Security Vulnerability and Countermeasures of Frequency Offset Correction in 802.11a Systems Hanif Rahbari, Marwan Krunz, and Loukas Lazos Department of.

Presentation transcript:

Security Vulnerability and Countermeasures of Frequency Offset Correction in 802.11a Systems
Hanif Rahbari, Marwan Krunz, and Loukas Lazos
Department of Electrical & Computer Engineering, University of Arizona
INFOCOM 2014

Jamming Wireless Communications
Jamming: intentional interference with radio transmissions
Jamming models: constant, random, reactive, frame-selective
Models differ in hardware, energy requirements, complexity, stealthiness, effectiveness
[Figure: Alice, Bob and Jay; frame with hdr and payload]
4/30/2014, INFOCOM 2014

Jamming Efficiency - Duration
Jamming duration (τ_j) for dropping a packet: a function of coding, data rate (modulation), interleaving, jamming power, …
τ_j: 10% - 20% of a frame, BER ~ 5% - 10%
τ_j: 0.5% of the frame, BER ~ 50%
Frequency Offset (FO) attack
- Targets the part of the preamble used for FO estimation
- Independent of coding scheme, data rate, etc.
[Figure: frame (hdr, payload) with the jamming duration τ_j marked]

Frequency Offset (FO) in OFDM Systems
Frequency Offset (FO): the difference in operating frequency between two devices
OFDM systems (802.11a/g/n, …) are very sensitive to FO
[Figure: frequency domain, OFDM subcarriers w/o FO (zero ICI) and w/ FO (non-zero ICI)]

802.11a Preamble
FO is estimated from the PHY preamble (publicly known)
Subcarrier spacing of STSs and LTSs: Δf_s = 4Δf (STS spacing), Δf_l = Δf (LTS spacing)
Related to the FO amount that can be corrected

FO Estimation (Noiseless)
[Figure labels: i-th sample r_i; same sample transmitted after t, r_{i+t}; conjugate r_i*; product r_{i+t} r_i*; phase offset; FO]

FO Estimation (Noisy)
Because of noise, the estimation is erroneous
: an estimate of in the presence of noise
To better estimate, a summation of ’s is used

FO Estimation Limits
Estimated phase offset is limited to
Estimated FO:
FO is unambiguous as long as δf ≤ 0.5 * subcarrier spacing
- STS can correct up to 2Δf
- LTS can correct up to 0.5Δf
Rx first uses STSs for coarse FO estimation (fewer samples)
LTSs are used for FO estimation refinement (more samples)
Δf_s = 4Δf (STS spacing), Δf_l = Δf (LTS spacing)

FO Estimation and Correction (Example)
An OFDM system with 4 subcarriers
1) Estimate using STSs
2) Estimate using LTSs
[Figure: Alice, Bob receiving; correct after STSs; correct after LTSs]

FO Estimation Attack
Principle: Alter the estimated FO beyond the correctable range of LTSs by jamming STSs
Phase differences as seen during STSs:
To correct FO after STSs
Jamming is successful if
Correctable phase offset range by LTSs

FO Estimation Attack (Example)
[Figure: Alice, Bob receiving; correct (STSs), correct (LTSs); subcarriers marked ✓ or x; ~0.5 BER]
Channel estimation errors due to large FO during LTSs
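The slides on FO estimation, its limits and the attack principle can be reproduced numerically. The following is an added example, not code from the presentation: it assumes the standard 802.11a numerology (20 MHz sampling, 64 subcarriers, training periods of 16 and 64 samples), uses randomly constructed periodic sequences in place of the real STS/LTS values, and models a corrupted coarse estimate with a hypothetical `coarse_error_hz` parameter.

```python
import cmath, math, random

FS = 20e6                    # 802.11a sample rate in Hz (assumed, not on the slides)
DELTA_F = FS / 64            # subcarrier spacing, 312.5 kHz
STS_LAG, LTS_LAG = 16, 64    # repetition period in samples (0.8 us and 3.2 us)

def make_periodic(period, repeats, rng):
    # Constructed stand-in for a training sequence, not the standard's STS/LTS values.
    base = [cmath.exp(2j * math.pi * rng.random()) for _ in range(period)]
    return base * repeats

def apply_fo(samples, fo_hz, noise_std, rng):
    # Rotate sample i by 2*pi*fo*i/FS, then add complex Gaussian noise.
    return [s * cmath.exp(2j * math.pi * fo_hz * i / FS)
            + complex(rng.gauss(0, noise_std), rng.gauss(0, noise_std))
            for i, s in enumerate(samples)]

def estimate_fo(rx, lag):
    # Sum conj(r_i) * r_(i+lag) to average out noise, then convert the phase to Hz.
    acc = sum(rx[i].conjugate() * rx[i + lag] for i in range(len(rx) - lag))
    return cmath.phase(acc) * FS / (2 * math.pi * lag)

def max_correctable(lag):
    # The phase is only known within [-pi, pi], so |FO| must not exceed FS / (2 * lag).
    return FS / (2 * lag)

def two_stage(true_fo, coarse_error_hz=0.0, noise_std=0.05, seed=1):
    # coarse_error_hz is a hypothetical knob standing in for any corrupted coarse estimate.
    rng = random.Random(seed)
    sts = apply_fo(make_periodic(STS_LAG, 10, rng), true_fo, noise_std, rng)
    coarse = estimate_fo(sts, STS_LAG) + coarse_error_hz
    # Correcting by `coarse` leaves this residual on the long training section.
    lts = apply_fo(make_periodic(LTS_LAG, 2, rng), true_fo - coarse, noise_std, rng)
    return coarse, coarse + estimate_fo(lts, LTS_LAG)

if __name__ == "__main__":
    for err in (0.0, 100e3, 250e3):
        coarse, final = two_stage(100e3, coarse_error_hz=err)
        print(f"coarse error {err/1e3:6.1f} kHz -> final error "
              f"{(final - 100e3)/DELTA_F:+.2f} subcarrier spacings")
```

A coarse error below 0.5Δf is absorbed by the refinement stage, while a larger one leaves the final estimate off by a whole number of subcarrier spacings, which corresponds to the "one shift forward" outcome in the experimental slides.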

Step 1: Impose a Desired Phase Offset
Use a jamming signal u with the same structure as STSs
For STS + jamming samples:
Terms: (1) scalar; (2) known phase; (3) unknown amplitude & unknown phase
Eve-Bob FO

Step 1: Impose a Desired Phase Offset (cont'd)
To control, the jammer first has to eliminate the effect of the channel-dependent term urY
Rearrange

Step 2: Elimination of Channel-Dependent Term
Define the second jamming sample u_2 as a function of the first sample u_1 to eliminate the effect of urY (pairing rule).
[Figure: preamble samples at the Tx]

Step 3: Selection of Injected Offset
B is simplified to one scalar and one complex variable with controllable phase
Multiply samples of u_i with any desired phase to inject desired offset at the Rx
For sample i of u_i -> Multiply with
is the additional FO to ensure obtains any desired value
Additional optimizations w.r.t. jamming power |u_i|^2

Evaluation (Simulations)
[Figure labels: estimated by STSs; BER after LTSs; corresponding constellation maps of data symbols]
- Correct bits (no demodulation error)
- Demodulated into wrong bits but possibly correctable
- Worst case: demodulated into wrong subcarriers: random bits

Final Remarks
We have demonstrated fast frame detection and accounted for timing imperfections:
We have optimized the attack w.r.t. jamming power
Demonstrated the FO attack on USRPs
Preliminary Defenses
- Sequence hopping (SH)
  - To estimate this FO, nonadjacent sequences (up to two STSs away) are sufficient
  - Randomly select two STSs from all the STSs
- Preamble obfuscation: modify the preamble structure at the Tx
  - Example: Tx artificially changes the FO of the preamble according to some pre-agreed rule, not known to the jammer

Frame Detection (Symbol Timing)
[Figure: 1st window, 2nd window]

Experimental Evaluation
NI-2921 USRPs
5 GHz band
Connection through Gigabit Ethernet NIC
[Figure: Eve, Alice, Bob]

Step 3: Optimizing the Jamming Power
[Figure: successful attack region; Eve to Bob FO]

Experimental Evaluation (cont'd)
d_eb: Eve-to-Bob to Alice-to-Bob distance ratio (equivalent to SJR)
Sequence Hopping (SH) is often successful in mitigating the FO attack
The jammer is successful even if he has a longer distance to the Rx
[Figure: estimated FO after LTSs; successful attack: one shift forward; successful attack: two shifts backward]

Step 4: Accounting for Synchronization Errors
[Figure: jamming seed]