ABSTRACT: Radio Frequency (RF) Distinct Native Attribute (RF-DNA) Fingerprinting is a PHY-based security method that enhances device identification (ID). ZigBee 802.15.4 security is of interest here given its widespread deployment in Critical Infrastructure (CI) applications. RF-DNA features can be numerous, correlated, and noisy. Feature Dimensional Reduction Analysis (DRA) is considered here with a goal of: 1) selecting appropriate features (feature selection) and 2) selecting the appropriate number of features (dimensionality assessment). Five selection methods are considered based on Generalized Relevance Learning Vector Quantization-Improved (GRLVQI) feature relevance ranking, and p-value and test statistic rankings from both the two-sample Kolmogorov-Smirnov (KS) Test and the one-way Analysis of Variance (ANOVA) F-test. Dimensionality assessment is considered using previous qualitative (subjective) methods and quantitative methods developed herein using data covariance matrices and the KS and F-test p-values. ZigBee discrimination (classification and ID verification) is evaluated under varying signal-to-noise ratio (SNR) conditions for both authorized and unauthorized rogue devices. Test statistic approaches emerge as superior to p-value approaches and offer both higher resolution in selecting features and generally better device discrimination. With appropriate feature selection, using only 16% of the data is shown to achieve better classification performance than when using all of the data. Preliminary first-look results for Z-Wave devices are also presented and shown to be consistent with ZigBee device fingerprinting performance.
ABSTRACT: Unauthorized network access and spoofing attacks at wireless access points (WAPs) have been traditionally addressed using bit-centric security measures and remain a major information technology security concern. This has been recently addressed using RF fingerprinting methods within the physical layer to augment WAP security. This paper extends the RF fingerprinting knowledge base by: 1) identifying and removing less-relevant features through dimensional reduction analysis (DRA) and 2) providing a first-look assessment of device identification (ID) verification that enables the detection of rogue devices attempting to gain network access by presenting false bit-level credentials of authorized devices. DRA benefits and rogue device rejection performance are demonstrated using discrete Gabor transform features extracted from experimentally collected orthogonal frequency division multiplexing-based wireless fidelity (WiFi) and worldwide interoperability for microwave access (WiMAX) signals. Relative to empirically selected full-dimensional feature sets, performance using DRA-reduced feature sets containing only 10% of the highest ranked features (90% reduction), includes: 1) maintaining desired device classification accuracy and 2) improving authorized device ID verification for both WiFi and WiMAX signals. Reliable burst-by-burst rogue device rejection of better than 93% is achieved for 72 unique spoofing attacks and improvement to 100% is demonstrated when an accurate sample of the overall device population is employed. DRA-reduced feature set efficiency is reflected in DRA models requiring only one-tenth the number of features and processing time.
Article · Jun 2015 · IEEE Transactions on Information Forensics and Security
ABSTRACT: Device classification is important in many applications such as industrial quality control, through-wall imaging and network security. A novel approach has been proposed to use a digital noise radar (DNR) to actively interrogate microwave devices and classify defective units using ‘radio frequency distinct native attribute (RF-DNA)’ fingerprinting and various classifier algorithms. RF-DNA has previously demonstrated ‘serial number’ discrimination of numerous passive radio frequency signals, achieving classification accuracies above 80% using multiple discriminant analysis/maximum likelihood (MDA/ML) and generalised relevance learning vector quantisation-improved (GRLVQI) classifiers. It has also demonstrated above 80% classification of limited active interrogation responses with a DNR signal using these classifiers. The performance capabilities of the two different classifiers, MDA/ML and GRLVQI, on RF-DNA fingerprints produced from the ultra-wideband noise radar correlation response is expanded.
Article · May 2015 · Electronics Letters
ABSTRACT: Improved network security is addressed using device dependent physical-layer (PHY) based fingerprints from Ethernet cards to augment traditional MAC-based ID verification. The investigation uses unintentional Ethernet cable emissions and device fingerprints comprised of Constellation-Based, Distinct Native Attribute (CB-DNA) features. Near-field collection probe derivative effects dictated the need for developing a two-dimensional (2D) binary constellation for demodulation and CB-DNA extraction. Results show that the 2D constellation provides reliable demodulation (bit estimation) and device discrimination using symbol cluster statistics for CB-DNA. Bit Error Rate (BER) and Cross-Manufacturer Discrimination (CMD) results are provided for 16 devices from 4 different manufacturers. Device discrimination is assessed using both Nearest Neighbor (NN) and Multiple Discriminant Analysis, Maximum Likelihood (MDA/ML) classifiers. Overall results are promising and include CMD average classification accuracy of %C = 76.73% (NN) and %C = 91.38% (MDA/ML).
ABSTRACT: The popularity of ZigBee devices continues to grow in home automation, transportation, traffic management, and Industrial Control System (ICS) applications given their low cost and low power. However, the decentralized architecture of ZigBee ad-hoc networks creates unique security challenges for network intrusion detection and prevention. In the past, ZigBee device authentication reliability was enhanced by Radio Frequency-Distinct Native Attribute (RF-DNA) fingerprinting using a Fisher-based Multiple Discriminant Analysis and Maximum Likelihood (MDA-ML) classification process to distinguish between devices in low Signal-to-Noise Ratio (SNR) environments. However, MDA-ML performance inherently degrades when RF-DNA features do not satisfy Gaussian normality conditions, which often occurs in real-world scenarios where radio frequency (RF) multipath and interference from other devices is present. We introduce non-parametric Random Forest (RndF) and Multi-Class AdaBoost (MCA) ensemble classifiers into the RF-DNA fingerprinting arena, and demonstrate improved ZigBee device authentication. Results are compared with parametric MDA-ML and Generalized Relevance Learning Vector Quantization-Improved (GRLVQI) classifier results using identical input feature sets. Fingerprint dimensional reduction is examined using three methods, namely a pre-classification Kolmogorov-Smirnov Test (KS-Test), a post-classification RndF feature relevance ranking, and a GRLVQI feature relevance ranking. Using the ensemble methods, an SNR=18.0 dB improvement over MDA-ML processing is realized at an arbitrary correct classification rate (%C) benchmark of %C=90%; for all SNR ∈ [0, 30] dB considered, %C improvement over MDA-ML ranged from 9% to 24%. Relative to GRLVQI processing, ensemble methods again provided improvement for all SNR, with a best improvement of %C=10% achieved at the lowest tested SNR=0.0 dB. Network penetration, measured using rogue ZigBee devices, shows that at SNR=12.- dB (%C=90%) the ensemble methods correctly reject 31 of 36 rogue access attempts based on Receiver Operating Characteristic (ROC) curve analysis and an arbitrary Rogue Accept Rate of . This performance is better than MDA-ML and GRLVQI, which rejected 25/36 and 28/36 rogue access attempts, respectively. The key benefit of ensemble method processing is improved rogue rejection in noisier environments; gains of 6.0 dB and 18.0 dB are realized over GRLVQI and MDA-ML, respectively. Collectively considering the demonstrated %C and rogue rejection capability, the use of ensemble methods improves ZigBee network authentication and enhances the anti-spoofing protection afforded by RF-DNA fingerprinting.
Article · Mar 2015 · IEEE Transactions on Reliability
ABSTRACT: Industrial control systems are used to operate critical infrastructure assets in the civilian and military sectors. Current industrial control system architectures are predominantly based on networked digital computers that enable reliable monitoring and control of critical functions via localized and distributed operations. Many industrial control systems, in particular, supervisory control and data acquisition (SCADA) systems, implement monitoring and control using programmable logic controllers, which have served as gateways through which cyber attacks have been orchestrated against high-profile industrial control system targets.
Article · Feb 2015 · International Journal of Critical Infrastructure Protection
ABSTRACT: Low-data-rate wireless networks incorporated in critical infrastructure applications can be protected through 128-bit encryption keys and address-based access control lists. However, these bit-level credentials are vulnerable to interception, extraction and spoofing using software tools available free of charge on the Internet. Recent research has demonstrated that wireless physical layer device fingerprinting can be used to defend against replay and spoofing attacks. However, radio frequency (RF) fingerprinting typically uses expensive signal collection systems; this is because fingerprinting wireless devices with low-cost receivers has been reported to have inconsistent accuracy. This paper demonstrates a robust radio frequency fingerprinting process that is consistently accurate with both high-end and low-cost receivers. Indeed, the results demonstrate that low-cost software-defined radios can be used to perform accurate radio frequency fingerprinting and to identify spoofing attacks in critical IEEE 802.15.4-based infrastructure networks such as ZigBee.
Article · Jan 2015 · International Journal of Critical Infrastructure Protection
ABSTRACT: Device classification is important for many applications such as industrial quality controls, through-wall imaging, and network security. A novel approach to detection is proposed using a random noise radar (RNR), coupled with Radio Frequency “Distinct Native Attribute (RF-DNA)” fingerprinting processing algorithms to non-destructively interrogate microwave devices. RF-DNA has previously demonstrated “serial number” discrimination of passive Radio Frequency (RF) emissions such as Orthogonal Frequency Division Multiplexed (OFDM) signals, Worldwide Interoperability for Microwave Access (WiMAX) signals and others with classification accuracies above 80% using a Multiple Discriminant Analysis/Maximum Likelihood (MDA/ML) classifier. This approach proposes to couple the classification successes of the RF-DNA fingerprint processing with a non-destructive active interrogation waveform. An Ultra Wideband (UWB) noise waveform is uniquely suitable as an active interrogation method since it will not cause damage to sensitive microwave components and multiple RNRs can operate simultaneously in close proximity, allowing for significant parallelization of detection systems.
Article · Jan 2015 · IEEE Antennas and Wireless Propagation Letters
ABSTRACT: The widespread adoption of ZigBee devices in critical infrastructure applications has justifiably heightened security concerns. Attack methods exist that allow unauthorized rogue devices to insert themselves into established networks. Radio Frequency (RF) fingerprinting provides one countermeasure to spoofing attacks by identifying hardware devices by their unique RF characteristics. To make such methods more practical, this paper compares RF fingerprinting performance of a low-cost software defined radio receiver with that of a high-cost receiver using six like-model ZigBee devices of the same manufacturer, representing the most challenging scenario for RF fingerprinting. Comparable discrimination performance is achieved across a range of SNR using a random forest classifier and observations from both receivers. Network intrusion detection performance was comparable as well, with the high-cost receiver identifying on average 10% more rogue devices than the low-cost receiver. The viability of using low-cost receivers for RF fingerprinting is demonstrated, improving the practicality of RF-based anti-spoofing countermeasures.
ABSTRACT: Wireless networks are particularly vulnerable to spoofing and route poisoning attacks due to the contested transmission medium. Recent works investigate physical layer features such as received signal strength or radio frequency fingerprints to localize and identify malicious devices. In this paper we demonstrate a novel and complementary approach to exploiting physical layer differences among wireless devices that is more energy efficient and invariant with respect to the environment. Specifically, we exploit subtle design differences among transceiver hardware types. Transceivers fulfill the physical-layer aspects of wireless networking protocols, yet specific hardware implementations vary among manufacturers and device types. In this paper we demonstrate that precise manipulation of the physical layer header prevents a subset of transceiver types from receiving the manipulated packet. By soliciting acknowledgments from wireless devices using a small number of packets with manipulated preambles and frame lengths, a response pattern identifies the true transceiver class of the device under test. Herein we demonstrate a transceiver taxonomy of six classes with greater than 99% accuracy, irrespective of environment. We successfully demonstrate wireless multi-factor authentication, intrusion detection, and transceiver type fingerprinting through preamble manipulation.
Article · Jan 2014 · IEEE Transactions on Dependable and Secure Computing
ABSTRACT: Side-channel analysis has been used to successfully attack many cryptographic systems. However, to improve trace quality and make collection of side-channel data easier, the attacker typically modifies the target device to add a trigger signal. This trigger implies a very powerful attacker with virtually complete control over the device. This paper describes a method to collect side-channel data using a software defined radio (SDR) in real-time without requiring a collection device trigger. A correlation-based frequency-dependent leakage mapping technique is introduced to evaluate a 32-bit microprocessor, revealing that individual key bytes leak at different frequencies. Key byte-dependent leakage is observed in both SDR collected and triggered oscilloscope-based collections (which serve to validate the SDR data). This research is the first to demonstrate effective differential attack using SDRs. Successful attacks are presented using two SDRs, including a US$20 digital television receiver with modified drivers.
Article · Dec 2013 · IEEE Transactions on Information Forensics and Security
ABSTRACT: Cognitive Radio (CR) networks create an environment that presents unique security challenges, with reliable user authentication being essential for mitigating Primary User Emulation (PUE) spoofing and ensuring the cognition engine is using reliable information when dynamically reconfiguring the network. Unfortunately, wireless network edge devices increase spoofing potential as all devices can “see” all network traffic within RF range. Conventional bit-level security helps, but additional security based on physical-layer (PHY) attributes is required to ensure unauthorized devices do not adversely impact CR reliability during environmental assessment. RF Distinct Native Attribute (RF-DNA) fingerprinting is one PHY technique for reliably identifying devices based on inherent emission differences. These differences are exploited to uniquely identify, by serial number, hardware devices and aid cognitive network security. Reliable device discrimination has been achieved using Multiple Discriminant Analysis, Maximum Likelihood (MDA/ML) processing. However, MDA/ML provides no insight into feature relevance which limits its use for optimizing feature selection. This limitation is addressed here using Generalized Relevance Learning Vector Quantization-Improved (GRLVQI) and Learning from Signals (LFS) classifiers. Comparative assessment shows that GRLVQI and LFS classification performance rivals that of MDA/ML, overcomes inherent MDA/ML limitations, and provides benefit for CR network applications where reliable RF environment assessment and PUE mitigation is essential.
ABSTRACT: We propose a segment averaging matched-filter solution for recovering radar phase history data from orthogonal frequency division multiplex (OFDM) signals. The impact of digital communication features (guard bands, preambles, pilots, sync symbols, and cyclic prefixes) is discussed, and the derived matched-filter solution is modified accordingly. Experimental images using generic OFDM and IEEE 802.16 WiMAX signals demonstrate the success of the proposed signal processing approach for passive bistatic radar imaging.
ABSTRACT: Orthogonal Frequency Division Multiplexing (OFDM) has been considered as a strong candidate for next generation wireless communication systems. Compared to traditional OFDM, Single Carrier OFDM (SC-OFDM) has demonstrated excellent bit error rate (BER) performance, as well as low peak to average power ratio (PAPR). Similar to other multi-carrier transmission technologies, SC-OFDM suffers significant performance degradation resulting from intercarrier interference (ICI) in high mobility environments. Existing techniques for OFDM can be directly adopted in SC-OFDM to improve performance; however, this improved performance comes at costs such as decreased throughput. In this paper, we analyze the effect of ICI on an SC-OFDM system and propose a novel modulation scheme. The proposed Magnitude-Keyed Modulation (MKM) scheme provides SC-OFDM system immunity to ICI and, with an easy implementation, it significantly outperforms OFDM, SC-OFDM and MC-CDMA systems with Phase Shift Keying (PSK) modulation and Quadrature Amplitude Modulation (QAM) in severe ICI environments. Analysis also illustrates that the proposed SC-OFDM system with MKM modulation maintains low PAPR compared to traditional OFDM and SC-OFDM systems with PSK and QAM modulations. Simulation results for different modulation schemes in various ICI environments confirm the effectiveness of the proposed system.
Article · Feb 2013 · IEEE Transactions on Communications
ABSTRACT: It is well known that Orthogonal Frequency Division Multiplexing (OFDM) systems suffer from intercarrier interference (ICI) in mobile environments due to loss of orthogonality among subcarriers caused by Doppler shifts. There exist many ICI mitigation techniques in the literature to improve the performance of OFDM systems. However, most of the existing ICI mitigation techniques assume the OFDM transmission bandwidth is narrow enough that the frequency offsets on all subcarriers are identical. In a wideband OFDM transmission or a non-contiguous OFDM transmission spanning a large bandwidth, the Doppler shifts on different subcarriers are different, especially in high speed aerial vehicle communication systems. In this paper, we analyze the wideband OFDM system in a high mobility environment where the frequency offsets vary from subcarrier to subcarrier. We then propose a novel ICI cancellation scheme to eliminate the ICI effect and offer the wideband OFDM system significantly improved BER performance. Simulation results in AWGN channel and multipath fading channel confirm the effectiveness of the proposed scheme in the presence of frequency offset and time variations in the channel, offering the best BER performance available, which matches the BER performance of a wideband OFDM system without ICI. To our knowledge, this paper is the first to address the ICI problem of varying frequency offsets across subcarriers in wideband OFDM systems.
ABSTRACT: Security and privacy within existing wireless architectures remain a major concern and may be further compounded when considering multi-node wireless cognitive networks. However, the same computational capabilities that enable cognitive transceiver operation can also be used to enhance physical-layer security at each node. The approach here uses RF Distinct Native Attribute (RF-DNA) features that embody unique statistical properties of received RF emissions. The baseline system uses a Multiple Discriminant Analysis, Maximum Likelihood (MDA/ML) process to classify devices by exploiting RF-DNA uniqueness that enables serial number discrimination. MDA/ML limitations, to include a lack of feature relevance indication, are addressed using a previously investigated Learning From Signals (LFS) process. Of significance here is the expansion of LFS capability which will be readily implementable in envisioned cognitive network architectures. By coupling Kernel Regression (KR) with a Differential Evolution (DE) genetic algorithm, LFS is able to “learn” an improved model of the signal environment. Results here for experimentally collected 802.11a WiFi signals demonstrate recent improvements to the LFS engine that enable it to operate more effectively within a higher-dimensional RF-DNA feature space. The addition of a fractional Euclidean Distance (ED) similarity metric and vector class labeling provide improvement of 9 % to 23 % in average percent correct classification over the earlier LFS implementation.
ABSTRACT: The ZigBee specification builds upon IEEE 802.15.4 low-rate wireless personal area standards by adding security and mesh networking functionality. ZigBee networks may be secured through 128-bit encryption keys and by MAC address access control lists, yet these credentials are vulnerable to interception and spoofing via free software tools available over the Internet. This work proposes a multi-factor PHY-MAC-NWK security framework for ZigBee that augments bit-level security using radio frequency (RF) PHY features. These features, or RF fingerprints, can be used to differentiate between dissimilar or like-model wireless devices. Previous PHY-based works on mesh network device differentiation predominantly exploited the signal turn-on region, measured in nanoseconds. For an arbitrary benchmark of 90% or better classification accuracy, this work shows that reliable PHY-based ZigBee device discrimination can be achieved at SNR ≥ 8 dB. This is done using the entire transmission preamble, which is less technically challenging to detect and is over 1000 times longer than the signal turn-on region. This work also introduces a statistical, pre-classification feature ranking technique for identifying relevant features that dramatically reduces the number of RF fingerprint features without sacrificing classification performance.
ABSTRACT: Impersonation of authorized network devices is a serious concern in applications involving monitoring and control of battlefield operations and military installation infrastructure; ZigBee is among the ad hoc network alternatives used for such purposes. There are considerable security concerns given the availability of ZigBee “hacking” tools that have evolved from methods used for IEEE 802.11 Wi-Fi and IEEE 802.15.1 Bluetooth attacks. To mitigate the effectiveness of these bit-level attacks, RF waveform features within the lowest OSI physical (PHY) layer are used to augment bit-level security mechanisms within higher OSI layers. The evolution of RF 'Distinct Native Attribute' (RF-DNA) fingerprinting continues here with a goal toward improving defensive RF Intelligence (RFINT) measures and enhancing rogue device detection. Demonstrations here involve ZigBee burst collection and RF-DNA fingerprint generation using experimentally collected emissions from like-model CC2420 ZigBee devices operating at 2.4 GHz. RF-DNA fingerprints from 7 authorized devices are used for Multiple Discriminant Analysis (MDA) training and authorized device classification performance assessed, i.e., answering: “Is the device 1 of M authorized devices?” Additional devices are introduced as impersonating rogue devices attempting to gain unauthorized network access by presenting false bit-level credentials for one of the M authorized devices. Granting or rejecting rogue network access is addressed using a claimed identity verification process, i.e., answering: “Does the device's current RF-DNA match its claimed bit-level identity?” For authorized devices, arbitrary classification and verification benchmarks of %C > 90% and %V > 90% are achieved at SNR≈10.0 dB using a test statistic based on assumed Multivariate Gaussian (MVG) likelihood values. Overall, rogue device rejection capability is promising using the same verification test statistic, with %V