Analysis of Receiver Front End on the Performanceof RF Fingerprinting

Saeed Ur Rehman∗Υ, Kevin Sowerby*, Colin Coghill**Department of Electrical and Computer Engineering, University of Auckland, New ZealandΥDepartment of Electrotechnology, Unitec Institute of Technology, Auckland, New Zealand

Email: {sreh008, kw.sowerby, c.coghill}@auckland.ac.nz,

Abstract—Radio Frequency (RF) fingerprinting is a technique,where a transmitter is identified from its electromagnetic emis-sion. Most existing RF fingerprinting techniques have been evalu-ated with high-end receivers and promising classification resultshave been reported in the literature. However, the realizationof RF fingerprinting in todays low-end (i.e. low cost) portabledevices requires the validation of the existing RF fingerprintingtechniques with low-end receivers. This contribution analyzesthe performance of RF fingerprinting for low-end receivers.Experiments are performed for three transmitters and signals arecaptured with one high-end receiver and three low-end receiversusing Universal Software Radio Peripheral (USRP). It is foundthat the classification accuracy of RF fingerprinting varies fordifferent low-end receivers. Results show that low-end receiversprovide good classification results at high receiver SNR buthigh receiver SNR is rare in a typical wireless communicationenvironment. Whereas high-end receiver performs well even atlow SNR.

Index Terms—Radio Fingerprinting, Wireless Receivers,USRP, Security

I. INTRODUCTION

THE ability to recognize a specific wireless device based

on the features present in its analog signal waveform

is called RF fingerprinting. A wireless transmitter can be

identified with its unique RF fingerprint due to the imper-

fection in the analog components. The imperfection is due

to the randomness in the manufacturing phase. Mainly, the

unique RF fingerprint is due to the analog components present

in the transmitter front end, which includes digital-to-analog

converters, the band-pass filters, the frequency mixers and the

power amplifiers [1].

RF fingerprinting is envisioned to provide an extra layer of

security along with the network layer of security, which relies

on cryptography algorithms [2–4]. Once the network layer of

security is compromised then it is hard to differentiate between

a cloned device or a cloned key [5]. However, forgery of the

RF fingerprint of a particular transmitter is difficult as it is

comparable to human fingerprint [6], which cannot be repro-

duced with any other device because the replicating device will

add its own impairments to the reproduced transmitted signal.

Previous research has evaluated RF fingerprinting for UMTS

[7], Wi-Fi [8, 9], push-to-talk transmitters [10], Bluetooth

[11, 12], RFID [13], WSN [14] and FM transmitters. The

research has shown that RF fingerprinting can be success-

fully used for identifying the transmitters. In addition, RF

fingerprints can be used to passively identify the source of

electromagnetic transmission. This makes RF fingerprinting

an excellent contender for the security of the cognitive radio

network and thwarting the PUE attack [8, 15].The main goal of RF fingerprinting is the detection of

unique signal (transmitter) features that form a valid device

RF fingerprint, based on which associations between observed

signal and their senders can be made. The RF fingerprint

of a transmitter should distinctly characterize it from rest

of the transmitters through its unique features present in the

radio waveform. However, this task becomes more difficult

due to analog components present in the receiver front end.

The different analog components present in the receiver front

end include the RF filters, the Low Noise Amplifier (LNA),

the mixer, the local oscillator and analog-to-digital converter.

These analog components have impairments that varies from

receiver to receiver due to variation in the manufacturing

process.In a majority of the reported work, high-end sophisticated

receivers (vector signal analyzers, high sampling oscilloscope,

spectrum analyzers) have been used to develop the RF fin-

gerprints of the transmitters [2, 3, 7, 8, 10–13]. The high-

end receiver is built with expensive analog components, which

is specially designed for highly sensitive measurements. The

high-end receivers can meticulously extract the unique features

from the analog signal to form a valid RF fingerprint of the

transmitter. However, low-end receivers are built with inex-

pensive analog components, which have its own impairments

and limitations. This paper analyzes the effect of receiver front

end on the performance of the RF fingerprinting.To the best knowledge of the authors, this paper is the first

work to experimentally analyze the effect of the receiver front

end on the classification accuracy of the RF fingerprinting. The

objective of the authors is to analyze the effect of the receiver

front end on fingerprinting rather than introducing a new

technique for feature extraction or classification. Therefore,

the approach adopted by Suski et.al is modeled as closely aspossible [16]. Suski et.al has identified wireless transmitterusing the Power Spectral Density (PSD) of the IEEE 802.11a

preamble signal. His work is evaluated for different receivers.

Three transmitters, one high-end receiver and three USRPs are

used as low-end receivers for the experiments as explained in

section 2. The reason for using USRPs is that it represents the

inexpensive receiver front end [17].This paper has the following main contributions

• Firstly, the impairments due to receiver front end is

2012 IEEE 23rd International Symposium on Personal, Indoor and Mobile Radio Communications - (PIMRC)

978-1-4673-2569-1/12/$31.00 ©2012 IEEE 2494

0 5 10 15−1

−0.5

0

0.5

1(a) Simulated preamble before transmission

Time (micro seconds)0 5 10 15

−1

−0.5

0

0.5

1(b) Tx1 received on low−end receiver 1

Time (micro seconds)

0 5 10 15−1

−0.5

0

0.5

1(c) Tx1 received on low−end receiver 2

Time (micro seconds)0 5 10 15

−1

−0.5

0

0.5

1(d) Tx1 received on low−end receiver 3

Time (micro seconds)

Figure 1. IEEE 802.11a preamble signal as received by three receivers. (a) shows the simulated preamble signal before transmission while (b), (c) and (d)show the variation in the received preamble signal due to environment, transmitter and receivers front ends.

introduced in the overall RF fingerprinting process.

• Secondly, the effect of a low-end receiver on the perfor-

mance of RF fingerprinting is analyzed for varying SNR.

• Thirdly, it is shown experimentally that low-end receiver

front ends deteriorate the classification accuracy of RF

fingerprinting with decrease in SNR while high-end re-

ceiver are less affected.

The rest of the paper is organized as follows. In section II, the

measurement setup for experiment, preamble extraction and

data collection is explained. In section III, feature extraction

process is explained. Performance evaluation and conclusion

are discussed in section IV and V, respectively.

II. METHODOLOGY

RF fingerprinting is mainly divided into two categories;

transient-based and steady state-based. In transient-based RF

fingerprinting, a transmitter transition from Off to On state

triggers a unique transient feature, which appears before

the transmission of the actual packet and can be utilized

to identify a transmitter [12]. Whereas the unique features

introduced by the transmitter in the modulated signal is utilized

in steady state-based RF fingerprinting. Initially, transient-

based detection has received more attention in the research

community due to the lack of a steady state signal common to

all transmitters. However, the detection and extraction of the

transient of a transmitter requires higher sampling rate due

to its relatively small period compared to steady state signal

[18]. Therefore, it poses serious technical challenges for its

real time implementation. In addition, the lacks of a common

steady state signal is no more an issue in the modern digital

communication era. Nowadays, almost all digital communi-

cation systems (UMTS, WLAN) introduce a preamble in the

start of the packet transmission in order to simply the receiver

design [7, 16]. Therefore, steady state-based RF fingerprinting

is considered for analysis in this paper.

A reference IEEE 802.11a preamble signal is generated in

MATLAB and transmitted with three different transmitters.

The preamble signal is then captured with the measurement

setup, explained in next subsection. The classification is

implemented by extracting the preamble from the signals

and generating the PSD coefficients. The PSD coefficients

are then used to develop the RF fingerprint for different

transmitters and classification are performed using a classifier.

The wireless signals of a specific transmitter are captured

with three different receivers as shown in Figure 1. The

responses of three different low-end receivers are different for

the same transmitter, shown in Figure 1. This implies that

the RF fingerprint varies across the receivers for the same

transmitter. In Figure 1, the SNR of the collected signal is high

approximately 35 dB but the accuracy of RF fingerprinting will

be analyzed for varying SNR.

A. Measurement setup

The measurement setup used for capturing the wireless

signals from three different USRP transmitters is shown in

Figure 2. Four receivers are used to capture the preamble

signal transmitted by each transmitter. Three of the receivers

are USRP devices, representing low-end receivers, while a

spectrum analyzer/oscilloscope setup represents a high-end

receiver. Three USRP N210 devices equipped with SBX

2495

Figure 2. Measurement setup for RF fingerprinting of IEEE 802.11a preamble. Only one transmitter is shown while three transmitters are used for experiments.Measurements are performed in an office environment. RX1, RX2, RX3 are low-end receivers while RX4 is a high-end receiver.

transceiver daughter boards and vert2450 antennas are used.

The SBX daughter boards act as a front end and have a

frequency range from 0.4 GHz to 4.4 GHz, which allows

transmitting and receiving in the 2.4 GHz ISM band. The

USRP N210 is equipped with a dual 14-bit Analog to Digital

Converter (ADC) operating at 100 MHz and dual 16-bit Digital

to Analog Converter (DAC) operating at 400 MHz. The USRP

N210 transmits complex base band samples at 25 MSample/s

to the host computer via a Direct gigabit Ethernet link [17].

The complex In-phase (I) and Quadrature (Q) components are

stored in the computer for further processing.

The preamble signal is captured through an antenna con-

nected to an Agilent spectrum analyzer in the high-end re-

ceiver setup. The spectrum analyzer acts as an Intermediate

Frequency (IF) converter. The IF signal is then fed to a

4GSample/s oscilloscope. The oscilloscope is used as an

analog to digital converter in order to get the time domain

signal. The captured signal is then transferred to computer via

GPIB Bus and stored in digital format for further processing.

B. Data collection

All the measurements were carried out in an office en-

vironment, representing a typical reception scenario. Each

802.11a signal includes the preamble information at the start of

each RF burst to aid in diversity selection, timing/frequency

acquisition and channel estimation [16]. The IEEE 802.11a

preamble is generated as per the standard, which consists of

10 short and 2 long training sequences [19]. The wireless

signal transmissions from the three different transmitters were

captured using the measurement setup shown in Figure 2. A

total of 300 signals from each transmitter were captured and

stored at each of the receivers, giving a total data set of 3600

received signals. MATLAB is used for feature extraction and

classification.

C. Preamble extraction

Both amplitude-based and phase-based variance transient

detection techniques have previously been investigated [20].

It has been found that amplitude-based variance detection

technique out performs the phase-based variance detection

technique for IEEE 802.11a signal. In order to extract the

preamble from each acquired signal, the signal is first normal-

ized and then the preamble is extracted from each acquired

signal using the amplitude-based variance detection technique

described in [12, 14, 20].

Vi = K1

w − 1w∑

n=1

(Xm−n − Xw)2 (1)

where Vi is a new variance signal created from the input

signal Xm, w is the sliding window size, Xwis the mean of

samples. K is the scaling factor to make the signal comparableto the measured received signal. In case of a RF burst signal,

the variance of the signal for a given window size w would

increase rapidly as compared to the variance of the last

measured w samples. The start of the preamble is the point

where Vi signal power rises while the end point of preamble

is 16 microseconds later, as per IEEE 802.11a standard [19].

III. FEATURE EXTRACTION

The goal of the feature extraction is to form a unique RF

fingerprint, which distinctly characterize a transmitter from

the rest of the transmitters. In previous work, the coefficients

of Power Spectral Density (PSD) are used to create the

RF fingerprint of transmitters [7, 16, 20]. Therefore in this

2496

evaluation, the RF fingerprint of a specific transmitter consists

of normalized Power Spectral Density (PSD) coefficient values

and is given by [16].

ψX(k) =|X(k)|2

∑Kk=1 |X(k)|2

(2)

where X(k) are the coefficients of discrete Fourier transformfor the input signal x(m) given by

X(k) =1

NF

NF∑

m=1

x(m)e

[−2πjNF

(m−1)(k−1)]

(3)

Figure 3. RF Fingerprinting classification process

IV. PERFORMANCE EVALUATION

The overall RF fingerprinting process is shown in Figure 3,

which consists of two phases: namely training and testing. In

the training phase a device profile is created; i.e. a number

of signals from a specific transmitter are used to create a

profile RF fingerprint. In the testing phase, a RF fingerprint is

created by extracting the features from an input signal. This

feature vector is then tested against the already stored profile of

the transmitters using a classifier. K Nearest Neighbor (KNN)

is used as a classifier with 3 nearest neighbors. The KNN

classifier classifies an input feature vector into one of the group

based on the closest training examples in the feature space [6].

MATLAB and its associated toolboxes are used for processing

and evaluation.

The profiles of the three transmitters are created with 30

preamble signals from each transmitter. The rest of the signals

from each transmitter are used for testing purposes. This

process is repeated for each of the four receivers; i.e. training

and testing is performed with signals captured by one specific

receiver and the same process is repeated for signals captured

with three other receivers. Classification is performed on a per

signal basis; i.e. PSD coefficients are used to create the RF

fingerprint of a signal. This RF fingerprint is then classified

using the KNN classifier. Simulated AWGN is added to the

collected signals to assess the effect of Signal-to-Noise Ratio

(SNR). The process is repeated for each of the four receivers

(three low-end and one high-end).

Figure 5 shows the classification accuracy for varying Signal

to Noise Ratio (SNR). Rx1, Rx2 and Rx3 are the low-end

receivers while Rx4 is the high-end receiver. Figure 5(a)

to (c) is the classification results using low-end receivers

while Figure 5(d) shows the classification results for high-

end receiver. As expected, the high-end receiver shows good

classification results and confirms the accurate results reported

in the literature, which are based on the high-end receivers

[7, 20]. However, the classification percentage varies for three

transmitters in low-end receivers. This shows that one low-end

receiver will correctly identify a specific transmitter at low

receiver SNR while other low-end receiver will misclassify

the same transmitter at low receiver SNR. For example, Tx1

is 70% classified accurately in Rx1 at 5 dB SNR while in Rx2

and Rx3, it is 1% and 20% classified accurately at 5 dB SNR,

respectively. Interestingly, all three low-end receivers perform

differently for the same transmitters signals. The reason is that

the receiver is acting like a distorting filter on the received

signal. This effect can be seen in Figure 4, where PSD of Tx1

as received by three low-end receivers is plotted. All low-end

receivers have different response for the same transmitter.

1 2 3 4 5 6 7 80

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

Frequency (MHz)

Nor

mal

ized

Pow

er S

pect

ral D

ensi

ty

PSD of IEEE 802.11a preamble for transmitter 1 by three low−end receivers

Tx1 simulatedTx1 rcvd on Rx1Tx1 rcvd on Rx2Tx1 rcvd on Rx3

Figure 4. Power Spectral Density of the simulated 802.11a preamble and theaverage of 30 collected preamble by three low-end receivers for transmitter1.

In figure 5, the classifier training and testing is performed

at the same receiver SNR (i.e., if training is performed with 5

dB SNR signals then testing is carried out for the same SNR

signals). Whereas figure 6 shows the classification accuracy

when the classifier is trained with high SNR signals (15 to 30

dB) while testing is performed for low and high SNR signals.

Figure 6 shows that training data has a large impact on the

overall fingerprinting classification process. The results shows

that if KNN classifier is trained with high SNR signals then

classification accuracy increases for low-end receivers at low

SNR . However, high SNR signals are not always available

during the training phase. Therefore, an algorithm is required

which can be used to train the receivers even at low SNR and

provide high classification accuracy.

Our results suggest that the real-time implementation of

RF fingerprinting using today’s typical low-end receivers is

considerably more challenging than might be suggested by

experiments carried out with high-end receivers in controlled

environments. Our results suggest that the accuracy of classi-

2497

0 5 10 15 20 25 30 350

20

40

60

80

100(a) Accurate classification using low−end receiver RX1

Per

cent

age

of c

orre

ct d

ecis

ions

SNR dB

TX1Tx2Tx3

0 5 10 15 20 25 30 350

20

40

60

80

100(b) Accurate classification using low−end receiver RX2

Per

cent

age

of c

orre

ct d

ecis

ions

SNR dB

TX1Tx2Tx3

0 5 10 15 20 25 30 350

20

40

60

80

100(c) Accurate classification using low−end receiver RX3

Per

cent

age

of c

orre

ct d

ecis

ions

SNR dB

TX1Tx2Tx3

0 5 10 15 20 25 30 350

20

40

60

80

100(d) Accurate classification using high−end receiver RX4

Per

cent

age

of c

orre

ct d

ecis

ions

SNR dB

TX1Tx2Tx3

Figure 5. RF fingerprinting classification for four different receivers. (a), (b), (c), (d) shows the classification for Rx1, Rx2, Rx3 and Rx4, respectively. Theclassification accuracy is high for Rx4, which is the high-end receiver while the accuracy varies for low-end receivers as can been seen in (a), (b), (c).

fication results is dependent on the receiver as well as on the

training SNR. High receiver SNRs yield good classification

results for low-end receivers but high SNRs are not typical

in real situations. Furthermore, the research community is ad-

vised to use more than one low-end receiver for the evaluation

and validation of RF fingerprinting techniques.

V. CONCLUSIONS

This paper has experimentally analyzed the effect of receiver

front end on the performance of overall RF fingerprinting

process. Three low-end and one high-end receiver are used

for the analysis. The high-end receiver performed well and

resulted in accurate transmitter classification even at low re-

ceiver SNRs. However, the classification results for three low-

end receivers vary for the same set of transmitters and provide

less accurate results at low SNR. Nevertheless, the low-end

receivers were able to provide useful classification results at

receiver SNRs of 15dB or higher. The experimental results

suggest that low-end receivers have their own impairments

due to which the RF fingerprint of a specific transmitter

varies across different receivers. Therefore, the impairments

of the receivers should be considered in the analysis of the

RF fingerprinting techniques, which significantly deteriorate

the overall RF fingerprinting classification.

REFERENCES

[1] O. Ureten and N. Serinken, “Wireless security through

rf fingerprinting,” Electrical and Computer Engineering,Canadian Journal of, vol. 32, no. 1, pp. 27 –33, winter2007.

[2] D. R. Reising, M. A. Temple, and M. J. Mendenhall,

“Improving intra-cellular security using air monitoring

with rf fingerprints.” in WCNC’10, 2010, pp. 1–6.[3] A. Polak, S. Dolatshahi, and D. Goeckel, “Identifying

wireless users via transmitter imperfections,” SelectedAreas in Communications, IEEE Journal on, vol. 29,no. 7, pp. 1469–1479, 2011.

[4] Y. Shiu, S. Chang, H. Wu, S. Huang, and H. Chen,

“Physical layer security in wireless networks: a tutorial,”

Wireless Communications, IEEE, vol. 18, no. 2, pp. 66–74, 2011.

[5] S. Mathur, A. Reznik, C. Ye, R. Mukherjee, A. Rahman,

Y. Shah, W. Trappe, and N. Mandayam, “Exploiting the

physical layer for enhanced security [security and privacy

in emerging wireless networks],” Wireless Communica-tions, IEEE, vol. 17, no. 5, pp. 63–70, 2010.

[6] B. Danev, H. Luecken, S. Capkun, and K. El Defrawy,

“Attacks on physical-layer identification,” in Proc. ACMConf on Wireless network security, 2010, pp. 89–98.

[7] P. Scanlon, I. Kennedy, and Y. Liu, “Feature extraction

approaches to rf fingerprinting for device identification in

femtocells,” Bell Labs Technical Journal, vol. 15, no. 3,pp. 141–151, 2010.

[8] K. Kim, C. Spooner, I. Akbar, and J. Reed, “Specific

emitter identification for cognitive radio with application

to IEEE 802.11,” in Global Telecommunications Confer-ence, 2008. IEEE GLOBECOM 2008. IEEE, pp. 1–5.

[9] Y. Shi and M. Jensen, “Improved radiometric identi-

fication of wireless devices using mimo transmission,”

Information Forensics and Security, IEEE Transactions

2498

0 5 10 15 20 25 300

20

40

60

80

100Accurate classification using low−end receiver RX1

Per

cent

age

of c

orre

ct d

ecis

ion

SNR dB

TX1Tx2Tx3

0 5 10 15 20 25 300

20

40

60

80

100Accurate classification using low−end receiver RX2

Per

cent

age

of c

orre

ct d

ecis

ion

SNR dB

TX1Tx2Tx3

0 5 10 15 20 25 300

20

40

60

80

100Accurate classification using low−end receiver RX3

Per

cent

age

of c

orre

ct d

ecis

ion

SNR dB

TX1Tx2Tx3

0 5 10 15 20 25 300

20

40

60

80

100Accurate classification using high−end receiver RX4

Per

cent

age

of c

orre

ct d

ecis

ion

SNR dB

TX1Tx2Tx3

Figure 6. Training of the classifier is performed with signals from 15 to 30 dB while testing is carried out for varying SNR.

on, no. 99, 2011.[10] J. Toonstra and W. Kinsner, “A radio transmitter fin-

gerprinting system ODO-1,” in Electrical and ComputerEngineering, 1996. Canadian Conference on, vol. 1.IEEE, 2002, pp. 60–63.

[11] M. Woelfle, M. Temple, M. Mullins, and M. Mendenhall,

“Detecting, identifying and locating bluetooth devices

using rf fingerprints,” in 2009 Military CommunicationsConference (MILCOM 2009), 2009.

[12] S. Ur Rehman, K. Sowerby, and C. Coghill, “Rf fin-

gerprint extraction from the energy envelope of an in-

stantaneous transient signal,” in Communications TheoryWorkshop (AusCTW), 2012 Australian, 30 2012-feb. 22012, pp. 90 –95.

[13] D. Zanetti, B. Danev, and S. Capkun, “Physical-layer

identification of uhf rfid tags,” inMobiCom ’10: Proceed-ings of the 16th ACM Conference on Mobile Computingand Networking. ACM, 2010.

[14] K. Bonne Rasmussen and S. Capkun, “Implications of

radio fingerprinting on the security of sensor networks,”

in Security and Privacy in Communications Networksand the Workshops, 2007. SecureComm 2007. ThirdInternational Conference on. IEEE, 2007, pp. 331–340.

[15] O. Afolabi, K. Kim, and A. Ahmad, “On Secure Spec-

trum Sensing in Cognitive Radio Networks Using Emit-

ters Electromagnetic Signature,” in Computer Communi-

cations and Networks, 2009. ICCCN 2009. Proceedingsof 18th Internatonal Conference on. IEEE, 2009, pp.

1–5.

[16] W. Suski, M. Temple, M. Mendenhall, and R. Mills, “Us-

ing spectral fingerprints to improve wireless network se-

curity,” in Global Telecommunications Conference, 2008.IEEE GLOBECOM 2008. IEEE. IEEE, 2008, pp. 1–5.

[17] M. Ettus, “Universal software radio peripheral,” EttusResearch, Mountain View, CA, www.ettus.com, 2012.

[18] I. Kennedy, P. Scanlon, F. Mullany, M. Buddhikot,

K. Nolan, and T. Rondeau, “Radio transmitter finger-

printing: A steady state frequency domain approach,” in

Vehicular Technology Conference, 2008. VTC 2008-Fall.IEEE 68th. IEEE, 2008, pp. 1–5.

[19] L. standards Committee et al., “Part 11: Wireless lanmedium access control (mac) and physical layer (phy)

specifications,” IEEE-SA Standards Board, 2003.[20] W. Suski II, M. Temple, M. Mendenhall, and R. Mills,

“Radio frequency fingerprinting commercial communica-

tion devices to enhance electronic security,” InternationalJournal of Electronic Security and Digital Forensics,vol. 1, no. 3, pp. 301–322, 2008.

2499