(12) Patent Application Publication    (10) Pub. No.: US 2015/0141026 A1
JOVER    (43) Pub. Date: May 21, 2015

(54) ENDPOINT DEVICE ANTENNA BEAM FORMING BASED JAMMING DETECTION AND MITIGATION
(71) Applicant: AT&T Intellectual Property I, L.P., Atlanta, GA (US)
(72) Inventor: ROGER PIQUERAS JOVER, New York, NY (US)
(73) Assignee: AT&T Intellectual Property I, L.P., Atlanta, GA (US)
(21) Appl. No.: 14/081,944
(22) Filed: Nov. 15, 2013

Publication Classification
(51) Int. Cl.: H04K 3/00 (2006.01)
(52) U.S. Cl.: CPC H04K 3/224 (2013.01)

(57) ABSTRACT
A method, computer-readable storage device and apparatus for locating a source of a communication impairment are disclosed. For example, the method detects the communication impairment, performs a sweep to locate a direction of the source of the communication impairment, wherein the sweep is performed in response to the detecting the communication impairment at the endpoint device, and generates a null in the direction of the source of the communication impairment.

[Front-page figure: endpoint device and radio jammer 460; reference numerals 472, 474, 480, 490, 492; gain labels +10dB and 5dB.]

Samsung Exhibit 1005, Page 1 of 17

[Sheet 1 of 7, FIG. 1: network 100 comprising LTE network 101 with eUTRANs 103 and 104 (eNodeBs 112 and 111), EPC core network 105 connected to a backbone network, and LTE UEs 116 and 117.]

[Sheet 2 of 7, FIG. 2A: jamming attack; radio jammer 260 transmitting over area 250 within sector 240 of cell 203, base station 212 serving endpoint devices 216A-216D. FIG. 2B: smart jamming attack; smart jammer 260 whose area 250 covers sector 240.]

[Sheet 3 of 7, FIG. 3: endpoint device 300 with beam-forming engine 310, wireless channel sensing engine 320, orientation estimation engine 330 with gyro 335 and compass 336, antenna set 340, gain patterns G1, G2, G3 plotted over azimuth (ticks -9, -6, -3 dB; 0, 30, 60, 90 degrees), and feedback from the eNodeB 390.]

[Sheet 4 of 7, FIG. 4A: endpoint device 400 performing a sweep; antennas 423A-423D, gain elements 422A-422D, delay elements 421A-421D, gain patterns G1-G4, reference numerals 470, 480, 490, radio jammer 460; gain plotted over azimuth (ticks -9, -6, -3, 0 dB; 30, 60, 90, 120, 150, 180 degrees). FIG. 4B: endpoint device 400 directing a null toward radio jammer 460.]

[Sheet 5 of 7, FIG. 4C: endpoint device directing beams toward desired signals; gain label -5dB.]

[Sheet 6 of 7, FIG. 5: flowchart of method 500 (START 505, steps 510-580, END 595):
START
DETECT A COMMUNICATION IMPAIRMENT AT AN ENDPOINT DEVICE
PERFORM A SWEEP TO LOCATE A DIRECTION OF A SOURCE OF THE COMMUNICATION IMPAIRMENT IN RESPONSE TO THE DETECTING THE COMMUNICATION IMPAIRMENT AT THE ENDPOINT DEVICE
GENERATE A NULL IN THE DIRECTION OF THE SOURCE OF THE COMMUNICATION IMPAIRMENT
DETERMINE DIRECTION OF A DESIRED SIGNAL
DIRECT A BEAM IN THE DIRECTION OF THE DESIRED SIGNAL, WHERE BEAM COMPRISES A REGION OF MAXIMUM GAIN OF A PLURALITY OF ANTENNAS OF THE ENDPOINT DEVICE
DETERMINE AN ORIENTATION OF THE ENDPOINT DEVICE
RECALCULATE GAIN AND PHASE APPLIED TO EACH OF A PLURALITY OF ANTENNAS OF THE ENDPOINT DEVICE TO MAINTAIN A NULL IN THE DIRECTION OF THE SOURCE OF THE COMMUNICATION IMPAIRMENT AND/OR TO MAINTAIN THE BEAM IN THE DIRECTION OF THE DESIRED SIGNAL
DISABLE GLOBAL SYSTEM FOR MOBILE COMMUNICATIONS SERVICES AT THE ENDPOINT DEVICE IN RESPONSE TO THE DETECTING THE COMMUNICATION IMPAIRMENT AT THE ENDPOINT DEVICE
END]

[Sheet 7 of 7, FIG. 6: high-level block diagram of a general-purpose computer.]

ENDPOINT DEVICE ANTENNA BEAM FORMING BASED JAMMING DETECTION AND MITIGATION

[0001] Embodiments of the present disclosure relate to detecting jamming attacks at an endpoint device and techniques to minimize the effects of such jamming attacks.

BACKGROUND

[0002] Long Term Evolution (LTE) offers enhanced capacity and coverage for current mobility networks, which experience a constant traffic increase and skyrocketing bandwidth demands. LTE is built upon a redesigned physical layer and based on an Orthogonal Frequency Division Multiple Access (OFDMA) modulation. LTE also features robust performance in challenging multipath environments and improves the performance of the wireless channel in terms of bits per second per Hertz (bps/Hz). Nevertheless, LTE remains vulnerable to radio jamming attacks.

SUMMARY

[0003] In one embodiment, the present disclosure describes a method, computer readable storage device and apparatus for locating a source of a communication impairment. For example, the method detects the communication impairment, performs a sweep to locate a direction of the source of the communication impairment, wherein the sweep is performed in response to the detecting the communication impairment at the endpoint device, and generates a null in the direction of the source of the communication impairment.

BRIEF DESCRIPTION OF THE DRAWINGS

[0004] The teaching of the present disclosure can be readily understood by considering the following detailed description in conjunction with the accompanying drawings, in which:
[0005] FIG. 1 illustrates an exemplary network related to the present disclosure;
[0006] FIG. 2A illustrates an exemplary jamming attack on a base station sector;
[0007] FIG. 2B illustrates an exemplary smart jamming attack on a base station sector;
[0008] FIG. 3 illustrates an exemplary endpoint device, according to embodiments of the present disclosure;
[0009] FIG. 4A illustrates an endpoint device during a sweep to detect a source of a communication impairment, according to embodiments of the present disclosure;
[0010] FIG. 4B illustrates an endpoint device while directing a null in the direction of a source of a communication impairment, according to embodiments of the present disclosure;
[0011] FIG. 4C illustrates an endpoint device while directing beams in the directions of desirable signals, according to embodiments of the present disclosure;
[0012] FIG. 5 illustrates a flowchart of a method for locating a source of a communication impairment at a base station, according to embodiments of the present disclosure; and
[0013] FIG. 6 illustrates a high-level block diagram of a general-purpose computer suitable for use in performing the functions, methods and algorithms described herein.
[0014] To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the figures.

DETAILED DESCRIPTION

[0015] The present disclosure broadly describes a method, computer-readable storage device and apparatus for locating a source of a communication impairment at an endpoint device. Although the present disclosure is discussed below in the context of exemplary LTE networks and evolved universal terrestrial radio access networks (eUTRANs), the present disclosure is not so limited. Namely, the present disclosure can be applied to communication networks in general, e.g., general packet radio service (GPRS) networks, universal terrestrial radio access networks (UTRANs), Global System for Mobile Communications (GSM) networks, and the like, where at least one cellular access network is available.

[0016] In one embodiment, the present disclosure describes a technique for detection and mitigation of jamming attacks that affect endpoint devices of a cellular network. Jamming attacks generally involve transmitting radio signals to disrupt communications between cell sites and endpoint devices and to decrease the signal-to-noise ratio (SNR). For an LTE access network, this can cause LTE communications between the cell site and an endpoint device to fall back to GSM mode, which is less secure and allows a number of exploits to be used to intercept traffic, steal credentials, and so forth. In particular, the GSM encryption is weaker than the LTE standards. In addition, a successful jamming attack on LTE communications does not necessarily need high power, and can be focused on essential LTE control channels if these are known, e.g., saturating an uplink signaling channel.

[0017] To address these issues, one embodiment provides an endpoint device having multiple antennas that can be used for beam steering as well as for null generation in desired directions. When the endpoint device detects an impairment condition, e.g., a low SNR, or some other trigger, the endpoint device may initiate a process to detect a direction/location of a source of the communication impairment. In particular, the endpoint device considers that the communication impairment is due to a jamming signal and attempts to locate the source of the jamming signal.

[0018] In one embodiment, the endpoint device may control the azimuthal angles and/or vertical tilt of the antenna radiation beam pattern to form a narrow beam and then sweep the beam such that the beam eventually covers all surface areas of an imaginary sphere surrounding the endpoint device. In one embodiment, when the strongest noise signal is detected during the sweep, the endpoint device determines that this is the likely direction and/or general location of the jamming signal. Thereafter, the endpoint device may then control the multiple antennas to form a null (e.g., an approximately 50-60 dB or greater loss) in the direction of the detected jamming signal. The null is a portion of the antenna radiation pattern where a direction correlating to the detected jamming signal is strongly attenuated. This will mitigate the interference of the jamming signal and allow communications between the endpoint device and the base station to continue, e.g., without falling back to GSM.

[0019] It should be noted that although examples are described herein relating to a jamming attack (i.e., a deliberate jamming signal) the present disclosure is equally applicable to other sources of communication impairments that are non-malicious. For example, a user-deployed femtocell or personal base station may generate sufficient interference to degrade the communication quality between an endpoint device and the network service provider base station. In one embodiment, the endpoint device also tracks its orientation
and/or changes in the orientation using a gyroscope and compass or similar means. Accordingly, the endpoint device can continuously update the antenna radiation beam pattern such that the null continues to be directed at the source of the communication impairment.

[0020] In addition, in one embodiment the endpoint device may also track a direction of a desired signal and direct a beam in the direction of the desired signal. In one embodiment, the beam comprises a region of greater or greatest gain as compared to other regions of an antenna radiation beam pattern surrounding the endpoint device. For example, as mentioned above the endpoint device may control the azimuthal angles and/or vertical tilt of the antenna radiation beam pattern to form a narrow beam and then sweep the beam throughout a range surrounding the endpoint device (e.g., such that the beam eventually covers all surface areas of an imaginary sphere surrounding the endpoint device). Thus, in one embodiment, when a desired signal is detected at a greatest magnitude, a greatest SNR, a lowest BER and so forth during the sweep, the endpoint device may determine that this is a direction of a desired signal. In one embodiment, the desired signal may comprise a control channel communication from a base station. In another embodiment, the direction of the desired signal may comprise a multipath propagation from a base station that is indirectly received, e.g., by bouncing off a building, a mountain and so forth. As such, in one embodiment, the direction of the desired signal may not be a direction of an absolute greatest magnitude of a received signal strength, but instead, may be a local maximum, or one of several local maximums. In any case, in addition to generating a null in a direction of a source of a communication impairment, the endpoint device may direct a beam (a region of greater gain) in one or more directions of a source of a desired signal.

[0021] To further aid in understanding, the following provides a brief overview of common terms and technologies related to the present disclosure. Broadly defined, 3GPP is a global effort to define a wireless communication system specification. 2G refers to a second generation cellular network technology, 3G refers to a third generation cellular network technology, and 4G is a fourth generation cellular network technology. GSM is an example of a 2G cellular technology and a Universal Mobile Telecommunications System (UMTS) is an example of a 3G cellular network technology. In accordance with the 3GPP global effort, a General Packet Radio Service (GPRS) refers to a communications service used to transfer data via a cellular network. GPRS is available to users of a 2G cellular system, e.g., GSM. The GPRS provides an enhancement to the GSM system so that data packets are supported. In addition, in 3GPP release 8, LTE is provided as a set of enhancements to the UMTS. The enhancement focuses on adopting 4th Generation (4G) mobile communications technology to include an all Internet Protocol (IP) end-to-end networking architecture. LTE is an example of a 4G cellular network technology.

[0022] A base station for a 2G network is also referred to as a base transceiver station (BTS). A base station in a 3G network is also referred to as a Node B. At a particular time period, a particular base station in a 3G wireless network is controlled by a radio network controller (RNC). If at a later time period, another radio network controller is selected to control the traffic traversing through the particular base station, the particular base station is said to be re-homed to the later radio network controller. Similarly, at a particular time period, each base station in a 2G wireless network is controlled by a base station controller (BSC). For a 4G network, a radio base transceiver station (RBS), as per the 3GPP standards, is referred to as an eNodeB (or simply as a base station). An eNodeB for a 4G network provides an LTE air interface and performs radio resource management for wireless access. It should be noted that base stations in accordance with other network protocols or standards are within the scope of the present disclosure.
[0023] The radio network controllers and base station controllers route calls from user endpoint devices towards their destination via the service provider's core network. Similarly, calls destined to the user endpoint devices traverse the core network to reach a radio network controller (for 3G), a base station controller (for 2G) or an eNodeB (for 4G). As applicable, the radio network controllers, base station controllers and eNodeBs forward the calls towards their intended user endpoint device.

[0024] In one embodiment, a base station for a wireless network may be deployed with one or more directional antennas that cover a predetermined portion of the 360 degree angle. The coverage of one directional antenna is determined by dividing the 360 degrees by the number of directional antennas included in the base station. A portion of a wireless network that is covered with one directional antenna is referred to as a sector. For example, if there are three directional antennas at a base station, each directional antenna covers 120 degrees, thereby resulting in three sectors. The exemplary base station may also be referred to as a three sector base station.

[0025] In one embodiment, e.g., in a 2G/GSM network, each sector uses a predetermined portion of available frequency resources such that adjacent sectors may assign channels in mutually exclusive frequency ranges. However, it should be noted that other cellular networks may assign frequency ranges in a different manner and the present disclosure is not limited in this aspect. For example, each of the three sectors above may use one third of available frequency resources. Adjacent sectors use different frequency ranges. The channels for adjacent sectors are then assigned in mutually exclusive frequency ranges such that interference is minimized. However, in another embodiment, e.g., in a code division multiple access (CDMA) network or in an orthogonal frequency division multiple access (OFDMA) network (e.g., a 4G/LTE network), each cell and each sector may utilize all of the available frequency resources. In other words, each cell and/or each sector reuses the same frequency resources.

[0026] FIG. 1 illustrates an exemplary network 100 related to the present disclosure. In one illustrative embodiment, the network 100 comprises an LTE network 101 and user endpoint devices 116 and 117.

[0027] The user endpoint devices 116 and 117 can be a smart phone, a cellular phone, a computer or laptop, a computing tablet, or any endpoint communication devices equipped with wireless capabilities.

[0028] The LTE network 101 may comprise access networks 103 and 104 and a core network 105. In one example, each of the access networks 103 and 104 comprises an evolved Universal Terrestrial Radio Access Network (eUTRAN). In one example, the core network 105 comprises an Evolved Packet Core (EPC) network.

[0029] The eUTRANs are the air interfaces of the 3GPP's LTE specifications for mobile networks. Namely, the eUTRAN comprises a radio access network standard that will
replace previous generations of air interface standards. All eNodeBs in the eUTRANs 103 and 104 are in communication with the EPC network 105. The EPC network provides various functions that support wireless services in the LTE environment. In one embodiment, an EPC network is an Internet Protocol (IP) packet core network that supports both real-time and non-real-time service delivery across a LTE network, e.g., as specified by the 3GPP standards.

[0030] In operation, LTE user equipment or user endpoint (UE) 116 may access wireless services via the eNodeB 112 located in the eUTRAN 103. Similarly, the LTE UE 117 may access wireless services via the eNodeB 111 located in the eUTRAN 104. It should be noted that any number of eNodeBs can be deployed in an eUTRAN. In one illustrative example, the eUTRANs 103 and 104 may comprise one or more eNodeBs.

[0031] The above network 100 is described to provide an illustrative environment in which embodiments of the present disclosure may be employed. In other words, the network 100 is merely illustrative of one network configuration that is suitable for implementing embodiments of the present disclosure. Thus, the present disclosure may also include any other different network configurations that are suitable for implementing embodiments of the present disclosure, for conveying communications among endpoint devices, for conveying communications between endpoint devices and other components (e.g., core network and access network components), and so forth. Those skilled in the art will realize that the communication system 100 may be expanded by including additional endpoint devices, access networks, network elements, application servers, etc., or modifying or substituting those illustrated in FIG. 1, without altering the scope of the present disclosure.

[0032] To further aid in understanding the present disclosure, FIG. 2A illustrates a conventional jamming attack on a base station sector 240 of a cell 203. As illustrated in FIG. 2A, cell 203 comprises a base station 212 that is servicing endpoint devices 216A-216D in sector 240. In one embodiment, base station 212 comprises an eNodeB of an eUTRAN (e.g., a 4G network), or a NodeB of a UTRAN (e.g., a 3G network). As also illustrated in FIG. 2A, a radio jammer 260 is transmitting a jamming signal that covers an area 250. Notably, in a traditional jamming attack, the radio jammer transmits a jamming signal, typically random noise, over a broad range of frequencies to attempt to disrupt communication. However, to jam the entire frequency band often requires a considerable amount of power. Consequently, if radio jammer 260 comprises a typical endpoint device, such as a cellular phone, cellular-enabled laptop computer or an off-the-shelf radio jammer, the radio jammer 260 may only be capable of jamming a small area 250 surrounding the radio jammer 260. In this example, endpoint device 216A is within area 250 and thus is jammed by the signal from radio jammer 260. In one example, the jamming causes the signal-to-noise ratio (SNR), the signal-to-interference-and-noise (SINR) ratio and/or the received signal strength indication (RSSI) experienced by endpoint device 216A (and any other device in the area 250 affected by the jamming) to drop. Alternatively or in addition, the jamming may cause the bit-error rate (BER) experienced by endpoint device 216A to increase. In another embodiment, the jamming may cause a drop in traffic volume from a base station to be observed in a core network, while the base station still appears to be operational. In still another embodiment, the jamming may cause one or more of the endpoint devices to fail to synchronize to the base station, or otherwise fail to establish communications with the base station. For example, the jamming attack may cause endpoint device 216A to fail to receive a primary and/or secondary synchronization signal (PSS, SSS) or to receive a corrupted PSS and/or SSS.
[0033] As a further consequence, as noted above jamming may cause 4G/LTE or 3G communications to deteriorate to the point where an endpoint device and/or base station may fall back on to 2G/GSM communications. Thus, in this example, endpoint device 216A may attempt to communicate with the base station 212 via GSM during the jamming attack. For example, the base station 212 may include components to support legacy GSM communications as a backup, or as an alternative to 3G, 4G and/or LTE. However, GSM communications are widely considered to have weak encryption standards and are subject to known exploits for base station spoofing, sniffing attacks, phishing attacks and so forth. In this regard, it should be noted that even if the base station 212 does not support 2G/GSM communication, an attacker may set up a femtocell or 2G base station (e.g., a base transceiver station (BTS)) that appears to be a legitimate base station from the perspective of the endpoint device 216A. For example, the attacker may use the same device, e.g., radio jammer 260, for radio jamming as well as for providing a rogue base station. If the endpoint device 216A can be forced or tricked into connecting to the rogue base station, the attacker can then implement a number of further exploits. It should be noted that several examples herein describe attacks on 3G and/or 4G/LTE components, where 2G/GSM components comprise a backup infrastructure. Nevertheless, the present disclosure may also be applied to attacks on cellular devices and cellular network infrastructure that employ various different types of technology, including 2G/GSM infrastructure. In particular, the present disclosure relates to any cellular network suitable for use with endpoint devices having multiple antennas/directional antennas for beam steering and null generation.

[0034] FIG. 2B illustrates a more advanced jamming attack on a base station sector 240, referred to herein as "smart jamming". In particular, the cell 203, base station 212, sector 240 and endpoint devices 216A-216D may comprise the same devices and areas shown in FIG. 2A. However, in this case the radio jammer 260 illustrated in FIG. 2B comprises a smart jammer. Notably, the radio jammer 260 concentrates the jamming signal and power output over one or more specific and targeted frequencies, or over a narrower range of frequencies as compared to the radio jammer 260 in FIG. 2A. Thus, in FIG. 2B, the area 250 affected by the jamming signal may include the entire range of sector 240, e.g., when the attack targets uplink signaling channels. As such, all of endpoint devices 216A-216D are affected. For example, a typical endpoint device, such as a cellular telephone or laptop computer, may be capable of jamming both uplink and downlink control channels used for 3G, 4G and/or LTE call establishment and maintenance using off-the-shelf components, or with only small upgrades or enhancements to the radio resources, e.g., an amplifier, range extender and so forth. For example, a smart jamming attack may target the physical broadcast channel (PBCH) which has assigned physical resource blocks (PRBs) which are known in advance and are always mapped to the central 72 subcarriers of the OFDMA signal. Similarly, a smart jamming attack may target the physical downlink control channel (PDCH or PDCCH), the physical uplink control channel (PUCH or PUCCH), the
physical random access channel (PRACH), the primary synchronization signal (PSS), the secondary synchronization signal (SSS) and so forth.

[0035] It should be noted that LTE includes physical channels as well as logical channels, and that control channels may be physical control channels or logical control channels. The most straightforward smart jamming attack will target the physical control channels occupying defined frequencies/wavelengths. However, logical control channels may also be targeted if the attacker knows the timing of the logical control channel. For example, some of the control channels may comprise slot assignments within a master information block (MIB), e.g., on a central 72 subcarriers of the spectrum. Thus, the smart jamming may target the 72 central subcarriers with a noise signal synchronized to the timing of the particular control channel's slot assignments. However, it also remains possible for an attacker to simply target the central 72 subcarriers with a continuous noise signal.

[0036] In any case, by targeting specific channels/frequencies used for conveying signaling information for call establishment, the radio jammer 260 can effectively disrupt all communications. A successful smart jamming attack allows the attacker to utilize all of the same exploits available with regular (broadband) jamming, but affords a greater range. In addition, the cell tower itself may be affected while allowing the radio jammer 260 to be located a safe distance away, e.g., where the attacker can remain concealed or anonymous, if the attacker is using, for example, a directional antenna pointed to the eNodeB. In other words, the attacker may effectively locate the radio jammer 260 anywhere in the sector 240, while being able to affect all or most of the endpoint devices in the sector 240 as well as the equipment of base station 212 that services the sector 240.

[0037] To mitigate jamming attacks such as illustrated in FIGS. 2A and 2B, the present disclosure includes a process for an endpoint device to sweep a beam around the endpoint device, to locate a jamming source and then to direct a null in the detected direction.

[0038] FIG. 3 illustrates an exemplary endpoint device 300, according to the present disclosure. In one embodiment, endpoint device 300 includes a beam-forming engine 310, a wireless channel sensing engine 320, an orientation estimation engine 330 and a set of antennas 340. In one embodiment, the endpoint device 300 and any one or more of its components 310, 320, 330, etc., may comprise a computing device or system, e.g., as described below in connection with FIG. 6. The endpoint device 300 may also include a gyroscope 335 and a compass 336 for use by the orientation estimation engine 330. In one embodiment, the endpoint device 300 is also in communication with a base station 390 (e.g., an eNodeB).

[0039] In one embodiment, the beam-forming engine 310 is for controlling the gain and phase/delay of each antenna of the set of antennas 340 for beam steering and null generation. For example, when a communication impairment that may be indicative of a jamming attack is detected, the beam-forming engine 310 may generate and sweep a beam throughout all areas surrounding the endpoint device 300. For example, a communication impairment may comprise a decreased signal-to-noise ratio (SNR), decreased signal-to-interference-and-noise (SINR) ratio, decreased received signal strength indication (RSSI) and/or an increased bit-error rate (BER) detected at the endpoint device 300, a failure to connect or synchronize the endpoint device 300 with the base station 390, and so forth. In one embodiment, the communication impairment may affect one or more frequencies and/or channels, or may affect an entire range of frequencies. In response to detecting such an impairment, the beam-forming engine 310 thus creates a narrow beam (also referred to herein as radiation pattern or a gain pattern) by adjusting the gain and time delays for each antenna. The beam-forming engine 310 then steers/sweeps the beam around the endpoint device in all directions in both azimuth and elevation.
[0040] The wireless channel sensing engine 320 is for determining the SNR, SINR, RSSI, BER, and the like as the beam-forming engine 310 sweeps a beam around an imaginary sphere surrounding the endpoint device 300. Using parameters such as the SNR, SINR, RSSI and BER, the wireless channel sensing engine 320 is able to determine the direction of the source of the communication impairment as well as the direction(s) of one or more desired signals; for example, a line-of-sight communication path with a base station, one or more multipaths to/from the base station, and so forth. In one embodiment, the wireless channel sensing engine 320 is also for detecting a communication impairment in the first instance. For example, wireless channel sensing engine 320 may detect a threshold drop in the SNR or SINR (e.g., a 20 percent drop as compared to a preceding time period), an increase in the BER (e.g., when the BER increases beyond one percent), and so forth. In one embodiment, when the wireless channel sensing engine 320 determines that one or more of such threshold conditions are met, the wireless channel sensing engine 320 may signal to the beam-forming engine 310 to begin the beam sweeping procedure.

[0041] In one embodiment, the orientation estimation engine 330 is for determining the orientation of endpoint device 300, and for tracking changes in the orientation. For example, the orientation estimation engine 330 may use the gyroscope 335, the compass 336 and/or one of several other components to determine the orientation of the endpoint device 300 in three-dimensional space. Orientation estimation engine 330 may also use feedback from base station 390 to determine the orientation and to track changes in the orientation.
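The detection, sweep, null and orientation steps described in [0017]-[0020] and [0039]-[0041], carried through in one added Python example that is not code from the patent or from AT&T: it simulates the four-antenna linear array of FIG. 4A with an assumed half-wavelength spacing, a constructed scenario with the base station at 0 degrees and a jammer 20 dB stronger at +20 degrees, and realizes the null by projecting the conventional beam orthogonal to the jammer's steering vector, which is one way to compute the antenna weights; the patent does not specify a weight computation.

```python
import cmath
import math

# Four-antenna uniform linear array as in FIG. 4A. The half-wavelength element
# spacing is an assumption; the patent does not state one.
N_ANT = 4
SPACING = 0.5  # in wavelengths

# Constructed scenario (not from the patent): base station line of sight at
# 0 degrees azimuth, a jammer 20 dB stronger at +20 degrees, unit noise per antenna.
BS_DEG, BS_POWER = 0, 1.0
JAMMER_DEG, JAMMER_POWER = 20, 100.0
NOISE_POWER = 1.0
JAMMED = ((BS_DEG, BS_POWER), (JAMMER_DEG, JAMMER_POWER))
CLEAR = ((BS_DEG, BS_POWER),)


def steering_vector(theta_deg):
    """Relative phase at antenna n for a plane wave from azimuth theta (a lag of
    n * SPACING * sin(theta) wavelengths, as the delay elements 421A-421D apply)."""
    theta = math.radians(theta_deg)
    return [cmath.exp(-2j * math.pi * SPACING * n * math.sin(theta)) for n in range(N_ANT)]


def response(weights, theta_deg):
    """Complex array output w^H a(theta) for the per-antenna gain/phase weights."""
    return sum(w.conjugate() * x for w, x in zip(weights, steering_vector(theta_deg)))


def pattern_gain_db(weights, theta_deg):
    """Radiation-pattern gain in dB relative to a single antenna, in direction theta."""
    power = abs(response(weights, theta_deg)) ** 2 / sum(abs(w) ** 2 for w in weights)
    return 10 * math.log10(max(power, 1e-12))


def received_power(weights, sources=JAMMED):
    """Power collected through the array from the listed far-field sources."""
    return sum(p * abs(response(weights, theta)) ** 2 for theta, p in sources)


def sinr(weights, sources=JAMMED):
    """Linear SINR of the base-station signal once the weights are applied."""
    wanted = received_power(weights, CLEAR)
    interference = received_power(weights, [s for s in sources if s[0] != BS_DEG])
    noise = NOISE_POWER * sum(abs(w) ** 2 for w in weights)  # independent noise per antenna
    return wanted / (interference + noise)


def impairment_detected(prev_sinr, cur_sinr, ber):
    """Trigger conditions of [0040]: SINR down 20 percent or more versus the
    preceding period, or a bit-error rate above one percent."""
    drop = (prev_sinr - cur_sinr) / prev_sinr if prev_sinr > 0 else 0.0
    return drop >= 0.20 or ber > 0.01


def sweep_for_jammer(measure, step_deg=5):
    """Steer a narrow beam across the azimuth range and return the direction from
    which the most power arrives, taken as the jammer's direction ([0018])."""
    best_theta, best_power = None, -math.inf
    for theta in range(-90, 91, step_deg):
        power = measure(steering_vector(theta))  # conventional beam pointed at theta
        if power > best_power:
            best_theta, best_power = theta, power
    return best_theta


def null_steering_weights(theta_desired, theta_jammer):
    """Beam toward the desired signal with a null on the jammer ([0018], [0020]):
    take the conventional beam toward theta_desired and subtract its component
    along the jammer's steering vector, so that w^H a(theta_jammer) == 0."""
    a_d, a_j = steering_vector(theta_desired), steering_vector(theta_jammer)
    projection = sum(j.conjugate() * d for j, d in zip(a_j, a_d)) / N_ANT  # a_j^H a_d / a_j^H a_j
    return [d - projection * j for d, j in zip(a_d, a_j)]


def weights_after_rotation(theta_desired, theta_jammer, heading_change_deg):
    """Recompute the weights after the gyroscope/compass report a turn, so the null
    stays on the jammer ([0019], [0041]). A clockwise turn moves every source
    counter-clockwise in the device frame (azimuth sign convention assumed)."""
    return null_steering_weights(theta_desired - heading_change_deg, theta_jammer - heading_change_deg)


def run_scenario():
    """Walk the steps of FIG. 5 on the constructed scenario and return the key numbers."""
    conventional = steering_vector(BS_DEG)  # beam on the base station, no null yet
    detected = impairment_detected(sinr(conventional, CLEAR), sinr(conventional), ber=0.0)
    if not detected:
        return {"detected": False}
    jammer_dir = sweep_for_jammer(received_power)
    nulled = null_steering_weights(BS_DEG, jammer_dir)
    return {
        "detected": True,
        "jammer_direction_deg": jammer_dir,
        "sinr_before_db": 10 * math.log10(sinr(conventional)),
        "sinr_after_db": 10 * math.log10(sinr(nulled)),
        "null_depth_db": pattern_gain_db(nulled, jammer_dir),
        "beam_gain_db": pattern_gain_db(nulled, BS_DEG),
    }
```

run_scenario() reports the sweep landing on 20 degrees, the SINR toward the base station rising from about -12 dB to about 5 dB, and a null whose depth is limited only by floating point, beyond the 50-60 dB the patent mentions.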
[0042] In accordance with the present disclosure, FIG. 4A illustrates an example of an endpoint device 400 performing a sweep to locate a source of a communication impairment. As illustrated in FIG. 4A, the endpoint device 400 includes a set of four antennas 423A-423D. However, in accordance with the present disclosure any number of antennas may be used by endpoint device 400 (e.g., two antennas, three antennas, five antennas, and so forth). Notably, the greater the number of antennas, the finer the control over the beam steering and null generation that can be achieved. In one example, the antennas 423A-423D are arranged linearly. However, other configurations, e.g., a patch antenna, a plurality of patch antennas, antennas arranged along a conical curve, and so forth are possible in accordance with the present disclosure. Each antenna 423A-423D has a corresponding gain element 422A-422D for controlling the gain of the respective antenna. In addition, delay elements 421A-421D are for introducing successive delays to the antennas 423A-423D. By controlling the gain (amplitude) and delay (phase) of copies of the signal transmitted by the antennas 423A-423D using well