Filetype PDF | Posted on 17 Sep 2022 | 3 years ago
Authentication
digital resources
171x Filetype PDF File size 0.43 MB Source: zenodo.org
International Conference on Computing, Networking and Communications, Communications and Information Security Symposium
Gabor-Based RF-DNA Fingerprinting for
Classifying 802.16e WiMAX Mobile Subscribers
Donald R. Reising, Michael A. Temple and Mark E. Oxley
US Air Force Institute of Technology
Wright-Patterson AFB, OH 45433 USA
Email: michael.temple@afit.edu
Abstract—Previous work has demonstrated the viability of The motivation for considering Worldwide Interoperability
using RF-DNA fingerprinting to provide serial number discrim- for Microwave Access (WiMAX) signals is provided by 1) the
ination of IEEE 802.11a WiFi devices as a means to augment continued proliferation of IEEE 802.16e last mile communica-
conventional bit-level security. This was done using RF-DNA tions, to include Long Term Evolution (LTE), and 2) potential
extracted from signal regions containing standard pre-defined adoption of an IEEE 802.16e compliant solution for next
responses (preamble, midamble, etc.). Using these responses,
proof-of-concept demonstrations with RF-DNA fingerprinting generation airport communication services as being pursued
have shown some effectiveness for providing serial number dis- by the FAA, Eurocontrol and International Civilian Aviation
crimination. The discrimination challenge increases considerably Organization (ICAO) [8], [9]. WiMAX architectures are based
whenpre-defined signal responses are not present. This challenge on Wireless Access Points (WAP) that are among the top
is addressed here using experimentally collected IEEE 802.16e 10 IT threats [10] and unauthorized access to public safety
WiMAX signals from Alvarion BreezeMAX Mobile Subscriber
(MS) devices. Relative to previous Time Domain (TD) and services is a major concern [9]. The goal here is to develop
Spectral Domain (SD) fingerprint features, joint time-frequency RF-DNAtechniquesthataregenerally adaptable to the class of
Gabor (GT) and Gabor-Wigner (GWT) Transform features are Orthogonal Frequency Division Multiplexed (OFDM) signals
considered here as a means to extract greater device discriminat- versus being limited to a given system implementation.
ing information. For comparison, RF-DNA is extracted from TD, The methodology here is consistent with [4]–[7], [11]
SD, GT, and GWT responses and MDA/ML feature extraction
and classification performed. Preliminary assessment shows that which extracted RF-DNA from near-transient (e.g., 802.11a
Gabor-based RF-DNA fingerprinting is much more effective than preamble) and non-transient (e.g., GSM midamble) signal
either TD or SD methods. GT RF-DNA fingerprinting achieves regions for RF-DNA fingerprinting. These regions contain
individual WiMAX MS device classification of 98.5% or better “pre-defined” standard responses that are commonly used for
for SNR ≥3 dB. device synchronization, channel estimation, network timing,
I. INTRODUCTION etc. Ideally, these standard responses would be identical for
Work continues on exploiting Physical (PHY) layer at- all devices and would not include the unintentional coloration
tributes of the Open System Interconnection (OSI) model to that produces RF-DNA uniqueness. The work reported here
augment bit-level security. The goal is to reduce or eliminate progresses toward signal regions that do not contain pre-
unauthorized network access while assuring access for autho- defined responses.
rized users [1]–[7]. The authors here are pursuing a better Theneedtoconsidersignal regions void of pre-defined stan-
understanding of inherent PHY layer benefits provided through dard responses was driven by empirical assessment using an
Radio Frequency “Distinct Native Attribute” (RF-DNA) Fin- Alvarion BreezeMAX Extreme 5000 system. As implemented,
gerprinting. Specifically, work in [4]–[7] has successfully used the Downlink (DL) Base Transceiver Station (BTS) signal
RF-DNAfromselectedportions of modulated signal responses includes a distinct preamble response while the Uplink (UL)
to achieve serial number discrimination. Mobile Subscriber (MS) signals do not. Thus, the challenge
Exploitable RF-DNA attributes are 1) “native” from the with classifying BreezeMAX BTS devices is consistent with
time of manufacture and vary according to hardware im- results reported in [12]. However, the challenge is greatly
plementation, component type, manufacturing processes, etc., increased when considering the MS signals which do not
and 2) sufficiently “distinct” to enable reliable cross-device contain a preamble or midamble response (consistent with the
discrimination. Ideally, RF-DNA is only a function of unin- 802.16e standard [13], [14]). Common options for increasing
tended “coloration” in modulated signal responses and when classification performance include 1) finding a feature space
extracted, it can be processed to provide reliable device that provides greater discrimination using a given classifier,
discrimination. Such processing generally involves feature se- 2) finding a more powerful classification engine for a given
lection, model generation, and device classification. To enable feature space, or 3) some combination thereof. As a first step,
qualitative comparative assessment of improvements gained by the authors here are considering an alternate feature space
introducing Gabor RF-DNA features, work here is based on involving joint Time-Frequency (T-F) signal responses.
Multiple Discriminant Analysis (MDA) feature selection with Benefits for using joint T-F features with RF-DNA finger-
Maximum Likelihood (ML) classification [4]–[7]. printing were demonstrated in [4], [5] using a Dual-Tree Com-
U.S. Government work not protected by U.S. copyright 7
plex Wavelet Transform (DT-CWT). In these works, statistical 10
RF-DNA was extracted from complex DT-CWT responses of ) 8
OFDM-based 802.11a preambles. The T-F resolution trade- V
m
( 6
off of the DT-CWT (increasing time resolution decreases e
d
u
frequency resolution and visa-versa) is potentially limiting. it 4
Given this T-F trade-off is not present with the Gabor (GT) agn
and Gabor-Wigner (GWT) Transforms, this work investigates M 2
their use as an alternate feature space for RF-DNA fingerprint 00 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6
generation. While both the GT and GWT transforms provide Time (ms)
T-F localization, the GWT combines the advantages of the GT (a) MS Data Only Sub-Frame Response.
(lack of cross-terms) with that of the Wigner-Ville Distribution
(higher clarity/resolution) [15].
The remainder of this paper is arranged as follows: Sect. II ) 8
provides an overview of the Alvarion BreezeMAX system V
m
( 6
used for demonstration; Sect. III provides the Demonstration e
d
u
Methodology, to include a description of Signal Collection and it4
Detection, RF-DNA Fingerprinting, and MDA/ML Process- agn
ing. Device Classification Results are presented in Sect. IV M 2
followed by a Conclusion in Sect.V. 00 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8
IMAXDEMONSTRATIONSYSTEM Time (ms)
II. W
Alvarion BreezeMax Extreme 5000 equipment was used (b) MS Range-Plus-Data Sub-Frame Response.
for demonstration [16]. The system uses 60/40 Time Division 10
Duplexing (TDD) with the first 60% of each TF =5mSec ) 8
TDDframe allotted for BTS DL transmission and the remain- V
m
(
ing 40% allotted for MS UL transmission. An RF channel e 6
d
u
bandwidth of W =5MHz centered at f = 5475 MHz it
ch c 4
was used for demonstration. Figure 1 shows experimentally agn
observed UL sub-frame responses (preceding DL sub-frame M 2
responses not shown), designated herein as Data Only, Range- 00 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8
Plus-Data,andRange Only responses–designations that were Time (ms)
neither confirmed with Alvarion nor readily apparent in doc- (c) MS Range Only Sub-Frame Response.
umentation. All subsequent discussion and results in Sect. IV
are based on MS Ranging Only operation. Fig. 1. Magnitude plots for three distinct UL sub-frame responses observed
Unlike previous GSM and 802.11 signals that have been during experimental collection of BreezeMAX 802.16e WiMAX Mobile
considered [4]–[7], [11], the BreezeMAX Extreme MS signals Subscriber (MS) signals–designated herein as “modes” to facilitate discussion.
lack a distinct region where identical modulation occurs across
all devices. However, as most observable in Fig. 1(c) and
expanded upon in Fig. 2, all responses contain a constant bias 12 bit analog-to-digital converter operating at fs =95mega-
that spans the UL sub-frame. This was observed for all devices samples-per-second (Msps). The IF signal is down-converted,
tested and believed to be incorporated by design to stabilize digitally filtered using a WBB =9.28 MHz filter, sub-
electronic component response and mitigate adverse peak-to- sampled (Nyquist satisfied), and stored as complex In-phase
average power ratio effects that commonly occur with OFDM. (I) and Quadrature (Q) data. The WiMAX MS devices and
The “near-transient” MS response in Fig. 2 ( ≈ 2.0 to 16.0
µSec) has thus far yielded the most useful RF-DNA and is
used exclusively for all results presented in this paper.
7
EMONSTRATIONMETHODOLOGY )
III. D V 6
m 5
A. Signal Collection & Detection (
e
d 4
The signal collection and post-collection process in [6] u
it3
was adopted for this work. All signal collections were made agn2
using the Agilent E3238S-based RF Signal Intercept and M
Collection System (RFSICS) that is tunable across f ∈ 1
RF 0
[0.02, 6.0] GHz with a WRF =36.0 MHz RF filter [17]. 0 0.002 0.004 0.006 0.008 0.01 0.012 0.014 0.016 0.018
The selected frequency band is down-converted to a f = Time (ms)
IF
70 MHz intermediate frequency (IF) and digitized by a b = Fig. 2. “Near-transient” region of Range Only magnitude response in Fig. 1(c)
showing pre-OFDM bias.
8
RFSICSwereco-locatedinatypical office environment during Φ(N 2π
s,n,k)= N (n1)(k1). (5)
collection. Collections were made using NMS =6MS s
devices operating in Ranging Only mode with subsequent burst The desired PSD sequence {p¯(k)} is obtained by dividing (4)
detection performed using the process in [4], i.e., the start by the signals average power,
of near-transient responses was located using amplitude-based 1
variance trajectory (VT) at the collected SNR. p¯(k)= |S(k)|2, (6)
Ps
B. Time Domain (TD) RF-DNA Fingerprinting where Ps is given by,
For Time Domain (TD) fingerprinting, RF-DNA is gener- Ns
ated from sequences representing the signals instantaneous Ps = 1 s(n)s(n)∗, (7)
N
amplitude, phase, and frequency responses. Results in Sect. IV s n=1
are based on TD fingerprints (F ) generated from N = 150
TD s and ∗ denotes complex conjugate. The PSD is normalized to
near-transient samples of signal s(n)=I(n)+jQ(n).For reduce potential biasing affects due to the collection process.
consistency with [6], [7], FTD is generated from the centered For consistency with [3], [12], the DC term (k=0)and
(subscript c) and normalized (over bar) amplitude {a¯c(n)}, redundant (N /2+1,N/2+2,...,N) terms are removed
¯ ¯ s s s
phase {φc(n)} and frequency {fc(n)} sequences. Each TD prior to SD RF-DNA fingerprint generation. Consistent with
sequence is centered and normalized through subtraction of the TD process in Sect. III-B, statistics are calculated over dis-
the mean, calculated across Ns samples, and then divided by tinct PSD regions, i.e., over contiguous sub-sequences within
the maximum value of the centered sequence. {p¯(k)}. Elements of the final F fingerprint are formed
The F fingerprint is generated by dividing each of the SD
TD according to (1). For SD classification results in Sect. IV,
TDsequencesintoN =5equallength,sequentialsubregions
R NR=5SDsubregionsareusedandtheresultant FSD contains
using the process in [12]. Features are generated by calculating a total of 24 elements (4 Statistics×6 Subregions).
statistics, standard deviation (σ), variance (σ2), skewness (γ)
and kurtosis (κ), over each of the N subregions as well as D. Gabor-Based RF-DNA Fingerprinting
R
the N +1subregion. Where the N +1subregion consists
R R Previous work in [4]–[7], [12] used RF-DNA extracted in-
of the full length of a TD sequence. The calculated statistics, dependently from either time or frequency domain responses.
for each of the selected subregions, are arranged as follows: In related applications improvement has been realized by
2 exploiting momentary and/or time localized signal energy
F =[σ ,σ ,γ ,k ] , (1)
Ri Ri Ri Ri Ri 1×4 as a function of frequency [19]. This can be done using
where i =1,2,...,N +1. The composite fingerprint for a Time-Frequency (T-F) localization whereby signal behavior
R
given TD sequence is formed by concatenating FRi from (1) is captured and can be displayed across a T-F plane. The
for all regions and is given by [12], Discrete Gabor Transform (DGT) provides one method for
δ . . T-F localization and is given by [19],
F = . . , (2)
FR1 . FR2 . FR3 ··· FRN +1 MN
R 1×4(NR+1) Δ
∗ j2πkn/K
where the superscript δ denotes a specific TD sequence, i.e., Gmk = s(n)W (nmNΔ)exp G, (8)
¯ ¯ n=1
{a¯c(n)}, {φc(n)} and {fc(n)}. When multiple TD sequences
δ where G are the Gabor coefficients, s(n)=s(n+lMN )
are used for RF-DNA fingerprinting (typical case), the F from mk Δ
is the periodic input signal, W(n)=W(n + lMN ) is
(2) are concatenated to form the final TD fingerprint: Δ
. . the periodic analysis window, NΔ is the number of samples
FTD= a . φ . f . (3) shifted, m =1,2,...,M for M total shifts, and k =
F . F . F 1×4(N +1)×3
R 0,1,...,K 1 for K ≥ N and mod(MN ,K )=0
For TD classification results in Sect. IV, N =5TD G G Δ Δ G
R satisfied. Transformation with K = N represents critical
subregions are used and the resultant F contains a total G Δ
TD sampling and K >N represents oversampling [19], [20],
of 72 elements (3 Features×4 Statistics×6 Subregions). G Δ
with some amount of oversampling desirable when processing
C. Spectral Domain (SD) RF-DNA Fingerprinting noisy data [21], [22]. For convenience, the oversampling factor
is defined here as N ≡ K /N . Given that the near-
For Spectral Domain (SD) fingerprinting, RF-DNA is gen- OS G Δ
erated per the process introduced in [12] to create SD RF- transient responses of Range Only bursts being considered
DNA Fingerprints (F ). The SD fingerprints are generated here are noisy, oversampled GT processing is appropriate and
SD enables reliable analysis with varying SNR.
from the power-normalized, Power Spectral Density (PSD) of In [15], the GT is combined with the Wigner-Ville Distri-
the near-transient sample sequence {s(n)}.GivenN near-
s bution (WVD) to form the Gabor-Wigner Transform (GWT).
transient samples, the desired PSD sequence {p¯(k)} is calcu- The GWTtakes advantage of the GTs lack of cross-terms and
lated via a Discrete Fourier Transform (DFT) as follows [18], faster computation as well as the higher clarity of the WVD.
Ns In this work the GWT is implemented as [15],
S(k)= 1 s(n)ejΦ(Ns,n,k), (4) 2.6 0.6
Ns GWTmk=G WVD . (9)
n=1 mk mk
9
NR
Patches
(a) Gabor Transform (GT). Fingerprint Elements
# Statistics x NR
N σ 2 γ κ . . .
T σ
NTxNFSamples/Patch
σ
Std Deviation
2
σ
Variance
NF γ
Skewness
κ
Kurtosis
Fig. 4. Gabor-based RF-DNA fingerprint generation using NT × NF 2-D
patches taken from the centered and normalized magnitude-squared GT and
GWTcoefficients
fingerprints are generated from the normalized (i.e., subtrac-
(b) Gabor-Wigner Transform (GWT). tion of the minimum value followed by division by the max-
imum value) magnitude-squared Gabor (|Gmk|2) and Gabor-
Fig. 3. Representative Gabor-based T-F magnitude responses for a 802.16e Wigner (|GWTmk|2) coefficients. As illustrated in Fig. 4, the
WiMAX MS device. Responses based on near-transient responses of bursts resultant T-F surface is subsequently divided into N ×N
collected during Range Only Mode at SNR =0dB. T F
2-D subregions (patches), vectorized to a length of NTF,and
statistics (standard deviation (σ), variance (σ2), skewness (γ),
The WVD in (9) is actually implemented using the Discrete and kurtosis (κ)) calculated. The N ×N dimensions were
Pseudo Wigner Distribution (DPWD) here [23] and calculated T F
chosen to ensure a minimum of N =15coefficients were
as follows: TF
used for statistical calculation.
KG/21 The total number of fingerprint regions is dependent on the
j2πkn/K
WVD = a(n)exp G, (10) total number of Gabor or Gabor-Wigner coefficients generated
mk
n=(KG/21) via (8) or (9), respectively. To facilitate comparative analysis,
the parameters M = 150, K = 150 and N =1were
a(n)=w(n)w∗(n)s(m+n)s∗(mn), (11) G Δ
selected for generation of both the GT and GWT. Therefore, an
where w(n) is a specific window function. Consistent oversampling of NOS = 150 was used in the calculation of the
with [23], a Hamming window function was implemented. GTandGWT.Theresulting150×150T-Fplaneisdividedinto
N =50patches where N =10(m = 75,74,...,75)
The complex IQ components of Gabor coefficients G R T
mk and N =5(k =21,20,...,28). Similar to TD and SD
and GWT , generated respectively in (8) and (9), can be F
mk RF-DNA fingerprint generation, statistics calculated over the
used to compute corresponding T-F magnitude and phase entire 150×150 T-F plane are included representing the N
responses. Figure 3 shows representative magnitude responses, R+1
at SNR =0dB, for the GT and GWT used for generation subregion. For GT and GWT classification results in Sect. IV,
of RF-DNA fingerprints and the results presented in Sect. IV. the resultant Gabor-based RF-DNA fingerprints are comprised
The T-F localization benefits of the GT and GWT transforms of a total of 204 elements (4 Statistics×51 Subregions).
were considered for characterizing and identifying types of E. MDA/ML Processing
power supply disturbances [23], [24].
For results in Sect. IV, the GT and GWT were implemented As in previous work [5]–[7], [12], [25], this work uses
using the Gaussian analysis window in (8) per [19]. RF-DNA Multiple Discriminant Analysis (MDA) for feature selection
10
no reviews yet
Please Login to review.
