ABSTRACT: Side-channel analysis has been used to successfully attack many cryptographic systems. However, to improve trace quality and make collection of side-channel data easier, the attacker typically modifies the target device to add a trigger signal. This trigger implies a very powerful attacker with virtually complete control over the device. This paper describes a method to collect side-channel data using a software defined radio (SDR) in real-time without requiring a collection device trigger. A correlation-based frequency-dependent leakage mapping technique is introduced to evaluate a 32-bit microprocessor, revealing that individual key bytes leak at different frequencies. Key byte-dependent leakage is observed in both SDR collected and triggered oscilloscope-based collections (which serve to validate the SDR data). This research is the first to demonstrate an effective differential attack using SDRs. Successful attacks are presented using two SDRs, including a US$20 digital television receiver with modified drivers.
IEEE Transactions on Information Forensics and Security 01/2013; 8(12):2101-2114. · 1.90 Impact Factor
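The correlation-based differential attack this abstract refers to, shown as an added worked example (my code, not the paper's): a correlation power analysis (CPA) that recovers one AES key byte from constructed traces. The traces, the Hamming-weight leakage model on the first-round S-box output, the leaking sample position (`leak_index`) and the noise level are all assumptions standing in for SDR or oscilloscope captures. The paper maps leakage per frequency bin; the `leakage_map` function here does the same per sample index, which is the time-domain analogue.

```python
"""Correlation power analysis (CPA) against one AES key byte on constructed traces."""
import math
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def build_aes_sbox():
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 in GF(2^8)
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3 in GF(2^8)
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        affine = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = build_aes_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming-weight leakage model


def simulate_traces(key_byte, n_traces=150, n_samples=12, leak_index=7, noise=1.0, seed=1):
    """Constructed traces (not measured data): sample `leak_index` carries the Hamming
    weight of the first-round S-box output plus Gaussian noise; all other samples are noise."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        pt = rng.randrange(256)
        trace = [rng.gauss(0.0, noise) for _ in range(n_samples)]
        trace[leak_index] += HW[SBOX[pt ^ key_byte]]
        plaintexts.append(pt)
        traces.append(trace)
    return plaintexts, traces


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / math.sqrt(vx * vy)


def leakage_map(plaintexts, traces, known_key):
    """Known-key leakage map: |corr| between HW(S[pt ^ key]) and every sample column."""
    model = [HW[SBOX[pt ^ known_key]] for pt in plaintexts]
    return [abs(pearson(model, [t[j] for t in traces])) for j in range(len(traces[0]))]


def cpa_attack(plaintexts, traces):
    """For every key-byte guess, correlate the HW model with each sample column.
    Returns (best guess, sample index where it peaks, per-guess peak |corr|)."""
    n_samples = len(traces[0])
    columns = [[t[j] for t in traces] for j in range(n_samples)]
    peaks, best_guess, best_index, best_corr = [], None, None, -1.0
    for guess in range(256):
        model = [HW[SBOX[pt ^ guess]] for pt in plaintexts]
        corrs = [abs(pearson(model, col)) for col in columns]
        j = max(range(n_samples), key=corrs.__getitem__)
        peaks.append(corrs[j])
        if corrs[j] > best_corr:
            best_corr, best_guess, best_index = corrs[j], guess, j
    return best_guess, best_index, peaks


def key_rank(peaks, true_key):
    """Position of the true key when guesses are sorted by peak correlation (0 = recovered)."""
    return sum(1 for g in range(256) if peaks[g] > peaks[true_key])


if __name__ == "__main__":
    key = 0x2B
    pts, trs = simulate_traces(key)
    guess, where, peaks = cpa_attack(pts, trs)
    print(f"recovered 0x{guess:02x} (true 0x{key:02x}) at sample {where}, rank {key_rank(peaks, key)}")
```

To see why a trigger matters, raise `noise` or shuffle `leak_index` per trace in `simulate_traces` and watch `key_rank` climb: misaligned traces smear the leakage across columns, which is exactly the alignment problem the paper's trigger-free SDR collection has to solve.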
ABSTRACT: Security and privacy within existing wireless architectures remain a major concern and may be further compounded when considering multi-node wireless cognitive networks. However, the same computational capabilities that enable cognitive transceiver operation can also be used to enhance physical-layer security at each node. The approach here uses RF Distinct Native Attribute (RF-DNA) features that embody unique statistical properties of received RF emissions. The baseline system uses a Multiple Discriminant Analysis, Maximum Likelihood (MDA/ML) process to classify devices by exploiting RF-DNA uniqueness that enables serial number discrimination. MDA/ML limitations, to include a lack of feature relevance indication, are addressed using a previously investigated Learning From Signals (LFS) process. Of significance here is the expansion of LFS capability which will be readily implementable in envisioned cognitive network architectures. By coupling Kernel Regression (KR) with a Differential Evolution (DE) genetic algorithm, LFS is able to “learn” an improved model of the signal environment. Results here for experimentally collected 802.11a WiFi signals demonstrate recent improvements to the LFS engine that enable it to operate more effectively within a higher-dimensional RF-DNA feature space. The addition of a fractional Euclidean Distance (ED) similarity metric and vector class labeling provides an improvement of 9 % to 23 % in average percent correct classification over the earlier LFS implementation.
Computing, Networking and Communications (ICNC), 2013 International Conference on; 01/2013
ABSTRACT: Cognitive Radio (CR) networks create an environment that presents unique security challenges, with reliable user authentication being essential for mitigating Primary User Emulation (PUE) spoofing and ensuring the cognition engine is using reliable information when dynamically reconfiguring the network. Unfortunately, wireless network edge devices increase spoofing potential as all devices can “see” all network traffic within RF range. Conventional bit-level security helps, but additional security based on physical-layer (PHY) attributes is required to ensure unauthorized devices do not adversely impact CR reliability during environmental assessment. RF Distinct Native Attribute (RF-DNA) fingerprinting is one PHY technique for reliably identifying devices based on inherent emission differences. These differences are exploited to uniquely identify, by serial number, hardware devices and aid cognitive network security. Reliable device discrimination has been achieved using Multiple Discriminant Analysis, Maximum Likelihood (MDA/ML) processing. However, MDA/ML provides no insight into feature relevance, which limits its use for optimizing feature selection. This limitation is addressed here using Generalized Relevance Learning Vector Quantization-Improved (GRLVQI) and Learning from Signals (LFS) classifiers. Comparative assessment shows that GRLVQI and LFS classification performance rivals that of MDA/ML, overcomes inherent MDA/ML limitations, and provides benefit for CR network applications where reliable RF environment assessment and PUE mitigation are essential.
Communications (ICC), 2013 IEEE International Conference on; 01/2013
ABSTRACT: Orthogonal Frequency Division Multiplexing (OFDM) has been considered as a strong candidate for next generation wireless communication systems. Compared to traditional OFDM, Single Carrier OFDM (SC-OFDM) has demonstrated excellent bit error rate (BER) performance, as well as low peak to average power ratio (PAPR). Similar to other multi-carrier transmission technologies, SC-OFDM suffers significant performance degradation resulting from intercarrier interference (ICI) in high mobility environments. Existing techniques for OFDM can be directly adopted in SC-OFDM to improve performance; however, this improved performance comes at costs such as decreased throughput. In this paper, we analyze the effect of ICI on an SC-OFDM system and propose a novel modulation scheme. The proposed Magnitude-Keyed Modulation (MKM) provides the SC-OFDM system with immunity to ICI and, with an easy implementation, significantly outperforms OFDM, SC-OFDM and MC-CDMA systems with Phase Shift Keying (PSK) modulation and Quadrature Amplitude Modulation (QAM) in a severe ICI environment. Analysis also illustrates that the proposed SC-OFDM system with MKM modulation maintains low PAPR compared to traditional OFDM and SC-OFDM systems with PSK and QAM modulations. Simulation results for different modulation schemes in various ICI environments confirm the effectiveness of the proposed system.
IEEE Transactions on Communications 01/2013; 61(2):658-668. · 1.75 Impact Factor
ABSTRACT: It is well known that Orthogonal Frequency Division Multiplexing (OFDM) systems suffer from intercarrier interference (ICI) in a mobile environment due to loss of orthogonality among subcarriers caused by Doppler shifts. There exist many ICI mitigation techniques in the literature to improve the performance of OFDM systems. However, most of the existing ICI mitigation techniques assume the OFDM transmission bandwidth is narrow enough that the frequency offsets on all subcarriers are identical. In a wideband OFDM transmission or a non-contiguous OFDM spanning over large bandwidth, the Doppler shifts on different subcarriers are different, especially in high speed aerial vehicle communication systems. In this paper, we analyze the wideband OFDM system in a high-mobility environment where the frequency offsets vary from subcarrier to subcarrier. We then propose a novel ICI cancellation scheme to eliminate the ICI effect and offer the wideband OFDM system significantly improved BER performance. Simulation results in AWGN channel and multipath fading channel confirm the effectiveness of the proposed scheme in the presence of frequency offset and time variations in the channel, offering the best BER performance available, which matches the BER performance of a wideband OFDM system without ICI. To our knowledge, this paper is the first to address the ICI problem of varying frequency offsets across subcarriers in a wideband OFDM system.
Computing, Networking and Communications (ICNC), 2013 International Conference on; 01/2013
ABSTRACT: Radio-frequency distinct native attribute (RF-DNA) fingerprinting is adapted as a physical-layer technique to improve the security of integrated circuit (IC)-based multifactor authentication systems. Device recognition tasks (both identification and verification) are accomplished by passively monitoring and exploiting the intrinsic features of an IC's unintentional RF emissions without requiring any modification to the device being analyzed. Device discrimination is achieved using RF-DNA fingerprints comprised of higher order statistical features based on instantaneous amplitude, phase, and frequency responses as a device executes a sequence of operations. The recognition system is trained using multiple discriminant analysis to reduce data dimensionality while retaining class separability, and the resultant fingerprints are classified using a linear Bayesian classifier. Demonstrated identification and verification performance includes average identification accuracy of greater than 99.5% and equal error rates of less than 0.05% for 40 near-identical devices. Depending on the level of required classification accuracy, RF-DNA fingerprint-based authentication is well-suited for implementation as a countermeasure to device cloning, and is promising for use in a wide variety of related security problems.
IEEE Transactions on Information Forensics and Security 01/2012; 7(1):14-24. · 1.90 Impact Factor
ABSTRACT: Impersonation of authorized network devices is a serious concern in applications involving monitoring and control of battlefield operations and military installation infrastructure; ZigBee is among the ad hoc network alternatives used for such purposes. There are considerable security concerns given the availability of ZigBee “hacking” tools that have evolved from methods used for IEEE 802.11 Wi-Fi and IEEE 802.15.1 Bluetooth attacks. To mitigate the effectiveness of these bit-level attacks, RF waveform features within the lowest OSI physical (PHY) layer are used to augment bit-level security mechanisms within higher OSI layers. The evolution of RF 'Distinct Native Attribute' (RF-DNA) fingerprinting continues here with a goal toward improving defensive RF Intelligence (RFINT) measures and enhancing rogue device detection. Demonstrations here involve ZigBee burst collection and RF-DNA fingerprint generation using experimentally collected emissions from like-model CC2420 ZigBee devices operating at 2.4 GHz. RF-DNA fingerprints from 7 authorized devices are used for Multiple Discriminant Analysis (MDA) training, and authorized device classification performance is assessed, i.e., answering: “Is the device 1 of M authorized devices?” Additional devices are introduced as impersonating rogue devices attempting to gain unauthorized network access by presenting false bit-level credentials for one of the M authorized devices. Granting or rejecting rogue network access is addressed using a claimed identity verification process, i.e., answering: “Does the device's current RF-DNA match its claimed bit-level identity?” For authorized devices, arbitrary classification and verification benchmarks of %C > 90% and %V > 90% are achieved at SNR ≈ 10.0 dB using a test statistic based on assumed Multivariate Gaussian (MVG) likelihood values. Overall, rogue device rejection capability is promising using the same verification test statistic, with %V
MILITARY COMMUNICATIONS CONFERENCE, 2012 - MILCOM 2012; 01/2012
ABSTRACT: Considerable effort has been put forth to exploit physical layer attributes to augment network bit-level security mechanisms. RF-DNA fingerprints possess such attributes and can be used to uniquely identify authorized users and mitigate unauthorized network activity. These attributes are unique to a given electronic device and difficult to replicate for cloning, spoofing, etc. Device discrimination (identification) of WiMAX devices has been successfully demonstrated using a one-to-many comparison against a pool of unknown device fingerprints. The work here now addresses device authentication using a one-to-one comparison against the specific fingerprint associated with a claimed bit-level identity (MAC, SIM, IMEI, etc.). The concept is demonstrated using Gabor-based RF-DNA extracted from near-transient burst responses of 802.16e WiMAX mobile subscriber devices; device identification of better than 96% is achieved with verification EER ≤ 1.6% for SNR ≥ -3 dB.
Communications (ICC), 2012 IEEE International Conference on; 01/2012
ABSTRACT: The ZigBee specification builds upon IEEE 802.15.4 low-rate wireless personal area standards by adding security and mesh networking functionality. ZigBee networks may be secured through 128-bit encryption keys and by MAC address access control lists, yet these credentials are vulnerable to interception and spoofing via free software tools available over the Internet. This work proposes a multi-factor PHY-MAC-NWK security framework for ZigBee that augments bit-level security using radio frequency (RF) PHY features. These features, or RF fingerprints, can be used to differentiate between dissimilar or like-model wireless devices. Previous PHY-based works on mesh network device differentiation predominantly exploited the signal turn-on region, measured in nanoseconds. For an arbitrary benchmark of 90% or better classification accuracy, this work shows that reliable PHY-based ZigBee device discrimination can be achieved at SNR ≥ 8 dB. This is done using the entire transmission preamble, which is less technically challenging to detect and is over 1000 times longer than the signal turn-on region. This work also introduces a statistical, pre-classification feature ranking technique for identifying relevant features that dramatically reduces the number of RF fingerprint features without sacrificing classification performance.
Global Communications Conference (GLOBECOM), 2012 IEEE; 01/2012
ABSTRACT: Previous work has demonstrated the viability of using RF-DNA fingerprinting to provide serial number discrimination of IEEE 802.11a WiFi devices as a means to augment conventional bit-level security. This was done using RF-DNA extracted from signal regions containing standard pre-defined responses (preamble, midamble, etc.). Using these responses, proof-of-concept demonstrations with RF-DNA fingerprinting have shown some effectiveness for providing serial number discrimination. The discrimination challenge increases considerably when pre-defined signal responses are not present. This challenge is addressed here using experimentally collected IEEE 802.16e WiMAX signals from Alvarion BreezeMAX Mobile Subscriber (MS) devices. Relative to previous Time Domain (TD) and Spectral Domain (SD) fingerprint features, joint time-frequency Gabor (GT) and Gabor-Wigner (GWT) Transform features are considered here as a means to extract greater device discriminating information. For comparison, RF-DNA is extracted from TD, SD, GT, and GWT responses and MDA/ML feature extraction and classification performed. Preliminary assessment shows that Gabor-based RF-DNA fingerprinting is much more effective than either TD or SD methods. GT RF-DNA fingerprinting achieves individual WiMAX MS device classification of 98.5% or better for SNR ≥ -3 dB.
Computing, Networking and Communications (ICNC), 2012 International Conference on; 01/2012
ABSTRACT: Wireless communication networks remain under attack with ill-intentioned "hackers" routinely gaining unauthorized access through Wireless Access Points, one of the most vulnerable points in an Information Technology (IT) system. The goal here is to demonstrate the feasibility of using Radio Frequency (RF) air monitoring to augment conventional bit-level security at WAPs. The specific networks of interest include those based on Orthogonal Frequency Division Multiplexing (OFDM), to include 802.11a/g WiFi and 4G 802.16 WiMAX. Proof-of-concept results are presented to demonstrate the effectiveness of a "Learning from Signals" (LFS) classifier with Gaussian kernel bandwidth parameters optimally determined using Differential Evolution (DE). The resultant DE-optimized LFS classifier is implemented within an RF "Distinct Native Attribute" (RF-DNA) fingerprinting process with both Time Domain (TD) and Spectral Domain (SD) features input to the classifier. The RF-DNA is used for intra-manufacturer (like-model devices from a given manufacturer) discrimination of IEEE compliant 802.11a WiFi devices and 802.16e WiMAX devices. A comparative performance assessment is provided using results from the proposed DE-optimized LFS classifier and a Bayesian-based Multiple Discriminant Analysis/Maximum Likelihood (MDA/ML) classifier as used in previous demonstrations. The assessment is performed using identical TD and SD fingerprint features for both classifiers. Preliminary results of the DE-optimized classifier are very promising, with correct classification improvement of 15% to 40% realized over the range of signal to noise ratios considered.
Computer Communications and Networks (ICCCN), 2011 Proceedings of 20th International Conference on; 01/2011
ABSTRACT: Computer and communication network attacks are commonly orchestrated through Wireless Access Points (WAPs). This paper summarizes proof-of-concept research activity aimed at developing a physical layer Radio Frequency (RF) air monitoring capability to limit unauthorized WAP access and improve network security. This is done using Differential Evolution (DE) to optimize the performance of a "Learning from Signals" (LFS) classifier implemented with RF "Distinct Native Attribute" (RF-DNA) fingerprints. Performance of the resultant DE-optimized LFS classifier is demonstrated using 802.11a WiFi devices under the most challenging conditions of intra-manufacturer classification, i.e., using emissions of like-model devices that only differ in serial number. Using identical classifier input features, performance of the DE-optimized LFS classifier is assessed relative to a Multiple Discriminant Analysis / Maximum Likelihood (MDA/ML) classifier that has been used for previous demonstrations. The comparative assessment is made using both Time Domain (TD) and Spectral Domain (SD) fingerprint features. For all combinations of classifier type, feature type, and signal-to-noise ratio considered, results show that the DE-optimized LFS classifier with TD features is superior and provides up to 20% improvement in classification accuracy with proper selection of DE parameters.
13th Annual Genetic and Evolutionary Computation Conference, GECCO 2011, Proceedings, Dublin, Ireland, July 12-16, 2011; 01/2011
ABSTRACT: Interest in Cognitive Radio (CR) remains strong as the communications community strives to solve the spectrum congestion problem. In conventional CR implementations, interference to primary users is minimized using either overlay waveforms that exploit unused (white) spectrum holes or underlay waveforms that spread their power spectrum density over an ultra-wide bandwidth. In Part I, we proposed a novel hybrid overlay/underlay waveform that realizes benefits of both waveforms and demonstrated its performance in an AWGN channel. This was done by extending the original Spectrally Modulated Spectrally Encoded (SMSE) framework to enable soft decision CR implementations that exploit both unused (white) and underused (gray) spectral areas. In Part II, we analyze and evaluate performance of the proposed hybrid overlay/underlay waveform in frequency selective fading channels. A simulated performance analysis of overlay, underlay and hybrid overlay/underlay waveforms in frequency selective fading channels is presented and benefits discussed.
IEEE Transactions on Communications 07/2010; · 1.75 Impact Factor
ABSTRACT: Applicability of Spectrally Modulated, Spectrally Encoded (SMSE) waveform design has been expanded for future Cognitive Radio (CR)-based Software Defined Radio (SDR) applications. As previously demonstrated, the SMSE waveform design process can exploit statistical knowledge of PU spectral and temporal behavior to maximize SMSE system throughput (bits/second) while adhering to SMSE and Primary User (PU) spectral constraints. The capacity of SMSE systems is extended here using spectral partitioning with carrier-interferometry (CI) coding to increase SMSE waveform agility in the presence of a spectrally diverse transmission channel. By adaptively varying the modulation order and optimally allocating power within each spectral partition, inherent SMSE flexibility is more fully exploited and substantially increases system throughput while meeting Power Spectral Density (PSD) constraints. A coexistent scenario is provided in which the analytic optimization of the SMSE waveform is demonstrated while meeting spectral mask requirements. Results show that spectrally partitioned CI-SMSE waveforms have a significantly greater ability to adapt to varying spectral requirements.
Communications (ICC), 2010 IEEE International Conference on; 06/2010
ABSTRACT: The impact of channel estimation error is investigated for Spectrally Modulated, Spectrally Encoded (SMSE) waveform designs in a coexistent environment containing multiple 802.11 Primary User (PU) systems. As previously demonstrated, the SMSE waveform design process can exploit statistical knowledge of PU spectral and temporal behavior to maximize SMSE system throughput (bits/second). This can be done by enforcing SMSE and PU bit error rate constraints while limiting mutual coexistent interference to manageable levels. Since maximum system performance requires accurate channel state knowledge at the SMSE transmitter, the presence of channel estimation error decreases the ability to design spectrally agile signals that optimally exploit coexistent spectral regions. Relative to a spectrally-only adapted system, the spectrally-temporally adapted SMSE system provides significant performance improvement by leveraging knowledge of PU temporal statistics to design temporally agile signals while maintaining desired performance levels for each system. Superiority of spectrally-temporally adapted signals is demonstrated here in terms of increased SMSE throughput (bits/symbol) and greater tolerance to increased channel estimation error.
Wireless Communications and Networking Conference (WCNC), 2010 IEEE; 05/2010
ABSTRACT: RF distinct native attribute (RF-DNA) fingerprinting is introduced as a means to uniquely identify embedded processors and other integrated circuit devices by passively monitoring and exploiting unintentional RF emissions. Device discrimination is accomplished using RF-DNA fingerprints comprised of higher-order statistical features based on instantaneous amplitude and frequency responses as a device executes a sequence of operations. The resultant fingerprints are input to a Multiple Discriminant Analysis/Maximum Likelihood (MDA/ML) processor for subsequent device discrimination. Using devices from a given manufacturer and experimentally collected side channel signals, 90-100% identification accuracy is achieved for SNR ≥ 12 dB for devices with identical part numbers from the same production lot. Depending on the level of required classification accuracy, RF-DNA fingerprinting is well-suited for realistic environments and practical operating distances. Applications of device RF-DNA fingerprints include supplementary physical layer authentication of secure tokens (e.g. smart cards), detection of counterfeit electronic devices or unauthorized modification, and forensic attribution of a device's unique identity in criminal or other investigations.
MILITARY COMMUNICATIONS CONFERENCE, 2010 - MILCOM 2010; 01/2010
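The RF-DNA pipeline described in this abstract and in the IC multifactor-authentication abstract above (instantaneous amplitude, phase and frequency responses, variance/skewness/kurtosis per sub-region, then a maximum-likelihood classifier), as an added example that is my code and not the authors': constructed complex-baseband bursts stand in for collected emissions, the per-device imperfections in `DEVICES` (a carrier offset and an amplitude ripple) are hypothetical, and the MDA projection is omitted so the ML step reduces to a diagonal-covariance Gaussian classifier trained directly on the 36 fingerprint features.

```python
"""RF-DNA-style fingerprinting of constructed bursts with a Gaussian ML classifier."""
import cmath
import math
import random

# Hypothetical device imperfections (not measurements): (carrier offset in
# cycles/sample, amplitude-ripple depth). Real RF-DNA exploits whatever the
# hardware actually leaks; these two knobs stand in for that here.
DEVICES = {"dev_A": (0.005, 0.05), "dev_B": (0.015, 0.15), "dev_C": (0.025, 0.25)}
NOISE_SIGMA = 0.01  # per-component complex Gaussian noise added to every sample


def synth_burst(dev, n=256, seed=0):
    """Constructed complex-baseband burst: a constant-envelope tone carrying the device's imperfections."""
    rng = random.Random(seed)
    f_off, ripple = DEVICES[dev]
    phi0 = rng.uniform(0.0, 2 * math.pi)    # random carrier phase per burst
    theta0 = rng.uniform(0.0, 2 * math.pi)  # random ripple phase per burst
    burst = []
    for k in range(n):
        amp = 1.0 + ripple * math.sin(2 * math.pi * k / 64 + theta0)
        z = amp * cmath.exp(1j * (2 * math.pi * f_off * k + phi0))
        burst.append(z + complex(rng.gauss(0, NOISE_SIGMA), rng.gauss(0, NOISE_SIGMA)))
    return burst


def instantaneous_responses(burst):
    """Instantaneous amplitude, unwrapped phase and frequency (cycles/sample) of a complex burst."""
    amp = [abs(z) for z in burst]
    raw = [cmath.phase(z) for z in burst]
    phase, freq = [raw[0]], []
    for prev, cur in zip(raw, raw[1:]):
        d = (cur - prev + math.pi) % (2 * math.pi) - math.pi  # wrap the step into [-pi, pi)
        phase.append(phase[-1] + d)
        freq.append(d / (2 * math.pi))
    return amp, phase, freq


def var_skew_kurt(x):
    """Variance, skewness and kurtosis of a sequence (population moments)."""
    n = len(x)
    m = sum(x) / n
    c = [v - m for v in x]
    m2 = sum(v * v for v in c) / n
    if m2 < 1e-18:
        return [m2, 0.0, 0.0]
    m3 = sum(v ** 3 for v in c) / n
    m4 = sum(v ** 4 for v in c) / n
    return [m2, m3 / m2 ** 1.5, m4 / (m2 * m2)]


def rf_dna_fingerprint(burst, n_regions=4):
    """Var/skew/kurt of each response over each sub-region: 3 responses x 4 regions x 3 stats = 36 features."""
    feats = []
    for resp in instantaneous_responses(burst):
        step = len(resp) // n_regions
        for r in range(n_regions):
            feats.extend(var_skew_kurt(resp[r * step:(r + 1) * step]))
    return feats


def train_gaussian_ml(fps_by_dev):
    """Per-device feature means and variances (diagonal covariance; the MDA step is omitted here)."""
    model = {}
    for dev, fps in fps_by_dev.items():
        n, d = len(fps), len(fps[0])
        mu = [sum(fp[i] for fp in fps) / n for i in range(d)]
        var = [max(sum((fp[i] - mu[i]) ** 2 for fp in fps) / (n - 1), 1e-9) for i in range(d)]
        model[dev] = (mu, var)
    return model


def classify(model, fp):
    """Maximum-likelihood decision: the device whose Gaussian gives the largest log-likelihood."""
    def loglik(mu, var):
        return sum(-0.5 * (x - m) ** 2 / v - 0.5 * math.log(v) for x, m, v in zip(fp, mu, var))
    return max(model, key=lambda dev: loglik(*model[dev]))


def run_demo(n_train=8, n_test=4):
    """Train on n_train bursts per device; return accuracy on n_test unseen bursts per device."""
    train = {dev: [rf_dna_fingerprint(synth_burst(dev, seed=100 * i + j)) for j in range(n_train)]
             for i, dev in enumerate(DEVICES)}
    model = train_gaussian_ml(train)
    hits = total = 0
    for i, dev in enumerate(DEVICES):
        for j in range(n_test):
            hits += classify(model, rf_dna_fingerprint(synth_burst(dev, seed=5000 + 100 * i + j))) == dev
            total += 1
    return hits / total


if __name__ == "__main__":
    print(f"held-out classification accuracy: {run_demo():.3f}")
```

Note that none of the features is a mean, so a plain carrier offset is not read directly; it shows up through the variance of the unwrapped phase ramp within each region, while the ripple depth shows up through the amplitude variance. Raising `NOISE_SIGMA` is the quickest way to reproduce the accuracy-versus-SNR curves these papers report, and the `1e-9` variance floor is what keeps a nearly deterministic feature from dividing by zero.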
ABSTRACT: Wireless communication security is addressed using device-specific RF-DNA fingerprints in a localized regional air monitor. The targeted application includes IEEE 802.16 WiMax-based airport communications such as being proposed by the Eurocontrol and FAA organizations; concept validation is currently underway using the Aeronautical Mobile Airport Communications System (AeroMACS) network. Security enhancement via RF-DNA fingerprinting is motivated by earlier RF-DNA work using GMSK-based intra-cellular GSM signals and OFDM-based 802.11a peer-to-peer WiFi signals. The commonality that WiMax shares with these two existing communication systems, i.e., the cellular control structure of GSM and the multi-carrier OFDM modulation of 802.11a, suggests that RF-DNA fingerprinting may be effective for WiMax device discrimination. This is important given that WiMax shares some common features that may prove detrimental, to include bit-level authentication, privacy, and security mechanisms. It is reasonable to assume that these bit-level mechanisms will come under attack as "hackers" apply lessons learned from their previous successes. The contributions of this paper include: 1) the introduction of a Spectral Domain (SD) RF-DNA fingerprinting technique to augment previous Time Domain (TD) and Wavelet Domain (WD) techniques, and 2) a first look at AeroMACS physical waveform features and the potential applicability of RF-DNA fingerprinting using operationally collected signals.
Fourth International Conference on Network and System Security, NSS 2010, Melbourne, Victoria, Australia, September 1-3, 2010; 01/2010
ABSTRACT: Analysis of variance (ANOVA) is applied to RF-DNA fingerprinting techniques to ascertain the most significant signal characteristics that can be used to form robust statistical fingerprint features. The goal is to find features that enable reliable identification of like-model communication devices having different serial numbers. Once achieved, these unique physical layer identities can be used to augment existing bit-level protection mechanisms and overall network security is improved. ANOVA experimentation is generated using a subset of collected signal characteristics (amplitude, phase, frequency, signal-to-noise ratio, etc.) and post-collection processing parameters (bandwidth, fingerprint regions, statistical features, etc.). The ANOVA input is percent correct device classification as obtained from MDA/ML discrimination using three like-model devices from a given manufacturer. Full factorial design experiments and ANOVA are used to determine the significance of individual parameters, and interactions thereof, in achieving higher percentages of correct classification. ANOVA is shown to be well-suited for the task and reveals parametric interactions that are otherwise unobservable using conventional graphical and tabular data representations.
WINSYS 2010 - Proceedings of the International Conference on Wireless Information Networks and Systems, Athens, Greece, July 26 - 28, 2010, WINSYS is part of ICETE - The International Joint Conference on e-Business and Telecommunications; 01/2010