A project report on
FEMTOCELLS
A description and new security approaches
By MARC DEL VALLE-ORTIZ GUARDIÀ
Under the Guidance of DR. V.S. SHANKAR SRIRAM, Associate Professor
SCHOOL OF COMPUTING
Shanmugha Arts, Science, Technology & Research Academy (SASTRA University)
(A University Established under section 3 of the UGC Act, 1956)
Tirumalaisamudram, Thanjavur - 613401
January 2014



Marc del Valle-Ortiz Guardià: Femtocells, A description and new security approaches, © January 2014


Shanmugha Arts, Science, Technology & Research Academy (SASTRA University)
(A University Established under section 3 of the UGC Act, 1956)
Tirumalaisamudram, Thanjavur - 613401

SCHOOL OF COMPUTING

BONAFIDE CERTIFICATE

This is to certify that the Project entitled

Femtocells, A description and new security approaches

is a work done by Marc del Valle-Ortiz Guardià

Internal Guide          Associate Dean

Department of Information Technology

Submitted for the university examination held on: January 2014

Internal Examiner       External Examiner


ABSTRACT

Femtocells are an essential part of the future mobile cellular network. A general literature survey on this technology is given in the first part of the work. This general survey is the base for the further work presented in this document. Research work in the field of securing femtocells is still in its infancy. In this research contribution an attempt has been made to identify and mitigate a possible attack on femtocells in which location information about a femtocell user is disclosed. The proposed mechanism notifies the femto entity under threat about the attack. A novel Multi-hop algorithm has also been proposed to hide the details of the communicating parties from the attacker. Furthermore, resource allocation for femtocells is also a big concern in the community. In this document one of the already existing procedures is implemented and also modified for improvements.


ACKNOWLEDGEMENTS

I would like to express my very great appreciation to Dr. V.S. Shankar Sriram for his suggestions and comments during the development of this research project.

I want to give a mention to my laboratory colleagues who shared knowledge and suggestions with me, and helped me to spend a great time while working on the different projects.

Moreover I want to thank Dr. M. Sridharan, without whom joining SASTRA University to develop my work might not have been as easy as it has been.

And finally huge thanks to my family, friends and girlfriend for their constant support and their unconditional cheers.

Moltes gràcies a vosaltres!
Thank you very much!
Mikavum nanri!


The difficulty lies not so much in developing new ideas as in escaping from old ones.

— John Maynard Keynes


CONTENTS

i general survey on femtocells
1 introduction
  1.1 Cellular Mobile Network
  1.2 Femtocells as a solution
  1.3 Market Status
2 femtocell network
  2.1 Architecture
    2.1.1 HeNB dedicated GW
    2.1.2 HeNB none dedicated GW
    2.1.3 C-plane HeNB dedicated GW
  2.2 Joining Policies
    2.2.1 Closed HeNB
    2.2.2 Open HeNB
    2.2.3 Hybrid HeNB
  2.3 Interferences
    2.3.1 Femtocell-Macrocell
    2.3.2 Femtocell-Femtocell
  2.4 Handover
    2.4.1 Legacy Handover
    2.4.2 Fast Handover
3 survey on attacks and existing countermeasures
  3.1 End User Attacks
    3.1.1 Anonymity: Correlating Packages
    3.1.2 Authenticity: Stealing UE Identity
    3.1.3 Confidentiality: Disclosing the Data
    3.1.4 Availability: False Power Off
    3.1.5 Integrity: Changing SMS content
  3.2 Network Attacks
    3.2.1 Getting other nodes information
    3.2.2 Remotely controlling a HeNB
    3.2.3 Breaking operators infrastructure

ii proposed methodologies
4 user environment location privacy
  4.1 Location Disclosure
  4.2 Tracking Notification Algorithm
5 user anonymity
  5.1 Multi hops Algorithm
  5.2 Simulation
    5.2.1 Scenario Setup
    5.2.2 Results
6 resource allocation
  6.1 Graph Formation
  6.2 Graph Coloring
  6.3 Algorithm Implementation
    6.3.1 Coloring Algorithm
    6.3.2 Coloring Optimization
    6.3.3 Results Evaluation
7 conclusions

bibliography

LIST OF FIGURES

Figure 1 Femtocell Scenario
Figure 2 Dedicated HeNB GW.
Figure 3 No-Dedicated HeNB GW.
Figure 4 C-Plane dedicated HeNB GW
Figure 5 Macrocell splitting scheme
Figure 6 Legacy Handover Procedure
Figure 7 Proximity Add/Release Process
Figure 8 Tracking Threat
Figure 9 Tracking detection process flow chart
Figure 10 MhA Number of Reflections p.d.f
Figure 11 MhA Introduced Delay p.d.f
Figure 12 Graph coloring example

LIST OF TABLES

Table 1 LTE basic Parameters
Table 2 Simulation Parameters Summary
Table 3 Number of reflections
Table 4 Time inside the HeNB

LISTINGS

Listing 1 MhA pseudo-code
Listing 2 Colorizing Function Matlab Code
Listing 3 Minimization Function Matlab Code


ACRONYMS

FAP    Femtocells Access Point
MCN    Mobile Core Network
HeNB   Home Enhanced Node B
eNB    Enhanced Node B
GA     Genetic Algorithm
OFDMA  Orthogonal Frequency-Division Multiple Access
PCI    Physical Cell Identity
LTE    Long Term Evolution
RAN    Radio Access Network
GUI    Guided User Interface
UE     User Environment
LTE-A  Long Term Evolution Advanced
SCTP   Stream Control Transmission Protocol
GW     Gateway
MME    Mobility Management Entity
NAS    Network Attached Storage
OFDM   Orthogonal Frequency-Division Multiplexing
PCI    Physical Cell Identifier
IMEI   International Mobile Station Equipment Identity
IMSI   International Mobile Station Subscriber Identity
SMS    Short Message Service
DoS    Denial of Service
GSM    Global System for Mobile
HTTP   Hypertext Transfer Protocol
RSRP   Reference Signal Received Power


Part I

GENERAL SURVEY ON FEMTOCELLS

A brief introduction to the cellular network is given to begin this work. This part focuses on introducing and describing the femtocell concept: analyzing the scenario that creates the necessity, and explaining the femtocell network configuration and procedures. Moreover, the existing security issues in femtocell networks are listed and summarized.

Why are femtocells necessary? How are femtocells implemented? How are the interferences managed? What security vulnerabilities have been detected in femtocells? These are the questions which this part aims to answer.


1 INTRODUCTION

1.1 cellular mobile network

The mobile cellular network is a concept which emerged in 1960 as an evolution of the fixed telecommunication network. Since that time the concept has evolved, and nowadays the mobile cellular network has become huge.

The network infrastructure basically consists of different base stations deployed throughout the whole service coverage area. Each base station (eNB, using 3GPP¹ notation) creates a coverage area named a cell. These cells are distributed in a non-overlapping pattern in order to maximize the covered area; this area can be a city but also a whole country. The users geographically located inside a cell are served by the eNB which creates that cell. Normally the cells created by eNBs are represented as hexagons and are named macrocells. Different macrocells use the same frequency slot, since frequency reuse techniques have been introduced; this is feasible because the signal power decreases as we move further from the base station.

The techniques used in the mobile cellular network have evolved quite fast since their creation; nowadays the 4th generation is starting to reach every user around the world, and the research community is working on the 5th generation. This evolution started with the change from analog to digital transmission, from 1G to 2G. From 2G to 3G the change was the start of using spread-spectrum based communications, which improved the voice capacity. Many improvements have been made to 3G to improve the data carrying in this technique, but these improvements have not been considered a new generation.

The jump from 3G to 4G not only changed the techniques used for the transmission; it also attempts to change the network deployment. Traditionally the deployment of the eNB is done by the service provider companies' engineers, who configure the network and set the parameters for the base stations. The new approach introduces smaller cells which can be deployed easily and adapt their parameters to the network's needs. The extreme, and most recently introduced, of these small cells are the femtocells, which are the smallest of the family. The femtocells' siblings are micro-cells and pico-cells. This reduction of the coverage area also helps to handle the increasing number of devices asking for throughput, and to bring 5-bar coverage to all the main areas.

The 4th generation is also known as LTE and it is a middle step before LTE-A. This step needs to be taken because of the need to introduce 4G smoothly by gradually moving from 3G. Basically LTE converges all the wireless technologies (WiMAX, CDMA, HSPA & GSM) in order to make the migration to the next step easy.

¹ 3rd Generation Partnership Project, collaborative work between telecom associations.

LTE: IP is the protocol used for the addressing, specifically IPv6, which gives the network operators a simpler and more scalable network. This network is composed of four parts: i) radio access (RAN), ii) backhaul, iii) core and iv) backbone; the IP protocol allows all these parts to be interconnected. The downlink transmission in the RAN uses OFDMA; this technique allows the users to share the available bandwidth, adjusting it according to the users' demands.

Parameter             Value
Access scheme (UL)    DFTS-OFDM
Access scheme (DL)    OFDMA
Bandwidth             1.4, 3, 5, 10, 15, 20 MHz
Minimum TTI           1 ms
Sub-carrier spacing   15 kHz
Modulation            QPSK, 16QAM, 64QAM

Table 1: LTE basic Parameters

In Table 1 a few important parameters of LTE are listed; another important fact is the spatial multiplexing introduced in the DL. The latency (system transmission delay) is reduced in LTE, and the time to initialize is also quite small.

LTE-A: This technique adds some new features to LTE. New frequency bands are used, TV bands for example. By channel aggregation the effective bandwidth can be increased up to 100 MHz.

All the generation migrations imply a high cost for the network operators. Due to the high rates that these operators are paying for installing new antennas (eNB), they were looking for a more affordable solution.

[Margin note: The cost of deploying an eNB can reach almost 1M dollars per year.]

1.2 femtocells as a solution

Since the introduction of spread spectrum techniques users have been expecting more features and connection speed in their devices. More and more users and devices are being introduced into the network every day. Network operators have the responsibility to provide better throughput and bandwidth to the users of the wireless network. The implementation of femtocells in the network is proposed as a better solution, since this technique is able to recycle the frequency slots used by macrocell users in a specified range and transfers the data through the Internet to the Mobile Core Network (MCN). This results in high bandwidth at low cost, satisfying the network users with an affordable, low investment for the network operators.

A possible scenario showing these femtocells is presented in Figure 1. As can be seen, the HeNBs created can be in an overlapping environment, which needs interference mitigation techniques between femtocells as well, rather than only for macrocell-femtocell interference.

Figure 1: Femtocell Scenario

To create the smallest of the mobile network cells a device is needed; these devices are called femtocell access points (FAP). These devices include plug and play technology, which means that no technical support is needed for the installation. The user only has to power on the device and connect it to a backhaul network; this backhaul connection is made through a high speed access network (xDSL) which connects the HeNB to the Internet. The network operator only needs to handle the new connection to the network, which can be easily done by properly configuring the gateway, as explained in Chapter 2. This gives the network scalability and a low deployment cost.

FAPs are designed for indoor deployments, since they create a cell of 20 meters range. Recent research extends the deployment to outdoors as well [12]. This low coverage area has a great impact on the power consumption of the UEs, since the transmission power is less than when connecting to a macrocell. Generally the deployment is done by users who want to increase throughput inside an office or home and by users who have low coverage in their buildings. The two different configurations proposed are suitable for these two scenarios: for a home HeNB 5 users are allowed to join the FAP, whereas up to 16 users can be managed in an office environment. Depending on the scenario in which the HeNBs are deployed, different joining policies for accepting join requests are also used; these policies are described in Chapter 2.

Femtocells not only introduce new features in the network layer; new application services also appear with the deployment of femtocells. Since the HeNB is going to detect you when arriving home, some tasks can be automated or notifications can be sent. Some of these applications are presented in [11], but since it is a novel technology the growth of new features in the coming years will be quite large.


1.3 market status

In 2007 Sprint launched the first consumer femtocell service; it was focused only on home deployment and it did not have a real impact on the market until the first standardizations were done and put on the market (2012). In 2013 most of the major mobile operator groups are offering femtocell service; the most remarkable of them are: AT&T, China Mobile, France Telecom/Orange, Telefonica, T-Mobile/Deutsche Telekom and Vodafone. Some of these mobile operators reported the statistics of their femtocell network; for example, Sprint had deployed around one million units in the US. Also in the US, estimations regarding the AT&T status give a figure of almost 1M units deployed by this operator. Other countries where femtocells are starting to be deployed have more moderate numbers; in the UK Vodafone reported hundreds of thousands of HeNBs.

The most interesting thing to analyze is the potential growth of this market. In [5] the Femtocell Forum presents a market status and an estimated forecast. The growth of the market is basically attributed to the small cells deployed in public areas, but the growth of private cells is also quite fast. The forecast estimates a growth of 73% each year from 2012 to 2016. This growth is due to the LTE network, which makes the use of these small cells almost mandatory. The prediction also talks about all-in-one devices which will include a Wi-Fi access point and a mobile network access point, and which will support more than one generation of the mobile techniques. Regarding this compatibility between different generations, in 2012 the first device to include 3G and 4G was released on the market in Japan.

The expectation is that the small cell market will represent a value of over 20 billion US dollars. This is a huge amount, and it creates fierce competition between the network operators to offer more, and more secure, services, which will allow them to get the maximum number of users.


2 FEMTOCELL NETWORK

2.1 architecture

As described by 3GPP in [1], different architecture approaches appear in the femtocell network. The main difference between the approaches resides in the HeNB gateway, which is suppressed or reconfigured in the different architectures described below. In order to secure the transmission, a secure gateway (SeGW) is mandatory in all the approaches; it is not shown in any of the diagrams¹. This SeGW is in charge of tunneling the HeNB traffic through the IPSec protocol to ensure that the data transiting the Internet is not disclosed.

2.1.1 HeNB dedicated GW

All the traffic incoming to the MCN from the different HeNBs is concentrated in the HeNB GW. This means that only one SCTP association is needed for all the HeNBs to join the MCN. This is a good advantage in terms of traffic, since the MCN is not flooded with SCTP associations each time an HeNB joins. That is quite common, since the FAPs are located in users' homes and they are able to turn them on at their own choice. Another great advantage is that this architecture is really similar to the HNB (3G) architecture, which means that carriers do not need large investments for changing from the previous generation.

[Margin note: The connection marked as S1 represents, in the three cases, the connection made through the Internet.]

[Diagram; labels recovered from the original: nodes UE, HeNB, HeNB GW, MME, S-GW, HSS, CSG List Srv; interfaces LTE-Uu, S1, S1-MME, S1-U, S11, S6a, C1 (OMA DM/OTA); domains VPLMN, HPLMN]

Figure 2: Dedicated HeNB GW.

The main disadvantage of the architecture presented in Figure 2 is that if the HeNB-GW fails, all the HeNB nodes are affected. Moreover, a change of tunneling is needed to forward the packets: the tunneling needs to be changed from HeNB-GW→S-GW to HeNB-GW→HeNB and vice versa.

¹ The diagrams in Figure 2, Figure 3 and Figure 4 are extracted from the 3GPP specifications [1].


2.1.2 HeNB none dedicated GW

By removing the HeNB-GW there will be fewer elements in the network, which means that in terms of operations performed this approach gives better performance. Updating for new features is also easier, since fewer elements are involved. Furthermore, the main disadvantage of the first variant is no longer a problem, since no concentration is done in this approach.

[Diagram; labels recovered from the original: nodes UE, HeNB, MME, S-GW, HSS, CSG List Srv; interfaces LTE-Uu, S1-MME, S1-U, S11, S6a, C1 (OMA DM/OTA); domains VPLMN, HPLMN]

Figure 3: No-Dedicated HeNB GW.

Unlike the dedicated gateway approach, in this approach an SCTP association will be created for every release or join of an HeNB. This can easily overload the MCN with packets coming from the HeNBs. This approach is feasible, for example, for carrier-deployed femtocells, which are turned on most of the time and are limited in number in a certain region. For user-deployed FAPs this is not a good approach, as discussed.

2.1.3 C-plane HeNB dedicated GW

For this approach the HeNB-GW is introduced only in the control plane (C-plane) of the link. With this configuration a low number of SCTP messages is achieved, since only one connection is made between the HeNB-GW and the MME. If we look at the user plane, it is simplified, and as a result of the HeNB suppression there are fewer points of failure. The main advantage of having the control traffic centralized by the HeNB-GW is that we are able to run optimization techniques for the handover and signaling messages of all the HeNB nodes.

The disadvantage of this approach is basically that if the number of HeNB nodes increases, the UDP/IP connections will cause an overload if the S-GW is not properly designed. This can be solved by introducing additional S-GWs if the network grows that much.


[Diagram; labels recovered from the original: nodes UE, HeNB, HeNB GW, S-GW, MME, HSS, CSG List Srv; interfaces LTE-Uu, S1-MME, S1-U, S11, S6a, C1 (OMA DM/OTA); domains VPLMN, HPLMN]

Figure 4: C-Plane dedicated HeNB GW

2.2 joining policies

The mobile network is a very diverse environment: in it we can find a huge number of different devices with different features and, most importantly for this case, operating with multiple carrier companies. Furthermore, we can also find devices using a double SIM card. Because of all these multiple users, the HeNB network has to implement a login policy to restrict its usage if necessary. From this perspective three different joining policies appear in femtocells: open, closed and hybrid femtocells.

2.2.1 Closed HeNB

Control of the users joining the femtocell has to be exercised in this kind of HeNB. Only registered users may join the femtocell; the FAP owner has to report these users to the service provider. A list with all the authorized users is created and stored in the MME block (see the architecture section for details); the MME is in charge of transferring and updating the data to the core of the network. When a new user is joining, the HeNB sends a NAS request to the core of the network, which makes a decision with the information provided by the MME. In case the connection is rejected, the standards specify that the cause of rejection must be sent to the user.

In case the HeNB is deployed in a public place and the owner of the device is the operator itself, other cases appear. Operators will sign roaming agreements so that users coming from a different carrier network can join this network. Clearly this is also a closed access femtocell, where the authorized users are the ones on the operator's client list and, furthermore, those of the other operators that are in the roaming agreement.

Since users who are not permitted in the HeNB network can be within its coverage area, this kind of policy is the one that most affects interference, as discussed in the next section.


2.2.2 Open HeNB

In this kind of femtocell everybody is able to join if there are resources available. There is no priority of any kind: the first users to arrive are the ones who obtain resources. This policy is not well regarded by carriers, or by home users who want to control who is joining the HeNB. On the other hand, these femtocells are very attractive for users, who can get more features on their device without paying anything extra. This gives attackers a great opportunity: by deploying one of these femtocells they can monitor all the traffic going through their own FAP.

2.2.3 Hybrid HeNB

This policy is midway between the two policies explained before. In these femtocells a list of registered users is also created, which works as in closed access. In addition, non-registered users are also accepted to join these femtocells, as long as there are resources to allocate to them.

This is a really good kind of femtocell for users who own an indoor place but receive many different people, for example a travel agency office where the workers are the same every day but different customers come every hour.

2.3 interferences

As shown before, the last connection of the network is made over the air interface. As is known, this interface is very susceptible to interference. Moreover, the future mobile network is going to have two tiers operating in the same frequency range: the femtocell tier and the macrocell tier. It is important to distinguish the two cases of LTE and LTE-A: in the newest generation, different subcarriers are available to spread the different transmissions over them. Therefore LTE is the most restrictive scenario. In the lines below the most powerful mitigation techniques from [10] are summarized; where a technique is taken from another source, this is specified in the description.

2.3.1 Femtocell-Macrocell

The different approaches that appear in the literature for fighting the interference caused by the coexistence in time, space and frequency of an eNB and a HeNB take the first one as the high priority user. Therefore HeNBs have to adapt their transmission parameters in order not to interfere with the macrocell. The highest interference scenario occurs when an eNB user is trapped in the middle of closed HeNBs operating in the same frequency as it; as said, in this case the femtocells have to adapt themselves to interfere as little as possible with the user.


2.3.1.1 Control Channels

The control region in LTE can be allocated in first to third OFDM sym-bol, and it is spread along the whole bandwidth. Because of this reasondifferent frequencies can not be assigned to femtocells and macrocells.In eNB the number of users is assumed to be larger than in one femto-cell, for that reason in first case the three OFDM symbols will be usedas control channel. Whereas that in femtocells is possible to manageall users only using one OFDM symbol. LTE is having three differentcontrol channels which need to be protected in front of interferences:

• PCFICH: It is in charge of announcing what is the structure of the band-width, the information about how many OFDM symbols are being usedfor the control channel can be found here. This is the most robust chan-nel, it is repeated four times in the frequency domain. This channel raisesas the most important since if it is not correctly read all the data will bemisunderstood.

• PHICH: This channel is used to inform the UEs when an uplink trans-mission is successfully completed. It has three repetitions in frequencydomain, this repetitions can be done in the same OFDM channel or eachin a different one. Moreover this control channel is spread in time andfrequency domain.

• PDCCH: This channel is also scattered in frequency and time domain, itis used by the users to transmit the downlink transmissions. The distri-bution along the frequency domain is diverse and it could seem randombut each user allocate this information according to certain equations.

The below paragraph describe different approaches for mitigating thecross-tier interference for the control channels.

No coordination: If no technique is used the data channels used bythe femtocell interfere with the second and third ODFM symbols usedby the macrocell. Then the interference is not between control packets,in this case is between data packets and control channel packets.

Spread femtocell control channel: This technique takes advantage of the fact that only one OFDM symbol is needed for the femtocell's channel. The information of this single channel is spread along the three possible symbols; this reduces the interference and also reduces the femtocell data channels.

Blank Subframe: It consists in coordinating macrocell and femtocell so that each keeps one blank frame; in that moment the other is able to transmit without interference. This is the most basic technique, but the throughput is drastically reduced, since fewer frames are available for transmission.

PCI manipulation: This technique, proposed in [3], attempts to change the physical cell identity (PCI) when the HeNB is powered on. It is focused on avoiding collisions between the macrocell user PCFICH and the same channel of the femtocell user. When the PCI value changes, the control channels are moved inside the OFDM symbol. The HeNB has to listen in order to identify the most dominant macrocell; once it is identified, the PCI value has to be chosen intelligently so that the PCFICH of the femtocell is allocated in a different position than the macrocell one. This technique enhances the performance of the previously explained techniques.

2.3.1.2 Data Channel

Genetic Algorithm Resource Allocation Model: This technique is presented in [8] with the objective of maximizing the available throughput and minimizing the interference. As described, the model consists of two parts: first the bandwidth allocation is done, and then a GA is used to optimize the available resources. In the first step all the bandwidth is split into different orthogonal subcarriers, then an integer number of subcarriers is assigned to each user depending on its requirements. Furthermore, the transmission power for each user is also set. These results are used as the initial population for the GA implemented in the second step. The GA is run each time a user joins the network; the input parameters are the users' bandwidth demand, location and the network modulation.

(Margin note: GA attempts to find the best fitness solution for an optimization problem.)

Collaborative frequency Scheduling: The collaboration is done between eNB and HeNB in order to obtain the most realistic channel sensing. The eNB sends the channel information to the femtocells. Each HeNB also performs channel sensing, and from these two pieces of information it obtains a more accurate frequency schedule. This technique can be improved by adding cognitive sensing, where all the nearby HeNBs share the sensing information in order to get a better result. This technique is focused on reducing the interference in both links, downstream and upstream.

Power Control: Since femtocells are the low-priority users in the network, they change their transmission parameters in order not to interfere with the eNB. One of the main parameters that can be modified to reduce interference is the power transmitted by the HeNB. The main advantage is that the only thing compromised in reducing the interference is the SNR; no bandwidth resources are lost. The power control decision can be based on many different inputs. For example, groups of HeNBs can be clustered and the power of the whole cluster changed at the same time. The decision to change power parameters can be made centrally or in a distributed way, where each node decides its transmission power by sensing the medium. This is one of the simplest techniques and also one of the most efficient in terms of interference mitigation.


2.3.2 Femtocell-Femtocell

Cognitive Radio: In densified femtocell networks a cognitive approach can appear, since the FAPs need to be close enough to communicate with their neighbors. Alternatively, the exchange of information can also be done using the HeNB-GW in case it exists, depending on the selected architecture scheme. The process occurs when the HeNB node is switched on: it listens to the air interface and selects the channel to use following these rules. If there is any channel that the neighbors are not using, the new HeNB selects it for transmission. If all the channels are used, it selects the one which is used by the furthest neighbor. Finally, if none of the mentioned conditions can be met, the FAP selects the least used of the furthest used channels. This technique is used for the downlink and, as can be seen, strict cooperation between all the HeNB nodes is required.

(Margin note: Cognitive radio refers to smart radios that have the ability to sense the environment and take decisions to adjust their transmission parameters depending on the surrounding medium.)

Graph Coloring Resources Allocation: This novel technique for resource allocation is presented in [14]. The technique consists in building a graph where each node is linked to the nodes within its interference area. Once this graph is created, each node, following a sequential process, applies the graph coloring technique to that graph. Once a node has decided its color, it has to share this color with its neighbors, who will decide their own color by looking at the others' colors. Each color represents a frequency slot available for the femtocells; the number of resources might vary. When a node joins the network, the only thing it has to do is ask for the colored graph, decide which frequency to use, and then transmit it to the whole network. As can be seen, this technique is like cognitive radio, where all the neighbors cooperate to get the best result, but if some of them give false feedback the performance is highly decreased. As Q. Zhang et al. suggest, many improvements can be made to optimize this algorithm, such as refreshing the coloring every time a node joins or leaves the network, or applying optimization to the graph coloring, which requires a centralized entity to control the whole frequency allocation. More details about this procedure can be found in Chapter 6 of this document.
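The sequential coloring described above, together with the false-feedback failure it mentions, can be reproduced in a few lines. This is an added example, not code from the report or from [14]; the topology, the node names, the fallback rule when no slot is free and the sensing-based audit are assumptions made for illustration.

```python
# Added example: sequential graph-colouring slot allocation between HeNBs, and
# the effect of one false colour report. Topology and names are constructed.

def allocate(order, neighbours, n_slots, false_reports=None):
    """Colour nodes one by one in joining order.

    neighbours: node -> set of nodes inside its interference area
    false_reports: node -> slot it announces instead of the slot it really uses
    Returns (used, announced): the slot each node transmits on and the slot
    each node told its neighbours about.
    """
    false_reports = false_reports or {}
    used, announced = {}, {}
    for node in order:
        # A node only knows what its already-coloured neighbours announced.
        seen = [announced[n] for n in neighbours[node] if n in announced]
        free = [s for s in range(n_slots) if s not in seen]
        if free:
            slot = free[0]
        else:
            # Assumption: with no free slot, take the one fewest neighbours announced.
            slot = min(range(n_slots), key=seen.count)
        used[node] = slot
        announced[node] = false_reports.get(node, slot)
    return used, announced


def co_channel_pairs(used, neighbours):
    """Neighbouring pairs that really transmit on the same slot (interference)."""
    return sorted({tuple(sorted((a, b)))
                   for a in used for b in neighbours[a]
                   if b in used and used[a] == used[b]})


def mismatched_reports(used, announced):
    """Audit step. Assumes neighbours can sense which slot a node really uses."""
    return sorted(n for n in used if used[n] != announced[n])


# Constructed interference graph: five HeNBs, three frequency slots.
NEIGHBOURS = {
    "A": {"B", "C", "D"},
    "B": {"A", "C"},
    "C": {"A", "B", "D"},
    "D": {"A", "C", "E"},
    "E": {"D"},
}
ORDER = ["A", "B", "C", "D", "E"]

if __name__ == "__main__":
    honest, _ = allocate(ORDER, NEIGHBOURS, 3)
    print("honest :", honest, co_channel_pairs(honest, NEIGHBOURS))
    used, announced = allocate(ORDER, NEIGHBOURS, 3, false_reports={"C": 1})
    print("C lies :", used, co_channel_pairs(used, NEIGHBOURS))
    print("audit  :", mismatched_reports(used, announced))
```

Comparing the sensed slot with the announced one is what lets a centralized entity single out the node whose feedback cannot be trusted.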

Fractional Frequency Reuse (FFR): Different techniques based on this method exist, which can mitigate the interference in both tiers of the network, femto to femto and macro to femto. The main distinction between these techniques is how the resource allocation is done: there are dynamic and static allocations. In comparison, in the first case the signaling and the complexity are higher, in exchange for a more efficient use of the bandwidth resources. The main idea of FFR is to divide the macrocell area geographically: three sectors are created in the hexagonal cell. Furthermore, a distinction in radial distance from the eNB is made, splitting the cell into two coverage areas. Taken together, each macrocell presents six different regions. The frequency spectrum is also divided into different slots, and each HeNB uses different slots depending on its location. A clear scheme can be seen in Figure 5, where A, B, C and D are the frequency slots.

Figure 5: Macrocell splitting scheme

These techniques can also be used together with power control; this hybrid technique enhances the system performance, achieving really good results.

2.4 handover

To explain the different handovers we use the notation Tgt to identify the target node of the handover. Src is used to identify the node that is going to be left by the UE.

2.4.1 Legacy Handover

Each UE connected to a HeNB or eNB is constantly sensing the medium to send Measurement Report messages to the node it is connected to. This message is interpreted and the node takes a positive or negative decision about the handover. If the decision is positive, the next step is to send a request to the Tgt; this request is sent by the Src through the MME. Once the Tgt has received this request it sends a Handover Command to the UE; at this moment the Src starts buffering the data received for that UE. This data will be forwarded to the Tgt once it receives a Status Transfer message via the MME.

The data will also be buffered in the Tgt, since the UE is finally connected to it; at the same time the target has to accept the Handover Confirm from the UE. Afterwards the Path Switch Request is sent; before that happens the data travels twice through the Internet, from the SGW to the Src and then to the Tgt. The Src is finally excluded from the data transfer after receiving an End Marker from the SGW; this marks the end of the handover procedure.

The packet flow of the described procedure is shown in Figure 6. The problem with the handover described above is that the time spent sending packets through the Internet is quite high, which means that this handover is not optimal for the femtocell network.

Figure 6: Legacy Handover Procedure

2.4.2 Fast Handover

As described before, a fast handover has been needed since the femtocell network appeared; in [9] a new approach for a quicker handover is given. To implement a fast handover the authors propose a proximity-based method; the speed of the UE is also taken as an input for deciding whether or not to do the handover.

Firstly, two different modes for the UE are defined, swift mode and free mode. In the first, the speed of the UE is higher than a certain threshold and the handover can only be done between macrocells. The threshold is fixed according to the network speed; in the other mode the UE speed is below this threshold and the handover is allowed. Two regions are also defined for the femtocell coverage area, the associable region and the proximity region. The second region is defined as the area where the strength of the HeNB is higher than a certain δ of the strongest signal. The associable region is where the signal of the HeNB is the strongest one in that area. Note that a UE can be in different HeNB proximity regions but in only one associable region.


Figure 7: Proximity Add/Release Process

Proximity Add/Release Process: this is the main process which makes the handover faster. When the UE enters a proximity region, the MME duplicates the data stream of the SGW to send the data also to the HeNB creating that proximity area. When the UE leaves the proximity area, this duplication has to be released in a similar way. Both packet flows can be seen in Figure 7. Thanks to this pre-handover process, when the handover has to be done the Tgt is already receiving the data and only needs the Src to tell it from which point the UE needs to receive the data. This is transmitted using a Switch Marker sent by the Src to the Tgt. With this method the handover time can be reduced from 1.74 s in the Legacy Handover to 0.82 s for the Fast Handover, according to the results presented in [9].


3 SURVEY ON ATTACKS AND EXISTING COUNTERMEASURES

This chapter attempts to explain the most important threats affecting femtocells. Different threats have been described in [13] and [2]. Furthermore, the 3GPP technical report [2] describes the security architecture of the current femtocell network architecture. Most of the threats described in this bibliography are already solved. The attacks described in this work are the ones that have not been fully solved to date.

3.1 end user attacks

In a mobile cellular network, users normally do not choose which antennas to connect to; users are not even aware of the handover process. This means that a connection to a HeNB can happen without the user's choice or knowledge. If an attacker is able to introduce a misbehaving HeNB into the femtocell network, the user's security can be compromised in most of its layers.

3.1.1 Anonymity: Correlating Packets

A new security leakage in femtocell networks is presented by Malone et al. in [7]. Rogue femtocells appear in this scenario; they can easily appear under an open femtocell policy. The authors were able to identify each type of packet in the network by using these misbehaving FAPs. With this knowledge, an approach for correlating the packets in different HeNBs is discussed. Both ends of a data transfer can be identified by correlating the knowledge of incoming and outgoing data in different femtocells. Therefore user anonymity can be broken just by monitoring the backhaul traffic in the different femtocells, which represents a real security leakage.

Three different mitigation approaches are given by the authors in [7]: dummy traffic, IMEI/IMSI verification and user verification. The first option is that the HeNB constantly introduces traffic into the network to make the traffic analysis more complex. The second technique consists in adding an IMEI/IMSI field in the creation of the allowed users list. This makes it more difficult to add certain users to a misbehaving HeNB, since IMEI and IMSI are not as public as the phone number. But, as described in other attacks, existing procedures allow these identification numbers to be obtained, therefore this technique just increases the complexity of the attack. The last proposal is to ask the user if he/she wants to join the HeNB. Users have to choose whether to connect the device or not, and if they know that a security leakage may be there, connecting will never be an option. This results in a network without users, since they do not want to compromise their privacy. Given the early stage of these techniques, an approach to provide anonymity is made in this work. In Chapter 5, collaborative work of the femtocell users is proposed to provide anonymity by using a novel algorithm.

(Margin note: IMEI and IMSI are unique identifiers for the device and the SIM card respectively. Only physical access to the devices should provide these identifiers.)

3.1.2 Authenticity: Stealing UE Identity

Presented in [6] and demonstrated in [4]: by using a rogue HeNB, attackers are able to totally impersonate a subscriber. Attackers have to create a GW proxy; from that proxy they send joining requests to the mobile network, and when they are asked for authentication, the only thing needed is to ask the attacked user for that authentication. As the UE is connected to the proxy GW and authentication requests are a normal service inside the HeNB, the UE will send the response, the authentication message, to the proxy GW, which only needs to forward it in order to get authenticated. Once the attacker is authenticated in the network, transmissions to any destination can start, making the network think that these transmissions are coming from the victim UE instead of from the attacker.

The authors pointing out this kind of attack conclude that femtocells are not a good idea, since this attack seems not to have any possible mitigation in the current scenario. Therefore the scenario is totally open with regard to mitigating this kind of attack, since nowadays the only way to avoid it is to implement a user-decision approach. The user then has to remember which HeNBs are trusted and which are untrusted, in order not to join the latter. While walking inside a building our phone is going to send notifications every 30 meters asking for permission, which does not seem a really good solution.

3.1.3 Confidentiality: Disclosing the Data

DePerry et al. [4] demonstrated the idea of obtaining data from femtocell users by joining the FAP and getting all the packets in transit. The authors give a practical approach to recording a voice call and reading SMS messages going through a femtocell. This is possible since the keys are shared from the MCN to the HeNB and stored in the HeNB. Since the access point can be corrupted, these keys can be obtained, and by sniffing the packets attackers can easily obtain the ongoing data. The procedure to get the keys is described in [6] (Section 3.1).

In order to avoid this kind of attack, the author of [13] proposes to enhance the security by adding more complexity to the authentication certificates. Further work is needed to implement more complex cryptography techniques, using different key management policies, since the nodes in the core network are no longer trusted. Therefore the keys should not be stored in, or sent in clear to, those nodes; only UEs should be able to know the key for encrypting their data.

3.1.4 Availability: False Power Off

By creating a GW proxy and using a misbehaving HeNB, the authors in [6] are able to perform a DoS attack against a UE. By using the GW proxy the attacker is able to get the IMSI of the victim. Using this IMSI, an IMSI DETACH packet is sent to the mobile network, since in GSM and 3G this kind of packet does not use any authentication process. The MCN assumes that the victim has disconnected and does not deliver any transmission to it. The UE is not aware of this process, which means that it will continue listening and waiting for incoming transmissions. Moreover, the attack can be more effective if the attacker manages a network of misbehaving HeNBs; this allows the whole femtocell network to be attacked with this DoS.

Adding authentication to the detach message appears to be the best solution to mitigate this kind of attack. Once more, the keys used for this authentication should not be known by the HeNB. Further work is needed to design the mechanism against this threat.

3.1.5 Integrity: Changing SMS content

Based on controlling a HeNB access point, a threat for injecting undesired SMS messages is described in [6]. The attack basically consists of two different threats. Firstly, the HeNB needs to be reconfigured to make it able to detect the incoming and outgoing packets from the GW. That is basically done by creating our own GW proxy server and routing all the packets through it. Once this is done, the clients will authenticate themselves and the proxy in the network, since they are authorized. When the SMS is sent to the proxy, it indicates to the user that the message is being validated; instead, the SMS can be converted into plain text, modified and sent to the network.

The same mitigation techniques as for the confidentiality threat might be applied to mitigate this attack. If the data packet is properly and securely enveloped, the attacker has no chance of modifying it without changing the envelope. Therefore, once again, keys have to be known only by the UE, and the cryptography techniques applied to the data need to be improved.


3.2 network attacks

With the introduction of femtocells a new scenario appears: since attackers can deploy their own FAP, they will be part of the network. That means that attackers are going to attack the network from inside it, so network operators have to implement mechanisms to secure the different nodes of the network against the other nodes inside the same network, which are now potential attackers.

3.2.1 Getting other nodes information

As described in Chapter 2, all the HeNBs are connected to a SeGW. Since more than one HeNB can be connected to the same SeGW, the information of all those femtocells can be compromised if one of them is an attacker. If the HeNB presents a web interface from which it sends the information to the MCN, the attack just consists in getting the information from that web interface. That can be done by anyone on the same SeGW. If the web interface is not available, that information can also be collected by getting access to the FAP (described in the next subsection). If this attack is performed, the information that can be collected is: HeNB IMEI and IMSI, phone number and status of the UEs, and the neighbor macrocell list.

In order to fight against this information leakage, the best option is to disable the web interface of the HeNB, which adds complexity to the attack. Since the information will not be sent, it has to be securely stored in the HeNB. Further work is needed to set up a mechanism that ensures the security of this information even if an attacker were able to access the FAP.

3.2.2 Remotely controlling a HeNB

The backhaul connection of the femtocell access point is made through the Internet, which means that the existing vulnerabilities of devices connected to this network can also apply to the FAP. The authors in [6] found a way of gaining root access to a FAP by exploring vulnerabilities in the HTTP web server methods. This particular case is already registered and known by the community, but many other methods can be tried, and maybe successfully used for the same purpose. The remote access was gained from another HeNB connected to the same SeGW as the target victim. By gaining remote control of a HeNB, attackers can create a network of misbehaving femtocells; this increases the impact of all the attacks described in this chapter, and allows the introduction of new threats like the location tracking introduced in Chapter 4.

The threat presented is based on the vulnerability registered as CVE-2011-2900, which was introduced two years ago. Nowadays mitigation techniques for this particular vulnerability are available. Software tools using HTTP, such as browsers, have introduced these solutions, and mobile network operators have introduced them too. These solutions remain closed, but they ensure that this issue has been solved. This fights against this particular threat, but if a new threat appears security might be compromised again.

3.2.3 Breaking operators infrastructure

Taking into account the attacks previously presented, a flood of signaling packets can easily be performed. A misbehaving HeNB can overload the network by sending fake signaling messages such as Location Update Request, which only requires knowledge of the IMSI of the UE. By using a single femtocell the attacker has the advantage that the source of the signaling can change between all the UEs joined to the same HeNB. This allows bypassing the traffic control done by the network to mitigate this kind of attack coming from a single UE. Furthermore, if the attacker has a HeNB network under its control, as explained before, the overloading will result in a DoS attack on the whole network. A huge flood will bypass the restrictions and congest the mobile network, which cannot handle all the requests.

Flooding attacks are normally detected by monitoring the network traffic and detecting the source of a large number of packets; once the node is detected it is banned from the network. As described, the main problem of this attack is its capacity to avoid this detection by generating low amounts of traffic from a large number of remotely accessed nodes. Once the previously described attack, remotely controlling a HeNB, is mitigated, the current threat will be easily defeated.


Part II

PROPOSED METHODOLOGIES

With the background given in the previous part, in this second step the proposed methodologies are presented. Three main points of interest are covered in this part. Firstly, a new possible attack is presented. This attack discloses the location of a targeted UE; a mitigation technique is also proposed in Chapter 4. Regarding the anonymity attack previously presented, a novel multi-hop algorithm is implemented in the femtocell network. In Chapter 5 the algorithm is described, and simulation results in a software environment are provided and analyzed. In Chapter 6 an implementation of the graph coloring resource allocation algorithm is made and explained. A small modification is introduced to the already existing method; this modification allows a more optimal resource allocation. In Chapter 7 the conclusions of the work are given and further work is also proposed.


4 USER ENVIRONMENT LOCATION PRIVACY

4.1 location disclosure

With a smartphone in users' pockets, many services have appeared where the location is used for setting up the service. In previous scenarios the user is able to decide whether or not to share his or her location with the application, or is at least advised that the location is going to be used. With the implementation of femtocells some services based on user location are also proposed; in these cases the user also chooses to turn these services on or off. This choice is not available in a HeNB, since the UE is not going to inform the user when joining one of the FAPs. Since the femtocell antennas can be corrupted and the coverage area of the HeNB is reduced, an attacker will be able to know who is connected to the femtocell and furthermore get the UE location with an accuracy of 20 to 30 meters.

Figure 8: Tracking threat. Panels: (a) Femtocells Realistic Scenario, (b) Remotely Corrupted HeNB, (c) Notifications Sending, (d) Path recovery.

In Figure 8 a real-scale scenario is presented. Each hexagon represents a randomly deployed HeNB inside a building. It can be seen that the location is accurate enough, for example, to distinguish which shop the victim has entered. This location disclosure can occur when an attacker deploys a rogue FAP or gains access to one. But more interesting information for the attackers is not only the location but also the path followed by a targeted user.

As described in [6], an attacker is able to remotely control a group of HeNBs. This gives the chance to get a notification each time a targeted UE joins one of the misbehaving femtocells. With this information the attacker is able to recover a potential path followed by the user. Not only the location is disclosed but also the joining time, which allows the attacker to know the order in which the victim visited those places.

The threat described here is a novel proposal of this work. As can be seen, it represents a huge privacy leakage and needs to be mitigated. An approach for reducing the impact of a possible tracking is presented in the next section.

4.2 tracking notification algorithm

Figure 9: Tracking detection process flow chart

The main objective of this proposal is to mitigate the location disclosure attack already explained. The aim of this approach is to inform the user that the device might be under a location tracking threat.

A traffic monitoring device in the backhaul connection is needed to analyze the packet flow between the device and the Internet. The analysis of the traffic has to be done by the HeNB at the same time as it is processing new joining requests and all the data transfers. Since the number of users in a femtocell is typically between 1 and 16, this increase in computational operations can be afforded by the HeNB. In Figure 9 the algorithm block diagram is presented. Once the handover process is over, by monitoring the backhaul interface the FAP can decide whether the user should join again. If, after the user re-joins, the same kind of packets appear on the backhaul link, a pop-up message appears on the user's device advising that its location might be compromised. An application like the one proposed by iSEC Partners [4], which attempts to refuse femtocell connections, can be run after that notification appears.

The information correlation operation is the key point of the algorithm. A learning function is needed to follow the evolution of the attackers' threats. Updates with the known threats have to be delivered through the backhaul connection. Sharing new possible threats with the network in order to identify them is also mandatory. Improving this block of the algorithm with all these features remains a challenge for future work.
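One way the correlation step could look, as an added example that is not the report's own algorithm: "same kind of packet" is approximated by a (destination, size) signature, and traffic that also occurs outside join windows is treated as background. The window length, the expected-endpoint list and all packets below are constructed assumptions.

```python
# Added example: join-correlated backhaul traffic check for one UE.
# Hosts, sizes, times and thresholds below are constructed for illustration.
from collections import namedtuple

Packet = namedtuple("Packet", "t dst size")   # one packet leaving the FAP on the backhaul

WINDOW_S = 2.0                        # assumed: seconds after a join attributed to that join
EXPECTED = {"segw.operator.example"}  # assumed: endpoints the FAP legitimately talks to


def signature(p):
    """'Same kind of packet' is approximated here by (destination, size)."""
    return (p.dst, p.size)


def after_join(packets, join_t):
    """Signatures sent to unexpected endpoints shortly after a join."""
    return {signature(p) for p in packets
            if join_t <= p.t <= join_t + WINDOW_S and p.dst not in EXPECTED}


def background(packets, joins):
    """Signatures also seen outside every join window: periodic, not join-triggered."""
    return {signature(p) for p in packets
            if not any(j <= p.t <= j + WINDOW_S for j in joins)}


def verdict(packets, joins):
    """joins: join times of one UE on this FAP (first join, then the re-join, if any).

    Returns (decision, signatures) with decision in {"ok", "rejoin", "notify"}.
    """
    if not joins:
        return ("ok", set())
    suspicious = after_join(packets, joins[0]) - background(packets, joins)
    if not suspicious:
        return ("ok", set())
    if len(joins) < 2:
        return ("rejoin", suspicious)     # ask the UE to join again and keep watching
    repeated = suspicious & after_join(packets, joins[1])
    return ("notify", repeated) if repeated else ("ok", set())


# Constructed backhaul capture: the UE joins at t=10.0 and re-joins at t=40.0.
BACKHAUL = [
    Packet(0.5,  "segw.operator.example", 120),
    Packet(10.3, "203.0.113.7", 96),      # appears right after the first join
    Packet(10.4, "segw.operator.example", 120),
    Packet(10.8, "198.51.100.9", 512),    # periodic traffic that happens to fall in the window
    Packet(25.0, "198.51.100.9", 512),
    Packet(40.2, "203.0.113.7", 96),      # appears again right after the re-join
    Packet(40.9, "198.51.100.9", 512),
]

if __name__ == "__main__":
    before_rejoin = [p for p in BACKHAUL if p.t < 40.0]
    print(verdict(before_rejoin, [10.0]))     # first pass: request a re-join
    print(verdict(BACKHAUL, [10.0, 40.0]))    # second pass: notify the user
```

The periodic flow to 198.51.100.9 falls inside both join windows but is discarded because it also appears at t=25.0, away from any join.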


5 USER ANONYMITY

5.1 multi hops algorithm

To provide privacy to the sender, this algorithm ensures that each packet sent is scheduled to travel between the users of the same femtocell before going out to the Internet. These operations are made totally at random; the FAP is in charge of calculating the next destination node using a random function. In Listing 1 a pseudo-code approach for developing this algorithm is proposed; no extra hardware is needed to run this algorithm.

    # Define Tmax
    # Define Tmin
    Tstamp = rand(Tmin, Tmax);
    while (Tstamp != 0) {
        list[] = Listing all users;
        i = rand(0, length(list));
        Send packet to list[i];
        wait(Same packet Rx);
        Refresh Tstamp;
    }
    Send packet to Internet;

Listing 1: MhA pseudo-code

The Tstamp value has to be generated at random by the sender within the bounds fixed by Tmax and Tmin. These parameters are defined as the maximum and minimum timestamp values, and they vary according to the packet type and the network performance. Possible values are given in the next section from simulation results. The FAP is responsible for synchronizing all users and for listing the available users connected to the femtocell. Furthermore, this non-disclosed table is stored in the FAP. Other users in the network only have to send the packets back to the FAP so that it can go on with the algorithm.

5.2 simulation

NetSim™ v.7¹ is the software tool used to evaluate the performance of the proposed algorithm. All the configuration parameters described below can be modified with this software. For performance evaluation, the average number of reflections per packet and the average time spent in the femtocell are measured for different Tstamp values. A discussion of the results is provided at the end of this section.

¹ Registered trademark. Stochastic discrete event simulator, developed by Tetcos in collaboration with the Indian Institute of Science.


5.2.1 Scenario Setup

A.) Network Parameters: Only one femtocell is considered for the simulation. The Alcatel-Lucent 9361 home cell v2 is used as the model for the FAP. The femtocell includes 15 users inside its coverage radius, which is 25 meters. During the simulation period all users remain inside the femtocell, since users staying at home or in the office will not move out for long periods. GSM is proposed as the cellular standard protocol. No indoor path-loss model is proposed, since in real-time traffic a packet retransmission might not be feasible. A summary of the simulation parameters is presented in Table 2.

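| Group | Parameter | Value |
|---|---|---|
| Network parameters | Cellular Protocol | GSM |
| Network parameters | Number of Users | 15 |
| Mobility parameters | Restricted in HeNB coverage | 25 m |
| Mobility parameters | User speed | 0.5 m/s |
| Demand generation parameters | Voice packet size | 300 bytes |
| Demand generation parameters | Voice packet generation | 20 ms |
| Demand generation parameters | Voice data rate | 13.3 kbps |
| Demand generation parameters | Underlying data rate | 270 kbps |
| Demand generation parameters | Ongoing calls | 4 |
| Transmission parameters | Listening bands | 1900 MHz, 850 MHz |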

Table 2: Simulation Parameters Summary

B.) Packet Transmission: Channels are created by distributing all the available bandwidth in slots of the same width. In order to reduce the delay caused by channel set-up, a channel preallocation method is used. The FAP is therefore in charge of assigning each user a channel in advance.

C.) Time Stamp Ranges: According to the literature a phone call can handle a delay of up to 400 ms. As presented in [9], the average time a packet spends travelling through the Internet is 200 ms. Since the packet also has to travel through the MCN, some guard time should be kept. With these considerations, two different time stamp ranges are proposed and simulated. First Tstamp is randomly selected between 10 and 30 milliseconds, then an extended range up to 60 milliseconds is used.
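The following Python model of Listing 1 is an added example, not code from the report or from NetSim. It routes packets for both Tstamp ranges with the 15 users of Table 2 and reports reflections, distinct relays and the guard time left from the 400 ms call budget. The 2 to 4 ms per-hop round trip, the reading of "Refresh Tstamp" as subtracting the elapsed time, and all function names are assumptions, so the figures it prints are not the NetSim results.

```python
import random
import statistics

N_USERS = 15             # users inside the femtocell (Table 2)
INTERNET_MS = 200.0      # average Internet transit time quoted from [9]
CALL_BUDGET_MS = 400.0   # delay a phone call can handle, per the text


def hop_rtt_ms(rng):
    """FAP -> user -> FAP round trip. The 2-4 ms range is an assumption."""
    return rng.uniform(2.0, 4.0)


def route_packet(rng, t_min, t_max):
    """Follow Listing 1 for one packet; return (relays, ms spent in the femtocell)."""
    tstamp = rng.uniform(t_min, t_max)           # Tstamp = rand(Tmin, Tmax)
    relays, elapsed = [], 0.0
    # Listing 1 tests Tstamp != 0; with real-valued time the budget is
    # treated as exhausted once it drops to zero or below.
    while tstamp > 0:
        relays.append(rng.randrange(N_USERS))    # i = rand(0, length(list))
        rtt = hop_rtt_ms(rng)                    # wait(Same packet Rx)
        elapsed += rtt
        tstamp -= rtt                            # Refresh Tstamp (assumed meaning)
    return relays, elapsed                       # packet now leaves for the Internet


def simulate(t_min, t_max, packets=5000, seed=1):
    """Route `packets` packets with a seeded generator and summarise them."""
    rng = random.Random(seed)
    runs = [route_packet(rng, t_min, t_max) for _ in range(packets)]
    reflections = [len(relays) for relays, _ in runs]
    delays = [delay for _, delay in runs]
    worst_end_to_end = max(delays) + INTERNET_MS
    return {
        "mean_reflections": statistics.mean(reflections),
        "min_reflections": min(reflections),
        # How many different users handled the packet before it left the cell.
        "mean_distinct_relays": statistics.mean(len(set(r)) for r, _ in runs),
        "mean_delay_ms": statistics.mean(delays),
        "max_delay_ms": max(delays),
        "guard_ms": CALL_BUDGET_MS - worst_end_to_end,
    }


if __name__ == "__main__":
    for lo, hi in ((10, 30), (10, 60)):
        print((lo, hi), simulate(lo, hi))
```

Because the last hop can overrun the drawn budget by at most one round trip, the in-cell delay stays below Tmax plus the longest hop, which is what bounds the guard time.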


5.2.2 Results

Simulation results are presented in this section. The direct results obtained from the simulations are presented in Table 2 and Table 3. Probability density functions (p.d.f.) are graphed in Figure 10 and Figure 11. Sim1 and Sim2 are used to refer to the Tstamp=(10,30) and Tstamp=(10,60) simulations respectively.

| | Tstamp=[10,30] | Tstamp=[10,60] |
|---|---|---|
| Records | 8919 | 6067 |
| Mean | 4.0189 | 7.6949 |
| Std Dev | 2.3289 | 5.2575 |
| Min. | 1 | 1 |
| Max. | 13 | 26 |
| Median | 4 | 7 |

Table 3: Number of reflections

The mean number of reflections in Sim1 is 4 and in Sim2 7. This means that by doubling the Tstamp we achieve a little less than double the reflections. Furthermore, Figure 10 shows that in Sim2 the probability density function is flatter, which means that the number of reflections is more random than in Sim1.

Figure 10: MhA Number of Reflections p.d.f

Figure 10 shows how for Sim1 the probability of having more than 5 reflections decreases very fast, while for Sim2 the probability decreases gently, giving higher values for more than 8 reflections. As expected, in terms of number of reflections the best choice is the largest range of Tstamp values. Further work is needed to find out the number of hops required to ensure that an attacker cannot single out the sending user.

| | Tstamp=[10,30] | Tstamp=[10,60] |
|---|---|---|
| Records | 8919 | 6067 |
| Mean | 12.9382 | 22.8935 |
| Std Dev | 5.9170 | 13.7755 |
| Min. | 0.5200 | 0.5400 |
| Max. | 28.1800 | 57.2900 |
| Median | 12.3800 | 20.3100 |

Table 4: Time inside the HeNB

Observing the mean, it is clear that by doubling the Tstamp range we are not doubling the time inside the femtocell. Figure 11 shows graphically how the probability of getting low delays in Sim2 is not far from that obtained in Sim1. Analysing the delay obtained in Sim2, it can be calculated that in 90% of the cases a delay under 43.7 ms is introduced. This delay could be afforded by the proposed network architecture.

Figure 11: MhA Introduced Delay p.d.f

By using the largest Tstamp range, the average time for the packet transmission will be lower than 260 ms in the worst delay case. This gives us a guard time of 400 ms − 260 ms = 140 ms, which seems to be enough for the voice data transmission. With the obtained results it can be concluded that the largest Tstamp range is the better choice. Moreover, the algorithm becomes more robust if the delay is increased, but the relation is not linear, since the robustness rises faster.


6 RESOURCE ALLOCATION

Presented by Qian Zhang et al. in [14], this novel resource allocation algorithm is based on graph coloring techniques. In this chapter the algorithm is explained and implemented, and an improvement is made to enhance its performance. Since the number of resources might be preallocated or not large enough, the algorithm proposed here takes the interference grade into account in order to make the nodes with the lowest interference share the same resource.

6.1 graph formation

This is the first of three steps for allocating the resources. The network has to find out the identity of the nodes which are interfering with other nodes. To do that, each node in the network must have a unique node identifier.

Then each HeNB has to calculate the interference, for which the collaboration of the UEs connected to each HeNB is needed. Each UE calculates the power of the signal received from its serving base station (RSRPi). In [14] only one UE per HeNB is assumed; in this work more UEs can sense the interference. The HeNB has to collect all the information and create a list in which the id of each interfering HeNB is mapped to the maximum value of that interference reported by the UEs. The UE considers there to be interference if the received signal from the j-HeNB (RSRPj) is a certain threshold (Ith) greater than the received signal from the HeNB to which it is connected (RSRPi). This is calculated as shown in Equation 1, and only if the interference is greater than the threshold will it be sent as interference to the HeNB.

$$RSRP_i - RSRP_j = I_{ij} < I_{th} \tag{1}$$

Once the HeNB has collected the interference, the list has to be shared with all the neighbors, who will also send their own lists. With this information and the mapping between id and node number, provided from the backhaul network by the operator, each HeNB is able to generate the matrix shown in Equation 2. This is an n-dimensional square matrix, where n is the number of nodes inside the same eNB coverage area. Each position Iij represents the interference between node i and node j; the matrix diagonal is 0 since Iii = 0.

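$$
\mathrm{Links} =
\begin{pmatrix}
I_{1,1} & I_{1,2} & \cdots & I_{1,n} \\
I_{2,1} & I_{2,2} & \cdots & I_{2,n} \\
\vdots & \vdots & \ddots & \vdots \\
I_{n,1} & I_{n,2} & \cdots & I_{n,n}
\end{pmatrix}
\tag{2}
$$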


Another property of the Links matrix is its symmetry, because the value of interference for each pair of positions (ji, ij) is chosen following the expression max[Iij, Iji]. This is done to ease the calculations: since we want to reduce the interference by allocating different resources to adjacent nodes, it does not matter whether the interference comes from one direction or both.

6.2 graph coloring

The second step of the resource allocation is the core of the algorithm and its main difference. A brief introduction to graph coloring techniques is given below.

Graph Coloring: These algorithms are used to color a graph (G) such that linked vertices of the graph are not painted with the same color; this is also known as proper vertex coloring. The number of colors needed depends on each graph, and the minimum number of colors for a graph is known as its chromatic number (χ(G)). The graph coloring problem has two main phases. First we have to determine the chromatic number, which minimizes the number of colors used for coloring. This number will be referred to as k. Once we know that G is k-colorable, we have to implement the graph colorization.

For resource allocation a sequential graph coloring is used. For that kind of coloring it is essential that the nodes are enumerated and that all nodes have the same color selection sequence. Another consideration is introduced here: the number of resources (nres) might be set by the network administrator, the carrier. If nres < k, an interference-level-based factor is introduced for coloring the graph. When the algorithm leads node i to color nres + 1 in its color sequence, node i will be painted in the same color as the least interfering node that is already colored.

6.3 algorithm implementation

Matlab R2013a (8.1.0.604) for Mac is the version used.

Matlab is used as a tool for implementing and evaluating the proposed algorithm. Two functions are implemented. The first one, colorize, is the sequential coloring algorithm itself, which has been described in the previous section.

The second function, chromnum, is in charge of finding the chromatic number for a given G, which means minimizing the number of colors used for coloring the graph. Both functions are described below, then the results are presented and evaluated.

6.3.1 Coloring Algorithm

The colorize function implements the code for the described algorithm. This function uses the matrix of connections between the nodes, M, which is as described in Equation 2. The other input is the number of available colors (numcol), or in other words the number of resources available in the network. The output is a vector named painted containing in each position (i) the color assigned to node i.

Notice that this function always uses the minimum number of colors; for example, if the user assigns 4 colors but the algorithm never reaches the 4th color, it will not be used. On the other hand, the number of colors used might not be χ(G); optimization techniques need to be implemented to obtain the minimum value.

```matlab
function painted = colorize(M, numcol)
numnod = length(M(:,1));
painted = NaN(1, numnod);            % NaN marks a node not yet colored
if (numcol == 1)
    painted = ones(1, numnod);       % single resource: every node shares color 1
else
    for ni = 1:numnod
        links = M(ni,:);
        alinks = links > 0;          % neighbors of node ni
        c = 1;
        % first color not used by an already colored neighbor
        while (~isempty(find(painted(alinks) == c)) ...
                && c <= numcol)
            c = c + 1;
        end
        if (c > numcol)
            % out of resources: reuse the color of the colored neighbor
            % with the largest link value
            links(~links) = nan;     % ignore non-neighbors
            [~, y] = max(links);
            c = painted(y);
            while (isnan(c))         % skip neighbors that are still uncolored
                links(y) = 0;
                [~, y] = max(links);
                c = painted(y);
            end
        end
        painted(ni) = c;
    end
end
end
```

Listing 2: Colorizing Function Matlab Code

6.3.2 Coloring Optimization

In order to minimize the number of resources used, the coloring algorithm has to use the minimum number of colors. The function chromnum implements a basic minimization technique, which consists of performing the colorization using different nodes of the graph as the starting point. Since the algorithm used is sequential coloring, this technique is able to reduce the number of colors to the minimum required.

The Links (L) matrix is required as input, and the output of this function is a vector [node,k], where k is the minimum number of colors required. The node from which the colorization should start is stored in node.


```matlab
function [node, k] = chromnum(L)
paint = zeros(1, length(L(:,1)));    % colors used for each starting node
i = 1;
while (i <= length(L(:,1)))
    paint(i) = max(colorize(L, 8));  % colors needed when starting at node i
    i = i + 1;
    % rotate columns and rows so the next node becomes the first one
    L = [L(:,2:end) L(:,1:1)];
    L = [L(2:end,:); L(1:1,:)];
end
[k, node] = min(paint);
end
```

Listing 3: Minimization Function Matlab Code

The key point of this function is to swap the order of the columns and rows of the Links matrix so that the next coloring starts from the next node. The transformation needed when we want to start the colorization from node i can be seen in Equation 3. As presented, node i is now the first node, in terms of rows and columns.

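$$
\begin{pmatrix}
I_{1,1} & \cdots & I_{1,i} & \cdots & I_{1,n} \\
I_{2,1} & \cdots & I_{2,i} & \cdots & I_{2,n} \\
\vdots & \ddots & \vdots & \ddots & \vdots \\
I_{i,1} & \cdots & I_{i,i} & \cdots & I_{i,n} \\
\vdots & \ddots & \vdots & \ddots & \vdots \\
I_{n,1} & \cdots & I_{n,i} & \cdots & I_{n,n}
\end{pmatrix}
\longrightarrow
\begin{pmatrix}
I_{i,i} & \cdots & I_{i,n} & \cdots & I_{i,i-1} \\
I_{i+1,i} & \cdots & I_{i+1,n} & \cdots & I_{i+1,i-1} \\
\vdots & \ddots & \vdots & \ddots & \vdots \\
I_{1,i} & \cdots & I_{1,n} & \cdots & I_{1,i-1} \\
\vdots & \ddots & \vdots & \ddots & \vdots \\
I_{i-1,i} & \cdots & I_{i-1,n} & \cdots & I_{i-1,i-1}
\end{pmatrix}
\tag{3}
$$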

6.3.3 Results Evaluation

To evaluate the performance of the algorithm, it has been executed in Matlab. A GUI has been created to make the creation of the Links matrix more user-friendly. Since Matlab is only a mathematical tool and not a transmission simulator, the distance between each pair of interfering nodes is used instead of the interference value given in Equation 1. This gives a good approximation, since the interference caused depends directly on the distance between nodes.

A simple example of a possible scenario for the algorithm is given below; the different steps can be seen in Figure 12.

Equation 4 is the Links matrix resulting from the topology drawn in Figure 12a. As expected, the matrix is symmetric and 0-diagonal, and different distance values are shown in it.

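$$
\mathrm{Links} =
\begin{pmatrix}
0.00 & 6.88 & 0.00 & 0.00 & 7.28 & 0 \\
6.88 & 0.00 & 0.00 & 0.00 & 6.20 & 0.00 \\
0.00 & 0.00 & 0.00 & 11.52 & 5.74 & 7.86 \\
0.00 & 0.00 & 11.52 & 0.00 & 0.00 & 12.23 \\
7.28 & 6.20 & 5.74 & 0.00 & 0.00 & 5.99 \\
0.00 & 0.00 & 7.86 & 12.23 & 5.99 & 0.00
\end{pmatrix}
\tag{4}
$$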


First the coloring function is run using 3 colors as the maximum number of resources available. The result is shown in Figure 12b: as the coloring has started from node 1, when it reaches the last node no more colors are available. That makes node 6 share a resource with the furthest node, in this case node 4 (d46 = 12.23). As a result of this simulation, the network might add another resource in order to avoid interference completely.

Once the minimization function is applied, the result obtained is shown in Figure 12c. In this case the same three colors as before are used, but by starting from a different node no resource is shared between interfering nodes.

(a) Uncolored interference graph

(b) No optimal Coloring, 3 resources (c) Coloring by optimization function

Figure 12: Graph coloring example.
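The two outcomes described for Equation 4 can be re-checked outside Matlab. The Python code below is an added example, not the report's own code: it colors the Equation 4 matrix from a chosen start node, lists linked nodes that end up sharing a resource, and searches all start nodes. The function names, the cyclic start order used in place of rotating the matrix, and the conflict report are additions made here.

```python
LINKS = [  # Equation 4: distances standing in for interference, 0 = no link
    [0.00, 6.88, 0.00, 0.00, 7.28, 0.00],
    [6.88, 0.00, 0.00, 0.00, 6.20, 0.00],
    [0.00, 0.00, 0.00, 11.52, 5.74, 7.86],
    [0.00, 0.00, 11.52, 0.00, 0.00, 12.23],
    [7.28, 6.20, 5.74, 0.00, 0.00, 5.99],
    [0.00, 0.00, 7.86, 12.23, 5.99, 0.00],
]


def symmetrize(m):
    """Apply max[Iij, Iji] so a one-directional report still creates a link."""
    n = len(m)
    return [[max(m[i][j], m[j][i]) for j in range(n)] for i in range(n)]


def colorize(links, numcol, start=0):
    """Sequential coloring from node `start` (0-based); returns 1-based colors."""
    n = len(links)
    order = [(start + k) % n for k in range(n)]   # same visit order as rotating L
    painted = [None] * n
    for node in order:
        colored = [j for j in range(n) if links[node][j] > 0 and painted[j]]
        used = {painted[j] for j in colored}
        color = next((c for c in range(1, numcol + 1) if c not in used), None)
        if color is None:
            # Out of resources: share with the colored neighbour that has the
            # largest link value (largest distance = least interference here).
            color = painted[max(colored, key=lambda j: links[node][j])]
        painted[node] = color
    return painted


def conflicts(links, painted):
    """Linked node pairs (1-based) that were given the same resource."""
    n = len(links)
    return [(i + 1, j + 1) for i in range(n) for j in range(i + 1, n)
            if links[i][j] > 0 and painted[i] == painted[j]]


def best_start(links, numcol):
    """Try every start node; prefer fewest conflicts, then fewest colors."""
    results = []
    for s in range(len(links)):
        p = colorize(links, numcol, s)
        results.append((len(conflicts(links, p)), max(p), s + 1, p))
    return min(results)   # (conflicts, colors used, 1-based start node, coloring)


if __name__ == "__main__":
    first = colorize(LINKS, 3)
    print("start at node 1:", first, "shared by linked nodes:", conflicts(LINKS, first))
    print("best start:", best_start(LINKS, 3))
```

Starting at node 1 reproduces the sharing between nodes 4 and 6 described for Figure 12b, and the search finds a start node for which three colors leave no linked pair sharing a resource.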


7 CONCLUSIONS

Femtocells are the solution adopted by network operators to handle throughput and coverage requirements. The standardization of these devices was introduced only two years ago; since then the market has grown fast, but many issues are still open. Femtocells give the end user the opportunity to be a part of the main network, which really challenges the operators, who are in charge of ensuring that these users are not able to corrupt the entire network. This brings the mobile network to a scenario similar to that of the Internet: operators have to update their security systems very often in order to keep attackers out. This is a huge disadvantage in terms of user security and new potential attacks, but on the other hand many solutions already exist; adapting them to femtocells is what is needed nowadays.

Regarding this adaptation process, in this work the multi hops concept is introduced in the femtocell network. This provides anonymity against external sniffing from the HeNB. The evaluation shows low delay values, affordable for the network. Further work is needed to test the technique in a real network to check the performance.

The location disclosure presented in this work is a clear example of how new security threats will frequently appear in the femtocell network. A description of the attack and a possible approach for mitigating it have been given in this document. New techniques for avoiding these kinds of attacks, instead of just notifying about them, need to be created in future work.

Femtocells are the fruit of several years' work; complex techniques are applied to achieve the objectives in terms of interference management and frequency reuse. The set of techniques is large and some of them are only in their first versions. The current work has improved one of these resource allocation techniques, enhancing the performance of the current algorithm. The implementation of this improvement in a real network has to be done in order to complete the deployment phase.

Femtocells are the future, even though some voices in the community are against them on account of all the security problems. This work attempted to demonstrate a few solutions for identified security threats. Users need to be aware of the vulnerabilities, and the research community is responsible for changing this fact.


BIBLIOGRAPHY

[1] 3rd Generation Partnership Project. Tr 23.830, technical specification group services and system aspects; architecture aspects of home nodeb and home enodeb. Technical report, 3GPP, 2009.

[2] 3rd Generation Partnership Project. Tr 33.820 v8.3.0, technical specification group service and system aspects; security of h(e)nb. Technical report, 3GPP, 2009.

[3] Zubin Bharucha. Femto-to-macro control channel interference mitigation via cell id manipulation in lte. Vehicular Technology Conference (VTC Fall), 2011.

[4] Doug DePerry, Tom Ritter, and Andrew Rahimi. Traffic interception and remote mobile phone cloning with a compromised cdma femtocell. Black Hat Conference, 2013. https://www.isecpartners.com/blog/2013/august/femtocell-presentation-slides-videos-and-app.aspx.

[5] The Small Cell Forum. Small Cell Market Status. Informa Telecoms and Media Editor, 2013.

[6] Nico Golde, Kèvin Redon, and Ravishankar Borgaonkar. Weaponizing femtocells: The effect of rogue devices on mobile telecommunication. 19th Annual Network and Distributed System Security Symposium, 2012.

[7] David Malone, Darren F. Kavanagh, and Niall R. Murphy. Rogue femtocell owners: How mallory can monitor my devices. The 5th IEEE International Traffic Monitoring and Analysis Workshop, 2013.

[8] Hanaa Marshoud, Hadi Otrok, Hassan Barada, and Zbigniew Dziong Rebeca Estrada. Genetic Algorithm Based Resource Allocation and Interference Mitigation for OFDMA Macrocell-Femtocells Networks. IFIP WMNC, 2013.

[9] Ayaskant Rath and Shivendra Panwar. Fast handover in cellular networks with femtocells. International Conference on Communications (ICC), 2012.

[10] Nazmus Saquib, Ekram Hossain, Long Bao Le, and Dong In Kim. Interference management in ofdma femtocell networks: Issues and approaches. Wireless Communications, IEEE (Volume: 19, Issue: 3), 2012.

[11] Takeshi Terayama, Hidehiko Ohyane, Goichi Sato, and Takuya Takimoto. Femtocell technologies for providing new services at home. NTT DOCOMO Technical Journal Vol. 11 No. 4, 2011.


[12] A. Tyrrell, F. Zdarsky, E. Mino, and M. Lopez. Use cases, enablers and requirements for evolved femtocells. 73rd Vehicular Technology Conference (VTC Spring), pages 1–5, 2011.

[13] Marcus Wong. Femtocells: Secure Communication and Networking. River Publishers, 2014.

[14] Qian Zhang, Xinning Zhu, Leijia Wu, and Kumbesan Sandrasegaran. A coloring-based resource allocation for ofdma femtocell networks. Wireless Communications and Networking Conference (WCNC), 2013.