Pilot Contamination Attack Research Articles

Physical-Layer Security in TDD Massive MIMO

We consider a single-cell downlink time-division duplex-based massive MIMO communication in the presence of an adversary capable of jamming and eavesdropping simultaneously. We show that the massive MIMO communication is naturally resilient to no training-phase jamming attack in which the adversary jams only the data communication and eavesdrops both the data communication and the training. Specifically, we show that the secure degrees of freedom (SDoF) attained in the presence of such an attack are identical to the maximum DoF attainable under no attack. Furthermore, we evaluate the number of base station (BS) antennas necessary in order to establish information theoretic security without even a need for Wyner encoding for a given rate of information leakage to the attacker. Next, we show that things are completely different once the adversary starts jamming the training phase. Specifically, we consider the pilot contamination attack, called training-phase jamming in which the adversary jams and eavesdrops both the training and the data communication. We show that under such an attack, the maximum achieved SDoF is identical to zero. Furthermore, the maximum achievable secure rates of users also vanish, even in the asymptotic regime in the number of the BS antennas. We finally address this attack and show that, under training-phase jamming , if the number of pilot signals is scaled in a certain way and the pilot signal assignments can be hidden from the adversary, the users achieve an SDoF identical to the maximum achievable DoF under no attack.

Secrecy Rate Analysis for Pilot Contamination Attacks in Massive MIMO With Limited RF Chains

Pilot contamination attacks in training-based massive multiple-input multiple-output systems with limited radio-frequency chains are investigated. A lower bound for the achievable secrecy rate in the presence of a multi-antenna active eavesdropper is derived in closed-form. Thereby, the secrecy rate loss due to the active attacks over the passive eavesdropping is quantified. Moreover, the secrecy rate loss due to hybrid precoding over the full-dimensional digital precoding is derived.

Detection of Pilot Contamination Attack based on Uncoordinated Frequency Shifts

Pilot contamination attack is an important activity of active eavesdropping conducted by a malicious user during channel training phase. This attack is potentially harmful to the physical layer security. In this paper, motivated by the fact that frequency asynchronism could introduce divergence of the transmitted pilot signals between intended user and attacker, we propose a new uncoordinated frequency shift (UFS) scheme for detecting pilot contamination attack in multiple antenna system. During the reverse training phase of the UFS scheme, the legitimate user Bob deliberately introduces multiple random frequency shifts in the publicly known pilot sequence. Since eavesdropper Eve has no knowledge of these random frequency shifts, it is almost impossible for her to pretend exactly like Bob. This provides the opportunity to detect the presence of Eve. An attack detection algorithm is then developed based on source enumeration method. Both the asymptotic performance analysis and numerical results are provided to verify the proposed detection scheme. The proposed scheme is also enhanced based on noise power estimation to cope with attacks from a multi-antenna Eve. Furthermore, the proposed UFS scheme is extended by introducing general parameterized phase shifts. It is demonstrated that the proposed UFS scheme can achieve comparable detection performance as the existing superimposed random sequence based scheme, without sacrifice of legitimate channel estimation performance.

Pilot Spoofing Attack Detection and Countermeasure

In a time-division duplex multiple antenna system, the channel state information can be estimated using reverse training. A pilot spoofing (contamination) attack occurs when during the training phase, an adversary (spoofer) also sends synchronized, identical training (pilot) signal as that of the legitimate receiver. This contaminates channel estimation and alters the legitimate beamforming/precoder design, facilitating eavesdropping. A recent approach proposed superimposing a random sequence on the training sequence at the legitimate receiver and then using the minimum description length (MDL) criterion to detect pilot contamination attack. In this paper, we augment this approach with estimation of both legitimate receiver and eavesdropper channels, and secure beamforming, to mitigate the effects of pilot spoofing. We consider two cases: 1) the spoofer transmits only the pilot signal and 2) the spoofer also adds a random sequence to its pilot, mimicking the legitimate receiver. We also employ a random matrix theory-based source enumeration approach instead of MDL, for spoofing detection, leading to improved detection performance. The proposed detection and mitigation approaches are illustrated via simulations.

An improved technique for the detection of pilot contamination attacks in TDD wireless communication systems

One of the problems phasing the physical layer security of a wireless system is its vulnerability to pilot contamination attacks and hence schemes for its detection need to be applied. A method proposed in the literature consists of training with two N-PSK pilots. Although the method is effective in most of the cases, it is not able to discover an attack initiated during the transmission of the second pilot from the pair if both the legitimate and non-legitimate pilots coincide. In this current paper, an improvement to this method is proposed which detects an intruder who misses the first pilot transmission. The suggested improvement eliminates the usage of threshold values in the detection – a main drawback of previously existing solution.

Secret Key Agreement With Large Antenna Arrays Under the Pilot Contamination Attack

We present a secret key agreement (SKA) protocol for a multi-user time-division duplex system where a base-station (BS) with a large antenna array (LAA) shares secret keys with users in the presence of non-colluding eavesdroppers. In the system, when the BS transmits random sequences to legitimate users for sharing common randomness, the eavesdroppers can attempt the pilot contamination attack (PCA) in which each of eavesdroppers transmits its target user's training sequence in hopes of acquiring possible information leak by steering beam towards the eavesdropper. We show that there exists a crucial complementary relation between the received signal strengths at the eavesdropper and its target user. This relation tells us that the eavesdropper inevitably leaves a trace that enables us to devise a way of measuring the amount of information leakage to the eavesdropper even if PCA parameters are unknown. To this end, we derive an estimator for the channel gain from the BS to the eavesdropper and propose a rate-adaptation scheme for adjusting the length of secret key under the PCA. Extensive analysis and evaluations are carried out under various setups, which show that the proposed scheme adequately takes advantage of the LAA to establish the secret keys under the PCA.

Self-Contamination for Detection of Pilot Contamination Attack in Multiple Antenna Systems

In a time-division duplex (TDD) multiple antenna system, the channel state information (CSI) can be acquired using reverse training. A pilot contamination attack occurs when during the training phase, an adversary also sends identical training (pilot) signal as that of the legitimate receiver. This contaminates the channel estimation phase and can alter the legitimate beamformer/precoder design, facilitating eavesdropping. In this letter, we propose superimposing a random sequence on the training sequence at the legitimate receiver, allowing use of source enumeration methods to detect pilot contamination attack. The proposed method is analyzed and its detection performance is illustrated via simulations.

Physical layer security for massive MIMO: An overview on passive eavesdropping and active attacks

This article discusses opportunities and challenges of physical layer security integration in massive multiple-input multiple-output (MaMIMO) systems. Specifically, we first show that MaMIMO itself is robust against passive eavesdropping attacks. We then review a pilot contamination scheme which actively attacks the channel estimation process. This pilot contamination attack is not only dramatically reducing the achievable secrecy capacity but is also difficult to detect. We proceed by reviewing some methods from literature that detect active attacks on MaMIMO. The last part of the paper surveys the open research problems that we believe are the most important to address in the future and give a few promising directions of research to solve them.

A Semiblind Two-Way Training Method for Discriminatory Channel Estimation in MIMO Systems

Discriminatory channel estimation (DCE) is a recently developed strategy to enlarge the performance difference between a legitimate receiver (LR) and an unauthorized receiver (UR) in a multiple-input multiple-output (MIMO) wireless system. Specifically, it makes use of properly designed training signals to degrade channel estimation at the UR which in turn limits the UR's eavesdropping capability during data transmission. In this paper, we propose a new two-way training scheme for DCE through exploiting a whitening-rotation (WR) based semiblind method. To characterize the performance of DCE, a closed-form expression of the normalized mean squared error (NMSE) of the channel estimation is derived for both the LR and the UR. Furthermore, the developed analytical results on NMSE are utilized to perform optimal power allocation between the training signal and artificial noise (AN). The advantages of our proposed DCE scheme are two folds: 1) compared to the existing DCE scheme based on the linear minimum mean square error (LMMSE) channel estimator, the proposed scheme adopts a semiblind approach and achieves better DCE performance; 2) the proposed scheme is robust against active eavesdropping with the pilot contamination attack, whereas the existing scheme fails under such an attack.