# Security Vulnerability of FDD Massive MIMO Systems in Downlink Training Phase

###### Abstract

We consider downlink channel training of a frequency division duplex (FDD) massive multiple-input-multiple-output (MIMO) system when a multi-antenna jammer is present in the network. The jammer intends to degrade mean square error (MSE) of the downlink channel training by designing an attack based on second-order statistics of its channel. The channels are assumed to be spatially correlated. First, a closed-form expression for the channel estimation MSE is derived and then the jammer determines the conditions under which the MSE is maximized. Numerical results demonstrate that the proposed jamming can severely increase the estimation MSE even if the optimal training signals with a large number of pilot symbols are used by the legitimate system.


## I Introduction

Massive MIMO is known as one of the main technologies in the next generation of wireless networks (5G), in which the base stations (BS) in cellular networks are equipped with a very large number of antennas [1]. This technology brings several performance advantages, of which spectral efficiency (SE) improvement is the most important [2]. Massive MIMO can be deployed in two modes: frequency division duplex (FDD) and time division duplex (TDD). In contrast to TDD massive MIMO systems, in the FDD mode the SE does not always improve with the number of BS antennas, and it may even degrade if the number of BS antennas gets too large. The reason is the large overhead of downlink training in FDD massive MIMO systems [3]. On the other hand, in the TDD mode, channel reciprocity can be utilized to estimate the downlink channel gain from the uplink training. But there are some problems in the TDD mode; for example, pilot contamination and calibration errors caused by hardware impairment can degrade the performance of TDD massive MIMO systems significantly [4],[5]. Besides, the FDD mode has some advantages over the TDD mode, e.g. lower latency and better performance in symmetric traffic services. More importantly, most of the currently deployed systems work in the FDD mode, and economically it will be more efficient for the new generation networks to operate in the FDD mode. Therefore, using the FDD mode in massive MIMO systems has been an important research topic in recent years. One of the important problems in this regard is reducing the downlink training overhead, which has been investigated in some papers, e.g. [6, 7, 8, 9, 10]. Also, there are some works on improving the efficiency of FDD massive MIMO systems with some assumptions about the channel model.
For instance, the authors in [11] have considered a single-user FDD massive MIMO with a correlated channel and proposed an algorithm to optimize the energy efficiency of the system by adjusting training length and transmit power.

Another main issue in 5G networks is security, because of their huge capacity and wider coverage. Physical layer security is one of the most effective approaches to solving the security issues of wireless networks against eavesdropping and jamming attacks [12]. Massive MIMO has intrinsic security against passive eavesdropping [13]. But in the case of active eavesdroppers and jammers, massive MIMO security is not guaranteed and the system could be vulnerable. This problem has been investigated extensively in many works, e.g. [14, 15, 16, 17, 18].
In [14], the authors have considered a multi-user TDD massive MIMO system and demonstrated how a limited-power smart jammer can perform an optimal attack in both uplink channel estimation and data transmission to minimize the uplink spectral efficiency of the system.
In [15], the authors have explored the pilot contamination attack by an active eavesdropper in a multi-cell TDD massive MIMO network. The secrecy rate is analyzed for matched filter precoding and an artificial random noise transmission strategy. In addition, a precoder null space design is proposed to secure the communication against the eavesdropper.
In [16], the authors have studied an advanced full-duplex adversary with a massive array who tries to attack a TDD single-user massive MIMO network. The adversary simultaneously performs eavesdropping and jamming. It is shown that even with imperfect jamming channel estimation and self-interference, the jammer can still disable conventional physical layer protecting schemes.
In [17], the authors have proposed an approach to detect jammers in the TDD massive MIMO systems by exploiting some unused pilots in the system and showed that by increasing the number of base station antennas and unused pilots, the proposed scheme can detect the jamming more efficiently.
In [18], a robust jamming-resistant receiver in the uplink of a TDD massive MIMO network is designed which utilizes some purposely unused pilot symbols in the training phase.
All of the aforementioned papers and other related references therein have assumed the TDD mode for massive MIMO networks and as far as we know, no work in the literature has considered the security issues of FDD massive MIMO systems.

In this paper, we study the security of massive MIMO systems in FDD mode. In particular, we consider downlink channel training of an FDD massive MIMO system when there is a multi-antenna jammer in the environment who tries to attack the training phase and degrade the channel estimation performance. In contrast to many other papers in this field, we take into account the spatial correlation of the channels, which makes the channel model more realistic. The jammer designs its attack based on the second-order statistics of its channel. We show how a smart jammer can efficiently attack the training phase and increase the estimation error significantly. Mean square error (MSE) maximization is selected as the attack criterion and the optimal design of the jammer signal is analytically derived. Numerical results illustrate how much the proposed attack can jeopardize the downlink training phase in this system even if the BS uses optimal pilots for channel estimation. This security vulnerability is shown to be more severe for more strongly correlated channels.

The remainder of this paper is organized as follows. In Section II, the system model is introduced. Downlink channel training procedure is presented in Section III. In Section IV, the jamming signal design problem is formulated and solved. Numerical results are given in Section V and in the end, Section VI provides the conclusion of this paper.

### I-A Notation

Throughout the paper, we use boldface uppercase to denote matrices, boldface lowercase for vectors and italic letters to denote scalars. represents conjugate transpose and denotes a matrix containing columns to of a matrix . is the expectation operator and represents circularly-symmetric complex Gaussian random vectors with zero mean and covariance matrix . The identity matrix is denoted by . For two random matrices and , the covariance matrix is represented by .

## II System Model

We consider a single-cell network with a large-scale BS supplied with antennas and a single-antenna user-equipment (UE) in the presence of a jammer who has antennas. The network operates in the FDD mode. Therefore, for downlink channel estimation, the BS transmits a training sequence to the UE, then the UE estimates the channel gain and feeds its estimate back to the BS. The BS transmits a pilot signal, with the length of symbols from each of its transmit antennas. These pilots can be stacked into an matrix called . A unitary training sequence with the same power at each of the pilot symbols is adopted in this paper, i.e. . We assume that the jammer has prior knowledge of and transmits a jamming signal containing at least symbols from each of its antennas. The signal transmitted by the jammer can be collected into an matrix called . The signal received by the UE will be

(1) |

where is the BS transmit power in the training phase, is the channel gain from the BS to the UE, is the jammer transmit power, is the channel gain from the jammer to the UE and models the thermal noise at the UE.

The channel gain from the BS to the UE is assumed to be spatially correlated. It is modeled as where is the covariance matrix of the channel vector . The same model is used for the channel gain from the jammer to the UE, i.e. .

## III Downlink channel estimation

The UE uses the received signal in (1) to estimate by minimum mean square error (MMSE) method [19] that yields

(2) |

where the covariance matrices are computed as

(3) | |||

(4) |

The estimated channel gain distribution is where the covariance matrix is computed as

(5) |

We define the estimation error vector as that and the average MSE per antenna (hereafter MSE) is computed as

(6) |

By exploiting Wishart matrix properties in [20], the MSE will be

(7) |

The eigenvalue decomposition (EVD) of is where is a diagonal matrix containing the eigenvalues of in descending order and contains the corresponding eigenvectors. The BS does not know about the jammer presence and designs the pilot matrix to minimize the MSE without taking into account the effect of the jammer. In [9], it is shown that the optimal design of pilots to minimize the MSE is as follows

(8) |

In the next section, we will analyze the estimation performance with the above optimal pilot design in the presence of our proposed jammer signal design.

## IV Jammer attack signal design

In this section, we look at the channel estimation procedure from the jammer’s point of view and show how a smart jammer with limited power can efficiently design its attack signal, , to maximize the estimation error even if the BS uses the optimal pilots as in (8). The jammer knows its channel covariance matrix since it is the second-order statistics of the channel and changes slowly over many coherence intervals. The eigenvalue decomposition (EVD) of is where is a diagonal matrix containing the eigenvalues of in decreasing order and is the corresponding eigenvector matrix. The jammer can design the signal in different ways. However, in all designs, the unitary signal structure with equal power at each of the symbols is used, i.e. . The jammer solves the following optimization problem to design its attack signal

(9) | |||

The matrix that maximizes the objective function in (9) minimizes . The following lemma gives a simple equivalent problem for (9) and presents a solution for it.

###### Lemma 1.

Based on this lemma, we conclude that if the BS uses symbols for downlink training, a jammer with antennas can design an optimal attack signal and maximize the MSE. In the next section, we will evaluate the performance of the proposed jamming attack by numerical simulations.

## V Numerical Results

In this section, the performance of the proposed jamming is explored by means of numerical simulations and we inspect the estimation MSE in different channel conditions and pilot signal designs at the BS. We consider a BS with a uniform linear array (ULA) consisting of antennas. The exponential correlation model is used for the covariance matrix with elements , where the coefficient determines the strength of the correlation in the channel [5]. The same model is used for the jammer’s channel covariance matrix. Path-loss and shadow-fading are assumed to be the same for both channels and are normalized to unity. Furthermore, the variance of thermal noise is assumed to be and the transmit powers of the BS and the jammer are measured in dB relative to .

To show the vulnerability of the estimation procedure in the presence of the proposed jamming, we consider five different scenarios and compare them in terms of the channel estimation MSE. The BS can design the pilot signal matrix in different ways, but two extreme cases are important here. In the first case, the BS uses the optimal pilots in (8). In the second case, which is the worst-case scenario, the BS uses the complement of these pilots. We call these the worst-case pilots, which are obtained from the following problem,

(13) |

This can be derived by following an approach similar to the proof of (8) in [9]. On the jammer side, we consider our proposed jamming design and two other scenarios for benchmarking. First, the jammer is silent and does not attack the system. In the second scenario, the jammer designs its attack signal without considering the second-order statistics of its channel and the objective in (9) and only satisfies constraint . One way to do this, which we call single-shot jamming, is when every column of has only one ’1’ entry, and none of the rows has more than one ’1’ entry.

Fig. 1 illustrates the MSE of the estimator versus the number of pilot symbols for the aforementioned pilot and jamming signal designs. We can see that in a realistic case in which the BS uses the optimal pilots , our proposed jamming has a severe effect on the MSE and makes it close to the case in which the BS uses the worst-case pilots. When the number of symbols, gets close to the number of BS antennas, the MSE under the proposed jamming gets even larger than in the worst-case pilots scenario. We also see that when there is no jamming in the system, the MSE will tend to zero by increasing , but in the presence of the proposed jammer, it will saturate to a value around 0.5. This implies that the estimation procedure in this system is severely vulnerable to the jamming attack. The other point that can be seen from this figure is the merit of our proposed jamming compared to the single-shot jamming design.

Fig. 2 is in the same scenario as in Fig. 1 but with a larger correlation coefficient , i.e. a more strongly correlated channel. We can see that when the channel is more correlated, the optimal pilot design makes the MSE very small in the case of no jammer or with single-shot jamming in the system. But with our proposed jammer signal design, the MSE gets significantly large. It should also be noted that in all the scenarios, when the number of pilot symbols is equal to the number of BS antennas, the MSE will be relatively small, but if the jammer uses our proposed design, the MSE will still be around 0.5 and can be very destructive in the downlink data phase precoder design.

Fig. 3 shows the channel estimation MSE versus the number of BS antennas. The number of pilot symbols in the system is fixed at and the jammer is assumed to have antennas. As we see, in the presence of our proposed smart jammer, more antennas at the BS can reduce the MSE. However, after a minimum point, the MSE starts to grow as the number of BS antennas increases. That is because a large number of antennas leads to a high dimensional channel vector and the pilot length is not sufficient to estimate this channel even if it is strongly correlated. Note that at any number of BS antennas, the MSE in the presence of our proposed jammer is still larger than in all other scenarios that adopt optimal pilot designs at the BS.
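The following added example (not the authors' simulation code) evaluates the per-antenna estimation MSE for the three jamming scenarios of this section when the BS uses eigenvector pilots. It assumes a linear-Gaussian model y = sqrt(p) X^H h + sqrt(q) W^H g + n with an LMMSE estimator at the UE and the exponential correlation model for both covariance matrices; all function names and the parameter values (M=32, N=16, tau=8, r=0.7, 10 dB powers) are constructed for illustration.

```python
import numpy as np

# Assumed model (labelled assumption): y = sqrt(p) X^H h + sqrt(q) W^H g + n,
# with h ~ CN(0, R), g ~ CN(0, Rg), n ~ CN(0, sigma2 * I), X^H X = W^H W = I.

def exp_corr(n, r):
    """Exponential correlation matrix with entries r**|i-j| (unit diagonal)."""
    idx = np.arange(n)
    return r ** np.abs(idx[:, None] - idx[None, :])

def top_eigvecs(R, k):
    """Return the k dominant eigenvectors of R and their eigenvalues, strongest first."""
    vals, vecs = np.linalg.eigh(R)            # eigh returns ascending order
    order = np.argsort(vals)[::-1][:k]
    return vecs[:, order], vals[order]

def single_shot(n, k):
    """n x k matrix with one '1' per column and at most one '1' per row."""
    W = np.zeros((n, k))
    W[np.arange(k), np.arange(k)] = 1.0
    return W

def lmmse_mse(R, X, p, sigma2, Rg=None, W=None, q=0.0):
    """Per-antenna LMMSE error; interference enters as coloured noise."""
    M, tau = X.shape
    Cy = p * X.conj().T @ R @ X + sigma2 * np.eye(tau)
    if W is not None:
        Cy = Cy + q * W.conj().T @ Rg @ W
    Chy = np.sqrt(p) * R @ X                   # cross-covariance E[h y^H]
    Ce = R - Chy @ np.linalg.solve(Cy, Chy.conj().T)
    return float(np.real(np.trace(Ce)) / M)

def compare(M=32, N=16, tau=8, r=0.7, p_db=10.0, q_db=10.0, sigma2=1.0):
    """MSE per scenario; powers are in dB relative to the noise variance."""
    p = sigma2 * 10 ** (p_db / 10)
    q = sigma2 * 10 ** (q_db / 10)
    R, Rg = exp_corr(M, r), exp_corr(N, r)
    X, _ = top_eigvecs(R, tau)                 # pilots on dominant eigenvectors of R
    W_eig, _ = top_eigvecs(Rg, tau)            # interference aligned with Rg's EVD
    return {
        "no_jamming": lmmse_mse(R, X, p, sigma2),
        "single_shot": lmmse_mse(R, X, p, sigma2, Rg, single_shot(N, tau), q),
        "eigen_aligned": lmmse_mse(R, X, p, sigma2, Rg, W_eig, q),
    }

if __name__ == "__main__":
    for name, mse in compare().items():
        print(f"{name:14s} MSE = {mse:.4f}")
```

Sweeping `tau` or `r` in `compare` gives a quick way to check how much estimation margin a given pilot length leaves under each interference model.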

## VI Conclusion

In this work, we considered the security of an FDD massive MIMO system against a jammer who intends to attack the downlink training phase and degrade the estimation performance. The jammer tries to maximize the estimation MSE by optimally designing its attack signal even if the BS uses the optimal training signals with a large number of pilot symbols. Numerical results showed the severe impact of this attack. In particular, when the BS uses optimal pilots with a sufficient number of symbols, the estimation MSE could tend to zero in the absence of a jammer or in the presence of other jamming schemes. But if the jammer attacks the system using our proposed design, the estimation MSE will still be large even at a large number of pilot symbols. This shows the security vulnerability in the downlink training phase of FDD massive MIMO systems against the proposed smart jammer.

## Appendix

### VI-A Proof of Lemma 1

First, we show that solving the problem in (10) is equivalent to the solution of (9). As is a constant and is independent of , we have

(14) |

Using the fact that , we can rewrite equation (5) as follows

(15) | |||

(16) | |||

(17) |

and are independent of . Also note that is in the inverted part of , therefore

(18) |

To solve the equivalent problem in (10), we use the fact that for a matrix and any matrix satisfying the constraint (1), the trace of matrix is maximized when is diagonal and also the main diagonal entries of are maximized. By exploiting the EVD of and noting that the eigenvalues of are in decreasing order in , we conclude that the matrix which maximizes and satisfies (1), must meet the following equation

(19) |

which implies that .

## References

- [1] E. G. Larsson, O. Edfors, F. Tufvesson, and T. L. Marzetta, “Massive MIMO for next generation wireless systems,” IEEE Communications Magazine, vol. 52, pp. 186–195, February 2014.
- [2] H. Q. Ngo, E. G. Larsson, and T. L. Marzetta, “Energy and spectral efficiency of very large multiuser MIMO systems,” IEEE Transactions on Communications, vol. 61, pp. 1436–1449, April 2013.
- [3] Z. Jiang, A. F. Molisch, G. Caire, and Z. Niu, “Achievable rates of FDD massive MIMO systems with spatial channel correlation,” IEEE Transactions on Wireless Communications, vol. 14, pp. 2868–2882, May 2015.
- [4] O. Elijah, C. Y. Leow, T. A. Rahman, S. Nunoo, and S. Z. Iliya, “A comprehensive survey of pilot contamination in massive MIMO 5G system,” IEEE Communications Surveys Tutorials, vol. 18, pp. 905–923, Secondquarter 2016.
- [5] E. Björnson, J. Hoydis, M. Kountouris, and M. Debbah, “Massive MIMO systems with non-ideal hardware: Energy efficiency, estimation, and capacity limits,” IEEE Transactions on Information Theory, vol. 60, pp. 7112–7139, Nov 2014.
- [6] W. Shen, L. Dai, Y. Shi, B. Shim, and Z. Wang, “Joint channel training and feedback for FDD massive MIMO systems,” IEEE Transactions on Vehicular Technology, vol. 65, pp. 8762–8767, Oct 2016.
- [7] Z. Gao, L. Dai, W. Dai, B. Shim, and Z. Wang, “Structured compressive sensing-based spatio-temporal joint channel estimation for FDD massive MIMO,” IEEE Transactions on Communications, vol. 64, pp. 601–617, Feb 2016.
- [8] J. Fang, X. Li, H. Li, and F. Gao, “Low-rank covariance-assisted downlink training and channel estimation for FDD massive MIMO systems,” IEEE Transactions on Wireless Communications, vol. 16, pp. 1935–1947, March 2017.
- [9] J. Choi, D. J. Love, and P. Bidigare, “Downlink training techniques for FDD massive MIMO systems: Open-loop and closed-loop training with memory,” IEEE Journal of Selected Topics in Signal Processing, vol. 8, pp. 802–814, Oct 2014.
- [10] B. Dutta, R. Budhiraja, and D. R. Koilpillai, “Limited-feedback low-encoding complexity precoder design for downlink of FDD multi-user massive MIMO systems,” IEEE Transactions on Communications, vol. 65, pp. 1956–1971, May 2017.
- [11] Y. Wang, C. Li, Y. Huang, D. Wang, T. Ban, and L. Yang, “Energy-efficient optimization for downlink massive MIMO FDD systems with transmit-side channel correlation,” IEEE Transactions on Vehicular Technology, vol. 65, pp. 7228–7243, Sept 2016.
- [12] Y. Wu, A. Khisti, C. Xiao, G. Caire, K. Wong, and X. Gao, “A survey of physical layer security techniques for 5G wireless networks and challenges ahead,” IEEE Journal on Selected Areas in Communications, vol. 36, pp. 679–695, April 2018.
- [13] D. Kapetanovic, G. Zheng, and F. Rusek, “Physical layer security for massive MIMO: An overview on passive eavesdropping and active attacks,” IEEE Communications Magazine, vol. 53, pp. 21–27, June 2015.
- [14] H. Pirzadeh, S. M. Razavizadeh, and E. Björnson, “Subverting massive MIMO by smart jamming,” IEEE Wireless Communications Letters, vol. 5, pp. 20–23, Feb 2016.
- [15] Y. Wu, R. Schober, D. W. K. Ng, C. Xiao, and G. Caire, “Secure massive MIMO transmission with an active eavesdropper,” IEEE Transactions on Information Theory, vol. 62, pp. 3880–3900, July 2016.
- [16] N. Nguyen, H. Q. Ngo, T. Q. Duong, H. D. Tuan, and D. B. da Costa, “Full-duplex cyber-weapon with massive arrays,” IEEE Transactions on Communications, vol. 65, pp. 5544–5558, Dec 2017.
- [17] H. Akhlaghpasand, S. M. Razavizadeh, E. Björnson, and T. T. Do, “Jamming detection in massive MIMO systems,” IEEE Wireless Communications Letters, vol. 7, pp. 242–245, April 2018.
- [18] T. T. Do, E. Björnson, E. G. Larsson, and S. M. Razavizadeh, “Jamming-resistant receivers for the massive MIMO uplink,” IEEE Transactions on Information Forensics and Security, vol. 13, pp. 210–223, Jan 2018.
- [19] S. M. Kay, Fundamentals of Statistical Signal Processing: Estimation Theory. Upper Saddle River, NJ, USA: Prentice-Hall, Inc., 1993.
- [20] A. M. Tulino and S. Verdú, Random Matrix Theory and Wireless Communications, vol. 1. Hanover, MA, USA: Now Publishers Inc., June 2004.