MIMO-based Jamming Resilient Communication in Wireless Networks

Qiben Yan, Huacheng Zeng, Tingting Jiang, Ming Li, Wenjing Lou, Y. Thomas Hou
Virginia Polytechnic Institute and State University, VA, USA; Utah State University, Logan, Utah, USA

Abstract

Reactive jamming is considered the most powerful jamming attack as the attack efficiency is maximized while the risk of being detected is minimized. Currently, there are no effective anti-jamming solutions to secure OFDM wireless communications under reactive jamming attack. On the other hand, MIMO has emerged as a technology of great research interest in recent years mostly due to its capacity gain. In this paper, we explore the use of MIMO technology for jamming resilient OFDM communication, especially its capability to communicate against the powerful reactive jammer. We first investigate the jamming strategies and their impacts on the OFDM-MIMO receivers. We then present a MIMO-based anti-jamming scheme that exploits interference cancellation and transmit precoding capabilities of MIMO technology to turn a jammed non-connectivity scenario into an operational network. Our testbed evaluation shows the destructive power of reactive jamming attack, and also validates the efficacy and efficiency of our defense mechanisms.

I. INTRODUCTION

Orthogonal frequency-division multiplexing (OFDM) has developed into a popular scheme for broadband wireless communications. Modern wireless communication systems, such as WLAN, digital TV systems and cellular communication systems, all adopt OFDM as one of the primary technologies. While OFDM systems are robust against multipath fading and have the ability to cope with severe interference and noise, they are not ideal for environments where adversaries try to intentionally jam communications.

Jamming has been a major denial-of-service attack to wireless communications. By intentionally transmitting jamming signals, adversaries can disturb network communications, resulting in throughput degradation, network partition, or a complete zero connectivity scenario. Reactive jamming is one of the most effective jamming attacks. A reactive jammer continuously listens for the channel activities, and emits jamming signals whenever it detects activities; otherwise it stays quiet when the sender is idle. This jamming strategy is considered most effective, stealthy, and difficult to deal with. The recent advance in the highly programmable software defined radio has made such sophisticated but powerful jamming attacks very realistic: [] demonstrated that a reactive jammer is readily implementable and the jamming results devastating. The increasingly severe hostile environments with advanced jamming threats prompt the development of security extensions to the OFDM systems.

Some recent works investigate and attempt to alleviate the impacts of jamming attacks to the OFDM systems. Han et al. [2] proposed a jammed pilot detection and excision algorithm for OFDM systems to counteract a narrow-band jammer that jams the pilot tones. Clancy et al. [3] further introduced a pilot nulling attack that minimizes the received pilot energy to be more destructive, and provided mitigation schemes by randomizing the location and value of pilot tones. However, they both focus on the pilot tone jamming attack, which requires knowing the pilot location and also demands very tight synchronization. Moreover, their defense mechanisms will fail to recover signals when all the OFDM subcarriers including the pilots are jammed, as in the case of reactive jamming attack.

On the other hand, multi-input multi-output (MIMO) technology has emerged as a key technology for wireless networks mostly due to its potential capacity gain. New wireless devices are equipped with a growing number of antennas. MIMO can be exploited to obtain diversity and spatial multiplexing gains, and lead to an increase in the network capacity. More importantly, recent advance in MIMO interference cancellation technique [4]-[6] has greatly enhanced MIMO communication capability. This inspires us to ponder the question: whether it is possible to exploit MIMO technology to devise anti-jamming techniques for OFDM systems, in particular against reactive jamming attack.

In this paper, we try to answer this question by first examining the jammer's capability in disrupting OFDM-MIMO communication, and then devising MIMO-based defense mechanisms by utilizing MIMO technology coupled with interference cancellation and transmit precoding techniques. We show that our design is able to restore admissible OFDM communication in the presence of reactive jammers at the expense of consuming available degrees-of-freedom (DoF) of MIMO links.

Although the problems of interference cancellation and jamming resistance are related, as both the interferer and the jammer will lead to undecodable signals at the receiver side, they have some significant differences: a) jamming signals are sent by malicious jammers deliberately, who can intentionally alter the jamming signals for their own benefits, while the interferers produce interference inadvertently; b) jammers can modify their signals much faster and more freely than interferers. Hence, jamming signals are much harder to track and remove than conventional interference.

Consequently, designing effective defense mechanisms faces several key challenges. First, different jammers transmit different types of jamming signals, and the receiver must cancel these jamming signals regardless of their signal structures. Second, since jammers are able to adapt their jamming signals in real-time, the defense mechanisms should be able to track their adaptations to guide the receiver's cancellation strategy. Finally, the defense mechanisms must be robust against the jammers who attempt to disrupt the receiver's cancellation scheme.

To meet these challenges, we propose a defense mechanism for resilient OFDM communication based on MIMO interference cancellation technique, which tracks the jamming signal's direction in real-time before canceling it out. We devise an iterative channel tracking mechanism to estimate the sender and jammer's channels alternately and iteratively in a timely fashion. More importantly, we introduce an enhanced defense mechanism leveraging signal enhance rotation technique, which strategically rotates the sender's signal to enhance the projected signal strength, resulting in an improved anti-jamming performance. Two main challenges in designing these mechanisms are: how to track the channels promptly, and how to feed back the rotation vectors reliably. In response, we deploy multiple pilots to facilitate channel tracking, while carrying out tactical interference cancellation to feed back messages.

The goal of this paper is to sustain operational OFDM systems in the face of reactive jamming attack. The contributions of this paper are two-fold:

First, we exploit the MIMO interference cancellation and transmit precoding techniques to counter reactive jamming attacks for securing OFDM wireless communications. We propose two novel mechanisms, iterative channel tracking and signal enhance rotation, to effectively sustain acceptable throughput under reactive jamming attack. Furthermore, our defense mechanisms can also defeat the pilot tone jamming attack as long as the preamble remains undistorted.

Second, we implement the jamming attack and defense mechanisms using USRP radios, and conduct extensive experiments to evaluate their performance. The experimental results show that in the presence of a reactive jammer, the packet delivery rate improves significantly using our enhanced defense mechanism.

II. PROBLEM FORMULATION

In this section, we present the system model, define the attack model and lay out preliminary knowledge of OFDM-MIMO networks.

A. System Model

We consider an adverse wireless environment with a jammer targeting the communication link established by a sender and a receiver. We consider the jammer as a common single-antenna device, who is capable of taking any attack strategy to be most destructive.

The frames in OFDM wireless communication have signal structures as shown in Fig. 1. A preamble is transmitted ahead of the data, which is used for signal acquisition, time synchronization and initial channel estimation. We assume the sender transmits when the jammer is not jamming, either by taking a random backoff between transmissions or by sensing jamming activity [7].

[Fig. 1: Reactive jammer starts jamming after certain reaction time. (P: Preamble)]

Let $P_{SR}$ and $P_{JR}$ be the received signal powers from S and J respectively. The signal-to-jamming ratio (SJR) at receiver R can be expressed as $P_{SR}/P_{JR}$, which determines the decoding performance. We do not consider the noise and interference, since they are negligible when compared to the jamming power.

B. Attack Model

There are three typical jamming attack models: 1) a constant jammer continuously transmits jamming signals to corrupt packet transmission. She has the capability of covering the whole frame structure, whereas her energy consumption is extremely high, rendering herself easily discoverable; 2) a random jammer is more energy-efficient, as she emits jamming signals at random time for a random duration. However, her jamming capability is limited, because of the small collision probability induced by her random behavior; 3) a reactive jammer is more effective, energy-efficient and stealthier [8], which is the main focus of this paper.

The key feature of the reactive jammer is sensing-before-jamming. There exists a reaction period before jamming takes place, which includes channel sensing and jamming initialization time. We assume the preamble of the transmitted frame remains undistorted by the jamming signal, as shown in Fig. 1, since the reactive jammer needs to detect the presence of the preamble before emitting the jamming signals. In addition, the jammer can transmit arbitrary signals without any signal structures, and she is also free to adapt the signal amplitude or phase in real time. However, we assume the jammer cannot perform full duplex communications, which disables her ability of sensing and jamming simultaneously.

C. OFDM-MIMO Preliminary

OFDM divides the spectrum into multiple narrow subbands called subcarriers. The receiver operates on each subcarrier, and applies FFT to the received signal for demodulation. This allows many narrowband signals to be multiplexed in the frequency domain, which greatly simplifies the channel estimation and equalization. In our system, two cellular phones acting as the sender and receiver try to establish OFDM communication in the presence of a reactive jammer, with the signals of interest as OFDM signals.

In a MIMO network, the spatial multiplexing gain can be represented by a concept called Degrees-of-Freedom (DoF), which is defined as the dimension of received signal space over which concurrent communications can take place [9]. DoF indicates the number of transmitted streams that can be reliably distinguished at the receiver.

[Fig. 2: 2 OFDM-MIMO link attacked by a Jammer]

Consider the MIMO link with DoF of two in Fig. 2. The signals ( x s x ) are transmitted concurrently through the channel H, and the received signals can be written as:

( y y 2 ) = ( s s )x s + ( )x, (1)

which live in a two-dimensional vector space corresponding to two receive antennas. In order to decode $x_s$, interference cancellation technique is utilized to remove the interference from x by projecting the received signals onto the subspace orthogonal to x (see Fig. 2), i.e., [, ], yielding the projected signal as:

y pro = y y 2 = ( s s)x s. (2)

After that, the projected signal can be decoded using any standard decoder. This interference cancellation technique is also called Zero-Forcing (ZF) technique. Note that estimating the jammer's signal direction is the core of the ZF decoder. From Fig. 2, we notice the projected signal is a scaled version of the original signal, indicating a loss of signal amplitude.

Footnote 1: Signal direction is determined by the received signal vector induced on the receive antenna array by the transmitted signal [9], which is defined in the antenna-spatial domain and not the I-Q domain.

Note that Eq. (1) assumes a narrowband channel, where (such as s,, etc) appears as a complex number. For wideband channels, signals at different frequencies will experience different channels, bringing so-called multi-path effects. As a result, will become a complex vector indexed by different frequency responses. However, in an OFDM-MIMO system, Eq. (1) holds for each OFDM subcarrier, such that ZF decoding is carried out over each subcarrier.

III. IMPACT OF REACTIVE JAMMING ATTACK TO OFDM-MIMO COMMUNICATIONS

We exploit MIMO technology to defend against reactive jamming attack in OFDM systems. In this section, we characterize the impact of the reactive jammer on OFDM-MIMO communications. For clarity, we will explain the jamming strategy in the context of a two-antenna receiver decoding a single transmission in Fig. 2. The sender and receiver form a 2 MIMO link with DoF of two, one of which will be consumed by the jammer. We conjecture that the receiver can process a concurrent data stream $x_s$ from the sender. According to Eq. (1), the received frequency-domain signals for each OFDM subcarrier i are shown below:

y i = i x i + si x si, (3)
y 2i = ix i + six si, (4)

where i, i, si and si are frequency version of channels at subcarrier i, and x i and x si are frequency-domain signals from jammer and sender. Note that the jamming signals need not be OFDM modulated, and can be wideband, which would be partitioned into multiple narrowband jamming signals contained in the OFDM subbands of the sender's signals. The recovery of the legitimate signal, implemented by the ZF mechanism, will be carried out for each subcarrier. Thus, the ZF mechanism is the key to the data recovery process, which would definitely become the target of the jammer. In order to see this point clearly, we reformulate Eqs. (3), (4) as follows (in the following, we omit the subscript notation i for the i-th subcarrier):

( y y 2 ) = H( )x + H( )x s, (5)

where H = [ s ] = [, s ] is the 2 2 channel matrix. The received signals are the sum of two vectors J r = H[ ] T x and S r = H[ ] T x s, as shown in Fig. 2. The angle (see footnote 2) between $J_r$ and $S_r$ is determined by and s, which will be exploited by the jammer to launch an effective attack.

Footnote 2: The angle between two received signal vectors is equal to the angle between two channel vectors, computed by cosθ = H s s. The angle's range is [0, π/2].

Attacking Zero Forcing Mechanism. In order to understand the attack strategy, we inspect three special cases in Fig. 3 with different received signal spaces. Undoubtedly, the most severe attack is depicted in Fig. 3(a), in which $J_r$ overlaps with $S_r$ in the received signal space, preventing $S_r$ from being recovered. On the contrary, the least powerful attack emits a jamming signal that is orthogonal to the legitimate signal, as shown in Fig. 3(b). In this case, the projected signal is equivalent to the original signal, yielding the highest projected signal amplitude. Fig. 3(c) shows the case between the above two extreme cases, when the angle of two received signals is a small value. The corresponding projected signal will have a signal amplitude that is too low to make itself recoverable. Therefore, the key idea of the attack strategy is to control the jamming signal direction in order to nullify the ZF mechanism.

[Fig. 3: Different two-dimensional received signal spaces. (a) Overlap case; (b) Orthogonal case; (c) Small angle case]

Clearly, the jammer's attack strategy is to shrink the angle between the jamming signal and the intended signal by exploiting the jammer's spatial location. In fact, the difference between s and deviates according to the distance between S and J []. More specifically, if the spacing between two antennas is narrower than a half wavelength, the channels from these two antennas will become highly correlated [9], which makes two received signal directions similar. Consequently, a smart jammer will simply attempt to approach the sender. In order to demonstrate the effectiveness of such an attack strategy, we perform an experiment with varying distances between the jammer and sender's antennas. The packet delivery rate (PDR) performance is shown in Fig. 4, from which we can see that when the antenna distance is below 6cm, no packet can be successfully delivered.

[Fig. 4: Jamming performance by exploiting spatial location (in this experiment, the device works on 2.45GHz central frequency with a half wavelength λ/2 = c/2f of 6.2cm). Axes: Packet Delivery Rate vs. Distance Between Two Antennas (cm).]

Antenna-Spatial Domain vs. I-Q Domain. The jammer has the option of varying the phase of the jamming signal, resulting in the same situation as having a frequency offset. The frequency offset causes the signal vectors to rotate in the I-Q plane. It may seem that the jamming signal will not have a constant phase offset to the signal of interest as shown in Fig. 3. This reasoning however is incorrect, since the received signal space of Fig. 3 is in the antenna-spatial domain and not the I-Q domain. The frequency offset only determines how the signal rotates in the I-Q domain, but only scales the direction of the signal vectors in the antenna-spatial domain by a complex number [4]. In other words, the jamming signal direction in the received signal space is unaffected by rotation in the I-Q domain, but instead is determined by the channels between the jammer and the receiver.

IV. DEFENSE MECHANISMS AGAINST REACTIVE JAMMING ATTACK

In this section, we propose effective MIMO-based defense mechanisms to counteract reactive jamming attack. We first present a defense mechanism based on interference cancellation technique. We propose to cancel arbitrary jamming signals by keeping track of the jamming signal direction, for which we develop an iterative channel tracking mechanism. Then, an enhanced defense mechanism is built by incorporating signal enhance rotation to make the OFDM-MIMO system more robust against smart jammers. As opposed to the attack strategy, which is to force shrinking the angle between two arrival signals, the defense mechanism attempts to expand the angle. We address two major issues in this section: 1) how to decode signals of interest in the presence of arbitrary jamming signals; 2) how to improve the robustness of OFDM communication against the reactive jammer.

A. Defense Mechanism Overview

We offer an overview of the proposed defense mechanisms in this section. A high-level flow chart is illustrated in Fig. 5, which shows both the defense mechanism and its enhanced version.

[Fig. 5: A flow chart of proposed defense mechanisms (solid box: modules of basic defense mechanism, dashed box: modules of enhanced defense mechanism). Box labels, sender and receiver sides: Angle Expansion; Jamming Detection; Initial Estimation of Hs; Compute Jammer's Channel Ratio and Cancel Jamming Signal; Decoding of Signal; Iterative Channel Tracking; Signal Transmission; Signal Enhance Rotation; Feedback Mechanism; Estimation of Hrs; Decoding of Feedback Signal.]

The defense mechanism is carried out wholly at the receiver side, which mainly includes angle expansion, signal decoding (Section IV-B), channel tracking (Section IV-B) and jamming detection (Section IV-C) modules. The angle expansion module aims at expanding the angle of arrival signals to make intended signals decodable. As long as the jammer fails to approach the sender, the channels s and will be uncorrelated, resulting in a random angle between $S_r$ and $J_r$. A random angle implies a high decoding rate, as shown below. In the physical SJR model, the transmission from a sender S is successfully received by receiver R under a simultaneous interfering transmission from a jammer J if:

$P_{SR} / P_{JR} \geq \gamma_R$, (6)

We assume the angle between the legitimate signal and the jamming signal is θ, so that SJR = P s s 2 sin(θ) P JRpro, where $P_s$ is the sender's transmission power. Substituting this expression into Eq. (6), we derive the threshold $\theta_t$, defined as the minimal angle required for successful reception: θ t = arcsin P JR pro γ R P s s 2. As long as the jammer fails to approach the sender, the angle will become a random number in [0, π/2] due to the channels' spatial and temporal variability. Hence, a successful attack rate of the jammer is given by $\theta_t / (\pi/2)$. Typically, P s s 2 P JRpro, which renders a small $\theta_t$, and thus a low successful attack rate or a high decoding rate. In our defense mechanism, we take advantage of the spatial retreat [] technique to get away from the jammer. Alternatively, the sender can also move randomly inside the receiver's reception range to avoid being approached by the jammer.

After clearing the way for the decoding process, signal decoding is then implemented using the ZF technique, based upon the channel tracking results. Meanwhile, the jamming detection module intends to detect the jamming attack promptly for triggering other modules' operations.

The enhanced defense mechanism (Section IV-D) involves more modules at both the sender and receiver sides, whose centerpiece is the signal enhance rotation module, for rotating the transmitted signal to improve the decoding rate. It also incorporates a feedback mechanism for instructing the sender's rotation process.

B. Decoding the Signal of Interest

According to Eqs. (2), (5), the ZF mechanism can be directly applied for decoding $x_s$ at each OFDM subcarrier, once the channel estimation of H = [, s ] is obtained. Initial estimation of s can be derived via analyzing the undisturbed preamble. However, since the initial estimation can only be used within the channel coherence time, tracking the channel estimation becomes a necessity. Moreover, because of the adaptive jammer's rapid reaction, one requirement of our scheme is to respond fast to the jammer's adaptation. Inspired by the ZigZag decoding technique [2], we devise an iterative channel tracking mechanism by jointly keeping track of both the sender and jammer's channel conditions in a timely manner. In the following, we first exhibit the jammer's channel estimation method, and then present the iterative mechanism for updating both channels iteratively.

Jammer's Channel Estimation. seems unreachable due to the randomness of the jamming signal structure (no known symbols). However, since the jamming signal x is not of interest to the receiver, we claim that the knowledge of is not necessary for decoding $x_s$. In fact, as stated in Section II-C, the only information required about the jamming signal for the ZF decoder is its signal direction, determined by channel vector = [, ]T. We observe the nice scale invariance property of signal direction, i.e., the direction of [, ]T is equivalent to that of [, ] T. Therefore, we only need to acquire the jammer's channel ratio.

The received signal is a mixed signal consisting of the sender and jammer's signals. If we can extract the jammer's signals J r = ( )x, we can derive the jammer's channel ratio by computing the ratio of received jamming signals on two receive antennas, since = x x . However, the reactive jammer guarantees the jamming attack happens immediately after the legitimate transmission, such that the jamming signal always intertwines with the legitimate signal, making it hard to separate them. Our solution is based on an intuition that if we purposefully let the jamming signal intertwine with pre-known signals, we are able to extract the jamming signal. In order to achieve this, we insert multiple pre-known symbols or pilots into the original data packets, and extend the frame structure as shown in Fig. 6. The pilots are inserted in the specified locations periodically in the packet. However, if the jammer learns the locations of the pilots, she can intentionally stop jamming during these pilot periods to avoid being tracked. Therefore, we assume both the sender and receiver agree upon a series of secret locations of pilots. Note that the extension of the frame structure causes limited overheads, which will be evaluated in Section VI-D.

[Fig. 6: Extended frame structure]

The basic idea for extracting the jamming signal is to subtract the received pilot from the received mixed signal. The subtracting step is widely studied and has been shown to work in practical implementations [2], [3]. It proceeds as follows:

1) after detecting the start of jamming (see Section IV-C), the receiver finds the locations of pilots;
2) received pilots are reconstructed using the known pilot symbol distorted by the estimated channel;
3) the constructed received pilots are subtracted from the jammed pilots to restore the jamming signal;
4) the extracted jamming signal is used to compute the jamming signal direction (jammer's channel ratio).

Iterative Channel Tracking Mechanism. Now, we delve into the details of the channel tracking mechanism. In order to update the channel estimation in a timely manner for tracking the jammer's adaptation, we will make use of multiple pilots from the extended frame structure in Fig. 6. Our mechanism is bootstrapped by initial channel estimation from the preamble. During the first pilot, we learn the jammer's channel ratio by reconstructing the received pilot using the initial channel estimation and subtracting it from the received mixed signal, as mentioned above. During the following pilots, if we continuously utilize the initial channel estimation to update the jammer's channel ratio and recover the data, eventually, this process will fail because of the expiration of the initial channel estimation. Therefore, we propose to update the sender's channel estimation and the jammer's channel ratio alternately and iteratively using multiple pilots.

The key observation is that the received signal is a mixed signal with two signal components. Without fixing one of them, we are not able to extract the other one. Therefore, we preserve the freshly estimated jammer's channel ratio for updating the sender's channel, while retaining the sender's recent channel estimation for tracking the jammer's channel ratio. We propose to update the sender's channel estimation during even-numbered pilots, and update the jammer's channel ratio during odd-numbered pilots. For example, during the second pilot, we keep the estimated jammer's channel ratio fixed, and rewrite Eq. (5) as follows:

( y y 2 ) = ( )x + ( s s)x s, (7)

where $x_s$ represents the known pilot signal. Then, we project the received signal onto the subspace [, ]. The projected signal is represented as:

y pro = y y 2 = ( s s)x s, (8)

from which we can update ( s s), consisting of two unknowns s and s. Then we use the previously estimated s to update s. Similarly, during the fourth pilot, we use this fresh s to update s, which implies that the sender's channel will be updated every other pilot.
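The pilot-subtraction estimate of the jammer's channel ratio, the zero-forcing projection of Section II-C, and the alternating odd/even pilot update described above, as an added example that is not the authors' implementation. The channel values, the names `hs`/`hj`, the one-pilot-per-block frame layout, the jammer gain, and the choice to refresh the first sender coefficient from the previous second one are assumptions made for illustration; the sketch is noise-free and covers a single subcarrier.

```python
import math
import random

# QPSK constellation with unit symbol energy.
QPSK = [complex(i, q) / math.sqrt(2) for i in (1, -1) for q in (1, -1)]


def slice_qpsk(z):
    """Hard decision: nearest constellation point."""
    return min(QPSK, key=lambda c: abs(z - c))


def receive(hs, hj, xs, xj):
    """One subcarrier seen by two receive antennas: y = hj*xj + hs*xs."""
    return (hj[0] * xj + hs[0] * xs, hj[1] * xj + hs[1] * xs)


def jammer_ratio(y, hs_est, pilot, floor=1e-9):
    """Odd pilots: subtract the reconstructed pilot and return hj1/hj2.

    The unknown jamming symbol cancels in the ratio, so only the jammer's
    direction is learned, never its waveform."""
    j1 = y[0] - hs_est[0] * pilot
    j2 = y[1] - hs_est[1] * pilot
    if abs(j2) < floor:  # no jamming energy on this pilot: nothing to track
        return None
    return j1 / j2


def project(y, ratio):
    """Zero-forcing projection; anything along the jammer's direction vanishes."""
    return y[0] - ratio * y[1]


def update_sender(y, ratio, pilot, hs_est):
    """Even pilots: hold the ratio, measure the projected gain hs1 - ratio*hs2,
    and refresh hs1 from it using the previous hs2 (assumed choice)."""
    gain = project(y, ratio) / pilot
    return (gain + ratio * hs_est[1], hs_est[1])


def zf_decode(y, ratio, hs_est):
    """Decode one data symbol; fall back to antenna 1 if no jammer was seen."""
    if ratio is None:
        return slice_qpsk(y[0] / hs_est[0])
    gain = hs_est[0] - ratio * hs_est[1]
    return slice_qpsk(project(y, ratio) / gain)


def channel_angle(hs, hj):
    """Angle in [0, pi/2] between sender and jammer channel vectors
    (standard Hermitian angle, assumed to match the page's footnote)."""
    inner = abs(hj[0].conjugate() * hs[0] + hj[1].conjugate() * hs[1])
    norms = math.hypot(abs(hs[0]), abs(hs[1])) * math.hypot(abs(hj[0]), abs(hj[1]))
    return math.acos(min(1.0, inner / norms))


def run_frame(track=True, seed=7, blocks=6, block_len=20, jam_gain=10.0):
    """Simulate one jammed frame; returns (zf_errors, naive_errors, symbols)."""
    rng = random.Random(seed)
    hs = [complex(0.9, 0.2), complex(-0.3, 0.7)]    # constructed sender channel
    hj = (complex(-0.2, -0.6), complex(-0.8, 0.4))  # constructed jammer channel
    pilot = QPSK[0]
    hs_est = (hs[0], hs[1])  # initial estimate from the unjammed preamble
    ratio, zf_errors, naive_errors, total = None, 0, 0, 0

    def jam():  # arbitrary, unstructured jamming symbol
        return jam_gain * complex(rng.gauss(0, 1), rng.gauss(0, 1))

    for block in range(1, blocks + 1):
        if block == 4:
            # Constructed channel change just before an even pilot. The same
            # change before an odd pilot would corrupt the ratio estimate,
            # hence the requirement that pilots sit within the coherence time.
            hs[0] *= 1j
        y = receive(hs, hj, pilot, jam())
        if block == 1 or (track and block % 2 == 1):
            est = jammer_ratio(y, hs_est, pilot)
            ratio = est if est is not None else ratio
        elif track and ratio is not None:
            hs_est = update_sender(y, ratio, pilot, hs_est)
        for _ in range(block_len):
            xs = rng.choice(QPSK)
            y = receive(hs, hj, xs, jam())
            total += 1
            zf_errors += zf_decode(y, ratio, hs_est) != xs
            naive_errors += slice_qpsk(y[0] / hs_est[0]) != xs
    return zf_errors, naive_errors, total


if __name__ == "__main__":
    print("tracking on :", run_frame(track=True))
    print("tracking off:", run_frame(track=False))
```

With tracking disabled the receiver keeps the preamble estimate for the whole frame, so every symbol after the channel change is decoded into the wrong quadrant even though the jamming itself is still cancelled.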
Similarly, we can update the jammer's channel ratio using the sender's recent channel estimate, since y x s s = y 2 x (derived s s from Eq. (7)). During the odd-numbered pilots, the jammer's channel ratio is kept updated using the jammer's channel estimation method to ensure correct decoding of the signal of interest. In fact, we can express the signal of interest by replacing the known pilot signal in Eq. (8) as:

x s = y y 2, (9) s s

which shows that as long as ( s s) and are precisely updated, the signal of interest can be correctly recovered. Note that this mechanism is reasonable only if two consecutive pilots stay within the channel coherence time, which means the jammer's channel gets updated in a very short period, enabling the defense mechanism to track the jammer's agile adaptation.

Fig. 7: Soft error vector in QPSK constellation

Inter-Symbol Interference Issue. Another practical issue with the wideband jamming signal is that it suffers from multipath effects, which lead to inter-symbol interference (ISI). ISI of the jamming signal imposes additional noise on Eq. (5). In response to ISI, we average our channel tracking results derived from multiple pilots to mitigate its negative effects. Although channel estimation becomes more accurate, ISI still reduces the SNR of the intended signal. To address the ISI issue, we must directly investigate the time-domain signal, since ISI is inherently a time-domain phenomenon. We apply the method in [5] to deal with ISI, i.e., we convolve the received time-domain signal with a filter obtained by taking the IFFT of the jammer's channel ratio to cancel out the ISI and the jamming signal simultaneously. The signal of interest can then be decoded using a standard decoder.

C. Detecting the Jamming Signal

As mentioned above, the receiver needs to detect the start and termination of jamming. The jamming detection problem has been studied in [7], in which constellation diagrams are employed to identify jammed bits. We follow the same principle.
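A sketch of this section's detector on a QPSK stream, as an added example that is not the authors' code: it computes the soft error normalized by the minimum constellation distance and flags jamming when the jump exceeds the threshold of 2 used on this page. Taking the jump relative to the mean soft error of a short window of preceding un-jammed symbols, and requiring three consecutive normal symbols before declaring the end, are assumptions of this example; the symbol stream is constructed.

```python
import math

# Added illustration. QPSK points on the unit circle; D_MIN is the distance
# between adjacent points and normalizes the soft error.
QPSK = [complex(i, q) / math.sqrt(2) for i in (1, -1) for q in (1, -1)]
D_MIN = math.sqrt(2)
GAMMA_V = 2.0          # detection threshold stated on the page

def soft_error(sym):
    """Distance from the received symbol to the nearest point, normalized."""
    return min(abs(sym - c) for c in QPSK) / D_MIN

def detect_jamming(symbols, window=8, hold=3, gamma=GAMMA_V):
    """Return [(start, end)] symbol-index intervals (end exclusive).

    Assumptions of this example: the jump value is the current soft error
    divided by the mean soft error of the last `window` un-jammed symbols,
    and jamming ends after `hold` consecutive symbols back below gamma.
    """
    baseline, intervals = [], []
    start, calm = None, 0
    for k, sym in enumerate(symbols):
        err = soft_error(sym)
        if len(baseline) < window:          # still learning the normal level
            baseline.append(err)
            continue
        ref = sum(baseline) / len(baseline)
        if ref > 0:
            jumped = err / ref
        else:
            jumped = math.inf if err > 0 else 0.0
        if start is None:
            if jumped > gamma:
                start, calm = k, 0          # jump detected: jamming starts
            else:
                baseline.pop(0)             # slide the un-jammed window
                baseline.append(err)
        elif jumped > gamma:
            calm = 0                        # still jammed, baseline frozen
        else:
            calm += 1
            if calm == hold:                # back to normal for `hold` symbols
                intervals.append((start, k - hold + 1))
                start = None
    if start is not None:
        intervals.append((start, len(symbols)))
    return intervals

# Constructed sample input: small receiver noise everywhere, a strong added
# offset on symbols jam_from..jam_to-1.
NOISE = [0.04 + 0.02j, -0.03 + 0.05j, 0.02 - 0.04j, -0.05 - 0.01j, 0.03 + 0.03j]
JAM = [0.45 - 0.30j, -0.35 + 0.50j, 0.40 + 0.40j, -0.50 - 0.25j]

def constructed_stream(n=55, jam_from=20, jam_to=35):
    out = []
    for k in range(n):
        sym = QPSK[k % 4] + NOISE[k % 5]
        if jam_from <= k < jam_to:
            sym += JAM[k % 4]
        out.append(sym)
    return out

if __name__ == "__main__":
    print(detect_jamming(constructed_stream()))
```

The start index is what triggers pilot extraction at the receiver; the end index is what lets it fall back to normal decoding.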
The soft error vector is used as the detection metric, defined as the distance vector between the received symbol vector and the nearest constellation point in the I/Q diagram, as shown in Fig. 7. The soft error is further normalized by the minimum distance of the constellation. We assume the normalized soft error vector is V k for the k-th received symbol; then the jamming detection metric is defined as V k / V k at the k-th symbol time, which is called the jumped value. A jamming attack is assumed to start when V k / V k > γ v, where γ v is a pre-defined threshold for jamming detection. The jamming attack stops if the jumped value returns to normal. In our design, we consider a jump that is higher than doubling the errors as a potential jammer, so that γ v = 2.

D. Enhanced Defense Mechanism

Although the signal of interest can be decoded using the above defense mechanism, the signal after projection will have a reduced amplitude, which will affect the throughput performance, as pointed out in [5], [4] and also shown in Fig. 2. This motivates us to build an enhanced defense mechanism that raises the amplitude of the projected signal, so as to achieve a more robust OFDM communication against smart and adaptive jammers. The key idea is to rotate the sender's signal to make it orthogonal to the jamming signal. This mechanism works for a multi-antenna sender, but we focus on a 2×2 link for ease of explanation. For a 2×2 MIMO link, the received two-dimensional signal can be represented as:

( y y 2 ) = x + H s ( )x s, ()

where denotes a two-dimensional channel vector from J to R, and H s is the 2×2 channel matrix from S to R. Since the jammer consumes one DoF, the two-antenna sender is allowed to transmit one OFDM data stream, as seen from Eq. (). We exploit the property of MIMO communication that lets the sender control the vector along which the signal is received [4]. In Eq. (), instead of multiplying by the vector [ ] T, MIMO allows the sender to multiply by a different two-dimensional vector r, which we call the rotation vector. After that, the sender transmits the two elements of r x s, one over each antenna, and the receiver receives H s r x s. In this way, the sender is able to control the received signal vector.

Constraints on Rotation Vector. After signal rotation, the received signal can be represented as: ( y y 2 ) = x + H s rx s, with a 2×2 channel matrix between S, J and R as H = {, H s r}. Since H should remain a full-rank matrix in order to keep x s decodable, one constraint on r is that it cannot reduce the rank of the channel matrix. In addition, we have P SR = P s H s r 2 and P JR = P 2, where P s and P are the sender's and jammer's transmission powers. From the above formulas, we notice that different r will induce different SJR, which will in turn affect the decoding performance. Therefore, in this work, we set r as a unit vector, i.e., r =, such that P SR is confined to a reasonable range. Specifically, r can be set to rotate the received legitimate signal so that it overlaps with the jamming signal, if H s r = .
On the other hand, r can also turn the received legitimate signal to be orthogonal to the jamming signal, if H s r =, i.e., r = H s, where stands for the orthogonal vector of. This is the key idea of our signal enhance rotation technique.

Signal Enhance Rotation Mechanism. In a 2×2 MIMO link, signal rotation can be achieved by simply multiplying the transmit signal by r = H s = H s [, ] T. Note that both H s and can be derived using the channel tracking mechanism in Section IV-B. After signal rotation, the received legitimate signal is orthogonal to the jamming signal, yielding the largest projected signal amplitude. We therefore name this mechanism signal enhance rotation. However, signal enhance rotation happens at the sender side, while channel estimation is performed at the receiver side. Therefore, we need to feed back the rotation vectors from the receiver, which is achieved by piggybacking the rotation vectors on the ACK information for each packet. To facilitate signal enhance rotation, we define a burst as a consecutive sequence of packets, shown in Fig. 8. During each burst, the sender continuously carries out signal enhance rotation using the feedback information if the jammer is found active. To reliably feed back rotation vectors in the presence of a reactive jammer, we develop a feedback mechanism as follows.

Fig. 8: Burst of packets

Feedback Mechanism. We now present a feedback mechanism resembling the forward transmission. The feedback frame is formulated using the frame structure in Fig.. Since the feedback information is rather short, we do not need to track the channel using the extended frame structure. The same interference cancellation technique can be employed to decode the feedback information at the sender, although the roles of the sender and receiver are reversed. However, besides the reversed roles of S and R, another key difference exists between the feedback and forward transmissions.
Recall that in the forward transmission, preambles are used for the bootstrapping process and are not supposed to be destroyed. But during the feedback transmission, if the jammer is continuously jamming during a burst, both the forwarding packets (except the first one) in the burst and the feedback packets will be completely covered, leading to a breakdown of the bootstrapping process. To address this issue, we try to identify the jammer's isolated transmission. Let us first focus on the feedback packets covered by the jamming signal. In this case, the jamming signal is transmitted ahead of the feedback signal, leaving the opportunity to capture the jammer's isolated transmission, from which the sender can compute the jammer's channel ratio s by taking s the ratio of two jamming signals received on her two antennas y s = s x s and y s2 = s x s. Then, the sender uses the jammer's channel ratio to cancel out the jamming signal and find the preamble to estimate the feedback channel, which can be used for signal decoding. Similarly, the receiver can use the same mechanism to recover the forwarding packets, including: computing the jammer's channel ratio, finding the preamble, estimating forward channel s and decoding the signal. Therefore, as long as the preamble of the first packet in a burst is not jammed, the defense mechanism should succeed.

Two points are worth noting. First, the reactive jammer may stop jamming at any time during a burst. Therefore, during the feedback period, the sender carries out two methods simultaneously to decode the feedback information. The first method performs interference cancellation by assuming jamming is on, while the second method performs normal decoding by assuming jamming is off. Based on the decoding results, the sender learns the jammer's status (on/off) and decides whether she will perform signal enhance rotation for the next packet. Second, the feedback information should be received in a timely fashion, i.e., once the channel estimation expires, the rotation vector will no longer be effective. In our design, the sender counts the feedback time to determine whether to apply signal enhance rotation.

E. Other Types of Jammers

In this section, we briefly discuss the impact of constant jammers and random jammers on our defense mechanisms. A constant jammer can cover all the packets including their preambles, which will certainly disable our defense mechanisms. However, constant jamming is impractical due to its enormous energy consumption. A random jammer randomly alternates between jamming and sleeping. We investigate the jammer's probability of covering preambles, and present the modifications to the defense mechanisms. First, let us assume both the jamming and sleeping periods are uniformly distributed within [, 2]ms with an average of ms, thus the random jammer starts jamming with a probability of /2. We further assume the preamble length is ms, and one burst lasts for ms with a 4ms inter-burst idle interval. Then, the probability of covering the preamble of the first packet / (5 )/ in the burst can be easily written by: 2.. One can further reduce the probability by introducing a longer burst or burst interval, which makes the preamble distortion a small-probability event. As long as the first preamble avoids getting jammed, our defense mechanism is functional. Second, the jamming detector can identify the start and end of jamming attacks promptly. We then modify our defense mechanism to perform normal processing when the jammer is sleeping and to conduct interference cancellation within her jamming duration.

F. Discussion

Our defense mechanisms can enable reliable OFDM communication in the presence of a powerful single-antenna reactive jammer.
Extending to a network with multiple jammers, the defense mechanism should succeed in canceling jamming signals as long as different jammers operate on different spectrum bands or transmit in different time slots, since the cancellation is carried out for each OFDM subband at one time. In addition, our defense mechanism defeats multi-antenna jammers that transmit the same jamming signal over all antennas, because they can be regarded as single-antenna jammers with aggregated channel state information. However, multi-antenna jammers sending multiple jamming streams are more destructive to OFDM-MIMO networks, since they can deplete the DoF of MIMO links. Our anti-jamming solutions are not effective in cancelling out multiple jamming streams without any frame structure. However, there is no available solution in the literature that provides jamming-resistant communication under multi-antenna jammers with multiple jamming streams. We leave it for our future research.

V. IMPLEMENTATION

We build a prototype using five USRP-N2 radio platforms [5] and the GNURadio software package. Each USRP board is equipped with one XCVR245 daughterboard operating on 82. spectrum. The MIMO cable allows two USRP devices to share a reference clock and achieve time synchronization by letting the slave device acquire its clock and time reference from the master device. By connecting two USRP boards with a MIMO cable to act as one MIMO node, we build a 2×2 MIMO system using four USRP boards. Each MIMO node runs an 82.-like PHY layer protocol using OFDM technology with 64 OFDM subcarriers. The MIMO system works with various modulation types, while we use BPSK for legitimate communication in our experiments. We configure each USRP to span M Hz bandwidth by setting both the interpolation rate and decimation rate to. The ZF technique is implemented at the receiver to recover the signals of interest. We also implement the decoding mechanism incorporating signal enhance rotation at both the sender and receiver sides.
The jammer is implemented using another USRP device. To defend against a jamming attack, the receiver first estimates the sender's channel and the jamming signal direction, then uses the ZF mechanism to eliminate the signals from the jammer. Meanwhile, the receiver computes the rotation vector and transmits it back to the sender for signal enhance rotation. The sender checks whether it is still within the channel coherence time since its last transmission; if it is, the sender applies the rotation vector to its newly generated symbols and sends the rotated elements through two antennas. We set the transmission power of both the sender and jammer as mw. In our implementation, we emulate reactive jamming and the jammer's sensing process by letting the receiver broadcast a trigger signal. Both the jammer and sender record the timestamp of detecting the trigger t trig, then the sender sets its beginning time of transmission as t send = t trig + t, and the jammer sets its jamming start time as t jam = t trig + t 2. Then, the reactive jammer's reaction time is equivalent to (t 2 t ).

VI. EVALUATION

In this section, we demonstrate the ability of the jammer to disable the ZF mechanism by managing the received signal directions, and we also evaluate the performance of our defense mechanisms in an indoor lab environment. In our experiments, we first show how the received signal direction affects the packet delivery performance. Then, we present our measured channel coherence time in the indoor environment and discuss how it affects the performance of our defense mechanism. Finally, we present the performance of the jamming attack and the defense mechanisms under different bandwidth settings.
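The rotation vector of Section IV-D that the receiver computes and the sender applies, as an added example (not the authors' GNURadio code). It assumes r is the unit-norm vector along the inverse of the sender's channel matrix applied to a vector orthogonal to the jamming direction; the channel values `HS` and `HJ` and all function names are constructed for illustration.

```python
import math

# Added illustration. HS is a constructed 2x2 sender-to-receiver channel
# matrix and HJ a constructed jammer-to-receiver channel vector.
HS = ((0.9 + 0.2j, 0.3 - 0.5j), (-0.4 + 0.6j, 0.7 + 0.1j))
HJ = (0.5 - 0.4j, 0.8 + 0.1j)

def matvec(H, v):
    return (H[0][0] * v[0] + H[0][1] * v[1], H[1][0] * v[0] + H[1][1] * v[1])

def inverse(H):
    det = H[0][0] * H[1][1] - H[0][1] * H[1][0]
    if abs(det) < 1e-12:
        raise ValueError("sender channel matrix is singular")
    return ((H[1][1] / det, -H[0][1] / det), (-H[1][0] / det, H[0][0] / det))

def inner(u, v):
    """Hermitian inner product u^H v."""
    return u[0].conjugate() * v[0] + u[1].conjugate() * v[1]

def norm(v):
    return math.hypot(abs(v[0]), abs(v[1]))

def unit(v):
    n = norm(v)
    return (v[0] / n, v[1] / n)

def orthogonal(h):
    """A vector w with w^H h = 0."""
    return (-h[1].conjugate(), h[0].conjugate())

def rotation_vector(Hs, hj):
    """Unit-norm r such that Hs r points orthogonal to the jamming direction."""
    return unit(matvec(inverse(Hs), orthogonal(hj)))

def angle_deg(u, v):
    """Angle between two received signal directions, in [0, 90] degrees."""
    c = min(1.0, abs(inner(u, v)) / (norm(u) * norm(v)))
    return math.degrees(math.acos(c))

def retained_fraction(Hs, r, hj):
    """Share of the received legitimate amplitude that survives projecting
    the received vector onto the direction orthogonal to the jammer."""
    s = matvec(Hs, r)
    return abs(inner(unit(orthogonal(hj)), s)) / norm(s)

def decodable(Hs, r, hj):
    """Rank constraint from the text: [hj, Hs r] must stay full rank."""
    s = matvec(Hs, r)
    return abs(hj[0] * s[1] - hj[1] * s[0]) > 1e-9 * norm(hj) * norm(s)

if __name__ == "__main__":
    candidates = {
        "no rotation": unit((1, 1)),
        "rotated": rotation_vector(HS, HJ),
        "overlapping": unit(matvec(inverse(HS), HJ)),   # violates the constraint
    }
    for name, r in candidates.items():
        s = matvec(HS, r)
        print(f"{name:12s} angle={angle_deg(s, HJ):5.1f} deg  "
              f"retained={retained_fraction(HS, r, HJ):.3f}  "
              f"decodable={decodable(HS, r, HJ)}")
```

For these constructed channels the unrotated signal arrives about 26 degrees from the jammer and keeps roughly 44% of its amplitude after nulling, while the rotated signal arrives at 90 degrees and keeps all of it.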

Fig. 9: Packet delivery rate performance with different angles between two clients (x-axis: angle between two clients in degrees; y-axis: packet delivery rate)

Fig. : Autocorrelation of channel phase in an indoor environment (with 5KHz bandwidth) (x-axis: number of OFDM symbols; y-axis: normalized autocorrelation value)

A. Impact of Received Signal Direction

We argued in Section III that the angle between two received signal directions affects the ZF decoding performance. In this section, we show the packet delivery performance with respect to different angles. We set up two clients synchronized by a MIMO cable, together with a two-antenna receiver. The two clients then transmit different streams to the receiver, and the receiver uses the ZF mechanism to decode the streams. We have mentioned that the signal direction is determined by the channels between the transmitter and the receiver. Although the channel evolves over time, we observe that the angle remains relatively stable for the time being, once the locations of the clients and receiver are fixed. Then, we change the locations of the clients and receiver to measure the packet delivery performance when the two received signals have different angles. We keep the distance from the clients to the receiver fixed, so that the performance variation among different cases is mainly induced by different angles, rather than different path losses. We show the performance measurement in Fig. 9, from which we can see that the angle between two received signals indeed affects the packet delivery performance significantly. The major observation is that PDR deteriorates to below 2% once the angle becomes smaller than 2, while PDR rises above 9% once the angle grows greater than 6. This result confirms our analysis.

B. Impact of Channel Coherence Time

The channel coherence time determines how often the channel estimation should be updated and the validity period of the rotation vector.
In this section, we measure the channel coherence time in the indoor environment. We let a sender transmit consecutive known OFDM symbols following a preamble to track the channel variation. The receiver uses these known OFDM symbols to estimate the channel coefficients, and examines how long the channel from the sender to the receiver remains correlated. Each channel coefficient is a complex number with amplitude and phase. We investigate multiple subcarriers over several rounds. Fig. shows the autocorrelation of channel phase over multiple subcarriers. The channel phase correlates over multiple OFDM symbols before it becomes uncorrelated (i.e., the normalized autocorrelation value is below zero). The number of correlated OFDM symbols varies with subcarriers, with an average of 33. On the other hand, the channel amplitude stays more stable over multiple OFDM symbols; its autocorrelation value shows correlation over 5 OFDM symbols. Therefore, the channel coherence time is nearly 33 OFDM symbols or 8.5ms, i.e., we need to update the channel estimation at least every 3 OFDM symbols, nearly 2 bytes under 5KHz bandwidth, or nearly 4 bytes under M Hz bandwidth. Consider the 5KHz bandwidth case: as we update the channel estimation every other pilot in Section IV-B, we need to insert pilots at least once every bytes of data. This result also tells us that the rotation vector takes effect during the 33 OFDM symbols. After the channel coherence time, the rotation vector expires. Note that during the jammer's channel estimation in Section IV-B, we assume the jammer's channel stays static during the channel coherence time. However, a mobile jammer has the ability to change her channel condition. Referring back to Fig. 4, we notice that a cm distance change will bring a dissimilar channel, i.e., if the jammer moves cm within the channel coherence time, not only will the jammer's channel estimation be inaccurate, but the jammer can also vary her signal directions in real time to nullify the channel tracking.
However, in this case, the jammer would have to move at a speed of at least .8 = 2.5m/s, or equivalently 45km/h, making it extremely difficult to target a specific MIMO link. Reducing the pilot interval is a remedy against a high-speed jammer.

C. Jamming Attack and Defense Performance

In this section, we evaluate the performance of the jamming attack and our defense mechanisms. In the experiment, we place the sender, jammer and receiver at different locations, and repeat the experiments for times under seven different cases respectively (approximately 4-8 meters between sender and receiver, 3-8 meters between jammer and receiver), with the average PDR as the performance criterion. We first present the jamming performance against the 2 link in Fig. , from which we can see that the PDR drops to zero in almost all seven cases. This result shows that the reactive jammer can throttle communication completely. Then, we perform experiments in 2×2 OFDM-MIMO networks, with one jamming antenna. Fig. 2 plots the PDR performance of one transmit antenna under different bandwidth settings. This figure shows that the jammer is very effective in degrading packet delivery performance in OFDM-MIMO networks, as none of the packets gets through using the traditional MIMO decoding method. In contrast, using our defense mechanism without signal enhance rotation, the signals from the jammer can be canceled out by estimating her signal directions. Therefore, the PDR under 5KHz bandwidth can stay higher than 3%, with the exact value depending on the estimation accuracy and the angles between the signals from the jammer and the sender. We notice that the performance varies a lot across different cases using the defense mechanism. We further improve the performance using signal enhance rotation. From both figures, we notice that the packet delivery performance becomes more stable and significantly higher than in the case without signal enhance rotation, with more than 6% PDR under 5M Hz bandwidth and more than 4% PDR under M bandwidth. Thus, we conclude that signal enhance rotation helps sustain more robust OFDM communication. From Fig. 2(a) to Fig. 2(b), we observe that the packet delivery performance becomes worse when the transmission bandwidth expands. That is because higher data rate transmission is more sensitive to interference and noise in the environment.

D. Overhead Analysis

We analyze the overhead for both the pilots and the feedback information. As mentioned in Section VI-B, we insert one pilot symbol every 5 OFDM data symbols. Therefore, the pilots take nearly 6% of the whole packet. On the other hand, the feedback message includes 48 rotation vectors, one for each subcarrier in our setting. In order to reduce the feedback size, instead of returning all 48 vectors, it is sufficient to respond with 2 vectors, since the channels for consecutive subcarriers are very similar. Again, the direction of vector [v, v 2 ] is equivalent to [, v 2 v ], thus we can reduce the number of elements in a vector to one complex number. The overall feedback overhead adds up to 24 bytes, or 4 OFDM symbols.
Therefore, the feedback information is also very short, taking only a few OFDM symbols.

VII. RELATED WORK

Jamming Attack and Defense Mechanisms. Powerful reactive jamming has aroused the interest of many researchers. For instance, [] demonstrates the feasibility of reactive jamming using software-defined radios. [8] proposes a detection mechanism to unveil reactive jammers in sensor networks. [6] investigates the impact of reactive smart jamming attacks on IEEE 82. rate adaptation algorithms. Recent studies consider more powerful wideband and high-power jamming attacks [7], [7]. However, both of them only support low data rate communication. Besides that, both of these defense mechanisms only work for conventional wireless communications that are not OFDM-based. In [8], Vo-Huu et al. propose a mechanical beamforming scheme and a digital interference cancellation algorithm to cancel high-power jamming signals. However, they can only deal with static attackers and require additional hardware costs, while our mechanism is purely digital and is capable of dealing with mobile attackers as long as the channel estimation is accurate. Further, they only focus on non-OFDM systems. In the context of jamming-resilient OFDM/MIMO networks, Rob Miller et al. [9] study various jamming attacks that disrupt MIMO communication by targeting its channel estimation procedure. Specifically, the adversary interferes with the preambles or pilots to make the sender and receiver perform false estimation. In similar essence, [2], [3] study the pilot tone jamming attack. However, it is extremely difficult for the adversary to synchronize her transmission with the legitimate sender during the short channel sounding period, while this paper focuses on a more practical reactive jamming attack.

Interference Cancellation Mechanisms. Research efforts in the interference management area have developed novel interference cancellation techniques to improve the network throughput [4], medium access protocol [6] and robustness [5] of MIMO networks.
The most relevant work is [5], which enables MIMO communication under high-power cross-technology interferers. Yet, our work differs significantly: 1) we consider smart jammers, who can adapt their attack strategy to be more destructive, while interferers are unintentional; 2) their channel estimation methods require averaging over multiple OFDM symbols, which is not applicable for tracking the jammer's channel due to the jammer's fast adaptation, while we insert pilots into known locations to jointly track the sender's and jammer's channels in a prompt manner.

VIII. CONCLUSION

OFDM is one of the most widely adopted wireless communication schemes. Despite its popularity in the wireless field, it is vulnerable to advanced jamming attacks, especially the powerful reactive jamming attack enabled by software-defined radio technology. While no effective anti-jamming solution exists to secure OFDM communications, for the first time, we exploited MIMO technologies to defend against such jamming attacks. We showed that such attacks can severely disrupt OFDM-MIMO communication through controlling the jamming signal vectors in the antenna-spatial domain. Accordingly, we proposed defense mechanisms based on interference cancellation and transmit precoding techniques to maintain OFDM communication under reactive jamming. To thwart smart attacks that change their signal vectors on the fly, we proposed iterative channel tracking and signal enhance rotation mechanisms to track the jammer's channel and adapt the transmitted legitimate signals. Our prototype experimental results demonstrated that, while OFDM-MIMO communication can be completely throttled by jamming attacks, our defense mechanisms can effectively turn it into an operational scenario with more than 4% of normal throughput.

REFERENCES

[] M. Wilhelm, I. Martinovic, J. B. Schmitt, and V. Lenders, Reactive jamming in wireless networks - how realistic is the threat? in Proc. of WiSec, June 2.