Marc Del Valle - Femtocells - A Description and New Security Approaches PDF


A project report on

FEMTOCELLS
A description and new security approaches

By
Marc del Valle-Ortiz Guardià

Under the Guidance of


Dr. V. S. Shankar Sriram
Associate Professor

SCHOOL OF COMPUTING
Shanmugha
Arts, Science, Technology & Research Academy
(SASTRA University)
(A University Established under section 3 of the UGC Act, 1956)

Tirumalaisamudram
Thanjavur - 613401

January 2014
Marc del Valle-Ortiz Guardià: Femtocells, A description and new security approaches, © January 2014

BONAFIDE CERTIFICATE
This is to certify that the Project entitled
Femtocells, A description and new security approaches
is a work done by
Marc del Valle-Ortiz Guardià

Internal Guide Associate Dean


Department of Information Technology

Submitted for the university examination held on: January 2014

Internal Examiner External Examiner


ABSTRACT

Femtocells are an essential part of the future mobile cellular network. A general literature survey on this technology is given in the first part of the work. This general survey is the base for the further work presented in this document. Research work in the field of securing femtocells is still in its infancy. In this research contribution an attempt has been made to identify and mitigate a possible attack on femtocells in which location information about a femtocell user is disclosed. The proposed mechanism notifies the femto entity under threat about the attack. A novel Multi-hop algorithm has also been proposed to hide the details of the communicating parties from the attacker. Furthermore, resource allocation for femtocells is a big concern in the community. In this document one of the existing procedures is implemented and also modified for improvements.

ACKNOWLEDGEMENTS

I would like to express my very great appreciation to Dr. V. S. Shankar Sriram for his suggestions and comments during the development of this research project.

I want to give a mention to my laboratory colleagues, who shared knowledge and suggestions with me and helped me to have a great time while working on the different projects.

Moreover, I want to thank Dr. M. Sridharan, without whom joining SASTRA University to develop my work might not have been as easy as it has been.

And finally, huge thanks to my family, friends and girlfriend for their constant support and their unconditional cheers.

Moltes gràcies a vosaltres!
Thank you very much!
Mikavum nanri!

The difficulty lies not so much in developing new ideas as in escaping from old ones.
— John Maynard Keynes
CONTENTS

i general survey on femtocells
1 introduction
  1.1 Cellular Mobile Network
  1.2 Femtocells as a solution
  1.3 Market Status
2 femtocell network
  2.1 Architecture
    2.1.1 HeNB dedicated GW
    2.1.2 HeNB non-dedicated GW
    2.1.3 C-plane HeNB dedicated GW
  2.2 Joining Policies
    2.2.1 Closed HeNB
    2.2.2 Open HeNB
    2.2.3 Hybrid HeNB
  2.3 Interferences
    2.3.1 Femtocell-Macrocell
    2.3.2 Femtocell-Femtocell
  2.4 Handover
    2.4.1 Legacy Handover
    2.4.2 Fast Handover
3 survey on attacks and existing countermeasures
  3.1 End User Attacks
    3.1.1 Anonymity: Correlating Packages
    3.1.2 Authenticity: Stealing UE Identity
    3.1.3 Confidentiality: Disclosing the Data
    3.1.4 Availability: False Power Off
    3.1.5 Integrity: Changing SMS content
  3.2 Network Attacks
    3.2.1 Getting other nodes information
    3.2.2 Remotely controlling a HeNB
    3.2.3 Breaking operators infrastructure

ii proposed methodologies
4 user environment location privacy
  4.1 Location Disclosure
  4.2 Tracking Notification Algorithm
5 user anonymity
  5.1 Multi hops Algorithm
  5.2 Simulation
    5.2.1 Scenario Setup
    5.2.2 Results
6 resource allocation
  6.1 Graph Formation
  6.2 Graph Coloring
  6.3 Algorithm Implementation
    6.3.1 Coloring Algorithm
    6.3.2 Coloring Optimization
    6.3.3 Results Evaluation
7 conclusions

bibliography

LIST OF FIGURES

Figure 1 Femtocell Scenario
Figure 2 Dedicated HeNB GW.
Figure 3 No-Dedicated HeNB GW.
Figure 4 C-Plane dedicated HeNB GW
Figure 5 Macrocell splitering scheme
Figure 6 Legacy Handover Procedure
Figure 7 Proximity Add/Release Process
Figure 8 Tracking Threat
Figure 9 Tracking detection process flow chart
Figure 10 MhA Number of Reflections p.d.f
Figure 11 MhA Introduced Delay p.d.f
Figure 12 Graph coloring example

LIST OF TABLES

Table 1 LTE basic Parameters
Table 2 Simulation Parameters Summary
Table 3 Number of reflections
Table 4 Time inside the HeNB

LISTINGS

Listing 1 MhA pseudo-code
Listing 2 Colorizing Function Matlab Code
Listing 3 Minimization Function Matlab Code

ACRONYMS

FAP Femtocells Access Point
MCN Mobile Core Network
HeNB Home Enhanced Node B
eNB Enhanced Node B
GA Genetic Algorithm
OFDMA Orthogonal Frequency-Division Multiple Access
PCI Physical Cell Identity
LTE Long Term Evolution
RAN Radio Access Network
GUI Guided User Interface
UE User Environment
LTE-A Long Term Evolution Advanced
SCTP Stream Control Transmission Protocol
GW Gateway
MME Mobility Management Entity
NAS Network Attached Storage
OFDM Orthogonal Frequency-Division Multiplexing
PCI Physical Cell Identifier
IMEI International Mobile Station Equipment Identity
IMSI International Mobile Station Subscriber Identity
SMS Short Message Service
DoS Denial of Service
GSM Global System for Mobile
HTTP Hypertext Transfer Protocol
RSRP Reference Signal Received Power

Part I

GENERAL SURVEY ON FEMTOCELLS

A brief introduction to the cellular network is given to begin this work. This part focuses on introducing and describing the femtocell concept: analyzing the scenario that creates the need for it, and explaining the femtocell network configuration and procedures. Moreover, the existing security issues in femtocell networks are listed and summarized.

Why are femtocells necessary? How are femtocells implemented? How is interference managed? What security vulnerabilities have been detected in femtocells? These are the questions which this part aims to answer.

1 INTRODUCTION
1.1 cellular mobile network

The mobile cellular network is a concept that emerged in 1960 as an evolution of the fixed telecommunication network. Since then the concept has evolved, and nowadays the mobile cellular network has become huge. The network infrastructure basically consists of different base stations deployed throughout the whole service coverage area. Each base station (eNB, using 3GPP¹ notation) creates a coverage area named a cell. These cells are distributed in a non-overlapping pattern in order to maximize the covered area, which can be a city but also a whole country. The users geographically located inside a cell are served by the eNB that creates that cell. Normally the cells created by an eNB are represented as hexagons and are named macrocells. Different macrocells use the same frequency slot, since frequency reuse techniques have been introduced; this is feasible because the signal power decreases with distance from the base station.

The techniques used in the mobile cellular network have evolved quite fast since their creation. Nowadays the 4th generation is starting to reach every user around the world, and the research community is working on the 5th generation. This evolution started with the change from analog to digital transmission from 1G to 2G. From 2G to 3G the change was the start of spread-spectrum based communications, which improved the voice capacity. Many improvements have been made to 3G to improve its data carrying, but these improvements have not been considered a new generation.

The jump from 3G to 4G not only changed the techniques used for the transmission, it also attempts to change the network deployment. Traditionally the deployment of the eNB is done by the service provider's engineers, who configure the network and set the parameters for the base stations. The new approach introduces smaller cells which can be deployed easily and adapt their parameters to the needs of the network. The extreme, and most recently introduced, of these small cells are the femtocells, which are the smallest of the family. The femtocells' siblings are micro-cells and pico-cells. This reduction of the coverage area also helps to handle the increasing number of devices asking for throughput, and to bring 5 bar coverage to all the main areas.

The 4th generation is also known as LTE and it is an intermediate step before LTE-A. This step is needed in order to introduce 4G smoothly by gradually moving from 3G. Basically LTE converges all the wireless technologies (WiMAX, CDMA, HSPA & GSM) in order to make the migration to the next step easy.

¹ 3rd Generation Partnership Project, collaborative work between telecom associations.

LTE: IP is the protocol used for addressing, specifically IPv6, which gives the network operators a simpler and more scalable network. This network is composed of four parts: i) radio access (RAN), ii) backhaul, iii) core and iv) backbone; the IP protocol allows all these parts to be interconnected. The downlink transmission in the RAN uses OFDMA, a technique that allows the users to share the available bandwidth, adjusting it according to the users' demands.

Access scheme (UL): DFTS-OFDM
Access scheme (DL): OFDMA
Bandwidth: 1.4, 3, 5, 10, 15, 20 MHz
Minimum TTI: 1 ms
Sub-carrier spacing: 15 kHz
Modulation: QPSK, 16QAM, 64QAM

Table 1: LTE basic Parameters

Table 1 lists a few important parameters of LTE. Another important fact is the spatial multiplexing introduced in the DL. The latency (system transmission delay) is reduced in LTE, and the time to initialize is also quite small.

LTE-A: This technique adds some new features to LTE. New frequency bands are used, TV bands for example. By channel aggregation the effective bandwidth can be increased up to 100 MHz.

All the generation migrations imply a high cost for the network operators. Due to the high rates that these operators pay for installing new antennas (eNB), they were looking for a more affordable solution.

[Margin note: The cost of deploying an eNB can reach almost 1M dollars per year.]

1.2 femtocells as a solution

Since the introduction of spread spectrum techniques, users have been expecting more features and connection speed in their devices. More and more users and devices are being introduced into the network every day. Network operators have the responsibility to provide better throughput and bandwidth to the users of the wireless network. The introduction of femtocells into the network is proposed as a better solution, since this technique is able to recycle the frequency slots used by macrocell users within a specified range and transfer the data through the Internet to the Mobile Core Network (MCN). This achieves high bandwidth at low cost, satisfying the network users with an affordable, low investment for the network operators.

A possible scenario showing these femtocells is presented in Figure 1. As can be seen, the HeNBs created can be in an overlapping environment, which needs interference mitigation techniques between femtocells as well, in addition to macrocell-femtocell interference.

Figure 1: Femtocell Scenario

To create the smallest of the mobile network cells a device is needed; these devices are called femtocell access points (FAP). These devices include plug and play technology, which means that no technical support is needed for the installation. The user only has to power on the device and connect it to a backhaul network. This backhaul connection is made through a high speed access network (xDSL) which connects the HeNB to the Internet. The network operator only needs to handle the new connection to the network, which can be easily done by properly configuring the gateway, as explained in Chapter 2. This gives the network scalability and a low deployment cost.

FAPs are designed for indoor deployments, since they create a cell of 20 meters range. Recent research extends the deployment to outdoors as well [12]. This small coverage area has a great impact on the power consumption of the UEs, since the transmission power is lower than when connecting to a macrocell. Generally the deployment is done by users who want to increase throughput inside an office or home and by users who have low coverage in their buildings. The two different configurations proposed are suitable for these two scenarios: for a home HeNB, 5 users are allowed to join the FAP; on the other hand, up to 16 users can be managed in an office environment. Depending on the scenario in which the HeNBs are deployed, different joining policies for accepting join requests are also used; these policies are described in Chapter 2.

Femtocells not only introduce new features in the network layer; new application services also appear with the deployment of femtocells. Since the HeNB is going to detect you when you arrive home, some tasks can be automated or notifications can be sent. Some of these applications are presented in [11], but since it is a novel technology, the growth of new features in the next years will be quite large.

1.3 market status

In 2007 Sprint launched the first consumer femtocell service. It was focused only on home deployment and did not have a real impact on the market until the first standardization was done and put on the market (2012). In 2013 most of the major mobile operator groups are offering femtocell services; the most remarkable of them are AT&T, China Mobile, France Telecom/Orange, Telefonica, T-Mobile/Deutsche Telekom and Vodafone. Some of these mobile operators reported the statistics of their femtocell network; for example, Sprint had deployed around one million units in the US. Also in the US, estimations regarding AT&T give a figure of almost 1M units deployed by this operator. Other countries where femtocells are starting to be deployed have more moderate numbers; in the UK Vodafone reported hundreds of thousands of HeNBs.

The most interesting thing to analyze is the potential growth of this market. In [5] the Femtocell Forum presents a market status and an estimated forecast. The growth of the market is basically attributed to the small cells deployed in public areas, but the growth of private cells is also quite fast. The forecast estimates a growth of 73% each year from 2012 to 2016. This growth is due to the LTE network, which makes the use of these small cells almost mandatory. The prediction also talks about all-in-one devices which will include a Wi-Fi access point and a mobile network access point, and which will not be limited to one generation of the mobile techniques. Regarding this compatibility between different generations, in 2012 the first device to include 3G and 4G was released on the market in Japan.

The expectation is that the small cell market will represent a value of over 20 billion US dollars. This represents a huge share of the market and creates fierce competition between the network operators to offer more, and more secure, services, which will allow them to get the maximum number of users.
2 FEMTOCELL NETWORK

2.1 architecture

As described by 3GPP in [1], different architecture approaches appear in the femtocell network. The main difference between the approaches resides in the HeNB gateway, which is suppressed or reconfigured in the different architectures described below. In order to secure the transmission, a secure gateway (SeGW) is mandatory in all the approaches; it is not shown in any of the diagrams¹. This SeGW is in charge of tunneling the HeNB traffic over the IPSec protocol to ensure that the data transiting through the Internet is not disclosed.

2.1.1 HeNB dedicated GW

All the traffic coming into the MCN from the different HeNBs is concentrated in the HeNB GW. This means that only one SCTP association is needed for the whole set of HeNBs to join the MCN. This is a good advantage in terms of traffic, since the MCN is not flooded with SCTP associations each time a HeNB joins. That is quite common, since the FAPs are located in users' homes and the users are able to turn them on at their own choice. One other great advantage is that this architecture is really similar to the HNB (3G) architecture, which means that carriers do not need large investments to change from the previous generation.
[Margin note: The connection marked as S1 represents in the three cases the connection made through the Internet.]

[Figure 2 diagram. Elements: UE, HeNB, HeNB GW, MME, S-GW, HSS, CSG List Srv, grouped into VPLMN and HPLMN. Interfaces: LTE-Uu, S1, S1-MME, S1-U, S11, S6a, C1 (OMA DM/OTA).]

Figure 2: Dedicated HeNB GW.

The main disadvantage of the architecture presented in Figure 2 is that if the HeNB-GW fails, all the HeNB nodes are affected. Moreover, a change of tunnel is needed to forward the packets. The tunneling needs to be changed from HeNB-GW→S-GW to HeNB-GW→HeNB and vice versa.

¹ The diagrams in Figure 2, Figure 3 and Figure 4 are extracted from the 3GPP specifications [1].

2.1.2 HeNB non-dedicated GW

By removing the HeNB-GW there are fewer elements in the network, which means that in terms of operations performed this approach gives better performance. Updating for new features is also easier, since fewer elements are involved. Furthermore, the main disadvantage of the first variant is no longer a problem, since no concentration is done in this approach.
[Figure 3 diagram. Elements: UE, HeNB, MME, S-GW, HSS, CSG List Srv, grouped into VPLMN and HPLMN. Interfaces: LTE-Uu, S1-MME, S1-U, S11, S6a, C1 (OMA DM/OTA).]

Figure 3: No-Dedicated HeNB GW.

Unlike the dedicated gateway approach, in this approach an SCTP association is created for every release or join of a HeNB. This can easily overload the MCN with packets coming from the HeNBs. This approach is feasible, for example, for carrier-deployed femtocells, which are turned on most of the time and are limited in number in a certain region. For user-deployed FAPs this is not a good approach, as discussed.

2.1.3 C-plane HeNB dedicated GW

For this approach the HeNB-GW is introduced only in the control plane (C-plane) of the link. With this configuration a low number of SCTP messages is achieved, since only one connection is made between the HeNB-GW and the MME. The user plane is simplified, and as a result of the HeNB-GW suppression there are fewer points of failure. The main advantage of having the control traffic centralized in the HeNB-GW is that we are able to run optimization techniques for the handover and signaling messages of all the HeNB nodes.

The disadvantage of this approach is basically that if the number of HeNB nodes increases, the UDP/IP connections will cause an overload if the S-GW is not properly designed. This can be solved by introducing additional S-GWs if the network grows that much.

[Figure 4 diagram. Elements: UE, HeNB, HeNB GW, MME, S-GW, HSS, CSG List Srv, grouped into VPLMN and HPLMN. Interfaces: LTE-Uu, S1-MME, S1-U, S11, S6a, C1 (OMA DM/OTA).]

Figure 4: C-Plane dedicated HeNB GW

2.2 joining policies

The mobile network is a very diverse environment. In it we can find a huge number of different devices with different features and, most important for this case, operating with multiple carrier companies. Furthermore we can also find devices using a dual SIM card. Because of all these different users the HeNB network has to implement a login policy to restrict its usage if necessary. From this perspective three different joining policies appear in femtocells: open, closed and hybrid.

2.2.1 Closed HeNB

In this kind of HeNB the users joining the femtocell have to be controlled. Only registered users are able to join the femtocell; these users have to be reported to the service provider by the FAP owner. A list with all the authorized users is created and stored in the MME block (see the architecture section for details); the MME is in charge of transferring and updating the data to the core of the network. When a new user is joining, the HeNB sends a NAS request to the core of the network, which makes a decision with the information provided by the MME. In case the connection is rejected, the standards specify that the cause of rejection must be sent to the user.

In case the HeNB is deployed in a public place and the owner of the device is the operator itself, other cases appear. Operators will sign roaming agreements so that users coming from a different carrier network can join this network. It is clear that this is also a closed access femtocell, where the authorized users are the ones belonging to the operator's client list and, furthermore, to the other operators in the roaming agreement.

Since users who are not permitted in the HeNB network can be in its coverage area, this kind of policy is the one that most affects the interference, as discussed in the next section.

2.2.2 Open HeNB

In this kind of femtocell everybody is able to join if there are resources available. There is no priority of any kind: the first users to arrive are the ones who obtain resources. This policy is not well regarded by the carriers, or by home users who want to control who is joining the HeNB. On the other hand, these cells are very attractive for users, who can get more features on their device without paying anything extra. Knowing that, attackers have a great opportunity: by deploying one of these femtocells they can monitor all the traffic going through their own FAP.

2.2.3 Hybrid HeNB

This policy is midway between the two policies explained before. In these femtocells a list of registered users is also created, which works as in closed access. In addition, non-registered users are also accepted to join these femtocells while there are resources to allocate to them.

This is a really good kind of femtocell for users who own an indoor place but receive many different people, for example a travel agency office where the workers are the same every day but different customers come in every hour.

2.3 interferences

As shown before, the last connection of the network is made over the air interface. As is known, this interface is very susceptible to interference. Moreover, the future mobile network is going to have two tiers operating in the same frequency range, the femtocell tier and the macrocell tier. It is important to distinguish two cases, LTE and LTE-A: in the newest generation different subcarriers are available to spread the different transmissions over them. Therefore LTE is the most restrictive scenario. In the lines below the most powerful mitigation techniques from [10] are summarized; if a technique is taken from any other source, this is specified in its description.

2.3.1 Femtocell-Macrocell

The different approaches that appear in the literature for fighting the interference caused by the coexistence in time, space and frequency of an eNB and a HeNB take the first one as the high priority user. Therefore HeNBs have to adapt their transmission parameters in order not to interfere with the macrocell. The highest interference scenario occurs when an eNB user is trapped in the middle of a closed HeNB operating on the same frequency as it. As said, in this case femtocells have to adapt themselves to interfere as little as possible with the user.

2.3.1.1 Control Channels

The control region in LTE can be allocated in the first to third OFDM symbols, and it is spread along the whole bandwidth. For this reason different frequencies cannot be assigned to femtocells and macrocells. In an eNB the number of users is assumed to be larger than in one femtocell; for that reason, in the first case the three OFDM symbols will be used as control channel, whereas in femtocells it is possible to manage all users using only one OFDM symbol. LTE has three different control channels which need to be protected against interference:

• PCFICH: It is in charge of announcing the structure of the bandwidth; the information about how many OFDM symbols are being used for the control channel can be found here. This is the most robust channel; it is repeated four times in the frequency domain. This channel stands out as the most important, since if it is not read correctly all the data will be misunderstood.

• PHICH: This channel is used to inform the UEs when an uplink transmission is successfully completed. It has three repetitions in the frequency domain; these repetitions can be done in the same OFDM channel or each in a different one. Moreover, this control channel is spread in the time and frequency domains.

• PDCCH: This channel is also scattered in the frequency and time domains. It is used by the users to transmit the downlink transmissions. The distribution along the frequency domain is diverse and could seem random, but each user allocates this information according to certain equations.

The paragraphs below describe different approaches for mitigating the cross-tier interference for the control channels.

No coordination: If no technique is used, the data channels used by the femtocell interfere with the second and third OFDM symbols used by the macrocell. The interference is then not between control packets; in this case it is between data packets and control channel packets.

Spread femtocell control channel: This technique takes advantage of the fact that only one OFDM symbol is needed for the femtocell's channel. The information of this single channel is spread along the three possible symbols, which reduces the interference and also reduces the femtocell data channels.

Blank Subframe: It consists of coordinating macrocell and femtocell so that each keeps one blank frame, during which the other is able to transmit without interference. This is the most basic technique, but the throughput is drastically reduced, since fewer frames are available for transmission.

PCI manipulation: This technique, proposed in [3], attempts to change the physical cell identity (PCI) when the HeNB is powered on. It is focused on avoiding collisions between the macrocell user's PCFICH and the same channel of the femtocell user. When the PCI value is changed, the control channels are moved inside the OFDM symbol. The HeNB has to listen in order to identify the most dominant macrocell; once it is identified, the PCI value has to be chosen intelligently so that the PCFICH of the femtocell is allocated in a different position from the macrocell one. This technique enhances the performance of the previously explained techniques.

2.3.1.2 Data Channel

Genetic Algorithm Resource Allocation Model: This technique, presented in [8], has the objective of maximizing the available throughput and minimizing the interference. As described, the model consists of two parts: first the bandwidth allocation is done and then a GA is used to optimize the available resources. In the first step all the bandwidth is split into different orthogonal subcarriers, then an integer number of subcarriers is assigned to each user depending on its requirements. Furthermore, the transmission power for each user is also set. These results are used as the initial population for the GA implemented in the second step. The GA is run each time a user joins the network; the input parameters are the users' bandwidth demand, location and the network modulation.

[Margin note: A GA attempts to find the best fitness solution for an optimization problem.]

Collaborative frequency Scheduling: The collaboration takes place between eNB and HeNB, in order to obtain the most realistic channel sensing. The eNB sends the channel information to the femtocells. Each HeNB also performs channel sensing, and from these two pieces of information they obtain a more accurate frequency schedule. This technique can be improved by adding cognitive sensing, where all the nearby HeNBs share the sensing information in order to get a better result. This technique is focused on reducing the interference in both links, downstream and upstream.

Power Control: Since femtocells are the low priority users in the network, they are going to change their transmission parameters in order not to interfere with the eNB. One of the main parameters that can be modified to reduce the interference is the power transmitted by the HeNB. The main advantage is that the only thing compromised to reduce the interference is the SNR; no bandwidth resources are lost. The power control decision can be based on many different inputs. For example, groups of HeNBs can be clustered and the power of the whole cluster changed at the same time. The decision to change power parameters can be made in a centralized way or in a distributed way, where each node decides the transmission power by sensing the medium. This is one of the simplest techniques and also one of the most efficient in terms of interference mitigation.

2.3.2 Femtocell-Femtocell

Cognitive Radio: In dense femtocell networks a cognitive approach can be used, since the FAPs need to be close enough to communicate with their neighbors. Alternatively, the exchange of information can also be done using the HeNB-GW in case it exists, depending on the selected architecture scheme. The process occurs when the HeNB node is switched on: it listens to the air interface and selects the channel to use according to the following rules. If there is any channel that the neighbors are not using, the new HeNB selects it for the transmission. If all the channels are used, it selects the one which is used by the furthest neighbor. Finally, if the mentioned conditions cannot be met, the FAP selects the least used of the furthest used channels. This technique is used for the downlink and, as can be seen, strict cooperation between all the HeNB nodes is required.

[Margin note: Cognitive radio refers to smart radios that have the ability to sense the environment and take decisions to adjust their transmission parameters depending on the surrounding medium.]

Graph Coloring Resource Allocation: This novel technique for resource
allocation is presented in [14]. The technique consists in building a
graph where each node is linked to the nodes within its interference
area. Once this graph is created, each node, following a sequential
process, applies a graph coloring technique to it. Once a node has
decided its color it has to share this color with its neighbors, who
will decide their own color by looking at the others' colors. Each
color represents a frequency slot available for that femtocell; the
number of resources might vary. When a node joins the network, the only
thing it has to do is ask for the colored graph, decide which frequency
to use, and then transmit it to the whole network. As can be seen, this
technique is like cognitive radio, where all the neighbors cooperate to
get the best result, but if some of them give false feedback the
performance is highly decreased. As Q. Zhang et al. suggest, many
improvements can be made to optimize this algorithm, like refreshing
the coloring every time a node joins or leaves the network, or applying
optimization in the graph coloring, which requires a centralized entity
to control the whole frequency allocation. More details about this
procedure can be found in Chapter 6 of this document.

Fractional Frequency Reuse (FFR): Different techniques based on this
method exist, which can mitigate the interference in both tiers of the
network, femto to femto and macro to femto. The main distinction
between these techniques is how the resource allocation is done: there
are dynamic and static allocations. In the first case the signaling and
the complexity are higher, in exchange for a more efficient use of the
bandwidth resources. The main idea of FFR is to divide the macrocell
area geographically: three sectors are created in the hexagonal cell.
Furthermore, a distinction in radial distance from the eNB is made,
splitting the cell into two coverage areas. Taken together, each
macrocell presents six different regions. The frequency spectrum is
also divided into different slots, and each HeNB uses different slots
depending on its location. A clear scheme can be seen in Figure 5,
where A, B, C and D are the frequency slots.

Figure 5: Macrocell splitting scheme

This technique can also be used together with power control; this
hybrid technique enhances the system performance, achieving really good
results.

2.4 handover

To explain the different handovers we are going to use the notation Tgt
to identify the target node for the handover. Src will be used to identify
the node that is going to be left by the UE.

2.4.1 Legacy Handover

Each UE connected to a HeNB or eNB is constantly sensing the medium in
order to send Measurement Report messages to the node it is connected
to. This message is interpreted and the node takes a positive or
negative decision about the handover. If the decision is positive, the
next step is to send a request to the Tgt; this request is sent by the
Src through the MME. Once the Tgt has received this request it sends a
Handover Command to the UE, and at this moment the Src starts buffering
the data received for that UE. This data will be forwarded to the Tgt
once it receives a Status Transfer message via the MME.
The data is also buffered in the Tgt until the UE is finally connected
to it; at the same time the target has to accept the Handover Confirm
from the UE. After that the Path Switch Request is sent; before that
happens, the data travels twice through the Internet, from the SGW to
the Src and then to the Tgt. The Src is finally excluded from the data
transfer after receiving an End Marker from the SGW, which marks the
end of the handover procedure.
The packet flow of the described procedure is shown in Figure 6.

Figure 6: Legacy Handover Procedure

The problem with the handover described above is that the time spent
sending packets through the Internet is quite high, which means that
this handover is not optimal for the femtocell network.

2.4.2 Fast Handover

As described before, the need for a fast handover has existed since the
femtocell network appeared; in [9] a new approach for a quicker
handover is given. To implement a fast handover the authors propose a
proximity-based method; the speed of the UE is also taken as an input
for deciding whether or not to do the handover.
Firstly, two different modes for the UE are defined, swift mode and
free mode. In the first, the speed of the UE is higher than a certain
threshold and the handover can only be done between macrocells. The
threshold is fixed according to the network speed. In the other mode
the UE speed is below this threshold and the handover is allowed. Two
regions are also defined for the femtocell coverage area, the
associable region and the proximity region. This second region is
defined as the area where the strength of the HeNB is higher than a
certain δ of the strongest signal. The associable region is where the
signal of the HeNB is the strongest one in that area. Note that a UE
can be in several HeNB proximity regions but in only one associable
region.

Figure 7: Proximity Add/Release Process

Proximity Add/Release Process: this is the main process that makes the
handover faster. When the UE enters a proximity region, the MME
duplicates the data stream of the SGW so that the data is also sent to
the HeNB creating that proximity area. When the UE leaves the proximity
area this duplication has to be released in a similar way. Both packet
flows can be seen in Figure 7. Thanks to this pre-handover process,
when the handover has to be done the Tgt is already receiving the data
and only needs the Src to tell it from which point the UE needs to
receive the data. This is transmitted using a Switch Marker sent by the
Src to the Tgt. With this method the handover time can be reduced from
1.74 s in the Legacy Handover to 0.82 s in the Fast Handover, according
to the results presented in [9].
3 SURVEY ON ATTACKS AND EXISTING COUNTERMEASURES

This chapter attempts to explain the most important threats affecting
femtocells. Different threats have been described in [13] and [2].
Furthermore, the 3GPP technical report [2] describes the security
architecture of the current femtocell network architecture. Most of the
threats described in this bibliography are already solved. The attacks
described in this work are the ones that have not yet been solved at
all.

3.1 end user attacks

When talking about mobile cellular networks, the user normally does not
choose which antennas to connect to; users are not even aware of the
handover process. This means that a connection to a HeNB can happen
without the user's choice or knowledge. If an attacker is able to
introduce a misbehaving HeNB into the femtocell network, the user's
security can be compromised in most of its layers.

3.1.1 Anonymity: Correlating Packages

A new security leakage in femtocell networks is presented by Malone et
al. in [7]. Rogue femtocells appear in this scenario; they can easily
appear under an open femtocell policy. The authors were able to
identify each type of packet in the network by using these misbehaving
FAPs. With this knowledge, an approach for correlating the packets in
different HeNBs is discussed. Both ends of a data transfer can be
pointed out by correlating the knowledge of incoming and outgoing data
in different femtocells. Therefore user anonymity can be broken just by
monitoring the backhaul traffic in the different femtocells, which
represents a real security leakage.

Three different mitigation approaches are given by the authors in [7]:
dummy traffic, IMEI/IMSI verification and user verification. The first
option is that the HeNB constantly introduces traffic into the network
to make traffic analysis more complex. The second technique consists in
adding an IMEI/IMSI field when creating the allowed users list. This
makes it more difficult to add certain users to a misbehaving HeNB,
since IMEI and IMSI are not as public as the phone number. But, as
described in other attacks, existing procedures allow these
identification numbers to be obtained, so this technique just increases
the complexity of the attack. The last proposal is to ask the user
whether he/she wants to join the HeNB. Users have to choose whether or
not to connect the device, and if they know that a security leakage may
exist, connecting will never be an option. This results in a network
without users, since they do not want to compromise their privacy.
Given the infant stage of these techniques, an approach to provide
anonymity has been developed in this work. In Chapter 5 collaborative
work of the femtocell users is proposed to provide anonymity by using a
novel algorithm.

[Margin note: IMEI and IMSI are unique identifiers for the device and
the SIM card respectively. Only physical access to the devices should
provide these identifiers.]

3.1.2 Authenticity: Stealing UE Identity

Presented in [6] and demonstrated in [4]: by using a rogue HeNB,
attackers are able to totally impersonate a subscriber. Attackers have
to create a GW proxy; from that proxy they send joining requests to the
mobile network, and when they are asked for authentication, the only
thing needed is to ask the attacked user for that authentication. As
the UE is connected to the proxy GW, and authentication requests are a
normal service inside the HeNB, the UE sends the response, the
authentication message, to the proxy GW, which only needs to forward it
in order to get authenticated. Once the attacker is authenticated in
the network, transmissions to any destination can start, making the
network think that these transmissions come from the victim UE instead
of from the attacker.

The authors who point out this kind of attack conclude that femtocells
are not a good idea, since this attack seems to have no possible
mitigation in the current scenario. The field is therefore totally open
for work on mitigating this kind of attack, since nowadays the only way
to avoid it is to implement a user-decision approach. The user then has
to remember which HeNBs are trusted and which are untrusted, in order
not to join the latter. While walking inside a building our phone would
send notifications every 30 meters asking for permission, which does
not seem like a really good solution.

3.1.3 Confidentiality: Disclosing the Data

DePerry et al. [4] demonstrated how to obtain data from femtocell users
by joining the FAP and capturing all the packets in transit. The
authors give a practical approach to recording a voice call and reading
the SMS passing through a femtocell. This is possible because the keys
are shared from the MCN to the HeNB and stored in the HeNB. Since the
access point can be corrupted, these keys can be obtained, and by
sniffing the packets attackers can easily obtain the ongoing data. The
procedure to get the keys is described in [6] (Section 3.1).

In order to avoid this kind of attack, the author of [13] proposes to
enhance the security by adding more complexity to the authentication
certificates. Further work is needed to implement more complex
cryptographic techniques using different key management policies,
since the nodes in the core network are no longer trusted. Therefore
the keys should not be stored in, or sent in clear to, those nodes;
only UEs should be able to know the key for encrypting their data.

3.1.4 Availability: False Power Off

By creating a GW proxy and using a misbehaving HeNB, the authors of [6]
are able to perform a DoS attack against a UE. Using the GW proxy, the
attacker is able to get the IMSI of the victim. Using this IMSI, an
IMSI DETACH packet is sent to the mobile network, since in GSM and 3G
this kind of packet does not use any authentication process. The MCN
assumes that the victim has disconnected and does not deliver any
transmission to it. The UE is not aware of this process, which means
that it continues listening and waiting for incoming transmissions.
Moreover, the attack can be more effective if the attacker manages a
network of misbehaving HeNBs, which allows the whole femtocell network
to be attacked with this DoS.

Adding authentication to the detach message emerges as the best
solution to mitigate this kind of attack. Once more, the keys used for
this authentication should not be known by the HeNB. Further work is
needed to design the mechanism against this threat.

3.1.5 Integrity: Changing SMS content

Based on controlling a HeNB access point, a threat for injecting
undesired SMS is described in [6]. The attack basically consists of two
different threats. Firstly, the HeNB needs to be reconfigured to make
it able to detect the incoming and outgoing packets from the GW. That
is basically done by creating our own GW proxy server and routing all
the packets through it. Once this is done, the clients authenticate
themselves and the proxy in the network, since they are authorized.
When the SMS is sent to the proxy, it indicates to the user that it is
being validated; instead, the SMS can be converted into plain text,
modified and sent to the network.

The same mitigation techniques as for the confidentiality threat might
be applied to mitigate this attack. If the data packet is properly and
securely enveloped, the attacker has no chance to modify it without
changing the envelope. Therefore, once again, keys have to be known
only by the UE, and the cryptographic techniques applied to the data
need to be improved.
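
The mitigation proposed for the detach and SMS threats (Sections 3.1.4 and 3.1.5), a message authenticated with a key that only the UE and the core network know, can be sketched as follows. This is an added example, not code from the report or from [6]: the envelope layout, the per-message counter and the names seal and CoreNetwork are assumptions, and it is not a 3GPP-defined mechanism.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # size of an HMAC-SHA256 tag


def encode_body(msg_type, imsi, counter, payload):
    """Length-prefix every field so field boundaries cannot be shifted."""
    fields = [msg_type.encode(), imsi.encode(), struct.pack(">Q", counter), payload]
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def decode_body(body):
    """Inverse of encode_body; returns None for malformed input."""
    fields, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            return None
        (size,) = struct.unpack_from(">H", body, pos)
        pos += 2
        if pos + size > len(body):
            return None
        fields.append(body[pos:pos + size])
        pos += size
    if len(fields) != 4 or len(fields[2]) != 8:
        return None
    try:
        msg_type, imsi = fields[0].decode(), fields[1].decode()
    except UnicodeDecodeError:
        return None
    return msg_type, imsi, struct.unpack(">Q", fields[2])[0], fields[3]


def seal(key, msg_type, imsi, counter, payload=b""):
    """UE side: envelope = body || HMAC-SHA256(key, body)."""
    body = encode_body(msg_type, imsi, counter, payload)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class CoreNetwork:
    """Verifier in the operator core; the HeNB in between never holds the keys."""

    def __init__(self, subscriber_keys):
        self.keys = dict(subscriber_keys)  # IMSI -> key shared with that UE only
        self.last_counter = {}             # IMSI -> highest counter accepted so far

    def accept(self, envelope):
        """Return (msg_type, imsi, payload) if authentic and fresh, else None."""
        if len(envelope) <= TAG_LEN:
            return None
        body, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
        decoded = decode_body(body)
        if decoded is None:
            return None
        msg_type, imsi, counter, payload = decoded
        key = self.keys.get(imsi)
        if key is None:
            return None
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                    # forged, or modified in transit
        if counter <= self.last_counter.get(imsi, -1):
            return None                    # replayed envelope
        self.last_counter[imsi] = counter
        return msg_type, imsi, payload


if __name__ == "__main__":
    imsi, key = "001010123456789", bytes(range(32))  # constructed test values
    core = CoreNetwork({imsi: key})
    print(core.accept(seal(key, "SMS", imsi, 1, b"meet at 5")))
    # A detach built without the subscriber key is rejected (prints None).
    print(core.accept(seal(b"\x00" * 32, "IMSI_DETACH", imsi, 2)))
```

The tag covers the message type, the IMSI and the counter as well as the payload, so a relay can neither alter an SMS nor turn a captured envelope into a detach request.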

3.2 network attacks

With the introduction of femtocells a new scenario appears: since
attackers can deploy their own FAP, they become part of the network.
That means that attackers attack the network from inside it, so network
operators have to implement mechanisms to secure the different nodes of
the network against the other nodes inside the same network, which are
now potential attackers.

3.2.1 Getting other nodes information

As described in Chapter 2, all the HeNBs are connected to a SeGW. Since
more than one HeNB can be connected to the same SeGW, the information
of all those femtocells can be compromised if one of them is an
attacker. If the HeNB presents a web interface from which it sends the
information to the MCN, the attack just consists of getting the
information from that web interface. That can be done by anyone on the
same SeGW. If the web interface is not available, that information can
also be collected by getting access to the FAP (described in the next
subsection). If this attack is performed, the information that can be
collected is: HeNB IMEI and IMSI, phone number and status of the UEs,
and neighbor macrocell list.

In order to fight against this information leakage, the best option is
to disable the web interface of the HeNB, which adds complexity to the
attack. Since the information will not be sent, it has to be securely
stored in the HeNB. Further work is needed to design a mechanism that
ensures the security of this information even if an attacker were able
to access the FAP.

3.2.2 Remotely controlling a HeNB

The backhaul connection of the femtocell access point is made through
the Internet, which means that the existing vulnerabilities of devices
connected to this network can also apply to the FAP. The authors of [6]
found a way of gaining root access to a FAP by exploring
vulnerabilities in the methods of its HTTP web server. This particular
case is already registered and known by the community, but many other
methods can be tried, and maybe successfully used for the same purpose.
The remote access was gained from another HeNB connected to the same
SeGW as the target victim. By gaining remote control of a HeNB,
attackers can create a network of misbehaving femtocells; this
increases the impact of all the attacks described in this chapter and
allows the introduction of new threats like the location tracking
introduced in Chapter 4.

The threat presented is based on the vulnerability registered as
CVE-2011-2900, which was introduced two years ago. Nowadays mitigation
techniques for this particular vulnerability are available. Software
tools using HTTP, such as browsers, have introduced these solutions,
and mobile network operators have introduced them as well. These
solutions remain closed, but they ensure that this issue has been
solved. This counters this particular threat, but if a new threat
appears security might be compromised again.

3.2.3 Breaking operators' infrastructure

Taking into account the attacks previously presented, a signaling
packet flood can easily be performed. A misbehaving HeNB can overload
the network by sending fake signaling messages such as Location Update
Request, which only requires knowledge of the IMSI of the UE. By using
a single femtocell the attacker has the advantage that the source of
the signaling can change between all the UEs joined to the same HeNB.
This allows bypassing the traffic control done by the network to
mitigate this kind of attack coming from a single UE. Furthermore, if
the attacker has a HeNB network under its control, as explained before,
the impact of the overloading results in a DoS attack on the whole
network. A huge flood bypasses the restrictions and congests the mobile
network, which cannot handle all the requests.

Flooding attacks are normally detected by monitoring the network
traffic and detecting the source of a large number of packets; once the
node is detected it is banned from the network. As described, the main
problem of this attack is its capacity to avoid this detection by
generating low amounts of traffic from a large number of remotely
accessed nodes. Once the previously described attack, remotely
controlling a HeNB, is mitigated, the current threat will be easily
defeated.
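
The detection problem described above can be seen by counting the same signaling records at three levels: per IMSI, per HeNB and network-wide. This is an added example, not part of the report; the record format, the limits and the assumption that the core can attribute each message to the HeNB it arrived through are illustrative, and all records are constructed.

```python
from collections import Counter

LUR = "LocationUpdateRequest"


def make_sample_events():
    """Constructed records (second, henb_id, imsi, message); not captured traffic."""
    events = []
    # Window 0 (seconds 0-59)
    for u in range(4):                       # henb-A: ordinary cell, one request per UE
        events.append((10 + u, "henb-A", f"imsi-A{u}", LUR))
    for n in range(32):                      # henb-B: rotates the source over 8 IMSIs
        events.append((n, "henb-B", f"imsi-B{n % 8}", LUR))
    for n in range(7):                       # henb-C: a single noisy UE
        events.append((20 + n, "henb-C", "imsi-C0", LUR))
    # Window 1 (seconds 60-119): ten cells, each one individually quiet
    for h in range(10):
        for n in range(15):
            events.append((60 + n, f"henb-D{h}", f"imsi-D{h}-{n % 5}", LUR))
    return events


def detect(events, window=60, imsi_limit=5, henb_limit=20, network_limit=100):
    """Count one message type per time window at three aggregation levels.

    Returns {window_index: {"imsi": set, "henb": set, "network": bool}}.
    The limits are placeholders; real ones would come from a measured baseline.
    """
    per_imsi, per_henb, per_net = Counter(), Counter(), Counter()
    for second, henb, imsi, message in events:
        if message != LUR:
            continue
        w = second // window
        per_imsi[(w, imsi)] += 1
        per_henb[(w, henb)] += 1
        per_net[w] += 1
    report = {}
    for w in sorted(per_net):
        report[w] = {
            # Classic per-subscriber control: catches only the single noisy UE.
            "imsi": {i for (wi, i), c in per_imsi.items() if wi == w and c > imsi_limit},
            # Per-cell control: catches the HeNB that rotates IMSIs.
            "henb": {h for (wh, h), c in per_henb.items() if wh == w and c > henb_limit},
            # Aggregate control: the only level that sees many quiet cells at once.
            "network": per_net[w] > network_limit,
        }
    return report


if __name__ == "__main__":
    for w, flags in detect(make_sample_events()).items():
        print(w, flags)
```

In window 0 the per-IMSI limit flags only the noisy UE while the per-HeNB limit flags the cell rotating IMSIs; in window 1 neither fires and only the network-wide count shows the overload.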
Part II

PROPOSED METHODOLOGIES

With the background given in the previous part, in this second step
the proposed methodologies are presented. Three main interests are
addressed in this part. Firstly, a new possible attack is presented.
This attack discloses the location of a targeted UE; a mitigation
technique is also proposed in Chapter 4. Regarding the anonymity attack
previously presented, a novel multi-hop algorithm is implemented in the
femtocell network. In Chapter 5 the algorithm is described, and
simulation results in a software environment are provided and analyzed.
In Chapter 6 an implementation of the graph coloring resource
allocation algorithm is made and explained. A small modification is
introduced to the already existing method; this modification allows a
more optimal resource allocation. In Chapter 7 the conclusions of the
work are given and further work is also proposed.
4 USER ENVIRONMENT LOCATION PRIVACY

4.1 location disclosure
With smartphones in users' pockets, many services have appeared where
the location is used to set up the service. In previous scenarios the
user is able to decide whether or not to share his or her location with
the application, or at least is advised that the location is going to
be used. With the deployment of femtocells some services based on user
location are also proposed; in these cases the user also chooses to
turn these services on or off. This choice is not available for the
HeNB itself, since the UE does not inform the user when joining a FAP.
Since the femtocell antennas can be corrupted and the coverage area of
the HeNB is small, an attacker is able to know who is connected to the
femtocell and furthermore get the UE location with an accuracy of 20 to
30 meters.

Figure 8: Tracking threat. Panels: (a) Femtocells Realistic Scenario,
(b) Remotely Corrupted HeNB, (c) Notifications Sending, (d) Path
recovery. Markers T1 to T4 appear in the figure.

In Figure 8 a real-scale scenario is presented. Each hexagon represents
a randomly deployed HeNB inside a building. It can be seen that the
location is accurate enough, for example, to distinguish which shop the
victim has entered. This location disclosure can occur by an attacker
deploying a rogue FAP, or gaining access to one. But more interesting
information for the attackers is not only the location but also the
path followed by a targeted user.
As described in [6], an attacker is able to remotely control a group of
HeNBs. This gives the chance to get a notification each time a targeted
UE joins one of the misbehaving femtocells. With this information the
attacker is able to recover a potential path followed by the user. Not
only the location is disclosed but also the joining time, which allows
the attacker to know the order in which the victim visited those
places.

This threat is a novel proposal made in this work. As can be seen, it
represents a huge privacy leakage and needs to be mitigated. An
approach for reducing the impact of possible tracking is presented in
the next section.

4.2 tracking notification algorithm

Figure 9: Tracking detection process flow chart

The main objective of this proposal is to mitigate the location
disclosure attack already explained. The aim of this approach is to
inform the user that the device might be under a location tracking
threat.

A traffic monitoring device on the backhaul connection is needed to
analyze the packet flow between the device and the Internet. The
analysis of the traffic has to be done by the HeNB at the same time as
it is processing new joining requests and all the data transfers. Since
the number of users in a femtocell is typically between 1 and 16, this
increase in computational operations can be afforded by the HeNB.
In Figure 9 the algorithm block diagram is presented. Once the handover
process is over, by monitoring the backhaul interface the FAP can
decide whether the user should join again. If, after the user re-joins,
the same kind of packets appear on the backhaul link, a pop-up message
appears on the user's device advising that its location might be
compromised. An application like the one proposed by iSEC Partners [4],
which attempts to refuse femtocell connections, can be run after that
notification appears.

The information correlation operation is the key point of the
algorithm. A learning function is needed to follow the evolution of the
attackers' threats. Updates with the known threats have to be delivered
through the backhaul connection. Sharing new possible threats with the
network in order to identify them is also mandatory. Improving this
block of the algorithm with all these features remains a challenge for
future work.
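
One way to express the decision flow of Figure 9 in code, as an added example that is not the report's implementation. It assumes that legitimate backhaul traffic only goes to the operator's SeGW address and that a packet's destination, protocol and size bucket stand in for its "kind"; the function names, the addresses and the 2 s window are hypothetical.

```python
# Constructed backhaul records: (time_s, dst_ip, protocol, size_bytes).
OPERATOR_DSTS = {"192.0.2.10"}               # assumed SeGW address (documentation range)
SAMPLE_PACKETS = [
    (100.1, "192.0.2.10", "esp", 180),       # tunnel traffic after a join at t=100
    (100.3, "203.0.113.7", "udp", 96),       # unexpected flow right after the join
    (130.0, "192.0.2.10", "esp", 1200),
    (160.2, "203.0.113.7", "udp", 100),      # same kind of flow after the re-join at t=160
    (300.5, "192.0.2.10", "esp", 200),       # another UE joins at t=300: tunnel only
    (400.4, "198.51.100.9", "tcp", 60),      # one-off flow after a join at t=400
]


def join_signature(join_time, packets, operator_dsts, window):
    """Kinds of flow seen just after a join that do not go to the operator."""
    return {
        (dst, proto, size // 64)             # bucket sizes so small variations still match
        for t, dst, proto, size in packets
        if join_time <= t < join_time + window and dst not in operator_dsts
    }


def assess(join_times, packets, operator_dsts, window=2.0):
    """Decision for one UE: 'no-action', 'request-rejoin' or 'notify-user'.

    join_times holds the first join of the UE followed by any re-joins.
    """
    if not join_times:
        return "no-action"
    first = join_signature(join_times[0], packets, operator_dsts, window)
    if not first:
        return "no-action"                   # nothing unexpected followed the join
    if len(join_times) == 1:
        return "request-rejoin"              # suspicious once: make the UE join again
    repeated = first
    for t in join_times[1:]:
        repeated = repeated & join_signature(t, packets, operator_dsts, window)
    # Only a flow that follows every join is treated as a join notification.
    return "notify-user" if repeated else "no-action"


if __name__ == "__main__":
    print(assess([100.0], SAMPLE_PACKETS, OPERATOR_DSTS))
    print(assess([100.0, 160.0], SAMPLE_PACKETS, OPERATOR_DSTS))
```

Requiring the flow to repeat after the forced re-join is what separates a join-triggered notification from unrelated traffic that happened to coincide with the first join.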
5 USER ANONYMITY

5.1 multi hops algorithm

To provide privacy to the sender, this algorithm ensures that each
packet sent is scheduled to travel between users of the same femtocell
before going out to the Internet. These operations are made totally at
random; the FAP is in charge of calculating the next destination node
by using a random function. In Listing 1 a pseudo-code approach for
developing this algorithm is proposed. There is no need for any extra
hardware to run this algorithm.

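# Define Tmax
# Define Tmin
Tstamp = rand(Tmin, Tmax);        // time budget drawn at random by the sender
while (Tstamp > 0) {              // keep relaying while budget remains
    list[] = Listing all users;   // users currently connected to the FAP
    i = rand(0, length(list));    // FAP picks the next hop at random
    Send packet to list[i];
    wait(Same packet Rx);         // the user sends the packet back to the FAP
    Refresh Tstamp;               // update the remaining time budget
}
Send packet to Internet;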

Listing 1: MhA pseudo-code

The Tstamp value has to be generated at random by the sender within the
bounds fixed by Tmax and Tmin. These parameters are defined as the
maximum and minimum timestamp values, and they vary according to the
packet type and the network performance. Possible values are given in
the next section through simulation results. The FAP is responsible for
the synchronization of all users and for listing the available users
connected to the femtocell. This undisclosed table is stored in the
FAP. Other users in the network only have to send the packets back to
the FAP so that it can go on with the algorithm.
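
An added, runnable version of Listing 1 that also collects the two metrics used in the next section, reflections per packet and time spent in the femtocell. It is not the NetSim model: the per-hop round trip of 2 to 6 ms and all function names are assumptions, so the numbers it produces are not comparable with the report's tables.

```python
import random
import statistics


def relay_packet(users, t_min, t_max, rng, hop_rtt=(2.0, 6.0)):
    """Relay one packet as in Listing 1; return (reflections, ms_in_cell, path)."""
    t_stamp = rng.uniform(t_min, t_max)      # budget drawn by the sender
    elapsed, path = 0.0, []
    while t_stamp > 0:
        nxt = rng.choice(users)              # FAP picks the next hop from its user table
        rtt = rng.uniform(*hop_rtt)          # assumed FAP -> user -> FAP round trip
        path.append(nxt)
        elapsed += rtt
        t_stamp -= rtt                       # "Refresh Tstamp"
    # The last hop may overshoot the budget by at most one round trip.
    return len(path), elapsed, path


def simulate(t_min, t_max, n_packets=2000, n_users=15, seed=1):
    """Summary statistics over many packets for one Tstamp range."""
    # Seeded PRNG for a reproducible run. In a deployed FAP the hop choice
    # should come from a CSPRNG (random.SystemRandom), because a predictable
    # sequence would let an observer reconstruct the path.
    rng = random.Random(seed)
    users = [f"ue-{i}" for i in range(n_users)]
    runs = [relay_packet(users, t_min, t_max, rng) for _ in range(n_packets)]
    hops = [h for h, _, _ in runs]
    delays = sorted(d for _, d, _ in runs)
    return {
        "mean_hops": statistics.mean(hops),
        "min_hops": min(hops),
        "mean_delay_ms": statistics.mean(delays),
        "p90_delay_ms": delays[int(0.9 * len(delays))],
        "max_delay_ms": delays[-1],
    }


def fits_voice_budget(stats, internet_ms=200.0, budget_ms=400.0):
    """Check the 90th percentile against the delay figures quoted in Section 5.2.1."""
    return stats["p90_delay_ms"] + internet_ms < budget_ms


if __name__ == "__main__":
    for bounds in ((10, 30), (10, 60)):
        stats = simulate(*bounds)
        print(bounds, stats, fits_voice_budget(stats))
```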

5.2 simulation

NetSim™ v.7 (see footnote 1) is the software tool used to evaluate the
performance of the proposed algorithm. All the configuration parameters
described below can be modified with this software. For performance
evaluation, the average number of reflections per packet and the
average time spent in the femtocell are measured for different Tstamp
values. At the end of this section a discussion of the results is
provided.

Footnote 1: Registered trademark; stochastic discrete event simulator
developed by Tetcos in collaboration with the Indian Institute of
Science.

5.2.1 Scenario Setup

A.) Network Parameters: Only one femtocell is considered for the
simulation. The Alcatel-Lucent 9361 Home Cell v2 is used as the model
for the FAP. The femtocell includes 15 users inside its coverage
radius, which is 25 meters. During the simulation period all users
remain inside the femtocell, since when staying at home or at the
office users do not move out for long periods. GSM is proposed as the
cellular standard protocol. No indoor path-loss model is proposed,
since in real-time traffic a packet retransmission might not be
feasible. A summary of the simulation parameters is presented in
Table 2.

Network parameters
  Cellular protocol              GSM
  Number of users                15

Mobility parameters
  Restricted in HeNB coverage    25 m
  User speed                     0.5 m/s

Demand generation parameters
  Voice packet size              300 bytes
  Voice packet generation        20 ms
  Voice data rate                13.3 kbps
  Underlying data rate           270 kbps
  Ongoing calls                  4

Transmission parameters
  Listening bands                1900 MHz, 850 MHz

Table 2: Simulation Parameters Summary

B.) Packet Transmission: Channels are created by distributing all the
available bandwidth into slots of the same width. In order to reduce
the delay due to channel set-up, a channel preallocation method is
used. The FAP is therefore in charge of assigning a channel to each
user beforehand.
C.) Time Stamp Ranges: According to the literature, a phone call can
tolerate a delay of up to 400 ms. As presented in [9], the average time
for a packet to travel through the Internet is 200 ms. Since the packet
has to travel through the MCN, some guard time should be kept. With
these considerations, two different time stamp ranges are proposed and
simulated. First Tstamp is randomly selected between 10 and 30
milliseconds; then an extended range of up to 60 milliseconds is used.

5.2.2 Results

Simulation results are presented in this section. Table 3 and Table 4
show the direct results obtained from the simulations. Probability
density functions (p.d.f.) are plotted in Figure 10 and Figure 11. Sim1
and Sim2 refer to the Tstamp=(10,30) and Tstamp=(10,60) simulations
respectively.

           Tstamp=[10,30]   Tstamp=[10,60]
Records    8919             6067
Mean       4.0189           7.6949
Std Dev    2.3289           5.2575
Min.       1                1
Max.       13               26
Median     4                7

Table 3: Number of reflections

The mean number of reflections is 4 in Sim1 and 7 in Sim2. This means
that by doubling the Tstamp we achieve a little less than double the
number of reflections. Furthermore, in Figure 10 it can be seen that
the probability density function of Sim2 is flatter, which means that
the number of reflections is more random than in Sim1.

Figure 10: MhA Number of Reflections p.d.f

In Figure 10 it can be seen that for Sim1 the probability of having
more than 5 reflections decreases very fast, while for Sim2 the
probability decreases gently, giving higher values for more than 8
reflections. As expected, in terms of number of reflections the best
choice is the largest range of Tstamp values. Further work is needed to
find out the number of hops needed to ensure that an attacker cannot
point out the sending user.

           Tstamp=[10,30]   Tstamp=[10,60]
Records    8919             6067
Mean       12.9382          22.8935
Std Dev    5.9170           13.7755
Min.       0.5200           0.5400
Max.       28.1800          57.2900
Median     12.3800          20.3100

Table 4: Time inside the HeNB

By observing the mean it is clear that by doubling the Tstamp range we
are not doubling the time inside the femtocell. Figure 11 shows
graphically that the probability of getting low delays in Sim2 is not
so far from that obtained in Sim1. If we analyse the delay obtained in
Sim2, it can be calculated that in 90% of the cases a delay under
43.7 ms is introduced. This delay could be afforded by the proposed
network architecture.

Figure 11: MhA Introduced Delay p.d.f

By using the largest Tstamp range, the average time for the packet
transmission will be lower than 260 ms in the worst delay case. This
gives us a guard time of 400 ms − 260 ms = 140 ms, which seems to be
enough for voice data transmission. With the obtained results it can be
concluded that the largest Tstamp range is the better choice. Moreover,
the algorithm becomes more robust if the delay is increased, but the
relation is not linear, since the robustness rises faster.
6 RESOURCE ALLOCATION

Presented by Que Zang et al. in [14], this novel resource allocation
algorithm is based on graph coloring techniques. In this chapter the
algorithm is explained and implemented; moreover, an improvement is
made to enhance its performance. Since the number of resources might be
preallocated or not large enough, the algorithm proposed here takes
into account the interference level in order to make the nodes with the
lowest interference share the same resource.

6.1 graph formation

This is the first of three steps for allocating the resources. The network
has to find out the identity of the nodes which are interfering to other
nodes. To do that each node in the network must have a node unique
identifier.
Then each HeNB has to calculate the interference, to do it the collab-
oration of the UE connected to each HeNB is needed. UE are going
to calculate the power of the signal received from its serving base sta-
tion (RSRPi ). In [14] only one UE per HeNB is assumed, in this work
more UEs can be sensing the interference. The HeNB has to collect
all the information and create a list of where the id of the interfering
HeNB is mapped to the maximum value of that interference reported
by the UEs. The UE consider interference if the received signal from
the j-HeNB (RSRPj ) is a certain threshold (Ith ) greater than the received
signal from the HeNB which it is connected (RSRPi ). This is calculated
as shown in Equation 1 and only if the interference is grater than the
threshold it will be sent as interference to the HeNB.
RSRPi − RSRPj = Iij < Ith (1)
Once the HeNB has collected the interference, the list has to be shared with all the neighbors, who will also send their own lists. With this information and the mapping between id and node number, provided from the backhaul network by the operator, each HeNB is able to generate the matrix shown in Equation 2. This is an n-dimensional square matrix, where n is the number of nodes inside the same eNB coverage area. Each position Iij represents the interference between node i and node j; for that reason the matrix diagonal is 0, since Iii = 0.

$$
Links = \begin{pmatrix}
I_{1,1} & I_{1,2} & \cdots & I_{1,n} \\
I_{2,1} & I_{2,2} & \cdots & I_{2,n} \\
\vdots & \vdots & \ddots & \vdots \\
I_{n,1} & I_{n,2} & \cdots & I_{n,n}
\end{pmatrix} \tag{2}
$$


Another property of the Links matrix is its symmetry: the value of interference for each pair of positions (ij, ji) is chosen following the expression max[Iij, Iji]. This is done to ease the calculations: since we want to reduce the interference by allocating different resources to adjacent nodes, it does not matter whether the interference comes from one direction or from both.
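The graph formation step described in this section, as an added Python example that is not part of the original report: each HeNB keeps, per interfering id, the maximum Iij its UEs report under Equation 1, and the shared lists are merged into the symmetric, zero-diagonal Links matrix. The HeNB ids, the RSRP values, the 10 dB threshold and the rejection of non-positive Iij (which the matrix could not tell apart from "no link") are assumptions made for the example.

```python
# Added example (not from the report): Section 6.1 graph formation.
I_TH = 10.0  # dB; assumed value for the threshold I_th

# Constructed sample: per HeNB id, one (serving RSRP, {neighbour id: RSRP})
# tuple per attached UE, all values in dBm.
REPORTS = {
    "A1": [(-80.0, {"B7": -86.0, "C3": -95.0}), (-78.0, {"B7": -81.0})],
    "B7": [(-75.0, {"A1": -83.0, "C3": -79.0})],
    "C3": [(-82.0, {"B7": -91.0}), (-84.0, {"A1": -102.0})],
}
# id -> node number mapping, supplied by the operator over the backhaul
# (0-based here; the report numbers nodes from 1).
ID_TO_NODE = {"A1": 0, "B7": 1, "C3": 2}


def henb_list(ue_reports, i_th=I_TH):
    """Interference list of one HeNB: interferer id -> max reported I_ij."""
    out = {}
    for rsrp_i, neighbours in ue_reports:
        for j, rsrp_j in neighbours.items():
            i_ij = rsrp_i - rsrp_j              # Equation 1
            if i_ij >= i_th:
                continue                        # condition I_ij < I_th not met
            if i_ij <= 0:
                # Assumption: 0 encodes "no link" in Links, so a
                # non-positive value cannot be stored as a link.
                raise ValueError(f"I_ij={i_ij} dB towards {j} is not positive")
            out[j] = max(out.get(j, i_ij), i_ij)
    return out


def links_matrix(lists, id_to_node):
    """Merge the shared lists into the symmetric Links matrix (Equation 2)."""
    n = len(id_to_node)
    links = [[0.0] * n for _ in range(n)]
    for i_id, interferers in lists.items():
        i = id_to_node[i_id]
        for j_id, i_ij in interferers.items():
            j = id_to_node[j_id]
            # Positions (i, j) and (j, i) both hold max[I_ij, I_ji].
            links[i][j] = links[j][i] = max(links[i][j], i_ij)
    return links


def build_links():
    """Run both steps on the constructed sample reports."""
    lists = {henb: henb_list(ues) for henb, ues in REPORTS.items()}
    return links_matrix(lists, ID_TO_NODE)
```

For the constructed reports, A1 and B7 report 6 dB and 8 dB about each other, so their shared entry is 8, and the A1/C3 pair stays at 0 because neither side's report passes the threshold.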

6.2 graph coloring

The second step of the resource allocation is the core and the main difference of the algorithm. A brief introduction to graph coloring techniques is given below.
Graph Coloring: These algorithms are used to color a graph (G) so that linked vertices of the graph are not painted with the same color; this is also known as proper vertex coloring. The number of colors needed depends on each graph; the minimum number of colors for a graph is known as its chromatic number (χ(G)).
The graph coloring problem has two main phases. First we have to determine the chromatic number, which minimizes the number of colors used for coloring. This number will be referenced as k. Once we know that G is k-colorable, we have to implement the graph colorization.

For resource allocation a sequential graph coloring is used. For that kind of coloring it is essential that the nodes are enumerated and that all nodes have the same color selection sequence. Another consideration is introduced here: the number of resources (nres) might be set by the network administrator, the carrier. Moreover, if nres < k, an interference-level-based factor will be introduced for coloring the graph. When the algorithm leads node i to the nres + 1 color in its color sequence, node i will be painted in the same color as the least interfering node which is already colored.

6.3 algorithm implementation


Matlab is used as a tool for implementing and evaluating the proposed algorithm. Matlab R2013a (8.1.0.604) for Mac is the version used. Two functions are implemented. The first one, colorize, is the sequential coloring algorithm itself, which has been described in the previous section.
The second function is chromnum, which is in charge of finding the chromatic number for a given G, which means minimizing the number of colors used for coloring the graph. Both functions are described below, then the results are presented and evaluated.

6.3.1 Coloring Algorithm

The colorize function implements the code for the described algorithm.

This function takes the matrix of connections between the nodes, M, which is as described in Equation 2. The other input is the number of available colors (numcol), or in other words the number of resources available in the network. The output is a vector named painted containing in each position (i) the color assigned to node i.
Notice that this function always uses the minimum number of colors: for example, if the user assigns 4 colors but the algorithm never reaches the 4th color, it will not be used. On the other hand, the number of colors used might not be χ(G); optimization techniques need to be implemented to obtain the minimum value.
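function painted = colorize(M, numcol)
% COLORIZE Sequential graph coloring with an interference-based fallback.
%   M      - Links matrix (Equation 2); M(i,j) > 0 marks a link.
%   numcol - number of available colors (resources).
numnod = length(M(:,1));
painted = NaN(1, numnod);              % NaN = node not colored yet
if (numcol == 1)
    painted = zeros(1, numnod);        % single resource: nothing to choose
else
    for ni = 1:numnod
        links = M(ni, :);
        alinks = links > 0;            % neighbors of node ni
        c = 1;
        % Advance to the first color not used by a colored neighbor.
        while (~isempty(find(painted(alinks) == c)) ...
                && c <= numcol)
            c = c + 1;
        end
        if (c > numcol)
            % No free color left: reuse the color of the already colored
            % neighbor with the largest link value (least interfering).
            links(~links) = nan;       % ignore non-neighbors
            [~, y] = max(links);
            c = painted(y);
            while (isnan(c))           % that neighbor is not colored yet
                links(y) = 0;
                [~, y] = max(links);
                c = painted(y);
            end
        end
        painted(ni) = c;
    end
end
end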

Listing 2: Colorizing Function Matlab Code

6.3.2 Coloring Optimization

In order to minimize the number of resources used, the coloring algorithm has to use the minimum number of colors. The function chromnum implements a basic minimization technique, which consists of running the colorization using different nodes of the graph as the starting point. Since the algorithm used is sequential coloring, this technique is able to reduce the number of colors to the minimum required.

The Links (L) matrix is required as input, and the output of this function is a vector [node, k] where k is the minimum number of colors required. The node from which the colorization should start is stored in node.

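function [node, k] = chromnum(L)
% CHROMNUM Try every node as starting point and keep the best coloring.
%   L    - Links matrix (Equation 2).
%   node - starting node that gives the fewest colors.
%   k    - that number of colors.
n = length(L(:,1));
paint = zeros(1, n);
i = 1;
while (i <= n)
    paint(i) = max(colorize(L, 8));    % colors used with up to 8 available
    i = i + 1;
    % Rotate columns and rows so that the next node becomes the first one.
    L = [L(:,2:end) L(:,1:1)];
    L = [L(2:end,:); L(1:1,:)];
end
[k, node] = min(paint);
end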

Listing 3: Minimization Function Matlab Code

The key point of this function is to swap the order of the columns and rows of the Links matrix so that the next coloring starts from the next node. The transformation needed when we want to start the colorization from node i can be seen in Equation 3. As presented, node i is now the first node, in terms of rows and columns.

$$
\begin{pmatrix}
I_{1,1} & \cdots & I_{1,i} & \cdots & I_{1,n} \\
I_{2,1} & \cdots & I_{2,i} & \cdots & I_{2,n} \\
\vdots & \ddots & \vdots & \ddots & \vdots \\
I_{i,1} & \cdots & I_{i,i} & \cdots & I_{i,n} \\
\vdots & \ddots & \vdots & \ddots & \vdots \\
I_{n,1} & \cdots & I_{n,i} & \cdots & I_{n,n}
\end{pmatrix}
\Rightarrow
\begin{pmatrix}
I_{i,i} & \cdots & I_{i,n} & \cdots & I_{i,i-1} \\
I_{i+1,i} & \cdots & I_{i+1,n} & \cdots & I_{i+1,i-1} \\
\vdots & \ddots & \vdots & \ddots & \vdots \\
I_{1,i} & \cdots & I_{1,n} & \cdots & I_{1,i-1} \\
\vdots & \ddots & \vdots & \ddots & \vdots \\
I_{i-1,i} & \cdots & I_{i-1,n} & \cdots & I_{i-1,i-1}
\end{pmatrix} \tag{3}
$$

6.3.3 Results Evaluation

To evaluate the performance of the algorithm, it has been executed in Matlab. A GUI has been created to make the creation of the Links matrix more user-friendly. Since Matlab is only a mathematical tool and not a transmission simulator, the distance between each pair of interfering nodes is used instead of the interference value given in Equation 1. This gives a good approximation, since the interference caused depends directly on the distance between nodes.
A simple example of a possible scenario for the algorithm is given below; the different steps can be seen in Figure 12.

Equation 4 is the Links matrix resulting from the topology drawn in Figure 12a. As expected, the matrix is symmetric and has a zero diagonal, and different distance values are shown in it.

$$
Links = \begin{pmatrix}
0.00 & 6.88 & 0.00 & 0.00 & 7.28 & 0.00 \\
6.88 & 0.00 & 0.00 & 0.00 & 6.20 & 0.00 \\
0.00 & 0.00 & 0.00 & 11.52 & 5.74 & 7.86 \\
0.00 & 0.00 & 11.52 & 0.00 & 0.00 & 12.23 \\
7.28 & 6.20 & 5.74 & 0.00 & 0.00 & 5.99 \\
0.00 & 0.00 & 7.86 & 12.23 & 5.99 & 0.00
\end{pmatrix} \tag{4}
$$

First the coloring function is run using 3 colors as the maximum number of resources available. The result is shown in Figure 12b: as the routine has started from node 1, when it reaches the last node no more colors are available. That makes node 6 share a resource with the furthest node, in this case node 4 (d46 = 12.23). As a result of this simulation the network might add another resource in order to totally avoid interference.

Once the minimization function is applied, the result obtained is shown in Figure 12c. In this case the same three colors as before are used, but by starting from a different node no interfering nodes have to share a resource.

Figure 12: Graph coloring example. (a) Uncolored interference graph; (b) Non-optimal coloring, 3 resources; (c) Coloring by optimization function.


CONCLUSIONS
7
Femtocells are the solution adopted by network operators to handle throughput and coverage requirements. Only two years back the standardization of these devices was introduced; since then the market has grown fast, but many issues are still open. Femtocells bring the end user the opportunity to be a part of the main network, which really challenges the operators, who are in charge of ensuring that these users are not able to corrupt the entire network. This brings the mobile network to a scenario similar to that of the internet, where operators have to update their security systems very often in order to keep attackers out. This is a huge disadvantage in terms of user security and new potential attacks, but on the other hand many solutions already exist; adapting them to femtocells is what is needed nowadays.

Regarding this adaptation process, in this work the multi-hop concept is introduced in the femtocell network. This provides anonymity against external sniffing from the HeNB. The evaluation shows low delay values, affordable for the network. Further work is needed to test the technique in a real network to check the performance.
The location disclosure presented in this work is a clear example of how new security threats will appear frequently in the femtocell network. The description of the attack and a possible approach for mitigating it have been given in this document. New techniques for avoiding these kinds of attacks, instead of just notifying about them, need to be created in future work.

Femtocells are the fruit of several years of work; complex techniques are applied to achieve the objectives in terms of interference management and frequency reuse. The set of techniques is large and some of them are only in their first versions. The current work has improved one of these resource allocation techniques, enhancing the performance of the current algorithm. The implementation of this new improvement in a real network has to be done in order to complete the deployment phase.

Femtocells are the future, although some voices in the community are against them because of all the security problems. This work attempted to demonstrate a few solutions for identified security threats. Users need to be aware of the vulnerabilities, and the research community is responsible for changing this fact.

BIBLIOGRAPHY

[1] 3rd Generation Partnership Project. TR 23.830, Technical specification group services and system aspects; architecture aspects of Home NodeB and Home eNodeB. Technical report, 3GPP, 2009.

[2] 3rd Generation Partnership Project. TR 33.820 v8.3.0, Technical specification group service and system aspects; security of H(e)NB. Technical report, 3GPP, 2009.

[3] Zubin Bharucha. Femto-to-macro control channel interference mitigation via cell ID manipulation in LTE. Vehicular Technology Conference (VTC Fall), 2011.

[4] Doug DePerry, Tom Ritter, and Andrew Rahimi. Traffic interception and remote mobile phone cloning with a compromised CDMA femtocell. Black Hat Conference, 2013. https://www.isecpartners.com/blog/2013/august/femtocell-presentation-slides-videos-and-app.aspx.

[5] The Small Cell Forum. Small Cell Market Status. Informa Telecoms and Media Editor, 2013.

[6] Nico Golde, Kévin Redon, and Ravishankar Borgaonkar. Weaponizing femtocells: The effect of rogue devices on mobile telecommunication. 19th Annual Network and Distributed System Security Symposium, 2012.

[7] David Malone, Darren F. Kavanagh, and Niall R. Murphy. Rogue femtocell owners: How Mallory can monitor my devices. The 5th IEEE International Traffic Monitoring and Analysis Workshop, 2013.

[8] Hanaa Marshoud, Hadi Otrok, Hassan Barada, and Zbigniew Dziong Rebeca Estrada. Genetic Algorithm Based Resource Allocation and Interference Mitigation for OFDMA Macrocell-Femtocells Networks. IFIP WMNC, 2013.

[9] Ayaskant Rath and Shivendra Panwar. Fast handover in cellular networks with femtocells. International Conference on Communications (ICC), 2012.

[10] Nazmus Saquib, Ekram Hossain, Long Bao Le, and Dong In Kim. Interference management in OFDMA femtocell networks: Issues and approaches. Wireless Communications, IEEE (Volume: 19, Issue: 3), 2012.

[11] Takeshi Terayama, Hidehiko Ohyane, Goichi Sato, and Takuya Takimoto. Femtocell technologies for providing new services at home. NTT DOCOMO Technical Journal Vol. 11 No. 4, 2011.

[12] A. Tyrrell, F. Zdarsky, E. Mino, and M. Lopez. Use cases, enablers and requirements for evolved femtocells. 73rd Vehicular Technology Conference (VTC Spring), pages 1–5, 2011.

[13] Marcus Wong. Femtocells: Secure Communication and Networking. River Publishers, 2014.

[14] Qian Zhang, Xinning Zhu, Leijia Wu, and Kumbesan Sandrasegaran. A coloring-based resource allocation for OFDMA femtocell networks. Wireless Communications and Networking Conference (WCNC), 2013.
