Detecting Malicious Pilot Contamination in Multiuser Massive MIMO Using Decision Trees
Pedro Ivo da Cruz, Dimitri Silva, Tito Spadini, Ricardo Suyama, Murilo Bellezoni Loiola
TL;DR
The paper tackles the vulnerability of massive MIMO to pilot contamination attacks (PCA) by casting PCA detection as a classification problem solvable with a Decision Tree (DT) at the base station. It shows that a depth-1 DT using the instantaneous channel-estimate energy $E$ (and the number of users $K$ as a contextual cue) can outperform a likelihood-ratio-test baseline, particularly in low-SNR and low-eavesdropper-power regimes, without needing priors on noise power $\sigma^2$ or attacker power $P_e$. A systematic data-generation pipeline is developed to train and evaluate the DT, and the approach is validated across varying SNR, $K$, $M$, and $P_e$, demonstrating robustness and practical viability for fast PCA detection in 5G/6G settings. The work contributes a lightweight detector design with offline training, offering favorable complexity and resilience compared with conventional LRT-based PCA detectors. Practical impact includes improved physical-layer security for MMIMO systems through real-time PCA detection at the BS without requiring knowledge of uncertain parameters.
Abstract
Massive multiple-input multiple-output (MMIMO) is essential to modern wireless communication systems, like 5G and 6G, but it is vulnerable to active eavesdropping attacks. One type of such attack is the pilot contamination attack (PCA), where a malicious user copies pilot signals from an authentic user during uplink, intentionally interfering with the base station's (BS) channel estimation accuracy. In this work, we propose to use a Decision Tree (DT) algorithm for PCA detection at the BS in a multi-user system. We present a methodology to generate training data for the DT classifier and select the best DT according to its depth. Then, we simulate different scenarios that could be encountered in practice and compare the DT to a classical technique based on likelihood ratio testing (LRT) subjected to the same scenarios. The results revealed that a DT with only one level of depth is sufficient to outperform the LRT. The DT shows a good performance regarding the probability of detection in noisy scenarios and when the malicious user transmits with low power, in which case the LRT fails to detect the PCA. We also show that the reason for the good performance of the DT is its ability to compute a threshold that separates PCA data from non-PCA data better than the LRT's threshold. Moreover, the DT does not necessitate prior knowledge of noise power or assumptions regarding the signal power of malicious users, prerequisites typically essential for LRT and other hypothesis testing methodologies.
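The abstract's central claim is that a depth-1 DT amounts to a threshold on the channel-estimate energy $E$, learned from training data, whereas the LRT threshold must be computed from $\sigma^2$ and an assumed $P_e$. The toy simulation below, added here as an illustration and not code from the paper or its authors, makes that comparison concrete. It assumes a simplified model: orthonormal pilots (so each user's least-squares estimate occupies its own pilot slot and $K$ drops out), i.i.d. Rayleigh $\mathcal{CN}(0,1)$ channels, $M = 64$ BS antennas, unit user pilot power $p$, 0 dB pilot SNR, and a single eavesdropper replaying the victim's pilot at power $P_e$. The depth-1 tree is a hand-written Gini-impurity stump rather than a library call, and the LRT threshold is the equal-prior closed form for the complex Gaussian model; all numeric ranges are constructed for the example.

```python
"""Pilot contamination attack (PCA) detection on channel-estimate energy E:
a depth-1 decision tree (Gini stump) versus an LRT threshold that needs the
noise power sigma2 and an assumed attacker power pe.
Added illustration with a simplified system model (see lead-in)."""
import math
import random


def crandn(rng):
    """One circularly symmetric complex Gaussian sample, CN(0, 1)."""
    s = math.sqrt(0.5)
    return complex(rng.gauss(0.0, s), rng.gauss(0.0, s))


def channel_estimate_energy(M, p, sigma2, pe, attacked, rng):
    """Energy E = (1/M) * sum_m |h_hat_m|^2 of the LS estimate of one user.
    Assumption: orthonormal pilots, so the victim's pilot slot receives
    sqrt(p)*h + [sqrt(pe)*g if attacked] + noise, and h_hat = y / sqrt(p)."""
    total = 0.0
    for _ in range(M):
        y = math.sqrt(p) * crandn(rng)
        if attacked:
            y += math.sqrt(pe) * crandn(rng)      # eavesdropper's channel g
        y += math.sqrt(sigma2) * crandn(rng)      # receiver noise
        total += abs(y) ** 2 / p
    return total / M


def generate_dataset(n, M, p, sigma2, pe_range, rng):
    """Constructed training/test set: alternating attacked / clean samples,
    attacker power drawn uniformly from pe_range (unknown to the detector)."""
    data = []
    for i in range(n):
        attacked = (i % 2 == 0)
        pe = rng.uniform(*pe_range)
        data.append((channel_estimate_energy(M, p, sigma2, pe, attacked, rng),
                     int(attacked)))
    return data


def gini(counts):
    total = sum(counts)
    if total == 0:
        return 0.0
    return 1.0 - sum((c / total) ** 2 for c in counts)


def fit_stump(data):
    """Depth-1 decision tree on the scalar feature E: try every midpoint
    between consecutive sorted values and keep the split with the lowest
    weighted Gini impurity. Decision rule: predict PCA when E > threshold."""
    pts = sorted(data)
    n = len(pts)
    total_pos = sum(label for _, label in pts)
    best_t, best_imp, left_pos = None, float("inf"), 0
    for i in range(n - 1):
        left_pos += pts[i][1]
        if pts[i][0] == pts[i + 1][0]:
            continue
        left_n, right_n = i + 1, n - i - 1
        right_pos = total_pos - left_pos
        imp = (left_n * gini([left_pos, left_n - left_pos])
               + right_n * gini([right_pos, right_n - right_pos])) / n
        if imp < best_imp:
            best_imp, best_t = imp, 0.5 * (pts[i][0] + pts[i + 1][0])
    return best_t


def lrt_threshold(p, sigma2, pe):
    """LRT threshold on E for the Gaussian model with equal priors.
    H0: each estimate entry ~ CN(0, v0); H1: ~ CN(0, v1). Summing the
    per-antenna log-likelihood ratio gives: decide H1 iff
    E > ln(v1/v0) / (1/v0 - 1/v1). Requires sigma2 and pe."""
    v0 = 1.0 + sigma2 / p
    v1 = 1.0 + (pe + sigma2) / p
    return math.log(v1 / v0) / (1.0 / v0 - 1.0 / v1)


def evaluate(threshold, data):
    """Return (probability of detection, probability of false alarm)."""
    pos = [e for e, l in data if l == 1]
    neg = [e for e, l in data if l == 0]
    pd = sum(1 for e in pos if e > threshold) / len(pos)
    pfa = sum(1 for e in neg if e > threshold) / len(neg)
    return pd, pfa


def run_experiment(seed=7):
    rng = random.Random(seed)
    M, p, sigma2 = 64, 1.0, 1.0                     # 0 dB pilot SNR (assumption)
    # Offline training: attacker power spread over [0.1, 1.0] * p, never given
    # to the tree explicitly; it only sees E and the label.
    train = generate_dataset(4000, M, p, sigma2, (0.1, 1.0), rng)
    t_dt = fit_stump(train)
    # LRT is told sigma2 but must assume an attacker power; here the guess
    # pe = 2.0 overestimates the real attacker.
    t_lrt = lrt_threshold(p, sigma2, 2.0)
    # Test scenario: weak attacker (pe = 0.2), the regime the paper highlights.
    test = generate_dataset(2000, M, p, sigma2, (0.2, 0.2), rng)
    pd_dt, pfa_dt = evaluate(t_dt, test)
    pd_lrt, pfa_lrt = evaluate(t_lrt, test)
    return {"t_dt": t_dt, "t_lrt": t_lrt, "pd_dt": pd_dt, "pfa_dt": pfa_dt,
            "pd_lrt": pd_lrt, "pfa_lrt": pfa_lrt}


if __name__ == "__main__":
    for k, v in run_experiment().items():
        print(f"{k:8s} {v:.4f}")
```

Under these assumptions the clean-channel energy concentrates around $1 + \sigma^2/p = 2$, a weak attacker shifts it to about $2.2$, and the stump places its threshold between the two clusters from the training data alone, while the LRT threshold is pushed up by the pessimistic $P_e$ guess and misses most weak attacks. Changing `pe` in `lrt_threshold` to the true value restores the LRT, which is exactly the prior-knowledge dependence the abstract points out.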
