
Security and Performance Issues in Spectrum Sharing between

Disparate Wireless Networks

Pradeep Reddy Vaka

Thesis submitted to the Faculty of the


Virginia Polytechnic Institute and State University
in partial fulfillment of the requirements for the degree of

Masters of Science
in
Electrical Engineering

Jung-Min Park, Chair


Yaling Yang
Haibo Zeng

May 05, 2017


Blacksburg, Virginia

Keywords: Location Privacy, Coexistence, Spectrum Sharing, NB-IoT, Radar Systems


Copyright 2017, Pradeep Reddy Vaka

(ABSTRACT)

The United States Federal Communications Commission (FCC), in its recent Report and Order,
has prescribed the creation of the Citizens Broadband Radio Service (CBRS) in the 3.5 GHz
band to enable sharing between wireless broadband devices and incumbent radar systems.
This sharing will be enabled by the use of a geolocation database with supporting
infrastructure, termed the Spectrum Access System (SAS). Although using a SAS for spectrum
sharing has many pragmatic advantages, it also raises potentially serious operational
security (OPSEC) issues. In this thesis, we explore OPSEC, location privacy in particular,
of incumbent radars in the 3.5 GHz band. First, we show that adversarial secondary users can
easily infer the locations of incumbent radars by making seemingly innocuous queries to the
database. Then, we propose several obfuscation techniques that can be implemented by the SAS
for countering such inference attacks. We also investigate the efficacy of these obfuscation
techniques in minimizing spectral efficiency loss while preserving incumbent privacy.

Recently, 3GPP Release 13 has specified a new standard to provide wide-area connectivity
for IoT, termed Narrowband IoT (NB-IoT). NB-IoT achieves excellent coexistence with
legacy mobile standards, and can be deployed in any of the 2G/3G/4G spectrum (450 MHz to
3.5 GHz). Recent industry efforts show deployment of IoT networks in unlicensed spectrum,
including shared bands (e.g., the 3.5 GHz band). However, operating NB-IoT systems in the
3.5 GHz band can result in significant BLER and coverage loss. In this thesis, we analyse
results from extensive experimental studies on the coexistence of NB-IoT and radar systems,
and demonstrate the coverage loss of NB-IoT in shared spectrum.

(GENERAL AUDIENCE ABSTRACT)

Spectrum sharing has been viewed by spectrum regulators and industry stakeholders as the
most viable solution to overcome spectrum congestion and to enable next-generation wireless
networks. Towards this end, the Federal Communications Commission in the United
States has prescribed rules to enable sharing between incumbent radars and broadband
wireless networks in the 3.5 GHz band. This sharing, however, will be enabled by geolocation
databases and supporting infrastructure known as the Spectrum Access System, which are prone
to privacy attacks by malicious secondary users. Preserving the privacy of incumbent systems
is vital, as they are mostly military radars. In this thesis, we demonstrate such attacks and
later propose efficient techniques to preserve the privacy of the incumbent systems while
enabling better spectrum utilization.

The phenomenal growth in smarter end-user devices and machine-to-machine (M2M) connections
is a clear indicator of the growth of the Internet of Things (IoT) and of the growing
importance of wide-area IoT networks. Recently, the telecommunications standards development
body, 3GPP, has defined Narrowband IoT (NB-IoT), optimized for IoT. Also, NB-IoT has many
features in common with LTE, and it is likely that NB-IoT will also be deployed in bands where
LTE will be deployed, including shared bands (e.g., the 3.5 GHz band). However, NB-IoT systems
that operate in the 3.5 GHz band can be prone to harmful radar interference, which directly
impacts the coverage of the NB-IoT base station. In this thesis, we analyse results from
extensive experimental studies on the coexistence of NB-IoT and radar systems. We believe this
study can be leveraged by future studies to mitigate the impact of radar on IoT networks.
Acknowledgments

First and foremost, my heartfelt thanks to Dr. Jerry Park, my advisor and mentor through
the graduate life. I owe my deepest gratitude for giving me an opportunity to be part of
the research group and letting me pursue interesting research problems. This thesis would
not have been possible without your invaluable guidance and constant support during each
stage of my research. Thanks again!
I would like to thank Dr. Yaling Yang and Dr. Haibo Zeng for their valuable time and
agreeing to be a part of my thesis defense committee. To all my lab mates: Gaurang, He
Li, Jinshan, Noah, Pranav, Sudeep, and Viresh, thanks for making the last couple of years fun
and enjoyable. I would also like to thank Dr. Vuk, Randall, Deven, Raghu and other folks
in Wireless@VT for their help in carrying out experiments on the testbed.
Also a big thanks to my friends in India: Arvind, Sandy, Harsh and Prathak for always
being there during fun and hard times. Finally, a special thanks to my parents and brother
for being just a call away and making me not miss home.

Contents

List of Figures
List of Tables

1 Introduction
1.1 Coexistence of Incumbent Radars and Communication Systems
1.2 Impact on Coverage of NB-IoT Systems in Spectrum Sharing
1.3 Contributions
1.4 Organization

2 Coexistence of Radar and Communication System
2.1 Introduction: Spectrum Sharing in the 3.5 GHz Band
2.2 Recent Developments in CBRS OPSEC
2.2.1 Operational Security Requirements
2.3 SAS’s Incumbent User Protection Rules
2.3.1 Spatial Separation Regions and SAS-SU Query Protocol
2.3.2 SU Query and SAS Response Format
2.3.3 Exclusion Zone and Area of Control Boundaries
2.4 Location Inference Attack - Using Bayesian Inference for IU Localization
2.5 Metrics for Location Privacy
2.5.1 Uncertainty
2.5.2 Inaccuracy
2.5.3 Incorrectness
2.6 Location Inference - Smart Adversary
2.7 Position Estimate Uncertainty

3 Analysis of Obfuscation Techniques to Protect Incumbent Privacy
3.1 Enlarging the Exclusion Zone or Area of Control
3.2 Perturbation with Transfiguration
3.3 Random False Positives
3.3.1 Randomized Transmit Inhibition
3.3.2 Moderated RTI
3.3.3 Randomized Main-beam Avoidance
3.4 Efficacy of Obfuscation Techniques - Simulation Results
3.4.1 Location Inference Attack - Random and Smart Adversary
3.4.2 Performance of Obfuscation Techniques
3.5 Trade-off between Location Privacy and Spectrum Utilization
3.6 Summary

4 Coexistence of NB-IoT and Radar Systems
4.1 Introduction
4.2 Narrowband IoT - Design Objectives
4.3 Shipborne Radar - SPN43

5 Coverage Analysis of NB-IoT in Shared Spectrum
5.1 Experimental Setup
5.1.1 LTE-CORNET testbed
5.1.2 Block Diagram and System Setup
5.2 NB-IoT BLER Performance - Experimental Results
5.2.1 Uplink BLER Performance
5.2.2 Uplink SINR Distribution
5.3 Irregular Terrain Model - Tool for Coverage Analysis
5.4 Coverage and Capacity Analysis of NB-IoT with Radar Interference
5.5 Summary

6 Conclusion

Bibliography

List of Figures

2.1 Relationship between incumbent detection, protection zone, and incumbent defined exclusion zone [1].

2.2 Region of operation of SU and corresponding SAS policy

3.1 Example of transfiguration. The contour with center at o is transfigured into an irregular polygon of N = 4 sides. The new boundary will be ABCD instead of the circular boundary.

3.2 Performance of random adversary in inferring the radar’s location. Color bar indicates probability of IU presence in a cell.

3.3 Localization performance of a random adversary and a smart adversary.

3.4 Privacy with enlarging only EZ.

3.5 Privacy with enlarging only AOC.

3.6 Privacy enlarging EZ and AOC.

3.7 Privacy with RTI false positives.

3.8 Privacy with MRTI false positives.

3.9 Privacy with RMA false positives.

3.10 Performance of random adversary in inferring the radar’s location when SAS obfuscates responses by RMA obfuscation. Color bar indicates probability of IU presence in a cell.

3.11 Performance of the obfuscation techniques in terms of position estimate uncertainty. Results shown are from extensive Monte Carlo simulation runs averaging over 1000 iterations of the inference algorithm for Q = 200 queries (or 200 colluding SUs).

3.12 Incorrectness vs. ASC for three obfuscation techniques which provide significant location privacy improvement with obfuscation. The data points for the lines are obtained at increasing obfuscation level in steps of 0.1. A linear fit of the data points is obtained to compare the efficacy of each of the techniques. RMA clearly performs the best in balancing the trade-off between spectrum utilization and location privacy.

4.1 Three modes of operation of NB-IoT

5.1 Plots from the Tektronix spectrum analyzer used as a measurement device in our experiments.

5.2 Block diagram of the experimental setup

5.3 BLER versus SINR (Uplink).

5.4 CDF of SINR.

5.6 Effect of radar interference on NB-IoT coverage.

List of Tables

2.1 Parameters to compute AOC boundary, R1

3.1 Parameters to compute area sum capacity

4.1 NB-IoT System Information

4.2 Radar characteristics

5.1 NB-IoT UL parameters

Chapter 1

Introduction

Current wireless networks and radar systems are designed to be operated according to a
static spectrum assignment policy as stipulated by the Federal Communications Commission
(FCC). This static allocation of spectrum to disparate wireless networks has resulted
in inefficient usage of spectrum. For example, the 3.5 GHz band (3550-3650 MHz), used
by federal shipborne radars for air traffic control and other critical military exercises, has
a mean spectrum occupancy of less than 40% [2]. On the other hand, the increasing need for
bandwidth and the growing use of mobile networks have led to spectrum congestion in commercial
mobile bands. To meet this growing demand for spectrum, the FCC in the United States (U.S.)
has considered a number of alternatives, including incentive auctioning and spectrum sharing.
The FCC as well as industry stakeholders have opined that spectrum sharing has a critical
role in meeting this demand for more spectrum. Yet, this sharing is a challenging problem,
as incumbent users need to be protected from harmful interference and privacy attacks that
can originate from the operation of other secondary systems in the shared band. Moreover,
studies have shown that the privacy of incumbent users can be jeopardized by malicious
secondary users in a spectrum-sharing setup enabled by database technologies [3]. A secure
and efficient sharing mechanism will thus involve protecting the privacy of the incumbent
user while effectively sharing the spectrum with secondary users. In this thesis, we first
illustrate how malicious secondary users can launch privacy attacks on incumbent systems;
later, we propose obfuscation techniques that can be used by the database administrator to
improve the privacy of incumbents.

The Internet of Things is poised to connect more than 20 billion devices by 2020 [4].
Numerous Low Power Wide Area Networking (LPWAN) technologies are being researched
to enable connectivity among these IoT devices. A recent and most promising such
standard is Narrowband IoT (NB-IoT), defined in Release 13 of the Third Generation
Partnership Project (3GPP). With recent reports hinting at the possible use of NB-IoT in the
3.5 GHz band, there is a pressing need to study the coexistence issues that can arise between
incumbent systems and NB-IoT in the 3.5 GHz band. In this thesis, we provide an analysis,
based on an experimental study, of the impact on NB-IoT coverage when it coexists with pulsed
radar. This analysis can help further research to mitigate the impact on entrant systems.

The rest of this introductory chapter is organized as follows. In Section 1.1, we introduce
coexistence studies between incumbent radars and commercial communication systems. We
also highlight the importance of incumbent privacy when the incumbent shares spectrum with
secondary users via database-driven technologies. In Section 1.2, we introduce the coexistence
between Narrowband IoT technology and pulsed radars. Specifically, we underline the
significance of performing extensive experimental studies to observe the impact of pulsed
radars on the design objectives of Narrowband IoT, and thereby on efficient sharing. Finally,
Section 1.3 summarizes the key contributions of this thesis and indicates the organization of
the following chapters.


1.1 Coexistence of Incumbent Radars and Communication Systems

Although using geolocation databases for spectrum sharing has many pragmatic advantages,
it also raises potentially serious operational security (OPSEC) issues. OPSEC is especially a
paramount consideration in the light of recent calls in the U.S. for spectrum sharing between
federal government (including military) systems and non-government systems (e.g., cellular
service providers). In this thesis, we explore the OPSEC, location privacy in particular, of
incumbent radars in the 3.5 GHz band. First, we show that adversarial secondary users (SUs)
can easily infer the locations of incumbent radars by making seemingly innocuous queries to
the database. Then, we propose several obfuscation techniques that can be implemented by
the database for countering the inference attacks. We also investigate the inherent tradeoff
between the degree of obfuscation and spectrum utilization efficiency. Finally, we validate
our discussions by providing results from extensive simulations.

1.2 Impact on Coverage of NB-IoT Systems in Spectrum Sharing

3GPP Release 13 has introduced a narrowband system, namely Narrowband Internet
of Things (NB-IoT), to provide low-power, wide-area cellular connectivity for the Internet
of Things. NB-IoT uses a design similar to Long Term Evolution (LTE), but it makes essential
modifications for reducing the device complexity. NB-IoT is optimized for machine-type
communications, and it aims to increase coverage, reduce overhead and reduce power
consumption while increasing capacity. In this thesis, we present our testbed-based
experimental study on the operation of NB-IoT systems in the presence of pulsed radar signals.
We leverage results from our experiments to provide a comprehensive analysis of the impact
on the coverage and capacity of an NB-IoT base station when it shares an uplink channel with
S-band pulsed radars. Our results indicate that the NB-IoT cell coverage is affected in the
presence of radar interference.

1.3 Contributions

The contributions of this thesis are as follows:

• We provide findings from our study on the location privacy of incumbent radars when
  they coexist with commercial SU systems through SAS-driven spectrum sharing. We
  demonstrate how an adversarial SU can employ a Bayesian learning-based inference
  algorithm to accurately localize a non-stationary radar system using only the information
  gathered from seemingly innocuous query replies obtained from a SAS.

• We propose several obfuscation techniques for countering location inference attacks,
  and illustrate their performance by using results from extensive simulations. We also
  present quantitative results that show the tradeoff between efficacy of obfuscation and
  spectrum utilization efficiency.

• We perform an extensive experiment-based feasibility study on the co-existence of
  NB-IoT system with pulsed radars.

• Our results indicate that, in the presence of radar interference, NB-IoT devices that
  are located at the cell edge will experience a shorter battery life because of increased
  retransmissions. Stated differently, in order to satisfy a predefined battery-life
  requirement, the NB-IoT cell coverage region should be reduced in the presence of radar
  interference.

1.4 Organization

The technical contributions of this thesis are covered in Chapters 2 through 5. Chapter 2
introduces the concept of operational security (OPSEC) of incumbent systems in spectrum
sharing. We define the system policy that the SAS and SUs use to share the spectrum, and
describe the potential attacks on such a database-driven sharing setup. In Chapter 3, we
also illustrate how a Bayesian inference algorithm can be utilized by malicious secondary
users to undermine the location privacy of incumbents. Moreover, obfuscation techniques to
strengthen the privacy of the incumbent are suggested, and the efficacy of each of these
techniques is discussed. Chapter 4 introduces the 3GPP Narrowband IoT (NB-IoT) technology
and the essential physical layer enhancements which help meet the IoT design objectives. A
brief introduction to the LTE-CORNET testbed is presented, and the experimental setup used to
perform coexistence studies between NB-IoT and radar is illustrated. In Chapter 5, we
introduce the Irregular Terrain Model (ITM) and apply it to conduct coverage analysis,
leveraging the experimental results from the testbed. The thesis concludes with Chapter 6,
which summarizes the key contributions and discusses promising future directions of research
in the coexistence of disparate wireless networks.
Chapter 2

Coexistence of Radar and Communication System

2.1 Introduction: Spectrum Sharing in the 3.5 GHz Band

Regulators as well as industry stakeholders have opined that spectrum sharing has a
critical role in meeting the explosive demand for more spectrum to support mobile broadband
applications [5]. In its recently published Report and Order [6], the U.S. Federal
Communications Commission (FCC) prescribed the creation of a Citizens Broadband Radio Service
(CBRS) in the 3.5 GHz band (3500 − 3700 MHz) to enable spectrum sharing between federal
and commercial systems. Specifically, the FCC has made available 150 MHz of previously
government-held spectrum to non-federal users via database-driven spectrum sharing.

The CBRS Report and Order prescribed the use of the Spectrum Access System (SAS) and
the Environmental Sensing Capability (ESC) to enable spectrum sharing. Here, SAS refers
to a network of geolocation databases (GDBs) and supporting infrastructure for enabling
spectrum sharing in the 3.5 GHz band. In this thesis, we will use the terms SAS and GDB
interchangeably, when appropriate. The SAS monitors the incumbent’s spectrum usage
information, and performs real-time aggregate interference computations by using the
geolocation of incumbent users (IUs) and secondary users (SUs). An ESC is envisioned to be a
network of dedicated sensor devices responsible for detecting IUs. The ESC detects incumbent
operations and reports them to the SAS. The SAS then uses this information to update the
spectrum availability information.

Although using GDBs for spectrum sharing has many pragmatic advantages, it also raises
potentially serious security and privacy issues. For instance, SUs, through a sequence of
queries to a GDB, can infer critical operational attributes of federal systems, such as their
geolocation, transmission parameters, etc. [3]. The term operational security (OPSEC) is
often used to refer to the protection of such sensitive information from unfriendly or
adversarial entities.

OPSEC is an especially important consideration in light of recent calls in the United
States for spectrum sharing between federal government (including military) systems and
non-government systems [7]. Many incumbent systems operating in the 3.5 GHz band are
military systems, including shipborne radars. In SAS-driven spectrum sharing, an adversary
may legitimately collect multiple query responses from a SAS and use them to make inferences
about an incumbent system’s operational attributes [8, 9]. We use the term “database
inference attack” to refer to such attacks.

Operational security (OPSEC) has been identified as one of the critical obstacles in realizing
federal-commercial spectrum sharing in the U.S., and a number of research and standardization
efforts have been launched recently to address the problem. In 2015, the Wireless
Innovation Forum created the Spectrum Sharing Committee, which serves as a common industry
and government standards body to support the development and advancement of
advanced spectrum sharing technologies [10]. The Security Requirements Working Group,
which is one of the Working Groups within the Spectrum Sharing Committee, has been
charged with defining the OPSEC requirements, including location privacy, as well as the
communications security requirements for spectrum sharing ecosystems. Moreover, under
the auspices of the Defense Advanced Research Projects Agency’s (DARPA’s) Shared Spectrum
Access for Radar and Communications (SSPARC) program [11], research teams from
industry and academia are developing techniques for addressing OPSEC in the context of
spectrum sharing between military radars and commercial communications systems.

In this thesis, we provide findings from our study¹ on the location privacy of incumbent
radars when they coexist with commercial SU systems through SAS-driven spectrum sharing.
We demonstrate how an adversarial SU can employ a Bayesian learning-based inference
algorithm to accurately localize a non-stationary radar system using only the information
gathered from seemingly innocuous query replies obtained from a SAS. In addition, we propose
several obfuscation techniques for countering location inference attacks, and illustrate
their performance by using results from extensive simulations. We also present quantitative
results that show the tradeoff between efficacy of obfuscation and spectrum utilization
efficiency. In the later parts of the thesis we discuss the blind spot privacy of incumbent
radar systems in spectrum sharing.

¹ A part of Chapters 2 and 3 has been published as a conference paper [12] and is reprinted
here with permission from IEEE.

The effectiveness of the dynamic spectrum sharing regime depends on proper spectrum
sharing authorization and management among the users that operate in the shared band.
In Sections 2.2 and 2.3, we discuss the recent developments in CBRS OPSEC and present
the policy used by the Spectrum Access System (SAS) to enable spectrum sharing between
incumbent radar systems and commercial systems. We define the secondary user (SU) request
protocol and the SAS response format. Also, we define and derive pragmatic values of the
spatial separation regions that protect the incumbent from SU-induced interference. Later, in
Section 2.5, we define the metrics to quantify the location privacy of incumbent users in
spectrum sharing. Section 2.6 introduces the concept of the Smart Adversary, and finally
Section 2.7 defines a more refined metric to measure location privacy.

2.2 Recent Developments in CBRS OPSEC

The FCC, in the recent notice of proposed rulemaking [6], prescribed the creation of the
Citizens Broadband Radio Service (CBRS) to enable spectrum sharing between federal incumbent
systems and commercial systems. The rulemaking governs sharing of the 3.5 GHz band by
defining a SAS which organizes interference protection for incumbents and devices (Citizens
Broadband Service Devices, or CBSDs) operating in the Priority Access License (PAL) tier
and the General Authorized Access (GAA) tier. CBRS operational privacy encompasses the
operational privacy of the CBRS constituents, viz., Spectrum Access Systems (SASs),
Environmental Sensing Capabilities (ESCs) and Citizens Broadband Service Devices (CBSDs),
together with cybersecurity (protection of data exchanged). The Spectrum Sharing Committee
[10], which serves as a common industry and government standards body to support the
development of spectrum sharing technologies in the 3.5 GHz band, has set requirements [1]
for operational security, presented in the sections below.

2.2.1 Operational Security Requirements

ESC Requirements

Environmental Sensing Capability (ESC) is a network of dedicated listening devices deployed
within the exclusion zones of an incumbent system. The ESC detects an incumbent activity
from within the EZ and communicates with SAS to reduce the aggregate interference at
incumbent’s location. Figure 2.1 shows the ESC incumbent detection activity and
communication with the SAS to enable dynamic protection zones.

Figure 2.1: Relationship between incumbent detection, protection zone, and incumbent
defined exclusion zone [1].

The ESC shall meet the following requirements:

• Sensors shall not store or transmit any time-series data for detected incumbent signals.

• Sensors shall not store or transmit any incumbent radar signal characteristics other
  than the minimum required for incumbent radar activity determination.

• Sensors shall not tag incumbent detections with time stamps whose precision is
  sufficient to enable geolocation techniques such as Time Difference of Arrival (TDoA).

• Sensors shall only report quantized received signal strength indication (RSSI)
  measurements.

• Sensors shall not employ highly directional antennas for purposes of precision angle of
  arrival (AoA) estimation.

These requirements are intended to prevent the ESC from performing precise geolocation.
Lacking phase coherency and highly directional antennas, the ESC will be unable to employ
direction of arrival / angle of arrival techniques to locate the incumbent user.

ESC Position Estimate Uncertainty

To preserve the operational privacy of incumbents, ESCs and SASs should not reveal any
information pertaining to the movement or position of incumbent systems. To ensure this, ESC
operators and SAS administrators must assure that, at all points of the design, the location
of an incumbent cannot be accurately estimated or tracked (assuming the adversary has all the
side knowledge). Given the proposed ESC design constraints and performance requirements, the
SSC proposes a position estimate uncertainty of approximately 65 nmi or 120 km.

Protection Zone Activation

SAS monitors the aggregate interference to the incumbent user and reassigns spectrum grants
to CBSDs from channels causing interference to those that would not cause interference.
Given that SAS administrators must make anonymized spectrum grant information publicly
available, SAS should make it difficult to infer information about incumbent activity from
publicly available data.

SAS realizes this by seeking to reduce the correlation between grant reassignments and
geographic regions. This is accomplished in the following ways:

• reassigning all users in a pre-defined protection zone to a new channel using
  pre-computed interference criteria; or

• randomly reassigning a subset of users over one or more protection zones to a new
  channel in sufficient number to meet real-time estimates of interference criteria.

Regardless of the approach used, the probability density of channel reassignments shall be
kept uniform to minimize fidelity of any information regarding incumbent activity.

Exclusion/Protection Zone Activation Obfuscation

The FCC will, as necessary, add or modify Exclusion Zones or Protection Zones to protect
current, future and temporary operations by federal Incumbent Users. Such modifications
will be communicated to the SAS along with the expiration date and time of any
modification. Activation drills may be used by the FCC and/or DoD to obfuscate actual
Exclusion/Protection Zone modifications. SAS providers shall enforce Exclusion/Protection
Zone modifications due to FCC or DoD Activation Drills, e.g., reassign CBSD frequencies
as necessary given the modified Exclusion Zones or Protection Zones.

Obfuscating Incumbent Episodes

The time interval between when an incumbent activity first and last crosses the minimum
threshold for ESC detection is defined as an incumbent episode. To preserve incumbent
OPSEC, temporal obfuscation of incumbent episode may be performed by waiting a random
time duration after the incumbent activity ends before reporting to SAS.

Authorization Limiting

Continual queries to the SAS requesting spectrum grants may allow adversarial users to map
incumbent activity. To address this, SAS providers will implement authorization limiting
techniques when assigning spectrum grants to users. These techniques include:

• to the extent possible, provide the same CBSD device the same allocation to avoid
  repeated catch and release adversary tactics; and

• do not authorize more spectrum than can be reasonably used by a CBSD device in
  multiple, fragmented authorization requests; and

• impose a minimum time separation between CBSD spectrum requests from the same
  CBSD device but at locations separated by more than 50 m (horizontal) and/or 3 m
  (vertical).

Colluding CBSD devices or devices with multiple virtual identities can allow an adversary
to increase the rate at which they make requests. This threat shall be principally addressed
through robust enrollment and revocation procedures.

Channel Availability Lists

SAS is permitted to provide CBSDs with a range of available frequencies, allowing the
CBSDs to select and utilize a subset of these available channels. An OPSEC concern is
that the SAS provided list of available channels could be used by an adversary to determine
the incumbent frequency. For instance, if the SAS provided list excludes the incumbent
frequency, an adversary may be able to infer information regarding the incumbent frequency.

One approach to obfuscate the incumbent frequency is for SAS, in the CBSD Spectrum
Request procedure, to provide the CBSDs with a set of available frequencies that sometimes
or always includes the incumbent frequency. If the CBSD grant request then includes operation
on the incumbent frequency, SAS may direct that CBSD to choose a different frequency
from a revised set of available channels that does not include the incumbent frequency. Thus,
after SAS directs the CBSD to report its channel use and the chosen channels include the
incumbent frequency, SAS can redirect the CBSD to a new frequency. To avoid having this
frequency reassignment reveal information regarding the incumbent frequency, SAS could
randomly choose to direct CBSDs to new frequencies even if the utilized frequency is not an
incumbent frequency.

2.3 SAS’s Incumbent User Protection Rules

Assume that the region served by a SAS is divided into an M x N grid of square cells, c(i, j),
where 1 ≤ i ≤ M is the row index and 1 ≤ j ≤ N is the column index. We assume that the
adversary is a single mobile SU that can move throughout the region governed by the SAS,
and send queries to the SAS. Alternatively, we can assume that the adversary represents a
group of colluding stationary SUs that are located throughout the region. In the chapters
that follow, we use the terms “number of queries” (from a mobile SU) and “number of
colluding SUs” (which are stationary) interchangeably, wherever applicable. We also assume
that there is a non-negligible time gap between two queries of a SU such that the SAS has
enough time to update its knowledge about the user before responding to another query
from the same user. There are a total of C channels, and the SAS may allow SUs to access
those channels if it determines that SU transmissions do not cause harmful interference to
the IUs. We also assume that the SAS dictates SUs’ access to the spectrum to protect an
incumbent radar (within the SAS’s governance region) from SU-induced interference.

2.3.1 Spatial Separation Regions and SAS-SU Query Protocol

One of the most important roles of a SAS is to protect IUs from SU-induced interference, and
the primary ex-ante approach employed by a SAS is the use of Exclusion Zones (EZs) [13].
An EZ is a spatial separation region defined around a IU, where co-channel transmissions,
and also possibly adjacent-channel transmissions, from SUs are prohibited. In this study,
we consider an EZ for protecting radar incumbents that prohibits both co-channel as well as
adjacent-channel transmissions inside the EZ. This is to enable interference rejection from
a secondary device operating on a different channel but within joint tunable bandwidth of
radar.

Typically, radars have a very small transmission beam-width (angular range of the antenna-
pattern in which at least half of the maximum power is emitted) and are highly directional.
For example, the SPN-43, which is a shipborne radar used by the U.S. Navy for air traffic
control, has a horizontal beam-width of approximately 1.75° and antenna gain of 32 dBi [14].
To afford more spectrum access opportunities to the SUs, we assume the declaration of an
Area of Control (AOC) immediately outside the EZ. In the AOC region, SUs are allowed
to transmit in the channels occupied by the radar, but they are required to pause their
transmissions when the main beam of the radar crosses them. This coexistence mechanism
is referred to as “main beam avoidance” (MA). Recent industry research has shown that MA
is extremely effective in enabling coexistence of radar and communication systems [15].

Figure 2.2: Region of operation of SU and corresponding SAS policy

Figure 2.2 describes our system model. EZ lies in the immediate vicinity of the incumbent
radar where no SU transmissions are allowed. Outside the EZ lies the AOC region where SUs
are required to implement MA for co-channel transmissions. MA is not required in the AOC
for non-co-channel transmissions. SUs operating in the UAZ have completely unrestricted
access to spectrum. For simplicity, we consider concentric circles to define the EZ (radius =
R0 ) and AOC (radius = R1 ) boundaries.

2.3.2 SU Query and SAS Response Format

Access to spectrum is authorized after successful communication and registration with the
geolocation database that SAS will use. In a well defined spectrum access protocol, the
spectrum query request should at least contain the device identifier, geolocation, radio
technology and device capabilities of the querying device. Geolocation is described by including
the position coordinates, the radio technology is described by the antenna specifications,
and the device capabilities are described by specifying the capabilities that the device can
support. These parameters are important as they directly affect the database responses.

Prior to transmission, a SU queries the database with a query, Q = (IDi , loci , Ai ) where
IDi is the unique identifier of the SU, loci = (xi , yi ) are its location coordinates, and Ai
denotes antenna attribute information. After authenticating the SU, the database checks
the availability of all C channels at the SU’s location. Next, the database responds with a
response R = (chk , tk , ∆tk , τk , ζk , Pk ), where chk denotes the channel, tk is the time duration
for which the SAS response is valid, ∆tk is the time interval between SU’s query and start
of the first MA event (when MA is enabled), τk is the time period between successive MA
events (equal to the rotation time period of radar), ζk is the time duration of MA (i.e., dwell
time) which is a non-zero value when MA is enforced, and Pk denotes a binary variable which
is 1 when the SU is allowed to transmit on channel chk and 0 otherwise.

The SAS’s response to a SU querying from a location that is d distance away from the radar
is prescribed as follows.

• Case 1: d < R0 . Transmissions are not allowed.

• Case 2: R0 < d < R1 . Co-channel SUs are allowed to transmit, but MA has to be
  employed. Non-co-channel SUs can transmit without any restrictions.

• Case 3: d > R1 . SUs have unrestricted access to all channels.

We assume that the SAS’s incumbent protection policy (as defined above) is publicly
available, and that an adversary has knowledge of the EZ and AOC boundaries shown in
Figure 2.2.

Mainbeam Avoidance Duration, ζ

From the previous section, we saw that SUs in the AOC region have to perform mainbeam
avoidance for a finite time interval each time the radar main-beam crosses. Below is a
simple function which describes the SAS dwell time (MA time duration) assignment to SUs
depending on their distance d from the IU.

$$
\zeta_k =
\begin{cases}
0, & d > R_1 \\
\zeta, & R_0 < d < R_1 \\
\infty, & d < R_0
\end{cases}
\tag{2.1}
$$

Note that the value of ζ is the same for all SUs in the AOC region. Let us consider an SU at a
distance d, R0 < d < R1 , from the IU, and let τ be the rotation period of the IU and θ be the
horizontal beam width of the radar. Dwell time is the time required by the radar main beam
to cross the SU,

ζ= , (2.2)
vb
where vb = 2πd/τ is the radial speed at distance d. The above equation can be simplified to

θτ
ζ= (2.3)

Recall from the previous section that the SAS’s incumbent protection policy is publicly
available, and an adversary has knowledge of the EZ and AOC boundaries. We observe that
an adversarial SU can exploit the information gained from SAS response, specifically the MA
time duration to infer the incumbent’s location. This is called a location inference attack
and discussed in detail in subsequent chapters.

2.3.3 Exclusion Zone and Area Of Control Boundaries

The exclusion zone is defined in the immediate vicinity of the IU, where co-channel and
adjacent-channel transmissions are prohibited. This region is imposed to reject devices
whose transmission, even if on a different channel (than the IU), can cause interference at the IU
owing to the channel selectivity of the receiver. In [16], the authors studied the interference
caused to an S-band radar (a specific type of radar that operates in the 3.5 GHz band) from
an OFDM-based communication system. Results from [16] show that for S-band radars a
spatial separation of approximately 50 km for co-channel operation is required. We borrow
results from this study and set the R0 boundary radius to 50 km.

Bhattarai et al., in [17], devised a tool for computing the protection boundary of a IU
based on aggregate interference from SUs. More specifically, the protection boundary is
computed using a simplified log-normal shadowing propagation model and assuming a
well defined IU protection threshold. While this technique is not as accurate as the ITM
propagation model, it provides us with a pragmatic estimate of the AOC boundary (R1 ) to
carry out location inference simulations.

The area of control (AOC) boundary R1 is derived using a propagation model with exponential
path loss and log-normal shadowing. Beyond a reference distance d0 , the dB path
loss (PL ) in the channel that links the SU and IU is,

$$ P_L = a + b \log_{10} d + \psi, \tag{2.4} $$

where $a = P_L(d_0) - b \log_{10} d_0$, $P_L(d_0)$ is the path loss at the reference distance in dB, b = 10γ,
where γ is the path loss exponent, d is the distance between SU and IU in meters, and ψ is
the log-normal shadowing coefficient with zero mean and variance σ².

Based on the interference protection requirement of the IU, the radius of the AOC boundary can be
calculated using the IU interference threshold, outage probability and path loss equations.

$$ \epsilon = P(I_{SU} \ge I_{th}) = Q\!\left(\frac{I_{th} - \tilde{I}_{SU}}{\sigma}\right), \tag{2.5} $$

where $\epsilon$ is the IU outage probability, $I_{th}$ the IU interference threshold and $\tilde{I}_{SU}$ is the mean
interference power given as

$$ \tilde{I}_{SU} = P_{ts} - a - 10\gamma \log_{10} R_1, \tag{2.6} $$

where $a = 10\gamma \log_{10}\left(\frac{4\pi f}{c}\right)$. The value

$$ R_1 = 10^{\frac{\sigma Q^{-1}(\epsilon) + P_{ts} - a - I_{th}}{10\gamma}} \tag{2.7} $$

The table below shows the parameters used to calculate the distance R1 . Using Equation 2.7
with the values from Table 2.1, the value of R1 is computed as approximately 110 km. We
use this value of R1 for our simulations.

Table 2.1: Parameters to compute AOC boundary, R1

Parameter                                   Value
Radio frequency, f                          3.55 GHz
Radar transmit power, Pr                    60 dBW
γ (Path loss exponent)                      2.5
Standard deviation of shadow fading, σ      3 dB
SU radiation pattern                        Omni-directional
SU transmit power, Pts                      22 dBm
IU outage probability, ε                    0.01
Interference threshold, Ith                 -110 dBm

In this chapter, we describe how an adversary can infer the location of an incumbent radar
using a series of queries to a SAS, which by themselves do not directly reveal the radar’s
location. Later in the section, we define a metric to quantify location privacy, and present a
strategy that an adversary can employ to minimize the number of queries (to the SAS) that
is required to accurately infer the radar’s location.

2.4 Location Inference attack- Using Bayesian Inference for IU Localization

Let $E_{ij}^{(k)}$ be a Bernoulli random variable that represents existence of the radar in cell c(i, j)
operating on channel chk . Specifically, let $P(E_{ij}^{(k)} = 1) = p_{ij}^{(k)}$ and $P(E_{ij}^{(k)} = 0) = 1 - p_{ij}^{(k)}$.
The adversary infers the location of a IU operating on channel chk using the value $p_{ij}^{(k)}$. Let
us assume that the adversary has no side information; therefore, it initializes $p_{ij}^{(k)} = \frac{1}{MN}$
∀ i, j and k. After receiving each query reply from the SAS, the adversary sequentially updates
the value of $p_{ij}^{(k)}$ for a group of cells. If the value of $p_{ij}^{(k)}$ exceeds a threshold, δ, the adversary
infers that there is a IU in cell c(i, j) that operates on channel chk . To update the values of
$p_{ij}^{(k)}$, the adversary uses the following procedure.

After querying the SAS and obtaining the corresponding response, R = (chk , tk , ∆tk , τk , ζk , Pk ),
the adversary uses the channel information, chk , and MA time duration, ζk , to extract
information about the locations of IUs. For each channel, chk , where 1 ≤ k ≤ C, the adversary’s
inference for all possible cases is as follows:

• Case 1: Channel chk is not available. The unavailability of channel chk implies that
  there is a radar within a distance of R0 from the SU. We define the term p-cells to refer
  to cells which have non-zero probability of IU presence. In this case, the adversary
  updates $p_{ij}^{(k)}$ values for p-cells (all candidate cells that are within R0 distance from the
  query location) as follows:

  Let χ denote the number of p-cells for channel chk , H denote the event of hypothesizing
  the existence of a radar in a cell c(i, j) and O denote the event in which the adversary
  observes the presence of a radar in a cell c(i, j). Then, according to Bayes’ rule, the
  posterior probability P (H|O) can be computed as

  $$ P(H|O) = \frac{P(O|H)P(H)}{P(O|H)P(H) + P(O|H^C)P(H^C)} = \frac{p_{ij}^{(k)}}{1 - \frac{1}{\chi}\left(1 - p_{ij}^{(k)}\right)} \tag{2.8} $$

  Here, $P(H^C) = 1 - P(H)$. For the cells that are within distance R0 , the adversary
  updates $p_{ij}^{(k)}$ to P (H|O), but it does not change the $p_{ij}^{(k)}$ values for other cells.

• Case 2: Channel chk is available, and MA is enforced. The response in this case will be
  R = (chk , tk , ∆tk , τk , ζk , Pk ) where ζk > 0. The adversary infers that there is no radar
  within distance R0 , but there exists a radar at a distance between R0 and R1 from the
  query location. Assuming that there are χ cells in the annular region that is defined
  by R0 and R1 from the querier, the adversary updates $p_{ij}^{(k)}$ values using Equation (2.8).
  The adversary sets $p_{ij}^{(k)} = 0$ for the cells within distance R0 from the querier.

• Case 3: Channel chk is available without any restrictions. The SAS response is
  R = (chk , tk , ∆tk , τk , ζk , Pk ) with ζk = 0. The adversary infers that there is no radar
  within distance R1 from its location. However, this reply reveals no information about
  the possible presence of radars beyond distance R1 . The adversary sets $p_{ij}^{(k)} = 0$ for
  the cells within distance R1 from the querier and does not change the $p_{ij}^{(k)}$ values for
  the other cells.

2.5 Metrics for Location Privacy

In order to study the efficacy of the aforementioned location inference attack, we need to
define a metric to quantify the location privacy. Previous studies, including [3] and [18] , have
concluded that incorrectness, i.e., the expected distance between the location inferred by the
adversary and the true location, is the most appropriate metric to quantify location privacy.
In this section, we present some metrics to quantify the location privacy of incumbents and
justify why incorrectness is the best metric to quantify location privacy.

Assume that $Y_{ij}^{(k)}$ denotes the database’s knowledge about the presence of a IU that operates
on a channel chk in cell c(i, j). $Y_{ij}^{(k)}$ is a deterministic function that is equal to 1 if a IU
exists in a cell c(i, j) that operates on channel chk , and is 0 otherwise. Recall that $X_{ij}^{(k)}$ is a
Bernoulli random variable defined as

$$
X_{ij}^{(k)} =
\begin{cases}
1, & \text{if IU exists in } c(i, j) \\
0, & \text{otherwise}
\end{cases}
\tag{2.9}
$$

This random variable represents the attacker’s estimation of $Y_{ij}^{(k)}$. Using these notations, we
define three different metrics for location privacy.

2.5.1 Uncertainty

Suppose o denotes the observed sensory information (i.e., database’s reply to the query), the
attacker’s extracted information is in the form of p(x|o), which is a probability distribution
for the possible values of the IU’s location given the observed information. Uncertainty is
the ambiguity of this posterior distribution with respect to finding a unique answer (note
that a unique answer need not be the correct one). The uncertainty is maximized if the
result of a location inference attack is a uniform distribution of the locations. We employ
the concept of entropy to define $h_{ij}^{(k)}$, which is the attacker’s uncertainty about the presence
of a IU that operates on channel chk in cell c(i, j) as follows:

$$ h_{ij}^{(k)} = -p_{ij}^{(k)} \log\left(p_{ij}^{(k)}\right) - \left(1 - p_{ij}^{(k)}\right) \log\left(1 - p_{ij}^{(k)}\right) \tag{2.10} $$

Therefore, the total uncertainty about the location of IUs that are operating on channel chk
is:

$$ H_{ij}^{(k)} = \sum_{i=1}^{M} \sum_{j=1}^{N} h_{ij}^{(k)} \tag{2.11} $$

We contend that uncertainty, which is a widely used metric for measuring privacy, is not
suitable for location privacy of IUs. The justification for this conclusion is that the metric
does not accurately quantify the privacy level when the attacker has a high level of certainty
about an incorrect distribution.

2.5.2 Inaccuracy

Because the attacker does not have infinite resources, the result of a location inference attack
is only an estimate, p̂(x|o), of the posterior distribution, p(x|o). Inaccuracy is the discrepancy
between the distributions p(x|o) and p̂(x|o). Mathematically, we define inaccuracy as:

$$ IA_{ij}^{(k)} = \sum_{i=1}^{M} \sum_{j=1}^{N} \left(p_{ij}^{(k)} - Y_{ij}^{(k)}\right)^2 \tag{2.12} $$

Inaccuracy is not appropriate for measuring the veracity of an adversary’s estimate of the
IU’s geolocation because it does not take into account the distance between the true location
and the estimate.

2.5.3 Incorrectness

It is shown that uncertainty and inaccuracy are indirect measures for location privacy and
can only be used to quantify the location privacy of a user relatively [3]. Alternatively, the
database can calculate the distance (or expected distance) between the location inferred by
the attacker and the true location. This distance is called the incorrectness of the attack,
and we have shown in [3] that it is the most appropriate metric for quantifying location
privacy.

In this report, we use the same metric for quantifying the IUs’ location privacy. The location
privacy for IUs, IC, is defined as:

$$ IC = \sum_{k=1}^{C} \sum_{i,j} p_{ij}^{(k)} d_{(i,j)}, \tag{2.13} $$

where $p_{ij}^{(k)}$ is the probability of the existence of a IU operating on channel chk in cell c(i, j),
and $d_{(i,j)}$ is the distance between the cell c(i, j) and the location of the nearest IU operating
on channel chk .

2.6 Location Inference - Smart Adversary

The adversary aims to maximize the location information obtained from each query response,
and hence minimize the total number of queries required for achieving a desired level of
inference. To achieve this goal, the adversary implements an optimal strategy for choosing
the query locations. Intuitively, the best query location, loc∗ , is the one that minimizes the
expected incorrectness. Now, let us proceed towards finding loc∗ . Given a query location,
loc, the conditional expected incorrectness for an arbitrary response, R, and an arbitrary
incumbent’s location, IUloc , is given as

$$ E[IC \mid loc, R, IU_{loc}] = IC(I, IU_{loc}), \tag{2.14} $$

where E[.] denotes the expectation operator, $I = u(I^{(-1)}, R)$ is an inference matrix that
represents the updated inference probabilities, $p_{ij}^{(k)}$, after observing R, and $u(I^{(-1)}, R)$ is a
function (the location inference algorithm) that updates the previous inference matrix, $I^{(-1)}$,
to I after observing R. The above equation can be written as

$$ E[IC \mid loc] = \sum_{R} \sum_{IU_{loc}} P(R \mid loc)\, IC(I, IU_{loc})\, P(IU_{loc}) \tag{2.15} $$

Then, the optimal query location, loc∗ , is the one that minimizes E[IC|loc].

$$ loc^{*} = \arg\min_{loc} E[IC \mid loc] = \arg\min_{loc} \sum_{R} \sum_{IU_{loc}} P(R \mid loc)\, IC(I, IU_{loc})\, P(IU_{loc}) \tag{2.16} $$

The adversary solves Equation (2.16) to determine the next query location in each iteration
of the inference algorithm. Henceforth, we will use the term “random adversary” to refer to
an adversary that queries from randomly chosen locations, and the term “smart adversary”
to refer to an adversary that computes loc∗ (given by Equation (2.16)) to select query locations.

2.7 Position Estimate Uncertainty

The incorrectness metric (Section 2.5.3) excels at quantifying the adversary’s overall ability to infer a
given target’s location (with or without obfuscation), but it does not provide a clear
assessment of the accuracy of the adversary’s estimate in localizing the target. For this reason,
we devise a second metric called position estimate uncertainty (PEU). PEU is defined as
the mean distance between the adversary’s best location estimate and the incumbent’s true
location. PEU is computed as:

$$ PEU = \frac{1}{|B|} \sum_{c_{ij} \in B} d_{ij}, \tag{2.17} $$

where B is defined as the set of cells whose pij value is the maximum value among all cells in
the current iteration of the inference process. We compare the location inference performance
of the adversary using incorrectness and PEU in Chapter 3.
Chapter 3

Analysis of Obfuscation Techniques to Protect Incumbent Privacy

In this chapter, we propose obfuscation techniques that can be implemented by the SAS
to counter the location inference attack, and later analyze the efficacy of the techniques in
improving privacy while safeguarding SUs’ spectrum utilization. Sections 3.1-3.3 define the
various obfuscation techniques that strengthen the privacy of the incumbent user. Section 3.4
first illustrates the location inference as launched by both a random and a smart adversary,
and then describes the efficacy of the proposed obfuscation techniques. Simulation results on
the tradeoff between privacy and spectrum utilization in the radar-communication spectrum
sharing study are presented in Section 3.5.

3.1 Enlarging the Exclusion Zone or Area of Control

A straightforward obfuscation technique to counter an adversary’s attempt to localize an
incumbent radar is to extend the boundary of exclusion or protection zones. For instance, the
areas of the EZ and AOC can be enlarged by increasing R0 and R1 to R0′ = R0 (1 + ε) and
R1′ = R1 (1 + ε), respectively, where ε is a non-negative value that denotes the amount of increase
in the EZ’s or AOC’s radius. Note that ε cannot be negative, otherwise, the incumbent
protection requirement may not be satisfied. In the next chapter, we present simulation
results that show the obfuscation efficacy of three different approaches: (1) enlarging the
EZ while keeping the AOC fixed (EEZ); (2) enlarging the AOC while keeping the EZ fixed
(EAOC); and (3) enlarging both the EZ and AOC (EEZ-AOC).

3.2 Perturbation with Transfiguration

Another form of obfuscation is to perturb the shape of the protection contours. Replacing
the circular or non-circular protection contour with random shapes that envelop the actual
protection contour will increase the location privacy of IUs. Below we present the algorithm
to transfigure the boundaries for preserving the location privacy of IUs. This algorithm
replaces the protection contour of a IU with an irregular N-sided polygon. The value N
controls the level of privacy, i.e., a smaller value of N guarantees a higher level of privacy
but reduces efficiency of spectrum utilization by the SUs. As N → ∞, the irregular polygon
approaches the original shape of the protected contour.

3.3 Random False Positives

Another obfuscation strategy is to enable the SAS to randomly mix false positive replies with
true replies when responding to SU’s queries. Let us define a parameter fpr that denotes
the probability that a SU query is replied with a false positive response. In the spectrum
sharing model that is being considered in this study, there are three ways of creating false
positive replies, as explained below.

Figure 3.1: Example of transfiguration. The contour with center at o is transfigured into an
irregular polygon of N = 4 sides. The new boundary will be ABCD instead of the circular
boundary.

Algorithm 1 Algorithm to transfigure the circular contour

procedure GetRandomPoly
    Input: Circular protected contour Cu of Incumbent user u, number of polygon sides N
    Output: Coordinates of vertex of an N-sided irregular polygon
    Divide Cu to N arcs of equal size, i.e., each arc is 360/N degrees.
    Choose a random point qi on each arc i
    for each i do
        Compute li , the tangent line to Cu at point qi .
    end for
    for each i do
        Compute Mi , the point of intersection between li and li+1 , where lN+1 = l1 .
    end for
    return the set of coordinates Mi .
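Algorithm 1 (GetRandomPoly) as a runnable sketch, added here as an example and not taken from the thesis. The `max_stretch` cap, the function names and the sample contour are assumptions of this example: Algorithm 1 places no bound on how far a vertex may fall from the contour, and two random tangent points close to 180° apart push a vertex arbitrarily far out, which costs SUs spectrum.

```python
import math
import random


def tangent_intersection(center, radius, a, b):
    """Intersection of the tangents to the circle at angles a and b (radians).

    For 0 < b - a < pi the tangents meet on the bisector of the two contact
    points, at distance radius / cos((b - a) / 2) from the centre.
    """
    r = radius / math.cos((b - a) / 2.0)
    mid = (a + b) / 2.0
    return (center[0] + r * math.cos(mid), center[1] + r * math.sin(mid))


def get_random_poly(center, radius, n, rng, max_stretch=2.0, max_tries=1000):
    """Vertices M_i of a random n-sided polygon whose edges are tangent to the circle.

    max_stretch (assumption of this example) caps vertex distance / radius;
    draws that exceed it are rejected and resampled.
    """
    if n < 3 or max_stretch <= 1.0:
        raise ValueError("need n >= 3 and max_stretch > 1")
    arc = 2.0 * math.pi / n
    max_gap = 2.0 * math.acos(1.0 / max_stretch)  # always below pi
    for _ in range(max_tries):
        # One random contact point q_i on each of the n equal arcs.
        angles = [(i + rng.random()) * arc for i in range(n)]
        # Angular gap from q_i to q_(i+1), wrapping so that l_(n+1) = l_1.
        gaps = [(angles[(i + 1) % n] - angles[i]) % (2.0 * math.pi) for i in range(n)]
        if max(gaps) <= max_gap:
            return [tangent_intersection(center, radius, angles[i], angles[i] + gaps[i])
                    for i in range(n)]
    raise RuntimeError("no polygon within max_stretch; raise max_stretch or n")


def is_circumscribed(poly, center, radius, tol=1e-6):
    """True if every edge line is tangent to the circle and no vertex lies inside it."""
    for i in range(len(poly)):
        (x1, y1), (x2, y2) = poly[i - 1], poly[i]
        cross = (x2 - x1) * (center[1] - y1) - (y2 - y1) * (center[0] - x1)
        edge_dist = abs(cross) / math.hypot(x2 - x1, y2 - y1)
        if abs(edge_dist - radius) > tol:
            return False
        if math.hypot(x2 - center[0], y2 - center[1]) < radius - tol:
            return False
    return True


def area_overhead(poly, radius):
    """Polygon area divided by the area of the original circular contour."""
    twice_area = sum(poly[i - 1][0] * poly[i][1] - poly[i][0] * poly[i - 1][1]
                     for i in range(len(poly)))
    return abs(twice_area) / 2.0 / (math.pi * radius ** 2)


if __name__ == "__main__":
    rng = random.Random(2017)          # constructed sample input
    for n in (4, 8, 64):
        poly = get_random_poly((0.0, 0.0), 50.0, n, rng)
        print(n, is_circumscribed(poly, (0.0, 0.0), 50.0),
              round(area_overhead(poly, 50.0), 4))
```

The area overhead is the spectrum cost of the obfuscation: it falls towards 1 as N grows, matching the privacy versus utilization trade-off described for N.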

3.3.1 Randomized Transmit Inhibition

Recall from Section 2.4 that an adversarial SU that is not allowed to transmit at its location
infers the presence of a radar within a distance R0 from the query location. One
straightforward way to obfuscate the radar’s location is to select fpr fraction of the queriers at random
and prohibit them from transmitting, irrespective of their location. This “false positive”
can trick the adversary into thinking that a radar is located within a distance of R0 from
the query location, which is not true. Let us use the term Randomized Transmit Inhibition
(RTI) to refer to this obfuscation technique.

3.3.2 Moderated RTI

Note that RTI is very disruptive in the sense that it restricts SUs from transmission
opportunities, irrespective of their location. This adversely affects the spectrum utilization of
the SUs. A less disruptive approach is to prohibit randomly selected queriers from
transmitting, only if they are located in the AOC region. Recall that according to the database
protocol described in Section 2.3.1, co-channel SUs that operate in the AOC region would
need to implement MA each time the radar main beam crosses it. However, moderated RTI
(MRTI) prohibits fpr fraction of the queriers (chosen at random from the AOC region) from
transmitting, although allowing them to transmit with MA would not have caused harmful
interference to the incumbent radar. An adversarial SU receiving the obfuscated response
(using MRTI) in the AOC region is tricked into believing that the radar is located within
R0 from the query location, whereas in fact, the radar is located at a distance between R0
and R1 from the query location.

3.3.3 Randomized Main-beam Avoidance

In our model, SUs have unrestricted access (no MA required) to the spectrum if they are
outside the AOC. The third approach for creating a false positive reply is to mandate SUs,
that query from locations outside the AOC, to invoke MA for a non-zero time duration. We
refer to this obfuscation technique as Randomized MA (RMA). Note that this technique has
less impact on spectrum utilization efficiency compared to RTI or MRTI, since the SUs (that
receive a false positive reply) are not completely prohibited from transmitting, but instead
mandated to adopt a short transmission blanking interval which is commensurate with the
horizontal beam-width of the radar.
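A leakage harness a SAS designer can use to compare RTI, MRTI and RMA, added here as an example and not the thesis's simulation code. It applies the Case 1-3 updates of Section 2.4 with Equation (2.8) and scores the result with the incorrectness metric of Equation (2.13). Assumptions of this example: a single channel, 0-indexed cells, the boundary convention d < R0 for the EZ and R0 ≤ d < R1 for the AOC, and all function names.

```python
import math
import random

# Grid and radii from the page: 3 km cells, R0 = 50 km (EZ), R1 = 110 km (AOC).
CELL_KM, R0_KM, R1_KM = 3.0, 50.0, 110.0


def dist_km(a, b):
    """Distance between the centres of two cells given as (row, col)."""
    return CELL_KM * math.hypot(a[0] - b[0], a[1] - b[1])


def true_response(query, radar):
    """Unobfuscated policy: 'deny' in the EZ, 'ma' in the AOC, 'free' outside."""
    d = dist_km(query, radar)
    if d < R0_KM:
        return "deny"
    return "ma" if d < R1_KM else "free"


def sas_response(query, radar, scheme="none", fpr=0.0, rng=random):
    """Reply with a false positive of the given scheme with probability fpr."""
    truth = true_response(query, radar)
    if scheme == "none" or rng.random() >= fpr:
        return truth
    if scheme == "RTI":                       # inhibit irrespective of location
        return "deny"
    if scheme == "MRTI" and truth == "ma":    # inhibit only inside the AOC
        return "deny"
    if scheme == "RMA" and truth == "free":   # demand MA outside the AOC
        return "ma"
    return truth


def bayes_boost(p, chi):
    """Equation (2.8): posterior for one of chi candidate p-cells."""
    return p / (1.0 - (1.0 - p) / chi)


def update(prob, query, response):
    """Apply Cases 1-3 of Section 2.4 to the probability grid in place."""
    lo, hi = {"deny": (0.0, R0_KM), "ma": (R0_KM, R1_KM),
              "free": (R1_KM, R1_KM)}[response]
    p_cells = []
    for i, row in enumerate(prob):
        for j, p in enumerate(row):
            d = dist_km(query, (i, j))
            if d < lo:
                row[j] = 0.0                  # radar ruled out this close
            elif d < hi and p > 0.0:
                p_cells.append((i, j))        # candidate cell for the radar
    for i, j in p_cells:
        prob[i][j] = bayes_boost(prob[i][j], len(p_cells))


def incorrectness(prob, radar):
    """Equation (2.13) for one channel: sum of p_ij times distance to the radar."""
    return sum(p * dist_km((i, j), radar)
               for i, row in enumerate(prob) for j, p in enumerate(row))


def run(size, radar, queries, scheme="none", fpr=0.0, seed=0):
    """Start from the uniform prior 1/(MN) and process the queries in order."""
    rng = random.Random(seed)
    prob = [[1.0 / (size * size)] * size for _ in range(size)]
    for q in queries:
        update(prob, q, sas_response(q, radar, scheme, fpr, rng))
    return prob


if __name__ == "__main__":
    radar, size = (75, 75), 150               # layout used in Section 3.4
    rng = random.Random(42)                   # constructed query locations
    queries = [(rng.randrange(size), rng.randrange(size)) for _ in range(25)]
    for scheme, fpr in [("none", 0.0), ("RTI", 0.3), ("MRTI", 0.3), ("RMA", 0.3)]:
        ic = incorrectness(run(size, radar, queries, scheme, fpr), radar)
        print(f"{scheme:5s} fpr={fpr:.2f}  IC after 25 queries = {ic:7.1f} km")
```

A higher IC for the same query set means the responses leak less about the radar's cell; sweeping `fpr` per scheme gives the privacy side of the trade-off against lost transmission opportunities.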

3.4 Efficacy of Obfuscation Techniques - Simulation Results

In this section, we first present simulation results to demonstrate the performance of the
location inference attack by a random adversary. Then, we demonstrate the performance
improvement of a smart adversary in inferring incumbent location as compared to a random
adversary. Later, we present results to illustrate the performance of each of the proposed
obfuscation techniques. Finally, we define a metric to determine the efficacy of the obfuscation
technique in balancing the tradeoff between spectrum utilization efficiency and incumbent’s
privacy. A comparative analysis of the proposed obfuscation techniques is performed based
on the metric.
Let us define the database coverage area as a 450 km by 450 km square region which is
divided into 150 by 150 square cells, where the side of each square cell is 3 km. We assume
that a radar is located at cell (75,75). We assume there are 2 channels in the system, and
a radar operates on channel 1. To consider SU-SU coexistence, we ensure that the SAS
allocates channels to SUs such that, on average, the number of SUs operating co-channel
(i.e., on channel 1) is the same as the number of non co-channel SUs (on channel 2).

3.4.1 Location Inference Attack- Random and Smart Adversary

An adversary performs a location inference attack by querying the GDB from the centers of
multiple random cells and collecting the corresponding responses. The adversary uses the database
response to update the probability of presence/absence of the radar in each cell. The location
privacy of the radar, i.e., the incorrectness of the adversary’s estimate of the radar’s location,
is calculated. These simulations are performed for different values of Q, where Q is the total
number of query responses (or number of colluding SUs) collected by an adversary.

In Figure 3.2 we present the results of the location inference attack for a random adversary.
Note that after approximately 100 queries, the random adversary is able to accurately infer
the radar’s location. In Figure 3.3, we compare the performance of the smart adversary
and the random adversary. Clearly, the smart adversary outperforms the random adversary
in inferring the radar’s location. The number of queries required by a smart adversary to
achieve a certain level of inference accuracy is always less than that required by a random
adversary.

3.4.2 Performance of Obfuscation Techniques

Now, let us analyze the performance of our proposed obfuscation techniques. We discuss the
results in following subsections.
Figure 3.2: Performance of random adversary in inferring the radar’s location. Color bar
indicates probability of IU presence in a cell. Panels (axes: Xgrids, Ygrids): (a) Adversary
Estimate after 25 queries; (b) Adversary Estimate after 50 queries; (c) Adversary Estimate
after 75 queries; (d) Adversary Estimate after 100 queries.

Enlarging EZ and AOC

Here, we present results that illustrate the efficacy of enlarging EZ and AOC on countering
the adversary’s ability to infer the location of a radar. The results (averaged over 1000
simulation runs) are summarized in Figures 3.4, 3.5, and 3.6. Recall from Section 2.4 that
IC is the expected distance between adversary-inferred location and true incumbent location.
The value of IC is high when an adversary is highly confident that the IU is located far from
the actual location of IU. Unfortunately, the EEZ technique does not achieve the condition
specified in the aforementioned statement. Rather, it enables an adversary to localize the
IU within cells that are close to the true location of the IU. Therefore, EEZ offers negligible
privacy improvement as seen in Figure 3.4.

[Figure 3.3 plot: Incorrectness (km) versus number of colluding SUs, for Smart Adversary and
Random Adversary.]

Figure 3.3: Localization performance of a random adversary and a smart adversary.

However, unlike EEZ, EAOC provides significant improvement in location privacy (Figure 3.5). It
tricks the adversary into inferring a radar location at a distance between R0 and R1, while, in
fact, the radar is between R0′ and R1. Since R0′ ≥ R0, EAOC increases the value of IC, and
hence, it offers improved location privacy. Finally, from Figure 3.6, we can observe that the
location privacy achieved by enlarging both EZ and AOC boundaries is closely comparable
to that achieved by enlarging only the AOC (for reasons explained above). Clearly, the level
of obfuscation increases with ε, and hence, location privacy improves accordingly.

Random False Positives

Now, let us discuss the performance of the different types of false positives injected in the SAS
response. Figure 3.7 shows that adding false positives of the type RTI significantly improves
the location privacy. This is because, with an RTI response, an adversarial SU outside the
AOC wrongly infers that there is a radar within distance R0 from its location, whereas, in
fact, the radar is located at a distance greater than R1. On the other hand, MRTI does not
offer improved location privacy. Finally, from Figure 3.9, we can observe that RMA-based
obfuscation offers enhanced privacy. RMA ensures that the inferred location of the radar lies
far from the actual location, which results in an increased value of IC. Thus, our results suggest
that RTI-based and RMA-based false positives are much more effective, compared to MRTI,
in obfuscating an incumbent’s location.

[Figures 3.4 to 3.9, plots of Incorrectness (km) versus number of colluding SUs. Figures 3.4 to
3.6 show curves for ε = 0, 0.2, 0.4, 0.6, 0.8 and 1; Figures 3.7 to 3.9 show curves for
fpr = 0, 0.15, 0.30, 0.45, 0.60 and 0.75.]

Figure 3.4: Privacy with enlarging only EZ.
Figure 3.5: Privacy with enlarging only AOC.
Figure 3.6: Privacy enlarging EZ and AOC.
Incumbent privacy with enlarging exclusion zone and area of control.

Figure 3.7: Privacy with RTI false positives.
Figure 3.8: Privacy with MRTI false positives.
Figure 3.9: Privacy with RMA false positives.
Incumbent privacy with obfuscation by random false positive responses.

Figure 3.10 shows the adversary estimate of the incumbent’s location when the SAS implements
RMA obfuscation. The probability maps are obtained after Q = 25, 50, 75 and
100 queries to the SAS, and the SAS obfuscates responses with a false positive rate (fpr) of 0.8.
Compared to the scenario with no obfuscation (Figure 3.2), observe that the adversary fails to
localize the incumbent even after Q = 100 queries.

For PEU without obfuscation, we simulate an adversary which randomly queries from the
SAS governance area of 150 × 150 square grids (or a 450 × 450 km square region). After
obtaining the query response from the SAS, the adversary computes the position estimate
uncertainty by considering probable cells (p-cells) which have the maximum probability of
IU presence. As the query locations are randomly chosen, we average over 1000 simulation
runs for each query. Figure 3.11(a) shows the PEU value for up to Q = 200 queries (or 200
queries from colluding SUs), when no countermeasure is implemented by the SAS. With the
same simulation setup as before, we obfuscate the SAS responses with EEZ-AOC. The plot
in Figure 3.11(b) represents the PEU at increasing obfuscation levels from ε = 0 to 1. Here, ε
is the percentage increase in the radius of the protection boundaries. Finally, Figures 3.11(c)
and 3.11(d) show the PEU for RMA and RTI obfuscation techniques respectively. Note that
PEU for RMA and RTI increases with obfuscation level similar to the incorrectness values
observed earlier. Also, PEU converges after a sufficiently large number of adversarial SUs
collude and gain enough knowledge about the incumbent’s location.

[Figure 3.10 panels, probability maps over Xgrids versus Ygrids: (a) Adversary Estimate after 25
queries. (b) Adversary Estimate after 50 queries. (c) Adversary Estimate after 75 queries.
(d) Adversary Estimate after 100 queries.]

Figure 3.10: Performance of random adversary in inferring the radar’s location when SAS
obfuscates responses by RMA obfuscation. Color bar indicates probability of IU presence in
a cell.

[Figure 3.11 panels, plots of PEU (km) versus number of colluding SUs: (a) PEU without
obfuscation. (b) PEU with obfuscation by EEZ-AOC, for ε = 0, 0.2, 0.4, 0.6, 0.8 and 1.
(c) PEU with obfuscation by RMA. (d) PEU with obfuscation by RTI. Panels (c) and (d) show
curves for fpr = 0, 0.15, 0.30, 0.45, 0.60 and 0.75.]

Figure 3.11: Performance of the obfuscation techniques in terms of position estimate
uncertainty. Results shown are from extensive Monte Carlo simulation runs averaging over 1000
iterations of the inference algorithm for Q = 200 queries (or 200 colluding SUs).

3.5 Trade-off between Location Privacy and Spectrum Utilization

All the obfuscation techniques proposed in this study aim to deter an adversary’s ability
to infer an incumbent radar’s location by injecting false positives into SAS responses.
Consequently, SUs’ spectrum access opportunities are reduced, resulting in lower spectrum
utilization. There is an inherent trade-off between location privacy (or equivalently, degree
of obfuscation) and spectrum utilization efficiency. To investigate the effect of obfuscation
on the SUs’ spectrum utilization, we first define a simple metric for quantifying spectrum
utilization efficiency called Area Sum Capacity (ASC). ASC is the sum of the channel capacity
values of the SUs within the governance region of a SAS. An SU’s channel capacity
is determined by its transmission power, signal to interference and noise ratio (SINR), and
the probability of channel availability. Throughout the simulations, we assume that a single
incumbent radar system coexists with multiple SU cells, where each cell consists of a base
station at the center and a secondary receiver (SU-Rx) at the cell edge. Suppose that all
SUs use the same bandwidth W; then ASC is computed as

$$\mathrm{ASC} = W \sum_{i=1}^{N_T} q_i \log_2(1 + \mathrm{SINR}_i), \qquad (3.1)$$

where $N_T$ represents the total number of SUs in the system, $q_i = 1 - \zeta_i/\tau_i$ denotes the
channel availability probability for the i-th SU, and $\mathrm{SINR}_i = \lambda P_{ts}/I_{ch}$ is the SINR at
the SU-Rx associated with the i-th SU. Here, $\lambda$ is the scaling factor that represents the
free-space path loss (FSPL) between the SU and the SU-Rx, $P_{ts}$ is SU-Rx’s transmission power,
and $I_{ch}$ is the aggregate interference power received by the SU-Rx. The value of $I_{ch}$ is
calculated as the IU-induced interference at the SU-Rx location computed using FSPL. Table 3.1
lists the parameters that were used to compute the ASC.

Table 3.1: Parameters to compute area sum capacity

Radio frequency, f             3.55 GHz
Radar transmit power, Pr       60 dBW
SU-Rx transmit power, Pts      30 dBm
Cell radius, r                 3 km
Blanking duration, ζ           1 second
Radar rotation period, τ       4 seconds
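
A numerical reading of Equation (3.1) with the Table 3.1 parameters, added here as an illustration and not taken from the thesis. The SU distances, the 10 MHz bandwidth, the isotropic radar (no antenna gain), and the mapping of response types to blanking time (none, ζ for an RMA-type response, the full period τ for an RTI-type response) are assumptions made for the example.

```python
import math

# Table 3.1 parameters
F_GHZ = 3.55             # radio frequency f
PR_DBM = 60.0 + 30.0     # radar transmit power Pr: 60 dBW expressed in dBm
PTS_DBM = 30.0           # SU transmit power Pts
CELL_RADIUS_KM = 3.0     # SU-Rx sits at the cell edge
ZETA_S = 1.0             # blanking duration
TAU_S = 4.0              # radar rotation period

# Assumption: blanking time per rotation implied by each SAS response type.
BLANKING_S = {"free": 0.0, "rma": ZETA_S, "rti": TAU_S}


def fspl_db(d_km, f_ghz=F_GHZ):
    """Free-space path loss in dB (distance in km, frequency in GHz)."""
    return 20 * math.log10(d_km) + 20 * math.log10(f_ghz) + 92.45


def sinr(d_radar_km):
    """SINR_i = lambda * Pts / Ich as a linear ratio; both terms use FSPL."""
    signal_dbm = PTS_DBM - fspl_db(CELL_RADIUS_KM)     # lambda * Pts
    interference_dbm = PR_DBM - fspl_db(d_radar_km)    # Ich induced by the IU
    return 10 ** ((signal_dbm - interference_dbm) / 10)


def availability(response):
    """q_i = 1 - zeta_i / tau_i for the blanking time the response imposes."""
    return 1.0 - BLANKING_S[response] / TAU_S


def area_sum_capacity(sus, bandwidth_hz):
    """Equation (3.1). `sus` is a list of (distance to radar in km, response)."""
    return bandwidth_hz * sum(
        availability(resp) * math.log2(1.0 + sinr(d)) for d, resp in sus
    )


def with_false_positives(sus, indices, response):
    """Copy of `sus` in which the SUs at `indices` receive `response` instead."""
    return [(d, response if k in indices else resp)
            for k, (d, resp) in enumerate(sus)]


def normalized_asc(sus_obfuscated, sus_truthful, bandwidth_hz=10e6):
    """ASC scaled by the ASC obtained when the SAS does not obfuscate."""
    return (area_sum_capacity(sus_obfuscated, bandwidth_hz)
            / area_sum_capacity(sus_truthful, bandwidth_hz))


# Constructed scenario: truthful responses for five SU cells.
TRUTHFUL = [(120.0, "rma"), (160.0, "free"), (200.0, "free"),
            (240.0, "free"), (300.0, "free")]
FALSE_POSITIVE_SUS = {1, 3}   # SUs that receive an injected false positive


def compare():
    """Normalized ASC when the same SUs get RMA-type or RTI-type false positives."""
    rma = normalized_asc(
        with_false_positives(TRUTHFUL, FALSE_POSITIVE_SUS, "rma"), TRUTHFUL)
    rti = normalized_asc(
        with_false_positives(TRUTHFUL, FALSE_POSITIVE_SUS, "rti"), TRUTHFUL)
    return rma, rti


if __name__ == "__main__":
    rma, rti = compare()
    print(f"normalized ASC with RMA false positives: {rma:.3f}")
    print(f"normalized ASC with RTI false positives: {rti:.3f}")
```

For the same set of obfuscated SUs, the RMA-type response keeps three quarters of each affected SU's capacity while the RTI-type response removes it entirely.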

Figure 3.12 shows the plots of normalized incorrectness versus normalized ASC for three
obfuscation techniques discussed in Chapter 2, viz., (i) EEZ-AOC, (ii) RMA and (iii) RTI.
Normalized values for incorrectness and ASC are computed by scaling with maximum
incorrectness and ASC values. Maximum incorrectness is achieved when $p_{ij} = \frac{1}{MN}$ for all the
cells (adversary has no knowledge of IU’s location), and ASC is maximized when SAS does
not obfuscate replies to SU. In the figure, the slope of each line indicates the performance
of the corresponding obfuscation technique. That is, a line with a steeper negative slope
represents an obfuscation technique that makes a more favorable tradeoff between obfuscation
and spectrum utilization efficiency. In other words, it is able to achieve a greater level
of obfuscation while incurring a comparable loss of utilization efficiency (compared to other
techniques).
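
The incorrectness metric and its normalization can be computed directly from an adversary's probability map; the code below is an added example, not code from the thesis. It assumes IC is the probability-weighted Euclidean distance between cell centres and the true IU cell, 3 km cells (150 cells spanning 450 km), and constructed Gaussian-shaped posteriors standing in for the adversary's estimate.

```python
import math

GRID = 150       # 150 x 150 cells in the SAS governance area
CELL_KM = 3.0    # 450 km / 150 cells


def incorrectness(prob_map, true_cell, cell_km=CELL_KM):
    """Expected distance (km) between the adversary's estimate and the true IU cell.

    prob_map[i][j] is the (possibly unnormalized) probability of IU presence in
    cell (i, j); the map is renormalized here so it always sums to one.
    """
    ti, tj = true_cell
    mass = 0.0
    weighted = 0.0
    for i, row in enumerate(prob_map):
        for j, p in enumerate(row):
            if p < 0:
                raise ValueError("probabilities must be non-negative")
            mass += p
            weighted += p * math.hypot(i - ti, j - tj)
    if mass <= 0:
        raise ValueError("probability map carries no mass")
    return cell_km * weighted / mass


def uniform_map(size=GRID):
    """p_ij = 1/(MN): the adversary has no knowledge of the IU's location."""
    p = 1.0 / (size * size)
    return [[p] * size for _ in range(size)]


def bump_map(centre, sigma_cells, size=GRID):
    """Constructed posterior: a Gaussian bump of width sigma_cells around centre."""
    ci, cj = centre
    two_var = 2.0 * sigma_cells ** 2
    return [[math.exp(-((i - ci) ** 2 + (j - cj) ** 2) / two_var)
             for j in range(size)] for i in range(size)]


def normalized_incorrectness(prob_map, true_cell):
    """Incorrectness scaled by the uniform-map value, the reference used above."""
    reference = incorrectness(uniform_map(len(prob_map)), true_cell)
    return incorrectness(prob_map, true_cell) / reference


def summary(true_cell=(75, 75)):
    """Incorrectness for three constructed adversary estimates."""
    return {
        # estimate concentrated on the true cell (inference succeeded)
        "localized": incorrectness(bump_map(true_cell, 2.0), true_cell),
        # estimate concentrated 40 cells (120 km) away from the true cell
        "misled": incorrectness(bump_map((true_cell[0] + 40, true_cell[1]), 2.0),
                                true_cell),
        # no knowledge at all
        "uniform": incorrectness(uniform_map(), true_cell),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:10s} IC = {value:6.1f} km")
```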

Figure 3.12 indicates that RMA is the best performer among the three, and RTI is the
worst performer. RMA performs the best because for any given level of required privacy, it
sacrifices the least amount of spectrum utilization, which is attributed to the fact that an SU
has to perform MA only for a fraction of the radar rotation period and can transmit without
restriction otherwise. On the other hand, RTI performs the worst in terms of balancing this
trade-off as SUs are forced to completely stop their transmission, resulting in large
utilization losses.

[Figure 3.12 plot: Privacy (Incorrectness) versus Area Sum Capacity (ASC), with linear fits for
EEZ-AOC, RMA and RTI; slope annotations on the plot: −0.60141, −3.0544, −1.7318.]

Figure 3.12: Incorrectness vs. ASC for three obfuscation techniques which provide significant
location privacy improvement with obfuscation. The data points for the lines are obtained
at increasing obfuscation level in steps of 0.1. A linear fit of the data points is obtained to
compare the efficacy of each of the techniques. RMA clearly performs the best in balancing
the trade-off between spectrum utilization and location privacy.

3.6 Summary

In Chapters 2 and 3, we introduced the protocol/policy that spectrum access systems follow
to enable spectrum sharing between federal incumbent radars and commercial systems, and
described the key parameters that need to be communicated between SUs and the SAS. We
showed how an adversary can use Bayesian inference techniques to launch location inference
attacks and localize incumbent systems by querying from multiple locations. We proposed two
metrics, namely incorrectness and area sum capacity, to quantify the privacy of the incumbent
and the spectrum utilization of the SUs respectively. We discussed the efficacy of a number of
obfuscation techniques for thwarting such location inference attacks. Finally, we discussed the
inherent tradeoff between the degree of obfuscation and spectrum utilization efficiency, and
showed that certain obfuscation techniques are able to make a more advantageous tradeoff
between the two compared to other approaches.
Chapter 4

Coexistence of NB-IoT and Radar Systems

4.1 Introduction

The phenomenal growth in smarter end-user devices and machine-to-machine (M2M)
connections is a clear indicator of the growth of Internet of Things (IoT), which is bringing
together people, processes, data, and things to make networked connections more relevant
and valuable. For example, according to Cisco, the number of M2M connections will grow
from 780 million in 2016 to 3.3 billion by 2021, a 34 percent compound annual growth rate,
a fourfold growth [4]. Keeping this in mind, radio-access technologies for mobile broadband
have evolved effectively to provide connectivity to billions of subscribers and things [19].
Recently, as a part of Release 13, the 3rd Generation Partnership Project (3GPP) has
specified a new radio interface to provide wide-area cellular connectivity for IoT. This system,
named Narrowband Internet of Things (NB-IoT), is based on Long Term Evolution (LTE),
and is a step towards the 5th generation (5G) evolution for providing low-power wide-area
networking for IoT.

(a) In-band (b) Guard-band (c) Stand-alone

Figure 4.1: Three modes of operation of NB-IoT

NB-IoT can be deployed in three operation modes as illustrated in Figure 4.1—(i) in-band,
(ii) guard-band, and (iii) stand-alone. In in-band mode, NB-IoT works within the occupied
bandwidth of a wideband LTE carrier, where one or more LTE Physical Resource Blocks
(PRBs) are reserved for NB-IoT. In guard-band operation, NB-IoT is deployed within the
guard-band of an LTE carrier. In standalone operation, NB-IoT can either be used as a
replacement of one or more GSM carriers (200 kHz), or it can be operated in bands adjacent
to LTE. In any case, NB-IoT design is based on existing LTE functionalities, therefore, it
can be supported using the same eNodeB hardware, particularly when operated in in-band
mode. This makes in-band mode a favorable choice for cellular service providers.

Table 4.1: NB-IoT System Information

Parameter                        Uplink                                   Downlink
Subcarrier Spacing               Single tone: 15 kHz and 3.75 kHz;        15 kHz
                                 SC-FDMA: 15 kHz tone spacing
Maximum transmit power           UE power class: 23 dBm or 20 dBm         43 dBm
Modulation Scheme                π/2-BPSK, π/4-QPSK                       QPSK
Max. Transmit block size (TBS)   1000 bits                                680 bits
Number of Repetitions            1 - 128                                  1 - 2048
Coding Scheme                    Turbo Code                               TBCC
Maximum Coupling Loss            165.8 dB (NPUSCH)                        165.1 dB (NPDSCH)

Recently, several spectrum-sharing initiatives have been put in motion, and in some cases,
regulations have been established with the aim of improving spectrum utilization efficiency
through shared spectrum access [20]. Examples include spectrum sharing between multi-tiered
secondary users (primarily WiFi or small-cell LTE technologies) and federal incumbents
(primarily ship-borne radars) in the 3.5 GHz band [21], spectrum sharing between several
flavors of unlicensed LTE (LTE-Unlicensed (LTE-U), Licensed Assisted Access (LAA),
MulteFire, etc.) and WiFi in the 5 GHz band [22, 23], spectrum sharing between WiFi and
Dedicated Short Range Communications (DSRC) in the 5 GHz band [24], etc. Although
this is a not-yet-explored area, we envision a future scenario where NB-IoT systems might
have to co-exist with other technologies in the unlicensed bands (e.g., with pulsed radars in
the 3.5 GHz band). Also, since NB-IoT has many features common to LTE, it is likely that
NB-IoT will also be deployed in bands where LTE will be deployed, including shared bands
(e.g., 3.5 GHz band).

NB-IoT co-existence might especially be a concern in the U.S. if NB-IoT systems are to operate in
Band 42 (3400 to 3600 MHz) and Band 43 (3600 to 3800 MHz). If NB-IoT systems are
deployed in these bands, they have to share the spectrum with incumbent radars. The
Spectrum Access System (SAS) and Environmental Sensing Capacity (ESC), which are the
core enabling technologies for dynamic spectrum access in the 3.5 GHz band, specify that
entrant technologies must tolerate a peak radar interference power up to −62 dBm (radar’s
peak EIRP = 122 dBm and the maximum path loss between ESC and the radar for which
the ESC must detect the presence of radar = 184 dB) [25]. Therefore, NB-IoT systems that
operate in this band are subject to a peak radar interference of −62 dBm. This might cause
disturbances to an NB-IoT network, resulting in an increase in the NB-IoT network’s block
error rate (BLER) that further affects the coverage of NB-IoT.

In the following chapters^1, we present an experiment-based feasibility study on the
co-existence of NB-IoT with pulsed radars when NB-IoT uses the shared channel in the uplink.
In particular, we use Virginia Tech’s LTE-CORNET testbed and perform extensive experiments
for investigating the effect of pulsed interference on the NB-IoT performance. Given
a minimum required BLER threshold that is defined based on the battery-life requirement
of NB-IoT User Equipment (UE), we show that the coverage of an NB-IoT cell is slightly
affected by the presence of radar interference.^2

The rest of the chapter covers: (i) the design objectives of NB-IoT and the physical layer
enhancements from existing LTE standards to achieve those objectives, and (ii) a brief
introduction to the characteristics of the radar waveform.

4.2 Narrowband IoT - Design Objectives

NB-IoT is a Low Power Wide Area Networking (LPWAN) technology standard defined in
Release 13 of 3GPP [27]. As discussed in the previous section, IoT networks have the common
design objectives of achieving extended coverage, low UE device complexity, long battery life,
and support for large capacity. To meet these objectives, NB-IoT has been highly optimized
for machine type communications, providing features such as 20 dB additional maximum
coupling loss (MCL) compared to LTE, more than 10 years device battery life and support
for > 50K devices in a cell [28]. Table 4.1 provides an overview of underlying PHY/MAC
layer parameters which enable NB-IoT to achieve the following two main objectives.

Coverage

To cater to devices in deep indoor coverage (such as an apartment basement), NB-IoT requires a
maximum coupling loss 20 dB higher than LTE (MCL of 164 dB). This coverage enhancement
is achieved using various PHY/MAC and higher layer modifications. One major, yet
simple modification, is to increase the number of repetitions for transmissions on both
downlink and uplink channels. For example, the narrowband physical downlink shared channel
(NPDSCH) allows up to a maximum of 2048 repetitions, and the narrowband physical uplink
shared channel (NPUSCH) allows a maximum of 128 repetitions. These repeated transmissions
are then soft-combined at the receiving terminals to achieve better Signal to Noise Ratio
(SNR). Moreover, single-tone transmission in the uplink and π/2-BPSK modulation are used
to maintain close to 0 dB PAPR, thereby reducing the unrealized coverage potential due
to power amplifier (PA) backoff [28]. Also, NB-IoT allows up to three coverage levels to be
defined by a serving cell. Each coverage level is associated with a configuration defining the
number of repetitions to be used on each physical uplink/downlink channel. UEs choose one
among the three coverage levels based on the signal power they receive from the eNodeB.
Note that, for UEs in deep coverage, higher bandwidth allocation is not spectrally efficient,
as UEs cannot benefit from it to transmit at higher data rates.

^2 A part of Chapters 4 and 5 has been published as a Technical Report, ARIAS Lab, Virginia
Tech, by the same author and can be accessed here [26].

Device Battery Life

One of the important design objectives for NB-IoT is to minimize device power consumption.
NB-IoT uses efficient techniques such as power saving mode (PSM), Idle Mode extended
discontinuous reception (I-eDRX) and Connected Mode eDRX (C-eDRX). These techniques
allow the UE to be in lower power consumption states for longer durations of time. For
example, PSM allows a device to be in an unconnected state for 13 days and I-eDRX allows
idle mode discontinuous reception for a maximum of 3 hrs. The power consumption in PSM and
eDRX modes is significantly lower than the battery power drawn during transmission. Using
reasonable values of power consumption, it is shown that NB-IoT achieves a device battery life of
> 10 years operating at a coupling loss of 154 dB with a two hour reporting interval for 50
bytes and 200 bytes application loads [29]. However, note that similar levels of battery life
(> 10 years) cannot be achieved when the number of uplink repetitions is large or when the
uplink BLER is high.

NB-IoT requires a minimum system bandwidth of 180 kHz (1 Physical Resource Block) for
both uplink and downlink, and supports three different deployment scenarios—stand-alone
mode, in-band mode and guard-band mode (see Figure 4.1). In this thesis, we analyze
the co-existence of NB-IoT deployed in stand-alone mode with pulsed radar systems. Note
that the NB-IoT system bandwidth (180 kHz) is very small compared to the nominal radar
bandwidth (approx. 1.3 MHz) and the deployment mode of NB-IoT does not influence the
coexistence analysis presented here.

NB-IoT Physical Channels

The following sections describe both the downlink and uplink physical channels available in
NB-IoT.

Downlink Channels: NB-IoT provides the following physical channels in the downlink:

• Narrowband physical broadcast channel (NPBCH)

• Narrowband physical downlink control channel (NPDCCH)

• Narrowband physical downlink shared channel (NPDSCH)

The NB-IoT UE initially performs cell search using two downlink signals, viz., Narrowband
primary synchronization signal (NPSS) and Narrowband secondary synchronization signal
(NSSS). These two signals are redesigned from existing LTE signals which occupied six PRBs
in legacy LTE.

NPBCH carries the master information block (MIB). The MIB contains all the information
required to acquire subsequent system information blocks (SIBs). The MIB is transmitted on
NPBCH with a periodicity of 640 ms transmission time interval (TTI).

NPDCCH carries scheduling information for both uplink and downlink data channels. It
further carries the HARQ acknowledgement information for the uplink data channel as well
as paging message, system information, and RAR message.

NPDSCH carries data from the upper layers along with system information, paging message
and RAR message. Moreover, to reduce the UE device complexity, all the downlink channels
use tail-biting convolutional code (TBCC). Furthermore, NB-IoT supports only single layer
transmission (unlike LTE, no spatial multiplexing) and a maximum transmit block size (TBS) of
680 bits for NPDSCH.

Narrowband Reference Signals (NRS) are also used in the downlink to provide phase reference
for the demodulation of the downlink channels. NRSs are time-frequency multiplexed
with information carrying symbols in downlink subframes.
Uplink Channels: For the NB-IoT uplink, the following channels and signal are defined:

• Narrowband Physical Random Access Channel (NPRACH)

• Narrowband Physical Uplink Shared Channel (NPUSCH)

• Demodulation Reference Signals (DMRS)

The NB-IoT UE uses a newly designed channel for random access, as the legacy LTE physical
random access channel (PRACH) uses a bandwidth of 1.08 MHz, more than the 180 kHz uplink
bandwidth available in NB-IoT. One NPRACH preamble consists of four symbol groups,
with each symbol group comprising one cyclic prefix (CP) and five symbols [30]. NPRACH
has a single-tone frequency hopping waveform, with the tone frequency index changing from
one symbol group to another.

For the uplink shared channel, NPUSCH, two formats are defined. Format 1 is for UL
transport channel data, with a maximum TBS of 1000 bits, and uses turbo code for error
correction. NPUSCH Format 1 provides multi-tone transmission, with possible UE allocations
of 12, 6, and 3 tones. Unlike legacy LTE, the 6-tone and 3-tone formats are added to
support NB-IoT in deep coverage, which cannot benefit from larger bandwidths. For single-tone
transmissions, 3.75 kHz and 15 kHz subcarrier spacing are supported. However, multi-tone
transmissions are based on Single Carrier FDMA (SC-FDMA) with 15 kHz spacing. To
reduce the peak-to-average power ratio (PAPR) problems, single-tone transmissions use
π/2-binary phase shift keying (BPSK) or π/4-quadrature phase shift keying (QPSK) with phase
continuity between symbols. NPUSCH Format 2 carries UL control information, specifically,
Hybrid Automatic Repeat Request (HARQ) acknowledgments for DL data.

DMRS are time-multiplexed with data symbols, and are used for channel estimation.
Depending on the NPUSCH format, either one or three symbols are used for DMRS in each slot.
NPUSCH Format 1 uses one OFDM symbol for DMRS while Format 2 uses three symbols.

Coverage enhancement is a crucial feature for NB-IoT systems. NB-IoT attains a maximum
coupling loss 20 dB higher than LTE, achieved by increasing the number of repetitions.
Moreover, single-tone transmission with π/2-BPSK modulation allows the UE to operate near 0
dB PAPR, thereby reducing the unrealized coverage potential due to power amplifier (PA)
backoff.

4.3 Shipborne Radar- SPN43

The primary incumbent users of the U.S. 3.5 GHz band are the military ship-borne air traffic
control radars. This type of radar is also known as AN/SPN-43C radar which provides real
time aircraft surveillance, identification, and landing assistance data. It is a pulsed radar and
is used on medium and large aircraft carriers. SPN-43 has a nominal peak pulsed power of 1
MW and an antenna gain of 32 dBi [31]. SPN-43 has a range of 300 yards to 50 nautical miles
and an altitude span of 30,000 ft. Other characteristics of the SPN-43 radar are outlined in
Table 4.2.

Table 4.2: Radar characteristics

Parameter                 Value
Frequency range           3500 − 3650 MHz
Pulse width               900 (±150) ns
Pulse repetition rate     1 kHz
Radar rotation rate       4 sec (15 rpm)
Peak EIRP                 122 dBm (1.6 GigaWatts)
Horizontal beamwidth      1.75 deg (19 pulses)
Chapter 5

Coverage Analysis of NB-IoT in Shared Spectrum

To understand the coverage performance of NB-IoT in the presence of radar interference, we
first perform extensive experimental studies on the LTE-CORNET testbed. The results from
the experimental studies are leveraged with the Irregular Terrain Model (ITM), a path
loss computation tool, to derive the coverage of the NB-IoT system. The rest of this chapter
is organized as follows: In Section 5.1, we describe our experimental setup followed by results
in Section 5.2. In Section 5.4, we provide detailed discussions and provide simulation results
to show the effect of radar interference on the coverage and capacity of NB-IoT cells. Finally,
we provide a summary of the NB-IoT vs. radar coexistence study in Section 5.5.

5.1 Experimental Setup

In this section, we describe our experimental setup. Firstly, we provide a brief overview of
the testbed that was used for our experiments. Secondly, we provide the block diagram of
our system setup and outline the system parameters.

5.1.1 LTE-CORNET testbed

To perform the co-existence study between NB-IoT and radar, we leveraged the LTE-CORNET
testbed at Virginia Tech [32]. The testbed’s main components are several LTE
base stations (eNodeBs) with their evolved packet cores (EPCs), and several LTE UEs.
Multiple eNodeBs can be emulated using Amarisoft software-based LTE100 system which is
installed on two PCs and a mobile workstation [33]. Another PC can be used to implement
interference waveforms, among others. The testbed includes a high-fidelity spectrum
analyzer, the Tektronix SA2500, for indoor and outdoor measurement studies over a frequency
range of 10 kHz - 6.2 GHz. It is a mobile unit that can be connected to the testbed as
needed.

The Amarisoft LTE100 software supports the NB-IoT standard based on 3GPP Release 13.
It allows us to configure various PHY and MAC layer parameters in the NB-IoT protocol
stack. Some of the important parameters which can be configured based on the coverage
level of operation are the number of NPUSCH subcarriers (npusch_n_sc), number of NPUSCH
repetitions (npusch_n_rep), uplink sub-carrier spacing (ul_sc_spacing), NPUSCH transmit
block size (npusch_i_tbs), number of msg3 repetitions (msg3_n_rep), and number of msg3
sub-carriers (msg3_n_sc). Amarisoft also provides crucial PHY/MAC layer metrics which we
use to analyze the impact of radar interference on the NB-IoT system. Specifically, we utilize
the number of UL ACK/NACK reported in the log files to compute the BLER. The uplink
Signal to Interference and Noise Ratio (SINR) values are also collected from the logs. Uplink
SINR is computed using the demodulation reference signals (DMRS) which are transmitted
along with data symbols on the NPUSCH subframe.

(a) NB-IoT uplink spectrum (b) Radar spectrum.

(c) Time domain plot of the radar.

Figure 5.1: Plots from the Tektronix spectrum analyzer used as a measurement device in
our experiments.

Figure 5.2: Block diagram of the experimental setup

5.1.2 Block Diagram and System Setup

Two high performance PCs running Amarisoft LTE100 eNodeB and LTE UE are connected
to USRP N210s equipped with SBX daughter-boards, emulating an NB-IoT eNodeB and UE
respectively. Amarisoft software allows NB-IoT cells to be operated in one of the possible
three deployment modes. We configure the NB-IoT cell to operate in stand-alone mode
(Figure 5.1(a) shows the spectrum of the uplink NB-IoT signal). Suitable values of npusch_n_sc,
npusch_n_rep, npusch_i_tbs, and ul_sc_spacing are used as outlined in Table 5.1. We used
GNU Radio as the platform for transmitting the synthesized SPN-43 radar waveform via another
USRP N210. The frequency and time domain characteristics of our synthesized radar
waveform are shown in Figures 5.1(b) and 5.1(c) respectively. As we are primarily interested
in the UL channels (note that as NB-IoT UEs are power limited, the NB-IoT coverage is
mainly determined from the uplink performance), the radar interference is injected on the
uplink channel only. Moreover, for analyzing the BLER of NB-IoT under different SINR (or
SNR in case of no radar interference) conditions, we vary the value of the variable attenuator
that is connected on the uplink path and note the uplink BLER at the eNodeB. Our system
block diagram is shown in Figure 5.2.

Table 5.1: NB-IoT UL parameters

Operation Mode                               Standalone
UL subcarrier spacing (ul_sc_spacing)        15 kHz
# of NPUSCH subcarrier (npusch_n_sc)         1
NPUSCH TBS (npusch_i_tbs = 0)                208 bits
# of NPUSCH repetitions (npusch_n_rep)       1

[Figure 5.3 plot: BLER (log scale, 10^-4 to 10^0) versus SINR (dB), for NB-IoT only and NB-IoT
with Radar Interference.]

Figure 5.3: BLER versus SINR (Uplink).

5.2 NB-IoT BLER Performance - Experimental Results

In this section, we summarize the results of our experiments. In particular, the plots of
measured BLER versus measured uplink SINR and the distribution of measured uplink
SINR are discussed.

5.2.1 Uplink BLER Performance

To study the uplink BLER performance of the NB-IoT system, we maintained a fixed transmit
power for the radar and varied the uplink SINR by varying the path loss (by using a variable
attenuator) in the link connecting the NB-IoT UE and the eNodeB. Figure 5.3 shows the
uplink BLER for different SINR received at the eNodeB. As expected, for high SINR values
(SINR ≥ −1 dB), the BLER is almost zero, whereas when SINR is low (SINR < −5 dB),
the BLER increases and reaches 100% for SINR less than −9 dB. In some cases, the NB-IoT
system failed to establish a link at all because of the severity of the interference presented
by the radar.

[Figure 5.4 plot: CDF versus SINR (dB), for NB-IoT only and NB-IoT with Radar Interference.]

Figure 5.4: CDF of SINR.

Note that although the 3GPP Rel-13 specifications require a NB-IoT link to be alive for
worst-case SINR values as low as −12 dB (corresponding to the required maximum coupling
loss of 164 dB), we were not able to achieve this in our experiments mainly because the
eNodeB hardware (USRP N210 with SBX daughterboard) used in our experiments has
much lower output power and more limited receiver sensitivity than a typical eNodeB that
is designed for over-the-air experiments. Also, in our experiments, we used nominal values for
NB-IoT parameters (see Table 5.1) as opposed to the ones that are specified for the worst-case
scenario (e.g., maximum number of repetitions, lowest TBS index, etc.). Nevertheless, our
experimental results show a general trend that low SINR causes high BLER and vice-versa.

5.2.2 Uplink SINR Distribution

The radar interference to the NB-IoT eNodeB is non-stationary because: (i) due to radar
rotation, the interference power varies periodically, as is characteristic of search radars, and
it depends on the rotation speed of the radar, and (ii) the signal transmitted by the radar
consists of pulses (see Figure 5.1(c)) of very short duration (e.g., 1 microsecond for the SPN-43
radar). Therefore, even when the radar beam is directly aligned with the NB-IoT eNodeB, there
are inter-pulse durations with zero interference [34]. Any NB-IoT packet that gets transmitted
in the time between radar pulses suffers no interference. Therefore, the SINR for each
received packet depends on whether a radar pulse is present during the time in which the
packet is transmitted.

Figure 5.4 shows the distribution of uplink SINR for the two cases: (i) without radar
interference, and (ii) with radar interference. To generate these plots, we fixed the peak radar
interference at −90 dBm, and varied the uplink path loss by using a variable attenuator in
the uplink path. The SINR at the eNodeB as reported by Amarisoft was logged continuously.
In our experiments, the change in path loss emulates transmissions from UEs located
at far-away distances (cell-edge) from the eNodeB. We changed the attenuation values such
that the eNodeB receives uplink signal at an SINR level ranging from −20 dB to 15 dB.

For both cases, with and without radar interference, we changed the value of the attenuator
in steps of 1 dB and logged the instantaneous SINR values at the eNodeB for over 2000
data packets. From the plots, we can observe that the radar interference causes the uplink
SINR to drop when compared against the case without interference. However, because of
the non-stationary nature of radar interference, the probability of low SINR values is not
very large. This is intuitive because, as explained earlier, the pulsed and rotational nature
of the radar leaves lots of interference-free (and hence, high SINR) time slots. In the next
section, we analyze how the change in the distribution of NB-IoT uplink SINR due to radar
interference, as shown in Figure 5.4, affects the NB-IoT coverage.

5.3 Irregular Terrain Model - Tool for Coverage Analysis

In this section, we first provide a brief overview of the ITM propagation model. Then, we
use the ITM propagation model and results from our experiments to study the coverage and
capacity of NB-IoT in the absence/presence of radar interference.

The ITM is a radio propagation model which predicts tropospheric radio transmission loss
over irregular terrain for a radio link. It is designed for use at frequencies between 20 MHz
and 20 GHz. The ITM model is based on electromagnetic theory and on statistical analyses
of both terrain features and radio measurements, and it predicts the median attenuation of
a radio signal as a function of distance and the variability of the signal in time and in space.

The ITM works in two modes: 1) area prediction mode, used when an exact terrain
description is not available, and 2) point-to-point prediction mode, used when the terrain profile
between the terminals is available. The ITM-PTP mode relates the statistical variance of
terrain elevations to classical diffraction theory, and predictions made by the model agree
closely with the measured data. Therefore, cellular operators often use ITM to predict their
cell coverage. Using ITM, a coverage region of a base station can be defined as the zone
where the path loss is less than a threshold, say $P_{th}$, with x% reliability. In other words, ITM
can compute the coverage region as the area around the base station where the probability
of path loss from the base station being less than a threshold, $P_{th}$, is equal to x%. The
parameter x can be specified in the ITM model according to the design requirement.

5.4 Coverage and Capacity Analysis of NB-IoT with Radar Interference

Let us assume that the battery-life requirement of NB-IoT UEs is such that the uplink BLER
should not exceed a threshold, say $B_{th}$. This is because high BLER results in large number
of re-transmissions which, in turn, deteriorates the battery life performance of NB-IoT UEs.
The one-to-one relation between uplink BLER and uplink SINR implies that the following
requirement must be met: the uplink SINR should be greater than a threshold, say $S_{th}$.
Note that $S_{th}$ can be obtained from Figure 5.3 for any given $B_{th}$.

Now, from the distribution of SINR obtained from our experiments (Figure 5.4), we can
find the probability that SINR is greater than $S_{th}$. For the case with no interference, this
probability is,

$$P(\mathrm{SINR} > S_{th}) = 1 - p_n \tag{5.1}$$

where, $p_n$ denotes the probability that SINR ≤ $S_{th}$ when NB-IoT operates in the absence of
radar interference.

Similarly, for the case with radar interference, the probability that SINR is greater than $S_{th}$
is,

$$P(\mathrm{SINR} > S_{th}) = 1 - p_r \tag{5.2}$$

where, $p_r$ denotes the probability that SINR ≤ $S_{th}$ when NB-IoT operates in the presence
of radar interference.

From Figure 5.4, it is clear that $p_n < p_r$.

The uplink SINR can be expressed in terms of UE transmit power $P_{tx}$; path loss between
the UE and the eNodeB $P_L$; and interference and noise power $P_{I+N}$ in the channel.

$$\mathrm{SINR} = P_{tx} - P_L - P_{I+N} \tag{5.3}$$

When NB-IoT operates in an interference-free channel (e.g., when NB-IoT operates in the
licensed spectrum where interference from neighboring cells can be neglected), Equation 5.3
can be simplified as,

$$\mathrm{SINR} = P_{tx} - P_L - P_N \tag{5.4}$$

where, $P_N$ denotes the thermal noise in the channel.

Using Equations (5.3) and (5.4), we can rewrite Equations (5.1) and (5.2) in terms of path
loss, respectively, as follows,

$$P(P_L \le P_{th}^{(r)}) = 1 - p_n \tag{5.5}$$

and,

$$P(P_L \le P_{th}^{(n)}) = 1 - p_r \tag{5.6}$$

where, $P_{th}^{(r)} = P_{tx} - P_N - S_{th}$ and $P_{th}^{(n)} = P_{tx} - P_{I+N} - S_{th}$.

Finally, we can use Equations (5.5) and (5.6) to compute the coverage region of an NB-IoT
cell. We define the coverage region as the zone where the path loss is less than $P_{th}^{(r)}$ (or $P_{th}^{(n)}$
in case of radar interference) with $1 - p_n$ (or $1 - p_r$ in case of radar interference) reliability.
Using this definition in the ITM point-to-point mode, we can compute the coverage region for
both cases, where the right-hand sides of Equations (5.5) and (5.6) are specified as reliability
levels.

Figures 5.5(a) and 5.5(b) show the coverage map of NB-IoT cell in the absence and presence
of radar interference respectively. The coverage map was generated for the following set of
values: $P_N$ = −120 dBm, $P_I$ = −116 dBm, $P_{tx}$ = 23 dBm, and $B_{th}$ = 10%. The value of
$S_{th}$ (−3 dB) corresponding to $B_{th}$ was obtained from Figure 5.3 and used in the coverage
analysis. We used ITM in PTP mode with reliability levels obtained from CDF curves of
SINR (Figure 5.4) to compute the path loss around the eNodeB, which is located at the
center of our analysis area. From the figures, it is clear that NB-IoT coverage area is smaller
for the case when radar interference is present.

Figure 5.5: Coverage area of NB-IoT base station (eNodeB). (a) Without radar interference. (b) With radar interference.
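The steps of this section (read the SINR threshold off the BLER curve, read the outage probabilities off the SINR CDFs, then form the path-loss threshold and reliability level handed to ITM) as an added Python example that is not part of the thesis. The BLER points and SINR logs are constructed stand-ins for Figures 5.3 and 5.4, the function names are hypothetical, and summing the noise and radar powers in the linear domain to obtain the interference-plus-noise power is an assumption; the ITM run itself is not included.

```python
import math
from bisect import bisect_right

# Values the text gives for the coverage maps of Figure 5.5.
P_TX_DBM = 23.0    # UE transmit power
P_N_DBM = -120.0   # thermal noise power
P_I_DBM = -116.0   # peak radar interference power at the eNodeB

# Constructed (SINR in dB, BLER) points standing in for the Figure 5.3 curve.
BLER_CURVE = [(-9.0, 1.0), (-7.0, 0.6), (-5.0, 0.3), (-3.0, 0.1), (-1.0, 0.001)]

# Constructed per-packet SINR logs (dB) standing in for the Figure 5.4 data.
SINR_NO_RADAR = [-6, -4, -2, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 15]
SINR_RADAR = [-15, -12, -9, -7, -5, -4, -2, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 14]


def sinr_threshold(b_th, curve=BLER_CURVE):
    """S_th: lowest SINR at which BLER <= b_th, interpolating log10(BLER)."""
    for (s_lo, b_hi), (s_hi, b_lo) in zip(curve, curve[1:]):
        if b_lo <= b_th <= b_hi:
            if b_hi == b_lo:          # flat segment: no interpolation needed
                return s_lo
            frac = (math.log10(b_hi) - math.log10(b_th)) / (
                math.log10(b_hi) - math.log10(b_lo))
            return s_lo + frac * (s_hi - s_lo)
    raise ValueError("b_th lies outside the measured BLER range")


def outage_probability(sinr_log, s_th):
    """Empirical P(SINR <= s_th), i.e. p_n or p_r read off the SINR CDF."""
    ordered = sorted(sinr_log)
    return bisect_right(ordered, s_th) / len(ordered)


def combine_dbm(*levels_dbm):
    """Sum powers in milliwatts and return the total in dBm (assumption)."""
    return 10 * math.log10(sum(10 ** (p / 10) for p in levels_dbm))


def itm_inputs(b_th, sinr_log, p_i_dbm=None):
    """Return (path-loss threshold in dB, reliability) for one coverage run."""
    s_th = sinr_threshold(b_th)
    floor = P_N_DBM if p_i_dbm is None else combine_dbm(P_N_DBM, p_i_dbm)
    # Equations (5.5)/(5.6): threshold = P_tx - noise floor - S_th, reliability = 1 - p.
    return P_TX_DBM - floor - s_th, 1 - outage_probability(sinr_log, s_th)


if __name__ == "__main__":
    for label, log, p_i in (("no radar", SINR_NO_RADAR, None),
                            ("radar", SINR_RADAR, P_I_DBM)):
        loss, rel = itm_inputs(0.10, log, p_i)
        print(f"{label}: path loss <= {loss:.1f} dB at {rel:.0%} reliability")
```

With radar present, both ITM inputs tighten: the tolerable path loss drops and it has to be met at a lower reliability level, which is what shrinks the coverage region.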

We further study the change in NB-IoT coverage area (in square kilometers) for different
levels of peak radar interference power, $P_I$, at the eNodeB. The value of $P_I$ is varied from
−150 dBm to −80 dBm and the coverage area of NB-IoT eNodeB is calculated. Figure 5.6
summarizes the results. Clearly, when the peak radar power is high, the NB-IoT uplink
BLER (and SINR) deteriorates, resulting in smaller coverage area. Also, as expected, the
coverage of NB-IoT eNodeB shrinks when the minimum required uplink BLER, $B_{th}$, is small
(recall that small $B_{th}$ ensures a longer battery life). Thus, our results show that we can
compromise coverage for improving the battery life of NB-IoT UEs and vice-versa.
Figure 5.6: Effect of radar interference on NB-IoT coverage. [Plot: coverage area (sq. km) versus peak radar interference power (dBm); curves: B_th = 10%, B_th = 30%.]

The capacity of an NB-IoT cell is directly proportional to its coverage area. Given a coverage
area in sq. km, $A_{cov}$, an average density of households per sq. km, $\rho$, and the average
number of NB-IoT devices in each household, $N_H$, the total capacity, $C_{NB\text{-}IoT}$, is given as,
$C_{NB\text{-}IoT} = A_{cov} \times \rho \times N_H$. This value, however, may not always be achievable when the
capacity is limited by total available PHY/MAC-layer resources in the system.

5.5 Summary

In Chapters 4 and 5, we presented an extensive experiments-based feasibility study on the
co-existence of NB-IoT with S-band radars when NB-IoT uses the shared channel in the
uplink. We showed that, given a battery-life requirement of NB-IoT UEs in terms of the
maximum tolerable BLER, the coverage of a NB-IoT system is affected by the presence of
radar interference. Our analysis shows that the NB-IoT system can co-exist with S-band
radars; however, at the cost of increased block error rate (and hence, reduced battery-life
performance) for users at the cell-edge.
Chapter 6

Conclusion

In this thesis, we presented studies based on coexistence between disparate wireless
networks in shared spectrum. Briefly, the two primary coexistence studies carried out can be
summarized as follows:

• We introduced the protocol/policy that spectrum access systems follow to enable spectrum
sharing between federal incumbent radars and commercial systems, and described the
key parameters that need to be communicated between SUs and SAS. We showed how
an adversary can use Bayesian inference techniques to launch location inference attacks
and localize incumbent systems by querying from multiple locations. We proposed
two metrics, namely incorrectness and area sum capacity, to quantify the privacy of
the incumbent and the spectrum utilization of the SUs respectively. We discussed the efficacy
of a number of obfuscation techniques for thwarting such location inference attacks.
Further, we discussed the inherent tradeoff between the degree of obfuscation and
spectrum utilization efficiency, and showed that certain obfuscation techniques are able
to make a more advantageous tradeoff between the two compared to other approaches.

• We performed an extensive experimental study on the coexistence of NB-IoT and radar
in shared spectrum. Results proved that radar interference can cause significantly low
SINR and result in higher BLER for NB-IoT systems. Using results from experiments
and employing the ITM PTP propagation model, we illustrated that the coverage area
of the NB-IoT system is impacted due to radar interference. These studies, we strongly
believe, will fuel future research in coexistence studies and the design of mechanisms that
mitigate the impact of radar interference on IoT networks.
Bibliography

[1] WINNF, “Spectrum sharing committee website.” http://www.wirelessinnovation.org/assets/work_products/Specifications/winnf-15-s-0071-v1.0.0%20cbrs%20operational%20security.pdf. Online, accessed 04-27-2017.

[2] NTIA, “Spectrum occupancy measurements of the 3550-3650 megahertz maritime radar band near san diego, california.” https://www.ntia.doc.gov/report/2014/spectrum-occupancy-measurements-3550-3650-megahertz-maritime-radar-band-near-san-diego-c. Online, accessed 27-04-2017.

[3] B. Bahrak, S. Bhattarai, A. Ullah, J. M. J. Park, J. Reed, and D. Gurney, “Protecting the primary users’ operational privacy in spectrum sharing,” in Dynamic Spectrum Access Networks (DYSPAN), 2014 IEEE International Symposium on, pp. 236–247, April 2014.

[4] Cisco, “Cisco visual networking index: Global mobile data traffic forecast update, 2016-2021.” http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/mobile-white-paper-c11-520862.html. Online, accessed 04-10-2017.

[5] PCAST, “Report to the president realizing the full potential of government-held spectrum to spur economic growth.” available at http://www.whitehouse.gov/sites/default/files/microsites/ostp/pcast_spectrum_report_final_july_20_2012.pdf, July 2012.

[6] FCC, “Report and order and second further notice of proposed rulemaking, federal communications commission.” https://apps.fcc.gov/edocs_public/attachmatch/FCC-15-71A1.pdf. Online, accessed 04-14-2016.

[7] J. M. Park, J. H. Reed, A. A. Beex, T. C. Clancy, V. Kumar, and B. Bahrak, “Security and enforcement in spectrum sharing,” Proceedings of the IEEE, vol. 102, pp. 270–281, March 2014.

[8] Z. Zhang, H. Zhang, S. He, and P. Cheng, “Achieving bilateral utility maximization and location privacy preservation in database-driven cognitive radio networks,” in Mobile Ad Hoc and Sensor Systems (MASS), 2015 IEEE 12th International Conference on, pp. 181–189, Oct 2015.

[9] M. Clark and K. Psounis, “Can the privacy of primary networks in shared spectrum be protected?,” in 2016 IEEE International Conference on Computer Communications (INFOCOM), Apr 2016.

[10] WINNF, “Spectrum sharing committee website.” http://www.wirelessinnovation.org/ssc. Online, accessed 04-14-2016.

[11] DARPA, “Shared spectrum access for radar and communications (ssparc) website.” http://www.darpa.mil/program/shared-spectrum-access-for-radar-and-communications. Online, accessed 04-14-2016.
[12] P. R. Vaka, S. Bhattarai, and J. M. Park, “Location privacy of non-stationary incumbent systems in spectrum sharing,” in 2016 IEEE Global Communications Conference (GLOBECOM), pp. 1–6, Dec 2016.

[13] B. Bahrak, Ex Ante Approaches for Security, Privacy, and Enforcement in Spectrum Sharing. PhD thesis, Virginia Tech, 2013.

[14] S. Wiki, “Spn-43 shipborne radar, spectrum wiki.” http://www.spectrumwiki.com/wiki/DisplayEntry.aspx?DisplyId=225. Online, accessed 04-14-2016.

[15] Leidos, “Darpa awards leidos prime contract, leidos website.” http://investors.leidos.com/mobile.view?c=193857&v=203&d=1&id=2106132. Online, accessed 04-14-2016.

[16] M. Hamid and N. Björsell, “Geo-location spectrum opportunities database in downlink radar bands for ofdm based cognitive radios,” in IEEE Conference on Communication, Science & Information Engineering CCSIE 2011 IEEE, pp. 39–43, 2011.

[17] S. Bhattarai, A. Ullah, J. M. J. Park, J. H. Reed, D. Gurney, and B. Gao, “Defining incumbent protection zones on the fly: Dynamic boundaries for spectrum sharing,” in Dynamic Spectrum Access Networks (DySPAN), 2015 IEEE International Symposium on, pp. 251–262, Sept 2015.

[18] R. Shokri, G. Theodorakopoulos, J. Y. L. Boudec, and J. P. Hubaux, “Quantifying location privacy,” in 2011 IEEE Symposium on Security and Privacy, pp. 247–262, May 2011.

[19] Ericsson, “Nb-iot: a sustainable technology for connecting billions of devices.” https://www.ericsson.com/publications/ericsson-technology-review/archive/2016/nb-iot-a-sustainable-technology-for-connecting-billions-of-devices. Online, accessed 04-10-2017.

[20] S. Bhattarai, J. M. J. Park, B. Gao, K. Bian, and W. Lehr, “An overview of dynamic spectrum sharing: Ongoing initiatives, challenges, and a roadmap for future research,” IEEE Transactions on Cognitive Communications and Networking, vol. 2, pp. 110–128, June 2016.

[21] A. Khawar, A. Abdel-Hadi, and T. C. Clancy, “Spectrum sharing between s-band radar and lte cellular system: A spatial approach,” in 2014 IEEE International Symposium on Dynamic Spectrum Access Networks (DYSPAN), pp. 7–14, April 2014.

[22] Signals Research Group, “The Prospect of LTE and Wi-Fi Sharing Unlicensed Spectrum: Good Fences Make Good Neighbors,” tech. rep., Feb. 2015.

[23] Qualcomm Research, “LTE in Unlicensed Spectrum: Harmonious Coexistence with Wi-Fi,” tech. rep., Jun. 2014.

[24] FCC, “Revision of Part 15 of the Commissions Rules to Permit Unlicensed National Information Infrastructure (U-NII) Devices in the 5 GHz Band (NPRM 13-22),” Feb. 2013.

[25] Wireless Innovation Forum, “Requirements for Commercial Operation in the U.S. 3550-3700 MHz Citizens Broadband Radio Service Band, Document WINNF-15-S-0112,” tech. rep., May 2016.

[26] V. P. Reddy, S. Bhattarai, and J. Park, “Coverage analysis of nb-iot in the presence of radar interference.” http://www.arias.ece.vt.edu/publications.html. Online, accessed 05-1-2017.
[27] 3GPP, “Standardization of nb-iot completed.” http://www.3gpp.org/news-events/3gpp-news/1785-nb_iot_complete. Online, accessed 04-10-2017.

[28] Y. P. E. Wang, X. Lin, A. Adhikary, A. Grovlen, Y. Sui, Y. Blankenship, J. Bergman, and H. S. Razaghi, “A primer on 3gpp narrowband internet of things,” IEEE Communications Magazine, vol. 55, pp. 117–123, March 2017.

[29] 3GPP, “Tr 45.820, cellular system support for ultra-low complexity and low throughput internet of things (ciot).” https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2719. Online, accessed 04-10-2017.

[30] 3GPP, “Evolved universal terrestrial radio access (e-utra); physical channels and modulation.” https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2425. Online, accessed 04-10-2017.

[31] J. H. Reed, A. W. Clegg, A. V. Padaki, T. Yang, R. Nealy, C. Dietrich, C. R. Anderson, and D. M. Mearns, “On the co-existence of td-lte and radar over 3.5 ghz band: An experimental study,” IEEE Wireless Communications Letters, vol. 5, pp. 368–371, Aug 2016.

[32] V. Tech, “Lte-enhanced cognitive radio testbed (lte-cornet).” https://cornet.wireless.vt.edu/lte.html. Online, accessed 04-10-2017.

[33] Amarisoft, “Amarisoft enb and ue.” https://www.amarisoft.com/software-enb-epc-ue-simulator/. Online, accessed 04-10-2017.

[34] F. Hessar and S. Roy, “Spectrum sharing between a surveillance radar and secondary wi-fi networks,” IEEE Transactions on Aerospace and Electronic Systems, vol. 52, pp. 1434–1448, June 2016.