This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMC.2015.2456916, IEEE Transactions on Mobile Computing

Swift Jamming Attack on Frequency Offset Estimation: The Achilles' Heel of OFDM Systems

Hanif Rahbari, Marwan Krunz, Fellow, IEEE, and Loukas Lazos

Abstract—Frequency offset (FO) refers to the difference in the operating frequencies of two radio oscillators. Failure to compensate for the FO may lead to decoding errors, particularly in OFDM systems. To correct the FO, wireless standards append a publicly known preamble to every frame before transmission. In this paper, we demonstrate how an adversary can exploit the known preamble structure of OFDM-based wireless systems, particularly IEEE 802.11a/g/n/ac, to launch a very stealthy (low energy/duty cycle) reactive jamming attack against the FO estimation mechanism. In this attack, the adversary quickly detects a transmitted OFDM frame and subsequently jams a tiny part of the preamble that is used for FO estimation at the legitimate receiver. By optimizing the energy and structure of the jamming signal and accounting for frame detection timing errors and unknown channel parameters, we empirically show that the adversary can induce a bit error rate close to 0.5, making the transmission practically irrecoverable. Such vulnerability to FO jamming exists even when the frame is shielded by efficient channel coding. We evaluate the FO estimation attack through simulations and USRP experimentation. We also propose three approaches to mitigate such an attack.

Index Terms—PHY-layer security, frequency offset, OFDM, reactive jamming, IEEE 802.11, USRP implementation.
1 INTRODUCTION

Communication between two wireless devices involves several concerted functions at the physical (PHY) layer, including time synchronization, carrier frequency offset (FO) correction, channel estimation, channel coding, modulation, interleaving, and others [2]. PHY-layer functions are designed to combat oscillator imperfections and wireless channel impairments, and to decode wireless signals that are corrupted by a limited amount of interference. However, wireless transmissions still remain vulnerable to intentional interference attacks, commonly referred to as jamming.

One measure of the effectiveness of a jamming attack is its duty cycle, i.e., the fraction of the frame that needs to be jammed so that the frame is discarded at the receiver (Rx) [3], [4]. This metric is directly related to the jammer's distance to the Rx, energy budget, and the ability to disrupt concurrent transmissions. A jammer that remains active for a longer period can corrupt more bits and defeat stronger error correction codes (ECCs), at the expense of higher energy consumption and fewer targeted communications. This more potent jammer is also easier to detect [5], localize, and physically remove using jammer localization methods [4].

In this paper, we investigate an extremely low duty cycle jamming model that is facilitated by public knowledge of the frame structure and PHY-layer functions. Our goal is to demonstrate how an adversary can inflict the highest possible number of decoding errors at the Rx, without jamming the corresponding header or payload symbols.

• H. Rahbari, M. Krunz, and L. Lazos are with the Department of Electrical and Computer Engineering, University of Arizona, Tucson, AZ 85721. E-mail: {rahbari,krunz,llazos}@email.arizona.edu
• An abridged version of this paper appeared in the Proceedings of the IEEE INFOCOM Conference, April 2014 [1].

1536−1233 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

PHY-layer standards usually employ publicly known sequences, known as preambles, at the beginning of a frame to acquire important communication parameters, such as the transmission timing, channel, and FO [2]. These parameters are used to align received symbols. An adversary may exploit the public nature of the preamble to construct a reactive jamming attack and target the estimation of these critical parameters. In particular, we demonstrate the feasibility of an energy-efficient and low duty cycle attack against the FO estimation process of IEEE 802.11 OFDM-based devices (including 802.11a, .11g, .11n, .11ac, and .11ah), all of which use the same preamble structure. Our results can be extended to other OFDM-based systems, including 802.16e/m (WiMAX), LTE, and 5G.

The jamming of OFDM systems has recently been the subject of extensive research (e.g., [6]–[12]). These works often consider vulnerabilities in time synchronization or susceptibility to inter-carrier interference (ICI). For example, the authors in [8] proposed several jamming attacks against OFDM time synchronization, including barrage attacks, false preamble timing, and preamble warping. In the barrage attack, white noise is transmitted to decrease the SNR during synchronization. In false preamble timing, the jammer forges a preamble to fool the Rx about the true start time of the frame. A similar technique was used in [9] against an 802.11b Rx to hamper the network throughput. Preamble warping tries to destroy the time-domain correlation (used for time acquisition) within the preamble.

1.1 Frequency Offset Estimation Attacks

In OFDM systems, frequency synchronization errors are more devastating than timing errors [13]. When two radios are tuned to the same target frequency, their oscillators cannot be exactly aligned to that frequency due to hardware imperfections. FO is the inherent difference between the actual frequencies of these two oscillators. In OFDM, FO is usually normalized to the inter-subcarrier frequency interval, called subcarrier spacing. Without frequency synchronization, the performance of OFDM degrades severely because all subcarriers will move away from their expected frequencies, resulting in violation of the subcarriers' orthogonality, ICI [13], and channel estimation errors [1], [14].

To appreciate the significance of correct FO estimation, we conduct a simulation experiment in which a frame containing a bitmap image is transmitted between two nodes. Fig. 1 depicts the effect of a small FO estimation error (0.32% of the subcarrier spacing) on the transmitted image (left) when 48 subcarriers are used at a rate of 6 Mbps. The received image (right) exhibits noticeable degradation in the form of image block misplacement. In practice, FO can be even larger than the subcarrier spacing [2].

Fig. 1. Effect of uncompensated FO on a bitmap image over a noiseless channel (FO = 0.32% of the subcarrier spacing).

A few jamming schemes have been proposed in the literature (e.g., [7], [9], [10]) with the goal of inflicting ICI. Phase warping and differential scrambling attacks [10] consider the preamble structure of Schmidl and Cox [15], which is different from the one used in 802.11 OFDM-based standards, and in essence try to alter preamble symbols in a heuristic fashion without providing any success guarantees. Gummadi et al. [9] showed the vulnerability of 802.11a clock (frequency) synchronization to a certain narrow-band jamming pattern that interferes with the entire preamble. In [7] the jammer transmits multiple asynchronous subcarriers to cause ICI in an OFDM symbol. These attacks may fail if robust ECC, interleaving methods, or additional FO estimation mechanisms are employed at the Rx.

1.2 Contributions

We design an energy-efficient jamming attack that interferes with a small portion of the preamble, i.e., one of the parts used for FO estimation, and causes a shift of one or two units in the subcarrier indices (e.g., every subcarrier takes the position of its next/previous subcarrier). To make this design possible, the adversary (Eve) must first estimate the FO between the legitimate transmitter (Alice) and the intended receiver (Bob), and then quickly detect the transmission of a target frame. We provide an adaptive frame detection method to facilitate fast detection at Eve. The superposition of the jamming signal with the preamble is designed to delude Bob into estimating an FO that is sufficiently far from the true FO, so that Bob decodes wrong symbols, i.e., the symbols of adjacent subcarriers. The idea is to come up with a structure that is similar to the actual preamble so as to control the FO embedded in the jamming sequence. The superposition of these two signals with different FOs at the Rx achieves a sufficient FO estimation error. We derive the amount of FO estimation error needed to guarantee erroneous OFDM demodulation and accordingly develop an optimal attack strategy. To ensure that the jamming signal is independent of the Alice-Bob channel parameters (which are unknown to Eve), we propose a pairing scheme for the jamming sequence. The jamming attack should also account for timing errors in frame detection at Eve while keeping the jamming signal channel-independent. For this purpose, a chaining scheme is designed on top of the pairing scheme to account for other possible frame start times.

Consequently, not only is the channel estimation automatically corrupted at Bob, but more importantly, all the frequency subcarriers are shifted forward or backward. Hence, Bob will have a shifted version of the bitstream transmitted in every OFDM symbol. Combined with a faulty channel estimation and thus demodulation errors, the bits become irrecoverable. We further optimize the power of this jamming attack and experimentally evaluate its performance on a USRP testbed. In contrast to previous attacks on the frame preamble, ours in essence does not necessarily aim at causing ICI. It is also different from the attacks in [7], [9], [10] in that it is channel-independent and energy-efficient, i.e., only a small portion of the preamble is jammed irrespective of the jammer's location. This short-lived attack lasts for less than 3 µs per frame (equivalent to, for example, about 0.5% of 802.11a's maximum frame duration when the data rate is at its highest value). Note that this is even shorter than the duration of an OFDM symbol (4 µs). Our proposed attack also disarms all the provisioned FO estimation methods by efficiently defeating just one of them. Our work focuses on 802.11 OFDM-based wireless systems, and efficiently exploits their FO vulnerability for the first time.

The paper is organized as follows. In Section 2, we provide background on frame detection, FO estimation, and channel estimation in OFDM-based 802.11 standards. The system model, assumptions, and evaluation metrics are given in Section 3. The proposed attack and the optimal jamming strategy are presented in Section 4, and related issues are discussed in Section 5. Section 6 demonstrates the effectiveness of the attack through simulations and experiments. Finally, we propose possible remedies and provide a summary of existing attacks in Sections 7 and 8, respectively.

2 FRAME DETECTION AND FO CORRECTION IN OFDM SYSTEMS

In OFDM, a bitstream is split into several substreams, each of which is digitally modulated and transmitted over one of the orthogonal frequency channels (subcarriers). For example, 802.11a/g defines 64 subcarriers with subcarrier spacing f_∆ = 312.5 kHz within a bandwidth of 20 MHz. Only 48 of these subcarriers are used for data. Four other subcarriers carry pilot signals and the remaining 12 subcarriers are not used. So an 802.11a/g OFDM symbol is transmitted over 52 subcarriers.

ICI in OFDM systems creates significant BER at the Rx [16] (see Fig. 2). To prevent ICI, the Rx uses the PHY-layer preamble to estimate the FO (the same for all subcarriers) and adjust the subcarriers to their expected orthogonal frequency bins. If the offset is less than half of the frequency distance between the subcarriers, the Rx can safely identify the frequency bin that each subcarrier belongs to.

Fig. 2. Inter-carrier interference (ICI) as a result of uncorrected FO in a system with three subcarriers.

Every PHY-layer frame starts with a preamble. In OFDM-based 802.11 systems, the preamble begins with two essential fields (see Fig. 3). The first field contains ten identical short training sequences (STSs), which represent ten replicas of a particular periodic function with period λ_STS = 0.8 µs. The second field consists of two long training sequences (LTSs), which represent two cycles of another known periodic function with period λ_LTS = 4λ_STS, plus a 1.6 µs cyclic prefix (GI)¹. The periodic function in an STS is constructed by superposing only the subcarriers whose frequencies are integer multiples of 4f_∆. As a result, the minimum subcarrier spacing between any two STS-enabled subcarriers is 4f_∆, and hence their period is λ_STS = λ_LTS/4. STSs are used for frame detection and coarse FO correction. LTSs, on the other hand, employ all the data subcarriers and are used for channel estimation and for fine-tuning the coarse STS-based FO estimation.

Fig. 3. Time-domain representation of a common preamble structure in 802.11a/g/n/ac systems (20 MHz bandwidth): ten STSs t1, ..., t10 occupy 0–8 µs and serve frame detection and (coarse) FO estimation; the GI and the two LTSs T1, T2 occupy 8–16 µs and serve fine FO and channel estimation.

We briefly explain the channel estimation process in OFDM-based 802.11 systems because it is affected by the coarse FO estimation. LTSs are used for channel estimation, the task of estimating the response of the channel, because they are supposed to be almost FO-free after STS-based FO correction. There are two general approaches for channel estimation: frequency domain and time domain [13]. In both approaches, the a priori known LTS symbols are compared with the received symbols in order to estimate the impulse or frequency response that results in the minimum mean-square error (MSE). The MSE can grow quadratically as a function of the FO estimation error [14].

2.1 FO Estimation and Correction

Let ∆f be the actual frequency offset between a transmitter (Tx) and an Rx. This FO translates into a phase offset of ∆ϕ(t) = 2π∆f t for the received signal, where t is the time elapsed since the start of the transmission. In addition to causing ICI, a linear increase in the phase offset during the LTSs due to FO results in an incorrect channel phasor estimate. To compensate for channel impairments, the received samples are multiplied by the inverse of this phasor. As a result, all received modulated samples will be rotated equally on the constellation map, leading to more bit errors. Beyond channel estimation errors, accumulation of the phase offset can significantly change the phase of some of the symbols, especially in long frames.

The de facto time-domain FO estimation method used in OFDM systems is the one proposed by Schmidl and Cox [15]. We consider it as a representative FO estimation scheme. It assumes that the channel does not change during the preamble transmission. Having a sequence r with two identical halves is the key idea in this method. It works as follows. Assume that each half of the sequence has L samples with sampling period t_s. Let r_i be the ith sample of the sequence r, i = 1, ..., 2L, so r_i = r_{L+i}. Ignoring the noise, this equality also holds for the corresponding samples at the Rx as long as there is no FO. However, with an FO of ∆f, the phase of r_{L+i} relative to r_i is rotated by ∆ϕ(t_s) = 2π∆f L t_s. Multiplying the conjugate of r_i (i.e., r_i^*) by r_{L+i}, we obtain:

$$ s_i \triangleq r_i^* r_{L+i} = |r_i|^2 e^{-j 2\pi \Delta f L t_s} = |r_i|^2 e^{-j \Delta\varphi(t_s)}. \quad (1) $$

Taking into account the channel coefficient h_i = h_{L+i} and the noise terms n_i and n_{L+i}, the value of s_i at the Rx, denoted by s̃_i, is:

$$ \tilde{s}_i = |h_i r_i|^2 e^{-j 2\pi \Delta f L t_s} + \bar{n}_i \quad (2) $$

where $\bar{n}_i \triangleq r_i n_{L+i}^* + r_{L+i}^* n_i + n_i n_{L+i}^*$ has zero mean. To average out the n̄_i's, the estimated phase offset, ∆ϕ̂, is measured over the summation of all the s̃_i's, i.e.,

$$ \widehat{\Delta\varphi}(t_s) = \measuredangle\Big(\sum_{i=0}^{L-1} \tilde{s}_i\Big) \quad (3) $$

where the notation ∡(x) indicates the phase of a complex quantity x. Thus, the estimated FO is:

$$ \widehat{\Delta f} = \frac{\widehat{\Delta\varphi}(t_s)}{2\pi L t_s}. \quad (4) $$

Fig. 4 shows an example of a sequence of length 2L = 8 samples. The more samples are used to estimate ∆ϕ̂, the more accurate the estimated FO is.

Fig. 4. Example of the phase offset averaged over L = 4 s̃_i products (s̃_1, ..., s̃_4 drawn in the complex plane; ∆ϕ̂ is the phase of their sum).

¹ In MIMO-OFDM systems, these two fields are followed by additional training sequences for MIMO channel estimation [17].
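The receiver side of Sections 2.1 and 2.2, as an added, runnable Python example that is not part of the paper and not the authors' code: the identical-halves estimator of (1)–(4), the timing metric M(n) of (5)–(6) that Section 2.2 below introduces, and the coarse-STS-then-fine-LTS order that Bob follows in Section 3. It assumes a constructed preamble (random unit-magnitude samples arranged with the 802.11 periodic structure, not the standard's sequences), a flat channel with a fixed phase, AWGN at 40 dB SNR, t_s = 50 ns, and an actual FO of 400 kHz; the names make_capture, through_channel, timing_metric, detect_start, estimate_fo and receiver_chain are this example's own.

```python
import cmath
import math
import random

TS = 50e-9        # sample period at 20 MHz (802.11a/g)
L_STS = 16        # samples per short training sequence (0.8 us)
L_LTS = 64        # samples per long training sequence (3.2 us)
FRAME_START = 31  # index of the first preamble sample in the constructed capture


def make_capture():
    """Constructed stand-in for an 802.11 preamble behind 31 idle samples: ten copies
    of a 16-sample period, a 32-sample GI, then two copies of a 64-sample period.
    Sample values are random unit-magnitude numbers, NOT the standard's sequences;
    only the periodic structure matters to the estimators below."""
    rng = random.Random(1)
    sts = [cmath.exp(1j * rng.uniform(-math.pi, math.pi)) for _ in range(L_STS)]
    lts = [cmath.exp(1j * rng.uniform(-math.pi, math.pi)) for _ in range(L_LTS)]
    return [0j] * FRAME_START + sts * 10 + lts[-32:] + lts * 2


def through_channel(tx, delta_f, h, snr_db, seed=2):
    """Flat channel h, FO delta_f (the phase 2*pi*delta_f*t grows with time) and AWGN."""
    rng = random.Random(seed)
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)          # per-dimension noise std
    return [h * x * cmath.exp(2j * math.pi * delta_f * i * TS)
            + complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
            for i, x in enumerate(tx)]


def timing_metric(rx, L):
    """Schmidl-Cox timing metric M(n) = |A(n)|^2 / E(n)^2, eqs. (5)-(6)."""
    M = []
    for n in range(len(rx) - 2 * L + 1):
        A = sum(rx[n + i].conjugate() * rx[n + L + i] for i in range(L))
        E = sum(abs(rx[n + L + i]) ** 2 for i in range(L))
        M.append(abs(A) ** 2 / E ** 2)
    return M


def detect_start(M, eps):
    """Frame start = earliest n, at or before the argmax, with M(n) > (1 - eps) * max M."""
    m_hat = max(M)
    n_hat = M.index(m_hat)
    return next(n for n in range(n_hat + 1) if M[n] > (1 - eps) * m_hat)


def estimate_fo(rx, first, L):
    """Eqs. (1)-(4): phase of sum(conj(r_i) * r_{L+i}) over two identical halves of length L.
    Unambiguous only while |delta_f| < 1/(2*L*TS); a larger offset wraps by k/(L*TS)."""
    acc = sum(rx[first + i].conjugate() * rx[first + L + i] for i in range(L))
    return cmath.phase(acc) / (2 * math.pi * L * TS)


def receiver_chain(rx, eps=0.05):
    """Bob's procedure: detect the frame with one-STS windows, coarse-estimate the FO from
    two of the last three STSs, derotate, then fine-tune on the two LTSs.
    Returns (start, coarse FO, final FO, FO an LTS-only estimator would have produced)."""
    start = detect_start(timing_metric(rx, L_STS), eps)
    df_s = estimate_fo(rx, start + 7 * L_STS, L_STS)                   # STS #8 vs #9
    derotated = [x * cmath.exp(-2j * math.pi * df_s * i * TS) for i, x in enumerate(rx)]
    lts_first = start + 10 * L_STS + 32                                 # after the GI
    df_l = estimate_fo(derotated, lts_first, L_LTS)
    return start, df_s, df_s + df_l, estimate_fo(rx, lts_first, L_LTS)


def demo(delta_f=400e3, snr_db=40.0):
    """Run the chain on the constructed capture through a flat channel of phase 0.4 rad.
    With delta_f = 400 kHz (1.28 f_Delta: beyond th_l = 156.25 kHz but within
    th_s = 625 kHz) the STS stage is needed; the LTS-only estimate wraps to 87.5 kHz."""
    rx = through_channel(make_capture(), delta_f, cmath.exp(0.4j), snr_db)
    return receiver_chain(rx)


if __name__ == "__main__":
    start, coarse, final, lts_only = demo()
    print(start, round(coarse), round(final), round(lts_only))
```

demo() reports the frame start at sample 31, a coarse STS estimate and a final estimate both within a few hundred hertz of 400 kHz, and an LTS-only estimate of about 87.5 kHz: 400 kHz exceeds 1/(2·64·t_s) = 156.25 kHz, so the LTS phase wraps by 2π and the estimator lands one subcarrier spacing (312.5 kHz) too low, which is the ambiguity Section 2.1 goes on to discuss and the reason the wider-range (625 kHz) but noisier STS stage runs first.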
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMC.2015.2456916, IEEE Transactions on Mobile Computing 4 Regarding the phase of a complex number such as si, theRxobservesavaluebetween π andπ.Inotherwordes, 1 − the Rx cannot distinguish ∆ϕ from ∆ϕ 2kπ in (4), for any integer k. The phase offset of 2π co±rresponds to 1 0.8 L = 16 offset, i.e., one subcarrier spacing. In particular, considLetsr n)0.6 L = 80 a subcarrier and two FOs from it, ∆f and ∆f , where M( 1 2 0.4 ∆f 1 and ∆f = ∆f + 1 . The corresponding p| ha1se|s≤ar2eLt2sπ ∆f1|Lts2|and|2π1∆| f1LLtsts +2π, respectively. 0.2 | | | | Becausethephasesdifferby2π,therewillbeanambiguity 0 indistinguishingbetweenthem.TheRxinterprets∆f + 1 0 15 30 45 60 75 90 105 120 135 150 165 1 Lts Sampleindex(n) as ∆f and will mistakenly adjust ∆f to the neighboring 1 2 subcarrier bin. In general, the phase is unambiguous and cor- Fig.5.M(n) vs. n fortwoextremecases ofwindow lengths(SNR = rectableaslongas ∆f < 1 (halfasubcarrierspacing).This 42dB,framestartsatn=31,ts=50ns). | | 2Lts alsoimpliesthatalongerperiodofacyclereducestherange of FO that can be corrected unambiguously. Given a fixed second one is computed. Let (n) be the summation of A samplinginterval,alongerperiodresultsinhigherL. these correlations when the first window starts at the nth Let ths and thl be the maximum ∆f values that STSs sampleofthewholesequence: | | and LTSs can correct unambiguously, respectively. In the L−1 8se0q2u.1e1nac/egw, tiwthotwofotihdeenltaisctalthhraeleveSsTfSosrcaorearcsheoFsOenesttoimfoartmiona. A(n)= Xs∗n+isn+L+i. (5) i=0 e e Since the number of samples of an LTS is four times the Using (n), a normalized timing metric, (n), is com- numberofsamplesofanSTS,thenthl =ths/4=f∆/2. A M puted: The above discussion reveals a tradeoff between the (n)2 accuracy and range of the correctable FO. 
The goal of the (n)= |A | (6) STSs is to estimate a large FO value and compensate for M (n) 2 (cid:0)E (cid:1) it by multiplying the rest of the samples (including those obtained during the LTSs) by e−j(−2π∆gfsits), where ∆fs whereE(n)d=efPiL=−01|sn+L+i|2isthereceivedsignalenergy is the estimated FO in the STSs phase and i is the samgple over the second windeow. M(n) is close to zero if either window does not contain any preamble sample. On the index. Using LTSs, the Rx then computes ∆fl to fine-tune other hand, (n)peakswhen bothwindows contain only thecoarselyestimatedFO. Thisexplainsonge ofthereasons M preamblesamples.Ideally, (n)shouldstayconstantatthe for concatenating short and a long training fields in 802.11 M maximumvalueof1,aslongasboththewindowsarebeing systems. Consequently, if the actual FO is larger than ths, moved inside the preamble boundaries. So the first time thisFOestimationmethodfailstofullycompensateforit. that (n)hitsthemaximumismarkedasthebeginningof EvenaftertheLTS-basedFOcorrection,asmallresidual M the frame. Because of noise, the maximum mayoccur later FO may remain due to noise. This error is typically too thantheactualpreamblestarttime.Toaccountfor this,the small to cause ICI, but it gradually rotates the phase of the received symbols on the constellation map and may algorithm first finds Mˆ = maxnM(n) and tˆhen searches fortheearliesttimebeforetheoccurrenceof withan increase the BER, specially in the long frames. A prede- value greater than (1 ǫ) ˆ, where 0 < ǫ <M1 is a systeMm termined subset of subcarriers with known values (called − M parameter.Thattimeinstantistakenasthebeginningofthe pilot subcarrier) are used to track and compensate for these frame. small phase changes. Theoretically, there is no frequency Fig. 5 shows two examples of the smallest and largest range limitation for FO estimation in pilot subcarriers [13]. 
possible window sizes in the 802.11a frame detection Inaddition,knownpilotsubcarrierscanbeusedfortracking scheme. When L = 80, the noise is averaged out, so the channelvariations. estimate ˆ is more reliable. In contrast, when L = 16, (n) exhMibits a higher fluctuation and ˆ is less reliable, 2.2 FrameDetection rMequiringalargerǫtodecreasetheprobabMilityofmisdetect- ForatypicalwirelessRx,anincreaseinthereceivedpower ingthe frame starttime.Eventhoughthesharpincreaseof is a first indication of a new frame. To verify whether this (n) makes room to increase ǫ, it is unclear how much M increase is indeed due to a transmitted 802.11a/g/n/ac increaseissufficient. frame and thentime synchronize with it, the Rx checks for the existence of successive identical sequences of a preset 3 MODEL AND ASSUMPTIONS length [15]. In Schmidl and Cox’s frame detection method, the Rx considers two non-overlapping intervals, each of We consider a link between Alice (the Tx) and Bob (the duration kλSTS microseconds (equivalently, kL samples, Rx). The adversary (Eve) is in the transmission ranges of where k is an integer) to represent two identical halves bothAliceandBob.Alicetransmitsan802.11OFDMframe of a sequence. For example, three STSs with ts = 50 ns and Bob uses a few of the first STSs for frame detection. sampleperiod(owingtotheNyquistrateof20MHz)result He chooses two of the last three STSs, in conformity with in L = 48 samples. In the 802.11 standard, 1 k 5. the standard (see Fig. 3) and employs the Schmidl and ≤ ≤ The correlation between the samples’conjugate in the first Cox method for FO estimation. Once Bob estimates the interval (window) and the corresponding samples in the coarseFOusingSTSsandcompensatesfor∆fs,heassumes, g 1536−1233 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. 
by default, that the residual FO is less than th_l and then estimates it using the LTSs. According to the 802.11 standard, Bob does not perform any kind of boundary check during the LTS- and pilot-based FO estimation processes.

Eve aims at irrecoverably corrupting Alice's frame at Bob using the lowest possible jamming effort. Eve is aware of the PHY-layer protocol and the FO correction mechanism at Bob. She makes no assumptions about the channel parameters or Alice's transmission power. If the oscillators are either stable or accurate, Eve initially eavesdrops on Alice's and Bob's preamble transmissions (e.g., data-ACK exchanges) for a while. Through averaging, she estimates their FOs relative to Eve, denoted by ∆f_ae and ∆f_be, respectively².

The metrics of interest are the coarse and final estimated FOs at Bob, the symbol error rate (SER), the BER after demodulation but before decoding, and the jamming effort (defined as the jammer's duty cycle [3]). These metrics will be studied with respect to the SNR, modulation scheme, and signal-to-jamming ratio (SJR) at Bob.

4 FREQUENCY OFFSET ESTIMATION ATTACK

In this section, we describe in detail an attack on the FO estimation. Eve launches this attack in two phases: (1) eavesdropping on the channel to detect the start of Alice's frame transmission and acquire its timing information; and (2) jamming the last three STSs of the preamble, which are used for coarse FO estimation.

4.1 Phase 1: Adaptive Fast Frame Detection

To pinpoint the last three STSs in time and corrupt the FO estimation at Bob, Eve must detect Alice's frame and synchronize with its arrival at Bob. The detection should be fast enough to allow sufficient time for processing, switching to transmission mode, and jamming the last three STSs. Referring to the frame detection mechanism in Section 2, Eve chooses the minimum possible window size (one STS, L = 16) and reduces the capture time to 2.5λ_STS = 2 µs to make sure that at least the first two STSs are captured.

To account for the higher detection inaccuracy due to the small window size, Eve assumes that the actual start time belongs to the first V = log₂(L)³ sample indices i_0, i_1, ..., i_{V−1} whose metric values are greater than (1 − ǫ)M̂, and finds all of them instead of just looking for the first one. She sets ǫ to a value less than 1/L, the contribution of a preamble sample pair to M(n). This is an attempt to exclude the samples located more than one index before the actual frame start time. If there are fewer than V sample values greater than the threshold, Eve adaptively decreases the threshold by finding the smallest ǫ that guarantees the existence of V candidates⁴.

² In general, oscillators exhibit numerous instabilities, due to aging, temperature, acceleration, ionizing radiation, power supply voltage, etc. Thus, the Rx must update the FO estimate on a per-frame basis, even if the frame sender is already known. This is especially the case with non-stable oscillators. In this case, Eve can perform FO estimation along with fast frame detection to optimally design the jamming signal for each frame (see Section 4.1).
³ The reason for this specific number will be explained in Section 4.2.3.
⁴ Eve may also apply the synchronization method in [18] to improve the detection accuracy.

Fig. 6. Phase and frequency offsets as observed during the STSs. (a) Phase domain: a wrong phase estimate ∆ϕ̂ can move ∆ϕ_ab out of the LTS-based correctable range. (b) Frequency domain: an incorrect ∆f̂_s can move ∆f_ab out of the LTS-based correctable range (th_l = f_∆/2).

4.2 Phase 2: Preamble Jamming

Based on i_0, Eve computes the arrival time of the last three STSs of the preamble and generates a jamming signal that would be aligned with those STSs. The energy-efficient jamming sequence is designed to defeat all STS-, LTS-, and pilot-based FO corrections without jamming the LTSs and pilot subcarriers. For this attack to be successful, Eve has to account for unknown channel parameters and frame-detection timing errors. More specifically, the jamming sequence is designed to achieve the following goals:

4.2.1 Forcing Bob to make a destructive error

By default, Bob assumes that the FO to be estimated using the LTSs is less than th_l. If Eve deceives Bob into erroneously pushing the FO beyond th_l after receiving the STSs, instead of reducing it, then she achieves her goal without needing to jam the LTSs.

Without loss of generality, Eve assumes i_0 is the correct start time of the frame (we will relax this assumption later). Let ∆f_eb = −∆f_be and ∆f_ab = ∆f_ae − ∆f_be represent Bob's estimates of the Eve-to-Bob and Alice-to-Bob FOs, respectively. Let ∆ϕ_ab, ∆ϕ_eb, and ∆ϕ_l = π/4 be the phase offsets corresponding to ∆f_ab, ∆f_eb, and th_l, respectively, after a single STS (0.8 µs). To cause an incorrect FO estimate ∆f̂_s such that the updated FO after the STSs, ∆f_ab − ∆f̂_s, is higher than th_l, the following inequality should hold:

$$ |\Delta\varphi_{ab} - \widehat{\Delta\varphi}| > \Delta\varphi_l. \quad (7) $$

Fig. 6(a) and 6(b) show an example of such a situation in polar coordinates and in the frequency domain, respectively.

Eve's jamming signal needs to satisfy (7). Let g be the Eve-to-Bob channel coefficient. We assume that during Eve's jamming period, g is the same for all the jamming samples that belong to the jamming sequence u, denoted by u_i, i = 1, ..., 2L. Let r̃_i = h r_i and ũ_i = g u_i. We consider two different approaches for generating the jamming sequence:

1) Random noise: A simple way to corrupt the FO estimation at Bob is to jam the last three STSs with a random signal.
Recalculating the autocorrelation A at Bob after the superposition and ignoring the noise term in (2), we have:

$$ A_{\mathrm{random}} \triangleq \sum_{i=0}^{L-1} \tilde{s}_i = \sum_{i=0}^{L-1} (\tilde{r}_i + \tilde{u}_i)^* \big(\tilde{r}_i e^{-j\Delta\varphi_{ab}} + \tilde{u}_{L+i}\big) = \sum_{i=0}^{L-1} |\tilde{r}_i|^2 e^{-j\Delta\varphi_{ab}} + \sum_{i=0}^{L-1} \tilde{r}_i^* \tilde{u}_{L+i} + \sum_{i=0}^{L-1} \tilde{u}_i^* \big(\tilde{r}_i e^{-j\Delta\varphi_{ab}} + \tilde{u}_{L+i}\big). \quad (8) $$

The phase and amplitude of the 2nd and 3rd terms in (8) (and hence ∆ϕ̂_random ≜ ∡A_random) are unknown, because not only do they include the random complex numbers ũ_i, but also the phase and amplitude of r̃_i are unknown after traversing the Alice-to-Bob channel. Hence, ∆ϕ̂_random may not satisfy (7), so FO jamming with a random signal cannot provide any FO distortion guarantee to beat LTS-based FO estimation.

2) Fake preamble: A more effective jamming approach that exploits both knowledge of the FO estimation algorithm and ∆f_ab is to construct a fake preamble with "identical halves". For now, assume that the samples of the jamming signal u_i, i = 1, ..., 2L can take any arbitrary value as long as the signal conforms to the protocol bandwidth requirement. The preamble phase warping attack in [10] is a special case of this approach, where the jamming signal is a random frequency-shifted version of an arbitrary fake preamble. The advantage of having identical halves is that we can control and carefully calculate a desired FO for u based on how Bob estimates ∆f_ab. Here, we also note that the channel response between Eve and Bob does not change the FO. Before we explain how a desired FO (and hence ∆f_eb) is determined, consider the superposition of Alice's signal and Eve's jamming at Bob. Dropping the index i from (2) and ignoring the noise term, we have:

$$ \tilde{s} = (\tilde{r} + \tilde{u})^* \big(\tilde{r} e^{-j\Delta\varphi_{ab}} + \tilde{u} e^{-j\Delta\varphi_{eb}}\big) = e^{-j\Delta\varphi_{ab}} \underbrace{\Big[ |\tilde{r}|^2 + |\tilde{u}|^2 e^{-j(\Delta\varphi_{eb} - \Delta\varphi_{ab})} + \tilde{r}^* \tilde{u}\, e^{-j(\Delta\varphi_{eb} - \Delta\varphi_{ab})} + \tilde{u}^* \tilde{r} \Big]}_{B}. \quad (9) $$

Thus, the estimated phase offset at Bob is:

$$ \widehat{\Delta\varphi} = \measuredangle \tilde{s} = \Delta\varphi_{ab} + \measuredangle B + \measuredangle \bar{n}. \quad (10) $$

Note that the phase estimation error ϕ_e ≜ ∡B is a function of the SJR and ∆ϕ_eb, and jamming will have no effect if ϕ_e = 0. Upon calculating ∆ϕ̂ and ∆f̂_s, Bob changes the FO for the rest of the frame to ∆f_ab − ∆f̂_s. According to (7), Eve is successful if she can ensure that ∆ϕ̂ satisfies the following:

$$ |\Delta\varphi_{ab} - \widehat{\Delta\varphi}| > \Delta\varphi_l \;\Rightarrow\; |\varphi_e + \measuredangle \bar{n}| > \Delta\varphi_l = \frac{\pi}{4}. \quad (11) $$

Eve can guarantee a desired ϕ_e only if SJR → −∞. Otherwise, even if she knows ∆ϕ_ab and ũ and can also control ∆ϕ_eb, she has no control over the other channel-dependent parameters in B. Specifically, the phase and amplitude of r̃ are channel-dependent and Eve cannot estimate the Alice-to-Bob channel coefficient h. That means that Eve is still unable to guarantee a successful attack, which is also the case in the preamble phase warping attack.

4.2.2 Designing a channel-independent jamming signal

To address the aforementioned challenge, Eve takes advantage of Alice's known preamble samples and the product sum in (3) to cancel out the terms with unknown phases. Eve first chooses L/2 non-overlapping pairs of samples. Without loss of generality, let Eve pair the samples in order and let (u_1, u_2) be the first pair of samples in the jamming sequence. By knowing the preamble sample values at Alice, u_2 can be designed such that when Bob sums up s̃_1 and s̃_2, all the terms that depend on r̃ (excluding |r̃|²) in the term B in (9) are eliminated. Thus,

$$ u_2 = -\frac{r_1^*}{r_2^*}\, u_1 \quad (12) $$

which implies that

$$ \tilde{s}_1 + \tilde{s}_2 = e^{-j\Delta\varphi_{ab}} \Big[ |\tilde{r}_1|^2 + |\tilde{r}_2|^2 + \big(|\tilde{u}_1|^2 + |\tilde{u}_2|^2\big) e^{-j(\Delta\varphi_{eb} - \Delta\varphi_{ab})} \Big]. \quad (13) $$

The requirement in (12) is similarly imposed on the rest of the even samples. We refer to this requirement as the pairing rule. Accordingly, the autocorrelation function A for this scheme, denoted by A_fake, becomes:

$$ A_{\mathrm{fake}} = \sum_{i=0}^{L-1} \tilde{s}_i = e^{-j\Delta\varphi_{ab}} \underbrace{\Big[ \sum_{i=0}^{L-1} |\tilde{r}_i|^2 + \sum_{i=0}^{L-1} |\tilde{u}_i|^2 e^{-j(\Delta\varphi_{eb} - \Delta\varphi_{ab})} \Big]}_{C(\Delta\varphi_{eb} - \Delta\varphi_{ab})}. \quad (14) $$

Now A_fake is a function of the difference between ∆ϕ_ab and ∆ϕ_eb only. So Eve can determine a desired value of ∆ϕ_eb in a way that makes |∡C(∆ϕ_eb − ∆ϕ_ab)| > ∆ϕ_l, which satisfies (11).

4.2.3 Robustness to errors in frame start time

We now relax the assumption that Eve can precisely determine the true frame start time and consider a scenario in which she compiles a short list of possible frame start times besides i_0, as explained in Section 4.1. Thus far, we have required the jamming sequence to have identical halves with a ∆ϕ_eb that satisfies (11), and the even samples to be a function of the odd samples (pairing rule). Eve could still benefit from the remaining free, unassigned samples (i.e., the odd samples) to cancel out channel-dependent terms for other possible start times. We generalize the pairing technique to larger sets of samples and define the following chaining rule to account for the other start times i_1, i_2, ..., i_{V−1}⁵.

Let m = {m_1, ..., m_{V−1}}, where m_j = i_j − i_0. First, Eve extends her jamming sequence by appending (cyclically postfixing) the first m_{V−1} jamming samples to this sequence. So for any candidate frame start time i_j, the jamming signal will be fully superposed on Alice's three STSs, because the jamming signal is already cyclically extended by m_{V−1} > m_j samples. Next, Eve assumes that i_1 is the correct frame start. In this case, the superposition of the jamming signal on Alice's three STSs will be different from the previous case (i.e., the jamming sequence is slid with respect to Alice's STSs) and (12) is no longer sufficient to eliminate the last two channel-dependent terms within B in (9). Instead, Eve can find pairs of yet free samples and,

⁵ Eve can precompute and then account for the propagation delays by timestamping the data-ACK exchanges between Alice and Bob and estimating the Eve-to-Bob distance. The chaining rule can also be leveraged to account for errors in estimating these delays.

Algorithm 1 Chaining and pairing rules combined
1: Input: L, V, r[1...L], m[0...V−1]
2: Initialize: u ← 1 (every sample set to the jamming seed)
3: for j ← 0, V−1 do
4:   k ← 2^j
5:   while k < L do
6:     t = r circularly shifted by m_j
7:     x = −( Σ_{i=k−2^j+1}^{k} u_i t_i^* ) / ( Σ_{i=k+1}^{k+2^j} u_i t_i^* )
8:     [u_{k+1}, ..., u_{k+2^j}] = [u_{k+1}, ..., u_{k+2^j}] · x
9:     k = k + 2^{j+1}
10:   end while
11: end for
12: Return u

Fig. 7. Cascaded chaining and pairing of the samples towards the jamming seed (L = 16, V = 4). Jamming samples are shown on the tree (free samples 1, ..., 16 at level i_0; 1, 3, ..., 15 at level i_1; 1, 5, 9, 13 at level i_2; 1 and 9 at level i_3; the seed at the root) and the shifted versions of Alice's preamble on the bottom. Horizontal dashed lines represent direct dependency between samples.

A pseudocode of the chaining rule, which also contains the pairing rule, is provided in Algorithm 1. The algorithm iterates for each m_j: the iteration for m_0 = 0 applies the pairing rule, and those for j = 1, ..., V−1 apply the chaining rule. At each iteration and for each pair of free samples, the right subtree (the right siblings of all its 2^{j−1} dependents) is multiplied by a coefficient x (defined in line 7) such that the summation of the corresponding 2^j product terms in (9) and the 2^j terms corresponding to the left subtree is zero.
The hori- similartothepairingrule,defineoneofthesamplesofeach zontal arrows in Fig. 7 show the dependence of the right of such pairs based on the other sample of that pair and subtrees on their left subtrees. As a result, L/2j samples alsothe corresponding samplesin r. Afterthis step,halfof are assignedat each iterationand the algorithm terminates thefreesampleswillbegivenvalues.Everepeatsthesame after V = log (L) iterations. In the end, all but one of the procedurefortherestoftheframestarttimesandfreesam- 2 samples (u in our example) will be a right sibling at least ples. Based on these hierarchical dependencies among the 1 once at some point in the tree and so are assigned. We call samplesui,Eveconstructsabinarychainingtreeinwhichthe the remaining free sample the jamming seed, to which all dependency between two samples is mapped to a parent- the samples are chained either directly or recursively. The child relationship. Note that an unassigned (free) sample jammingseedcanbeusedtocontrolthejammingpower. may already have a chain of other dependent sample(s). Thevalueofthedependentswillbeupdatedwheneverthat sampletakesanewvalue. 4.3 EffectsofLTSsonFOandChannelEstimation An example is depicted in Fig. 7 with m = 0,1,3,4 . { } Without loss of generality, we assume Alice’s preamble LTSs are used for fine FO and channel estimation. As ex- sequence is shifted instead of the jamming sequence. The plainedinSection2,thephaseoffsetfromtheLTS-basedFO treeinthisfigureshowshowthejammingsamplesarebeing corresctionperspectiveis between π andπ, whichmeans − chained together and used to construct the tree from the thatthetrueFOafterSTS-basedcorrectionhastobebetween bottom to the top. 
Apairof free samplesare considered as thl andthl.SoLTSscancorrectuptothl =f∆/2FO,and − siblings.Theleftchildspecifiesthevalueofitsrightsibling any remaining phase offset will be an integer multiple of based on mj and then the left child is copied to its parent 2π, which corresponds to 2kthl = kf∆, k = 1,2,.... In node.Sotherightchilddependsonitssibling.Toexplicitly otherwords,theLTSsatBobrounduptheFOmanipulated definethedependencybetweenthetwosiblingsamples,all by ∆fs to the nearest multiple of 2thl and avoid ICI by their dependent samples must also be taken into account adjugstingthesubcarrierstotheclosest,thoughincorrect,fre- because their values in (9) are affected by their parents’ quencybins.Consequently,inthisattackallthesubcarriers values. For example, when j = 1, Eve may select two free will be shifted forward or backward, replacing neighbor- samples u1 and u3 (together with their dependents u2 and ing subcarriers. Bob eventually demodulates the bits of all u4)toeliminatethechannel-dependentterms: OFDMsymbols,butheisunawarethatthesesymbolshave ∗ ∗ ∗ ∗ been shifted and misplaced. A simple example with four u r +u r +u r +u r =0 (15) 1 16 2 1 3 2 4 3 subcarriersisprovidedinFig.8.Eachsubcarriercarriestwo which implies the dependency of u to u (u and u are bits(QPSK-modulatedsymbols).Intheshiftedversion,two 3 1 2 4 substituted by their corresponding pairing rule dependen- unknown bits are added in the beginning and the rest of ciesonu andu ): the sequence is shifted to the right, although the bits are 1 3 correctlydemodulated.Therefore,whenthebitsofdifferent r (r r r r ) ∗ 4 2 16 1 1 ∗ u = − u . (16) OFDMsymbolsareconcatenatedtoreconstructtheoriginal 3 − r (r r r r ) 1 2 2 4− 3 3 bitsequence,theentiresequencewilllookshuffledandout- Now the valueof the dependent of u (u in this example) of-order compared to the original bit sequence. 
A shifted 3 4 isupdatedtomaintainitsdependencyrelationshipwiththe versionofanarbitrarybitsequencewillresultinveryhigh rightsiblingu . BER. 3 1536−1233 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMC.2015.2456916, IEEE Transactions on Mobile Computing 8 1 BW shift 01 10 00 11 xx 01 10 00 (cid:543)(cid:2030)(cid:3039) Fig.8.ExampleoftheFO attackonfoursubcarriers (left):Theattack 2 BW shifts shiftsthesubcarriersandthecorrespondingbitstotheright. (cid:2870) (cid:2159) (cid:1873)(cid:3556) 2 FW shifts (cid:883)(cid:885)(cid:887)(cid:953) AnSTS-basedFOestimationerror alsoaffectsthe chan- (cid:2870) (cid:1870)(cid:449) nel estimation process, which is applied across the LTSs, specially if Bob estimates the channel irrespective to the 1 FW shift outcome of the fine FO estimation. To elaborate, the phase offsetaccumulatesovertime,causingdifferentLTSsamples Fig.9.SuperpositionofAlice’sandEve’ssignalsatBobandtheresulting tohavedifferentphaseoffsets.However,Bob complacently subcarriershifts.Theminimumfeasible|u˜|2occurwhenthevector|u˜|2 tries to interpret this time-varying phase offset as a fixed- isperpendiculartoanedgeofthe1-shiftregions.Thepartsofacontour crossingtheshadedareasshowthefeasiblephasesforagiven|u˜|2. value channel phasor by minimizing the MSE. 
Hence, his attempt to model the FO as if it is a channel parameter b smret4qLaheeqc.ue4salehuteeuxiaΦccneliotltmvecOiisnznbeeuipsagnd=ttmtDtheeii|faomleeΦl∆nnsasmeautibiϕlrignba|ooe.cnJcxbntoTaia)a−mrrmhmtrrei∆ueissamecmprϕtmtih.neaspaehbsgox.tiipsfiImSmtfsaittyaabrihzntalleoeeadtdaetS|id∡gooJcR’yhvnCsea(a(amΦrntOclnelBooopbedom)wtlb|iumpesvlihaasapEtallkiovusonseoJensorabit,wbmsoywylnemiomhn,piFiEflbcntOhviiogcmeltaseaScftstolahteelinnyer-- ∆∆| f− f| (normalized to f)∆ebab1111....−−2468211 00 11 22 OSupbticmararli e| r∆s33 sfehbi−ft∆ fab| −−021Number of f shifts in subcarriers at Bo∆ SJR (dB) mationinaccuraciesduetonoiseatEveorBob.Tocalculate the optimal |Φeb|, we represent the total received jamming fFoirg.d1iff0e.reOnpttiSmJaRl|v∆alfueebs−. ∆fab|andresultingamountofsubcarriershift energy u˜2 and signal energy r˜2 in polar coordinates, as | | | | smhaoxwimnuinmF∡ig. ,9w. Uhesirneg g=eomr˜2et+ricu˜a2rge−umj(Φeenbt)s.,Ewacehficnirdcutlhaer orequivalently,|∆feb−∆fab|=1.5f∆. | C| C | | | | Equation (20) says that the phase offset of Eve’s sig- contour in this figure shows the end points of the vector C nal as perceived by Bob should have phase difference of forAasgilvoenngSaJsRu˜bu<tdir˜ff,er∡entrΦeeabcvhaelsuietss.maximumwhenthe |π/2+∆ϕl|relativetoAlice’ssignal.Evenif∆ϕeb doesnot | | | | | C| satisfy(20),Evecanaugmentthehardware-dependent∆feb vector is tangent to the contour circle. Ina right triangle, C and obtainan effective ∆feb by imposingan artificialFO of thisimplies u˜2 ∆fnonthejammingsequencebeforeitistransmittedbythe ∡ =arcsin| | (17) oscillator.Thisisachievedbymultiplyingthesamplesofthe | C| |r˜|2 jammingsequencebye−j2π∆fnits,where∆fn isgivenby: and Φeb =π/2+∡ . (18) ∆fn =±1.5f∆−∆feb+∆fab. (21) | | C When u˜ r˜, the maximum ∡ equals to π, which The optimal |Φeb| that minimizes the jamming energy | | ≥ | | C isparticularlyimportantindesigningtheoptimaljamming is always achieved when |Φeb| = π. In Fig. 
10, we plot strategybecausetheSJRatBobisusuallyunknowntoEve. tfhoredcoifrfreersepnotnSdJiRngvaolputeism.aBla|s∆edfeobn−∡∆f,awb|edaulrsiongdetrhieveSTthSes The optimaljammingstrategyto dealwith this situationis C to consider the worst-case (highest) SJR under which the resulting number of subcarrier-spacings shift after LTSs. attackis successful and then set the effective FO according Notethatphaseoffsetsπ/2andπcorrespondtoFOsofone to(20).Therefore,EvealwayssetsΦeb to (π/2+∆ϕl). andtwof ’s,respectively.FromtheSTSsperspective,LTSs ± ∆ adjusta phaseoffset to itsclosest multipleof 2ϕl. Sowhen ∡ >3ϕl,theattackresultsinashiftoftwosubcarriers. 5 DISCUSSION | C| Thejammingsequencecanbedesignedtominimizethe OFDM-based802.11systemsemployinterleavingandadap- tooftaaltjlaemasmt ionngeesnuebrcgayrrPieriL=−s0h1i|fu˜t,i|i2.e,.s,u∡bje(cΦt etob)the c∆onϕslt.raTihnet trievseiliemnocdyualagtaioinnstanjadmmcoidnigngan(AdMbiCt)esrcrohresm. eHsotwoeivnecrr,eathsee | C | ≥ shaded area in Fig. 9 shows the feasible region. According achievedBERvalueoftheaforementionedFOattack( 0.5) ∼ to(17)andthegeometryinFig.9,weconcludethat: is high enough that the mutual information between the 1) Theenergyminimizationproblemisfeasibleaslongas transmitted and received sequences is zero, and hence practical coding schemes cannot recover the frame. After L−1 r˜ 2 1 SJR= Pi=0 | i| =√2 1.5dB. (19) an unsuccessful transmission and subsequent data rate re- PiL=−01|u˜i|2 ≤ sin(∆ϕl) ≈ duction, Alice may increase her transmit power for the whole frame. In the case of the proposed FO attack, such 2) Theminimumjammingenergyisachievedwhen an increase is unnecessary and inefficient for the payload, ∆ϕeb ∆ϕab = π/2+∆ϕl =3π/4, (20) which constitutes up to 99.9% of a frame. In addition, an | − | | | 1536−1233 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. 
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMC.2015.2456916, IEEE Transactions on Mobile Computing 9 intelligent jammer can track Alice’s power increase (e.g., e by overhearing management frames), adjust the jamming Ev 1 at power to always achieve the optimal SJR, and force the n o 0.8 droppingofsubsequenttransmissions. cti e It may also be argued that because pilot subcarriers et D 0.6 are transmitted on known frequencies, Bob can compare me tcheeivekdnosywmnbsoylsmobnodlsiffoefretnhtesupbilcoatrrsiuerbsctaorridieernstiwfyitahptohsesibrele- se Fra 0.4 ci subcarrier shift. However, because channel estimation is Pre 0.2 Fast Frame Detection, 1st candidate distorted, locating the corrupted pilot subcarriers at Bob of Fast Frame Detection, all 4 candidates icsanqnuoittebecheaalsleilnyguinsged. Ffourrtchhearnmnoerlee,stthimesaetiopnilo(twseulbecaavreritehres Prob. 0 10 De2fa0ult Frame3 D0etection, 41s0t candidat5e0 SNR (dB) investigationofthisproblemtoafuturework). Moreover,wenotethatjammingtheLTSsafterjamming Fig. 11. Performance of different variants of frame detection vs. SNR the STSs strengthens the attack by further distorting the (simulations). channel estimation process. However, jamming the LTSs alone cannot lead to a subcarrier shift even though it in- thedurationsoft8 andt9.However,itisnotconstantwhen volves more jamming effort (8-µs duration on 48 subcarri- thechainingruleisapplied,anddependsonmV−1. ers) than jamming three STSs ( 3 µs on 12 subcarriers). ≤ Furthermore, withLTSs jamming,pilot subcarrierscan still 6.1 Simulations beusedtoestimatethechannelandcorrectanyresidualFO. We consider an AWGN channel model without signal at- ThesystemmodelinthispaperassumesasingleTx-Rx- tenuation. In our simulations, the SJR is normalized to pair (i.e., Alice and Bob, and hence their FO, are known). 
the energy of two full STSs. However, the chaining rule In the case of multiple Tx-Rx pairs, Eve can construct a results in a variable-length cyclic postfix extension, which database of the FOs between different Tx-Rx pairs. Bene- sometimes has a slightly higher sample power than the fiting from CSMA/CA channel access mechanism, Eve can averagesamplepoweroveranSTS. consider one transmissionat a time andthen leverage pro- tocol semantics (e.g., data-ACK exchanges)to guess the Tx 6.1.1 FrameDetectionandJammingDuration andRxofanupcomingtransmission.Furtherinvestigation ofthisissueisleftforfuturework. Initially, we assess the accuracy of our adaptive fast frame detectionmethodatEveandalsoitsimpactonthejamming duration.Eventhoughouradaptivedetectionmethoduses 6 PERFORMANCE EVALUATION a small window of L = 16 compared to L = 48 for the Inthis section,we evaluatetheeffectivenessoftheFOesti- default scheme, adapting ǫ based on finding V frame-start mation attackthrough simulations and USRP experiments. candidates increasesthe probabilityof preciseframe detec- We implemented the 802.11a/g preamble (including both tion even for the first candidate. This is shown in Fig. 11, short and long training sequences) by extending the PHY- where each probability is calculated based on more than layer library functions of LabVIEW. Alice appends 1500 25000 runs. By including additional V 1 candidate start − modulated random bits to the frame preamble.Pilot-based times, we further increase the probability of including the channel and FO estimation and channel coding were not true start time in V candidates, specially under high noise implementedtoconcentrateonthespecificeffectsoftheFO levels.ThechainingrulebenefitsfromV starttimesbecause attackon received uncoded bits. The impact of coding and it equally likely considers all the candidate start times to pilotsubcarrierswasdiscussedinSection5. constructthejammingsignal. 
WeassumethatBobusestheSTSst9 andt10,asdefined The jamming duration depends on mV−1 and the in Fig. 3, for coarse FO estimation, followed by fine FO es- amount of postfix extension. In Table 1, we report the av- timationusingLTSs.Channelestimationisperformed over erage index-distance betweenthe first andthe lastsamples the first LTS using the time domain method [13]. We first (mV−1) in the set of V start times when an STS contains evaluate the performance under a simulated AWGN chan- L = 16 samples. The table shows that even at low SNR, nel model and later in a multi-path indoor environment. the amount of cyclic extension due to the chaining rule (Moreresultsareprovidedin[19].)WevarytheSJR,theSNR is often less than half an STS. In particular, in 99.88% of (noiselevel),themodulationscheme,andEve’seffectiveFO, the cases, mV−1 8, which means the jamming duration ≤ denotedbyDeb.Inparticular,weconsiderBPSK,QPSK,and willbelessthan3.5λSTS or,equivalently,0.7ofanOFDM- 16-QAM modulation schemes. We measure ∆fs as well as symbolduration.A1500-bitBPSK-modulatedpayloadlasts finalestimatedFO,SER,andBER. g for 32 OFDM symbols, equivalent to 160λSTS. The dura- Wecomparethreecases:1)jammingthelastSTSswitha tions of 16-QAM-modulated and QPSK-modulated signals random signal(seeSection4.2.1),2)FOattackwithpairing of the same payload will be 40 and 80λSTS, respectively. rule only (V = 1 and L = 16 for frame detection), and 3) Sothe jammingeffort inoursimulationsisupperbounded theentireFOattackincludingthechainingrule,withL=16 by 2.0%, 3.5%, and 5.9% for BPSK, QPSK, and 16-QAM- andV = log L.Thepurposeofevaluatingthesecondcase modulated payloads, respectively. In general, an 802.11a 2 is to study the impact of the chaining rule. The jamming framelastsfor20 10−6+ (22+LENGTH)/DATARATE × ⌈ ⌉ duration for the second case is always equal to the sum of seconds [2], where LENGTH and DATARATE denote the 1536−1233 (c) 2015 IEEE. 
Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMC.2015.2456916, IEEE Transactions on Mobile Computing 10 0.6 o f)∆ f(normalizedto)∆ 00..240 f(normalizedto)∆ 0000....2345 wwRa// onc dhcoahmiani inFnignOg jammer O at Bob (normalized t 000...4681 ww// oc hcahianiinnigng g∆Ef[]s−−00..42 0 0.5ww// oc hcahianiinn1igng 1.5 2 g∆Ef[]s0.10 Estimated F 0.20 0 0.5 1 1.5 2 −50 −40 −30 −20 −10 Effective FO D (normalized to f) Effective FO D (normalized to f) eb ∆ Noise power (dBm) eb ∆ (a) Impact of the effective Eve-to-Bob FO (b)Impactofthenoiselevelontheperfor- (c) Impact of the effective Eve-to-Bob FO on theperformance ofthe coarse FOesti- manceoftheFOattack(SJR=1.59dBand ontheestimatedFOatBob(SJR= 1.3dB mation(SJR=1.59dBandSNR=25dB). Deb=1.52f∆). andSNR=25dB). d to f)∆ 1 1 0.5 malize 0.8 0.8 0.4 O at Bob (nor 00..46 wwRa// onc dhcoahmiani inFnignOg jammer SER00..46 BPSK BER00..23 BPSK F QPSK QPSK mated 0.2 0.2 16−QAM 0.1 16−QAM Esti 0 −0.5 0 0.5 1 1.5 2 2.5 00 0.5 1 1.5 2 00 0.5 1 1.5 2 SJR (dB) Effective FO Deb (normalized to f∆) Effective FO Deb (normalized to f∆) (d) Impact of SJR on the estimated FO at (e) SER performance for different modu- (f)BERperformancefordifferentmodula- Bob(SNR=25dBandDeb=1.52f∆). lation schemes (SJR = 1.59 dB and SNR tion schemes (SJR= 1.59 dB and SNR = =30dB). 30dB). Fig. 12. Performance of different variants of the FO attack and of random FO jammingunder different noise levels, Deb and SJR values, and modulationschemes.Thetransmissionpoweris0dBm.(simulationresults) encodedpayloadsize(inbits)andthedatarate,respectively. 
reducestheeffectivenessoftheattack,butthisincreasehas For a typical 802.11a frame [3], the jamming effort varies less impact when the chaining rule is applied. When the between0.07%and0.88%,dependingonthecodeanddata noise level is higher than 20 dBm, the gap between the − rates. This is 30% less than the effort of the OFDM symbol curvesbelongingtothetwomodesoftheFOattackiswider, jammingattackin[3]. showing that the chaining rule is more robust in highly noisychannels. SNR(dB) 5 10 15 20 25 30 When ∆ϕ > ∆ϕl,theLTSsroundthe estimatedFOto | | E(mV−1) 4.05 3.74 3.54 3.23 3.02 3.0 the nearestgmultiple of 2thl. Otherwise, LTSs try to round the FO to zero. In Fig. 12(c), we plot the average final TABLE1 AveragevalueofmV−1inthechainingrulefordifferentSNRlevels. estimated FO at Bob when SJR= 1.3 dB during the last three STSs and the noise level is 25 dBm throughout the − frame. The chainingrule improvesEve’s abilitytoshift the 6.1.2 FOEstimation subcarriers by one f . With respect to the SJR, we can ∆ Fig. 12(a) depicts the average ∆fs, measured after the observe in Fig. 12(d) that when Eve’e Deb is close to its corrupted STSs of 150 frames, whgen SJR= 1.59 dB, trans- optimal value, Eve is not able to guarantee a successful mission power is 0 dBm, and noise level is 25dBm. The attackwithout the chaining rule evenwiththe optimalSJR − horizontallinerepresentsthl,normalizedtof∆.Thechain- valueof1.5dB. ingruleimprovesthejammingeffectivenessandguarantees a range of effective FO values for which the attack is 6.1.3 ImpactoftheFOAttackonModulationPerformance successful (∆ϕ > ∆ϕl). When the chaining rule is not UnderarelativelyhighSNR(e.g.,30dBinoursimulations) applied, thegjamming attack is optimal at the optimal ef- and without the FO attack, the SER is very close to zero. fective FO derived in Section 4.4, but is still insufficient to TheFOattackimpactsboththechannelandFOestimations. 
passthethresholdbecauseofframedetectionerrors.When We measure the overall impact for different modulation the chaining rule with V candidates is applied, the maxi- schemesbymeasuringtheSERandBER.First,weconsider mum average ∆ϕ occurs later than the maximum for the the case when ∆ϕ < ∆ϕl and the LTSs are still able to no-chaining casge because of slightly higher power during correcttheFO.Ingthiscase,Bobtriestominimizetheerrorof postfix samples. Fig. 12(b) shows the effect of noise on the estimatinga channelphasorthat is supposedlyresponsible STS-based estimated FO when SJR= 1.59 during the last forthephaseshiftaccumulationsoverLTSsamples.Because three STSs and with Deb = 1.52f∆, a near-optimal value the phase shift ∆ϕ = 2π∆ft is linear in time, the best for this setup. The 90% confidence intervals are shown for estimateisaphasorthatequalstotheaveragephaseshifts. eachpoint.Theincreaseinframetimingerrorsduetonoise As long as ∆ϕ ∆ϕl (i.e., the resulting FO is still | | ≤ g 1536−1233 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.