Professional Documents
Culture Documents
Marc Del Valle - Femtocells - A Description and New Security Approaches PDF
Marc Del Valle - Femtocells - A Description and New Security Approaches PDF
Marc Del Valle - Femtocells - A Description and New Security Approaches PDF
FEMTOCELLS
A description and new security approaches
By
M A R C D E L VA L L E - O R T I Z G U A R D I À
SCHOOL OF COMPUTING
Shanmugha
Arts, Science, Technology & Research Academy
(SASTRA University)
(A University Established under section 3 of the UGC Act, 1956)
Tirumalaisamudram
Thanjavur - 613401
January 2014
Marc del Valle-Ortiz Guardià: Femtocells, A description and new security
approaches,
c January 2014
Shanmugha
Arts, Science, Technology & Research Academy
(SASTRA University)
(A University Established under section 3 of the UGC Act, 1956)
Tirumalaisamudram
Thanjavur - 613401
SCHOOL OF COMPUTING
B O N A F I D E C E R T I F I C AT E
This is to certify that the Project entitled
Femtocells, A description and new security approaches
is a work done by
Marc del Valle-Ortiz Guardià
iv
ACKNOWLEDGEMENTS
And finally huge thanks to my family, friends and girlfriend for their
constant support and their unconditional cheers.
v
The difficulty lies not so much in developing new ideas as in escaping from old ones.
— John Maynard Keynes
CONTENTS
ii proposed methodologies 21
4 user environment location privacy 22
4.1 Location Disclosure . . . . . . . . . . . . . . . . . . . . . . . 22
4.2 Tracking Notification Algorithm . . . . . . . . . . . . . . . 23
5 user anonymity 25
5.1 Multi hops Algorithm . . . . . . . . . . . . . . . . . . . . . 25
5.2 SImulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
5.2.1 Scenario Setup . . . . . . . . . . . . . . . . . . . . . 26
5.2.2 Results . . . . . . . . . . . . . . . . . . . . . . . . . . 27
6 resource allocation 29
vii
6.1Graph Formation . . . . . . . . . . . . . . . . . . . . . . . . 29
6.2Graph Coloring . . . . . . . . . . . . . . . . . . . . . . . . . 30
6.3Algorithm Implementation . . . . . . . . . . . . . . . . . . 30
6.3.1 Coloring Algorithm . . . . . . . . . . . . . . . . . . 30
6.3.2 Coloring Optimization . . . . . . . . . . . . . . . . . 31
6.3.3 Results Evaluation . . . . . . . . . . . . . . . . . . . 32
7 conclusions 34
bibliography 35
LIST OF FIGURES
L I S T O F TA B L E S
LISTINGS
viii
ACRONYMS
GA Genetic Algorithm
UE User Environment
GW Gateway
ix
Part I
G E N E R A L S U RV E Y O N F E M T O C E L L S
The techniques used in the mobile cellular network have evolved quite
fast since their creation, nowadays the 4th generation is starting to get in
every user around the world, and the research community is working on
the 5th generation. This evolution started when changing from analog
to digital transmission from 1G to 2G. From 2G to 3G the change was the
start of using spread-spectrum based communications, which improved
the voice capacity. Many improvements had been done on this 3G to
improve the data caring in this technique, but this improvements has
not ben considered as a new generation.
The jump from the 3G to 4G not only changed the techniques used
for the transmission, moreover it attempt to change the network deploy-
ment. Traditionally the deployment of the eNB is done by the service
provider companies engineers who configure the network and set the
parameters for the base stations. The new approach introduce smaller
cells which can be deployed easily and adapt its parameters to the net-
work necessity. The extreme, and more recent introduced, of this small
cells are the femtocells, which are the smallest of the family. Femtocells
siblings are micro-cells and pico-cells. This reduction of the coverage area
also help to handle the increasing number of devices asking for through-
put, and to bring 5 bar coverage to all the main areas.
The 4th generation is also known as LTE and it is a middle step before
LTE-A. This step need to be done because of a need of introducing 4G
smoothly by gradually moving from 3G. Basically LTE converge all the
2
1.2 femtocells as a solution 3
LTE: IP is the protocol used for the addressing, in concrete IPv6 which the
networks operators a more simple and scalable network. This network
is composed of four parts: i) radio access (RAN), ii) backhaul, iii)core and
iv)backbone, IP protocol allows to interconnect all this parts. The downlink
transmission in the RAN uses OFDMA, this technique allow the users to
share the available bandwidth, adjusting it regarding the users demands.
Modulation
QPSK, 16QAM, 64QAM
LTE-A: This technique add some new features to the LTE. New frequency
bands are used, TV bands for example. By channel aggregation the effec-
tive bandwidth can be increased up to 100MHz.
All the generation migrations imply a high cost for the networks oper- The cost of deploying
ators. Due to the high rates that this operators are paying for installing a eNB can reach
almost 1M dollars
new antennas (eNB) they were looking for more affordable solution.
per year
Femtocells are not only introducing new features in the network layer,
also new application services appear by the deployment of femtocells.
Since the HeNB is going to detect you when arriving home, some tasks
can be automatized or notifications can be send. Some of this applica-
tions are presented in [11] but since it is a novel technology in next years
the growth of new features will be quite large.
1.3 market status 5
In 2007 Sprint launched the first consumer femtocell service, it was fo-
cused only in home deployment and it do not have a real impact in the
market until the first standardization were done, and put in the market
(2012). On 2013 most of the major mobile operators groups are offering
femtocells service, most remarkable of them are: AT&T, China Mobile,
France Telecom/Orange, Telefonica, T-Mobile/ Deutsche Telekom and
Vodafone. Some of these mobile operators reported the statistics of their
femtocell network, for example Sprint had deployed around one million
units in US. Also in US estimations regarding the AT&T status give an
approach of almost 1M units deployed by this operator. Other countries
were femtocells are starting to be deployed have more moderate num-
bers, in UK Vodafone reported about hundreds of thousands of HeNB.
The most interesting to analyze is the potential growth that this mar-
ket has. In [5] femtocell forum presents a market status and an estimated
forecast. The growth of the market is basically attributed to the small
cells deployed in the public areas, but the growth of private cells is also
quite fast. The forecast estimate a growth of 73% each year from 2012
to 2016. This growth is due to the LTE network which makes almost
mandatory the use of these small cells. The prediction also talks about
all-in-one devices which will include wi-fi access point and mobile net-
work access point, and not only allowing one generation of the mobile
techniques. Regarding this compatibility between different generations,t
in 2012 first device to include 3G and 4G was released on the market in
Japan.
The expectations are that the small cell market represent a value over
20 billion US dollars, this represent a huge amount of the market, this
creates a fierce competition between the network operators to offer more
services and more secure, which will allow them to get the maximum
number of users.
FEMTOCELL NETWORK
2
2.1 architecture
All the traffic incoming to the MCN from the different HeNB is concen-
trated in the HeNB GW. This can be translated that only one SCTP asso-
ciation is needed for the whole HeNB to join the MCN. This is a good
advantage in terms of traffic since the MCN is not flooded of SCTP asso-
ciations every time one HeNB each time it joins. That is quite common
since the FAP are allocated in users home and they are able to turn it on
at they own choice. One other great advantage is that this architecture
is really similar to the HNB (3G) architecture, which means that carriers
do not need large inversions for changing from the previous generation.
The connection
marked as S1
VPLMN HPLMN
represents in three
cases the connection
CSG
List Srv HSS done throughout
Internet
C1 (OMA DM /OTA) S6a
S1-MME MME
UE
S1 HeNB
HeNB S11
LTE-Uu GW
S1-U
S-GW
6
2.1 architecture 7
CSG
List Srv HSS
C1 (OMA DM /OTA)
S6a
S1-MME MME
UE HeNB S11
LTE-Uu
S1-U
S-GW
For this approach the HeNB-SW is introduced only in the control plane
(C-plane) of the link. With this configuration a low number of SCTP
messages is achieved since only one connection is done between the
HeNB-GW and MME. If we look to the user plane it is simplified and
as result of the HeNB suppression the points of failure are less. The
main advantage of having the control traffic centered by the HeNB-GW
is that we are able to run optimization techniques for the handover and
signaling messages of all the HeNB nodes.
VPLMN HPLMN
CSG
List Srv HSS
C1 (OMA DM /OTA)
S6a
S1-MME
HeNB MME
S1-MME
GW S11
UE HeNB
LTE-Uu
S-GW
S1-U
A control of the users joining the femtocell has to be done in this kind
of HeNB. Only the registered users might be able to join the femtocell,
this users have to be told to the service provider by the FAP owner. A
list with all the authorized users is created and stored in the MME block
(see architecture section for details), the MME is in charge of transfer-
ring and updating the data to the core of the network. When a new user
is joining the HeNB send a NAS request to the core of the network who
with the information provided by MME will make a decision. In case
the connection is rejected the standards specify that the cause of rejec-
tion must be send to the users.
In case the HeNB is deployed in public places and the owner of the
device is the operator itself, other cases appear. Operators will sign
roaming agreements in order different users can join this network com-
ing from a different carrier network. It is clear that it is also a closed
access femtocell where the list of authorized users are the ones belong-
ing to the operator clients list, and furthermore to other operators who
are in the roaming agreement.
Since users who are not permitted in the HeNB network can be in it
coverage area, this kind of policies are the ones that affect more to the
interferences, as discussed in next section.
2.3 interferences 9
This policy is in the middle way between the before explained policies.
In this femtocells a registered users list will also be created, which works
as the closed access. Furthermore also non registered users are accepted
to join this femtocells, while there are resources to allocate them.
This are a really great kind of femtocells for that users who are owning
a indoors place but they are receiving many different people, in exam-
ple a travel agency office where the workers are same every day, but
different customers are coming every hour.
2.3 interferences
As shown before the last connection of the network is done using the
air interface. As know this interface is very susceptible to interferences.
Moreover the future mobile network is going to have two tiers operat-
ing in the same frequency range, the femtocell tier and the macrocell
tier. It is important to distinguish two cases for LTE and for LTE-A in
the newest generation different subcarriers are able to spread the differ-
ent transmissions over them. Therefore the LTE is the most restrictive
scenario. In the lines below most powerful mitigation techniques from
[10] are resumed, if extracted from any other source it is specified in the
description.
2.3.1 Femtocell-Macrocell
The different approaches that appear in the literature for fighting against
the interference caused for the coexistence in time, space and frequency
of a eNB and a HeNB, take the first one as the high priority user. There-
fore HeNB have to adapt their transference parameters in order not to
interfere the macrocell. The higher interference scenario occurs when a
eNB user is trapped in a middle of closed HeNB operating in same fre-
quency that it is, as said in this case femtocells have to adapt themselves
to interfere as less as possible to the user.
2.3 interferences 10
• PHICH: This channel is used to inform the UEs when an uplink trans-
mission is successfully completed. It has three repetitions in frequency
domain, this repetitions can be done in the same OFDM channel or each
in a different one. Moreover this control channel is spread in time and
frequency domain.
same channel of the femtocell user. When changing the PCI value the
control channels are moved inside the OFDM symbol. The HeNB has to
listen in order to identify the most dominant macrocell, once it is identi-
fied the PCI value has to be chosen intelligently in order the PCFICH of
the femtocell is allocated in a different position than the macrocell one.
This technique enhances the performance of the previous explained tech-
niques.
Power Control: Since femtocells are the low priority users in the net-
work they are going to change their transmission parameters in order
not to interfere the eNB. One of the main parameters that can be modi-
fied for reducing the interferences is the power transmitted by the HeNB.
The main advantage is that for reducing the interferences only thing
which is compromised is SNR, no bandwidth resources are lost. The
power control can be made by having many different inputs to decide
what to do. For example groups of HeNB can be clustered and change
the cluster power all at same time. The decision of changing power pa-
rameters can be done in a central way or in a distributed way, where
each node decides by sensing the medium the transmission power. This
is one of the most simple techniques and also one of most efficient in
terms of interference mitigation.
2.3 interferences 12
2.3.2 Femtocell-Femtocell
This techniques can also be used together with power control, this hy-
brid technique enhances the system performance, achieving really good
results.
2.4 handover
To explain the different handovers we are going to use the notation Tgt
to identify the target node for the handover. Src will be used to identify
the node that is going to be left by the UE.
through internet is quite high, that means that this handover is not opti-
mal for the femtocell network.
When talking about mobile cellular network, the user normally do not
chose which antennas to connect, users are not even aware about the
handover process. This means that a connection to a HeNB can happen
without choice or acknowledge for the user, if an attacker is able to in-
troduce a misbehaving HeNB to the femtocell network, the user security
can compromised in most of its layers.
16
3.1 end user attacks 17
have to choose to connect the device or not, and if they know that se-
curity leakage may be there connection will be never an option. This
results in a network without users since they don not want to compro-
mise their privacy. Regarding the infant stage of these techniques an
approach has been done in this work to provide anonymity. In Chap-
ter 5 collaborative work of the femtocell users is proposed to provide
anonymity by using a novel algorithm.
Authors pointing out this kind of attack conclude that femtocells are
not a good idea since this attack seems not to have any possible mit-
igation in the current scenario. Therefore the scenario is totally open
in order to mitigate this kind of attacks since nowadays only way to
avoiding it is to implement an user-decision approach. Then the user
has to remember which are the trusted HeNB and which are untrusted,
in order not to join them. While walking inside a building our phone is
going to send notifications every 30 meters asking for permission, which
do not seem as a real good solution.
ing HTTP such as browsers had introduced these solutions also mobile
network operators introduced them. These solutions stay closed but they
ensure that this issue has been solved. This facts fights agains this par-
ticular threat but if a new threat appear security might be compromised
again.
PROPOSED METHODOLOGIES
! !
! !
T1# T2#
T4#
!
!
T3# !
!
22
4.2 tracking notification algorithm 23
To provide privacy to the sender this algorithm ensures that each packet
sent is scheduled to travel in between the same femtocell users before
going out to the Internet. These operations will be made totally in ran-
dom; FAP is in charge of calculating next destination node by using a
random function. In Listing 1 pseudo-code approach for developing this
algorithm is proposed, there is no need for any extra hardware to run
this algorithm.
1 # Define Tmax
2 # Define Tmin
3 Tstamp=rand ( Tmin , Tmax ) ;
4 while ( Tstamp ! = 0 ) {
5 l i s t []= Listing a l l users ;
6 i =rand ( 0 , length ( l i s t ) ) ;
7 Send packet t o l i s t [ i ] ;
8 wait ( Same packet Rx ) ;
9 R e f r e s h Tstamp ;
10 }
11 Send packet t o I n t e r n e t ;
5.2 simulation
25
5.2 simulation 26
A.) Network Parameters: Only one femtocell is considered for the simula-
tion. Alcatel-Lucent 9361 home cell v2 is used as model for the FAP. The
femtocell includes 15 users inside its radius coverage, which is 25 meters.
During the simulation period all users remain inside the femtocell since
when staying at home or office users will not move out for long time
periods. GSM is proposed as the cellular standard protocol. No indoor
path-loss model is proposed since in real time traffic a packet retrans-
mission might not be feasible. A summary of the simulation parameters
is presented in Table 2.
network parameters
Cellular Protocol GSM
Number of Users 15
mobility parameters
Restricted in HeNB coverage 25m
User speed 0.5 m/s
transmission parameters
Listening bands 1900 MHz
850 MHz
5.2.2 Results
tstamp=[10,30] tstamp=[10,60]
In Figure 10 can be seen how for Sim1 the probability to have more
than 5 reflections decreases really fast. While for Sim2 the probabil-
ity decreases softly, providing higher values for more than 8 reflections.
As expected, in terms of number of reflections, best choice will be the
largest range for Tstamp values. Further work is need to find out which
5.2 simulation 28
is the number of hops needed to ensure that an attacker can not point
out the sender user.
tstamp=[10,30] tstamp=[10,60]
By using the largest Tstamp range the average time for the packet
transmission will be lower than 260ms in worst delay case. This give
us a guard time of 400ms − 260ms = 140ms which seems to be enough
for the voice data transmission. With the obtained results it can be con-
cluded that the largest Tstamp range is a better choice. Moreover the
algorithm will become more robust if the delay is increased, but the re-
lation of this increase is not lineal since the robustness rises faster.
R E S O U R C E A L L O C AT I O N
6
Presented by Que Zang et.al in [14] this novel resource allocation algo-
rithm has his base in the graph coloring techniques. In this chapter this
algorithm is explained and implemented, moreover an improvement is
done to enhance its performance. Since the number of resources might
be preallocated or not large enough the algorithm here proposed takes
into account the interference grade in order to make the nodes with the
lowest interference share the same resource.
This is the first of three steps for allocating the resources. The network
has to find out the identity of the nodes which are interfering to other
nodes. To do that each node in the network must have a node unique
identifier.
Then each HeNB has to calculate the interference, to do it the collab-
oration of the UE connected to each HeNB is needed. UE are going
to calculate the power of the signal received from its serving base sta-
tion (RSRPi ). In [14] only one UE per HeNB is assumed, in this work
more UEs can be sensing the interference. The HeNB has to collect
all the information and create a list of where the id of the interfering
HeNB is mapped to the maximum value of that interference reported
by the UEs. The UE consider interference if the received signal from
the j-HeNB (RSRPj ) is a certain threshold (Ith ) greater than the received
signal from the HeNB which it is connected (RSRPi ). This is calculated
as shown in Equation 1 and only if the interference is grater than the
threshold it will be sent as interference to the HeNB.
RSRPi − RSRPj = Iij < Ith (1)
Once the HeNB has collected the interference the list has to be shared
with all the neighbors who also will sent their own list. With this in-
formation and the mapping between id and number of node, provided
form the backhaul network by the operator, each HeNB is able to gener-
ate the matrix shown in Equation 2. This matrix is a n dimension square
matrix where n is the number of nodes inside the same eNB coverage
area. Each position Iij represents the interference between node i and
node j, for that reason the matrix diagonal is 0 since Iii = 0.
I1,1 I1,2 · · · I1,n
I I
2,1 2,2 · · · I
2,n
Links = . .. .. .. (2)
.. . . .
In,1 In,2 · · · In,n
29
6.2 graph coloring 30
Second step of the resource allocation is the core and the main difference
of the algorithm. A brief introduction to the graph coloring techniques
is given below.
Graph Coloring:This algorithms are used to color a graph (G) accomplishing
that the linked vertices of the graph are not painted with the same color,
it is also known as proper vertex coloring. The number of colors needed
depend on each graph, the minimum number of colors for each graph is
known as chromatic number (x(G)).
Graph coloring problem has two main phases, firstly we have to deter-
mine the chromatic number, which minimizes the number of colors used
for coloring. This number will be referenced as k. Once we know that G
is k − colorable we have to implement the graph colorization.
For resource allocation a sequential graph coloring is used, for that kind
of coloring it is essential that: the nodes are enumerated and that all nodes
have the same color selection sequence. An other consideration is introduced
here, the number of resources (nres ) might be set by the network admin-
istrator, the carrier. Moreover if nres < k a interference level based
factor will be introduced for coloring the graph. When the algorithm
leads node i to the nres + 1 color in its color sequence, then node i will
be painted in same color as the less interfering node, which is already
colored.
The Links (L) matrix is required as input, and the output of this func-
tion is a vector [node, k] where k is the minimum number of colors
required. The node from where the colorization should start is stored in
node.
6.3 algorithm implementation 32
1 f u n c t i o n [ node , k ]=chromnum ( L )
2 i =1;
3 while ( i <=length ( L ( : , 1 ) ) )
4 p a i n t ( i ) =max ( c o l o r i z e ( L , 8 ) )
5 i = i +1;
6 L=[L ( : , 2 : end ) L ( : , 1 : 1 ) ] ;
7 L=[L ( 2 : end , : ) ; L ( 1 : 1 , : ) ] ;
8 end
9 [ k , node ]=min ( p a i n t ) ;
10 end
The key point of this function is to swap the order of the columns and
rows of the Links matrix in order that the next coloring starts from
the next node. The transformation needed when we want to start the
colorization from the i − node be seen in Equation 3. As presented the
i − node now is the first node, in terms of rows and columns.
I1,1 · · · I1,i · · · I1,n Ii,i ··· Ii,n ··· Ii,i−1
I2,1
· · · I1,i · · · I2,n
Ii+1,i · · · Ii+1,n · · · Ii+1,i−1
.. .. .. .. .. .. .. .. .. ..
. . . . . . . . . .
⇒
Ii,1 · · · I1,i · · · Ii,n I1,i · · · I1,n · · · I1,i−1
. .. .. . .. ..
.. .. .. ..
. . . . . .
. . . . . .
In,1 · · · I1,i · · · In,n Ii−1,i · · · Ii−1,n · · · Ii−1,i−1
(3)
Regarding this adaptation process, in this work the multi hops con-
cept is introduced in the femtocells network. This allows to provide
anonymity against external sniffing from the HeNB. The evaluation shows
low delay values, affordable for the network. Further work is needed to
test the technique in a real network to check the performance.
The location disclosure presented in this work, is a clear example on
how new security treats will appear frequently regarding the femtocell
network. The description of the attack and a possible approach for miti-
gating it has been given in this document. New techniques for avoiding
these kinds of attacks instead of just notifying about them are need to
be created in future works.
Femtocells are the future, and regarding some voices in the commu-
nity are against them regarding all the security problems. This work
attempted to demonstrate a few solutions for identified security threats.
Users need to be aware of the vulnerabilities, and also the research com-
munity responsible of changing this fact.
34
BIBLIOGRAPHY
[5] The Small Cell Forum. Small Cell Market Status. Informa Telecoms
and Media Editor, 2013.
[10] Nazmus Saquib, Ekram Hossain, Long Bao Le, and Dong In Kim.
Interference management in ofdma femtocell networks: Issues and
approaches. Wireless Communications, IEEE (Volume:19 , Issue: 3 ),
2012.
[11] Takeshi Terayama, Hidehiko Ohyane, Goichi Sato, and Takuya Taki-
moto. Femtocell technologies for providing new services at home,.
NTT DOCOMO Technical Journal Vol. 11 No. 4., 2011.
35
bibliography 36
[14] Qian Zhang, Xinning Zhu, Leijia Wu, and Kumbesan San-
drasegaran. A coloring-based resource allocation for ofdma fem-
tocell networks. Wireless Communications and Networking Conference
(WCNC), 2013.