Detection and Localization of the Eavesdropper in MIMO Systems

The pilot spoofing attack (PSA) is a kind of active eavesdropping that happens in the channel training phase, in which an intelligent eavesdropper transmits identical pilot sequences synchronously with the legitimate user to spoof the transmitter. This attack leads to the estimated channel being a mix of the legitimate channel (the channel from the transmitter to the legitimate user) and the eavesdropper channel (the channel from the transmitter to the eavesdropper). As a result, confidential information is leaked to the eavesdropper during the data transmission phase. In particular, when the eavesdropper utilizes sufficiently large power, the channel rate decreases observably at the legitimate user end and increases dramatically at the eavesdropper. To counter the active PSA, we propose a new effective scheme called the spatial spectrum method (SSM), which can be applied in situations in which the eavesdropper attacks not only the transmitter but also the legitimate user in multiple-input multiple-output (MIMO) communication systems. Specifically, this method utilizes the spatial spectrums that are attained in the uplink training phase to detect the eavesdropper. It can also locate the legitimate user and the eavesdropper by identifying their directions-of-arrival (DOAs), based on the symmetry of the uplink and downlink channels in a time-division-duplex (TDD) system, and by estimating the geographical distance between the legitimate user and the eavesdropper. Consequently, the secure transmission of secret information can be guaranteed by utilizing spatial information, such as by adopting beamforming technology. Numerical results show that our method can effectively detect and locate the eavesdropper.


I. INTRODUCTION
Confidential information may suffer the threat of eavesdropping when it is transmitted in the wireless medium due to the openness and broadcast nature of wireless communication. Cryptography is a traditional method of protecting secret information by encrypting the confidential message into an unreadable message. However, this method consumes more resources (such as secret key distribution and management [1], [2]) and the encrypted message may be cracked with sufficiently advanced computational capabilities. To protect secret information, researchers have begun to pay increased attention to physical layer security (PLS) [3]-[6], which utilizes the characteristics of the wireless channel to improve the legitimate channel rate with lower complexity than cryptographic technology.

The associate editor coordinating the review of this manuscript and approving it for publication was Qilian Liang.
PLS is a promising method for ensuring the security of the information; hence, many studies have been dedicated to investigating effective PLS technologies. The most popular of these are artificial noise (AN) [7]-[9] and beamforming technologies [10]-[13]. To confuse eavesdroppers, the transmitter can add AN to the transmission signal and reduce the channel rate of the eavesdropper. Beamforming can achieve a positive secrecy rate even if the eavesdropping channel is stronger than the legitimate channel [14]-[16]. However, most works on PLS assume that the channel state information (CSI) is perfectly or at least partially known, which is impossible in practice.
As the CSI is critical to realizing secure transmission, a channel training phase should be implemented before the data transmission phase. During the training phase, owing to the reciprocity of the uplink and downlink channels in a time-division-duplex (TDD) system, the transmitter estimates the channel based on the received pilot information that is transmitted by the legitimate user. However, in a wiretap channel (which consists of a transmitter, a legitimate user and an eavesdropper) [17], [18], the eavesdropper can also obtain the pilot signal due to the nature of the pilot signal (it is repeatedly used and publicly known). Therefore, during the training phase, the eavesdropper broadcasts the pilot signal simultaneously with the legitimate user, resulting in an estimated channel that consists of a combination of the legitimate channel and the eavesdropping channel. When the transmitter transmits confidential messages through the estimated channel during the data transmission phase, the information rate may decrease for the legitimate user and increase for the eavesdropper. This active attack is called the pilot spoofing attack (PSA), and it may have severe consequences. For example, in the worst case, the eavesdropper can obtain all confidential messages by increasing its own transmit power and reducing the information rate at the legitimate user end to zero.

A. RELATED WORKS AND MOTIVATION
The PSA was first studied in [19], which mainly analyzed the damage caused by a PSA. Subsequently, various studies have been done on detecting PSA. One representative method involves modifying the pilot sequences [20]-[24]. References [20] and [21] adopted two random phase-shift keying (PSK) symbols and newly designed stochastic signals as the pilot signal. References [22] and [23] proposed an effective detection method by adding a random sequence into the pilot sequences rather than redesigning pilot signals. Reference [24] adjusted the training length and the transmit power of the pilot sequences to detect PSA. However, altering the pilot sequences is not practical, as pilot signals are used not just for channel estimation but also for eliminating the interference of the legitimate users by applying orthogonal pilot sequences. Reference [25] designed a three-phase uplink training method (TPUT) to detect the eavesdropper efficiently by introducing a trusted user. An energy ratio detector (ERD) method was introduced in [26], in which the author utilized the unequal power of the transmitter and the legitimate user to detect PSA when the eavesdropper conducts PSA. In a later study, the authors studied a two-way training method (TWTD) in the multiple-input single-output (MISO) system [27]; this method not only has good detection performance but can also estimate the legitimate channel and the eavesdropping channel (if PSA happens). However, this method assumed that the adversary only conducts the uplink training attack and would be ineffective if the adversary also conducts the downlink training attack. Moreover, given the limited training length, the channel estimation accuracy and the detection reliability would be seriously degraded in the low signal-to-noise ratio (SNR) regime.
Most importantly, most of the above studies focus on the MISO case, and their results may be less effective for the more popular multiple-input multiple-output (MIMO) scenarios, due to the significantly increased training overhead and less attractive reliability.

B. OUR WORK AND CONTRIBUTIONS
In this paper, we propose a new scheme to combat the PSA by using the nature of the spatial spectrum in TDD MIMO systems. In our model, we propose a two-way channel training based scheme to detect the presence of the eavesdropper (Eve) and locate the positions of the legitimate user (Bob) and Eve. We assume that Eve is highly intelligent and can also launch the downlink training attack when it detects the transmitter executing downlink training, as shown in Fig. 1. The new method utilizes the spectrum peak value to detect Eve. In addition, the transmitter (Alice) can locate Bob and Eve (the directions-of-arrival (DOAs) of Bob and Eve and the geographical distances Alice-Bob and Alice-Eve). For example, it can obtain the DOAs of Bob and Eve by recognizing which peak values come from Eve using the symmetry of the uplink and downlink channels in a TDD system, which makes subsequent beamforming possible.
The main contributions of our work are summarized as follows:
• Our scheme provides a new spatial spectrum method (SSM) to detect and locate Eve based on a two-way channel training scheme. The new method works not only in the scenario in which Eve only launches the uplink spoofing attack but also in new scenarios in which Eve launches both uplink and downlink spoofing attacks. In addition, the SSM need not redesign the pilot signals or insert a safe pilot sequence into the pilot signals as in [20]-[24].
• The SSM utilizes spatial information to detect the PSA, and it can dramatically improve the detection probability in low SNR conditions. Moreover, it requires a shorter training length than existing methods in MIMO scenarios; alternatively, it can obtain higher detection probabilities under the same training length than existing methods.
• The greatest contribution of our work is that it can locate the positions of Bob and Eve even in low SNR conditions, which makes subsequent beamforming from Alice to Bob possible. It can also improve the secrecy capacity of the system by trapping waves in the direction of Eve.
The rest of this paper is organized as follows. Section II introduces the system model and the damages caused by PSA. Section III introduces the detection process of the malicious eavesdropper. Section IV illustrates the process for locating the eavesdropper. In section V, we introduce the simulation set-up and analyze the numerical results. Finally, the conclusions are drawn in section VI.
Notations: Bold lowercase and uppercase letters represent vectors and matrices, respectively, i.e., $\mathbf{a}$ and $\mathbf{A}$. $(\cdot)^T$ and $(\cdot)^\dagger$ represent the transpose and Hermitian transpose, respectively. The Euclidean norm of a vector or a matrix is denoted by $\|\cdot\|$. The absolute value of a scalar is denoted by $|\cdot|$. $\mathbb{C}^{n \times m}$ represents a complex space of dimension $n \times m$, and $I_{n \times n}$ denotes an $n$-by-$n$ identity matrix. $\mathcal{CN}(0, \sigma^2)$ denotes the distribution of a circularly symmetric complex Gaussian (CSCG) random variable with mean zero and variance $\sigma^2$. The distribution of a Gaussian random variable with zero mean and variance $\sigma^2$ is denoted as $\mathcal{N}(0, \sigma^2)$. $P_r(\cdot)$ denotes the probability measure.

II. SYSTEM MODEL AND PROBLEM STATEMENT
This analysis adopts a wiretap channel model in a polar coordinate system, as shown in Fig. 1. Alice is selected as the origin, Bob's location is denoted as $(D_{ab}, \theta_b)$, and Eve's location is denoted as $(D_{ae}, \theta_e)$, with $\theta_b \neq \theta_e$. They are respectively equipped with $n_t$, $n_r$, $n_e$ ($n_t = n_r \geq 2$, $n_e \geq 2$) antennas. The downlink channel and the uplink channel are assumed to be reciprocal as this scheme operates in a TDD system. Moreover, we assume that the channels are block fading and that the CSI remains constant during the training length. In order to achieve secure data transmission, Alice should estimate the channel during the training phase.
Next we briefly introduce the PSA and the damage it may cause. During the uplink training phase, each antenna of Bob broadcasts the pilot signal $x_p(n)$, $n = 1, \ldots, N_1$, with $\sum_{n=1}^{N_1} |x_p(n)|^2 = N_1$, where $N_1$ is the pilot length of each antenna. Alice then estimates the channel $h_i \in \mathbb{C}^{n_t \times 1}$ ($i \in \{1, 2, \cdots, n_r\}$) between that antenna of Bob and its own antennas. Hence, to estimate the CSI of the legitimate channel (the channel between Alice and Bob) $H = [h_1, \cdots, h_i, \cdots, h_{n_r}] \in \mathbb{C}^{n_t \times n_r}$, the total training length of uplink training is $N_1 = n_r N_1$. The illegitimate channel (the channel between Alice and Eve) is denoted by $G = [g_1, \cdots, g_i, \cdots, g_{n_e}] \in \mathbb{C}^{n_t \times n_e}$, $g_i \in \mathbb{C}^{n_t \times 1}$. Each entry of $H$ and $G$ is assumed to be an independent and identically distributed (i.i.d.) CSCG random variable. If Eve launches PSA in the uplink training process, the received signal at Alice is: where $P_B$ and $P_E$ denote the power budgets of Bob and Eve, respectively. $y_{a,i}(n), u(n) \in \mathbb{C}^{n_t \times 1}$. $u(n)$ represents the CSCG noise vector and each entry is i.i.d. with zero mean and variance $\sigma_u^2$, i.e., $u(n) \sim \mathcal{CN}(0, \sigma_u^2 I_{n_t \times n_t})$. The estimated CSI based on the least square (LS) method [28] is denoted by $\hat{h}_i$. When Alice is not aware of the PSA, the estimated CSI will be misguided and given by: where $\tilde{e}_i$ is the estimation error. The estimated legitimate channel $\hat{H} = [\hat{h}_1, \cdots, \hat{h}_i, \cdots, \hat{h}_{n_r}]$ is contaminated by $G$ if PSA happens.
In the data transmission phase, Alice transmits the signal $x_d = Ws$, $x_d \in \mathbb{C}^{n_t \times 1}$, where $s$ denotes the data symbols and the precoding matrix $W$ is: The received signal at Bob and Eve are: where $P_A$ is the power budget of Alice. $v_b$ and $v_e$ are the CSCG noises at Bob and Eve, respectively, i.e., $v_b \sim \mathcal{CN}(0, \sigma^2 I_{n_r \times n_r})$, $v_e \sim \mathcal{CN}(0, \sigma^2 I_{n_e \times n_e})$. Assuming Bob and Eve apply maximal ratio combining (MRC) to combine the received signals at different antennas, the average SNRs at Bob and Eve are If there is no PSA, In this situation $\mathrm{SNR}_b$ can reach its maximum as the antennas are aligned to Bob. When Eve exists, $W$ would not perfectly point to Bob, which leads to a decrease in $\mathrm{SNR}_b$ and an increase in $\mathrm{SNR}_e$. In particular, when $P_E$ is large enough, the SNR at Eve will be larger than that at Bob, which means that Bob will get a negative secrecy rate. Moreover, the pilot length of the channel training phase $N_1 = n_r N_1$ will be greatly increased in MIMO systems, and this is impossible in practical applications as it leads to a decrease of the data transmission length.
From the analysis above, it is critical to detect PSA and guarantee secure transmission. To do so, we propose an SSM that exploits the spatial spectrums to detect Eve by a given threshold and to locate Eve by comparing the spatial spectrums attained respectively at the Alice and Bob ends, as shown in Fig. 1. The advantage of SSM is that the spatial information (the geographic location, i.e., the DOA and the distance) can be estimated with only one transmit antenna during the training process, which saves training time and energy consumption compared to the method above. Hence, the legitimate and the illegitimate channels are modeled as [29]: which represents the propagation over $L$ paths, $\eta_{b,l}$ and $\eta_{e,l}$ denote the large-scale fading coefficients. $a(\theta_{b,l})$ and $a(\theta_{e,l})$ are the array steering vectors of Bob and Eve, respectively. $\theta_{b,l}$ and $\theta_{e,l}$ respectively denote the DOAs of Bob and Eve. The detailed process of our method is as follows: in the first stage, Bob sends pilot signals with one antenna and then Alice detects whether PSA happens based on the received signals. In the second stage, Alice either launches the downlink training with one antenna if PSA happens or directly estimates the channel. If Eve is detected, Bob estimates the spatial spectrum and feeds back the results to Alice. The localization of Bob and Eve (identifying the DOAs of Bob and Eve and obtaining the geographical distances Alice-Bob and Alice-Eve) is done at the Alice end.

III. DETECTING THE EAVESDROPPER BASED ON THE SPATIAL SPECTRUM
From the analysis in section II, we can see that PSA would cause serious damage to data transmission, which has motivated researchers to find effective methods to cope with PSA. In this paper, we focus on an SSM to detect Eve during the pilot training phase. In this phase, the antenna works in omnidirectional emission mode and Bob uses only one single antenna to launch the uplink training. Different from other two-way training methods, this approach only needs uplink training in the detection process. The downlink training process is required only when Eve is detected; otherwise, we can directly estimate the channel and transmit confidential information.
In this section, we define two hypotheses $H_0$ and $H_1$. $H_0$ denotes that Alice is not under PSA and $H_1$ means that Eve conducts the PSA. Next, we introduce the spatial spectrum detection method in detail.
To realize secure transmission, Bob transmits the assigned pilot signals with one antenna; if PSA happens, Eve also broadcasts the same pilot signals with one antenna synchronously with Bob to spoof Alice. The received signal under $H_0$ and $H_1$ are respectively denoted by: Alice obtains the spatial spectrum of the received signal based on spatial matched filtering [30]: The spatial spectrum $S_A(\theta)$ will reach its peaks when $\theta$ is aligned to the DOAs of the incoming signals from (12) [31], i.e., $\theta = \theta_{b,l}$ or $\theta = \theta_{e,l}$ (if PSA happens). In a narrow band channel model, the losses of reflective and scattering paths are relatively high; hence, the line-of-sight (LOS) path usually dominates in the multipath, and the spatial peaks caused by the non-line-of-sight paths are usually very low or may be submerged in noise. Hence, the channel model in our analysis is equivalent to $h \to \eta_{ab} a(\theta_b)$ and $g \to \eta_{ae} a(\theta_e)$ [32], [33], with $\eta_{ab} \in \{\eta_{b,l} \mid l = 1, \cdots, L\}$ and $\eta_{ae} \in \{\eta_{e,l} \mid l = 1, \cdots, L\}$. $\eta_{ab} = D_{ab}^{-\alpha/2}$ and $\eta_{ae} = D_{ae}^{-\alpha/2}$ represent the large-scale fading coefficients for the LOS path of the legitimate and illegitimate channels, respectively, where $\alpha$ is the path loss exponent. The spatial spectrum is an important step in our algorithm, and there is no need to estimate the channel by inversion in our model, which greatly reduces the complexity of the algorithm. The complexity based on (12) is $2n_t^2 + n_t$. According to the new scheme of the SSM method, $S_A(\theta)$ can be estimated by a finite pilot length $N_1 = N_1$ which significantly reduces the training length compared to the training length $N_1 = n_r N_1$ in the time domain, i.e., From (13), for a fixed $\theta$, $y_a(n) = a^\dagger(\theta) y_a(n)$ is a CSCG random variable, and $|y_a(n)|^2$ then follows a non-central chi-square distribution with 2 degrees of freedom.
Based on the central limit theorem (CLT), $\hat{S}_A(\theta)$ can be approximated by a Gaussian random variable for a given $\theta$ when the number of sampling points $N_1$ (the degree-of-freedom is $2N_1$) is sufficiently large.
If $H_0$ is true, one major peak $\hat{S}_A(\theta_b)$ can be observed. If $H_1$ is true, two major peaks $\hat{S}_A(\theta_b)$, $\hat{S}_A(\theta_e)$ can be observed. In addition, some fake smaller peaks $\hat{S}_A(\theta_i)$ ($i = 1, 2, \cdots$) can also be observed, i.e., caused by the noise or oscillation effects in the spatial spectrum. Based on the analysis above, when the number of degrees of freedom $2N_1$ is large, Then we derive the threshold $\gamma$ based on the false alarm probability $P_{fa}$: where $B = \{\hat{S}_A(\theta_m) \mid \hat{S}_A(\theta_m) > \gamma,\ m = b, e, i\}$ denotes the set of detected peaks and $\mathrm{card}(\cdot)$ denotes the number of elements in the set. $f_{0i}(x)$ and $F_{0i}(\gamma)$ are the probability density function (PDF) and corresponding cumulative distribution function (CDF) of $\hat{S}_A(\theta_i)$, and $f_1(x)$ and $F_1(\gamma)$ are the PDF and corresponding CDF of $\hat{S}_A(\theta_b)$. $\gamma_i$ is derived from the different fake peaks $\hat{S}_A(\theta_i)$ with a given $P_{fa}$. Then the detection threshold is $\gamma = \max\{\gamma_i\}$.
The hypothesis test problem is: Based on the threshold $\gamma$, we can obtain the detection probability $P_d$ of Eve as follows: where $f_2(x)$ and $F_2(\gamma)$ are the PDF and corresponding CDF of $\hat{S}_A(\theta_e)$. In fact, we have excluded a special case in the above derivation, in which Bob and Eve are spatially close to each other: if Bob and Eve have the same DOA or their DOAs are very close, then our method will have difficulty in detecting the pilot spoofing attack. After the PSA detection process, we execute the downlink training process to locate Bob and Eve if PSA happens; otherwise, we directly estimate the location of Bob and transmit confidential information.
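
The detection step of this section, as an added Python sketch that is not code from the paper: Alice forms the matched-filter spatial spectrum from $N_1$ uplink snapshots and declares PSA when more than one peak exceeds the threshold. Assumptions made here: a half-wavelength uniform linear array, the LOS-only model $y_a(n) = (\sqrt{P_B}\,\eta_{ab} a(\theta_b) + \sqrt{P_E}\,\eta_{ae} a(\theta_e)) x_p(n) + u(n)$, constructed DOAs of 60° and 30° and constructed 30 dB transmit powers, and a fixed sidelobe guard standing in for the page's $\gamma = \max\{\gamma_i\}$; all function names are hypothetical.

```python
import cmath
import math
import random
from statistics import NormalDist

N_T, N_1 = 32, 100            # page values: antennas at Alice, pilot length
ALPHA, SIGMA2 = 3.0, 1.0      # page values: path-loss exponent, noise variance
D_AB, D_AE = 10.0, 13.0       # page values: distances in metres
P_B = P_E = 10 ** (30 / 10)   # constructed: 30 dB, chosen so both peaks are clear
THETA_B, THETA_E = math.radians(60), math.radians(30)   # constructed DOAs
GRID_DEG = list(range(-89, 91))                          # scan over (-90, 90] degrees


def steering(theta):
    """Assumed array: half-wavelength uniform linear array with N_T elements."""
    return [cmath.exp(1j * math.pi * m * math.sin(theta)) for m in range(N_T)]


def received(sources, rng):
    """N_1 snapshots y_a(n) at Alice; every source sends the same pilot x_p(n)."""
    chan = [0j] * N_T
    for power, dist, doa in sources:
        gain = math.sqrt(power) * dist ** (-ALPHA / 2)   # sqrt(P) * eta, eta = D^(-alpha/2)
        chan = [c + gain * a for c, a in zip(chan, steering(doa))]
    s = math.sqrt(SIGMA2 / 2)                            # per-component noise std
    snaps = []
    for _ in range(N_1):
        x_p = cmath.exp(2j * math.pi * rng.random())     # unit-modulus pilot symbol
        snaps.append([c * x_p + complex(rng.gauss(0, s), rng.gauss(0, s)) for c in chan])
    return snaps


def spatial_spectrum(snaps):
    """Matched-filter estimate: S(theta) = mean over n of |a^H(theta) y(n)|^2."""
    spec = []
    for deg in GRID_DEG:
        a_h = [a.conjugate() for a in steering(math.radians(deg))]
        total = 0.0
        for y in snaps:
            total += abs(sum(w * v for w, v in zip(a_h, y))) ** 2
        spec.append(total / len(snaps))
    return spec


def detect(spec, p_fa=0.01, sidelobe_guard=0.2):
    """Return (threshold, DOAs in degrees of peaks above it, strongest first)."""
    mu0 = N_T * SIGMA2                       # noise-only mean of S(theta)
    sigma0 = mu0 / math.sqrt(N_1)            # noise-only std after averaging (CLT)
    gamma = mu0 + sigma0 * NormalDist().inv_cdf(1.0 - p_fa)
    # Assumption: fake peaks from array sidelobes (about -13 dB for a uniform
    # array) are excluded by keeping the threshold above 20% of the strongest
    # peak's excess over the noise floor.
    gamma = max(gamma, mu0 + sidelobe_guard * (max(spec) - mu0))
    peaks = [(spec[k], GRID_DEG[k]) for k in range(1, len(spec) - 1)
             if spec[k] > gamma and spec[k - 1] < spec[k] >= spec[k + 1]]
    return gamma, [deg for _, deg in sorted(peaks, reverse=True)]


def run(eve_present, seed=2020):
    """Simulate H0 (Bob only) or H1 (Bob and Eve) and apply the peak-count test."""
    sources = [(P_B, D_AB, THETA_B)]
    if eve_present:
        sources.append((P_E, D_AE, THETA_E))
    gamma, doas = detect(spatial_spectrum(received(sources, random.Random(seed))))
    return {"psa_detected": len(doas) > 1, "doas_deg": doas, "gamma": gamma}


if __name__ == "__main__":
    print("H0:", run(False))
    print("H1:", run(True))
```

With closely spaced DOAs the two main lobes merge into one local maximum, which is the special case the section excludes.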

IV. LOCALIZATION OF THE EAVESDROPPER

A. IDENTIFICATION OF THE EAVESDROPPER
If we detect that the PSA happens, then we obtain two DOAs according to $\hat{\theta} = \arg_{(-\pi/2,\, \pi/2]} \hat{S}_A(\theta)$. Then we further identify which of the two incoming signals is transmitted by Eve by executing the downlink training phase, based on the symmetry of the uplink and downlink channels in a time-division-duplex (TDD) system. In this paper, we consider the case where Alice and Bob are both under the PSA; this means Eve also launches PSA during the downlink training process as in Fig. 1 (it is obvious that our method also applies to the case where Eve keeps silent during the downlink training process). Therefore, during the downlink training phase, Bob can detect two peaks $\hat{S}_B(\theta_a)$ and $\hat{S}_B(\theta_e)$ that arise from the incoming signals from Alice and Eve. $\theta_a$ and $\theta_e$ are respectively the DOAs of the incoming signals from Alice and Eve at the Bob end. As with $\hat{S}$ where Here, $N_2 = N_1$ is the training length of the downlink training, $\sigma_v^2 = \sigma_u^2$ is the variance of the noise at the Bob end and $v(n) \sim \mathcal{CN}(0, \sigma_v^2 I_{n_r \times n_r})$. $\eta_{be}$ represents the large-scale fading coefficients for the channels of Eve to Bob. In the training process, we set $P_A = P_B$.
Then we have four peaks $\hat{S}_A(\theta_b)$, $\hat{S}_A(\theta_e)$, $\hat{S}_B(\theta_a)$, and $\hat{S}_B(\theta_e)$. We can conclude from the four peaks which one comes from Eve by using the reciprocity of the uplink and downlink channels between Alice and Bob in a TDD system. Specifically, the differences between $\hat{S}_A(\theta_e)$ and $\hat{S}_B(\theta_a)$, $\hat{S}_A(\theta_e)$ and $\hat{S}_B(\theta_e)$, and $\hat{S}_A(\theta_b)$ and $\hat{S}_B(\theta_e)$ will be larger than the difference between $\hat{S}_A(\theta_b)$ and $\hat{S}_B(\theta_a)$ even if $P_E = P_B$, as $D_{ae} \neq D_{ab}$, $D_{ae} \neq D_{be}$ and $D_{be} \neq D_{ab}$ (except for three cases: case 1, when $P_E = P_B$, Eve is located along the central axis between Alice and Bob, $D_{ae} = D_{be}$; case 2, when $P_E = P_B$, Eve is located on a circle centered on Alice with radius $D_{ab}$, $D_{ae} = D_{ab}$; case 3, when $P_E = P_B$, Eve is located on a circle centered on Bob with radius $D_{ab}$, $D_{be} = D_{ab}$). However, owing to the randomness of the locations of Bob and Eve, Eve can be correctly identified. From (15) and (21), the mean values of the peaks are affected not only by their own signal but also by the other incoming signals. In order to better illustrate the identification process, we omit the influence of the other signals in the representation of the means and variances (as the influence of the other signals is limited), but we do not omit it in the simulation results. Therefore, Then, we have In order to identify the DOA of Eve, the test statistics are designed as: Then the problem of identifying the DOA of Eve based on (24) becomes which is the minimum value min among the four test statistics 1, 2, 3, and 4.
If 1 is the minimum value, then we can correctly identify the DOA of Eve at the Alice end as $\theta_e$ and the DOA of Eve at the Bob end as $\theta_e$: If 2 is the minimum value, then we can correctly identify the DOA of Eve at the Alice end as $\theta_e$ and falsely recognize the DOA of Eve at the Bob end as $\theta_a$: If 3 is the minimum value, then we can falsely recognize the DOA of Eve at the Alice end as $\theta_b$ and correctly identify the DOA of Eve at the Bob end as $\theta_e$: If 4 is the minimum value, then we can falsely recognize the DOA of Eve at the Alice end as $\theta_b$ and falsely recognize the DOA of Eve at the Bob end as $\theta_a$: According to (25), (26), (27) and (28), if min = 1 or min = 2, the incoming signals at the Alice end would have a correct judgment; if min = 1 or min = 3, the incoming signals at the Bob end would have a correct judgment, as follows: To obtain the ratio of the correct recognition of $\hat{S}_A(\theta_b)$ and $\hat{S}_A(\theta_e)$ or $\hat{S}_B(\theta_a)$ and $\hat{S}_B(\theta_e)$, we use the minimum error probability method. As the recognition method of $\hat{S}_B(\theta_a)$ and $\hat{S}_B(\theta_e)$ is similar to that of $\hat{S}_A(\theta_b)$ and $\hat{S}_A(\theta_e)$, we only discuss the ratio of correct recognition $P_c$ of $\hat{S}_A(\theta_b)$ and $\hat{S}_A(\theta_e)$, i.e., $P_c = 1 - P_e$. $P_e$ is the minimum error probability of recognizing $\hat{S}_A(\theta_b)$ and $\hat{S}_A(\theta_e)$ as in (31), as shown at the bottom of the page. In (31), $f_1(x)$, $f_2(x)$, $f_3(x)$, and $f_4(x)$ are the PDFs of 1, 2, 3, and 4, respectively. $F_1(\cdot)$, $F_2(\cdot)$, $F_3(\cdot)$, and $F_4(\cdot)$ are the CDFs of 1, 2, 3, and 4, respectively. $\gamma$ is the decision threshold that minimizes the above $P_e$, which can be determined based on There is more than one minimum value among 1, 2, 3, and 4 in some special situations, such as min = 1 = 2, min = 1 = 3, min = 1 = 4 and so on.
It may occur when Eve stays exactly on a circle centered on Alice's location with a radius of $D_{ab}$, i.e., $D_{ae} = D_{ab}$ and $P_E = P_B$, or when Eve stays exactly on a circle centered on Bob's location with a radius of $D_{ab}$, i.e., $D_{be} = D_{ab}$ and $P_E = P_B$, or when Eve is located along the central axis between Alice and Bob, i.e., $D_{ae} = D_{be}$ and $P_E = P_B$. However, these situations are rare in practical applications due to the randomness of the location distribution. Thus, our proposed scheme can potentially be used to recognize Eve (i.e., determine the DOAs of Bob and Eve).

B. GEOGRAPHIC DISTANCES
To achieve secure data transmission in the data transmission phase, we locate Bob and Eve by estimating the geographic distances $D_{ab}$, $D_{ae}$, and $D_{be}$ after obtaining the DOAs of Bob and Eve. Then, we have two methods to estimate the geographic distances.

$$P_e = P_r(\min \mid 3)\, P_r(3) + P_r(\min \mid 4)\, P_r(4) + P_r(\mathrm{err} \mid 1)\, P_r(1) + P_r(\mathrm{err} \mid 2)\, P_r(2)$$

1) DEDUCTION METHOD
We can estimate the geographic distances according to the relationship between the spatial spectrum and the geographic distance, such as from (12) we can obtain: Based on (32), the geographic distances $D_{ab}$, $D_{ae}$, and $D_{be}$ are (33), as shown at the bottom of this page, where Therefore we can estimate the geographic distances $D_{ab}$, $D_{ae}$, and $D_{be}$ through the equation set (33).

2) NEAREST NEIGHBOR METHOD
To achieve secure data transmission in the data transmission phase, we can estimate $D_{ab}$ with fingerprint-based localization [34] by matching the received signal spatial spectrum peaks against the information in the fingerprint database. Then, we can locate Eve according to the triangle rule. Fingerprint-based localization includes two steps: populating the fingerprint database and fingerprint matching. The fingerprint database should be constructed in advance. In our method, as we have recognized Bob and obtained its DOA, we can locate Bob if we obtain the geographic distance $D_{ab}$. Fingerprint-based localization estimates the location of Bob by exploring the relationship between the geographic distance $D$ and the spatial spectrum peaks $S(\theta)$. The signal fingerprint form used in this paper is as follows: where $F(D)$ is the signal fingerprint with geographic distance $D$, $J$ is the number of reference locations and $S_j$ is the spatial spectrum peak at location $D_j$. The second step in fingerprint-based localization is fingerprint matching. In this paper, we adopt the nearest neighbor algorithm to select the closest fingerprint. The nearest neighbor algorithm measures the Euclidean distances between the received spatial spectrum peak and each reference location in the fingerprint database, i.e., (36). Then, the geographic distance $D_{ab}$ can be obtained from the nearest fingerprint $\min\{\mathrm{dist}_j\}$.
When we finish the positioning of Bob, we obtain a triangle that consists of Alice, Bob and Eve. Then, we can use the triangle rule to deduce the distance between Alice and Eve $D_{ae}$. Based on the above elaborations, our designed method is illustrated by the following flowchart.
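
The two steps of the nearest neighbor method, as an added Python sketch that is not the paper's code: match Bob's spectrum peak against a fingerprint database to obtain $D_{ab}$, then solve the Alice-Bob-Eve triangle for $D_{ae}$ and $D_{be}$. Assumptions made here: the reference peaks $S_j$ follow the LOS model $n_t^2 P_B D_j^{-\alpha} + n_t \sigma^2$, the "triangle rule" is read as the law of sines with interior angles taken from DOA differences, and the transmit power, measured peak, DOAs at Bob and all function names are constructed or hypothetical.

```python
import math

N_T, ALPHA, SIGMA2 = 32, 3.0, 1.0     # page values
P_B = 10 ** (30 / 10)                  # constructed transmit power (30 dB)


def expected_peak(distance):
    """Assumed LOS model of the mean peak: n_t^2 * P_B * D^(-alpha) + n_t * sigma^2."""
    return N_T ** 2 * P_B * distance ** (-ALPHA) + N_T * SIGMA2


def build_fingerprints(distances):
    """Offline step: F(D) as a list of (D_j, S_j) reference pairs."""
    return [(d, expected_peak(d)) for d in distances]


def nearest_neighbor(peak, fingerprints):
    """Online step: return the D_j that minimises dist_j = |peak - S_j|."""
    if not fingerprints:
        raise ValueError("empty fingerprint database")
    return min(fingerprints, key=lambda f: abs(peak - f[1]))[0]


def solve_triangle(d_ab, doa_b, doa_e, doa_a_at_bob, doa_e_at_bob):
    """Law of sines on the Alice-Bob-Eve triangle (angles in radians).

    The interior angle at Alice is the difference of the two DOAs measured at
    Alice; the one at Bob is the difference of the two DOAs measured at Bob.
    Each pair only needs a common reference, so array orientation cancels.
    """
    ang_a = abs(doa_b - doa_e)
    ang_b = abs(doa_a_at_bob - doa_e_at_bob)
    ang_e = math.pi - ang_a - ang_b
    if min(ang_a, ang_b, ang_e) <= 0.0:
        # Collinear nodes or inconsistent DOAs: no triangle to solve.
        raise ValueError("degenerate geometry: DOAs do not form a triangle")
    d_ae = d_ab * math.sin(ang_b) / math.sin(ang_e)
    d_be = d_ab * math.sin(ang_a) / math.sin(ang_e)
    return d_ae, d_be


def locate(peak_b, fingerprints, doa_b, doa_e, doa_a_at_bob, doa_e_at_bob):
    """Fingerprint match for D_ab, then the triangle for D_ae and D_be."""
    d_ab = nearest_neighbor(peak_b, fingerprints)
    d_ae, d_be = solve_triangle(d_ab, doa_b, doa_e, doa_a_at_bob, doa_e_at_bob)
    return {"D_ab": d_ab, "D_ae": d_ae, "D_be": d_be}


# Constructed measurement: Bob at 10 m / 60 deg and Eve at 13 m / 30 deg as seen
# from Alice; at Bob the two DOAs are 100.956 deg apart.
DEMO_FINGERPRINTS = build_fingerprints(range(1, 31))      # references at 1..30 m
DEMO_ARGS = (1010.0, DEMO_FINGERPRINTS, math.radians(60), math.radians(30),
             math.radians(-50.478), math.radians(50.478))

if __name__ == "__main__":
    print(locate(*DEMO_ARGS))
```

Because the peak decays as $D^{-\alpha}$, the reference grid is effectively coarser at long range, so the matching error grows with distance for a fixed grid spacing.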

V. SIMULATION RESULTS
In this section, we execute computer simulations and provide numerical results to validate our theoretical analysis in a MIMO system with $n_t = n_r = n_e = 32$ antennas. All simulation results are obtained from 10000 Monte Carlo runs. Generally, we set the path loss index to be 3. The transmission power budgets of Alice and Bob are set to 10 dB, and the noise variance is normalized to 1, i.e., $\sigma_u^2 = \sigma_v^2 = 1$. Unless otherwise specified, the locations of Alice, Bob, and Eve are fixed, and the distances between Alice and Bob and between Alice and Eve are $D_{ab} = 10$ m and $D_{ae} = 13$ m, respectively. We conduct several simulations to evaluate the detection and localization performance (identifying the DOA and the geographic distance of Bob and Eve) under different conditions. In Fig. 3, we investigate the detection performance of our SSM method and the TWTD method under different power budgets of Eve $P_E$. This validates our theoretical analysis, as the simulation results almost overlap with those of the theoretical analysis. The detection probability $P_d$ improves with increasing power $P_E$. This means that the risk of being detected increases as Eve's power increases, although this also improves the eavesdropping rate. Fig. 3 evaluates the detection performance under different false alarm probabilities $P_{fa} = 0.01, 0.1$, and shows that a larger false alarm probability can lead to a higher detection probability. Fig. 3 also compares the detection performance of our SSM and the TWTD method for different cases. The SSM surpasses the TWTD method when $P_E$ is greater than -4 dB. This is reasonable, as the spatial peak value suppresses the interference noise by spectrum decomposition in the spatial domain and hence improves the SNR of the received signal. Moreover, the training length of each antenna for the TWTD method in the MIMO scenario is much smaller than that observed in [27] when the total training length is fixed.
Hence, the TWTD method may not be suitable for MIMO scenarios, which may require a large training length, which itself is unrealistic. Fig. 4 evaluates the detection performance of the proposed SSM method and the TWTD method for $P_E = -3.7$ dB under different training lengths $N_1$. It is easy to observe that the simulation results overlap with the theoretical results, which further validates the accuracy of our theoretical analysis. In Fig. 4, we can see that the detection performance of the SSM method and the TWTD method increases with increasing training length $N_1$ and that even with a limited $N_1$, the SSM can obtain perfect detection performance. Moreover, unlike the TWTD method, the SSM method does not require downlink training in the detection process, which reduces the training length. The downlink training length of the TWTD method is $N_2 = N_1$. Therefore, our method has great promise in practical applications because the training length is considerable in practical applications. Fig. 5 shows the ratio of correct recognition as the SNR changes from 0 dB to 10 dB. It shows that the ratio of correct recognition increases with increasing SNR and that the recognition performance can achieve a satisfying result even when SNR = 0 dB. We can also observe the accuracy of the theoretical analysis, as its results match the simulation results well. Fig. 6 evaluates the ratio of correct recognition $P_c$ as the power budget of Eve $P_E$ changes from 5 dB to 13 dB. The locations of Alice, Bob, and Eve are fixed and the distances Alice-Bob and Alice-Eve are $D_{ab} = D_{ae} = 10$ m. It can be observed that the ratio of correct recognition $P_c$ decreases when $P_E \approx 10$ dB. We can also observe that the ratio of correct recognition is below 0.5 when $P_E = P_B = 10$ dB. This means that we cannot recognize Bob from Eve.

FIGURE 6. Ratio of correct recognition $P_c$ versus $P_E$, under $N_1 = N_2 = 100$, $n_t = n_r = 32$ and $P_A = P_B = 10$ dB.

This is because Eve and Bob are located on the same circle centered on Alice, and so any recognition of Eve would be invalid. However, the ratio of correct recognition achieves satisfactory results when $P_E$ is not approximately equal to $P_B$. As Eve and Bob are randomly distributed ($D_{ab} \neq D_{ae}$ in most situations), we believe that our method would yield good performance even if $P_E = P_B$. Fig. 7 shows the mean square error (MSE) of the geographic distance estimation methods (the deduction method and the fingerprint-based method) for $\theta_b = \pi/3$, $\theta_b = \pi/6$. The figure shows that the fingerprint-based method would have better performance for low SNRs and the deduction method would have better performance in better environments. Fig. 7 also indicates that both methods can yield good performance in estimating geographic distances.

VI. CONCLUSION
In this paper, we studied the PSA problem in a MIMO system. Since this attack could cause considerable damage, we propose an SSM method to address the problem. First, the new method can effectively detect the eavesdropper by using the spatial spectrum peaks and improve the detection accuracy by effectively suppressing the interference noise. Second, this method utilizes the differences between the peaks attained in the uplink training phase and the downlink training phase to identify the eavesdropper. In addition, this method can obtain the relative geographic locations of Alice, Bob and Eve, making secure transmission possible. The most important contribution of our work is that it can not only detect if PSA occurs but also obtain the locations of Alice, Bob and Eve. Numerical results validate the effectiveness of the SSM and demonstrate that our method can dramatically improve the detection performance even with a limited sampling length over that of a TWTD method. The simulation results also demonstrate the accuracy of the estimated geographical distance. Hence, this method has great promise for realizing secure transmission with DOAs and geographical distances by using beamforming technology.