An improved technique for the detection of pilot contamination attacks in TDD wireless communication systems

One of the problems phasing the physical layer security of a wireless system is its vulnerability to pilot contamination attacks and hence schemes for its detection need to be applied. A method proposed in the literature consists of training with two N-PSK pilots. Although the method is effective in most of the cases, it is not able to discover an attack initiated during the transmission of the second pilot from the pair if both the legitimate and non-legitimate pilots coincide. In this current paper, an improvement to this method is proposed which detects an intruder who misses the first pilot transmission. The suggested improvement eliminates the usage of threshold values in the detection – a main drawback of previously existing solution.


Introduction
One of the major problems in wireless networks relates to ensuring their security. In an endeavour to achieve this a new strategy, called physical layer security (PLS), has been developed. Instead of using crypto-algorithms, PLS relies on the changes in the physical properties of the channel when an intruder attempts to participate in the communication.
In spite of the fact that PLS improves secrecy without using the complex computational systems that are typical of cryptographic schemes, some of its weaknesses, as observed in [1], require extensive additional research. One of these weaknesses is the capability of the malicious user to interfere with the process of channel estimation. This vulnerability can be exploited in what is known as a pilot contamination attack, a comprehensive description of which can be found in [2].
A time division duplex (TDD) system such as massive MIMO (MaMIMO), where the uplink and downlink channels are reciprocal and the channel state information (CSI) is obtained during a training phase, is particularly vulnerable to such a pilot contamination attack. Different levels of CSI at the transmitter and the eavesdropper (ED) and their influence on the confidentiality of a system are discussed in [3]. The process of channel estimation on MaMIMO consists of the receiver sending pilot signals to the transmitter, which then computes the CSI and, based on this result, designs its precoder. The objective of a prospective eavesdropper is to send pilots together with the legitimate receiver and thus to produce incorrect channel estimation at the transmitter end, resulting in an erroneous precoder, which also sends the data signal in the direction of the attacker. By this active attack the intruder could overcome the passive eavesdropping resistance of a MaMIMO system, as is observed in [4].
A pilot contamination attack undermines security at the physical layer and consequently has a detrimental effect on the security capability of the whole system. Hence the significance of introducing schemes for the detection of a pilot contamination attack and the need to terminate the communication in the event that one is detected.

System model
The current paper is focused on a technique for the detection of pilot contamination attacks. The system is TDD, composed of a single cell in which a base station (BS) with multiple antennas -M in number -communicates with a legitimate user (LU) and where an ED tries to circumvent the security. The model, used for the sake of simplicity, is composed of a single LU and one ED in the cell, both of them equipped with a single antenna transceiver. In addition, the channels are assumed to be static and subject to Additive White Gaussian Noise (AWGN), and user mobility is not included.
The system model is depicted in Fig.1. During the uplink TDD phase, the LU and ED synchronically send their pilot sequences to the BS, where the CSI is computed. The uplink channels of the LU and ED, denoted as gLU and gED respectively, follow Eq. 1: where PLU and PED are the transmit powers of the LU and ED, dLU and dED are scalars for the large-scale fading, and hLU and hED are M u 1 vectors for the small-scale fading.

Two random N-PSK pilots detection method (2-N-PSK)
A simple and effective technique for the detection of a pilot contamination attack is suggested in [5]. This method consists in sending random PSK pilot signals during the uplink channel estimation phase of a TDD system. An 8-PSK constellation is shown in Fig. 2, where the relationship between the coordinates of a complex number, its trigonometric form, and its module and argument representation is given by Euler's equation: . sin cos This method makes a decision about the presence of an ED via the following procedure. The LU sends two N-PSK pilot symbols to the BS, the first of which could be publicly known, with the second being chosen at random. The signals received at the BS for the first and second pilots, denoted as y1 and y2 respectively, are given in Eq. (3) where the pilots sent from the LU during the first and the second training periods are p1 LU and p2 LU , the pilots from the ED are p1 ED and p2 ED , and the AWGN in the first and second time slots are n1 and n2 respectively.
In the BS the CSI is obtained by processing the received signals. Their correlation is computed by Eq. (4), where () H means Hermitian matrix and n12 is the noise result: The scalar product of the correlation result is then analysed.
If its phase converges to a phase of a valid N-PSK symbol, two possible scenarios exist: either the ED is absent during both of the training periods or the ED is present in only one of the time slots.
If the scalar product of the correlation result has an angle that does not converge to a valid N-PSK phase, a definite decision is taken that the pilot contamination attack appears in both the training periods.
Summarising the simulation results of the 2-N-PSK, the method reveals the intervention of a non-legitimate user in the channel estimation procedure when either one or both of the ED's pilots differ from the pilots of the LU. When the ED sends a pilot which equals the one sent from the LU in only one of the training intervals, the 2-N-PSK technique undertakes additional verification to determine if this intervention is non-legitimate in nature. The worst case scenario, which the method is not able to detect, is when both of the attacker's pilots coincide with the legitimate pilots or when the first is the same and the second is shifted by 180 degrees, i.e. the complex number of the second ED's pilot is reciprocal to that of the LU.
The main advantages and drawbacks of the method are discussed in [6], where other solutions which have been proposed in the literature are also analysed and compared.

An improved technique for the 2-N-PSK detection method
As described in the previous sections, the objective of the pilot contamination attack is to compromise the CSI and thus to reveal the legitimate channel to the malicious user. So, once the ED starts sending pilots to the BS synchronically with the LU this process would continue until all of the information about the channel is revealed. However, the ED could participate in the communication at a later stage and thus miss one or more of the training periods. This is exactly the case when, despite the presence of the ED in the second slot, the angle of the correlation result converges to a valid N-PSK phase if the ED guesses either the pilot of the LU or the reciprocal number.
When this situation occurs, the authors in [7] suggest a revision of the amplitude of the received signals, since the received power of the contaminated pilot will be larger than that of the non-contaminated pilot. To decide if the difference in the received power is a result of a pilot contamination attack in one of the slots or is simply a consequence of the natural imperfections of the channel, the ratio of the received signals is compared with some thresholds. A decision that a malicious user has sent a pilot during one of the slots is made if the result of the ratio is outside the range defined by the thresholds. Otherwise, the conclusion is that there is no ED present during the channel estimation procedure.
Since the assignment of thresholds requires previous channel knowledge, the reference values are difficult to obtain and their definition is subject to possible error. Therefore, in the case of pilot contamination during only one of the slots the use of the 2-N-PSK detection method is not effective.
In the current paper we propose another solution for the detection of a pilot contamination attack initiated during the second training period, which avoids the use of threshold values. We will consider the scenario in which the ED duplicates the pilot of the LU or sends its reciprocal value. Hence, if the phase of the correlation result z12 is a valid N-PSK angle, the technique described below is applied. It is illustrated in Fig. 3. Considering the first pilot transmission, according to Eq. (3) apart from the noise, the signal received at the BS in the absence of an ED is: , 1 1 LU LU g p y (5) which defines the value of the channel gain as: In the second training slot the ED's contamination with p2 ED =p2 LU forms: leading to channel gain: Since the BS is familiar with both the sent pilots and the received signals, the values of the channel gains can be calculated and the channel knowledge from the two Uplink transmission of the first pair of pilots and channel estimation at the BS, where detection statistic z12 is formed the impact of noise could give rise to some limited variations, in order to avoid setting thresholds of an acceptable range of alteration, the values of the channel gain could be compared to those calculated during the next training interval.
First, the correlation of the next two pilots is computed. In the worst case, where the ED manages to guess the third pilot, the received signal is: The argument of the correlation z23 between the second and the third pilot is also a valid N-PSK phase. Then the effect of the channel gain for the third received pilot is calculated: LU ED LU p y g g g 3 3 3 (10) and the intrusion is confirmed in the case of equal channel gain values in the second and the third received pilots, i.e. when g2 = g3.
The block diagram depicted in Fig. 4 illustrates the proposed approach.
Another interpretation of the proposed technique can be observed in Fig. 5, where a geometric representation of the 8-PSK pilots is shown together with the correlation results. For simplicity, the simulation is carried out with a single antenna BS, a static channel is assumed and noise influence is not taken into account. The amplitudes of the pilots from the LU and ED are regarded as being equal and their value is set to 1. For the purposes of the simulation, the channel between the BS and LU is assumed to be gLU = 1 and that between the BS and ED to be gED = 0.7. As can be seen from the example in Fig. 5, when no ED is present the channel gain at the BS equals the gain of the legitimate channel. When an attack is under way, the resulting channel gain equals a larger value, which continues to show up during the next pilot sessions. Even in the worst case, when the ED's pilots coincide with those of the LU and the phase of the correlation result is a valid 8-PSK angle, the second appearance of the channel gain g2 indicates the presence of an intruder.
In addition, the proposed complement to the 2-N-PSK method could be used to indicate the presence of an attacker whose first pilot repeats the LU's pilot and whose second pilot is reciprocal to the LU's second pilot. This situation could not be detected by the 2-N-PSK itself, since the phase of the detection statistic coincides with the angle of a symbol from the N-PSK constellation. However, the value of the channel gain computed from the first received pilot differs significantly from the channel gain of the second pilot, which demonstrates the presence of malicious intervention.

Conclusion
Effective schemes for the detection of pilot contamination attacks are recommended for use in wireless systems and the communication needs to be interrupted if such an attack is discovered.
In this paper a complement of the 2-N-PSK method for the detection of pilot contamination attacks is proposed. The improvement does not cover the case when the attacker repeats both the pilots of the legitimate user and further investigation is needed in this direction. Although the solution improves the accuracy of the detection when the channel is static, its efficiency needs to be tested in the presence of noise.
In the case of low power noise, it is possible to outline an area around the N-PSK symbols in which there is no ED present. In this situation the proposed technique will provide a good detection performance. When the signalto-noise ratio is very low, comprehensive information about the noise power at the BS is necessary in order to improve the success rate of the method. These elements are important considerations for future studies.