Channel-Based Intrusion Detection at the LTE Physical Layer

BJARKI MÁR BENEDIKTSSON

Degree project in Electrical Engineering, second cycle, 30 credits
KTH Royal Institute of Technology, School of Electrical Engineering and Computer Science
Stockholm, Sweden 2019


Abstract

Long Term Evolution (LTE) is the most widespread cellular technology around the globe. An LTE device must communicate with base stations without encryption and authentication before a connection to a network is established and security steps executed. During that period the device is vulnerable to attacks from rogue base stations; that is, transmitters set up by adversaries to imitate legitimate base stations. The received LTE signals have physical layer properties, such as Channel State Information (CSI) and Carrier Frequency Offset (CFO), which can be utilized to distinguish between legitimate transmissions and illegitimate ones. A method to detect intrusions based on CSI using a Kalman filter and a hypothesis test is studied in this thesis and its performance evaluated.

Downlink LTE signals are collected from genuine LTE base stations in a 2x2 Multiple-Input Multiple-Output (MIMO) system using Universal Software Radio Peripherals (USRPs) and Software Defined Radio (SDR). Measurements performed at different frequency bands (i.e., different operators) are used to represent signals from a legitimate transmitter and attackers. The performance of the proposed scheme is evaluated by comparing the acceptance rate of symbols from the legitimate transmitter and the attacker. Additionally, the effects of errors due to false alarms and missed detection are explored. The filtering based intrusion detection shows improved performance compared to a non-filtering CSI based approach.


Summary

Long Term Evolution (LTE) is the most widespread technology for mobile communication around the world. Before a connection to a network is established and the subsequent security steps are carried out, an LTE device must communicate with the base station without encryption and authentication. During that period the device is vulnerable to attacks from so-called false base stations, that is, transmitters set up with the purpose of imitating legitimate base stations. Received LTE signals possess certain physical properties related to the wireless channel and the transmitter hardware, for example Channel State Information (CSI) and Carrier Frequency Offset (CFO), which can be exploited to distinguish between legitimate and illegitimate messages. A method for detecting intrusions based on CSI with the help of a Kalman filter and a hypothesis test is studied in this thesis and its performance is evaluated.

Downlink LTE signals are collected from genuine LTE base stations in a 2x2 Multiple-Input Multiple-Output (MIMO) system with Universal Software Radio Peripherals (USRPs) and Software Defined Radio (SDR). Measurements performed at different frequency bands (i.e., different operators) are used to represent signals from a legitimate and a false transmitter, respectively. The performance of the proposed method is evaluated by comparing the acceptance rate of symbols from the legitimate transmitter and from the false base station. In addition, the effects of erroneous decisions in the detection method (of type 1 and type 2) are evaluated. The filter-based method for detecting false base stations shows improved performance compared with a non-filtering CSI-based method.


Contents

List of Acronyms

List of Figures

List of Tables

1 Introduction
1.1 Introduction
1.2 Related Work
1.3 Thesis Outline

2 Background
2.1 Vulnerabilities in LTE
2.2 Physical Layer Authentication
2.3 LTE
2.4 Kalman Filter
2.5 Sustainability and Ethical Concerns

3 Method
3.1 System Model
3.2 Experimental Setup and Data Acquisition
3.2.1 CSI Estimation and Processing
3.3 Intrusion Detection Scheme
3.4 Simulating Attacks
3.4.1 Markov Intrusion Model

4 Results and Discussion
4.1 Filter Updated for Every Symbol
4.2 Effect of Only Updating for Accepted Symbols
4.3 Markov Intrusion Model
4.4 Antenna Separation
4.5 Discussion

5 Conclusions and Summary
5.1 Future Work


List of Acronyms

3GPP The 3rd Generation Partnership Project

5G NR 5G New Radio

CFO Carrier Frequency Offset

CP Cyclic prefix

CSI Channel State Information

eNB Evolved Node B

IMSI International Mobile Subscriber Identity

ISI Intersymbol interference

LTE Long Term Evolution

LTE-A Long Term Evolution-Advanced

MIB Master Information Block

MIMO Multiple-Input Multiple-Output

OFDM Orthogonal Frequency Division Multiplexing

PBCH Physical Broadcast Channel

PSS Primary Synchronization Sequence

RG Resource Grid

ROC Receiver operating characteristic

RRC Radio Resource Control

SDR Software Defined Radio

SIB System Information Block

SNR Signal-to-Noise Ratio

SSS Secondary Synchronization Sequence

UE User Equipment

USRP Universal Software Radio Peripheral

WSSUS Wide-sense Stationary Uncorrelated Scattering


List of Figures

2.1 Alice, Bob and Eve.
2.2 The LTE resource grid for 1.4 MHz bandwidth.

3.1 The GNURadio flowchart used to collect raw I-Q data.
3.2 The experimental setup.
3.3 An overview of the data collection and CSI processing.
3.4 The CSI phase before and after correction.
3.5 How the filtering and hypothesis testing is performed.
3.6 The USRP receiver and eNBs representing Alice and Eve.
3.7 Filtering based on Alice and updating the filter for every symbol.
3.8 Filtering based on Alice, updating the filter for accepted symbols.
3.9 A simple Markov chain intrusion model.
3.10 Filtering Markov generated CSI.

4.1 Acceptance rate comparison between a filtering system and a non-filtering system.
4.2 ROC curve comparison of a filtering system and a non-filtering system.
4.3 A logarithmic scale ROC with false negative rate against the false positive rate.
4.4 Comparing the acceptance rate, and ROC curves of a filter that only updates for accepted symbols (whole line) vs. the filter that updates for every symbol (dashed line).
4.5 The acceptance rate difference of the two filters for three different measurements.
4.6 Acceptance rate of the filter using the Markov generated intrusions.
4.7 The ROC curve compared to an ROC curve from random decisions.
4.8 Acceptance rate of the filter using the Markov generated intrusions with a high probability of attacks.
4.9 Correlation of CSI of two transmit/receiver antenna pairs.


List of Tables

2.1 Possible outcomes from the hypothesis test.
2.2 LTE channel parameters.

3.1 The measurement configuration parameters.

4.1 The centre frequencies of the base stations used to represent Alice, Eve 1 and Eve 2.


Chapter 1

Introduction

1.1 Introduction

Wireless communications serve an important role in the day to day lives of people. Individuals around the globe are used to having access to all of the information of the internet at any time in any location due to their mobile devices being connected to cellular networks. The most common cellular technology today is the Long Term Evolution (LTE) standard, which was developed by The 3rd Generation Partnership Project (3GPP) to fulfil the requirements of 4G communication systems. It offers higher data rate and spectral efficiency than previous cellular technologies. In addition to serving an important role in the day to day lives of people, LTE is also used in scenarios where reliable communications are required, e.g. to broadcast emergency information, such as announcing natural disasters and other crises [1].

Security is an increasing concern in wireless communications as more sensitive information is transmitted wirelessly. Attacks against wireless communication systems can range from sniffing information, to jamming the communication channels, or to spoofing attacks, in which an attacker impersonates a device. Although LTE is more secure than earlier cellular technologies, it still faces threats due to its vulnerabilities. The security weaknesses of LTE and its successor 5G New Radio (5G NR) are evaluated in [1], [2], and some channels and signals in LTE are shown to be susceptible to jamming attacks. Location leaking attacks and denial of service attacks using readily available and inexpensive hardware are demonstrated in [3]. As attackers can use relatively cheap hardware to create a fake base station, there is a need for a robust authentication scheme.

In traditional authentication methods, communicating devices share their identities and use them to verify each other. Generally, encryption is set up simultaneously. This increases the security of the communication between them as sniffing and spoofing attacks are more difficult, at the cost of a transmission overhead. As the RF waves transmitted have properties which are intrinsic to the devices or are dependent on the channel environment, these properties can be manipulated to authenticate the transmitted messages. An authentication based on these properties is called physical layer authentication and can be implemented as an additional layer of security.


There are a number of different physical layer properties, e.g. Signal-to-Noise Ratio (SNR), Carrier Frequency Offset (CFO), Channel State Information (CSI), Channel Impulse Response, Angle-of-Arrival, signal transients, some of which are more suitable for authentication purposes than others. CFO is caused by differences in oscillator frequencies and motion induced Doppler shift, and in [4] a CFO based physical layer authentication scheme using a Kalman filter and a hypothesis test to accept and reject packets is presented. CSI is a physical layer property which describes how the signal propagates between the transmitter and receiver, and is the attribute that will be used for the intrusion detection scheme in this thesis. The complex CSI depends on multiple factors, such as how the signal scatters, fades and attenuates. Small changes in the communication environment can have a drastic effect on the CSI, especially its phase. S. Yousefi et al. [5] have shown that the CSI of WiFi signals can be used to categorize human behaviour.

The goal of the thesis is to filter CSI measured from real LTE base stations to distinguish between a legitimate transmitter and an attacker. To accomplish that, a Kalman filter is used to track the CSI and then a binary hypothesis test is used to decide if the signal comes from a legitimate transmitter or an attacker. The Kalman filter is widely used for various applications. It is an algorithm that provides estimates of unknown variables given noisy observations. It does not need to store previous states as it only needs the current observation, a previously calculated state and a covariance matrix. That is, the filter takes a current noisy measurement of the CSI, uses it, the previous state and its covariance to predict the correct CSI. Then it updates its state and covariance. A hypothesis test is used to make a decision based on the predicted state from the filter. A test statistic is calculated and compared to a threshold. There are a few possible outcomes of the hypothesis test, e.g. a false positive or true negative. These are metrics that will be used to evaluate the performance of the filter.

Downlink LTE data is captured from several LTE base stations using open source Software Defined Radio (SDR) and Universal Software Radio Peripherals (USRPs) from Ettus Research. LTE is chosen as it is widely used, it is possible to collect downlink data from real base stations, eliminating the need to set up own transmitters, and LTE has several vulnerabilities, which are discussed in more detail in the next chapter. Although the authentication system is developed using an LTE system, the Kalman filtering based authentication approach could be altered to also work for systems using other protocols.

1.2 Related Work

Physical Layer Authentication is a current matter of research. L. Xiao et al. [6] introduce a physical layer authentication algorithm using channel probing and hypothesis testing to determine whether current and prior communication attempts are made by the same transmit terminal. It is assumed that the receiver first stores the frequency response of the channel between it and the legitimate transmit terminal, $H_A$. The channel is modelled as Wide-sense Stationary Uncorrelated Scattering (WSSUS). After some time it measures the frequency response of the channel, $H_t$, and has to decide whether the transmitting terminal is still the same. To decide, a hypothesis test is performed. The paper introduces a hypothesis test statistic, which is the basis for a test statistic used in this thesis.

W. Hou et al. [4] propose a novel physical layer authentication scheme based on time-varying CFO. The CFO is caused by a frequency mismatch between transmitter and receiver oscillators due to manufacturing imperfections, and a variable Doppler shift. The frequency oscillator mismatch can be considered constant but the mobility induced Doppler effect changes rapidly during transmission. The CFO is tracked with a Kalman filter and a hypothesis test is used to decide if the current data is from a legitimate transmitter or an illegitimate one. Simulation results are presented to demonstrate the effectiveness of the proposed scheme.

1.3 Thesis Outline

In this thesis, first relevant background material is covered in Chapter 2. It provides the motivation for intrusion detection at the physical layer in LTE, necessary theory for authentication and filtering, and an overview of the physical layer in LTE. Additionally, the effects on sustainability and possible ethical concerns are considered. The third chapter introduces the system model and data acquisition method. It details how the CSI is extracted and processed before filtering. The filtering process along with the hypothesis testing used to make decisions is presented. Finally, two methods of simulating attacks using downlink LTE signals are suggested. Chapter 4 presents results and a discussion. Lastly, the report is summarized in Chapter 5 along with concluding remarks and a discussion on possible future work based on the thesis.


Chapter 2

Background

This chapter introduces background concepts, such as authentication, physical layer authentication, hypothesis testing, LTE downlink, and Kalman filtering. These preliminaries provide the background knowledge necessary to understand the methods described in Chapter 3 and the motivation behind the thesis.

2.1 Vulnerabilities in LTE

Wireless communication is widely used, and for mobile users, LTE is currently the most used standard. In 2018 the number of LTE subscriptions reached 3.2 billion, accounting for over a third of all mobile subscriptions, and is expected to reach 5.6 billion subscriptions by 2022 [7]. With so many users, any security vulnerabilities pose a great threat.

M. Lichtman et al. [1] investigated the vulnerabilities of LTE due to RF jamming. Even though LTE was not designed as a mission-critical technology, cellular networks are used to broadcast emergency information and LTE is used as a public safety network in the US. They explore how vulnerable different LTE channels and signals are to jamming attacks. They conclude that the PSS, PUCCH, PCFICH, and PBCH are most susceptible to attacks in terms of efficiency and complexity. The jamming attack mitigation strategies suggested require changes to the LTE standard and the transmit/receive devices. In [2] the physical layer vulnerabilities of 5G NR, which is expected to overtake LTE, are explored. Due to the more dynamic nature of 5G NR, it is not as vulnerable to jamming attacks, but the PSS and PBCH are the weakest subsystems.

In [8], R. P. Jover explores vulnerabilities in modern LTE networks, and demonstrates the threat of attacks using readily available hardware and open source software. He argues that although LTE is generally considered secure given that it has mutual authentication and a strong encryption scheme, LTE networks are vulnerable to protocol exploits, location leaks and rogue base stations. Several types of attacks are presented, such as an LTE IMSI catcher, using a rogue Evolved Node B (eNB) to either temporarily block User Equipments (UEs) or force them to downgrade to a GSM network, and device tracking. A. Shaik et al. [3] demonstrate practical attacks against LTE networks using commercial LTE devices and real LTE networks. First they show location leak attacks, in which an LTE device is forced to reveal its location, e.g. by exploiting Radio Resource Control (RRC) vulnerabilities to accurately pinpoint a target user via GPS coordinates or trilateration. Secondly, they demonstrate denial of service attacks, for instance, by forcing user devices to use 2G or 3G networks instead of LTE. Countermeasures to the attacks are suggested, such as protecting public broadcast messages with a key.

2.2 Physical Layer Authentication

Both [3] and [8] exhibit modern attacks against LTE networks using accessible and affordable hardware. When an LTE device connects to a network, it has to communicate with base stations before authentication and encryption are established. The UE will communicate with eNBs that advertise themselves with the correct broadcast information, which can be easily sniffed. Therefore, UEs are vulnerable to attacks from rogue base stations until they connect to the network and the authentication and encryption steps of the connection have been carried out [8].

These types of attacks using rogue base stations could be mitigated if the UE were able to authenticate the broadcasted messages, i.e., make sure that the packets they receive originate from where they claim to originate from. In common terminology, the transmitter is called Alice, the receiver is called Bob, and the attacker is called Eve. To be sure that the received messages originate from Alice, Bob must authenticate them.

Figure 2.1: Alice, Bob and Eve [6].

Traditionally, authentication is performed at a higher level. In LTE the authentication is performed during an Attach Request procedure. The LTE device and the network confirm each other's identities [9]. If an adversary were to acquire these identities it could impersonate them. However, as the RF waves have properties that depend on channel environment, or are intrinsic to the transmitting and receiving devices, these properties can be used to authenticate the transmission. Physical layer authentication can add an additional layer of security if used in conjunction with traditional authentication methods as well as providing user security during the transmissions before authentication and encryption is set up in LTE. Another benefit of physical layer authentication is that it can continuously authenticate transmissions while traditional authentication methods only verify the identities once when a connection is established [4].

Physical Layer Authentication could be used to verify the broadcast transmissions from LTE base stations before the UE attaches to the network or used alongside a traditional authentication as an additional layer of security. The physical layer has several attributes, some suitable for authentication. SNR is dependent on the transmit power and the distance between transmitter and receiver. As a transmitter transmits at a certain power, the received signal should have SNR of some expected level assuming the channel noise is known. However, as the SNR can be manipulated by changing the transmit power, an intruder can impersonate a transmitter by altering its own transmit power. Therefore SNR is not useful on its own for physical layer authentication.

Several physical layer attributes have been used in research of authentication at the physical layer. Some of these properties are device dependent. An example of that is CFO which is caused by frequency mismatch between transmitter and receiver oscillators due to manufacturing imperfections, and a variable Doppler shift. According to W. Hou et al. [4] the frequency oscillator mismatch can be considered constant but the mobility induced Doppler effect changes rapidly during transmission. They authenticate packets by performing a hypothesis test on Kalman filter predictions. In [10] the reciprocity and randomness of phase responses over multi-carrier channels are used for authentication. Other commonly used attributes are channel-based. For instance, in [6, 11] the location specific channel frequency response is used, [12] utilizes the channel impulse response, and [13] uses a multi-antenna channel. In [14] an authentication method which combines using physical layer properties with cryptographic authentication to improve authentication efficiency during handover in heterogeneous 5G networks is proposed.

CSI represents how the RF waves propagate between the transmitter and receiver. The radio signal reaches the receiver over multiple paths. The multipath signals arrive at the receiver with a slight timing difference due to reflections, scattering, refraction, etc. This time dispersion can lead to intersymbol interference (ISI) [15]. In a typical wireless scenario, the channel response along each multipath is frequency-selective, in a location specific way [6], meaning that, in the case of OFDM, a complex set of numbers specify the channel and these sets of numbers decorrelate between two paths if they are separated by the order of an RF wavelength or more. The frequency-selective fading results in ISI [15], which OFDM is resistant to. In LTE, typical user devices are mobile, which adds a Doppler shift. However, if the transmitter and receiver are stationary in a frequency-selective channel, the Doppler shift is zero, and the channel is time-invariant [15], which simplifies the modelling.

CSI is used for various purposes in wireless communications. It is commonly used to adapt transmissions to channel conditions, and [16] illustrates how it can be used to improve indoor positioning methods in IEEE 802.11. S. Yousefi et al. [5] did a survey on techniques that use CSI to recognize human behaviour. CSI can potentially be used for a plethora of new applications, e.g. distinguishing between messages from a legitimate transmitter and an attacker. Recently, Q. Wang et al. [17] studied CSI-based authentication using deep neural networks. Due to the potential CSI has for distinguishing between transmissions from different entities, it is chosen as the physical layer property for the intrusion detection presented in the next chapter.


Hypothesis testing can be used to decide if a packet should be accepted or rejected. Two hypotheses are put forth. First, a null hypothesis, $H_0$, which is the hypothesis that the packet originates from Alice. The second hypothesis, $H_1$, called the alternative hypothesis, is that the packet comes from Eve:

$H_0 : h[k] = h_A[k],$ (2.1)

$H_1 : h[k] \neq h_A[k].$ (2.2)

Here $h[k]$ represents the CSI.

There are four possible outcomes of the hypothesis test, which are summarized in Table 2.1. The first is correctly accepting the null hypothesis, which is called a true negative. If the null hypothesis is accepted in the case that it is false (false negative), a type II error occurs. The null hypothesis being accepted is referred to as a negative in the sense of not detecting an attack. In the case of rejecting the null hypothesis, the possible outcomes are a false positive and a true positive, if the null hypothesis is true or false, respectively. The false positive is a type I error and often called a false alarm. A true positive represents the case when an intrusion is detected, i.e., the transmission comes from an attacker and the decision from the hypothesis test is to reject it.

                    H0 is true                      H1 is true
H0 is accepted      True Negative (Correct)         False Negative (Type II error)
H0 is rejected      False Positive (Type I error)   True Positive (Correct)

Table 2.1: Possible outcomes from the hypothesis test.

To make a decision based on the chosen property, in this case the CSI, a suitable metric is needed. This is called a hypothesis test statistic, $Z$, which can be compared to a threshold, $T$, to make a decision. The hypothesis test is evaluated according to

$Z \underset{H_0}{\overset{H_1}{\gtrless}} T.$ (2.3)

If the test statistic is greater than the threshold, then the alternative hypothesis is assumed to be true, that is, the message comes from Eve. Otherwise it is assumed to originate from Alice. The test statistic used in the intrusion detection method introduced in the next chapter is based on the one presented in [6].
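The following is an added example, not code from the thesis, that puts the pieces of Sections 1.1 and 2.2 together: a Kalman filter tracks the CSI of one subcarrier, the test of eq. (2.3) accepts or rejects each symbol, and the decisions are tallied into the four outcomes of Table 2.1. The random-walk channel model, the threshold of 4.6, the CSI values and the test statistic (normalized squared innovation) are assumptions of this example; the thesis bases its statistic on [6], which is not reproduced here. The filter is first warmed up on symbols known to come from Alice, as in [6], and both update policies named in Figures 3.7 and 3.8 (update for every symbol, or only for accepted symbols) can be run.

```python
import math
import random


class ScalarCsiKalman:
    """Tracks the complex CSI of one subcarrier as a random walk.

    Model (an assumption of this example, not the thesis's own):
      state:       h[k] = h[k-1] + w,  E|w|^2 = q   (slow channel drift)
      observation: z[k] = h[k] + v,    E|v|^2 = r   (CSI estimation noise)
    """

    def __init__(self, h0, p0, q, r):
        self.h = h0   # current CSI estimate (complex scalar)
        self.p = p0   # variance of that estimate (real scalar)
        self.q = q
        self.r = r

    def predict(self):
        # Random walk: predicted CSI is the last estimate, with the
        # uncertainty grown by the process noise.
        return self.h, self.p + self.q

    def test_statistic(self, z):
        # Z = |innovation|^2 / innovation variance (assumed statistic).
        h_pred, p_pred = self.predict()
        return abs(z - h_pred) ** 2 / (p_pred + self.r)

    def update(self, z):
        h_pred, p_pred = self.predict()
        k = p_pred / (p_pred + self.r)          # Kalman gain
        self.h = h_pred + k * (z - h_pred)      # corrected state
        self.p = (1.0 - k) * p_pred             # corrected covariance


def complex_noise(rng, variance):
    """Circular complex Gaussian sample with E|v|^2 = variance."""
    sigma = math.sqrt(variance / 2.0)
    return complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma))


def make_symbols(rng, n, h_alice, h_eve, p_eve, r):
    """Constructed stream of (measured CSI, came_from_eve) pairs."""
    symbols = []
    for _ in range(n):
        from_eve = rng.random() < p_eve
        h_true = h_eve if from_eve else h_alice
        symbols.append((h_true + complex_noise(rng, r), from_eve))
    return symbols


def run_detector(kf, symbols, threshold, update_only_accepted):
    """Applies eq. (2.3) to every symbol and tallies the Table 2.1 outcomes."""
    counts = {"TN": 0, "FN": 0, "FP": 0, "TP": 0}
    for z, from_eve in symbols:
        reject = kf.test_statistic(z) > threshold   # Z > T -> decide H1
        if from_eve:
            counts["TP" if reject else "FN"] += 1   # attack: detected / missed
        else:
            counts["FP" if reject else "TN"] += 1   # Alice: false alarm / ok
        # Update policy: every symbol (Fig. 3.7) or accepted symbols only
        # (Fig. 3.8).  Updating on rejected symbols lets Eve pull the filter.
        if not (reject and update_only_accepted):
            kf.update(z)
    return counts


def acceptance_rates(counts):
    """Fraction of Alice's symbols accepted, and of Eve's symbols accepted."""
    alice = counts["TN"] / max(1, counts["TN"] + counts["FP"])
    eve = counts["FN"] / max(1, counts["FN"] + counts["TP"])
    return alice, eve


def demo(update_only_accepted=True, p_eve=0.3, seed=7):
    rng = random.Random(seed)
    h_alice, h_eve = complex(1.0, 0.5), complex(-0.8, 0.3)   # constructed CSI
    q, r = 1e-4, 1e-2
    # As in [6], the receiver first learns Alice's channel: warm the filter
    # up on symbols known to come from Alice.
    kf = ScalarCsiKalman(h0=0j, p0=1.0, q=q, r=r)
    for z, _ in make_symbols(rng, 200, h_alice, h_eve, 0.0, r):
        kf.update(z)
    # T = 4.6 gives about a 1 % false-alarm rate for an exponential(1) Z.
    symbols = make_symbols(rng, 2000, h_alice, h_eve, p_eve, r)
    counts = run_detector(kf, symbols, 4.6, update_only_accepted)
    return counts, acceptance_rates(counts)


if __name__ == "__main__":
    for policy in (True, False):
        counts, (acc_a, acc_e) = demo(update_only_accepted=policy)
        print(f"update_only_accepted={policy}: {counts}  "
              f"Alice accepted {acc_a:.3f}, Eve accepted {acc_e:.3f}")
```

With the accepted-only policy nearly all of Alice's symbols pass and Eve's are rejected; with updates on every symbol Eve's symbols drag the estimate away from Alice's channel and Alice's own acceptance rate drops.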

2.3 LTE

LTE is a wireless communication standard developed by the 3GPP. It provides a high data rate, low latency and high spectral efficiency compared to previous cellular technology [9]. Since then, the 3GPP has released specifications for a system known as Long Term Evolution-Advanced (LTE-A), which was an update of LTE that fulfilled requirements of the fourth generation (4G) communication system. It is required to deliver peak data rates of 1000 Mbps in the downlink and 500 Mbps in the uplink, and is backwards compatible with LTE. Therefore, an LTE device can connect with an LTE-A base station and vice versa [9]. For the rest of the thesis no distinction will be made between LTE and LTE-A, and both will be referred to as LTE. An LTE base station is called eNB and mobile user devices are called UE.

Bandwidth [MHz]   Number of Resource Blocks   Sampling Frequency [MHz]
1.4               6                           1.92
3                 15                          3.84
5                 25                          7.68
10                50                          15.36
15                75                          23.04
20                100                         30.72

Table 2.2: LTE channel parameters.

LTE uses a multiple access Orthogonal Frequency Division Multiplexing (OFDM) scheme, called OFDMA, in the downlink. OFDM has several advantages over other multiple access schemes, such as high spectral efficiency, resistance to ISI caused by multipath fading, and a natural support for Multiple-Input Multiple-Output (MIMO) schemes [18]. OFDM subcarriers are separated by 15 kHz of bandwidth.

In the time domain, LTE transmits sequences of 10 ms long frames. Each frame is divided into 1 ms subframes, and each subframe has two equal length slots. Furthermore, each slot comprises several OFDM symbols, either seven or six, depending on whether a normal or extended cyclic prefix (CP) is used [18].

The LTE downlink is constructed from resource elements. They are 1 symbol in time and 1 subcarrier in frequency. Resource elements make up Resource Blocks, which are 1 slot by 12 subcarriers. The Resource Blocks construct the Resource Grid (RG), which can be seen in Figure 2.2. LTE is designed to work with a variety of different bandwidths, which range from 1.4 MHz up to a maximum of 20 MHz [9]. The available transmission bandwidths and corresponding sampling frequencies are listed in Table 2.2.

LTE user devices are called UEs and they access the LTE network through LTE base stations, which are called eNBs. In order for the UE to access the LTE network it must synchronize with the eNB with a cell acquisition procedure [20]. First the UE detects the Primary Synchronization Sequence (PSS) and determines the cell’s physical layer identity, and acquires time and frequency synchronization. The Secondary Synchronization Sequence (SSS) provides the UE with the physical cell identity group. The physical cell identity group along with the physical layer identity provide the full physical cell identity. Through the SSS, the UE also learns about the CP type and duplexing mode used by the cell [1].

After synchronizing with the eNB the UE can decode the Master Information Block (MIB), which is transmitted over the Physical Broadcast Channel (PBCH). The MIB, PSS and SSS occupy the central 6 resource blocks, and therefore UEs can synchronize to eNBs with a lower bandwidth configuration than the eNB uses. Additional configuration details are extracted from the System Information Block (SIB) and then the RRC connection establishment can take place [9]. All of these messages are exchanged between the UE and eNB before the identities of the devices are verified. It is not until the UE sends an Attach Request after the RRC connection establishment that authentication takes place and encryption is set up. Therefore, in this phase of a UE connecting to the network, a rogue base station can impersonate an eNB and the UE has no way to verify its legitimacy [8].

Figure 2.2: The LTE resource grid for 1.4 MHz bandwidth [19].

Each subcarrier can reach the receiver with an arbitrary amplitude and phase. Therefore, reference symbols are injected into the transmitted data stream. The receiver measures the incoming reference signals and uses the difference between them and the transmitted ones to remove the amplitude changes and phase shifts from the incoming signal [9]. An LTE receiver therefore needs to perform channel estimation and equalization. Details on how the channel is estimated and the CSI extracted are presented in Section 3.2.1.

2.4 Kalman Filter

Since its inception in the 1960s the Kalman filter has found widespread use. It is an algorithm that uses noisy data to estimate unknown variables with greater accuracy. As it is fast, efficient and has strong anti-interference capabilities, it has been widely applied in the fields of orbit calculation, target tracking and more [21]. The filter has two steps, a prediction step and an update step. The filter assumes that the feature it is tracking, $x_k$, at time $k$ evolves from the state at time $k-1$ according to the model

$$x_k = A x_{k-1} + B u_{k-1} + v_k, \quad (2.4)$$

where $A$ is a state transition model, $u_k$ is a control input with control input model $B$, and $v_k$ is the zero-mean Gaussian process noise with covariance $\Sigma_v$. It is assumed that $x_k$ cannot be measured accurately, so the measured state is

$$\tilde{x}_k = H x_k + w_k, \quad (2.5)$$

where $H$ is the observation model and $w_k$ is the observation noise, which is zero-mean Gaussian with covariance $\Sigma_w$.

In the prediction step two estimates are calculated: an estimate of the state, $x_{k|k-1}$, and an estimate of the error covariance, $P_{k|k-1}$:

$$x_{k|k-1} = A x_{k-1|k-1} + B u_{k-1}, \quad (2.6)$$

$$P_{k|k-1} = A P_{k-1|k-1} A^T + \Sigma_v. \quad (2.7)$$

In the update step, updated estimates of the covariance, $P_{k|k}$, and the state, $x_{k|k}$, are calculated based on the observation $\tilde{x}_k$:

$$y_k = \tilde{x}_k - H x_{k|k-1}, \quad (2.8)$$

$$S_k = H P_{k|k-1} H^T + \Sigma_w, \quad (2.9)$$

$$K_k = P_{k|k-1} H^T S_k^{-1}, \quad (2.10)$$

$$x_{k|k} = x_{k|k-1} + K_k y_k, \quad (2.11)$$

$$P_{k|k} = (I - K_k H) P_{k|k-1} (I - K_k H)^T + K_k \Sigma_w K_k^T, \quad (2.12)$$

$$y_{k|k} = \tilde{x}_k - H x_{k|k}. \quad (2.13)$$

If the Kalman gain, $K_k$, is the optimal Kalman gain, then the updated covariance estimate can be simplified to $P_{k|k} = (I - K_k H) P_{k|k-1}$. Initialization of the filter can be troublesome, particularly the covariance matrices. The filter will be used to track complex CSI and to accept or reject packets. How the filter is applied and used is described in the next chapter.

2.5 Sustainability and Ethical Concerns

Sustainable development can be defined as development that meets the needs of the present without compromising the ability of future generations to meet their own needs [22]; this definition is known as the Brundtland definition. Sustainable development is not limited to sustainable use of resources, but it should also fulfil human needs [23]. Engineers have the responsibility to ensure sustainable use of resources and consider the social impact of their work. The thesis considers intrusion detection using a Kalman filter and a hypothesis test, which does not offer any direct improvements to common resource-oriented sustainability indicators, such as improved energy efficiency. However, it can provide improved security for multiple projects which pursue sustainable development. The United Nations (UN) introduced 17 Sustainable Development Goals (SDG), which were adopted by all UN member states in 2015 [24]. Wireless Sensor Networks (WSNs), Internet of Things (IoT) and 5G are examples of technologies that are essential to achieving the SDGs. Increased security for these systems of the future is crucial. For example, smart cities utilize IoT to increase energy efficiency and improve transportation. In a smart city there is a vast amount of devices and sensors communicating together, and there are multitudes of potential attacks against them. Physical layer authentication, perhaps based on detecting intrusions with a Kalman filter, can serve an important role in securing these systems and therefore enabling sustainable development.

In addition to considering the sustainability of their work, engineers must also consider if it is ethical. Their work has the potential to be used in an unintended way by adversaries, and therefore it can be unethical to publish it. For instance, in [3] the threat of attacks against LTE is investigated. As the authors implement practical attacks, they are careful not to describe them in detail so that they cannot be easily replicated. This is not a concern in this thesis, but there are some things that need to be considered. The intrusion detection is implemented by using a Kalman filter to track the CSI of transmissions from an LTE base station. Adversaries can use similar techniques to track devices and possibly design attacks to track the location of users. In general, physical layer authentication techniques have similar ethical concerns, as the physical layer properties used to improve security can be manipulated to design attacks. For instance, an attacker can use a device to listen to transmissions within a cell and, using some physical layer properties such as CSI, keep track of devices within that cell. Using multiple listeners at adjacent cells, attackers can additionally track the movements of devices between cells. Adversaries can potentially create attacks which cannot easily be mitigated, as they are based on properties extracted from the transmitted signals that cannot be masked.


Chapter 3

Method

The goal of the thesis is to filter CSI measured from real eNBs to detect intrusions, i.e., distinguish between transmissions from a legitimate transmitter and an attacker. This chapter will describe the methods used.

First the system model is presented. Then the data acquisition is explained: how the signals are collected and the CSI extracted from them. The CSI must be phase corrected because the channel estimation method does not account for the frequency differences of the OFDM subcarriers. Then an intrusion detection approach using a Kalman filter and a hypothesis test is presented. Finally, three methods of simulating attacks, which will be used to evaluate the performance of the intrusion detection, are introduced.

The algorithm operates in an offline setting, i.e., all the data is collectedfirst and then the data is filtered and intrusions are detected. Conceptually it ispossible to have a real-time implementation in which the data is filtered as it iscollected. However, real-time processing of LTE signals in MATLAB is resourceintensive and therefore difficult to achieve. Nonetheless, the results of the thesisprovide a valid proof of concept.

3.1 System Model

The CSI, $h[k]$, is the feature which will be fed to the filter to authenticate messages. The CSI is the frequency response of the channel for a single antenna sampled at the frequencies of the subcarriers. Baseband CSI is considered here and throughout the thesis. As this is an LTE system, each timestep, $k$, represents one OFDM symbol. There are two channels, one between Alice and Bob with CSI

$$h_A[k] = A\, h_A[k-1] + v_A[k], \quad (3.1)$$

and the other between Eve and Bob, with CSI

$$h_E[k] = A\, h_E[k-1] + v_A[k], \quad (3.2)$$

where $A = \alpha I$ is the gain and $v[k]$ is the process noise. The channels are assumed to be Wide-sense Stationary Uncorrelated Scattering (WSSUS). When the channel estimates are extracted, the measured channel is either between Bob and Alice or Bob and Eve, so the measured CSI is

$$h[k] = \begin{cases} h_A[k] + w[k], & H_0 \text{ is true}, \\ h_E[k] + w[k], & H_1 \text{ is true}, \end{cases} \quad (3.3)$$

where $w[k]$ is the measurement noise.

The noise covariance matrices have to be decided, as they serve as initialization for the Kalman filter. The measurement noise can be assumed to have a diagonal covariance matrix, i.e., $\Sigma_w = \sigma_w^2 I$, due to the orthogonality of the OFDM subcarriers. The process noise covariance matrix is set as

$$\Sigma_v = \sigma_v^2 P, \quad (3.4)$$

where $P_{i,j} = \rho^{-|i-j|}$. The reasoning is that some correlation exists between the subcarriers but it should decrease as the subcarriers are further apart.

3.2 Experimental Setup and Data Acquisition

The aim of the data acquisition is to capture LTE downlink signals with two antennas using Software Defined Radio (SDR), and then demodulate them and extract the desired property, CSI, using MATLAB. As will be explained further in Section 3.4, transmitting LTE signals with a rogue eNB is infeasible. Therefore, data is collected from three eNBs; one will be used to represent Alice, and the others represent Eve. Although most devices connected to LTE networks are mobile, or at least nomadic, the receiver antennas are kept stationary while collecting data to simplify the system model and filtering.

Figure 3.1: The GNURadio flowchart used to collect raw I-Q data.

GNURadio is an open source software development toolkit which can be used to implement SDR with external RF equipment. A laptop running GNURadio is connected to two Ettus N210 USRPs [25], which are connected together with a MIMO cable. Two USRPs are needed to set up a 2-antenna receiver for a MIMO system since each N210 USRP is only equipped with one receiver chain. The data collection is simple; the GNURadio flowchart used can be seen in Figure 3.1. The data comes from the USRP source block, is filtered and resampled, and written to a file. To limit the file size, the data is sampled at 2.5 MHz and resampled to 1.92 MHz. That corresponds to an LTE bandwidth of 1.4 MHz. As the synchronization signals are contained within the innermost 6 resource blocks, it is enough to collect this data to extract the desired channel estimates.

Hardware Setup        2 Ettus N210 USRPs with one antenna each, connected to an Ubuntu machine
Software              GNURadio and MATLAB using the LTE Toolbox
Centre Frequencies    816 MHz, 806 MHz, 796 MHz
IQ raw data size      ≈ 10 s, corresponding to ≈ 14000 OFDM symbols
Sampling Frequency    2.5 MHz, downsampled to 1.92 MHz
Antenna Separation    25 cm, 50 cm, 85 cm

Table 3.1: The measurement configuration parameters.

The measurements are performed in an indoor setting. The measurement configuration parameters are listed in Table 3.1. Data was collected from three different base stations, each with the listed separation between the two antennas. Figure 3.2 shows how the distance between the antennas is measured. For each measurement, data was collected over 10 seconds, which corresponds to 14000 OFDM symbols.

Figure 3.2: The experimental setup.

An overview of the data collection process is shown in Figure 3.3. The raw IQ data of the downlink LTE signals are collected using GNURadio and the two USRPs. In GNURadio the signals are resampled and low pass filtered, and the IQ data saved to a binary file. The IQ data is extracted from the binary file to be demodulated in MATLAB using the LTE Toolbox. After demodulating the signals, the channel is estimated and the CSI extracted. Finally, the CSI is processed, and the Kalman filtering and hypothesis testing is performed. The remaining sections of this chapter detail the filtering, hypothesis testing, and how attacks are simulated.

Figure 3.3: An overview of the data collection and CSI processing (blocks: USRP Source, IQ stream over ethernet to IQ data capture using GNURadio, binary file, LTE demodulation and channel estimation in MATLAB, CSI processing, Kalman filtering and hypothesis testing in MATLAB).

3.2.1 CSI Estimation and Processing

The CSI is the most vital physical layer property used in this project. The next section will detail how it is acquired and the processing needed before filtering. The raw data is processed using MATLAB. The code is based on the example in [26].

To get the channel estimates, a RG is constructed in the OFDM demodulation process by performing one FFT operation per received OFDM symbol to recover the received subcarrier values [27]. After the RG is constructed the channel estimates can be extracted according to some cell-wide settings. The size of the grid is M-by-N-by-P, where M is the number of subcarriers, N the number of OFDM symbols, and P the number of antennas.

The channel estimation is done by looping through the RG one frame at a time and is performed in three steps. First, the pilot symbols for the transmit-receive antenna pairs are extracted and used to calculate the least squares estimates of the channel response at the pilot symbol positions within the frame. Secondly, the least squares estimates are averaged to reduce unwanted noise from the pilot symbols. Finally, the cleaned pilot symbols are interpolated into an estimate covering all subframes [28].

The extracted channel estimates, h[k], need to be processed before being passed to the Kalman filter. The extracted CSI is a complex vector of size NSC × NSym, where NSC is the number of subcarriers and NSym is the total number of OFDM symbols collected during the measurements. The first Ncal symbols are used for calibration, e.g., correcting the CSI phase and calibrating the filter; the rest of the symbols are used to evaluate the filter performance.

The CSI phase drifts with time, and decays over subcarriers due to the channel estimation method not accounting for the small frequency differences between them. In [29] it is explained that in a multipath environment the received signal is due to multiple non-line-of-sight paths and a line-of-sight path. Each multipath generates a varying time delay, amplitude attenuation, and phase shift. Therefore, the CSI of subcarrier $j$ at timestep $k$ can be expressed as

$$h_j[k] = a_{los}\,\delta[k] + \sum_{i=1}^{M-1} a_{nlos,i}\, e^{-j\theta_i}\, \delta[k - k_i] + w[k], \quad (3.5)$$

where $M$ is the number of multipaths, and $a_i$, $\theta_i$ and $k_i$ represent the amplitude, phase and time delay of the $i$th path signal, respectively. The phase corresponding to each multipath can be expressed as

$$\theta_i = 2\pi f k_i = 2\pi f \Delta d / c. \quad (3.6)$$

As the receiver only synchronizes with one subcarrier, the obtained phase varies linearly with frequency:

$$\hat{\phi}_j = \phi_j + \frac{2\pi j}{M} k_\varepsilon + \lambda + w. \quad (3.7)$$

Here $\phi_j$ is the actual phase of subcarrier $j$, $k_\varepsilon$ is the timing estimation error, $\lambda$ is a constant phase offset and $w$ is measurement noise. Thus, to extract the actual phase, a straight line ($\phi_{lin}$) is fit to the observed phase using linear regression. This term is then subtracted from the observed phase to get the actual phase

$$\phi_j = \hat{\phi}_j - \phi_{lin,j}. \quad (3.8)$$

Figure 3.4: The CSI phase before and after correction (two panels, "Before Phase Correction" and "After Phase Correction"; x-axis: subcarrier number, 0 to 80; y-axis: phase in radians).

Figure 3.4 shows the phase before and after correction. As the phase decay over the subcarriers before correction spans an interval larger than [−π, π], the phase is kept continuous (not wrapped) over that larger interval.

Additionally, the CSI is assumed to follow a zero-mean Gaussian distribution, but the measured CSI is not zero-mean. That is fixed by subtracting the mean calculated from the first $N_{cal}$ OFDM symbols of the non-zero-mean CSI, $\bar{h}$, from itself:

$$h[k] = \bar{h}[k] - \frac{1}{N_{cal}} \sum_{n=1}^{N_{cal}} \bar{h}[n]. \quad (3.9)$$


3.3 Intrusion Detection Scheme

To implement a physical layer authentication scheme, the symbols from the legitimate transmitter must be distinguished from the illegitimate ones. In other words, illegitimate transmissions, or intrusions, must be detected. As the channels between Alice and Bob, and between Eve and Bob, are different, the CSI at the receiver is different for the two channels.

A Kalman filter is chosen to track the CSI. In [4] a Kalman filter is used to track CFO to distinguish between messages from a legitimate transmitter and an attacker.

The filter predicts the next state of the CSI, and if the observed CSI is too far from the prediction, the symbol can be rejected. The idea is that the CSI changes over time, but within a reasonable margin for each timestep k. However, if a symbol comes from Eve, then the change in CSI should be greater than usual and the symbol rejected.

The Kalman filter equations from Section 2.4 are adapted to the system to track the CSI, $h[k]$. The prediction step is:

$$h[k|k-1] = A\, h[k-1|k-1], \quad (3.10)$$

$$P_{k|k-1} = A P_{k-1|k-1} A^T + \Sigma_v. \quad (3.11)$$

The update step is

$$K_k = P_{k|k-1}\,(P_{k|k-1} + \Sigma_w)^{-1}, \quad (3.12)$$

$$h[k|k] = h[k|k-1] + K_k\,(h[k] - h[k|k-1]), \quad (3.13)$$

$$P_{k|k} = (I - K_k) P_{k|k-1} (I - K_k)^T + K_k \Sigma_w K_k^T. \quad (3.14)$$

Based on the predicted values $h[k|k-1]$ and $P_{k|k-1}$, a hypothesis test statistic, $Z$, is calculated:

$$Z_k = z^H z = 2\,(h[k] - h[k|k-1])^H P_{k|k-1}^{-1} (h[k] - h[k|k-1]), \quad (3.15)$$

where $z = \sqrt{2}\,\big((P_{k|k-1})_d^H\big)^{-1}(h[k] - h[k|k-1])$. The test statistic is based on the one presented by [6]. The test statistic is then compared to a threshold $T$ in a hypothesis test:

$$Z_k \underset{H_0}{\overset{H_1}{\gtrless}} T. \quad (3.16)$$

If the test statistic is less than the threshold, then the null hypothesis is assumed to be true, i.e., that the symbol comes from Alice and Bob should accept it. Similarly, if the test statistic is greater than the threshold, the symbol is assumed to originate from Eve and is rejected.

When evaluating performance, the filter can either be updated for every symbol, or it can update itself only for the accepted symbols. This affects the test statistic Zk: if the filter is only updated for accepted symbols, more time passes between the symbols used to calculate Zk. Both types of filters are tested.

Figure 3.5 shows how the filtering is performed for each symbol. The filter uses the observed CSI of the symbol along with the previously updated states, h[k−1|k−1] and P_{k−1|k−1}, to carry out the prediction step. The filter uses the predicted states and the measured CSI to calculate the test statistic, Zk, which is then passed to the hypothesis test. Then the filter is updated based on the decision from the hypothesis test.

Figure 3.5: How the filtering and hypothesis testing is performed (blocks: h[k−1|k−1], P_{k−1|k−1} into the Kalman Filter, giving h[k|k−1], P_{k|k−1}; these together with h[k] give Zk, which goes to the Hypothesis Test and then the Filter Update).

One drawback of using a Kalman filter to track the CSI is that it can lose track. It can happen if the filter misses updates due to false positives or true positives. If the filter accepts too many symbols from Eve, the filter can start tracking Eve.

3.4 Simulating Attacks

The frequencies that LTE uses are part of a licensed frequency band, which means that it is not allowed to transmit LTE signals without a license. Without a license, the only way to transmit in the LTE band would be inside a Faraday cage. The cost and trouble of constructing a Faraday cage is too high, therefore alternative means are needed to simulate the attacks.

Figure 3.6: The USRP receiver and eNBs representing Alice and Eve (Alice: eNodeB transmitting at centre frequency F1; Eve 1 and Eve 2: eNodeBs transmitting at centre frequencies F2 and F3; Receiver: USRP listening to downlink signals from Alice and Eve).

Instead of using USRPs transmitting on the LTE band to create a fake eNB, baseband equivalent channel estimates are collected from downlink LTE transmissions from different eNBs, and one eNB is used to represent a legitimate transmitter while others can represent attackers, as depicted in Figure 3.6. As the eNBs are in different physical locations, the channels between them and the receiver are different. The measurements are performed consecutively for the different channels and, as the channel is time-varying, the small time difference can cause some difference in the channel estimates from the measurements. Additionally, the eNBs are transmitting at different centre frequencies, which causes a difference in the CSI from them. However, the centre frequencies are close to each other and the physical location difference probably has a larger impact on the CSI difference. Although this method is not as realistic as using a Faraday cage and setting up USRPs to transmit as Alice and Eve, we consider it to be a good approximation of reality given the regulatory constraints. Induo’s website [30], which lists frequency bands in Sweden, is used to find centre frequencies of LTE channels. One channel is chosen to represent the legitimate eNB, Alice, and other channels represent attackers, Eve.

Figure 3.7: Filtering based on Alice and updating the filter for every symbol (blocks: Filter Predictions; Alice and Eve symbols each Accepted or Rejected; Filter Update from Alice).

Figure 3.8: Filtering based on Alice, updating the filter for accepted symbols (blocks: Filter Predictions; Alice and Eve symbols each Accepted or Rejected; Filter Update only from accepted Alice symbols).

The filtering can be evaluated by separately accepting and rejecting symbols from Alice and Eve based on the filter predictions and then updating the filter based on Alice. The filter can be updated for every symbol, or it can be updated only for the symbols that it accepts. Figures 3.7 and 3.8 show these two filtering scenarios, which will be used in Chapter 4 to evaluate the performance of the filter.


3.4.1 Markov Intrusion Model

A more complex intrusion scenario uses a Markov chain to randomly generate one vector from the CSI of two eNBs, one representing the legitimate transmitter, Alice, and the other representing the attacker, Eve. The first Ncal symbols come from Alice; then each subsequent symbol comes from the state that the Markov chain, seen in Figure 3.9, is in at that time, k. It starts in state Alice, and stays there with probability PA. Similarly, if in state Eve, it stays there with probability PE.

Figure 3.9: A simple Markov chain intrusion model (states Alice and Eve; self-transition probabilities PA and PE, transitions between the states with probabilities 1−PA and 1−PE).

There are two possible types of errors due to wrong decisions of the hypothesis test. The possible errors from the hypothesis test are listed in Table 2.1. The first type of error (type I) is a false positive, also called a false alarm, when a transmission from a legitimate transmitter is rejected. A false alarm causes the filter to lose accuracy due to missed updates. A type II error is a false negative, also called a missed detection, which is when an illegitimate frame is accepted. Missed detection causes the filter performance to deteriorate due to false updates. Both types of errors can cause feedback loops, i.e. an error reduces the accuracy of the filter, which in turn makes the filter more likely to make wrong decisions.

Figure 3.10 shows the third filtering scenario, which will be used to evaluate the intrusion detection performance in the next chapter. The filter predictions and the observed CSI are used to make a decision. If the symbol is accepted the filter is upd
ated. In this scenario, the filter performance is affected by both types of errors, and if too many illegitimate symbols are accepted, Eve can take over the filter.

Figure 3.10: Filtering Markov generated CSI (blocks: Filter Predictions; symbol from Alice with probability p or Eve with probability 1−p; Accept leads to Filter Update, Reject does not).


Chapter 4

Results and Discussion

In this chapter the performance results of the filter are presented. Most of the results are based on filtering the CSI of one transmit/receive antenna pair. In that case three scenarios are explored.

i. The filter is used to calculate the test statistic, Zk, and make a decision based on the hypothesis test, but the filter is updated for each k, even in the case that the symbol is rejected, as depicted in Figure 3.7.

ii. The same scenario as in i., but the filter is only updated for symbols that are accepted, as depicted in Figure 3.8.

iii. The Markov intrusion model from Section 4.3 is used to simulate a real scenario and evaluate the performance of the filter, as depicted in Figure 3.10.

The first two scenarios are based on the simpler attacker model from Section 3.4. The first one updates the filter for each symbol and the second only updates the filter for accepted symbols. As in these scenarios the filter only considers transmissions from Alice when updating and making decisions, the difference between the two illustrates the effect of rejecting symbols from Alice. This is to compare the two filters, as not updating the filter for multiple symbols in a row can affect the test statistic, Zk. The centre frequencies of the base stations used are listed in Table 4.1. The CSI extracted from them is the baseband CSI.

Alice     Eve 1     Eve 2
816 MHz   806 MHz   796 MHz

Table 4.1: The centre frequencies of the base stations used to represent Alice, Eve 1 and Eve 2.

4.1 Filter Updated for Every Symbol

To evaluate the performance of the Kalman filter, suitable metrics must be investigated. One metric is the acceptance rate, and it can be compared for Alice versus Eve 1 and Eve 2. At first the filter is used, the hypothesis test statistic in Eq. (3.15) is calculated and the filter is updated for each k. To set a baseline to compare this to, the acceptance rate is also calculated for a system not running the filter, that is, the test statistic from [6] is used. The acceptance rate for both systems is calculated for an increasing threshold T and the results are shown in Figure 4.1. It is clear that with the filter the legitimate acceptance rate increases faster than the illegitimate acceptance rate, compared to the system without the filter.

Figure 4.1: Acceptance rate comparison between a filtering system and a non-filtering system (two panels, "With Filter" and "Without Filter"; x-axis: threshold T, 0 to 4 × 10^5; y-axis: acceptance rate, 0 to 1, for Alice, Eve 1 and Eve 2).

The system with filtering can achieve ≈ 90% legitimate acceptance rate while keeping the acceptance rate from Eve at 0%. In the system without filtering, a 90% acceptance rate for Alice results in a 40−50% acceptance rate for Eve. A more conventional way to evaluate the performance is to plot the receiver operating characteristic (ROC) curve. That is done by calculating the false positive rate and true positive rate for increasing values of the threshold, T. Each point in the plot corresponds to the true positive rate against the false positive rate for a given value of T. As shown in Table 2.1, the false positives are messages from Alice that are decided to come from Eve, and the true positives are messages from Eve that are detected as such. Therefore, the optimal point for a test to achieve would be (0, 1) in the ROC plot. As seen in Figure 4.2, the filtering system comes much closer to this optimal point. The green line represents a baseline which shows the performance of a system which randomly decides if messages are from Alice or Eve.

When designing a system, the number of true negatives will be unknown, but to reject an acceptable amount of illegitimate messages an acceptable false positive rate must usually be decided first. The false positive rate can therefore be used as a design parameter. Figure 4.3 illustrates that a system designed for a false positive rate of ≈ 10% can expect a low false negative rate. However, if the system requires a lower false positive rate, e.g. 1%, then the expected false negative rate is high (> 90%).
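The bookkeeping behind the acceptance-rate and ROC figures, and the rule of choosing T from a target false positive rate, as an added Python example (not code from the thesis): it takes per-symbol test statistics z as given (the thesis's Eq. (3.15) is not reproduced here, and the sample statistics are constructed), accepts a symbol when z ≤ T, and follows the thesis's naming, where a false positive is a symbol from Alice that is rejected and a false negative is a symbol from Eve that is accepted. The empirical threshold function assumes a calibration period with symbols from Alice only, which is the requirement the Discussion in Section 4.5 points out.

```python
"""Acceptance rate, ROC points and false-alarm-driven threshold choice.

Added example (not code from the thesis). Input: one test statistic z per
received symbol, computed separately for symbols from Alice and from Eve; a
symbol is accepted when z <= T. Error names follow the thesis: a false
positive is a symbol from Alice that is rejected (false alarm) and a false
negative is a symbol from Eve that is accepted (missed detection).
"""
import math
import random


def acceptance_rate(stats, threshold):
    """Fraction of symbols whose statistic is at or below the threshold."""
    return sum(1 for z in stats if z <= threshold) / len(stats)


def roc_point(alice_stats, eve_stats, threshold):
    """(FPR, TPR, FNR) at one threshold: FPR = Alice rejected, FNR = Eve accepted."""
    fpr = 1.0 - acceptance_rate(alice_stats, threshold)
    fnr = acceptance_rate(eve_stats, threshold)
    return fpr, 1.0 - fnr, fnr


def roc_curve(alice_stats, eve_stats, thresholds):
    """One (T, FPR, TPR, FNR) tuple per threshold; plotting TPR against FPR gives the ROC."""
    return [(t,) + roc_point(alice_stats, eve_stats, t) for t in thresholds]


def closest_to_ideal(curve):
    """Threshold whose (FPR, TPR) point lies nearest the ideal (0, 1) corner."""
    return min(curve, key=lambda p: math.hypot(p[1], 1.0 - p[2]))[0]


def threshold_for_false_alarm(alice_stats, target_fpr):
    """Smallest observed statistic T such that the false alarm rate on the
    calibration data is at most target_fpr.

    This is the empirical design rule: it needs a calibration period in which
    only the legitimate transmitter is received, because the quantile is taken
    over Alice's statistics alone.
    """
    ordered = sorted(alice_stats)
    keep = math.ceil((1.0 - target_fpr) * len(ordered))  # symbols that must be accepted
    keep = max(1, min(keep, len(ordered)))
    return ordered[keep - 1]


def design_example(seed=3):
    """Constructed statistics (not measured data): Alice ~ Exp(mean 1),
    Eve ~ 4 + Exp(mean 1); choose T for a 10 % false alarm rate and report the
    operating point that choice implies."""
    rng = random.Random(seed)
    alice = [rng.expovariate(1.0) for _ in range(2000)]
    eve = [4.0 + rng.expovariate(1.0) for _ in range(2000)]
    t = threshold_for_false_alarm(alice, 0.10)
    fpr, tpr, fnr = roc_point(alice, eve, t)
    return {"threshold": t, "fpr": fpr, "tpr": tpr, "fnr": fnr}


if __name__ == "__main__":
    print(design_example())
```

threshold_for_false_alarm picks the smallest observed statistic for which the calibration false alarm rate stays within the target, so the false positive rate achieved in design_example equals the 10% target by construction; the number of true negatives stays unknown at design time, and it is the ROC point at that threshold that reveals the false negative rate the choice implies.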


[Figure 4.2 (plot, two panels): true positive rate (0 to 1) against false positive rate (0 to 1); left panel "ROC With Filter", right panel "ROC Without Filter"; curves for Eve 1, Eve 2 and the random-decision baseline.]

Figure 4.2: ROC curve comparison of a filtering system and a non-filtering system.

[Figure 4.3 (plot): false negative rate (0 to 1) against false positive rate on a logarithmic axis (10^-4 to 10^0), "ROC With Filter"; curves for Eve 1 and Eve 2.]

Figure 4.3: A logarithmic scale ROC with false negative rate against the false positive rate.


4.2 Effect of Only Updating for Accepted Symbols

Here, the case of only updating the filter for accepted symbols is considered. The filter misses updates due to false alarms (type I errors) and is therefore less accurate than the filter in scenario 1. In the best case this filter performs as well as the filter that is updated for every symbol, but generally its performance is worse. Figure 4.4 compares the acceptance rate of the two filters as well as their ROC curves and illustrates the performance loss in this scenario. This filter achieves a 90% acceptance rate from Alice against a ≈ 20 − 30% acceptance rate for Eve.

[Figure 4.4 (plot, two panels): left, acceptance rate (0 to 1) against threshold T (0 to 5 × 10^5), "With Filter and Rejections", curves for the 816 MHz, 806 MHz and 796 MHz measurements; right, false negative rate (0 to 1) against false positive rate on a logarithmic axis (10^-5 to 10^0), "ROC With Filter", curves for Eve 1 and Eve 2.]

Figure 4.4: Comparing the acceptance rate and ROC curves of a filter that only updates for accepted symbols (solid line) vs. the filter that updates for every symbol (dashed line).

Figure 4.5 shows the acceptance rate difference of the two filters for three measurements. The difference is large for a low threshold, but as T is increased it is eventually eliminated.

[Figure 4.5 (plot): acceptance rate difference (0 to 1) against threshold T (0 to 5 × 10^5), "Acceptance Rate Difference"; curves for Meas1, Meas2 and Meas3.]

Figure 4.5: The acceptance rate difference of the two filters for three different measurements.

There is a variation in the plot for the second measurement. It could be caused by an outlier in the CSI from Alice, i.e., one legitimate symbol that is accepted when the threshold reaches a certain value could skew the filter and cause it to reject other legitimate symbols until the threshold increases.

4.3 Markov Intrusion Model

The third scenario, based on the Markov intrusion model from Section 4.3, is considered. Here PA = 0.85 and PE = 0.1. In this case the CSI fed to the filter is comprised of CSI from both Alice and Eve. Therefore, two types of decision errors can affect the performance of the filter. Figure 4.6 shows the acceptance rate for the Markov generated CSI.

[Figure 4.6 (plot): acceptance rate (0 to 1) against threshold T (0 to 2 × 10^6), "Filtering with Markov Generated Intrusions"; curves for Alice and Eve.]

Figure 4.6: Acceptance rate of the filter using the Markov generated intrusions.

For this particular realization of the CSI generated with the Markov chain, the filter can achieve great performance. That is, for a certain interval of T, it achieves a 100% acceptance rate from Alice while rejecting all symbols from Eve. It can be seen in the ROC curve in Figure 4.7 that it reaches the (0, 1) point. Figure 4.6 also shows that after the acceptance rate for Alice reaches 1, it starts to decrease again as the acceptance rate for Eve begins to rise, despite the threshold increasing. This is the effect of type II errors due to wrong decisions, which is also visible in the ROC plot in Figure 4.7.

The filtering can achieve good performance for this scenario, where the CSI is generated with a low probability of intrusions. It could be interesting to investigate how it performs for CSI with a higher attacker density.

CSI is generated with PA = 0.4 and PE = 0.6. There are only 5222 symbols from Alice out of 13272 symbols in total. The acceptance rate of Alice and Eve for this realization of the Markov generated CSI is shown in Figure 4.8. The filter still manages to accept all symbols from Alice and reject all symbols from Eve for some thresholds. As T is increased the transmissions from Eve have more influence on the filter. For T > 740000 the acceptance rate from Eve is higher than the acceptance rate from Alice, and Eve has taken over the filter. For some intervals of T the acceptance rate of Alice and Eve flips, e.g., when T = 500000 the acceptance rate of Alice is almost 0 and the acceptance rate of Eve is close to 1. This is because the filter accepts too many symbols from Eve and starts tracking Eve instead of Alice. It is one of the downsides of the Kalman filter that it can lose track of Alice or even start to track the attacker.

[Figure 4.7 (plot): "ROC With Filter" for the Markov generated CSI, true positive rate (0 to 1) against false positive rate (0 to 1).]

Figure 4.7: The ROC curve compared to an ROC curve from random decisions.
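The takeover described above, as an added Python simulation that is not the thesis's implementation: a scalar complex channel coefficient per antenna pair, a random-walk Kalman filter, and the normalised innovation squared as the test statistic (accepted when at or below T) are all assumptions, as are the noise and process variances R and Q. PA and PE are taken as the probabilities of staying with the same transmitter, which reproduces the ≈ 40% share of Alice symbols reported for PA = 0.4, PE = 0.6. The filter is updated only for accepted symbols, the policy of Section 4.2, so each type II error feeds Eve's CSI into the state. Alice's CSI is held static; Eve's is constructed to start 0.4 away from Alice's and drift off slowly, which makes the filter first separate the two perfectly at low thresholds, then lock onto Eve and reject Alice at intermediate thresholds, and accept everything at very high thresholds.

```python
"""Kalman-filter CSI tracking on a Markov-switched symbol stream.

Added example, not the thesis's implementation. Assumed model: one scalar
complex channel coefficient per transmit/receive antenna pair, a random-walk
Kalman filter, and the normalised innovation squared |y - x|^2 / S as the
test statistic, accepted when it is at or below the threshold T. The filter
is updated only for accepted symbols (the policy of Section 4.2), so every
accepted symbol from Eve pulls the state towards her CSI.
"""
import math
import random

R = 0.0025        # assumed CSI estimation noise variance (complex, total power)
Q = 6.3e-8        # assumed process noise; gives a steady-state Kalman gain of about 0.005
P_A, P_E = 0.4, 0.6   # Markov stay probabilities, as in the high-attacker-density run above


def markov_sources(n, p_a, p_e, rng):
    """Transmitter of each symbol: two-state chain with P(stay with Alice) = p_a and
    P(stay with Eve) = p_e; the stationary share of Alice is (1-p_e)/((1-p_a)+(1-p_e))."""
    src, state = [], "alice"
    for _ in range(n):
        src.append(state)
        stay = p_a if state == "alice" else p_e
        if rng.random() >= stay:
            state = "eve" if state == "alice" else "alice"
    return src


def channel(src, k, n):
    """Constructed CSI: Alice's coefficient is static; Eve's starts 0.4 away from it
    and drifts slowly to about 3.0 away over the run (a different, changing path)."""
    if src == "alice":
        return 1.0 + 0.0j
    return (1.0 + 0.4j) + 3.0 * k / n


def make_stream(n, rng):
    """Per-symbol transmitter labels and noisy CSI observations."""
    src = markov_sources(n, P_A, P_E, rng)
    s = math.sqrt(R / 2)  # per-component noise standard deviation
    obs = [channel(src[k], k, n) + complex(rng.gauss(0, s), rng.gauss(0, s))
           for k in range(n)]
    return src, obs


def run_filter(src, obs, threshold):
    """Run the detector at one threshold; return (Alice acceptance, Eve acceptance)."""
    x, p = obs[0], R            # initialise from the first symbol (Alice's by construction)
    acc = {"alice": 0, "eve": 0}
    cnt = {"alice": 0, "eve": 0}
    for who, y in zip(src, obs):
        cnt[who] += 1
        p_pred = p + Q          # prediction step runs for every symbol
        innov = y - x
        s = p_pred + R          # innovation variance
        stat = abs(innov) ** 2 / s
        if stat <= threshold:   # accept: treat the symbol as Alice's and update
            acc[who] += 1
            gain = p_pred / s
            x = x + gain * innov
            p = (1.0 - gain) * p_pred
        else:                   # reject: no update, uncertainty keeps growing
            p = p_pred
    return acc["alice"] / cnt["alice"], acc["eve"] / cnt["eve"]


def acceptance_sweep(thresholds, n=12000, seed=7):
    """Acceptance rates of Alice and Eve for each threshold on one seeded realization."""
    src, obs = make_stream(n, random.Random(seed))
    return {t: run_filter(src, obs, t) for t in thresholds}


def takeover_thresholds(sweep):
    """Thresholds at which Eve's acceptance rate exceeds Alice's (the filter tracks Eve)."""
    return [t for t, (a, e) in sweep.items() if e > a]


if __name__ == "__main__":
    for t, (a, e) in acceptance_sweep([10, 30, 100, 300, 1000, 10000]).items():
        print(f"T={t:>6}: Alice accepted {a:.3f}, Eve accepted {e:.3f}")
```

At T = 10 Eve's symbols never come within reach of the tracked state, so Alice is accepted and Eve rejected. At T = 100 Eve is close enough to be accepted from the start; since the accepted stream is 60% Eve, the state settles nearer her coefficient and, once she has drifted far enough, Alice's innovations exceed the threshold and the filter follows Eve for the rest of the run, so Alice's acceptance rate is lower at T = 100 than at T = 10. At T = 10000 everything is accepted, which is the other end of the curve in Figure 4.8.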

[Figure 4.8 (plot): acceptance rate (0 to 1) against threshold T (0 to 2 × 10^6), "Markov Generated Intrusions - PA = 0.4, PE = 0.6"; curves for Alice and Eve.]

Figure 4.8: Acceptance rate of the filter using the Markov generated intrusions with a high probability of attacks.

4.4 Antenna Separation

All of the results presented above are based on filtering using only CSI from a single transmit/receive antenna pair at a time. However, all the data was collected with measurements in a 2x2 MIMO system. The distance between the receiver antennas can affect the performance of the filtering, as the correlation of the CSI from the two antennas changes with the distance between them. Figure 4.9 shows the correlation between the CSI of two channels. Measurements were made with an increasing distance between the antennas, incremented by 5 cm at a time.

Figure 4.9: Correlation of CSI of two transmit/receiver antenna pairs.

This should be relevant for a filter that utilizes the CSI from all four transmit/receive antenna pairs.

4.5 Discussion

The performance of the filtering has been evaluated by computing the acceptance rate of messages from Alice and Eve for an increasing threshold. By comparing the acceptance rate of the filter to the acceptance rate of a system using the test statistic from [6] without filtering, it is clear that the filter offers improved performance. The results indicate that the filtering could be used for intrusion detection in systems that tolerate a false alarm rate of ≈ 10%.

Filtering CSI generated with the Markov intrusion model is evaluated for different state probabilities PA and PE. The filter is able to accept all symbols from Alice and reject all symbols from Eve, even when the majority of the symbols originate from Eve. The effect of type II errors can be seen when inspecting the acceptance rate graphs. As the threshold increases, more illegitimate frames are accepted, which deteriorates the filter performance and the filter accepts more symbols from Eve. It can be seen that if the filter accepts too many transmissions from Eve, it also rejects more transmissions from Alice.

When designing a filter for intrusion detection it is important to choose a suitable threshold. The acceptance rate figures illustrate that for a certain region of T the performance is good. Furthermore, as false alarms and missed detections degrade the performance of the filter, their impact must be minimized with an appropriate threshold. L. Xiao [6] suggests that z follows a chi-square distribution, which could be used to set a fitting threshold to detect intrusions. However, the z computed during filtering does not follow a chi-square distribution and therefore a suitable threshold cannot be determined from it. A threshold can be computed empirically, but that requires the filter to receive only symbols from the legitimate transmitter for some time before it can be used to detect intrusions.

The filter has only been implemented to use one transmit/receive antenna pair channel at a time. Implementing the filter to use all four channels from the 2x2 MIMO system could result in improved detection due to increased diversity. Choosing an antenna distance with lower correlation between channel pairs provides better performance.

Chapter 5

Conclusions and Summary

In this thesis, the vulnerabilities in LTE have been explored. UEs are especially vulnerable to attacks from rogue base stations before a connection to the LTE network is established. Physical layer authentication, which utilizes properties of the physical layer to detect and reject transmissions from adversaries, could be implemented to mitigate these types of attacks in LTE and offers continuous authentication during communication. A CSI based intrusion detection approach was proposed. It uses a Kalman filter to predict the true state of the measured CSI and computes a test statistic to compare to a decision threshold.

Downlink LTE signals were collected from three real eNBs in a 2x2 MIMO setup with Ettus N210 USRPs. Although the intrusion detection scheme was implemented using only CSI from one transmitter/receiver antenna pair at a time, the data was collected from all four channels. One eNB was used to represent Alice and the other two represented the attackers, Eve 1 and Eve 2.

The performance of the intrusion detection approach was evaluated for three scenarios with ROC plots and acceptance rate comparison between legitimate transmissions and illegitimate ones. In the first scenario the filter predictions were used to accept or reject symbols from Alice and Eve separately and the filter was updated for every symbol from Alice. The filter was able to achieve a 90% acceptance rate from Alice while rejecting all symbols from Eve. The filtering approach shows improved performance over a non-filtering based method. The ROC plots show that the filter in this case would be useful in systems that tolerate a > 10% false alarm rate. The second scenario is the same as the first except that the filter is only updated for accepted symbols from Alice. The results here show the effect of type I errors due to missed updates. In this case a 90% acceptance rate from Alice corresponds to a ≈ 20 − 30% acceptance rate from Eve. In the third scenario a CSI sequence was generated with a Markov intrusion model. The results show that the filter is able to accept all legitimate symbols and reject all transmissions from Eve with a suitable threshold, T. However, if the threshold is too high, the effects of type II errors appear. As more symbols from Eve are accepted the filter performance declines.

The results are promising, however there are a few things that need to be considered. The attacks were simulated by letting signals from one LTE base station transmitting at centre frequency F1 represent Alice, and signals from other base stations transmitting at centre frequencies F2 and F3 represent the attackers, Eve 1 and Eve 2. Additionally, the data was collected from the base stations a few minutes apart. This frequency and timing difference is a cause of some of the difference in the CSI of the signals representing Alice, Eve 1 and Eve 2, and might have caused an increase in the performance of the intrusion detection.

5.1 Future Work

The proposed intrusion detection scheme shows promising results, but there are a few areas that must be investigated to see if it is feasible to use in a real world system.

First, the filter could be extended to use all four channels of the transmit/receive antenna pairs. This would increase the receiver diversity. The extended filter could be used to verify the hypothesis that the filter performance is improved by choosing an antenna separation which results in a lower correlation between the CSI of the channels.

The system model can also be adjusted for mobile receivers, which would better represent real users in LTE. This could be difficult as the CSI is sensitive to movement, especially its phase. The movement of the receiver must somehow be mapped to a change in CSI.

After extending the filter to account for a moving receiver and to use the CSI from all of the transmitter/receiver antenna pairs, the intrusion detection should be tested using multiple sets of USRPs to transmit as legitimate base stations and rogue base stations. This should be performed in a Faraday cage, so that the transmissions do not affect real LTE traffic. By testing the intrusion detection this way, the USRPs can all transmit simultaneously and the rogue base stations can transmit at the same centre frequency as the legitimate one. This would be a more realistic attacker scenario.

Finally, a method to determine a suitable threshold for the hypothesis test is needed. The thesis has illustrated how decision errors deteriorate the filter performance. In a real system, the filter should be able to distinguish between symbols from Alice and Eve without calibrating transmissions from Alice, which are needed to determine a threshold empirically. The test statistic distribution needs to be explored.

Bibliography

[1] M. Lichtman, R. P. Jover, M. Labib, R. Rao, V. Marojevic, and J. H. Reed, “LTE/LTE-A jamming, spoofing, and sniffing: threat assessment and mitigation,” IEEE Communications Magazine, vol. 54, no. 4, pp. 54–61, April 2016.

[2] M. Lichtman, R. M. Rao, V. Marojevic, J. H. Reed, and R. P. Jover, “5G NR jamming, spoofing, and sniffing: Threat assessment and mitigation,” 2018 IEEE International Conference on Communications Workshops (ICC Workshops), pp. 1–6, 2018.

[3] A. Shaik, R. Borgaonkar, N. Asokan, V. Niemi, and J.-P. Seifert, “Practical attacks against privacy and availability in 4G/LTE mobile communication systems,” Jan. 2016.

[4] W. Hou, X. Wang, J. Chouinard, and A. Refaey, “Physical layer authentication for mobile systems with time-varying carrier frequency offsets,” IEEE Transactions on Communications, vol. 62, no. 5, pp. 1658–1667, May 2014.

[5] S. Yousefi, H. Narui, S. Dayal, S. Ermon, and S. Valaee, “A survey on behavior recognition using WiFi Channel State Information,” IEEE Communications Magazine, vol. 55, no. 10, pp. 98–104, Oct. 2017.

[6] L. Xiao, L. J. Greenstein, N. B. Mandayam, and W. Trappe, “Using the physical layer for wireless authentication in time-variant channels,” IEEE Transactions on Wireless Communications, vol. 7, no. 7, pp. 2571–2579, July 2008.

[7] (2018, July) Global number of LTE subscribers grows by almost a billion in the last year. Accessed on Oct. 28, 2019. [Online]. Available: https://gsacom.com/press-release/global-number-of-lte-subscribers-grows-by-almost-a-billion-in-the-last-year/

[8] R. P. Jover, “LTE security, protocol exploits and location tracking experimentation with low-cost software radio,” CoRR, vol. abs/1607.05171, 2016. [Online]. Available: http://arxiv.org/abs/1607.05171

[9] C. Cox, An Introduction to LTE: LTE, LTE-Advanced, SAE and 4G Mobile Communications, 1st ed. Wiley Publishing, 2012.

[10] X. Wu and Z. Yang, “Physical-layer authentication for multi-carrier transmission,” IEEE Communications Letters, vol. 19, no. 1, pp. 74–77, Jan. 2015.

[11] L. Xiao, L. Greenstein, N. Mandayam, and W. Trappe, “Fingerprints in the ether: Using the physical layer for wireless authentication,” in 2007 IEEE International Conference on Communications, June 2007, pp. 4646–4651.

[12] F. J. Liu, Xianbin Wang, and H. Tang, “Robust physical layer authentication using inherent properties of channel impulse response,” in 2011 - MILCOM 2011 Military Communications Conference, Nov. 2011, pp. 538–542.

[13] P. Baracca, N. Laurenti, and S. Tomasin, “Physical layer authentication over MIMO fading wiretap channels,” IEEE Transactions on Wireless Communications, vol. 11, no. 7, pp. 2564–2573, July 2012.

[14] X. Duan and X. Wang, “Fast authentication in 5G HetNet through SDN enabled weighted secure-context-information transfer,” in 2016 IEEE International Conference on Communications (ICC), May 2016, pp. 1–6.

[15] A. Grami, Introduction to Digital Communications. Elsevier, 2016.

[16] G. Escudero, J. Hwang, and J. Park, “An indoor positioning method using IEEE 802.11 Channel State Information,” Journal of Electrical Engineering and Technology, vol. 12, pp. 1286–1291, May 2017.

[17] Q. Wang, H. Li, D. Zhao, Z. Chen, S. Ye, and J. Cai, “Deep neural networks for CSI-based authentication,” IEEE Access, vol. 7, pp. 123026–123034, 2019.

[18] H. Zarrinkoub, Understanding LTE with MATLAB®: From Mathematical Modeling to Simulation and Prototyping. Wiley Publishing, Jan. 2013.

[19] LTE resource grid. Accessed on June 3, 2019. [Online]. Available: http://niviuk.free.fr/lte resource grid.html

[20] T. Pushpalata and S. Y. Chaudhari, “Need of physical layer security in LTE: Analysis of vulnerabilities in LTE physical layer,” in 2017 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), March 2017, pp. 1722–1727.

[21] Q. Li, R. Li, K. Ji, and W. Dai, “Kalman filter and its application,” in 2015 8th International Conference on Intelligent Networks and Intelligent Systems (ICINIS), Nov. 2015, pp. 74–77.

[22] “Our common future: Report of the world commission on environment and development,” The United Nations, 1987, Accessed on Dec. 2, 2019. [Online]. Available: https://sustainabledevelopment.un.org/content/documents/5987our-common-future.pdf

[23] L. M. Hilty and B. Aebischer, “ICT for sustainability: An emerging research field,” in ICT Innovations for Sustainability, L. M. Hilty and B. Aebischer, Eds. Springer International Publishing, 2015, pp. 3–36.

[24] About the sustainable development goals. Accessed on Dec. 3, 2019. [Online]. Available: https://www.un.org/sustainabledevelopment/sustainable-development-goals/

[25] USRP N200/N210 networked series, Ettus Research, 1043 North Shoreline Blvd Suite 100, Mountain View, CA 94043, 2012. [Online]. Available: https://www.ettus.com/wp-content/uploads/2019/01/07495Ettus N200-210 DS Flyer HR 1.pdf

[26] LTE cell search, MIB and SIB1 recovery with two antennas. Accessed on March 4, 2019. [Online]. Available: https://se.mathworks.com/help/supportpkg/usrpradio/examples/lte-cell-search-mib-and-sib1-recovery-with-two-antennas.html

[27] lteOFDMDemodulate: OFDM demodulation. Accessed on May 14, 2019. [Online]. Available: https://se.mathworks.com/help/lte/ref/lteofdmdemodulate.html

[28] lteDLChannelEstimate: Downlink channel estimation. Accessed on May 14, 2019. [Online]. Available: https://se.mathworks.com/help/lte/ref/ltedlchannelestimate.html

[29] L. Gong, W. Yang, D. Man, G. Dong, M. Yu, and J. Lv, “WiFi-based real-time calibration-free passive human motion detection,” Sensors, vol. 15, pp. 32213–32229, Dec. 2015.

[30] Frekvenser for 4G (LTE), GSM och 3G [Frequencies for 4G (LTE), GSM and 3G]. Accessed on May 21, 2019. [Online]. Available: https://www.induo.com/s/g/gsm-3g-4g-frekvensband/

www.kth.se

TRITA-EECS-EX-2019:831