Opportunistic Wiretapping/Jamming: A New Attack Model in Millimeter-Wave Wireless Networks

While the millimeter-wave (mmWave) communication is robust against the conventional wiretapping attack due to its short transmission range and directivity, this paper proposes a new opportunistic wiretapping and jamming (OWJ) attack model in mmWave wireless networks. With OWJ, an eavesdropper can opportunistically conduct wiretapping or jamming to initiate a more hazardous attack based on the instantaneous costs of wiretapping and jamming. We also provide three realizations of the OWJ attack, which are mainly determined by the cost models relevant to distance, path loss and received power, respectively. To understand the impact of the new attack on mmWave network security, we first develop novel approximation techniques to characterize the irregular distributions of wiretappers, jammers and interferers under three OWJ realizations. With the help of the results of node distributions, we then derive analytical expressions for the secrecy transmission capacity to depict the network security performance under OWJ. Finally, we provide extensive numerical results to illustrate the effect of OWJ and to demonstrate that the new attack can more significantly degrade the network security performance than the pure wiretapping or jamming attack.


I. INTRODUCTION
T HE past decades have witnessed the explosive growth of wireless devices and the demand for high-speed data traffic, posing a significant challenge to the capacity of wireless communication systems.To address this challenge, both industry and academia have advocated communications over the millimeter-wave (mmWave) bands between 30 and 300 GHz, where the available bandwidths are orders of magnitude greater than conventional sub-6 bands [1].In addition, the small wavelength of mmWave signals enables large antenna arrays to be deployed in areas as small as a cellphone or even a chip, achieving significantly high antenna gain for both the transmitting and receiving ends [2].Thanks to the above benefits, mmWave communication has been regarded as one of the key enabling technologies in future wireless systems like 5G/6G cellular networks [3], unmanned aerial vehicle (UAV) communications [4] and satellite communications [5].
Despite the great potential of mmWave communication, its security issue still has been a critical concern due to the broadcast nature of the wireless medium.Physical layer security techniques have been considered as an important approach to ensuring secure mmWave communication [6]- [10], since they reveal the fundamental capability of achieving informationtheoretic and quantifiable security at the physical layer regardless of the computation capabilities of eavesdroppers.Current research on the physical layer security of mmWave communication mainly focuses on combating the conventional wiretapping attack in various mmWave systems, such as mmWave multiple-input and multiple-output (MIMO) systems [11]- [15], mmWave non-orthogonal multiple access (NOMA) systems [16]- [19], intelligent reflecting surface (IRS)-aided mmWave systems [20]- [22], hybrid mmWave-free space optical (FSO) systems [23]- [26] and mmWave ad hoc networks [27]- [29], etc (See Section II for related works).
The aforementioned works help us to understand the impacts of the conventional wiretapping attack on the security performance of mmWave wireless systems, while the recent real-world measurements on mmWave propagation characteristics indicate that mmWave signals are actually less susceptible to the conventional wiretapping attack [30]- [33].This is mainly due to the following two reasons.First, mmWave signals suffer from severe atmospheric absorption, rain attenuation and penetration loss, leading to a limited transmission range and also the intermittent connectivity of wiretapping links (especially when the links are blocked by obstacles like buildings and human bodies).Second, to combat the severe signal attenuation, transmitters are usually equipped with highly directional antennas with narrow beams, rendering wiretapping on mmWave links much more difficult.
To further identify the potential threats to mmWave communication security, this paper integrates the jamming technique with wiretapping and proposes a more hazardous opportunistic wiretapping and jamming (OWJ) attack model in a mmWave ad hoc network consisting of multiple transmitters, receivers and eavesdroppers distributed according to Poisson Point Processes (PPPs).With OWJ, an eavesdropper can opportunistically conduct wiretapping or jamming based on the instantaneous costs of conducting wiretapping and jamming, aiming at achieving a more significant attack effect.This paper extends its conference version in [34] by adding more OWJ attack realizations and secrecy performance analysis.The main contributions of this paper are summarized as follows.
• By combining the jamming technique with wiretapping, we propose a new and more hazardous OWJ attack model in mmWave wireless networks, which allows eavesdroppers to conduct wiretapping and jamming opportunistically.This model covers the conventional wiretapping attack and jamming attack as special cases.We also provide three realizations of the OWJ attack, namely distance-related OWJ (DOWJ), loss-related OWJ (LOWJ) and power-related OWJ (POWJ), where the cost of an eavesdropper in wiretapping/jamming is characterized by the distance, path losses and received power, respectively.• To understand the impact of the OWJ attack on mmWave network security, we first develop novel approximation techniques to characterize the irregular distributions of the wiretappers around a target transmitter, the jammers around a target legitimate receiver and the interferers around a target wiretapper under the three OWJ realizations.With the help of the results of these node distributions, we then derive analytical expressions for the secrecy transmission capacity (STC) to depict the network security performance under the OWJ attack model.• We finally provide numerical results to illustrate the network STC performance under the OWJ attack model.The results revealed that, in general, the OWJ can more significantly degrade the network security performance than the pure jamming or pure wiretapping attack.In particular, among the three realizations, the POWJ serves as the most hazardous attack, while the DOWJ and LOWJ lead to almost the same attack effect.The remainder of this paper is organized as follows.We present the related work regarding security performance analysis in mmWave systems under the conventional wiretapping attack in Section II.We introduce the system model in Section III and conduct theoretical performance analysis in Sections IV and V. Section VI presents the numerical results and discussions, and Section VII concludes this paper.

II. RELATED WORK
Existing works on combating the conventional wiretapping attack in mmWave systems mainly focus on the corresponding system security evaluation therein.We categorize these works according to the considered system models as follows.

A. MmWave MIMO Systems
MIMO has been regarded as an appealing technology to reap the benefits of mmWave communication, motivating a plethora of work investigating the security performance of mmWave MIMO systems [11]- [15].For instance, the joint design of the analog and digital precoders of the secondary transmitter (ST) was investigated to maximize the secrecy rates of the secondary users (SRs) in a mmWave cognitive network with one ST broadcasting information to multiple SRs in the presence of multiple primary users and eavesdroppers [11].A sparse mmWave massive MIMO network was considered in [12], where a security scheme was proposed to send information signals through dominant angles of the sparse channel and broadcast AN over the remaining non-dominant angles to interfere only with the eavesdropper.The optimal sparsity parameter was determined to maximize the network secrecy rate.In [13], the secrecy rate was analyzed for a mmWave lens antenna array transmission system and the optimal power allocation between signal and AN was explored to maximize the system secrecy.The optimal beamformer design was investigated for various scenarios, like the downlink communication of mmWave cloud radio access networks (C-RANs) [14] and the dual-polarized mmWave communication systems [15].

B. MmWave NOMA Systems
The combination of the NOMA technology and mmWave communication for enhanced security has recently been a hot research topic [16]- [19].The authors in [16] considered the downlink transmission in a mmWave NOMA network and proposed a minimal angle-difference user paring scheme and two maximum ratio transmission beamforming schemes to enhance the network security.In [17], a cognitive mmWave NOMA network was introduced, where each resource block is shared by a user pair consisting of a primary user and a secondary user.The security and reliability performances of the secondary users were investigated under a power allocation scheme that prioritizes the security and QoS requirements of the primary users.The authors in [18] focused on a UAV-toground communication scenario, where the UAV base station (BS) adopts the NOMA technology to serve multiple ground users via mmWave downlinks.They proposed a protected-zone approach to suppress the eavesdroppers outside the user region and analyzed the system security performance in terms of the secrecy rate.The NOMA-assisted mmWave UAV downlink scenario was also considered in [19], whereas, different from [18], part of the ground users are energy-constrained and thus use a portion of the power from the BS for energy harvesting and the remaining power for information processing.

C. MmWave IRS Systems
The IRS technology, also known as reconfigurable intelligent surface (RIS), has also been introduced to enhance the security of mmWave communication systems recently [20]- [22].The authors in [20] considered a mmWave network consisting of BSs, users and RISs, where the locations of BSs and RISs are modeled by homogeneous PPPs.They proposed a two-step association rule to link BSs, users and RISs, and analyzed the area spectrum efficiency and energy efficiency to show the performance gain achieved by the RISs.In [21], an IRS was introduced to assist the BS in securely broadcasting information to users while sending its own information to an IoT device.The precoder at the BS and the beamformer at the IRS were jointly designed to maximize the minimum secrecy rate of multiple users.In [22], the secrecy rate maximization problem was solved for a RIS-aided massive MIMO mmWave downlink scenario with constrained hardware cost and power budget at the transmitter.

D. Hybird mmWave-FSO Systems
As a promising candidate for backhaul solutions of 5G and beyond 5G networks, hybrid communication systems with mmWave links coexisting with FSO links have attracted considerable attention, and so does the security performance therein [23]- [26].The authors in [23] conducted security performance analysis in terms of average secrecy capacity, secrecy outage probability and strictly positive secrecy capacity in a parallel FSO-mmWave communication system, where the transmitter sends information to the receiver via an FSO link and a mmWave link concurrently.Three wiretapping scenarios were considered, where the FSO link, mmWave link or both links are wiretapped, respectively.A similar scenario was considered in [24] but with different channel fading randomness, i.e., exponential atmospheric turbulence and Weibull fading channels.The parallel FSO-mmWave system was also considered in [25], while, unlike [23], the authors focused on a wiretapping channel that is correlated to the main channel and hybrid eavesdroppers that can wiretap both the FSO and mmWave links.Apart from the parallel FSO-mmWave system, a serial two-hop FSO-mmWave system consisting of one FSO link and one mmWave link has been introduced in [26], where the average secrecy capacity and secrecy outage probability were analyzed for system security performance analysis.

E. mmWave Ad Hoc Networks
Research efforts have also been devoted to the security performance analysis of mmWave ad hoc networks.The authors in [27] considered a mmWave ad hoc network with transmitters, receivers, potential jammers and eavesdroppers distributed according to PPPs.They proposed a sight-based cooperative jamming scheme, where each potential jammer that has a non-Line-of-Sight (NLoS) link to its nearest receiver but may have LoS links to eavesdroppers is selected with a certain probability to radiate AN such that channel advantages at the receivers can be achieved.The network STC performance was analyzed to show the secrecy gain achieved by the proposed scheme.In [28], a similar scenario without potential jammers was considered and the average achievable secrecy rate was analyzed under a simple ANbased transmission scheme, where each transmitter allocates a fraction of its transmit power to radiate AN.A 3D ad hoc network was considered in [29], where UAVs transmit to ground receivers in the presence of ground eavesdroppers.The secrecy rate performance was investigated under a simple cooperative jamming scheme that allows part of the UAVs to radiate AN without taking their link conditions to the ground receivers into consideration.

III. SYSTEM MODEL
In this section, we introduce the network, antenna, blockage and propagation models, followed by the proposed OWJ attack model and the performance metrics.

A. Network Model
We consider a Poisson bipolar network comprising a set of mmWave transmitter-receiver pairs, where each receiver is

Parameters
Transmitter Receiver Wiretapper Jammer located at a fixed distance r 0 away from its transmitter but at random orientation.The locations of the transmitters and receivers are modeled by two dependent PPPs Φ T and Φ R of the same intensity [35], denoted by λ.To simplify the analysis, we neglect the dependence between Φ T and Φ R , which still achieves accurate approximations, as can be seen from [27] and the results in this paper.Also present in the network is a set of half-duplex eavesdroppers, whose locations are modeled by another independent and homogenous PPP Φ E of intensity λ E .Each eavesdropper independently selects to conduct the wiretapping attack or the jamming attack based on a certain OWJ strategy, as introduced in Section III-D.The resulting wiretappers and jammers form two independent PPPs, denoted by Φ W and Φ J , respectively.Using 1 z J to indicate whether an eavesdropper z is a jammer (i.e., 1 z J = 1) or not (i.e., 1 z J = 0), we have

B. Antenna Model
Each node is equipped with an antenna array to form a directional antenna.To approximate such antennas, we adopt the sectored antenna model [6]- [10], [27], where each antenna consists of a main lobe and a side lobe.The key antenna parameters of different node types are summarized in Table I.Due to the isotropic feature of the PPPs, the effective antenna gain between a transmitting node a of type t 1 ∈ {T, J} (T : transmitter, J: jammer) and a receiving node b of type t 2 ∈ {R, W } (R: receiver, W : wiretapper) can be represented by the following random variable where w.p. stands for with probability.Prior to transmissions, each pair of transmitter and receiver align their antennas to achieve the largest antenna gain G T M G R M .

C. Blockage and Propagation Model
Due to the existence of blockages, communication links can be LoS or NLoS.According to the blockage model in [36]

D. OWJ Attack Molde
In the OWJ attack, each eavesdropper measures the costs of wiretapping and jamming and conducts the wiretapping attack if cost of wiretapping < ρ • cost of jamming, and conducts the jamming attack otherwise.The bias factor ρ here represents the preference of the eavesdroppers for the wiretapping attack.The larger the ρ is, the more likely eavesdroppers will wiretap.Note that the OWJ attack covers the pure wiretapping (resp.jamming) attack, as ρ tends to ∞ (resp.0).In this paper, we consider the following three representations of the costs of a typical eavesdropper z ∈ Φ E , giving rise to three different realizations of the OWJ attack, i.e., DOWJ, LOWJ, POWJ, respectively.This is motivated by the fact that eavesdroppers manage to improve their attack effect with all the available network knowledge.
• Smallest distances: We use the smallest distances from z to the transmitters and receivers to represent the costs of wiretapping and jamming, which are denoted by D z T = min x∈ΦT d x,z (wiretapping) and D z R = min y∈ΦR d y,z (jamming), respectively.This applies to the case where only the location information of the transmission pairs is known to the eavesdroppers.
• Smallest path losses: We use the smallest path losses from z to the transmitters and receivers as the costs.Formally, the costs are given by L z T = min x∈ΦT d α x,z (wiretapping) and L z R = min y∈ΦR d α y,z (jamming), respectively.This applies to the case where both the locations of the transmission pairs and the link status to the transmission pairs are known to the eavesdroppers.
• Smallest reciprocals of power: We use the smallest reciprocal of the power received by z (resp.receivers) from the transmitters (resp.z) as the cost of wiretapping (resp.jamming).The costs are formally given by P z T = min x∈ΦT d α x,z /(P T G x,z T,W ) (wiretapping) and P z R = min y∈ΦR d α y,z /(P J G z,y J,R ) (jamming), where P T and P J denote the transmit power and jamming power of the transmitters and jammers, respectively.This applies to the case where the information of instantaneous antenna gains to the transmitters and receivers is also available.The three OWJ attack realizations cover scenarios with different network knowledge available to the eavesdroppers.By analyzing the security performance under the attacks, we can identify the knowledge that has a significant impact on the attack effect.

E. Performance Metrics
Transmitters adopt the Wyner encoding scheme [27] for transmissions, where each confidential message is encoded into a codeword that is randomly selected from multiple candidates.Such randomness is used to confuse eavesdroppers.Two code rates are defined in this scheme, i.e., the code rate for the codeword R t and that for the confidential message R s .The difference R e = R t − R s reflects the code rate sacrificed for generating the randomness.We assume that R t , R s and R e are fixed throughout this paper.
We adopt the STC metric to model the security performance, which defines the average sum rate of transmissions in perfect secrecy per unit area.Formally, the STC is given by where p c denotes the connection probability of transmissions (i.e., the probability that receivers can successfully recover the confidential messages), p s denotes the secrecy probability of transmissions (i.e., the probability that the eavesdroppers fail to decode the confidential messages).We can see from (3) that p c and p s are the key parameters for determining the STC.Thus, we focus on the analyses of these two probabilities in the subsequent sections.

IV. CONNECTION PROBABILITY ANALYSIS
In this section, we first derive a unified expression for the connection probability of a typical transmission pair x 0 → y 0 , which involves a key term, i.e., the Laplace transform of the interference at y 0 from the jammers.We then derive this Laplace transform under the DOWJ, LOWJ and POWJ attacks in Sections IV-B, IV-C and IV-D, respectively.

A. Connection Probability
According to the definition, the connection probability is where SINR x0,y0 is the signal-to-interference-plus-noise ratio (SINR) of y 0 and given by Here, σ 2 is the noise power at y 0 and I T y0 (resp.I J y0 ) denotes the interference at y 0 caused by the transmitters in Φ T (resp.jammers in Φ J ).Based on (4) and ( 5), p c can be derived as follows.
Theorem 1.The unified connection probability of the typical transmission pair x 0 → y 0 under the DOWJ, LOWJ and POWJ attacks can be approximated by where Proof: Conditioned on the event that the link x 0 → y 0 is in status k (i.e., S x0,y0 = k, k ∈ {L, N }), p c is given by according to Theorem 1 in [27].Applying the law of total probability in terms of the link status completes the proof.We can see from ( 6) that the key terms to determine p c is the Laplace transforms L t1 y0 (•).Note that L T y0 (•) is independent of the OWJ attack model, while L J y0 (•) is not.Prior to deriving L T y0 (•), we present the following functions for any k ∈ {L, N }, i ∈ {M, S}, j ∈ {M, S}, t 1 ∈ {T, J} and t 2 ∈ {R, W }, which will be used extensively in this paper.
Now, we are ready to derive L T y0 (•) in the following lemma.Lemma 1.The Laplace transform of I T y0 under the DOWJ, LOWJ and POWJ attacks is Proof: According to the definition, we have where (a) follows after applying the probability generating functional of PPP [35].
Next, we derive L J y0 (•) under the three OWJ attacks in the following subsections, respectively.
B. Derivation of L J y0 (s) under DOWJ Attack Before deriving L J y0 (s), we first establish the following lemma for the probability that an eavesdropper z with distance v to y 0 is a jammer (i.e., 1 z J = 1) under the DOWJ attack.
Lemma 2. The probability that an eavesdropper z with distance v to the typical receiver y 0 is a jammer under the DOWJ attack is where is the complementary cumulative distribution function (CCDF) of d x0,z and is the corresponding probability density function (PDF).
Proof: See Appendix A. Based on Lemma 2, we derive L J y0 (s) under the DOWJ attack in the following lemma.Lemma 3. The Laplace transform of I J y0 under the DOWJ attack can be lower bounded by Proof: First, we have Hence, Applying the Jensen's inequality yields C. Derivation of L J y0 (s) under LOWJ Attack Similar to the analysis in Section IV-B, we first establish the following lemma.
Lemma 4. The probability that an eavesdropper z with distance v and link status τ ∈ {L, N } to y 0 is a jammer under the LOWJ attack is for u ακ < ρv ατ and is for u ακ ≥ ρv ατ , where and Λ ′ (λ, w) is the derivative of Λ(λ, w).
Proof: See Appendix B. With the help of Lemma 4, we derive the Laplace transform of I J y0 under the LOWJ attack in the following lemma.Lemma 5.The Laplace transform of I J y0 under the LOWJ attack can be lower bounded by where Ω τ J,R (s, v) can be obtained from (9).Proof: We divide Φ E into independent sub-PPPs Φ τ E of eavesdroppers with link status τ ∈ {L, N } to y 0 , i.e., Φ E = ∪ τ Φ τ E .Formally, Φ τ E is given by Φ τ E = {z ∈ Φ E : S z,y0 = τ }.Hence, we have I J y0 = τ I J,τ y0 , where , and thus where L J,τ y0 (s) is the Laplace transform of I J,τ y0 .It follows from Lemma 3 that Substituting ( 26) into ( 25) completes the proof.

D. Derivation of L J y0 (s) under POWJ Attack
The probability of being a jammer also depends on the effective antenna gain to the receiver y 0 under the POWJ attack and is given by the following lemma.Lemma 6.The probability that an eavesdropper z with distance v, link status τ ∈ {L, N } and effective antenna gain ) to y 0 is a jammer under the POWJ attack can be approximated by where κ ∈ {L, N }, l ∈ {M, S}, m ∈ {M, S}, ζ τ,n,o κ,l,m (u, v) is η 1 ρ 0 e −( Λ1(λ,ρw)+ Λ2(λ,w)) Λ′ 2 (λ, w)dw (28) , and is for η 1 ≥ ρη 2 , where Λ′ 1 (λ, w) and Λ′ 2 (λ, w) are the derivatives of Λ1 (λ, w) and Λ2 (λ, w), respectively.Proof: See Appendix C. Note that the approximation in ( 27) is due to the fact that we neglect the dependence between G x0,z T,W and G z,y0 J,R .Given the probability ζ τ,n,o (v), we derive the Laplace transform of I J y0 under the POWJ attack as follows.Lemma 7. The Laplace transform of I J y0 under the POWJ attack can be approximated by where Ω τ,n,o J,R (s, v) can be obtained from (8).Proof: Similar to the proof of Lemma 5, L J y0 (s) can be rewritten as where L J,τ,n,o y0 (s) is the the Laplace transform of the interference caused by the eavesdroppers with link status τ and effective antenna gain G J n G R o to y 0 .Based on Lemma 3, L J,τ,n,o y0 (s) can be given by Substituting ( 34) into (33) completes the proof.

V. SECRECY PROBABILITY ANALYSIS
In this section, we focus on the typical link x 0 → y 0 again and derive a unified expression of the secrecy probability.We then analyze the key term involved in the unified expression, i.e., the Laplace transforms of the interference from the concurrent transmitters to any eavesdropper under the DOWJ, LOWJ and POWJ attacks in Sections V-B, V-C and V-D, respectively.

A. Secrecy Probability
The secrecy probability is formulated as where SINR x0,z denotes the SINR of a wiretapper z ∈ Φ W .
We consider an equivalent formulation of p s by assuming that all eavesdroppers wiretap on the typical link.Since jammers actually do not wiretap, we remove their impact by setting their interferences to infinity.We divide the PPP Φ E into sub-PPPs Φ κ,l,m E of eavesdroppers with link status κ ∈ {L, N } and antenna gain G T l G W m (l, m ∈ {M, S}) to x 0 .Hence, p s can be rewritten as We assume that eavesdroppers can eliminate the interference from the jammers.Thus, for any eavesdropper z ∈ Φ κ,l,m E , we have where denotes the interference from concurrent transmitters.Here, x,z .We now derive the secrecy probability based on the above formulations.
Theorem 2. The secrecy probability of the typical transmission pair x 0 → y 0 under the DOWJ, LOWJ and POWJ attacks can be approximated by Proof: According to (36), we first derive p κ,l,m s , which is given by following from Theorem 2 in [27].Substituting (40) into ( 36) completes the proof.From (39), we know that the key term involved in p s is the Laplace transform L T z,κ,l,m (s, u).In what follows, we will derive the expressions of L T z,κ,l,m (s, u) under the DOWJ, LOWJ and POWJ attacks, respectively.Prior to the derivation, we first give the following functions for any k ∈ {L, N }, i ∈ {M, S}, j ∈ {M, S}, t 1 ∈ {T, J} and t 2 ∈ {R, W }.

B. Derivation of L T
z,κ,l,m (s, u) under DOWJ attack We can see from Section III-D that the DOWJ attack is dependent solely on the distances from z to the transmitters and receivers, which means that the Laplace transform L T z,κ,l,m (s, u) varies with only d x0,z = u.Thus, we rewrite L T z,κ,l,m (s, u) as L T z (s, u) under the DOWJ attack, whose expression can be given in the following lemma.
Lemma 8.The Laplace transform of the interference caused by the concurrent transmitters at any eavesdropper z ∈ Φ κ,l,m E with distance u to the typical transmitter x 0 under the DOWJ attack is given by where is the CCDF of d y0,z and is the corresponding PDF.
Proof: See Appendix D.
C. Derivation of L T z,κ,l,m (s, u) under LOWJ attack The LOWJ attack depends on both the distances and link status from z to the transmitters and receivers.Thus, the Laplace transform L T z,κ,l,m (s, u) under the LOWJ attack varies with both d x0,z = u and S x0,z = κ.Rewriting L T z,κ,l,m (s, u) as L T z,κ (s, u), we give the Laplace transform L T z,κ (s, u) in the following lemma.Lemma 9.The Laplace transform of the interference caused by the concurrent transmitters at any eavesdropper z ∈ Φ κ,l,m E with distance u and link status κ to the typical transmitter x 0 under the LOWJ attack is where L T,τ z,κ (s, u, v) is given by (47).Proof: See Appendix E. the typical transmitter x 0 under the POWJ attack can be approximated by where L T,τ,n,o z,κ,l,m (s, u, v) is given by (48).Proof: See Appendix F.

VI. NUMERICAL RESULTS
In this section, we provide simulation results to validate the derived secrecy and connection probabilities, followed by discussions on the impacts of system parameters on the STC performance.We also compare the attack effect of the three OWJ attacks in terms of the STC performance.

A. Simulation and Validation
A dedicated simulator was developed to simulate the transmission process in a Poisson mmWave bipolar network.Using this simulator, we conducted simulations for the secrecy probability and connection probability of the network under the DOWJ, LOWJ and POWJ attacks for the settings of λ = 0.0001 m −2 , λ E = 0.0001 m −2 , P J = 10 W, R t = 4 bps/Hz and R e = 2 bps/Hz.The other parameters are summarized in Table II.
We summarize the simulation results and also the theoretical ones in Figs. 1 and 2. We can see from the figures that the theoretical results provide good approximations or tight bounds for the secrecy probability and connection probability under all three OWJ attacks, implying the effectiveness of the derived analytical expressions.We can also see from the figures that, as the bias factor ρ (i.e., the preference for the wiretapping attack) increases, the secrecy probability decreases while the connection probability increases under all three attacks.This is intuitive since a larger ρ leads to more wiretappers and thus fewer jammers in the network.

B. STC Performance Evaluation
1) STC vs. λ E : We first explore the impact of the eavesdropper density λ E on the network STC performance, for which we show in Fig. 3 STC vs. λ E under all the three OWJ attacks for the settings of λ = 0.0001, ρ = 0.5, P J = 10 W, R t = 4 bps/Hz and R e = 2 bps/Hz.The results show that the STC decreases as λ E increases for a given ρ under all the three OWJ attacks, which is due to the more wiretappers and jammers resulting from the increased λ E .
2) STC vs. λ: Next, we investigate how the density of transmission pairs (i.e., λ) affects the network STC performance.Fig. 4 plots the STC vs. λ under all the three OWJ attacks for the settings of λ E = 0.0001, ρ = 0.5, P J = 10 W, R t = 4 bps/Hz and R e = 2 bps/Hz.We can see from Fig. 4 that, as λ increases, the STC first increases and then decreases under all three OWJ attacks.The reason is that the increase of λ dominates the trend of the STC for small λ's, while as λ continues to increase, the secrecy probability remains almost unchanged and the decrease of the connection probability becomes the dominant factor, leading to the decrease of the STC.The results in Fig. 4 reveal the existence of the optimal density of transmission pairs given a network and its key parameters, which should be taken into consideration during the network design.
3) STC vs. P J : We then investigate the impact of the jamming power P J on the network STC performance in Fig. 5, which plots STC vs. P J under all the three OWJ attacks for the settings of λ = 0.0001, λ E = 0.0001, ρ = 0.5, R t = 4 bps/Hz and R e = 2 bps/Hz.We can observe from Fig. 5 that, as P J increases, the STC under the DOWJ and LOWJ attacks decreases while that under the POWJ attack first increases and then decreases.This is because the selections of attack patterns in the DOWJ and LOWJ attacks are independent of P J and thus the increase of P J leads to only the increase of the interference level to the receivers, decreasing the connection probabilities.For the POWJ attack, as P J increases, the probability of wiretapping decreases while that of jamming increases, leading to increased secrecy probability and decreased connection probability.The STC is dominated by the secrecy probability for small ρ's and dominated by the connection probability for large ρ's.4) STC vs. ρ: We finally explore the impact of the bias factor ρ on the network STC performance under the three OWJ attacks.Fig. 6 shows the results of STC vs. ρ under the settings of R t = 4 bps/Hz, R e = 2 bps/Hz, λ = 0.0001 and P J = 15 W. In addition, we consider two different settings of λ E (i.e., λ E = 0.0001 and λ E = 0.0002).We can see from Fig. 6 that, as ρ increases, the STC first decreases and then increases under all the three OWJ attacks, implying the existence of the optimal ρ for eavesdroppers to minimize the network STC performance, i.e., maximizing the attack effect.This shows that neither pure jamming (i.e., ρ → 0) nor pure wiretapping (i.e., ρ → ∞) is the optimal strategy and the OWJ attacks are more favorable for eavesdroppers.
Careful observation shows that the optimal ρ decreases as λ E increases, indicating that eavesdroppers prefer the jamming attack more as their density increases.To compare the attack effect of the three OWJ attacks, we focus on the worst STC performance they can achieve.Fig. 6 shows that the worst STC achieved by the POWJ attack is the smallest among the three OWJ attacks, which implies that the POWJ attack represents the most hazardous attack and the information of effective antenna gain plays a significant role in improving the attack effect.We can also see that the worst STC achieved by the LOWJ attack is almost the same as that achieved by the DOWJ attack, which indicates that the information of link status has little impact on improving the attack effect.
To show the generality of our findings, we also plot STC vs. ρ in Fig. 7 under the settings of λ = 0.0001, λ E = 0.0001, R t = 4 bps/Hz, R e = 2 bps/Hz and two different jamming powers, i.e., P J = 10 W and P J = 20 W, and in Fig. 8 under the settings of λ E = 0.0001, R t = 4 bps/Hz, R e = 2 bps/Hz, P J = 10 W and two different densities of transmission pairs, i.e., λ = 0.0001 and λ = 0.00012.Findings similar to those in Fig. 6 can be observed from both figures.We can also see from Fig. 7 and Fig. 8 that the optimal ρ decreases as the jamming power P J and the transmission density λ increase, respectively, suggesting that eavesdroppers prefer the jamming attack more if they can choose a larger jamming power, or when more transmissions exist in the network.

VII. CONCLUSIONS
This paper proposed a new opportunistic wiretapping and jamming (OWJ) attack model for millimeter-wave (mmWave) wireless networks and provided three realizations, namely DOWJ, LOWJ and POWJ, each with a different cost model.Analytical expressions of secrecy transmission capacity (STC) were also derived to depict the network security performance under the OWJ attack.The results showed that the OWJ attack model causes more significant network security performance degradation than the pure wiretapping or jamming attack.In addition, POWJ is the most hazardous, while DOWJ and LOWJ achieve almost the same attack effect.This reveals that the effective antenna gain can be exploited to significantly improve the attack effect, whereas the link status has little impact on the improvement.APPENDIX A PROOF OF LEMMA 2 Suppose d x0,z = u.We define Dz W = min x∈ΦT \{x0} d x,z and Dz J = min y∈ΦR\{y0} d y,z .The event 1 z J = 1 occurs in the following cases: • x 0 is the nearest transmitter to z (i.e., Dz W ≥ u), y 0 is the nearest receiver to z (i.e., Dz J ≥ v) and u ≥ ρv; • x 0 is the nearest transmitter to z (i.e., Dz W ≥ u), y 0 is not the nearest receiver to z (i.e., Dz J < v) and u ≥ ρ Dz J ; • x 0 is not the nearest transmitter to z (i.e., Dz W < u), y 0 is the nearest receiver to z (i.e., Dz J ≥ v) and Dz W ≥ ρv; • x 0 is not the nearest transmitter to z (i.e., Dz W < u), y 0 is not the nearest receiver to z (i.e., Dz J < v) and Dz W ≥ ρ Dz J .Combining the four cases, we have Note that Dz W (resp. Dz J ) has the same PDF and CDF as those of D z W (resp. D z J ).With the help of the PDFs and CCDFs of Dz W and Dz J , we obtain the probability of 1 z J = 1 conditioned on d x0,z = u as follows: From [27], we know that the CCDF and PDF of d x0,z can be given by ( 14) and (15), respectively.Calculating the expectation of (52) in terms of d x0,z yields ζ(v) in (13).

APPENDIX B PROOF OF LEMMA 4
Similar to the proof of Lemma 2 in Appendix A, we first derive the probability of 1 where Lz For u ακ ≥ ρv ατ , the probability is T,W = G T l G W m of the link x 0 → z.From Appendix A, we can see that where Pz T = min x∈ΦT \{x0} d α x,z /(P T G T,W ) and Lz R = min x∈ΦR\{y0} d α y,z /(P J G J,R ).Letting Lz,i,j T = min x∈Φ i,j T \{x0} d α x,z , where Φ i,j T is the PPP of transmitters with antenna gain G T i G W j to z, we have , a link of length r is LoS with probability p L (r) = e −βr and NLoS with probability p N (r) = 1 − p L (r), where β denotes the blockage density.We use S a,b to represent the status of the link a → b between nodes a and b. S a,b = L (resp.S a,b = N ) means that the link is LoS (resp.NLoS).Links suffer from both large-scale path loss and small-scale fading characterized by the Nakagami fading model.The path loss of the link a → b is d α a,b , where d a,b denotes the distance between nodes a and b, and α is the random path-loss exponent, which equals α L (resp.α N ) if S a,b = L (resp.S i,j = N ) .The corresponding channel gain h a,b follows the gamma distribution with shape N and rate N .Here, N = N L (resp.N = N N ) if S a,b = L (resp.S a,b = N ).Throughout this paper, we assume α L < α N and N L > N N .

D
. Derivation of L T z,κ,l,m (s, u) under POWJ attack Note that the Laplace transform L T z,κ,l,m (s, u) under the POWJ attack varies with d x0,z = u, S x0,z = κ and G x0,z T,W = G T l G W m .The following lemma summarizes the Laplace transform L T z,κ,l,m (s, u) under the POWJ attack.Lemma 10.The Laplace transform of the interference caused by the concurrent transmitters at any eavesdropper z ∈ Φ κ,l,m E with distance u, link status κ and antenna gain G T l G W m to

z J = 1 (
denoted by ζ τ κ (u, v)) given the distance d x0,z and status S x0,z of the link x 0 → z.Suppose d x0,z = u and S x0,z = κ ∈ {L, N }.It follows from Appendix A that 1

TABLE II PARAMETERS
USED IN SIMULATIONS.