Vulnerability and Protection of Channel State Information in MU-MIMO Networks1

Presented by

Abhijit MondalHaritabh SinghSuman MondalSubhendu Khatuya

Under the Guidance of

Dr. Sandip ChakrabortyAssistant ProfessorCSEDIIT Kharagpur

1 Yu-Chih Tung, Sihui Han, Dongyao Chen, and Kang G. Shin. 2014. "Vulnerability and Protection of Channel State Information in Multiuser MIMO Networks". In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14). ACM, New York, NY, USA

Agenda

• Introduction to MIMO• Beamforming in MU-MIMO• Attack Models• Sniffing Attack• Power Attack• Equal Power Allocation Scheme• Maximizing Throughput Scheme• Evaluation• Countermeasure• Conclusion

Introduction to MIMO

Fig. MIMO and its Benefits

Beamforming in MU-MIMO

Beamforming in MU-MIMO(Cont.)

● One Transmitter with N antennas● M receivers (clients), each with a single Antenna● hij :- The downlink CSI coefficient from the

transmitter’s j -th antenna to the i -th receiver .● H = [h1

T,h2T,............,hT

M]T is the full CSI (represented by a M x N matrix), where the i -th row vector hi represents the CSI of the link from the transmitter’s N antennas to the i -th receiver.

● The received signal y of transmitted signal x can be expressed as

y = Hx + n

● x = [x1,x2,.......,xN]T is the N x 1 vector represents the signals sent from the transmitter’s N antennas.

● y = [y1,y2,........,yM]T is M x 1 vector represents the signals received at M concurrent receivers.

● n = [n1,n2,......,nM] represents an additive noise with standard deviation σ1,σ2,.....,σM.

● Attack Models

Physical Layer Security

In terms of physical layer security it is proved that information will not be leaked to other concurrent receivers as each receiver only receives the message sent to itself.

Artificial noise(to have 15dB lower SNR than signal) is introduced to prevent other from sniffing .

All necessary computations are done in wireless communication chip so keeping data confidential in this way is minimal in MU-MIIMO.

General Attack Model

• The 2*2 MU-MIMO system model can be represented as :

• The received message at rxi

Assuminng second client as malicious the channel matrix perceived at transmiters will be

It is impossible to mislead the decoded signals at rx1 no matter how rx2 forges and report CSI.

The information of m1 is leaked to rx2 because CSI is falsely reported as f2 instead of h2.

Sniffing Attack• Packet sniffing allows individuals to capture data as it is transmitted over a network.

• The received signal at y2,contains a mixture of signals from m1 and m2.

We can assume m2 is already known to rx2 then rx2 can decode m1 via interference cancellation law.

Decoding the Sniffed Packets:

Selection Of Forged CSI

• Intutive Selection:• Maximize the sniffed SNR Minimizing

Heuristic Selection:

The forged CSI is selected as a weighted sum of genuine CSI as:

Power Attack

● Total amount of power available to the Access Point for transmission of data is fixed.

● The attack aims at getting the AP to divert more power towards the attacker or in other words, increasing its SNR.

● The attacker accomplishes this by providing a false representation of its CSI to the AP.

● The two most representative schemes of power allocation are EP (Equal Power) and MT (Maximizing Throughput)

● The attack involves the knowledge of attacker’s own CSI and the power allocation scheme followed by AP.

● Since the total power available to the AP is constant, the attack leads to a decrease in capacity of the other stations.

Attack based on EP(Equal Power) Scheme

● EP scheme of power allocation follows i.e., equal power allocation for all the stations.

● The attacker reports its CSI as i.e., a scaled version of its actual CSI with the scaling coefficient(w) < 1.

● The forged CSI leads the router to believe that the attacker suffers from heavy channel fading, thus leading to the AP increasing the power diverted towards the attacker.

● The forged CSI is in the same direction as the authentic CSI of the attacker, thus there is no interference due to other nodes which had their CSI orthogonal to the attacker’s authentic CSI.

Attack based on MT(Maximizing Throughput) Scheme

● EP scheme of power allocation follows i.e., maximizing total capacity subject to the total power constraint.

● The attacker reports its CSI as i.e., a scaled version of its actual CSI with the scaling coefficient(w) > 1.

● The forged CSI leads the router to believe that the attacker has good channel conditions, thus leading to the AP increasing the power diverted towards the attacker to maximize overall capacity.

● The forged CSI is in the same direction as the authentic CSI of the attacker, thus there is no interference due to other nodes which had their CSI orthogonal to the attacker’s authentic CSI.

Evaluation Setup

Sniffing Attack

BER and SNR of m1 sniffed by different

receiver when artificial noise is ¼ of

AP power

Message received by sniffing attack

Sent a grayscale bitmap image from

warp to rx1 and received by

different receiver.

Power Attack

Gain extra power/capacity by forge it won CSI.

Countermeasures

Countermeasures

Sniffing Attack

CSIsec

Countermeasures

Power Attack

Spatial dependency

Introduce randomness in protocol.

Not helpful in wireless network.

Discourage malicious client

Conclusion

● In this paper two possible attack (i.e sniffing attack and power attack ) is proposed and validated their possibility

THANK YOU