Physical Layer Authentication in Mission-Critical MTC Networks: A Security and Delay Performance Analysis

06/27/2018 ∙ by Henrik Forssell, et al. ∙ KTH Royal Institute of Technology

We study the detection and delay performance impacts of a feature-based physical layer authentication (PLA) protocol in mission-critical machine-type communication (MTC) networks. The PLA protocol uses generalized likelihood-ratio testing based on the line-of-sight (LOS), single-input multiple-output channel-state information in order to mitigate impersonation attempts from an adversary node. We study the detection performance, develop a queueing model that captures the delay impacts of erroneous decisions in the PLA (i.e., the false alarms and missed detections), and model three different adversary strategies: data injection, disassociation, and Sybil attacks. Our main contribution is the derivation of analytical delay performance bounds that allow us to quantify the delay introduced by PLA that potentially can degrade the performance in mission-critical MTC networks. For the delay analysis, we utilize tools from stochastic network calculus. Our results show that with a sufficient number of receive antennas (approx. 4-8) and sufficiently strong LOS components from legitimate devices, PLA is a viable option for securing mission-critical MTC systems, despite the low latency requirements associated with the corresponding use cases. Furthermore, we find that PLA can be very effective in detecting the considered attacks, and in particular, it can significantly reduce the delay impacts of disassociation and Sybil attacks.


I Introduction

As mission-critical machine-type communication (MTC) emerges as a new approach to interconnect cyber-physical infrastructures, new requirements on security features also arise. Mission-critical machine-type communication targets low latencies and high transmission reliabilities in order to realize new use cases, for instance in industrial automation. Thus, while in human-oriented communication data confidentiality followed by integrity form the utmost priorities (while service availability and security overhead typically have less relevance), the priorities change in the mission-critical setting. In detail, the order of concern is reversed [1]: Service availability has the highest priority since automation applications are typically supposed to run uninterrupted over long time spans. Message integrity has the second-highest priority, as in a closed control loop it is of vital importance that sensor and actuation information is not altered during transmission, while it also must be assured that the received data indeed stems from the claimed source. Finally, confidentiality is of least importance, as in automation applications the reading of sensor and actuation information poses only little threat to the controlled plant. Paired with the general requirement for low transmission latencies, these inverted security priorities are challenging, as traditionally integrity is assured through cryptographic schemes on the higher layers, which come with significant computational complexity.

Physical layer authentication (PLA) has been proposed as a lightweight alternative to cryptographic security for authentication in reliable MTC communications [2]. In general, PLA schemes perform hypothesis testing based on dedicated features of the communication pair like, e.g., the location-specific channel frequency response [3] or a device-specific local oscillator offset [4] to determine if transmissions originate from legitimate sources. The advantage of this method is that messages can be authenticated quickly at the physical layer, without relying on cryptographic methods at higher layers and with slim-to-none security overhead. However, such schemes also come with drawbacks. First of all, due to the hypothesis testing, PLA inevitably results in false alarms from time to time (i.e., some legitimate messages will be erroneously rejected), which can necessitate a retransmission. Furthermore, missed detections (i.e., accepting messages from an adversary) can occur if communication is subject to an impersonation attack. Thus, despite the complexity advantages, PLA also comes with costs which potentially can be significant in the context of mission-critical MTC. This raises the question of how these costs (i.e., false positives and missed detections) impact, in particular, the delay performance of a mission-critical MTC system.

Related work so far has largely not addressed this question. PLA for mission-critical MTC is proposed for instance in [5, 2] but without considering the impact on the delay. In [6], the reduction in delay from removing authentication-induced processing delays in cell-handovers by using PLA is simulated. However, this paper does not focus on MTC and additionally does not take false alarms of PLA into account. Ozmen et al. consider the delay-sensitive performance of a communication system under information-theoretic secrecy [7, 8]. Delay in these works is characterized through the concept of effective capacity, which essentially allows the approximation of queuing-related performance metrics like the backlog or latency. Furthermore, in [9], the delay performance of a Rayleigh fading wiretap channel is studied using stochastic network calculus for queueing analysis. All papers [7, 8, 9] apply queueing analysis tools to study the delay impacts of different physical layer security techniques; however, none of them consider PLA.

In this work, we address the issue of delay analysis, and thus the cost, of PLA for mission-critical MTC. We consider a centralized MTC network running a mission-critical application in which devices need to deliver data to the access point reliably and with low latency. In the considered network, we introduce a standard generalized-likelihood-ratio test PLA scheme, which we extend to take multiple-message authentication into account. We model several strategies that the adversary can use, namely data injection, disassociation, and Sybil attacks, and analyze the detection performance for each scenario. To derive the delay performance impacts, we develop link-level queueing models that take the PLA errors and actions of the adversary into account. For queuing analysis, we employ tools from stochastic network calculus [10, 11]. This work significantly extends the scope of our previous study [12] of delay impacts of PLA that only considered a single antenna system without an active attacker.

The contributions of our paper are the following: We derive delay performance bounds for MTC links where PLA is used for combating various attack strategies. We develop models for how data injection, disassociation, and Sybil attacks are launched against an MTC network and their impact on the queueing delay performance. With respect to stochastic network calculus, we provide an approximation to a previously unsolved mathematical problem: an upper bound on the delay violation probability over a Rice fading single-input multiple-output channel. From our results, we conclude that PLA, under relatively strong line-of-sight conditions and with a sufficient number of receive antennas, can indeed provide high security in a mission-critical application. We also show that PLA effectively reduces the impact of disassociation and Sybil attacks at the cost of an approximately constant increase in delay violation probability. Thus, our results show that despite some costs, PLA promises to be an effective scheme in ensuring message integrity even in mission-critical MTC systems.

The rest of the paper is organized as follows: Section II introduces the system assumptions and our problem formulation. In Section III, we describe the attacker models and their impact on the queueing model. Section IV is devoted to deriving the delay performance bounds using tools from stochastic network calculus. In Section V, we present our numerical results, and Section VI concludes the paper.

Notation: Matrices are represented by bold capital symbols , and and denote the matrix transpose and conjugate transpose, respectively. We let denote the trace of a matrix. Bold symbols

represent vectors with entries

and denotes the identity matrix. We let be the Euclidean norm. For an event , we let and

denote the probability and indicator function, respectively. For a random variable

, denotes its expected value and and

its probability density and cumulative distribution function, respectively. We let

represent the multivariate complex Gaussian distribution with mean

and covariance matrix , the corresponding real-valued Gaussian distribution, a central distribution with degrees of freedom, and a non-central distribution with degrees of freedom and non-centrality parameter .

II Preliminaries


Fig. 1: Single-antenna MTC devices (e.g., wireless sensors in a critical monitoring application) communicating in uplink to a multiple-antenna access point. The access point is equipped with a feature-based PLA protocol.

In this section, we present a centralized MTC network model consisting of wireless devices communicating uplink data to an access point, as depicted in Fig. 1. The network is assumed to run a mission-critical application in which the MTC devices buffer data (e.g., sensor measurements) that need to be delivered reliably to the access point with minimal delay, as for example in motion control or generally in factory automation. Furthermore, as depicted in Fig. 1, we assume that there is an adversary present in the vicinity of the network, attempting to disturb the system using stealthy wireless impersonation attacks that are compliant with the typical behavior of legitimate devices within the network (e.g., sending payloads, data or disconnection requests). For protection against such attacks, the access point is using a feature-based physical layer authentication (PLA) protocol that compares the channel-state information associated with each transmission to a pre-stored feature bank. The access point is assumed to be equipped with antennas, both in order to improve the PLA detection performance and to improve capacity, while the MTC devices (e.g., small sensors) are assumed to have single antennas. The stationary feature bank consists of the statistics of the phased-array antenna responses from each device to the multiple-antenna access point, and we assume that the devices are deployed such that a line-of-sight (LOS) path to the access point is available.

II-A Medium Access and Physical Layer

We assume that the MTC devices access the wireless medium in a frame-based structure, each beginning with a beacon transmitted by the access point for synchronization, followed by a management (MGMT) period where devices can make various requests [Footnote 1: The MGMT phase is based on contention access; however, we assume that collisions are handled appropriately such that we can neglect their impact.]. A device can request connecting to the access point (CN), disconnecting (DCN), or resources for transmission of data payload (DTA). The allocation of resources is then communicated to the devices in a broadcast period (BP), followed by the data transmission period (DTP) where devices transmit buffered data. This medium-access model is similar to existing standards such as LTE [13] and beacon-enabled IEEE 802.14e [14]. We let denote the set of request messages received in the MGMT period in frame , each associated with a request and a device identifier (e.g., an identification code such as a MAC address). We denote by the set of devices that are granted DTP resources in frame and we assume that the access point expects at most one request from each device.

We assume the DTP has a fixed length of complex symbols that are divided by TDMA to the devices in . A fair division of resources is assumed, where the number of symbols each device gets allocated in frame is denoted by [Footnote 2: Note that in general is a random variable depending on the number of users allocated in the frame, and that can get very small if many devices request resources at the same time.]

(1)

where denotes the largest integer smaller than . We denote the complex symbols received at the access point in frame by and let denote the th column of (i.e., the observation of the th symbol received from device in frame ). The single-input multiple-output (SIMO) channel is modeled according to

(2)

for , where represent the channel vector between device and the access point in frame , are the transmitted data symbols, and is the additive noise represented by a circular symmetric complex Gaussian random vector. We assume that where represent the average power received per antenna from device . We model the channel as a narrowband SIMO Rice fading channel, i.e., with representing the LOS component and covariance matrix representing the fading. The covariance matrix is given by , where is an matrix, is a correlation coefficient, and is a common Rice factor experienced by all antennas and all devices in the network. Furthermore, we assume that the frame period is shorter than the coherence time of the channel so that the channel realizations can be assumed to be constant within a frame, independent from frame to frame, and independent among the MTC devices.

For device , positioned at distance and with angle of arrival (AoA) relative to the receiver antenna array, the channel mean (i.e., the LOS component) is modeled as a phased-array antenna , where is the carrier wavelength, is the directional cosine, , and is the unit spatial signature given by

(3)

in terms of the complex number , where is the antenna spacing (normalized by the wavelength) [15]. From normalization of we get , and we assume the received power follows as where is a path-loss exponent, is the transmit power, and is the distance. Additionally, in the following we normalize the noise power spectral density such that also represents the average received signal-to-noise ratio (SNR) on the th link.

Remark 1.

The assumption of a narrow-band slow-fading LOS channel may appear too restrictive at first glance. However, it is relevant in scenarios with low or no device mobility and where the MTC deployment has been carefully planned, for instance, to use LOS beamforming for physical layer security [16]. Furthermore, these conditions allow us to upper bound the delay performance; if delay requirements are violated in this model, PLA will not be applicable for other models either.

II-B Feature-Based Physical Layer Authentication

With an adversary present, the validity of the message IDs is uncertain and the access point needs to determine their legitimacy. For PLA based on the observed channel states, the access point is assumed to have access to a feature bank consisting of the channel distributions that are associated with each legitimate channel and are used for hypothesis testing. In a real system, the access point can obtain the feature bank through learning based on legitimate transmissions (cf. [17]). In this work, however, we assume that the distributions in the feature bank are perfectly known and the process by which they are obtained is omitted. For a received set of messages , we denote by the observed SIMO channel state associated with each message

. In general, this channel state is an estimate with limited precision. However, to simplify the analysis we assume perfect channel-state knowledge in the following. Furthermore, we assume that PLA is applied to

, i.e., MGMT requests and DTP data payloads are authenticated separately.

We consider now the case when messages share the same ID (e.g., due to multiple impersonated messages injected by an adversary). The PLA procedure divides the set into subsets of messages with the same ID, each authenticated independently. To test the legitimacy of the messages in the set , the access point constructs a -ary hypothesis test. We here denote by for , the disjoint hypotheses that message is authentic, i.e., that we believe , and by the hypothesis that no message in is authentic. The decision of results in accepting and rejecting the rest, while the decision of results in rejecting all messages in , since the authentication is predicated on the access point expecting only one message per legitimate device. The access point decides between the messages through

(4)

where is a discriminant function associated with the channel feature of the device with ID , given by . The minimization of the right-hand side of (4) is to be viewed as choosing the maximum-likelihood (ML) decision (the discriminant function is also the log-likelihood of the observation given the legitimate distribution) while the threshold decision in the left-hand side determines if the ML decision is authentic.

Single message authentication ()

The message hypothesis test in (4) is an extension of the standard generalized-likelihood-ratio test (GLRT), used for PLA when deciding upon a multi-dimensional complex Gaussian feature such as a multi-carrier frequency response [18] or a channel impulse response [19]. Note that when (4) is reduced to (i.e., only a single message with is received), the hypothesis test becomes , where represents that the message is legitimate and represents that the message stems from an adversary.

II-C Adversarial Strategies

In this paper, we assume that a single attacker is present in the system, referred to as Eve, having a single antenna, located at distance and with AoA relative to the access point. We model Eve’s channel similarly to the legitimate channels with Rice factor and denote Eve’s channel realization in frame by , where with the normalized spatial signature given in (3). With this representation, we can model both the case when Eve is an external device or when the attack is launched from a compromised device within the network by letting and for some legitimate device . The power received from Eve’s transmissions is assumed to be .

Given Eve’s ability to send messages with fraudulent IDs, we differentiate four cases of adversary behavior:

Baseline

Eve is present, but inactive, and the performance of the system is only affected by false alarms. The baseline scenario models the impact of introducing the PLA protocol in the system when no attacks are attempted.

Data Injection Attack

Eve is sending DTA requests impersonating a legitimate MTC device. Once successful, Eve gets DTP resources and transmits false data with the aim of harming the underlying application (e.g., drive a control system into a dangerous state by introducing fake sensor or actuation signals). In our work, we do not model the impact of the data injection attack on the application; however, metrics like missed detection rate (see Section II-D and III-B) measure Eve’s success rate under such attacks, and the number of resources each device gets scheduled will be affected.

Sybil Attack

Eve transmits multiple DTA requests with fraudulent IDs, referred to as Sybil IDs/devices, with the goal of depleting resources available to the other legitimate devices [20]. In a Sybil attack, we assume that Eve targets a set of inactive devices that are not transmitting in the frame and sends DTA requests with the corresponding IDs. Note that it does not make sense for Eve to target active devices in this attack since they will already transmit DTA requests. With each successful Sybil ID, in (1) is reduced which degrades the performance of the other links in the network.

Disassociation Attack

Eve targets a particular device and sends fraudulent requests to disassociate from the access point (DCN) with the corresponding device’s ID. If successful, Eve disconnects the legitimate device which needs to reconnect, a process we model as being disconnected for frames (e.g., due to management processes such as generating session keys).

The impersonation attacks that we consider can be launched by external entities (e.g., an attacker positioned in close proximity to the system, using a stolen MTC device or a software defined radio unit) or internal devices whose behavior has been hijacked by malicious code. Our attacker model allows us to model both cases by modifying the assumptions on Eve’s channel. We note, however, that Sybil attacks are generally assumed to originate from internal devices that are compromised [20].

II-D False Alarm and Missed Detection Rates

Here, we summarize the error events and corresponding probabilities for the single message authentication, which are standard results (cf. [18] for proofs). In the message case, two error events can occur: (i) a false alarm when a legitimate message is rejected; and (ii) a missed detection when an illegitimate message is accepted. Under the legitimate hypothesis , we have and the false alarm rate is

(5)

where is the cumulative distribution function (CDF) of a distribution with degrees of freedom. Observe that for a given choice of threshold , the false alarm rate is equal across all device IDs , independently of our assumptions on Eve. In practice, the PLA could be designed with different thresholds for different devices. However, in order to simplify the analysis we assume a constant threshold . Under (i.e., Eve is sending the message with ), given that Eve’s channel covariance-matrix is of the form , we have , where and is the non-centrality parameter. Hence, the missed detection rate is

(6)

where is the CDF of a non-central distribution with degrees of freedom and non-centrality parameter . From this we can note that the missed detection rate varies with the device that Eve tries to impersonate. Error analysis for PLA with has to our knowledge not been studied before. In Section III-B, we provide bounds on the missed detection rate for and show that this case will suffice for the delay performance analysis under the considered attack strategies.
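The two error rates of the single-message test, worked through as an added example (this code is not from the paper). It assumes an uncorrelated Rice channel with covariance P/(K+1)·I that Eve shares, a uniform-linear-array LOS mean with half-wavelength spacing and no distance-dependent phase, equal received power for Eve and the device, and the discriminant d(z) = 2(z − μ)ᴴ Σ⁻¹ (z − μ); all function and parameter names are hypothetical.

```python
import cmath
import math
import random

def chi2_cdf_even(x, dof):
    """CDF of a central chi-square with an even number of degrees of freedom."""
    if x <= 0:
        return 0.0
    half, term, total = x / 2.0, 1.0, 1.0
    for k in range(1, dof // 2):
        term *= half / k
        total += term
    return 1.0 - math.exp(-half) * total

def ncx2_cdf_even(x, dof, lam, terms=400):
    """Non-central chi-square CDF as a Poisson(lam/2) mixture of central CDFs."""
    weight, total = math.exp(-lam / 2.0), 0.0
    for j in range(terms):
        total += weight * chi2_cdf_even(x, dof + 2 * j)
        weight *= (lam / 2.0) / (j + 1)
    return total

def threshold_for_false_alarm(p_fa, n_ant):
    """Bisect for the threshold T that gives false alarm rate p_fa with 2N dof."""
    lo, hi = 0.0, 1.0
    while 1.0 - chi2_cdf_even(hi, 2 * n_ant) > p_fa:
        hi *= 2.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if 1.0 - chi2_cdf_even(mid, 2 * n_ant) > p_fa:
            lo = mid
        else:
            hi = mid
    return hi

def los_mean(n_ant, aoa_deg, rice_k, power=1.0, spacing=0.5):
    """Assumed LOS mean: Rice-scaled steering vector of a uniform linear array."""
    omega = math.cos(math.radians(aoa_deg))  # directional cosine
    amp = math.sqrt(power * rice_k / (rice_k + 1.0))
    return [amp * cmath.exp(-2j * math.pi * spacing * n * omega)
            for n in range(n_ant)]

def discriminant(z, mu, sigma2):
    """d(z) = 2 (z - mu)^H Sigma^{-1} (z - mu) for Sigma = sigma2 * I."""
    return 2.0 * sum(abs(a - b) ** 2 for a, b in zip(z, mu)) / sigma2

def error_rates(n_ant, aoa_dev, aoa_eve, rice_k, p_fa, power=1.0):
    """Return (threshold, false alarm rate, missed detection rate)."""
    sigma2 = power / (rice_k + 1.0)
    mu = los_mean(n_ant, aoa_dev, rice_k, power)
    mu_eve = los_mean(n_ant, aoa_eve, rice_k, power)
    lam = discriminant(mu_eve, mu, sigma2)  # non-centrality under Eve
    t = threshold_for_false_alarm(p_fa, n_ant)
    return (t, 1.0 - chi2_cdf_even(t, 2 * n_ant),
            ncx2_cdf_even(t, 2 * n_ant, lam))

def simulate(n_ant, aoa_dev, aoa_eve, rice_k, threshold,
             trials=20000, seed=1, power=1.0):
    """Monte Carlo estimate of (false alarm rate, missed detection rate)."""
    rng = random.Random(seed)
    sigma2 = power / (rice_k + 1.0)
    std = math.sqrt(sigma2 / 2.0)  # per real/imaginary component
    mu = los_mean(n_ant, aoa_dev, rice_k, power)
    mu_eve = los_mean(n_ant, aoa_eve, rice_k, power)

    def draw(mean):
        return [m + complex(rng.gauss(0, std), rng.gauss(0, std)) for m in mean]

    fa = sum(discriminant(draw(mu), mu, sigma2) > threshold
             for _ in range(trials))
    md = sum(discriminant(draw(mu_eve), mu, sigma2) <= threshold
             for _ in range(trials))
    return fa / trials, md / trials

if __name__ == "__main__":
    # Constructed scenario: device at 60 degrees, Eve at 90 degrees, K = 5.
    for n in (1, 2, 4, 8):
        t, p_fa, p_md = error_rates(n, 60.0, 90.0, 5.0, 0.01)
        print(f"N={n}: T={t:.2f}  p_FA={p_fa:.4f}  p_MD={p_md:.3e}")
```

With the threshold fixed by the target false alarm rate, the sweep shows how the missed detection rate falls as receive antennas are added, which is the trade-off the later delay analysis builds on.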

II-E Delay Performance Metric

As mentioned in Section I, the use of PLA for improved security might have unintended consequences on the system’s ability to meet delay requirements. To study such delay performance issues, we introduce infinite-buffer queues that model the flow of data from each MTC device to the access point. The queueing model is described by the bivariate stochastic processes

representing the cumulative arrivals to and departures from the queue in the time interval for all . In frame , represents the instantaneous arrivals to the th MTC device buffer measured in bits (e.g., incoming sensor measurements), and represent the instantaneous departures from the th queue (i.e., information successfully transmitted to the access point). The ability to transfer data from the buffer queue to the destination at the access point is characterized by the cumulative service process . Considering that a device is assigned resources, we assume that the transmitter chooses a coding rate , and transmits encoded information bits over the SIMO channel. Furthermore, we introduce the Bernoulli random variable , indicating if resources are scheduled to device . This results in the general service model

(7)

We use the Shannon capacity as a proxy for the amount of bits per channel use that can be transmitted over the channel. Assuming the access point has perfect channel state information and uses maximum-ratio combining for the channel model (2), the instantaneous SNR is given by .

A widely used measure on the queueing system’s ability to meet delay requirements is the delay violation probability [21]. The queueing delay at time point is defined as

(8)

representing the frames required to serve the bits in the queue at time . This delay is randomly varying due to the random service process and the delay violation probability is defined as , i.e., the probability that a bit is not received within a defined deadline . In many cases, an exact expression for the delay violation probability is complicated to derive. However, queueing analysis can give statistical bounds on this function. In particular, the stochastic network calculus framework, introduced in Section IV, contains tools that are appropriate for deriving an upper bound on given the underlying service process in (7). Such delay bounds are particularly suitable for performance evaluation in mission-critical networks since they provide upper limits on the delay violation probability, i.e., a real system operating under the assumed conditions will certainly achieve a better delay performance.

II-F Problem Formulation

Based on the system preliminaries outlined above, we are interested in jointly studying the security and delay performance impacts of PLA in the baseline scenario when Eve is inactive, as well as under the considered adversarial strategies presented in Section II-C. To be able to do this, we must first characterize how the PLA error events and the different attack strategies affect the link layer performance of the system, which we capture through queuing analysis. That is, we seek the distributions of and given the behavior of Eve. This problem is addressed in Section III. Next, we must analyze how the PLA impacts the delay performance in the resulting queueing system. We tackle this by deriving upper bounds on the delay violation probability , subject to a given PLA threshold , corresponding and , and the adversary strategy. Derivations of the bounds are provided in Section IV. Based on this analysis, we seek to answer if, and under which circumstances, PLA is a viable option for authentication in mission-critical communications. More specifically, we want to answer what the baseline delay impacts of introducing PLA are, how detection and delay performance scale with the number of receive antennas and the strength of the LOS component , and what impacts the considered adversarial strategies have on the system. These among other questions are finally studied through our numerical results in Section V.

III Attack Modeling and Queueing Impacts

In this section, we analyze how erroneous PLA decisions impact the system and queueing service models that we have introduced in Section II under each of the adversarial strategies.

III-A Baseline Scenario

In the baseline scenario, the adversary is inactive and the queueing model is affected only by dropped messages due to false alarms. We assume that a set of devices are active and that each has a constant arrival rate , which means that each of the active devices will request DTA resources in each frame. Considering one of the active devices , it will request resources with a DTA request in the MGMT period. Since the adversary is inactive, the access point will receive only one request with the ID of device and the message will be authenticated based on the single message authentication (see Section II-B). The observed channel state will in this case be the authentic channel and the false alarm rate is given by in (5). Since we assume perfect channel-state information and a frame period shorter than the coherence time of the channel, the observed channel state will remain constant during the frame. Hence, if the DTA request is accepted, so will the following data payload message in the DTP [Footnote 3: This is a consequence of our previous assumptions. However, if the coherence time is shorter, or estimation errors are present, modeling this as two independent authentication decisions would be straightforward.]. Since the requests independently get rejected by PLA with

, the number of scheduled devices follows a binomial distribution

(9)

and the distribution of follows as . The threshold is ideally set such that is low, giving a possible approximation . For a particular device , the distribution of is given by

(10)

That is, in case of a false-alarm in frame , the data buffer observes zero service.

III-B Detection of Data Injection Attacks

In a data injection attack, Eve transmits a DTA request in the MGMT period with the aim of getting DTP resources for transmitting a false data message. Either Eve impersonates an inactive device that is not requesting resources in the current frame, in which case the DTA request undergoes single-message authentication and is undetected with probability , or Eve impersonates an active device, in which case the message is authenticated by message authentication. In the latter case, denoting by and the messages from device and Eve, respectively, a missed detection occurs in the union of events and . In this case, the probability of missed detection, denoted by , can be written as

(11)

We now use the notation and to discuss the probability (11). The second line of (11) is simply . However, for the second term an exact expression can only be obtained in integral form. Instead, by noting that , we can provide upper and lower bounds

(12)

Additionally, we can observe that and provide an upper bound in the following lemma:

Lemma 1.

The probability can be upper bounded by

(13)

where , and .

Proof.

We rewrite and use the Chernoff bound to get that for every

(14)

where we have applied the Markov inequality and used the independence of and . Now since and (see Section II-D), we get and for

from the standard moment generating functions for the corresponding distributions. Plugging these expressions into (14) and minimizing over yields (13) which completes the proof.

The upper bound that is tightest out of (12) and (13) depends on the authentication threshold (clearly as and as while is independent of ). Hence, we tighten our bound on the missed detection probability when Eve is launching a data injection attack against active device by

(15)

This bound will additionally later prove useful when analyzing the disassociation attack in Section III-D.

Remark 2.

In a data injection attack, the delay performance of legitimate devices will be affected since accepted DTA requests from Eve will reduce the amount of resources scheduled to other devices. However, this impact is principally the same as under the Sybil attack discussed in Section III-C. Therefore, we only use the data injection scenario to study the detection performance of PLA, leaving questions regarding queueing performance to be answered by the study of Sybil attacks.

III-C Queueing Impacts of Sybil Attacks

Recall that in a Sybil attack, Eve targets a set of inactive devices and sends DTA requests with the corresponding IDs. Consequently, the access point receives messages from in the MGMT period and needs to differentiate which ones are legitimate. If Eve successfully gets many DTA requests through, given by (1) decreases and legitimate devices get fewer resources, which can result in growing queue backlogs. Under a Sybil attack, we assume that active legitimate devices experience service dropouts modeled in the same way as in the baseline case (10); however, the distribution of is different due to Sybil IDs launched by Eve.

Assuming all IDs in are distinct (Eve is assumed to target only inactive devices in the Sybil attack), the number of devices that get resources in the data transmission period is

(16)

We decompose where is characterized by the baseline distribution of (9) (i.e., requests rejected by false alarms) and

(17)

represents the number of Sybil IDs successfully launched by Eve. For a moderate number of Sybil IDs (), the distribution of can be combinatorially approximated as

(18)

where denotes the set of all size subsets of . This approximation stems from an assumption that the events can be approximated as independent, in which case is Poisson-binomial distributed. Now the distribution of under a Sybil attack can be written as the convolution

(19)

from which the distribution of follows as .
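The following Python sketch is an added example, not code from the paper. It computes the Poisson-binomial distribution of accepted Sybil IDs under the independence approximation described above, checks it against the explicit sum over size-k subsets, and convolves it with a baseline distribution. The binomial baseline (independent false alarms with a common rate) and all numeric inputs are assumptions constructed for illustration.

```python
from itertools import combinations
from math import comb, prod

def poisson_binomial_pmf(probs):
    """PMF of the number of successes among independent Bernoulli(p_i) trials."""
    pmf = [1.0]
    for p in probs:                      # add one Sybil ID at a time
        nxt = [0.0] * (len(pmf) + 1)
        for k, mass in enumerate(pmf):
            nxt[k] += mass * (1.0 - p)   # this ID is rejected
            nxt[k + 1] += mass * p       # this ID is accepted (missed detection)
        pmf = nxt
    return pmf

def subset_sum_prob(probs, k):
    """P(exactly k accepted) written as the explicit sum over all size-k subsets."""
    idx = range(len(probs))
    total = 0.0
    for accepted in combinations(idx, k):
        chosen = set(accepted)
        total += prod(probs[i] if i in chosen else 1.0 - probs[i] for i in idx)
    return total

def convolve(a, b):
    """PMF of the sum of two independent non-negative integer variables."""
    out = [0.0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def accepted_requests_pmf(n_legit, p_fa, sybil_accept_probs):
    """PMF of accepted DTA requests: surviving legitimate ones plus accepted Sybil IDs."""
    # Assumption: each legitimate request is rejected independently with rate p_fa.
    legit = [comb(n_legit, k) * (1 - p_fa) ** k * p_fa ** (n_legit - k)
             for k in range(n_legit + 1)]
    return convolve(legit, poisson_binomial_pmf(sybil_accept_probs))

def mean(pmf):
    return sum(k * v for k, v in enumerate(pmf))

# Constructed inputs: 4 active devices, 1% false alarms, 5 Sybil IDs whose
# per-ID acceptance (missed detection) probabilities differ.
SYBIL_P = [0.02, 0.05, 0.10, 0.30, 0.60]
PMF = accepted_requests_pmf(4, 0.01, SYBIL_P)

if __name__ == "__main__":
    for k, v in enumerate(PMF):
        print(f"P(accepted = {k}) = {v:.4f}")
    print(f"mean accepted requests = {mean(PMF):.3f}")
```

The dynamic-programming form costs O(n²) operations, while the subset sum grows combinatorially with the number of Sybil IDs, so the latter is only practical for the moderate numbers of IDs the approximation targets.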

The impact of the Sybil attack depends on the system’s available resources : If by design allows all devices to communicate simultaneously, the Sybil IDs will not have a substantial impact on the service of the legitimate devices. However, if the system is optimized to only have a subset of devices communicating at a time (e.g., in order to reduce latency or if only a subset of devices is involved in a particular sensing task), the result of launching multiple additional Sybil IDs might have severe impacts on the active legitimate devices. An alternative counter-strategy is to only accept requests from devices that are expected to transmit (e.g., sensors carrying relevant measurements for the running application). However, such application-layer information might not be available at the physical and MAC layers.

III-D Queueing Impacts of Disassociation Attacks

In a disassociation attack, Eve targets an active legitimate device and sends a DCN request with the corresponding ID. In an attacked frame, the access point will observe two messages and with the same ID (i.e., ) and uses (4) to decide which one is authentic. If the access point accepts the DCN request from Eve, the legitimate device will need to reconnect in order to continue its data transfer, which results in a disruption of the communication (i.e., ) for consecutive frames, which can lead to growing backlogs and increased delay. In principle, Eve could launch disassociation attacks against multiple links within the network. However, here we model the queueing impact when Eve targets a single device .

In the disassociation attack, the frame-level service process in (7) follows the same model as in the baseline scenario (10) (i.e., frames are dropped with the false alarm rate and is given by its baseline distribution). We consider independent Bernoulli attack attempts from Eve with probability and to model the impact on the queueing performance, we divide the data flow from device to the access point into blocks consisting of frames each and define the aggregated arrival process as and service process as

(20)

where is a Bernoulli random variable indicating a successful disassociation attack in the block. The distribution of is then given by

(21)

where is the probability of accepting Eve’s DCN message (i.e., the same situation as in the data injection attack and hence is given by (11)). We recall from Section III-B that a closed form solution for is not available. However, since is monotonically increasing with , an upper bound on suffices to upper bound . An upper bound on is given by (15) and hence we get an upper bound .

Our analysis of the disassociation attack serves as a worst-case model due to the upper bound on . However, since in the next Section IV we aim to upper bound the delay violation probability, an upper bound on the disassociation probability suffices for this purpose. Additionally, we acknowledge that other methods could be used for reducing the impact of disassociation attacks. For example, one could always choose DTA over DCN requests, which would render the disassociation attack harmless as long as an active device is targeted. However, we see this as an issue of protocol design and include disassociation attacks in our studies in the following.

IV Delay Performance Analysis

In this section, we derive delay performance bounds for the considered system using tools from stochastic network calculus. We begin by introducing necessary results and notation from the stochastic network calculus framework:

IV-A Stochastic Network Calculus

Stochastic network calculus is a mathematical framework that allows us to analyze input-output relationships of stochastic queueing systems through, for example, performance bounds on delay or backlog given arrival and service distributions. For a complete overview of stochastic network calculus, we refer to [10]. The work in [21] developed the stochastic network calculus framework for wireless fading links by observing that the analysis is simplified by converting the bivariate stochastic processes , and into , and . This transformation allows the characterization of the random service process in terms of the varying instantaneous SNR due to fading. This is referred to as transforming the bit-domain processes into the SNR-domain since the processes become linear in the instantaneous SNR instead of logarithmic. Arrival processes in the SNR-domain can then be seen as instantaneous SNR demands. In bit-domain, stochastic network calculus is based on a dioid algebra over . Stochastic network calculus in the SNR-domain, on the other hand, is instead based on the dioid algebra since processes in the SNR-domain become multiplicative instead of additive. The performance bounds, which can be seen as variations of moment bounds, are derived in terms of Mellin transforms of the involved queueing processes. The Mellin transform of a random variable , closely related to the moment-generating function (MGF), is defined as .

The upper bound on the delay violation probability we utilize in this paper is given by Lemma 2:

Lemma 2.

For ,

(22)

where is called the kernel and given by

(23)

and and are Mellin transforms of the SNR-domain service and arrival processes.

Proof.

See Theorem 1 in [21]. ∎

With i.i.d. instantaneous arrivals and service, we can write and , where and due to the independence of the instantaneous service and arrivals and . Then, assuming stationarity of the underlying queueing processes, we let in the right-hand side of (22) and get

(24)

under the stability condition required for the sum in (23) to converge. Since Lemma 2 holds for all , it follows that minimization of (24) over gives us an asymptotic upper bound on the delay violation probability. Hence, for the stable and stationary queueing system, the upper bound on the delay violation probability can be compactly written as with the objective function to be minimized given by the steady-state kernel in (24). This function can be shown to be a convex function for every in the stability interval (see Theorem 1 in [22]). However, no analytical tools from convex optimization can be applied, and therefore, one typically resorts to a numerical grid search for the minimization over .

Since in this paper we assume constant arrivals of bits per frame, the arrival process is deterministic and the Mellin transform of the SNR-domain arrival process can easily be found to be . The service process, following the SIMO channel service model (7), has a more complicated Mellin transform which we derive in the following subsections for the considered attack scenarios.

It is worth noting that alternative stochastic network calculus approaches exist that may be used for this analysis including effective capacity [23] and MGF-based analysis [24]. Nevertheless, the usefulness of the approach in [22] that we employ is most apparent when applied to wireless fading channels as the Mellin transform is already derived for many fading channels in the literature, e.g., [11, 25, 9]. This makes the approach particularly attractive for wireless networks analysis.

IV-B Baseline Analysis

Recall that in the baseline scenario no active attacker is present and frames are dropped with the false alarm rate, i.e., . The service model is given by (7) with where we now, for ease of notation, have dropped the user index . Note that in this section we assume the allocated resources to be deterministic, something we will later generalize when deriving the Sybil attack bound. To simplify the derivation, we define the functions and in terms of the instantaneous SNR so that

(25)

In the following, we provide our main analytical result, which is an approximate expression for the Mellin transform of in Theorem 1. From this result, the Mellin transform of the service process in steady-state easily follows, as stated in Corollary 1.

Theorem 1.

For the Rice fading SIMO channel with mean and covariance matrix , the Mellin transform of can be approximated by

(26)

where denotes the upper incomplete gamma function and and are parameters of the approximate distribution of given by

(27)

Proof.

We begin by using the fact that is a sum of independent non-central distributed random variables with and . Now we use that the sum of non-central random variables can be approximated as a scaled central  [26]. That is, we write , where . Transferred to the Mellin transform, the approximation becomes . Now, we seek

(28)

where in the second line we have used the change of variable and defined the integral which remains to be solved. To solve it, we can use the binomial expansion , which plugged into the integral yields

(29)

where we in the second to third line have used the change of variable and introduced . Plugging (29) into (28) yields (26). Finally, since and , we need and in order to match the two first moments of the approximation, which completes the proof.

With the result of Theorem 1 in place, we get the service-process Mellin transform through Corollary 1:

Corollary 1.

For the baseline scenario, with Bernoulli frame drops with probability due to PLA, the Mellin transform of the service process is given by

(30)

Proof.

It follows by taking the expectation of , observing that independent of and Bernoulli distributed with , and that in the baseline scenario. For mathematical details, we refer to [12, 11].
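The numerical grid search from Section IV-A, applied to the baseline service model with Bernoulli frame drops, is sketched below as an added example that is not code from the paper. The kernel is written in the standard steady-state form from the SNR-domain network calculus literature, the instantaneous SNR is taken as gamma distributed (a scaled central chi-square, the approximation used in the proof of Theorem 1), and the Mellin transform is integrated numerically; all function names, the nats convention and the parameter values are assumptions constructed for illustration.

```python
from math import exp, lgamma, log

def mellin_rate(exponent, shape, scale, n_sym, steps=4000):
    """E[(1+g)^(n_sym*exponent)] for g ~ Gamma(shape, scale), midpoint rule (shape >= 1)."""
    upper = scale * (shape + 12.0 * shape ** 0.5 + 12.0)   # covers the gamma tail
    h = upper / steps
    log_norm = lgamma(shape) + shape * log(scale)
    total = 0.0
    for i in range(steps):
        x = (i + 0.5) * h
        log_pdf = (shape - 1.0) * log(x) - x / scale - log_norm
        total += exp(log_pdf + n_sym * exponent * log(1.0 + x)) * h
    return total

def service_mellin(s, p_fa, shape, scale, n_sym):
    """M_S(1-s): a dropped frame serves 0 bits, i.e. SNR-domain service equal to 1."""
    return p_fa + (1.0 - p_fa) * mellin_rate(-s, shape, scale, n_sym)

def delay_bound(w, rho_bits, p_fa, shape, scale, n_sym, grid=None):
    """Grid search for min over s of M_S(1-s)^w / (1 - M_A(1+s) M_S(1-s)), capped at 1."""
    grid = grid or [0.02 * i for i in range(1, 101)]
    rho = rho_bits * log(2.0)        # constant arrivals in nats: M_A(1+s) = e^(rho*s)
    best = 1.0
    for s in grid:
        m_s = service_mellin(s, p_fa, shape, scale, n_sym)
        load = exp(rho * s) * m_s
        if load < 1.0:               # stability condition; unstable s are skipped
            best = min(best, m_s ** w / (1.0 - load))
    return best

# Constructed setting: mean SNR 10 (shape 8, scale 1.25), 20 symbols per frame,
# 30 bits arriving per frame, delay target w measured in frames.
PARAMS = dict(shape=8.0, scale=1.25, n_sym=20)

if __name__ == "__main__":
    for p_fa in (0.01, 0.05):
        for w in (2, 5):
            b = delay_bound(w, 30, p_fa, **PARAMS)
            print(f"p_fa={p_fa:.2f} w={w}: P(delay > w) <= {b:.3e}")
```

Raising the false alarm rate both increases the kernel at every stable value of the free parameter and shrinks the stability interval, so the bound degrades on both counts.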

IV-C Analysis for Sybil Attacks

In a Sybil attack, the number of resources assigned to each device varies depending on the success of the adversary. We provide the Mellin transform of the service process in this generalized case in the following corollary (following from Theorem 1):

Corollary 2.

Under a Sybil attack, with scheduled resources distributed according to and frame drops with the false alarm rate , the service-process Mellin transform is given by