WINLAB Rutgers, The State University of New Jersey - - PowerPoint PPT Presentation

winlab
SMART_READER_LITE
LIVE PREVIEW

WINLAB Rutgers, The State University of New Jersey - - PowerPoint PPT Presentation

Mar 09, 2024 211 likes •494 views

Jamming MIMO Communications Jamming MIMO Communications WINLAB Rutgers, The State University of New Jersey www.winlab.rutgers.edu Contact: Rob Miller rdmiller@winlab.rutgers.edu So just what is this guy talking about? So just what is this

slide-1
SLIDE 1

Jamming MIMO Communications Jamming MIMO Communications

Rutgers, The State University of New Jersey www.winlab.rutgers.edu Contact: Rob Miller rdmiller@winlab.rutgers.edu

WINLAB

slide-2
SLIDE 2

[2]

WINLAB

So just what is this guy talking about? So just what is this guy talking about?

Multi-Input Multi-Output (MIMO) Overview Channel State Information (CSI) MIMO Channel Capacity Jamming Results and Observations

– Singular Value Decomposition (SVD)-based MIMO – Alamouti Space-Time Block Code (STBC)

Conclusions and Questions

slide-3
SLIDE 3

[3]

WINLAB

Introducing the MIMO channel Introducing the MIMO channel… …

where, H is nr by nt channel matrix n is additive channel noise

  • Alice sends x

using nt transmit antennas

  • Bob sees r

with nr receive antennas

Alice Bob

r = H x + n

slide-4
SLIDE 4

[4]

WINLAB

Three main sub Three main sub-

  • categories of MIMO exist

categories of MIMO exist… …

Spatial Multiplexing

– Low-rate streams are created from a high-rate signal and transmitted from different antennas – Does not always require Channel State Information (CSI) – Can be combined with Pre-coding or Diversity Coding

Pre-coding

– Ranges from multi-layer beamforming to all spatial processing – Requires CSI at the transmitter

Diversity Coding

– Includes space-time coding (STC) techniques – Does not require CSI at the transmitter

slide-5
SLIDE 5

[5]

WINLAB

Most MIMO schemes involve some level of Most MIMO schemes involve some level of Channel State Information (CSI). Channel State Information (CSI).

Channel State Information is utilized by the

transmitter, the receiver, or both.

– Bob to Alice – Alice to Bob – Alice to Bob and then back

◆ estim ation ◆ m essaging

802.11n packet structure lets Bob estimate the CSI.

Alice Bob

M

slide-6
SLIDE 6

[6]

WINLAB

Attacking only the CSI procedure is efficient, Attacking only the CSI procedure is efficient, effective, and covert. effective, and covert.

CSI Training Sequences (TS) are shorter than data transmissions

Efficient

Jamming only during the CSI is energy conservative

Effective

Jamming the CSI causes errors in decoding the data

Covert

Jamming only the CSI is more inconspicuous

TS Data

time Eve

slide-7
SLIDE 7

[7]

WINLAB

A commonly studied MIMO technique A commonly studied MIMO technique is SVD is SVD-

  • based MIMO.

based MIMO.

Recall, the SVD of H yields

U and V are the left and right singular vectors

Singular values found in diag(∑)

Bob and Alice compute the SVD

– Alice transmits (Vx) – Bob receives r, and operates on it with (UH)

Results in min(nr , nt ) parallel SISO channels

d = U H r = U H H V x + U H n = U H U ΣV H V x + U H n = Σx + U H n

H = U ΣV H r= H V x + n

Alice Bob

V x H

slide-8
SLIDE 8

[8]

WINLAB

SVD SVD-

  • based MIMO can achieve capacity by

based MIMO can achieve capacity by waterfilling waterfilling over the best channel

  • ver the best channel eigenmodes

eigenmodes. .

Mutual Information Maximization: Capacity: Power Distribution:

I ( H , Q )= l

  • g2(

de t ( [ I

nr + ρH Q H H ]

) ) Q ⋆ = V di ag{p⋆

1,

. . . , p⋆

n}V H

C ( H )=

n

  • k= 1

l

  • g2[

1+ ρp⋆

kλk]

p⋆

k = (

μ − 1 ρλk )

+

, where Power Constraint

n

k= 1 p⋆ k = P

μ

waterfilling

slide-9
SLIDE 9

[9]

WINLAB

Jamming SVD Jamming SVD-

  • based MIMO is complicated

based MIMO is complicated as there are many degrees of freedom. as there are many degrees of freedom.

The rabbit hole deepens…

CSI knowledge:

– Perfect, Estimated, None

Perturbation Ability:

– Perfect, Estimated, Random

Target:

– Alice, Bob, Alice and Bob

Equipment:

– Single/Multiple antenna – Power constraints (J/S) General CSI jamming

slide-10
SLIDE 10

[10]

WINLAB

With ample control, Eve may force Alice and With ample control, Eve may force Alice and Bob to perform opposite Bob to perform opposite waterfilling waterfilling. .

Eve can force opposite waterfilling

– Compute the SVD of H – Reverse the singular values – Reconstruct the new channel – Disseminate the new info

Alice and Bob use

H = U ΣV H

ˆ σi = σn− i

ˆ H = U ˆ ΣV H ˆ H

slide-11
SLIDE 11

[11]

WINLAB

Without CSI or complete RF control, Eve can Without CSI or complete RF control, Eve can still effectively jam SVD still effectively jam SVD-

  • based MIMO.

based MIMO.

Random perturbations of H make small singular values larger If Alice and Bob use the same estimate

– Emphasize a physical channel to create a random channel

◆ Pow er, on average, w ill em pty

uniform ly into the actual eigenm odes

  • f the channel

If Alice and Bob use independent estimates

– Emphasize different physical channels to create two random channels

◆ Alice pre-codes w ith right singular vectors

that do not pair w ith the left singular vectors that Bob uses for decoding

σ1 σ2

ˆ σ1

slide-12
SLIDE 12

[12]

WINLAB

Another popular MIMO scheme is the Another popular MIMO scheme is the Alamouti Alamouti Space Space-

  • Time Block Code (STBC).

Time Block Code (STBC).

The Alamouti STBC is included in 802.11n, WiMax, and 3GPP Analyze the 2 by 1 STBC vulnerabilities

– 2 transmit antennas – 1 receive antenna

Extend results to 2 by 2 STBC and beyond

slide-13
SLIDE 13

[13]

WINLAB

The The Alamouti Alamouti 2 by 1 STBC is essentially a 2 by 1 STBC is essentially a spatial repeater with a decoding trick. spatial repeater with a decoding trick.

Spatial repeater w/decoding trick

– Alice has 2 transmit antennas – Bob has 1 receive antenna

c1 c2

c1 c2

  • c2

*

c1

*

r

1 = c 1h1 + c 2h2 + n1

Symbol Period 1, Bob receives: Symbol Period 2, Bob receives:

r

2 = − c ∗ 2h1 + c ∗ 1h2 + n1

h1 h2

slide-14
SLIDE 14

[14]

WINLAB

The The Alamouti Alamouti 2 by 1 STBC is essentially a 2 by 1 STBC is essentially a spatial repeater with a decoding trick. spatial repeater with a decoding trick.

Over both symbol periods, Bob receives:

r = r

1

r

∗ 2

  • G =

h1 h2 h∗

2

− h∗

1

  • c =

c

1

c

2

  • n =

n1 n∗

2

  • r = G c+ n
slide-15
SLIDE 15

[15]

WINLAB

The The Alamouti Alamouti 2 by 1 STBC is essentially a 2 by 1 STBC is essentially a spatial repeater with a decoding trick. spatial repeater with a decoding trick.

Bob decodes by selecting the symbol-tuple

that minimizes the decoding metric:

d = | G H r− αˆ c|

2

= | G H ( G c+ n)− αˆ c|

2

= | G H G c+ G H n − αˆ c|

2

= | αc+ G H n − αˆ c|

2

= | α( c− ˆ c)+ G H n|

2

G H G = αI

2

α = | h1|

2 + |

h2|

2

Note:

slide-16
SLIDE 16

[16]

WINLAB

We investigate the impact of jamming the We investigate the impact of jamming the channel estimate for the channel estimate for the Alamouti Alamouti 2 by 1 STBC. 2 by 1 STBC.

Eve jams: Bob now selects the symbol-tuple that

minimizes the jammed decoding metric:

dJ = |ˆ G

H r− ˆ

αˆ c|

2

= |ˆ G

H (

G c+ n)− ˆ αˆ c|

2

= |ˆ G

H (

G c+ n − ˆ G ˆ c) |

2

= |ˆ G

H (

G c− ˆ G ˆ c)+ ˆ G

H n| 2

ˆ α = | ˆ h1|

2 + |

ˆ h2|

2

Eve’s goal Maximize dJ for the proper symbol-tuple, minimize it

  • therwise

G → ˆ G

Note:

slide-17
SLIDE 17

[17]

WINLAB

Forcing minimization for the Forcing minimization for the Alamouti Alamouti 2 by 1 2 by 1 STBC can be done in multiple ways. STBC can be done in multiple ways.

Metric minimization occurs

when

– 2 interesting cases: (1) (2)

Notable Attacks

– Selective Symbol Jamming

Force Bob to decode sym bol-tuples Eve desires!

– Oscillating Channel Inversion Attack

Guaranteed jam m ing perform ance w ith no CSI! ˆ G

H = 0

G c− ˆ G ˆ c = 0

Not covert

( G c− ˆ G ˆ c)∈ N (ˆ G

H )

dJ = |ˆ G

H r− ˆ

αˆ c|

2

= |ˆ G

H (

G c+ n)− ˆ αˆ c|

2

= |ˆ G

H (

G c+ n − ˆ G ˆ c) |

2

= |ˆ G

H (

G c− ˆ G ˆ c)+ ˆ G

H n| 2

decoding metric

slide-18
SLIDE 18

[18]

WINLAB

With ample control, Eve can force Bob to With ample control, Eve can force Bob to decode the symbol decode the symbol-

  • tuples

tuples that she desires. that she desires.

Selective Symbol Jamming

– Eve chooses:

ˆ G = G cV ˆ

cΣ − 1 ˆ c U H ˆ c

ˆ c = U ˆ

cΣ ˆ cV H ˆ c

where

BPSK Example using h = [7 -8]

Eve’s goal: Make Bob decode c(1) not c(0). But, jamming also affects the

  • ther transmitted symbol tuples.
slide-19
SLIDE 19

[19]

WINLAB

With ample control, Eve can force Bob to With ample control, Eve can force Bob to decode the symbol decode the symbol-

  • tuples

tuples that she desires. that she desires.

Selective Symbol Jamming

– But, the format of G may be constrained: – Viable solutions still exist.

BPSK Example using h = [7 -8]

Eve’s goal: Make Bob decode c(1) not c(0).

ˆ G =

  • a

b b

− a∗

  • ˆ

h = [ − 7− 8] Now use:

slide-20
SLIDE 20

[20]

WINLAB

Without CSI or complete RF control, Eve can Without CSI or complete RF control, Eve can still effectively jam the still effectively jam the Alamouti Alamouti STBC. STBC.

Optimal Jamming Region is

constellation specific

Oscillating Channel Inversion Attack

– For single antenna using QPSK, P(Ω) = ¾ (when J/S >> 0 dB) – Oscillating by 180 guarantees jamming region penetration

J/S >> 0 dB Single Antenna Jamming Region Dual Antenna Jamming Region FSM

slide-21
SLIDE 21

[21]

WINLAB

The oscillating channel inversion attack was The oscillating channel inversion attack was successful in a real successful in a real-

  • world experiment.

world experiment.

– GNU Radio/USRP

◆ Alam outi 2 by 1 STBC

  • 1800 MHz
  • 12 QPSK symbols @12.5 kBd

– Arbitrary Waveform Generator

◆ Increm ental 90 degrees per attack

J/S ~ 10 dB Symbol Error Rate 0.65

slide-22
SLIDE 22

[22]

WINLAB

Attacking the CSI Procedure in MIMO Attacking the CSI Procedure in MIMO Systems is viable, effective, and efficient. Systems is viable, effective, and efficient.

CSI plays an important role in most MIMO systems. Jamming the CSI represents a powerful point of attack

– SVD-based MIMO – Alamouti STBC

◆ Real w orld experim entation using 2 by 1 STBC ◆ Extensions to higher order antenna constellations straightforw ard

slide-23
SLIDE 23

[23]

WINLAB

Questions & Comments? Questions & Comments?

slide-24
SLIDE 24

[24]

WINLAB

Extra Slides Follow Extra Slides Follow

slide-25
SLIDE 25

[25]

WINLAB

slide-26
SLIDE 26

[26]

WINLAB

Jamming SVD Jamming SVD-

  • based MIMO

based MIMO

Unknown E can be a serious problem

– SVD is non-continous function: – Only of concern for close singular values…

H = 1 1+ ǫ

  • E =

ǫ ǫ − ǫ

  • ˆ

H = H + E = 1 ǫ ǫ 1

  • V =

1 1

  • ˆ

V = 1 √ 2 1 1 1 − 1

  • SVD

45° shift in eigenvector space!

slide-27
SLIDE 27

[27]

WINLAB

Jamming SVD Jamming SVD-

  • based MIMO

based MIMO

Close singular values in real-world channels? Consider a Rayleigh Fading MIMO channel

– Uncorrelated Antenna elements – Singular values are roots of the eigenvalues

  • f the central Wishart

matrix: – Ordered eigenvalue distribution follows:

,where and

W = H H H p( λ1, λ2, . . . , λn)= K

n

  • i

= 1

e

− λiλ( m − n) i

·

n

  • i

< j

( λi− λj)

2

K = π(

n( n− 1) )

Γ( m ) Γ( n) Γn( a)= π(

n(n− 1) /2) n

  • i

= 1

( a − i ) !

slide-28
SLIDE 28

[28]

WINLAB

2 4 6 8 10 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 Eigenvalue Distance Probability mean min

Jamming SVD Jamming SVD-

  • based MIMO

based MIMO

Close singular values in real-world channels? Rayleigh 3x4

3 Eigenvalues

Not probable

Reliable bounding:

| σk( H + E )− σk( H ) |≤ σ1( E )= E 2

n

  • k= 1

( σk( H + E )− σk( H ) )

2 ≤ E 2 F