: Symbol Period 1, Bob receives: ∗ ∗ c 1 c 2 r 1 = c 1 h 1 + c 2 h 2 + n 1 r 2 = − c 2 h 1 + c 1 h 2 + n 1 WINLAB [13]

The Alamouti Alamouti 2 by 1 STBC is essentially a 2 by 1 STBC is essentially a The spatial repeater with a decoding trick. spatial repeater with a decoding trick. � Over both symbol periods, Bob receives: r = G c+ n � h 1 � h 2 G = h ∗ − h ∗ 2 1 � n 1 � � c � 1 n = c = n ∗ c 2 2 � r � 1 r = ∗ r 2 WINLAB [14]

The Alamouti Alamouti 2 by 1 STBC is essentially a 2 by 1 STBC is essentially a The spatial repeater with a decoding trick. spatial repeater with a decoding trick. � Bob decodes by selecting the symbol-tuple that minimizes the decoding metric: G H r− αˆ 2 d = | c| G H ( 2 = | G c+ n)− αˆ c| G H G c+ G H n − αˆ 2 = | c| αc+ G H n − αˆ 2 = | c| c)+ G H n| 2 = | α( c− ˆ G H G = αI Note: 2 2 + | 2 α = | h 1 | h 2 | WINLAB [15]

We investigate the impact of jamming the We investigate the impact of jamming the channel estimate for the Alamouti Alamouti 2 by 1 STBC. 2 by 1 STBC. channel estimate for the ˆ � Eve jams: G → G � Bob now selects the symbol-tuple that minimizes the jammed decoding metric: H r− ˆ |ˆ 2 αˆ d J = G c| Eve’s goal H ( |ˆ 2 = G G c+ n)− ˆ αˆ c| Maximize d J for H ( |ˆ G c+ n − ˆ 2 G ˆ = G c) | the proper H ( H n| symbol-tuple, |ˆ G c− ˆ c)+ ˆ 2 = G G ˆ G minimize it 2 + | otherwise Note: ˆ ˆ 2 α = | ˆ h 1 | h 2 | WINLAB [16]

Forcing minimization for the Alamouti Alamouti 2 by 1 2 by 1 Forcing minimization for the STBC can be done in multiple ways. STBC can be done in multiple ways. � Metric minimization occurs decoding metric H ) when G c− ˆ c)∈ N (ˆ G ˆ ( G H r− ˆ |ˆ – 2 interesting cases: 2 αˆ d J = G c| H ( H = 0 |ˆ (1) 2 ˆ = G G c+ n)− ˆ αˆ c| G Not covert H ( |ˆ G c+ n − ˆ 2 (2) G c− ˆ = G G ˆ c) | G ˆ c = 0 H ( H n| |ˆ G c− ˆ c)+ ˆ 2 = G G ˆ G � Notable Attacks – Selective Symbol Jamming Force Bob to decode sym bol-tuples Eve desires! – Oscillating Channel Inversion Attack Guaranteed jam m ing perform ance w ith no CSI! WINLAB [17]

With ample control, Eve can force Bob to With ample control, Eve can force Bob to decode the symbol- -tuples tuples that she desires. that she desires. decode the symbol � Selective Symbol Jamming – Eve chooses: ˆ c Σ − 1 c U H G = G cV ˆ ˆ c ˆ c V H ˆ c = U ˆ c Σ ˆ where ˆ c BPSK Example using h = [7 -8] Eve’s goal: Make Bob decode c(1) not c(0). But, jamming also affects the other transmitted symbol tuples. WINLAB [18]

With ample control, Eve can force Bob to With ample control, Eve can force Bob to decode the symbol- -tuples tuples that she desires. that she desires. decode the symbol � � � Selective Symbol Jamming a b ˆ – But, the format of G may be constrained: G = ∗ − a ∗ b – Viable solutions still exist. BPSK Example using h = [7 -8] Eve’s goal: Make Bob decode c(1) not c(0). Now use: ˆ h = [ − 7− 8] WINLAB [19]

Without CSI or complete RF control, Eve can Without CSI or complete RF control, Eve can still effectively jam the Alamouti Alamouti STBC. STBC. still effectively jam the � Optimal Jamming Region is constellation specific � Oscillating Channel Inversion Attack – For single antenna using QPSK, P( Ω ) = ¾ (when J/S >> 0 dB) – Oscillating by 180 guarantees jamming region penetration Single Antenna Jamming Region Dual Antenna Jamming Region FSM J/S >> 0 dB WINLAB [20]