# On the Pilot Contamination Attack in Multi-Cell Multiuser Massive MIMO Networks

In this paper, we analyze pilot contamination (PC) attacks on a multi-cell massive multiple-input multiple-output (MIMO) network with correlated pilots. We obtain correlated pilots using a user capacity-achieving pilot sequence design. This design relies on an algorithm which designs correlated pilot sequences based on signal-to-interference-plus-noise ratio (SINR) requirements for all the legitimate users. The pilot design is capable of achieving the SINR requirements for all users even in the presence of PC. However, this design has some intrinsic limitations and vulnerabilities, such as a known pilot sequence and the non-zero cross-correlation among different pilot sequences. We reveal that such vulnerabilities may be exploited by an active attacker to increase PC in the network. Motivated by this, we analyze the correlated pilot design for vulnerabilities that can be exploited by an active attacker. Based on this analysis, we develop an effective active attack strategy in the massive MIMO network with correlated pilot sequences. Our examinations reveal that the user capacity region of the network is significantly reduced in the presence of the active attack. Importantly, the SINR requirements for the worst-affected users may not be satisfied even with an infinite number of antennas at the base station.


## I Introduction

Massive multiple-input multiple-output (MIMO) has been widely acknowledged as an essential enabler for the next-generation wireless networks. In massive MIMO networks, base stations (BSs) are equipped with a huge number of antennas to offer numerous benefits over regular MIMO, such as simpler power control [2], higher spectral efficiency, and higher energy efficiency [3, 4]. A key benefit of massive MIMO is that the wireless channels become increasingly orthogonal when the number of antennas at the BS increases [5]. Thus, recent experimental results have suggested that massive MIMO offers a major improvement in performance towards achieving a thousand-fold increase in data rate compared with 4G networks, which confirms the important role of massive MIMO in the 5G era [6, 7, 8].

Pilot contamination (PC) is one of the key performance limiting factors for unlocking the full potential offered by massive MIMO [9, 10, 11, 12, 13]. PC stems from the reuse of pilot sequences in the massive MIMO network. Consequently, the pilot sequences assigned to different users in the network are non-orthogonal [11, 12]. We highlight that the next-generation wireless networks are required to support a large number of high-mobility users. As such, it is not possible to assign orthogonal pilot sequences to all the users in the network. Also, the short duration of the channel coherence interval restricts the use of a large number of orthogonal pilot sequences in the massive MIMO network. Consequently, there are limited orthogonal pilot sequences available in massive MIMO networks.

Considering the fact that PC degrades the performance of the massive MIMO network, a number of solutions have been proposed to compensate for this degradation [9, 14]. Such solutions can be broadly grouped into five categories: 1) the protocol-based method which restricts the simultaneous transmission from the users having the same pilot sequence or wisely assigns pilot sequences among users to alleviate PC [15, 16, 17]; 2) the precoding-based method which relies on specifically designed precoders to reduce the interference caused by PC [10, 18]; 3) the angle-of-arrival (AoA)-based method which mitigates the interference from the users having the same pilot sequence and mutually non-overlapping AoAs [19, 20]; 4) the blind method which partitions the signal space into desired signal subspace and interference signal subspace and then develops algorithms to reduce the interference from the latter [21, 22]; and 5) the pilot sequence design methods which aim at designing pilot sequences such that the PC does not severely impact the network performance [11, 12, 13]. It is worth mentioning that most conventional methods assumed orthogonal pilot sequences to perform PC analysis [19, 15, 10, 20]. However, this assumption may not be practical in realistic massive MIMO networks. Fortunately, pilot sequence design methods relax the assumption of strict orthogonality within the pilot sequence set [11, 12, 13]. As such, the pilot sequence set is non-orthogonal and every pilot sequence has a non-zero cross-correlation with other pilot sequences. Accordingly, the pilot sequence design methods aim at minimizing the cross-correlation such that the network achieves its performance target, e.g., signal-to-interference-plus-noise ratio (SINR) requirements. Although pilot sequence design methods provide an adequate solution to the PC problem, the use of correlated pilots makes the massive MIMO network more susceptible to PC attacks by an adversary [1].

We highlight that a PC attack may be difficult to detect in a massive MIMO network [23, 24]. Recently, several methods have been proposed for PC attack detection [25, 26, 27]. PC attacks can be detected using self-contamination [25, 26] or via random channel training [27]. If an attacker avoids detection and countermeasures, it may successfully modify the downlink precoder at BSs for legitimate users with a PC attack [24]. Different from [24], we consider a network with multiple Bobs and Eves. Furthermore, we analyze the optimal pilot selection at Eves for a PC attack when the pilot sequences used in the network are correlated. As such, the results, analysis, and discussions in this manuscript cannot be obtained directly from [24]. Notably, it is possible to increase the severity of a PC attack with multiple Eves [28]. As such, a PC attack has large potential to severely degrade the performance of massive MIMO networks.

In this paper, we analyze the user capacity-achieving pilot sequence design from the perspective of an active attacker. We highlight that the user capacity-achieving pilot sequence design method composes correlated pilots for all the users in the network [11, 12, 13]. The user capacity-achieving pilot sequence design determines the user capacity region of the network under PC, where the user capacity-region signifies the range for the SINR requirements that can be satisfied by using the user capacity-achieving pilot sequence design. This design also recommends a downlink power allocation method to minimize the interference between different users in the network. The major advantage of using the user capacity-achieving pilot sequence design is that it can satisfy a diverse range of SINR requirement for all the users in the network as long as the SINR requirements lie inside the user capacity region of the massive MIMO network. In this paper, we demonstrate the vulnerabilities in the user capacity-achieving pilot sequence design. As such, an active attacker with limited knowledge about the network configuration and parameters can successfully reduce the achievable SINR of the users in the network such that they may no longer be satisfied with the user capacity-achieving pilot sequence design. Furthermore, we propose an active attacking strategy for increasing PC in the network. Additionally, we demonstrate the limitations of using correlated pilots and reveal that the use of correlated pilots makes a network prone to active attacks. To this end, we analyze the network performance under the active PC attack.

The major contributions and novelty of this work are summarized as follows:

• We analyze and identify the limitations of using correlated pilots in a multiuser massive MIMO network where the correlated pilots are designed using the user capacity-achieving pilot sequence design [11, 12, 13]. To this end, we first derive analytical expressions to demonstrate the reduction in the user capacity region in a massive MIMO network under PC attack. We then demonstrate that the SINR requirements for all the users in the network can no longer be satisfied with the user capacity-achieving pilot sequence design in a network under PC attack.

• We propose a PC attack strategy on the user capacity-achieving pilot sequence design in the considered multiuser massive MIMO network. We show that the user capacity region achieved by the user capacity-achieving pilot sequence design is significantly reduced by the PC attack. Thus, a diverse range of SINR requirements for users are no longer supported. Importantly, the SINR requirements for some users cannot be guaranteed even with an infinite number of antennas at the BS in the network under PC attack.

• We analyze the structure of pilot sequences designed by the user capacity-achieving pilot sequence design. We demonstrate that the structure of the pilot sequences provides useful information to an active attacker, which can then be exploited for a PC attack.

We present numerical results to demonstrate the impact of PC attack under varying network parameters. Our numerical results demonstrate that PC attack reduces the SINR requirements for some users such that they can no longer be satisfied even with an unlimited number of antennas at the BS. Furthermore, the PC attack reduces the SINR for other users such that additional antennas are required at the BS to fulfill their SINR requirements during the downlink transmission phase.

Notations: Vectors and matrices are denoted by lower-case and upper-case boldface symbols, respectively. denotes the transpose, denotes the Hermitian transpose, denotes the Kronecker product, denotes the mathematical expectation, denotes the norm, denotes the trace operation, and denotes the variance operation.

## II System Model

We consider a multi-cell massive MIMO network consisting of cells with single-antenna active attackers in each cell, denoted by Eves. Each cell consists of an -antenna array BS, denoted by Alice, and legitimate single-antenna users, denoted by Bobs. We assume that the channels between various nodes (i.e., Alice, Bobs, and Eves) encounter both small-scale and large-scale propagation effects. We express the channel between the -th legitimate user in the -th cell, and Alice in the -th cell, , as , where , , and . Here, we denote the small-scale propagation vector between and by , the elements of which are Rayleigh distributed small-scale propagation coefficients with zero mean and unit variance, i.e., . We denote the distance-dependent large-scale propagation coefficient between and by . Similarly, the channel between and the -th Eve in the -th cell, , is expressed as , where and and denote the distance-dependent large-scale propagation coefficient and small-scale propagation vector between and , respectively. Additionally, we assume that the number of Bobs in the network is greater than the length of the pilot sequences, i.e., . As such, both the intra-cell and the inter-cell PC exists in the network [13, 29, 30].

The communication between Bobs and Alice consists of two phases: (i) the uplink channel estimation from Bobs to Alice and (ii) the downlink transmission from Alice to Bobs. In the uplink channel estimation phase, Bobs send their pre-assigned pilot sequences to the same-cell Alice for channel estimation. We assume that the network operates in the time division duplex (TDD) mode, indicating that the uplink and the downlink channels are assumed to be reciprocal. As such, the uplink channels and the downlink channels remain the same during a channel coherence interval. Based on the assumption of channel reciprocity, Alice utilizes the uplink channel estimates in the downlink transmission phase [31].

### II-A Uplink Channel Estimation Under Pilot Contamination Attack

We now examine the impact of PC attack on the uplink channel estimation phase. In this phase, obtains the uplink channel estimates with the aid of the pilot sequences transmitted from Bobs in the same cell. At the beginning of each channel coherence interval, Bobs send their pre-assigned pilot sequences to . We consider that has some knowledge of the pilot sequences used in the network. As such, transmits a pilot sequence during the uplink channel estimation phase such that the correlation between and is non-zero, where is the pilot sequence assigned to . (Footnote 1: We highlight that in the absence of the prior knowledge about pilot sequences, can transmit a random pilot sequence, which is considered as a jamming attack in the massive MIMO network [32, 33].) The uplink pilot transmission vector received at in the presence of Eves is represented as

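$$\bar{\mathbf{y}}_{l} = \sum_{i=1}^{L}\sum_{j=1}^{K} \sqrt{p_{ij}\beta_{ijl}}\,\mathbf{S}_{ij}\mathbf{h}_{ijl} + \sum_{i=1}^{L}\sum_{n=1}^{N} \sqrt{\bar{p}_{in}\bar{\beta}_{inl}}\,\bar{\mathbf{S}}_{in}\bar{\mathbf{h}}_{inl} + \mathbf{z}, \tag{1}$$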

where denotes the pilot transmit power at , denotes the pilot sequence matrix for , is the transmit power at , is the pilot sequence matrix for , and denotes the additive white Gaussian noise (AWGN) at with zero mean and variance of , i.e., each element of follows . We assume that the pilot sequences assigned to different Bobs in the network are correlated. Specifically, the correlation between pilot sequences assigned to and is given by . Afterwards, obtains the least-square (LS) channel estimate of the channel from to by multiplying (1) with the pilot sequence matrix as [11, 13, 4].

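$$\hat{\bar{\mathbf{h}}}_{lkl} = \sqrt{p_{lk}\beta_{lkl}}\,\mathbf{h}_{lkl} + \sum_{i=1}^{L}\sum_{\substack{j=1 \\ (i,j)\neq(l,k)}}^{K} \sqrt{p_{ij}\beta_{ijl}}\,\rho_{ijlk}\,\mathbf{h}_{ijl} + \sum_{i=1}^{L}\sum_{n=1}^{N} \sqrt{\bar{p}_{in}\bar{\beta}_{inl}}\,\rho_{inlk}\,\bar{\mathbf{h}}_{inl} + \mathbf{z}, \tag{2}$$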

where . We note that when , we have . (Footnote 2: We highlight that utilizing uncorrelated pilot sequences during the uplink transmission phase, i.e., , is a specific case of (2), where for and for .) Consequently, the second term on the right-hand side (RHS) of (2) exists due to the use of correlated pilots assigned to different Bobs in the network. We highlight that the third term on the RHS of (2) exists due to Eves’ PC attack, which degrades the quality of channel estimates obtained by . Since indicates no PC attack, the third term on the RHS of (2) disappears when . When , the third term is always positive and PC attack reduces the channel estimation accuracy.

We note from (2) that the increase in PC depends on the strength of the interference caused by , which can be controlled through adjusting , , and . However, increasing the pilot transmit power, i.e., , also increases the chances that the PC attack is detected by . Additionally, we highlight that depends on the distance between and . To increase , needs to move closer to , which may not be possible due to mobility restrictions for , as moving closer to will make more prone to detection. We clarify that by carefully selecting the pilot sequence for the PC attack, can increase without compromising its own privacy. We will discuss the selection of pilot sequences for the PC attack in Section VI.

### II-B Downlink Transmission and SINR Under Pilot Contamination Attack

In this subsection, we determine the downlink achievable SINR at in the downlink transmission phase where sends data symbols to Bobs in the same cell. Based on the assumption of channel reciprocity in the TDD mode, uses the uplink channel estimates obtained via the uplink channel training, i.e., the channel estimates contaminated by Eves given by (2), for the downlink transmission. We denote the symbols intended for by and assume that transmits using the transmit power , where . Assuming that performs maximum-ratio-transmission (MRT) using the channel estimates contaminated by Eves, the precoding vector for under PC attack is given by

$$\bar{\mathbf{t}}_{lk} = \frac{1}{\sqrt{M\bar{\alpha}_{lk}}}\,\hat{\bar{\mathbf{h}}}_{lkl}, \tag{3}$$

where

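$$\bar{\alpha}_{lk} = \sum_{i=1}^{L}\sum_{j=1}^{K} p_{ij}\beta_{ijl}\left|\rho_{ijlk}\right|^{2} + \sum_{i=1}^{L}\sum_{n=1}^{N} \bar{p}_{in}\bar{\beta}_{inl}\left|\rho_{inlk}\right|^{2} + \sigma_{z}^{2}. \tag{4}$$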

We note that the second term on the RHS of (4) is caused by Eves’ PC attack. Thus, Eves modify the precoder for by contaminating the channel estimates such that the downlink achievable SINR for is lower than that without the PC attack.

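$$\hat{\bar{r}}_{lk} = \sum_{i=1}^{L}\sum_{j=1}^{K} \sqrt{\beta_{lki}}\,\mathbf{h}_{lki}^{H}\left(\bar{\mathbf{t}}_{ij}x_{ij}\right) + w, \tag{5}$$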

where is the AWGN at . Assuming that only has statistical information about its channel , we express the downlink signal received at as

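$$\hat{\bar{r}}_{lk} = \sqrt{\beta_{lkl}}\,E\!\left[\mathbf{h}_{lkl}^{H}\bar{\mathbf{t}}_{lk}\right]x_{lk} + \sqrt{\beta_{lkl}}\left(\mathbf{h}_{lkl}^{H}\bar{\mathbf{t}}_{lk} - E\!\left[\mathbf{h}_{lkl}^{H}\bar{\mathbf{t}}_{lk}\right]\right)x_{lk} \tag{6}$$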

Noting that the first term on the RHS of (6) is independent and uncorrelated with the remaining terms, the downlink SINR at is written as

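$$\bar{\theta}_{lk,M} = \frac{\left|E\!\left[\mathbf{h}_{lkl}^{H}\bar{\mathbf{t}}_{lk}\right]\right|^{2}\beta_{lkl}P_{lk}}{\operatorname{var}\!\left[\mathbf{h}_{lkl}^{H}\bar{\mathbf{t}}_{lk}\right]\beta_{lkl}P_{lk} + \zeta_{lki} + \sigma_{w}^{2}}, \tag{7}$$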

where we define . Afterwards, (7) can be written in closed form as [11, 13]

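$$\bar{\theta}_{lk,M} = \frac{\beta_{lkl}P_{lk}}{\bar{\alpha}_{lk}\left(\sum_{(i,j)\neq(l,k)} \left|\rho_{lkij}\right|^{2}\frac{\Xi_{lki}^{2}\beta_{lki}P_{ij}}{\bar{\alpha}_{ij}}\right) + \frac{\bar{\alpha}_{lk}}{M}\left(P_{\mathrm{tot}}\right)}, \tag{8}$$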

where and .

We highlight that (8) is valid for an arbitrary number of antennas at the BS and an arbitrary number of Eves in the network. Notably, (8) is also valid for the network having no Eve, i.e., . For this network, we obtain the downlink achievable SINR at as

 (9)

where

$$\alpha_{lk} = \sum_{i=1}^{L}\sum_{j=1}^{K} p_{ij}\beta_{ijl}\left|\rho_{ijlk}\right|^{2} + \sigma_{z}^{2}. \tag{10}$$

Comparing (4) with (10), we note that utilizing the precoding vector contaminated by Eves results in an increased interference at during the downlink data transmission phase.

###### Remark 1

By comparing (8) with (9), we observe that Eves are able to degrade the SINR at with the PC attack. Importantly, the correlation parameter with Eves, given by (4), is greater than correlation parameter without Eve, given by (10), i.e., . As a result, it is expected that the downlink SINR with Eves is smaller than that without Eves, i.e., .

## III User Capacity in Massive MIMO Networks Under Pilot Contamination Attack

In this section, we examine the impact of the PC attack on the user capacity of the considered massive MIMO network. Here, we define the user capacity as the bound on the number of Bobs that can be simultaneously served via the downlink of the network such that the SINR requirement for all Bobs can be satisfied.

We assume that the SINR requirement for is . Also, we assume that the downlink achievable SINR at needs to be higher than the SINR requirement for successful downlink transmission, i.e., for antennas at . We present the bound on the user capacity of the network in the following proposition.

###### Proposition 1

For a multi-cell multiuser massive MIMO network under PC attack, where the transmit power of is during the uplink transmission phase, the bound on the total number of Bobs, , that can be simultaneously served via the downlink transmission is given by

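$$K_{\mathrm{tot}} \leq \left[\left(\frac{\tau}{LN+1}\right)\sum_{l=1}^{L}\sum_{k=1}^{K}\left(\frac{1+\gamma_{lk}}{\gamma_{lk}}\right)\right]^{\frac{1}{2}}, \tag{11}$$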

where and is the effective bandwidth of .

###### Proof:

The proof is presented in Appendix A.

We note that the bound on the user capacity given in (11) is a generalized expression and valid for any pilot sequence design. However, not every pilot design is capable of achieving the bound in (11) with equality [11, 13]. For most pilot designs, (11) is satisfied without equality, i.e., . As such, different pilot designs are capable of supporting different numbers of Bobs in the network. We highlight that a carefully designed pilot sequence, such as the user capacity-achieving pilot design [11, 13], is capable of achieving the bound on the user capacity with equality, i.e., . As such, the user capacity-achieving pilot design can satisfy a diverse range of SINR requirements for various Bobs in the network.

###### Proposition 2

The bound on the user capacity given by (11) with Eves in each cell of the network holds when the sum of effective bandwidths of all Bobs in the network is less than or equal to the ratio between the length of the pilot sequence and . We express this condition as

$$\sum_{l=1}^{L}\sum_{k=1}^{K}\frac{\gamma_{lk}}{1+\gamma_{lk}} \leq \frac{\tau}{LN+1}. \tag{12}$$

###### Proof:

Utilizing the Cauchy-Schwarz inequality, we obtain

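$$\sum_{l=1}^{L}\sum_{k=1}^{K}\frac{1+\gamma_{lk}}{\gamma_{lk}} \geq \frac{K_{\mathrm{tot}}^{2}}{\sum_{l=1}^{L}\sum_{k=1}^{K}\frac{\gamma_{lk}}{1+\gamma_{lk}}}. \tag{13}$$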

Using (12), we simplify (13) as

$$\sum_{l=1}^{L}\sum_{k=1}^{K}\frac{1+\gamma_{lk}}{\gamma_{lk}} \geq \frac{K_{\mathrm{tot}}^{2}(LN+1)}{\tau}. \tag{14}$$

We next simplify the expression (14) to obtain (11), which completes the proof.

From (11), we note that the bound on the user capacity of the network without Eves is a special case of (11) when . Specifically, the bound on the user capacity region of the massive MIMO network without Eves is obtained as

$$K_{\mathrm{tot}} \leq \left(\tau\sum_{l=1}^{L}\sum_{k=1}^{K}\frac{1+\gamma_{lk}}{\gamma_{lk}}\right)^{\frac{1}{2}}. \tag{15}$$

Furthermore, the user capacity given in (15) is satisfied when the sum of the effective bandwidths of all Bobs in the network is less than or equal to the length of the pilot sequence [11]. This condition is expressed as

$$\sum_{l=1}^{L}\sum_{k=1}^{K}\frac{\gamma_{lk}}{1+\gamma_{lk}} \leq \tau. \tag{16}$$

We note that the bound in (16) specifies the user capacity region of the network without Eves. Notably, the bound on the user capacity in (15) is satisfied as long as the bound on the user capacity region in (16) holds. For a given user capacity and user capacity region, it is possible to design pilot sequences for all Bobs in the network such that the Bobs’ SINR requirements are satisfied with a limited number of antennas at Alice [11, 12, 13]. We refer to this pilot sequence design as the user capacity-achieving pilot sequence design. We further refer to the designed pilot sequences as user capacity-achieving pilot sequences.

###### Remark 2

Comparing (12) and (16), we note that the user capacity region is significantly reduced in the presence of the PC attack. The reduction in the user capacity region depends on the number of Eves, , in the network.

Table I provides a summary of important formulas in Section II and Section III. We highlight that the network without the PC attack is a special case of a network with the PC attack for .
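The conditions (12) and (16) and the bound (11) can be evaluated directly to see how much headroom a set of SINR targets leaves when contaminating transmitters are present. The following is an added example, not code from the paper; the function names and the SINR targets are constructed for illustration, and `max_tolerable_eves` goes slightly beyond the text by solving (12) for N.

```python
"""Capacity-region check for equations (11), (12) and (16) (added example)."""
from fractions import Fraction
from math import floor, sqrt


def effective_bandwidth_sum(gammas):
    """Left-hand side of (12) and (16): sum of gamma/(1+gamma) over all Bobs."""
    if any(g <= 0 for g in gammas):
        raise ValueError("SINR requirements must be positive")
    return sum(Fraction(g) / (1 + Fraction(g)) for g in gammas)


def region_limit(tau, L, N):
    """Right-hand side of (12), tau/(L*N+1); N = 0 reduces it to (16)."""
    return Fraction(tau, L * N + 1)


def inside_region(gammas, tau, L, N):
    """True when the SINR targets satisfy (12) with N Eves per cell."""
    return effective_bandwidth_sum(gammas) <= region_limit(tau, L, N)


def user_capacity_bound(gammas, tau, L, N):
    """Right-hand side of (11): upper bound on the total number of Bobs."""
    s = sum((1 + Fraction(g)) / Fraction(g) for g in gammas)
    return sqrt(region_limit(tau, L, N) * s)


def max_tolerable_eves(gammas, tau, L):
    """Largest N per cell for which (12) still holds.

    Returns -1 when the targets already violate (16), i.e. even with N = 0.
    Derived by rearranging (12): S <= tau/(L*N+1)  <=>  N <= (tau/S - 1)/L.
    """
    s = effective_bandwidth_sum(gammas)
    if s > tau:
        return -1
    return floor((Fraction(tau) / s - 1) / L)


# Constructed scenario: L = 2 cells, K = 3 Bobs per cell, pilot length tau = 4,
# so the number of Bobs (6) exceeds the pilot length as the system model assumes.
TAU, CELLS = 4, 2
DEMANDING = [Fraction(1, 3)] * 6   # effective bandwidth 1/4 each, sum 3/2
MODEST = [Fraction(1, 9)] * 6      # effective bandwidth 1/10 each, sum 3/5

if __name__ == "__main__":
    for name, gammas in (("demanding", DEMANDING), ("modest", MODEST)):
        print(name, "sum of effective bandwidths:", effective_bandwidth_sum(gammas))
        for n in range(4):
            print("  N=%d limit=%s inside=%s bound on K_tot=%.3f" % (
                n, region_limit(TAU, CELLS, n),
                inside_region(gammas, TAU, CELLS, n),
                user_capacity_bound(gammas, TAU, CELLS, n)))
        print("  tolerable Eves per cell:", max_tolerable_eves(gammas, TAU, CELLS))
```

With the demanding targets a single Eve per cell already pushes the bound in (11) below the six Bobs being served, while the modest targets stay inside the region up to two Eves per cell.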

## IV Capacity-Achieving Pilot Sequence Design and Power Allocation

In this section, we present the algorithm for the user capacity-achieving pilot sequence design. The algorithm designs pilot sequences such that the SINR requirements for all Bobs in the network are satisfied. We assume that the pilot sequences are designed by based on the individual SINR requirements for Bobs in the same cell. These pilot sequences are then used by Bobs during the uplink channel estimation phase. We assume that each Bob has a minimum SINR requirement for the downlink transmission, i.e., has the minimum SINR requirement of . The goal of the user capacity-achieving pilot design is to generate correlated pilots such that is greater than or equal to . We next detail the pilot sequence design process.

### IV-A Pilot Sequence Design at Alice

#### IV-A1 Computation of Effective Bandwidths

We assume that knows the SINR requirements for all Bobs in the -th cell. We represent the SINR requirement for all Bobs in the -th cell by a vector , where . Based on the information of , Alice calculates the effective bandwidths for all Bobs as . We note that the SINR requirements must be chosen to achieve the bound on the user capacity region given in (16). We highlight that it is desirable to achieve (16) with equality such that the benefits of a larger user capacity region are fully utilized [11]. As such, Alice modifies as , where and . We highlight that the SINR modification needs to be carefully carried out such that they remain inside the user capacity region.

#### IV-A2 Majorization and T-Transform

In this step, aims to find a vector that majorizes , i.e., . We highlight that is easily obtained from when , where and , where . Given , is obtainable by applying at most T-transform operations [34] on , i.e., , and there exists a matrix , where is a unitary matrix, which is generated from at each step of the T-transform [34, 35, 11].

#### IV-A3 Generation of User Capacity-Achieving Pilot Sequences

In this step, generates pilot sequences for all Bobs in the -th cell based on , and . obtains a matrix from , where contains only the first rows from . Afterwards, obtains the pilot sequence for all Bobs in the -th cell as

 (17)

where and . We note that each column of represents the pilot sequence vector for one Bob in the -th cell. Specifically, . We highlight that the user capacity-achieving pilot sequence design method is based on the principles of generalized Welch bound equality sequences used in code-division multiple access systems [36].

### IV-B Downlink Power Allocation at Alice

During the downlink data transmission phase, carefully chooses the downlink transmission power with the aim to satisfy the SINR requirements for all Bobs in the -th cell. Specifically, allocates the downlink power for as [11, 13]

$$P_{lk} = c\,\frac{\hat{\gamma}_{lk}}{1+\hat{\gamma}_{lk}}, \tag{18}$$

where is a constant power-scaling factor. Moreover, [11] proposed a specific power allocation scheme where the power-scaling factor for is chosen as . When is used for , the user capacity-achieving pilot sequence design satisfies the SINR requirements of all the Bobs in the network, where there is no pilot contamination attack, i.e., [11]. We highlight that when the power allocation scheme is used with the user capacity-achieving pilot sequence design, it is possible to achieve the SINR requirements for all Bobs in the network provided that the SINR requirements lie inside the user capacity region [11, 13].

###### Remark 3

We note that can design a valid pilot sequence set as long as the SINR requirements lie inside the user capacity region. However, when is large, the area under the user capacity region is small. Consequently, even if is aware of the PC attack, it may not be possible for to design pilot sequences to satisfy the SINR requirements for all Bobs in the -th cell when is large.

## V Vulnerabilities in User Capacity-Achieving Pilot Sequence Design

In this section, we identify the potential vulnerabilities in the user capacity-achieving pilot sequence design. Specifically, we highlight that these vulnerabilities make the massive MIMO network prone to PC attack.

### V-A Structure of Pilot Sequence Set

We note that the pilot sequence for at least one Bob in each cell is the same, regardless of the SINR requirements for all Bobs in the network. This limitation stems from the design of the user capacity-achieving pilot method. We highlight that the pilot sequence for at least one Bob in each cell is , where the pilot sequence is a column vector with length . As such, based on the knowledge that the user capacity-achieving pilot design is used in the network, Eves know the pilot sequence for at least one Bob per cell. Consequently, it is logical for Eves to transmit for the PC attack in the network where the pilot sequences are obtained by using the user capacity-achieving pilot sequence design.

### V-B SINR Modification in User Capacity-Achieving Pilot Design

We highlight that the user capacity-achieving pilot sequence design modifies the SINR requirements for all Bobs by choosing . The SINR modification is performed such that the SINR requirements lie on the upper surface boundary of the user capacity region, i.e., . We note that this SINR modification in the user capacity-achieving pilot sequence design makes the network more prone to PC attack. Moreover, it is possible that the SINR requirements may lie outside the user capacity region in the presence of the PC attack. We highlight that the user capacity-achieving pilot sequence design is undefined for the area outside the user capacity region. As such, the pilot sequence design no longer guarantees that the SINR requirements for all the users are satisfied when they lie outside the user capacity region. Furthermore, we observe from (12) that the user capacity region is significantly reduced in the presence of even a single active attacker. Importantly, the SINR requirements may lie outside the user capacity region in a network under the PC attack, which undermines the benefits of the user capacity-achieving pilot sequence design.

### V-C Correlated Pilots

The pilot sequences designed by the user capacity-achieving pilot sequence design are correlated, i.e., . The user capacity-achieving pilot sequence design aims at controlling the cross-correlation between pilot sequences to manage PC. However, due to the use of correlated pilots, the PC attack by using the known pilot sequences identified in Sec. V-A can potentially contaminate the channel estimates for Bobs with the pilot sequences unknown to Eves.

## VI Pilot Contamination Attack Strategy Adopted by Eves

In this section, we outline a simple yet effective PC attack strategy. We assume that Eves have limited knowledge about the network. However, we note that Eves need to know two network parameters for successfully exploiting the user capacity-achieving pilot sequence design, i.e., the length of pilot sequence and the information that user capacity-achieving pilot design is used in the network. We highlight that these parameters are easy to obtain in any network. Throughout this paper, we assume that Eves have knowledge of these network parameters before the uplink channel training phase.

### VI-A Attacking Aims of Eves

As active attackers, Eves aim to disturb the functioning of the network. Specifically, Eves aim to:

1. Exploit the vulnerabilities in the user capacity-achieving pilot sequence design to increase PC in the uplink channel estimates;

2. Degrade the achievable SINR of the user with known pilot sequence, i.e., , such that the SINR target for cannot be satisfied even with an unlimited number of antennas at ;

3. Deteriorate the achievable SINR for users with unknown pilot sequence such that their respective SINR targets are no longer satisfied with the pre-determined number of antennas at the .

We recall from (1) that the has some degree of control over three parameters, i.e., , , and . We next detail each parameter in the following subsections.

### VI-B Transmit Power $\bar{p}_{in}$ at $\text{Eve}_{in}$ During Uplink Training

During the uplink channel estimation phase, transmits the pilot sequence with the transmit power . Furthermore, can transmit with a small non-zero transmit power to avoid being detected. We note that can increase PC in the channel estimates at by increasing . We also note that the increase in increases the probability of detection of by . As such, we make a reasonable assumption that cannot be greater than the highest transmit power amongst all Bobs in the -th cell in the network during the uplink channel estimation phase. We represent this condition as

$$0 < \bar{p}_{in} \leq \max\{p_{lk}\}, \quad \text{where } k \in \{1,\dots,K\}. \tag{19}$$

### VI-C Locations of Eves

We note that the location of is important in the success of the PC attack. We highlight that the large-scale propagation coefficient is a distance-dependent parameter. As such, an Eve can locate itself close to the BS to increase PC. However, the mobility of Eves may not be practical in order to avoid detection by the BS. Additionally, the BS may perform a simple inverse-power control to mitigate the effect of the large-scale propagation coefficient. The inverse-power control is applied such that . As such, there is an additional constraint on the pilot transmit power of , given by

$$\bar{p}_{in}\,\bar{\beta}_{inl} \le 1. \tag{20}$$

This condition ensures that the PC power from received at does not exceed the power received from Bobs during the uplink channel estimation phase.

### VI-D Pilot Sequence Transmitted by Eves

In this subsection, we present the optimal pilot sequence adopted at for the PC attack on . Moreover, we examine the impact of Eves’ PC attack on the uplink channel estimates of Bobs whose pilot sequences are not known to Eves.

###### Proposition 3

For a multi-cell multiuser massive MIMO network under PC attack, the optimal pilot sequences transmitted by to maximize the error variance between the channel estimate for without the PC attack and the channel estimate for with the PC attack are given by and , respectively.

###### Proof:

From (II-A), we obtain the error between the channel estimate for with no PC and the channel estimate for with the PC attack as

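$$\xi_{lk} = \hat{\bar{h}}_{lkl} - \hat{h}_{lkl} = \sum_{i=1}^{L}\sum_{n=1}^{N} \sqrt{\bar{p}_{in}\bar{\beta}_{inl}}\,\rho_{inlk}\,\bar{h}_{inl}, \tag{21}$$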

where is the channel estimate for without the PC attack and is obtained from (II-A) when . We next obtain the variance of from (21) as

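\begin{align}
\operatorname{var}(\xi_{lk}) &= \mathbb{E}\left[\xi_{lk}^{H}\xi_{lk}\right], \notag \\
&= \mathbb{E}\left[\left(\sum_{i=1}^{L}\sum_{n=1}^{N} \sqrt{\bar{p}_{in}\bar{\beta}_{inl}}\,\rho_{inlk}\,\bar{h}_{inl}^{H}\right) \times \left(\sum_{p=1}^{L}\sum_{q=1}^{N} \sqrt{\bar{p}_{pq}\bar{\beta}_{pql}}\,\rho_{pqlk}\,\bar{h}_{pql}\right)\right], \tag{22} \\
&= \sum_{i=1}^{L}\sum_{n=1}^{N} \bar{p}_{in}\bar{\beta}_{inl}\,\rho_{inlk}\,\mathbb{E}\left[\bar{h}_{inl}^{H}\bar{h}_{inl}\right]. \tag{23}
\end{align}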

We next utilize the channel hardening property of massive MIMO, which is given by [11, 13]

$$\lim_{M\to\infty} \frac{1}{M} h_{ijl}^{H} h_{lkl} = \begin{cases} 1, & \forall\, (i,j) = (l,k) \\ 0, & \text{otherwise}, \end{cases} \tag{24}$$

to simplify (3) under the assumption that as

$$\operatorname{var}(\Xi_{lk}) = M \sum_{i=1}^{L}\sum_{n=1}^{N} \bar{p}_{in}\bar{\beta}_{inl}\,|\rho_{inlk}|^{2}. \tag{25}$$

Using (20) and (25), we obtain

$$\operatorname{var}(\Xi_{k}) \le M \sum_{i=1}^{L}\sum_{n=1}^{N} |\rho_{inlk}|^{2}. \tag{26}$$

We recall that , where the value of is between and for the user capacity-achieving pilot sequence design. Also, we note that the maximum value of is , which is achieved when or . From (26), we note that the maximum value of is , when all Eves transmit the known pilot sequence. As such, is maximum when all Eves transmit the same pilot sequence allocated to , which completes the proof.

We highlight that maximizing error variance of the channel estimates also impacts the downlink precoder. Alternatively, it is possible to directly compute the pilot contamination precoder through eigenvalue analysis of the correlation matrix [37]. We next examine the impact of Eves’ PC attack using the known pilot sequences on Bobs with the unknown pilot sequences in the network in the following Lemma.

###### Lemma 1

For a multi-cell multiuser massive MIMO network under PC attack, where a non-orthogonal pilot sequence set is used in the network, transmitting the known pilot sequence by Eves contaminates the channel estimates of Bobs with unknown pilot sequences.

###### Proof:

We note that the channel estimates are contaminated when . Notably, when a non-orthogonal pilot sequence set is used in the network, is achieved for all Bobs in the network. Specifically, pilot designs, e.g., the user capacity-achieving sequence design, have a non-zero cross-correlation for all Bobs. Consequently, we observe from (26) that when Eves transmit the known pilot sequence used by , we have . Furthermore, , where and . As such, transmitting the known pilot sequences by Eves in a network with correlated pilot sequences not only degrades the performance of Bobs with known pilot sequences but also degrades the performance of Bobs with unknown pilot sequences.
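As an added illustration (not code from the paper), the sketch below evaluates the contamination term of (25) for every Bob when the contaminating pilot is the one allocated to Bob 0, comparing an orthogonal pilot set with a correlated one to show the exposure that Lemma 1 describes. The harmonic-frame pilot construction, the definition of ρ as the inner product of two unit-norm pilots, and all function names are assumptions made for the example; it does not implement the user capacity-achieving design algorithm.

```python
import cmath

def harmonic_pilots(tau, count):
    """Constructed stand-in pilot set: `count` unit-norm pilots of length tau,
    taken from the first tau rows of a count-point DFT matrix.
    Orthogonal when count == tau, correlated when count > tau."""
    return [[cmath.exp(2j * cmath.pi * t * k / count) / tau ** 0.5
             for t in range(tau)] for k in range(count)]

def rho(a, b):
    """Cross-correlation a^H b of two pilot sequences (assumed definition)."""
    return sum(x.conjugate() * y for x, y in zip(a, b))

def contamination_variance(pilots, known, M, eve_gains):
    """Right side of (25) per Bob when the pilot at index `known` is the
    contaminating sequence. eve_gains holds one p*beta product per
    contaminating transmitter, each limited by (19) and (20)."""
    if any(not 0 < g <= 1 for g in eve_gains):
        raise ValueError("each gain must satisfy 0 < p*beta <= 1")
    total = sum(eve_gains)
    return [M * total * abs(rho(s, pilots[known])) ** 2 for s in pilots]

def exposed_users(pilots, known, M, eve_gains, tol=1e-9):
    """Indices of Bobs whose channel estimates pick up contamination."""
    var = contamination_variance(pilots, known, M, eve_gains)
    return [k for k, v in enumerate(var) if v > tol]

if __name__ == "__main__":
    M, gains = 100, [1.0, 1.0]          # constructed values
    for name, (tau, K) in {"orthogonal": (4, 4), "correlated": (3, 4)}.items():
        S = harmonic_pilots(tau, K)
        var = contamination_variance(S, 0, M, gains)
        print(name, [round(v, 3) for v in var], exposed_users(S, 0, M, gains))
```

With the orthogonal set only Bob 0 is exposed; with the correlated set every Bob carries a non-zero contamination term, which is why a network designer has to treat one disclosed pilot as affecting the whole cell.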

### VI-E Detection and Mitigation of PC Attack

In this subsection, we discuss the detection and mitigation of PC attack from the perspective of . We highlight that utilizes the known vulnerabilities in the user capacity-achieving pilot design for PC attack. As such, the target user achieves an SINR lower than the target . To detect the PC attack on , can request feedback from on whether occurs in the previous channel coherence interval. Based on the feedback from , multiple unsuccessful transmissions in the downlink for indicate a possible PC attack on . After detecting the attack, can perform a reactive action and redesign the pilot sequences for the -th cell. As such, is assigned a pilot sequence that is different from the one known to . This implies that can mitigate the impact of the PC attack on by redesigning pilot sequences if the attack is detected.

Another possible method for to mitigate the impact of PC attack is to use a proactive approach in pilot sequence design. For example, may anticipate the PC attack and carefully design the pilot sequences for all Bobs in the -th cell. Importantly, may sacrifice the advantages offered by a higher per-cell user capacity region by designing the pilot sequences according to

$$\sum_{l=1}^{L}\sum_{k=1}^{K} \frac{\gamma_{lk}}{1+\gamma_{lk}} \le \tau - \delta_{l} \tag{27}$$

instead of (16), where is the factor indicating the anticipated reduction in the per-cell user capacity region in the -th cell under the PC attack. Thus, the pilot sequences designed by using (27) lie inside the per-cell user capacity region. It follows that the SINR requirements for all the users in the -th cell are satisfied, even in the presence of the PC attack. Furthermore, it is possible to detect and mitigate PC attack by including a random training phase after the uplink training phase [38].
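The two defenses described in this subsection can be sketched as follows; this is an added example, not code from the paper. It checks a set of SINR targets against the margin condition (27), derives the largest common target that still fits, and raises an alarm from per-interval feedback. The window length, the failure threshold, treating γ as linear (not dB) SINR, and all names are assumptions chosen for illustration.

```python
from collections import deque

def pilot_load(gammas):
    """Left side of (27): sum of gamma/(1+gamma) over all Bobs."""
    return sum(g / (1.0 + g) for g in gammas)

def within_margin(gammas, tau, delta):
    """True when the SINR targets satisfy (27) for pilot length tau and
    anticipated capacity reduction delta."""
    return pilot_load(gammas) <= tau - delta

def max_common_target(n_bobs, tau, delta):
    """Largest SINR target all n_bobs can share under (27), obtained by
    solving n*g/(1+g) = tau - delta for g."""
    budget = tau - delta
    if budget <= 0:
        return 0.0
    if budget >= n_bobs:
        return float("inf")
    return budget / (n_bobs - budget)

class FeedbackDetector:
    """Flags a possible PC attack on one Bob when his feedback reports an
    SINR below target in `threshold` of the last `window` coherence
    intervals (both values are assumptions, not from the paper)."""
    def __init__(self, window=5, threshold=3):
        self.history = deque(maxlen=window)
        self.threshold = threshold

    def report(self, sinr, target):
        self.history.append(sinr < target)
        return sum(self.history) >= self.threshold

def first_alarm(feedback, target, window=5, threshold=3):
    """Index of the coherence interval at which the alarm first fires,
    or None if it never does."""
    det = FeedbackDetector(window, threshold)
    for i, sinr in enumerate(feedback):
        if det.report(sinr, target):
            return i
    return None

if __name__ == "__main__":
    feedback = [1.2, 1.1, 0.4, 0.5, 1.3, 0.3, 0.2]   # constructed SINR reports
    print("alarm at interval", first_alarm(feedback, target=1.0))
    print("common target, no margin:", max_common_target(8, 4, 0))
    print("common target, delta=1:  ", max_common_target(8, 4, 1))
```

An alarm is the trigger for the reactive pilot redesign, while `within_margin` is the check a proactive design would apply before pilots are assigned.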

## VII Numerical Results

In this section, we numerically analyze the performance of the massive MIMO network under the PC attack. We first evaluate the impact of Eves on the user capacity region. Then, we examine the impact of Eves on the achievable SINR when is equipped with a large but limited number of antennas. A summary of important simulation parameters is given in Table II. Throughout this section, the simulation parameters remain the same unless we specifically state otherwise.

### VII-A Impact of PC Attack on User Capacity Region

In this subsection, we examine the performance of the network with a sufficiently large number of antennas at . The results in this subsection are obtained from (12), which represents the bound on the user capacity of the massive MIMO network with Eves.

We first demonstrate the reduction in the user capacity region when the network is under the PC attack. The SINR requirements for all Bobs in the massive MIMO network are given by the vector . Furthermore, we assume and . Fig. 2 shows the upper surface boundary of the per-cell user capacity region for different values of . Here, indicates no Eves in the network. For the purpose of visualization, we set . We note that the per-cell user capacity region is significantly reduced in the presence of Eves. For example, when and , there is a and reduction in the area under the user capacity region, respectively, as compared to . The reduction in the user capacity region signifies that the network is no longer capable of satisfying a diverse range of SINR requirements when the user capacity-achieving pilot sequence design is used in the network. Importantly, when , the SINR requirements may lie outside the per-cell user capacity region with . Since the pilot sequences are designed under the assumption of , the user capacity-achieving pilot sequence design can no longer guarantee to satisfy the SINR requirements for all Bobs in the network.

We next evaluate the impact of increasing the number of Bobs and Eves on the maximum achievable SINR of the massive MIMO network. In this simulation, we assume that all Bobs have the same SINR requirements, i.e., , where is the maximum achievable SINR. Fig. 3 depicts the maximum achievable SINR versus the number of Eves for different values of . We note that increasing decreases the maximum achievable SINR in the network, which signifies the impact of Eves on the network. For example, when and increases from to , the maximum achievable SINR reduces from to , which amounts to reduction. We also note that increasing decreases the maximum achievable SINR in the network. For example, when and increases from to , the maximum achievable SINR reduces from to , which is equivalent to reduction in the maximum achievable SINR. Furthermore, the user capacity-achieving pilot sequence design is capable of designing pilot sequences to satisfy the SINR requirement of all Bobs in a cell or equivalently all Bobs in the network as long as the SINR requirements remain inside the per-cell user capacity region. As such, increasing adversely affects the network performance compared to increasing .

We next examine the impact of increasing the maximum achievable SINR requirements in the presence of Eves in the network. The SINR requirements in the network are given by