Consistency Check Across Multiple Channel Estimates
Date: 2018-01-16
Authors:

Abstract (1)
• Security is one of the most important features in 11az.
• Both MAC- and PHY-level security protections are being added to ranging protocol.
• Mechanisms that enable detection of adversarial attack at PHY level can help to enhance security level.
• FRD [1] describes Type A and Type B adversaries that are characterized according to attacker’s response time.
• Adversary goal: to spoof the range of STA.
• Type A: 1 msec response time.
• VHT/HE Type B: 1 usec response time.
• DMG/EDMG Type B: 10 nsec response time.
Mingguang Xu, et al., Apple; Qinghua Li, et al., Intel

Abstract (2)
• A few security threat models are listed in [2]-[3]. Examples:
• Preamble attack applicable to known LTF:
• CP-replay attack applicable to CP-OFDM structure:

Abstract (3)
• One step back: How to combat noise and/or jammer?
• Noise and/or jammer can pollute channel estimate, and cause incorrect ToA/RTT estimate.
• “Consistency check” across multiple channel estimates within channel coherence time.
• Proposed in [4] under the context of selecting different CSD’s and Golay sequences for adversary detection.
• Can be leveraged to filter out incorrect ToA estimate due to noise and/or jammer.
• Enables protection against noise and/or jammer, and prevention of further security damage.

System Model (1)
• Transform-domain channel estimation:
• In frequency domain:
• In time domain, channel impulse response used for ToA estimation:
Rx signal with jammer in time domain:
Rx signal with jammer in frequency domain:

System Model (2)
• It is difficult to detect jammer if there is only a single channel estimate/measurement.
• Even if zero-padded waveform in [5][6] is used, attacker can still create fake paths with random arrival times by jamming the ranging signal.
• Note that zero-padded waveform can guarantee fake paths cannot be created in a deterministic way.
• ToA/RTT may be spoofed randomly with non-negligible chance.
• Consistency check is an effective way for detecting jammer.
• A fake path cannot be created by attacker in a deterministic way.
• Random fake paths can be identified by consistency check across more than one channel estimate.

System Model (3)
• Channel estimates with different training sequences.
• E.g., two channel estimates assuming channel itself does not change:
• If training sequences {X1(k), X2(k)} are independent and secured:
• Since the training sequences are unknown to attacker
• Attacker cannot manipulate the jamming signal so that the disturbance terms are the same across two instances of channel estimates.
• Can be generalized to multiple channel estimates, i.e., more than 2.
• If the noise level is too high (low-SNR regime), channel estimates will look unalike and can be filtered out/discarded to prevent erroneous ToA/RTT with high confidence.

System Model (4)
Fake paths w/ identical position.
• MIMO case:
• P matrix based scheme can be used to multiplex secure ranging waveforms from different Tx antennas.
• If CSD is applied, then replay attack applies due to the repetition CSD introduces.
• If CSD is not applied, fake path can be created in the same position for channel estimates from different Tx antennas.
• Consistency check based on multiple channel estimates obtained in time domain is needed to detect jammer.

Protocol Design Considerations (1)
• Consistency check based on different CSD’s in [4] can be repurposed to be based on multiple zero-padded random waveforms as proposed in [5][6].
• At Tx side, transmit multiple zero-padded random waveforms for channel estimation in a single packet.
• So that channel changes by the minimum amount, thus avoid rejecting valid measurements.
• Minimum overhead incurred, e.g., due to legacy portion of preamble.
• Overall time used for ranging is minimized: Generally helpful to protect against attackers.
• Multiple channel estimates can also be used for noise reduction if consistency check passes.

Protocol Design Considerations (2)
• Waveforms need to be independent of each other and secured.
• Can be shared in between R-STA and I-STA via secure message before ranging measurement.
• Otherwise, consistency check cannot help since fake path can be generated in a deterministic way.

Methods for Consistency Check (1)
• Example 1: Heuristics.
• Define a function to measure consistency, e.g., for two estimates:
• A few examples:
• Distance based, e.g., vector norm:
• Ratio based:
• FAP (First Arrival Path) based: Detection results based.
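
The simulation below is an added example, not part of the original slides. It illustrates the argument of System Model (3) and Protocol Design Considerations (2) with a distance-based heuristic: a disturbance that repeats across two estimates passes the check, while one built without knowledge of the training sequences does not. The signal model Y(k) = H(k)X(k) + J(k) + noise, the normalized-distance metric, the threshold and all numeric values are assumptions chosen for illustration.

```python
import cmath, math, random

N = 64  # subcarriers; constructed toy size, not an 11az parameter

def training(rng):
    """Random unit-modulus (QPSK) training sequence X(k)."""
    return [cmath.exp(1j * math.pi * (2 * rng.randrange(4) + 1) / 4) for _ in range(N)]

def path(delay, gain):
    """Frequency response of one path arriving `delay` samples late."""
    return [gain * cmath.exp(-2j * math.pi * k * delay / N) for k in range(N)]

def estimate(H, X, J, sigma, rng):
    """Channel estimate Y(k)/X(k) for Y(k) = H(k)X(k) + J(k) + noise (assumed model)."""
    noise = [complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for _ in range(N)]
    return [(H[k] * X[k] + J[k] + noise[k]) / X[k] for k in range(N)]

def inconsistency(h1, h2):
    """Distance-based heuristic: ||h1 - h2||^2 / (||h1||^2 + ||h2||^2)."""
    num = sum(abs(a - b) ** 2 for a, b in zip(h1, h2))
    return num / (sum(abs(a) ** 2 for a in h1) + sum(abs(b) ** 2 for b in h2))

def run(scenario, seed=1, sigma=0.05, threshold=0.1):
    """Return (score, accepted) for 'clean', 'known' or 'secret' training sequences."""
    rng = random.Random(seed)
    H = path(delay=10, gain=1.0)      # true first arrival path
    G = path(delay=4, gain=0.8)       # earlier fake path carried by the jamming signal
    X1, X2 = training(rng), training(rng)
    if scenario == "clean":           # no jammer
        J1 = J2 = [0j] * N
    elif scenario == "known":         # sequences known to the jammer: same disturbance twice
        J1 = [g * x for g, x in zip(G, X1)]
        J2 = [g * x for g, x in zip(G, X2)]
    else:                             # "secret": jammer can only guess the sequences
        J1 = [g * a for g, a in zip(G, training(rng))]
        J2 = [g * a for g, a in zip(G, training(rng))]
    score = inconsistency(estimate(H, X1, J1, sigma, rng), estimate(H, X2, J2, sigma, rng))
    return score, score <= threshold

if __name__ == "__main__":
    for name in ("clean", "known", "secret"):
        score, accepted = run(name)
        print(f"{name:6s} inconsistency={score:.3f} accepted={accepted}")
```

The "known" case is accepted even though both estimates contain the fake path, which is why the slides require the waveforms to be independent and secured.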

Methods for Consistency Check (2)
• Example 2: Hypothesis testing: p-value approach.
• Goal: Test whether the observation is statistically significant to reject the null hypothesis.
• Null hypothesis, denoted as H: Interference from attacker does not exist.
• Alternative hypothesis: Interference from attacker exists.
• Data: Can choose the difference between two observed channel estimates, i.e.,
• p-value: Prob. under the null hypothesis of obtaining an observation equal to or more extreme than what was observed, .
• Joint probability on the vector of channel difference, component wise comparison.
• Under H, each element of X follows the distribution of complex Gaussian.
• Null hypothesis is rejected if p-value is less than or equal to a threshold.
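
One way to carry out the p-value test described above, as an added example that is not from the original slides. It assumes the test statistic is the total energy of the difference vector and that the per-element variance of the difference under the null hypothesis (`sigma_d2`) is known; the function names, the threshold `alpha` and the sample vectors are constructed for illustration.

```python
import math

def p_value(diff, sigma_d2):
    """p-value of the energy of diff = h1 - h2 under H (no interference).

    Assumes each element of diff is circular complex Gaussian with known
    variance sigma_d2 under H, so s = sum|d_k|^2 / sigma_d2 is Gamma(N, 1)
    and P(S >= s) = exp(-s) * sum_{i<N} s^i / i!.
    """
    n = len(diff)
    s = sum(abs(d) ** 2 for d in diff) / sigma_d2
    if s == 0.0:
        return 1.0
    # Sum the terms in the log domain so a large s underflows to 0 instead of overflowing.
    logs = [-s + i * math.log(s) - math.lgamma(i + 1) for i in range(n)]
    return min(1.0, sum(math.exp(l) for l in logs))

def interference_detected(h1, h2, sigma_d2, alpha=1e-3):
    """Reject H (declare interference) when the p-value is <= alpha."""
    diff = [a - b for a, b in zip(h1, h2)]
    return p_value(diff, sigma_d2) <= alpha

# Constructed sample input: 64-tap estimates, difference variance 0.01 under H.
N, SIGMA_D2 = 64, 0.01
h_ref = [1 + 0j] + [0j] * (N - 1)
# Second estimate differing by noise-sized perturbations (|d_k|^2 = 0.01 on every tap).
h_noisy = [h + 0.1 * (1 if k % 2 else -1) for k, h in enumerate(h_ref)]
# Same estimate with one extra strong tap, standing in for a random fake path.
h_jammed = list(h_noisy)
h_jammed[5] += 0.8

if __name__ == "__main__":
    for name, h in (("noise only", h_noisy), ("extra tap", h_jammed)):
        diff = [a - b for a, b in zip(h, h_ref)]
        print(name, p_value(diff, SIGMA_D2), interference_detected(h, h_ref, SIGMA_D2))
```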

Numerical Results (1)
• Consistency check by heuristics, Ranging error = range_est - range_true.
• Assumption: No jammer.
• 11ad, BW = 2.16 GHz, CP = 128, NFFT = 512, random waveform for CE, Nyquist sampling rate, path delay is an integer multiple of sampling periods.

Numerical Results (2)
• Consistency check by heuristics, Ranging error = range_est - range_true.
• Assumption: No jammer.
• 11ad, BW = 2.16 GHz, CP = 128, NFFT = 512, random waveform for CE, Nyquist sampling rate, path delay is an integer multiple of sampling periods.

Summary
• Consistency check across multiple channel estimates within coherence time is an effective way to detect jammer and combat noise.
• Once consistency check fails, the results can be discarded to prevent damage to security.
• Noise reduction if consistency check passes.
• Secure ranging protocol should be designed to enable consistency check.
• Multiple waveforms for channel estimation need to be transmitted within the same packet.
• Methods for consistency check can be implementation specific.

References
[1] IEEE 802.11-16/424R11, 11az FRD.
[2] IEEE 802.11-17/0120r2: “Intel secured location threat model”, B. Abramovsky, O. Bar-Shalom, and C. Ghosh, Jan. 2017.
[3] IEEE 802.11-17/1122r0: “CP-replay threat model for 11az”, M. Xu, J. Dogan, K. Brogle, AJ Ringer, SK Yong, and Q. Wang, July 2017.
[4] IEEE 802.11-17/0795r3: “PHY-level security protection”, Q. Li, F. Jiang, J. Segev, B. Abramovsky, C. Ghosh, O. Bar-Shalom, and R. Stacey, July 2017.
[5] IEEE 802.11-17/1378r2: “Zero-padded waveform for secure channel estimation”, M. Xu, J. Dogan, SK Yong, Q. Wang, K. Brogle, and AJ Ringer, Sept. 2017.
[6] IEEE 802.11-17/1372r1: “CP replay attack protection”, E. Lindskog, N. Zhang, C. Zhang, N. Kakani, and A. Raissinia, Sept. 2017.

Straw Poll 1
For operation in the sub 7 GHz and 60 GHz bands, do you agree to add support for transmission of multiple zero padded waveforms in a single packet for channel estimation in a single Tx antenna case?
Results: Y: N: A:

Motion 1
• Move to adopt the set of spec framework requirements listed below and instruct the SFD editor to include it in the TGaz SFD under the sub-section 6 (security) for the .11az protocol
• For operation in the sub 7 GHz and 60 GHz bands, multiple zero padded waveforms in a single packet shall be transmitted for channel estimation in a single Tx antenna case
• Results: Y: N: A:

Straw Poll 2
For operation in the sub 7 GHz band, do you agree to support transmission of multiple P-matrix encoded training symbol sets in a single packet to enable multiple channel estimates in a multiple Tx antenna case?
Results: Y: N: A:

Motion 2
• Move to adopt the set of spec framework requirements listed below and instruct the SFD editor to include it in the TGaz SFD under the sub-section 6 (security) for the .11az protocol
• For operation in the sub 7 GHz band, multiple P-matrix encoded and zero padded training symbol sets in a single packet shall be transmitted to enable multiple channel estimates in a multiple Tx antenna case.
• Results: Y: N: A: