Identification of smart jammers: Learning-based approaches using wavelet preprocessing

Identification of smart jammers: Learning-based approaches using wavelet preprocessing

Journal Pre-proof Identification of smart jammers: Learning-based approaches using wavelet preprocessing Ozan Alp Topal, Selen Gecgel, Ender Mete Eksi...

2MB Sizes 0 Downloads 67 Views

Journal Pre-proof Identification of smart jammers: Learning-based approaches using wavelet preprocessing Ozan Alp Topal, Selen Gecgel, Ender Mete Eksioglu, Gunes Karabulut Kurt PII: DOI: Reference:

S1874-4907(19)30507-5 https://doi.org/10.1016/j.phycom.2020.101029 PHYCOM 101029

To appear in:

Physical Communication

Received date : 3 July 2019 Revised date : 4 December 2019 Accepted date : 22 January 2020 Please cite this article as: O.A. Topal, S. Gecgel, E.M. Eksioglu et al., Identification of smart jammers: Learning-based approaches using wavelet preprocessing, Physical Communication (2020), doi: https://doi.org/10.1016/j.phycom.2020.101029. This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

© 2020 Published by Elsevier B.V.

Journal Pre-proof

pro of

Identification of Smart Jammers: Learning-based Approaches Using Wavelet Preprocessing Ozan Alp Topala,∗, Selen Gecgela , Ender Mete Eksioglua , Gunes Karabulut Kurta a Department

of Electronics and Communication Engineering, Istanbul Technical University, 34469, Maslak, Istanbul, Turkey

Abstract

Smart jammer nodes can disrupt communication between a transmitter and a

re-

receiver in a wireless network, and they leave traces that are undetectable to classical jammer identification techniques, hidden in the time-frequency plane. These traces cannot be effectively identified through the use of the classical Fourier transform based time-frequency transformation (TFT) techniques with

lP

a fixed resolution. Inspired by the adaptive resolution property provided by the wavelet transforms, in this paper, we propose a jammer identification methodology that includes a pre-processing step to obtain a multi-resolution image, followed by the use of a classifier. Support vector machine (SVM) and deep convolutional neural network (DCNN) architectures are investigated as classi-

urn a

fiers to automatically extract the features of the transformed signals and to classify them. Three different jamming attacks are considered, the barrage jamming that targets the complete transmission bandwidth, the synchronization signal jamming attack that targets synchronization signals and the reference signal jamming attack that targets the reference signals in an LTE downlink transmission scenario. The performance of the proposed approach is compared

Jo

with the classical Fourier transform based TFT techniques, demonstrating the ∗ Corresponding

author. Email addresses: [email protected] (Ozan Alp Topal ), [email protected] (Selen Gecgel), [email protected] (Ender Mete Eksioglu), [email protected] (Gunes Karabulut Kurt) 1 This work was supported in part by Turkcell Iletisim Hizmetleri under Grant H-OPTO 9170045.

Preprint submitted to Physical Communication

December 4, 2019

Journal Pre-proof

efficacy of the proposed approach in the presence of smart jammers. Keywords: Smart jamming attacks, jammer identification, LTE, wavelet

pro of

analysis, support vector machine, deep convolution neural network.

1. Introduction

Orthogonal frequency division multiple access (OFDMA) technique constitutes the physical layer multiplexing method of choice for the Long Term Evolution (LTE) networks and its later Releases due to its robustness against noise 5

and fading impacts [1]. Based on the advantages provided by OFDMA, LTE has brought up numerous favorable properties including but not limited to higher

re-

data rates, better coverage, higher energy efficiency and lower latency than previous cellular networking technologies [2]. Despite the advantages that come with the OFDMA technique, LTE networks suffer from attacks generated by 10

active radio nodes [3]. These attacks generally include cases where an attacker

lP

(a jamming node) transmits a signal aiming to falsify the receiver or disrupt the communication. Such communication disruptions are frequently referred to as layer-1 denial-of-service (DoS) attacks.

Concurrent with the evolution of communication networks, newly introduced 15

jammer types may attack in very short time intervals or narrow and chang-

urn a

ing frequency bands. As scrutinized in [4], these types of attackers, named as smart jammers, can target a specific part of the legitimate signal and cannot be detected from conventional detection methods by hiding in the time-frequency plane. LTE vulnerabilities against these type of jammers are discussed in [5]. 20

Defense mechanisms against jamming attacks are proposed from different perspectives such as repeated game algorithms [6], or frequency hopping algorithms [7]. These network strategy algorithms require the knowledge of the jammer

Jo

type in order to combat against the jammer attack. Therefore, the jammer identification is a requirement prior to the jamming prevention/anti-jamming

25

systems.

In this work, we consider the LTE-downlink channel jamming scenario, where

2

pro of

Journal Pre-proof

Jammer

eNB

MN

Training

Down-convertor

Color mapping

Classification

re-

Preprocessing (TFT)

Fig. 1: A base station (eNB), monitoring node (MN) and a jammer in a LTE cell. The received

lP

signal from the MN would be the superposition of LTE signal and jammer signal.

a stationary monitoring node (MN) captures downlink channel observations by continuously processing the received baseband signal. The MN is synchronized with the cell and a stationary jammer attacks the transmission from the base 30

station (eNB), as shown in Figure 1. Note that, MN does not have any prior

urn a

knowledge about the jammer attack. In the presence of a smart jammer, two major vulnerabilities become apparent in LTE-downlink transmission: synchronization signals and reference signals [5]. These signals are transmitted along with the message signal over the network. Unlike message signals, they contain 35

critical information and even a partial disruption of this information may cause loss of the complete LTE packet. Our main contributions can be listed as the following;

Jo

• We introduce a novel system model for the identification of the smart jammers. Proposed identification system can be divided into two steps:

40

(i) a preprocessing step to highlight the disrupted parts of the signal, (ii) a classification step that automatically identifies jamming signals. 3

Journal Pre-proof

• We provide a Gabor wavelet transform based preprocessing step that conveys multi-resolution representation of the signals. We compare Gabor

45

pro of

wavelet transform with state-of-the-art preprocessing methods: spectrogram and Choi-Williams.

• For the classification step, we utilize a DCNN architecture to automatically extract the features of the transformed signals and to classify them. • As an alternative for the classification step, we utilized SVM also for the first time considering the smart jammer identification. The classification 50

accuracies of two classification schemes are compared with each other.

re-

• The validity of the proposed identification scheme is confirmed via simulations that are repeated for different location cases considering that the identification accuracy could change under different signal-to-noise (SNR) and signal-to-jamming (SJR) cases.

• In order to test the proposed system for a real-time applications, we also

lP

55

consider a dynamic adversarial environment in numerical studies, where the SNR/SJR values are not stable over time. The rest of this paper is organized as follows. In Section 2, we present related

60

urn a

work. In Section 3, we review possible LTE smart jamming attack types. In Section 4, we present the proposed system model for jammer identification. Numerical analysis and results are presented in Section 5 and 6 respectively. Finally, the paper is concluded in Section 7.

2. Related Work

Learning techniques are proposed for different types of jamming identification purposes. In [8], the authors propose unsupervised learning algorithms

Jo

65

that identify different types of jamming attacks on vehicle communication systems. [9] presents a machine learning-based jamming identification approach for IEEE 802.11 networks, where the authors compare the accuracy and robustness 4

Journal Pre-proof

of different popular machine learning techniques, which include decision tree, 70

adaptive boosting, support vector machine (SVM), expectation maximization

pro of

and random forest. In addition to shallow machine learning based identification schemes, the use of DCNNs has been studied in different communication problems that require quick response in real-time applications [10]. In [11], the proposed system 75

model can identify different types of barrage jamming attacks using CNN as a classifier. One of the most related research with our work is [22]. The authors of [22] aim detection of the barrage type jammers, and they provide an SVM based detection method. In addition to the barrage jamming, we consider smart

80

re-

jamming attacks such as reference signal jamming and synchronization signal jamming, which is a first in the literature. Smart jamming attacks are more robust against the detection schemes given in the literature. Therefore as a second difference, we consider the utilization of different pre-processing methods in order to magnify the effects of these jammers on the time-frequency axis.

85

lP

Also, we utilize principle component analysis (PCA) before SVM classification in order to strengthen the correlation among the features. Another related work, [12] proposes a CNN based jammer identification method where jammer types have been classified solely depending on the at-

urn a

tacked bandwidth. In [12], the considered jamming attacks include audio jamming, narrowband jamming, pulse jamming, sweep jamming and spread spec90

trum jamming. These jamming types have different frequency band characteristics, hence their detection and classification is more straightforward when compared to the smart jamming attacks, which are the subject of our work. As a second difference from our work, they do not require the pre-processing methods in order to increase the classification performance. On the other hand, pre-processing is an integral part of our work. As a final difference, we consider a more realistic jamming case when the network cannot verify SNR and SJR

Jo

95

values.

As a difference from the previous works, we propose an identification system

model against LTE smart jamming attacks, more specifically attacks on the 5

Journal Pre-proof

100

synchronization and reference signals. As discussed in [4], these signals are vulnerable against adversarial nodes and a combat strategy against LTE smart

pro of

jammers have not been considered in the literature. The proposed system model consist of a pre-processing part and a classification part, where the jamming type is decided from the observations obtained from a single LTE packet. The 105

proposed methods in both parts are compared with the state-of-the-art methods in terms of identification accuracies.

3. LTE Smart Jamming Model

This section is devoted to the review of the LTE smart jamming attack

110

re-

models to the relevant characteristics of the LTE signals. 3.1. LTE- Downlink Signal Generation

LTE downlink channel uses OFDMA as the channel access scheme. The

lP

transmission can be in frequency division duplex (FDD) or time division duplex (TDD) mode [13]. Data is delivered in frames of 10 milliseconds. An LTE frame is composed of ten subframes of 1 ms, and each subframe contains 2 time slots of 0.5 ms. Each time slot contains L symbols, and L depends on the cyclic-prefix (CP) mode. K denotes the total number of subcarriers. Depending on the

urn a

transmission bandwidth, K changes between 128 to 2048. The smallest defined unit, ak,l , denotes a resource element which consists of k th subcarrier during the lth symbol, where k = 0, 1, · · · , K − 1 and l = 0, 1, · · · , L − 1. According to the selected bandwidth and protocol, control and message signals are mapped into empty resource blocks. After mapping all signals into resource blocks, discrete time baseband representation of the transmitted downlink LTE signal s(l) can be obtained as

Jo

K−1 1 X s(l) = √ ak,l ej2πkl/K ω (l/K + KCP − 1). K k=0

(1)

The mapped subcarrier and symbol indexes for message signal can be denoted with km and lm , respectively. KCP denotes the cyclic-prefix length and ω(l0 ) is 6

Journal Pre-proof

(2)

pro of

a discrete rectangular window that is defined by   1 ; 0 ≤ l0 ≤ 1 ω(l0 ) = .  0 ; otherwise

Jamming attacks can be classified according to different characteristics such

as attacked bandwidth and jamming signal transmission. We will focus on jammers that attack the LTE characteristics explained above. Therefore four different types of jamming cases are considered: (i) there is no attack to the system, 115

(ii) the complete time-frequency plane is attacked, (iii) only the synchronization signals are attacked and (iv) only reference signals are attacked. Following

re-

titles are the specific names for these different jammer types respectively. 3.2. Barrage Jamming (BJ)

Barrage jamming (BJ) is the most frequent form of the jamming attack. Its detection [14], [15] and mitigation [16] have been exhaustively discussed in

lP

the literature. In BJ, the attacker continuously transmits band limited noise over the entire spectrum of the receiver. Discrete time representation of the transmitted BJ signal is

jb (l) ∼ CN (0, σj2 ),

120

urn a

where CN (µ, σ 2 ) denotes the complex normal distribution with mean µ and

variance σ 2 .

3.3. Synchronization Signal Jamming (SSJ) Unlike BJ, in synchronization signal jamming (SSJ), the attacker should be aware of the locations of the resource blocks as explained above. Although there are several ways of jamming synchronization signals, we assume that the attacker generates an LTE frame similar to the transmitter, but maps only PSS

Jo

and the SSS signals to related resource elements. The rest of the packet is filled with zeros. The process can be shown as ajkss ,ls ∼ CN (0, σs2 ), 7

Journal Pre-proof

where ks denotes the subcarrier indices of mapped resource elements with ks = m − 31 + K/2. ls denotes the symbol indexes of the mapped resource elements 125

pro of

and set to L − 2 for the PSS and L − 1 for the SSS. Remaining resource blocks of the jammer are filled with zeros: ajksrf ,lrf = 0 and ajksm ,lm = 0. Here, the mapped subcarrier and symbol indices for reference signal is respectively denoted by krf and lrf . The mapped subcarrier and symbol indices for message signal can be denoted by km and lm , respectively. In this case, discrete time representation of the transmitted SSJ signal can be denoted as

K−1 1 X js j2πkl/K js (l) = √ ak,l e ω (l/K + KCP − 1). K k=0

Note that, the SSJ signal transmission should be synchronized with the eNB,

re-

130

(3)

and the indices, ks and ls , should also be known by the attacker. 3.4. Reference Signal Jamming (RSJ)

lP

In reference signal jamming (RSJ), the attacker is assumed to know the locations of the reference signals. For RSJ signal generation, we have followed an approach similar to SSJ signal generation. We assumed that the attacker generates the random signal only on the reference signals locations and maps zeros on the data locations similar to the SC. The mapping can be shown as j

urn a

akrf ∼ CN (0, σr2 ), rf ,lrf

. In this work, subcarrier and symbol indices of the reference signals are assumed as fixed, respectively as krf = 0, 7, 14, · · · , N and lrf = 0, 7, 14, · · · , N . The j

j

remaining resource elements are filled with zeros; akrf = 0 and akrf = 0. In s ,ls m ,lm this case, discrete time representation of the RSJ signal is

Jo

K−1 1 X jrf j2πkl/K ak,l e ω (l/K + KCP − 1). jrf (l) = √ K k=0

(4)

3.5. Received Signal Model under Smart Jammer Attacks In an ideal case, received signal is affected by the channel attenuation and

the noise. Considering a flat fading discrete time uncorrelated channel in the 8

Journal Pre-proof

existence of a jammer, we can obtain the received baseband signal as s(l) · h(l) ji (l) · g(l) p + p + η(l), L L dP dP 1 2

(5)

pro of

r(l) =

where ji (l) is the jamming signal of the jammer type i, while i ∈ {b, s, rf } respectively for BJ, SSJ and RSJ. r(l) is the received signal, h(l) is the channel coefficient for the transmitted signal, g(l) is the channel coefficient for the jammer signal, d1 is the distance between the eNB and the MN, d2 is the distance between the jammer and the MN, P L is the path loss exponent and η(l) is the noise at the receiver. The channel coefficients are assumed to be complex valued random variables with h(l), g(l) ∼ CN (0, σ 2 ) distribution, and the noise at the

receiver is assumed as η(l) ∼ CN (0, σn2 ). Resulting signal-to-noise (SNR) ratio

re-

expression can be obtained as in the following SNR =

Ps σ 2 , L σn2 dP 1

(6)

where Ps denotes the power of the transmitted signal. Another important pa-

follows

lP

rameter for jammer analysis is the signal-to-jamming ratio (SJR) and given as  P L Ps d 2 , (7) Pj i d 1 is the jamming power. In the following section, jammer signal idenSJR =

where Pji 135

tification model will be presented. We aim to identify the jammer type, i, by

urn a

applying different transformation and classification methods to the r(l). 4. Identification System Model The general system structure and alternative operations for the system model are presented in this section. Identification system model is shown in 140

Figure 1. The preprocessing part of the identification system is carried out via a TFT which represents a 1D time signal into 2D time-frequency plane. After

Jo

transformation, 2D output signal can be named as time-frequency representation (TFR). Before classification, the TFR of the received signal is saved as an image. The second part of the identification system includes the automatic

145

classification for the generated images. 9

Journal Pre-proof

No Jammer

pro of

BJ SSJ

128x128

RSJ

Outputs

[email protected] Convolutional Layer 1   [email protected]

Pooling Convolutional Convolutional Layer 2 29X29 Layer 2 Layer 3 [email protected] [email protected] 21692

Pooling Layer 1 63X63

Feature Extraction

128

512

Classification

Fig. 2: A detailed DCNN block diagram. F @Υ1 × Υ2 where F represents the number of

re-

feature maps in the corresponding layer, whereas Υ1 × Υ2 denotes the size of anindividual feature map.

4.1. Preprocessing with Time-Frequency Transformations

lP

Time-frequency transformations (TFT) allow analyzing the temporal changes of the signal, and they give a compact representation on the time-frequency domain [17]. 150

4.1.1. Short Time Fourier Transformation (STFT)

urn a

In spectrogram, first a windowing function ω(l) is applied to the received signal to divide it into short time periods. Then fast Fourier transform (FFT) is applied separately to each time period. We can show the STFT of the r(l) as 1 Rs (c, κ) = √ 2π

(L−1)/2

X

l=(−L+1)/2

r(l)ω(c − l)e−j2πcl/L ,

(8)

where c = t × fs indicates the sample number, and κ is the frequency variable. For our case, frequency values of the related subcarriers as κ = k∆f where ∆f shows the frequency difference of the consecutive subcarriers. ω(l0 ) is a

Jo

155

discrete time rectangular function with length ˜l having a unit magnitude for (−˜l +1)/2 ≤ l0 ≤ (˜l −1)/2 . Note that ω(l0 ) can also be generated as a Hamming

10

Journal Pre-proof

or Hanning function, but we only consider the rectangular form because of its simplicity. Then the spectrogram of the signal is

pro of

160

Ps (c, κ) = |Rs (c, κ)|2 .

(9)

Time resolution of the spectrogram is δtS = (˜l − 1)/(2fs ) [18]. Using this approach, we can obtain the frequency content of the signal for short time periods.

4.1.2. Choi-Williams Transformation (CWT)

First proposed in [19], Choi-Williams Transform (CWT) actually aims to

re-

overcome difficulties on another TFT named as Wigner-Ville transformation (WVT). In WVT, multitone signals generate high power cross terms that should be zero. CWT remarkably reduces the cross-terms without worsening the spectral representation. The CWT of the received signal is 2L−1 X

S 0 (c, l)e−j2πκl/L ,

lP

Rcw (c, κ) = 2

(10)

l=0

where S 0 (c, l) is

urn a

and

   S(c, l) ,    0 S (c, l) = 0 ,      S(c, l − 2L) ,

S(c, l) = ω(ν)

165

0≤l ≤L−1 l=L

(11)

L + 1 ≤ l ≤ 2L − 1

L/2 X

(ν−1)2 1 − p e 4π2 /σ r(l + ν)r∗ (l − ν), 4πl2 /σ ν=−L/2

(12)

Similar to spectrogram, we can define the absolute square of the transform:

Jo

Pcw (c, κ) = |Rcw (c, κ)|2 .

(13)

The effective time resolution is δtcw = (˜l − 1)/(2fs ) [18]. Finally the resulting TFR Pcw (c, κ) is color-mapped and saved for the further classification process.

11

Journal Pre-proof

4.1.3. Gabor Wavelet Transformation Wavelet transforms are commonly used signal processing techniques thanks to the tunable time and frequency resolution properties [20]. Similar to Fourier

pro of

170

transform, wavelet transforms represent a signal through a linear combination on particular basis functions. In Fourier transform, the basis functions are sinusoidals which are not localized on time-frequency plane due to continuous oscillation. On the contrary, wavelets are finite in time and localized on time175

frequency plane, enabling successful detection and identification of the smart jammers hiding in the time-frequency plane. STFT provides an observation on temporal changes of the signal by applying a rectangular window to the

re-

signal before Fourier transform. Since same rectangular window is applied to the signal in STFT, time-frequency resolution of the signal would be same at all 180

positions. Unlike STFT, varying window size in the wavelet transforms provides multi-resolution on the different positions of the signal [21]. In this way, we can provide an adaptive resolution property against changing signal characteristics

lP

resulting from smart jammers.

In the presence of a smart jammer, the received signal r(l) would show vary185

ing characteristics over time. While the attacked parts exhibit abrupt changes in the signal, non-attacked parts would have smooth changing components. These

urn a

abrupt changes become apparent in higher frequency components. Increasing the scaling factor of the wavelet provides a better representation of the abrupt changes on the signal. We can construct a TFR from the received signal by 190

sequencing the arrays obtained from different scale factors of wavelet transformations.

Among various wavelet bases, Gabor functions provide the optimal resolution in both time and frequency domains by using a Gaussian shaped windowing

Jo

function [17]. Gabor wavelet transformation function can be expressed as f2 2 f c Ψ(c, f ) = √ e γ 2 ej2πcf , γ π

(14)

where f /γ is the scaling factor and γ is the quality factor and f = 1, 2, · · · , F .

The transformation is carried out via convolving the received signal r(l) with 12

Journal Pre-proof

defined Gabor wavelet transformation function: (15)

pro of

Rgm (c, f ) = r(l) ∗ Ψ(c, f ),

where ∗ denotes the convolution operation and f shows the different frequency values on which wavelet transform is applied. The TFR, also named as scalogram for Gabor-wavelet transform is

Pgm (c, f ) = |Rgm (c, f )|2 , 195

(16)

where the time resolution of the scalogram is defined as δtgm (f ) = γ/f [18]. Ps , Pcw and Pgm are TFR’s of the received signal and they are constructed as 2D

re-

matrices. They are stored in the memory for training the classification methods. The values in these magnitude level representations are color-mapped by their amplitude values. The color-mapping operation can be seen as a quantization 200

of the magnitude levels into different color levels.

lP

4.2. Classification Methods

In this work, we consider SVM and DCNN for classification purposes due to their high performances as reported in the literature [22], [12]. 4.2.1. Support Vector Machine (SVM)

Support vector machine (SVM) is a supervised learning method and was

urn a

205

firstly developed for binary classification. The main idea behind SVM is finding the optimal decision boundary by discriminating the feature vectors. The decision boundary is also named as a hyperplane and for optimality it has to maximize the separation between two data classes. The method starts with selecting a hyperplane in the feature space and is defined as follows;

Jo

210

wT x + b = 0,

(17)

where x is the feature vector or in this study output of PCA, w is the support T

vector, (·) denotes transpose operation and b is the bias term. SVM separates the data classes by maximizing the margin defined as minimum distance of any 13

Journal Pre-proof

data points to the decision boundary. If the data are not linearly separable, optimization problem is defined as below to find the maximal margin hyperplane;

ξ,w,b

1 2 2 kwk



Pm

pro of

min

p=1 ξp

subject to y (p) (wT x(p) + b) ≥ 1 − ξp

(18)

and ξp ≥ 0 p = 1, ..., m.

where m is the number of training samples, x(p) , y(p) , ξp are related to pth training sample and y (p) is a class label, which has one of only two values, either −1 or 1. ξp is a slack variable. The first term minimizes the distance to the closest data point, and the second term reduces the number of misclassified points. Optimization problem is constructed as the Lagrangian as given below

re-

215

L(w, b, a) = 21 kwk2 + λ p=1

ap [y

(p)

T

(w x

(p)

p=1 ξp

+ b) − 1 + ξp ] −

lP



Pm

Pm

Pm

p=1

(19) µp ξp ,

where 0 ≤ ap ≤ λ, λ is a hyperparameter called as penalty of the error term or regularization term, and µp ≥ 0 is the Lagrange term. When the above equation is solved, it turns into following form; Pm

p=1

urn a

f (x) =

ap y (p) K(x(p) , x) + b,

(20)

where K is a kernel function, and f (x) is called as decision function or score 220

function which is used to compute score for each input vector. According to the output of (20), SVM predicts the class of each input. Principal component analysis (PCA) is used as an effective and robust method for feature extraction [23]. After feature extraction through PCA, the dimension of the input vector x fed to the classifier is equal to the number of extracted principle components. SVM is applied to the multi-class classification

Jo

225

problem by using the ”one against the rest” approach [53].

14

Journal Pre-proof

4.2.2. Deep Convolutional Neural Networks (DCNN) Deep convolutional neural networks (DCNN) can be thought of as a series

230

pro of

of layers which are trained by the network model using a given dataset. These layers are convolutional layers, sub-sampling layers (also known as pooling layers) and full-connected layers. Pooling and convolution layers are fundamental layers of feature extraction part of DCNN. From the first layer to the last one, simple features are extracted initially, and gradually it continues to more complex features. The convolution layer is based on a discrete convolution process. 235

Discrete convolution in two dimensions is given as the following;

Y (r, t) =

∞ X

∞ X

X(r − k1 , t − k2 )W (k1 , k2 ),

(21)

re-

k1 =−∞ k2 =−∞

where Xn1 ×n2 represents two dimensional input matrix and Wm1 ×m2 is a kernel/filter matrix with m1 ≤ n1 and m2 ≤ n2 . A feature map is produced by sliding the convolution filter over the input signal. The sliding scale is a

lP

hyper-parameter known as stride. When zero padding is not used, calculation of feature map size or convolution layer output length for each dimensions can be realized using the following equation nd − m d sd

+1

d = 1, 2.

(22)

urn a

od =

nd and md represent the length of the input vector and the kernel length in dth dimension, where s is the value of stride. Pooling operations decrease the size of feature maps with some functions taking average or maximum value of each distinct region of size a1 × a2 from the input. Pooling layer solves disadvantages 240

related to probability of over-fitting and computational complexity [24]. Here, pooling layer does not include learnable parameters like bias units or weights. After the feature extraction, classification part follows and consists of one or

Jo

more full connected layers. In full connected layers, each neuron is connected to the preceding layer, and at the end of the classification neural network produces

245

the outputs.

In neural networks, activation function is used for producing a non-linear 15

Journal Pre-proof

decision boundary via functions of the weighted inputs. As often preferred, in this work rectified linear unit activation (ReLu) is selected and it is defined as

pro of

follows: φ(z) = max(0, z).

(23)

In output layers especially related to the classification problem, softmax function is a very strong option. As a normalized function, the softmax function is useful to obtain meaningful class membership predictions in multiclass settings [24]. The softmax function is defined below, where z is a vector of the inputs, i is the 250

output index, and M is the number of classes.

n=1

5. Numerical Analysis

5.1. Jamming Attack Simulation

ez n

.

re-

ezi p(y = i|z) = φ(z) = PM

(24)

lP

LTE signal generation and transmission scheme is modeled with the MATLAB LTE Toolbox. The parameters regarding to complete system can be found 255

in Table 2. The channels between radio nodes are assumed as flat fading with unit gain Rayleigh distribution. Four different jamming scenarios are consid-

urn a

ered, and the classification labels are: the absence of a jammer (no jamming), BJ, SSJ, and RSJ. The jamming is assumed to be active throughout a packet transmission duration. The transmission is repeated 5000 times for each sce260

nario. In each scenario, the received signal r is generated in accordance with (6). Same process is repeated considering nine different combinations of the jammer and the MN locations. The location cases and their equivalent SNR/SJR values with error vector magnitude (EVM) values are given in Table 1. C1 corresponds to the case when the jamming signal does not significantly reduce the transmission. On other cases, EVM values are higher than 70%, indicating that the

Jo

265

transmission is blocked by the jamming signal.

16

Journal Pre-proof

Table 1: Description of location cases and their distances, SNR, SJR and SJNR equivalents d2

SNR

SJR

EVM (%) No

BJ

RSJ

SSJ

pro of

d1 0.5

1.5

10

10

16.58

18.25

17.69

17.14

C2

1

1

5

0

23.14

95.82

85.18

77.64

C3

1

1.5

5

5

23.14

86.15

69.22

71.92

C4

1.5

1

0

-5

30.58

99.72

92.19

79.14

C5

1.5

1.5

0

0

30.58

89.18

83.26

75.84

C6

1.5

0.5

0

-10

30.58

99.16

96.24

98.47

C7

0.5

0.5

10

0

16.58

85.69

82.71

84.90

C8

1

0.5

5

-5

23.14

97.78

89.19

85.25

C9

0.5

1

10

5

16.58

37.55

28.17

29.60

re-

C1

5.2. Preprocessing

At the second step of the analysis, three different TFT’s are applied on the received signals in order to compare their performances with classifiers. Figure 3 shows the images obtained from the Ps , Pcw and Pg on logarithmic scale.

lP

270

These images are saved in portable network graphics (png) format and fed into two classifiers. All images for a given transformation are cropped to the same size in order to eliminate misleading features. As it can be seen from Figure 3, the existence of BJ is observable for every preprocessing method. Considering spectrogram, differences among no-jamming, SSJ and RSJ are not apparent

urn a

275

due to the single resolution property as discussed in Section III. Since most of the energy is located near the low frequencies, the abrupt changes occuring in high frequencies are not observable from the generated images. For CWT, the difference between no-jamming and BJ are not as apparent as spectrogram 280

and Gabor wavelet transform, because of the obscure background. As discussed above, the ambiguity arises from the cross-term effects is still observable, de-

Jo

spite the cross-term minimizing effects of CWT. Yet, classification results in the following of this paper show that the features in the images are still separable by the classifiers. In Gabor wavelet transform the images of four different jam-

285

ming scenarios are separable from each other. For the no-jamming scenario,

17

Journal Pre-proof

No-Jamming

Barrage Jamming

Reference Signal Jamming

pro of

Spectrogram

Synchronization Signal Jamming

Choi-Williams

re-

Gabor Wavelet

Fig. 3: Spectrogram, CWT and Gabor wavelet transform applied images. (from left to right no-jamming, BJ, SSJ and RSJ; from up to down spectrogram, CWT, Gabor wavelet transform)

energy is mostly localized in the low-frequency values. As it can be seen from

lP

the turquoise colored region, received signal contains abrupt changes due to the channel fading and the noise. These changes are closely located energy content on the time-frequency domain. Hence, these changes are represented with the 290

same color. In BJ scenario, jammer attacks are spread over the entire time-

urn a

frequency plane. As the power of the jammer increases, the abrupt changes on the signal become dominant over the time-frequency plane. In SSJ and RSJ, the attacked locations on time-frequency plane become apparent due to the multi-resolution property of wavelet transform. The emitted energy from SSJ 295

and RSJ becomes apparent in Gabor wavelet transform since the wavelets are localized on time-frequency plane. 5.3. Classification

Jo

In classification part, we compare two machine learning algorithms; DCNN

and SVM. DCNN architecture is implemented in KERAS Python library inter-

300

face that works with Tensorflow back end, while SVM is implemented in Phyton. We train each model with 1000 images and the size of images are 128 × 128. 18

Journal Pre-proof

On parameter selection, we utilize the accuracy of classification as the main metric. As shown in Figure 2, DCNN architecture consists of three convolution

305

pro of

layers, two pooling layers and three full-connected layers. We choose 2 × 2 for pooling size and 3 × 3 filter size for convolutional kernels. After each layer we apply batch normalization and ReLu function, except the output layer in which softmax function has been used. Also we employ dropout layer of 40% rate to prevent over-fitting.

Besides DCNN, we also applied SVM to compare their classification accura310

cies. Unlike DCNN, SVM requires an explicit feature extraction step to realize classification. After completion of the classification model training, 18400 test

re-

images are used to determine the performance of the algorithms for identifying the jammer types considering a single position case. For every position case,

Jo

urn a

lP

same training and test process is repeated.

19

Journal Pre-proof

Table 2: Parameters for numerical analysis. Parameter

Value

# of subcarriers

140

# of subframes

10

Duplex Mode

FDD

Cyclic Prefix

Normal

Modulation Type d1

1, 1.5

SNR (dB)

Simulation

0, 5, 10

SJNR (dB)

-5, 0, -5

Channel Fading Channel Gain

PL

4

γ F

128

re-

σcw

128

100 √ 5/2 2log2 256

lP

δts , δtcw

0.1024

δtgm

3.221/f

L

512

Colormap

Jet

PCA component number

1000

C

1

Kernel function

linear

Gamma value

0.001

Batch size

64

Epoch number

40

urn a

PCA-SVM

1

1.92 MHz

n2

Classification

Rayleigh

Sampling Frequency

n1

Preprocessing

QPSK

1, 1.5

d2

Jamming

pro of

Step

Convolution

Jo

layer stride

(1,1) Stochastic

Optimizer

Gradient Descent

Learning rate

0.1 Categorical cross

Loss Function DCNN

Classification

entropy function

Total parameters

13,867,988

Trainable parameters

13,866,508

Non-trainable params

1,480

20

Journal Pre-proof

315

6. Numerical Results Figure 4 shows the classification accuracies when SVM is selected as the

pro of

classifier. The groups at horizontal axis show the case numbers, where their SNR/SJR equivalents can be found from Table 1. Considering C1 , the identification accuracies are lower than other cases. In this case, jamming signal 320

is not detected by the identification system. The jamming signal cannot block the transmission anyways, which makes identification obsolete at the first place as the identification accuracies are lower than other cases. Considering other cases, the figure shows that the Gabor wavelet transform outperforms other classification methods with a minimum of 90% accuracy. As the signal and the jamming powers become closer to each other, in other words as the SJR

re-

325

approaches to zero, the classification accuracy of the Gabor wavelet transform increases. In high SNR values, classification accuracy is higher than the low SNR values considering Gabor wavelet transform. Considering C6 , the power of

330

lP

the jamming signal is much more powerful than the message signal. In this case, jammer signal becomes dominant over the time-frequency plane, where identification accuracy improves for all pre-processing methods. Both Choi-Williams transform and spectrogram work better in the low SNR region. Figure 5 shows the classification accuracies when DCNN is selected as the

335

urn a

classifier. Similar to the results of SVM classifier, the jammer activity cannot detected by the DCNN classifier in C1 . Gabor wavelet transform gives the best accuracy results overall with a minimum 93% accuracy. Similar to the SVM classification, Gabor wavelet works better as the SJR approaches zero. Although the remaining transformation techniques show high performance for C2 and C4 , their performance are steadily reduced in C3 and C5 . If we evaluate 340

the overall success of the classification methods, the first noticeable feature is

Jo

the superior jammer classification performance of the DCNN for all different transforms and setups. Although SVM has respectable performance in certain cases, DCNN with its hidden layers provides consistent and robust performance for all differing setup choices and TFT methods. Note that one similar trend

21

Journal Pre-proof

99

100

98.2

95.8 90.5

82.3

78.8

80

78.6

76.1

74.7

70

Accuracy(%)

pro of

90

60.6

58.2

60

56.2

52.9

51.3 50

45.3

50.2 50

44.8

43.2

40 30

CWT GWT S

99.9

100

28.1 24.7

20 12.6 10 0

1

2

3

4

5

6

Cases

7

50 50.1 49.8

8

9

345

re-

Fig. 4: Different time-frequency analysis comparison for SVM classification.

for both classification cases are the high accuracy gained with Gabor-wavelet transform. Besides, as the SJR value decreases for the same SNR, jammer signal becomes stronger. In this case, jammer signals become more visible on

lP

the time-frequency plane, and it becomes easier to detect their existence for all of the pre-processing and classification methods. The detection accuracy levels 350

in cases C4 , C6 and C8 can be given as the exemplary cases for high jamming power scenarios. On the other hand, as the jamming power decreases, detecting an attack becomes more difficult. In this case, the effect of jammers becomes

urn a

negligible as in case C1 .

Figure 6 shows the confusion matrices of different pre-processing methods 355

for the case where the SNR/SJR values are unknown at the MN. Here, classification accuracies for spectrogram, Choi-Williams and Gabor wavelet preprocessing methods are respectively 81.17%, 77.03% and 81.65%. The identification performance of Gabor-wavelet preprocessing with DCNN is promising to combat with smart jammer attacks under dynamic environment and attack cases. Table 3 demonstrates the average computation time considering different

Jo

360

pre-processing and detection schemes.

While DCNN classification provides

similar durations for different pre-processing techniques, the duration for the SVM classification depends on the input data, consequently the selected pre-

22

Journal Pre-proof

99.999.1 99.2

100

99.6

97.998.8

90

85.1 75.2

pro of

79.4 80.1

80

76.3

69.9

70

Accuracy(%)

CWT GWT S

100 100

99.7 100

99.6

98.4 93.3

62.9

60

60.3

52.3

50

45.9

39.6

40 30

26.5 25

25.2

20 10 0

1

2

3

4

5

Cases

6

7

8

9

RSJ 865

20000

9

8

15000

15954

26

10000

True

BJ 874 22559 SSJ 2870 RSJ 2231

0 0

9

16610

Predicted

(a)

No Jammer BJ

5000 0

SSJ

RSJ

6193

872

BJ 1309 19746 2137

258

No Jammer 16074 311

SSJ 7417

289 14664 1080

RSJ 962

13

705 21770

20000 15000 10000 5000

No Jammer BJ

SSJ

RSJ

No Jammer 15643 4896 1589 1322

True

SSJ 1564

lP

7

True

No Jammer BJ No Jammer 21014

re-

Fig. 5: Different time-frequency analysis comparison for DCNN classification.

BJ 1923 21075 266

186

SSJ 2474 1960 18911 105 RSJ 499

1975

14

Predicted

Predicted

(b)

(c)

20962

20000 15000 10000 5000

Fig. 6: Confusion matrices of different preprocessing methods for DCNN classification consid-

urn a

ering the blind-SNR/SJR case.

processing technique. Even though SVM classification is faster than DCNN 365

classification in many cases, the obtained accuracy levels are not acceptable for

Jo

a real-life application.

23

Journal Pre-proof

Table 3: The total avarage time duration spent for the prediction of 19000 test samples by SVM and DCNN models with different pre-processing methods.

pro of

Time duration [in sc.]

S SVM

6.000

CWT GWT S

DCNN

3.692

17.848 9.837

CWT

11.041

re-

GWT

10.184

7. Conclusion

In this paper, we present a novel LTE smart jammer identification system and determine the identification performance over various jamming cases. The proposed system can differentiate three main types of jamming attacks: barrage

lP

370

jamming, synchronization signal jamming and reference signal jamming cases along with the absence of jammer case. Even though barrage jammer can be easily detected as an unexpected random noise combined with the original signal, other types of attacks are harder to detect and to tolerate since they effectively hide in the targeting time-frequency plane and possibly disrupt communication

urn a

375

with a low power. The proposed system model is composed of a wavelet-based pre-processing step and a deep learning based classification stage. We consider an LTE downlink communication scenario, where the effectiveness of the wavelet transform based approach is clearly observed, even in the dynamic adversarial 380

channel scenario. As a future work, the proposed identification system can also be extended to multi-antenna systems. The monitoring node can benefit from

Jo

the diversity came within the multiple antenna structure. The observations from multiple antennas can be fused with different signal processing techniques for jammer identification and localization. Besides, the proposed methodology can

385

also be utilized in order to identify the uplink smart jamming attacks, where

24

Journal Pre-proof

the consequences might be more severe than the downlink scenario.

pro of

References [1] C. Shahriar, M. La Pan, M. Lichtman, T. C. Clancy, R. McGwier, R. Tandon, S. Sodagari, J. H. Reed, PHY-layer resiliency in OFDM communica390

tions: A tutorial, IEEE Communications Surveys & Tutorials 17 (1) (2015) 292–314. doi:10.1109/COMST.2014.2349883.

[2] M. Baker, From LTE-advanced to the future, IEEE Communications Magazine 50 (2) (2012). doi:10.1109/MCOM.2012.6146490.

395

re-

[3] Y. Zou, J. Zhu, X. Wang, L. Hanzo, A survey on wireless security: Technical challenges, recent advances, and future trends, Proceedings of the IEEE 104 (9) (2016) 1727–1765. doi:10.1109/JPROC.2016.2558521. [4] M. Lichtman, R. P. Jover, M. Labib, R. Rao, V. Marojevic, J. H.

lP

Reed, LTE/LTE-A jamming, spoofing, and sniffing: threat assessment and mitigation, IEEE Communications Magazine 54 (4) (2016) 54–61. 400

doi:10.1109/MCOM.2016.7452266.

[5] M. Lichtman, J. H. Reed, T. C. Clancy, M. Norton, Vulnerability of LTE to hostile interference, in: 2013 IEEE Global Conference on Signal and In-

urn a

formation Processing, 2013, pp. 285–288. doi:10.1109/GlobalSIP.2013. 6736871. 405

[6] F. M. Aziz, J. S. Shamma, G. L. St¨ uber, Jammer-type estimation in LTE with a smart jammer repeated game, IEEE Transactions on Vehicular Technology 66 (8) (2017) 7422–7431. doi:10.1109/TVT.2017.2672682. [7] K. A. Shridhara, Jamming detection and blanking for GPS receivers, US

Jo

Patent 6,448,925 (Sep. 10 2002).

410

[8] D. Karagiannis, A. Argyriou, Jamming attack detection in a pair of RF communicating vehicles using unsupervised machine learning, Vehicular Communications 13 (2018) 56–63. doi:10.1016/j.vehcom.2018.05.001. 25

Journal Pre-proof

[9] O. Pu˜ nal, I. Akta, C.-J. Schnelke, G. Abidin, K. Wehrle, J. Gross, Machine Learning-based Jamming Detection for IEEE 802.11: Design and Experimental Evaluation.

pro of

415

[10] T. O’Shea, J. Hoydis, An introduction to deep learning for the physical layer, IEEE Transactions on Cognitive Communications and Networking 3 (4) (2017) 563–575. doi:10.1109/TCCN.2017.2758370.

[11] Y. Junfei, L. Jingwen, S. Bing, J. Yuming, Barrage Jamming Detection 420

and Classification Based on Convolutional Neural Network for Synthetic Aperture Radar, IEEE International Geoscience and Remote Sensing Sym-

re-

posium (2018) 4583–4586doi:10.1109/IGARSS.2018.8519373.

[12] Z. Wu, Y. Zhao, Z. Yin, H. Luo, Jamming signals classification using convolutional neural network, in: 2017 IEEE International Symposium on Signal 425

Processing and Information Technology (ISSPIT), IEEE, 2017, pp. 062–

lP

067. doi:10.1109/ISSPIT.2017.8388320.

[13] T. ETSI, 136 211 V8. 7.0,” LTE; Evolved Universal Terrestrial Radio Access (E-UTRA); Physical channels and modulation (3GPP TS 36.211 version 8.7. 0 Release 8),” (2009).

[14] R. C. Hendrickson, Jamming detection in a wireless security system, US

urn a

430

Patent 5,950,110 (Sep. 7 1999). [15] M. Lichtman, T. Czauski, S. Ha, P. David, J. H. Reed, Detection and mitigation of uplink control channel jamming in LTE, in: Military Communications Conference (MILCOM), IEEE, 2014, pp. 1187–1194. doi: 435

10.1109/MILCOM.2014.199.

[16] R. Di Pietro, G. Oligeri, Jamming mitigation in cognitive radio networks,

Jo

IEEE Network 27 (3) (2013) 10–15. doi:10.1109/ICMCIS.2015.7158697.

[17] L. Cohen, Time-frequency distributions-a review, Proceedings of the IEEE 77 (7) (1989) 941–981. doi:10.1109/5.30749.

26

Journal Pre-proof

440

[18] A. Figueiredo, M. Nave, E.-J. contributors, Time–frequency analysis of nonstationary fusion plasma signals: a comparison between the choi–williams

4268–4270. doi:10.1063/1.1787573.

pro of

distribution and wavelets, Review of scientific instruments 75 (10) (2004)

[19] H.-I. Choi, W. J. Williams, Improved time-frequency representation of 445

multicomponent signals using exponential kernels, IEEE Transactions on Acoustics, Speech, and Signal Processing 37 (6) (1989) 862–871. doi: 10.1109/ASSP.1989.28057.

[20] S. G. Mallat, A theory for multiresolution signal decomposition: The

450

re-

wavelet representation, IEEE Transactions on Pattern Analysis and Machine Intelligence 11 (7) (1989) 674–693. doi:10.1109/34.192463. [21] G. Strang, Wavelet transforms versus Fourier transforms, Bulletin of the American Mathematical Society 28 (2) (1993) 288–305. doi:10.1090/

lP

S0273-0979-1993-00390-2.

[22] J. A. Jahanshahi, M. Eslami, On the performance of SVM based jam455

ming attacks detection algorithm in Base Station, in: 2011 IEEE Swedish Communication Technologies Workshop (Swe-CTW), 2011, pp. 109–113.

urn a

doi:10.1109/Swe-CTW.2011.6082476. [23] M. Pal, Multiclass approaches for support vector machine based land cover classification, arXiv prePrint arXiv:0802.2411 (2008). [24] S. Raschka, Python Machine Learning, Packt Publishing, 2015.

Jo

460

27

Journal Pre-proof

Declaration of interests ☒ The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Jo

urn a

lP

re-

pro of

☐The authors declare the following financial interests/personal relationships which may be considered as potential competing interests:

Journal Pre-proof 1

Ozan Alp Topal received the B.S. degree in Electronics and Communication Engineering from Istanbul Technical University, Istanbul, Turkey, in 2017, and the M.A.Sc. degree in Telecommunication Engineering from Istanbul Technical University in 2019. He has been serving as a research assistant at the Istanbul Technical University Electronics and Communications Engineering since 2018. His research interests

pro of

include physical layer security, quantum key distribution and visible light communication.

Selen Gecgel received the B.S. degree in Electronics and Communication Engineering from Yildiz Technical University, Istanbul, Turkey, in 2016. She is currently pursuing a M.S. degree with the Department of Telecommunication Engineering in Istanbul Technical University. She is a member of the ITU Wireless Communication Research Laboratory and her currently researches are interested in machine learning and

re-

wireless communication.

lP

Ender Mete Eksioglu was born in Istanbul, Turkey in 1976. He received the B.Sc. and M.Sc. degrees in Electrical Engineering from the University of Michigan, Ann Arbor, in 1997 and 1999, respectively. He received the Ph.D degree in Electronics and Communication Engineering from the Istanbul Technical University, Istanbul, Turkey in 2005. Same year he joined the Electronics and Communication Engineering Department the at Istanbul Technical University as an Assistant Professor, where he is currently working as

urn a

an Associate Professor. His current research interests include sparsity-based signal and image processing, machine learning applications in image processing and adaptive signal processing.

Gunes Karabulut Kurt (M06-SM’15) received the B.S. degree (Hons.) in electronics and electrical engineering from Bogazici University, Istanbul, Turkey, in 2000, and the M.A.Sc. and Ph.D. degrees in

Jo

electrical engineering from the University of Ottawa, ON, Canada, in 2002 and 2006, respectively. From 2000 to 2005, she was a Research Assistant with the CASP Group, University of Ottawa. From 2005 to 2006, she was with TenXc Wireless, where she worked on location estimation and radio-frequency identification systems. From 2006 to 2008, she was with Edgewater Computer Systems Inc., where she

worked on high-bandwidth networking in aircraft and priority-based signaling methodologies. From 2008 to 2010, she was with Turkcell Research and Development Applied Research and Technology, Istanbul. Since 2010, she has been an Associate Professor with Istanbul Technical University. Her research interests include sparse signal decomposition algorithms, multicarrier networks, traffic analysis, and network planning/management. She is a Marie Curie Fellow.

Journal Pre-proof

AUTHOR STATEMENT Ozan Alp Topal: Conceptualization, Methodology, Software, Validation, Data Curation, Writing



Selen Geçgel: Conceptualization, Methodology, Software, Validation, Data Curation, Writing

 

Ender Mete Ekşioğlu: Conceptualization, Methodology, Supervision, Writing Güneş Karabulut Kurt: Conceptualization, Methodology, Supervision, Project administration, Writing

Jo

urn a

lP

re-

pro of