[IEEE 2012 IEEE 23rd International Symposium on Personal, Indoor and Mobile Radio Communications -...
Transcript of [IEEE 2012 IEEE 23rd International Symposium on Personal, Indoor and Mobile Radio Communications -...
Analysis of Receiver Front End on the Performanceof RF Fingerprinting
Saeed Ur Rehman∗Υ, Kevin Sowerby*, Colin Coghill**Department of Electrical and Computer Engineering, University of Auckland, New ZealandΥDepartment of Electrotechnology, Unitec Institute of Technology, Auckland, New Zealand
Email: {sreh008, kw.sowerby, c.coghill}@auckland.ac.nz,
Abstract—Radio Frequency (RF) fingerprinting is a technique,where a transmitter is identified from its electromagnetic emis-sion. Most existing RF fingerprinting techniques have been evalu-ated with high-end receivers and promising classification resultshave been reported in the literature. However, the realizationof RF fingerprinting in todays low-end (i.e. low cost) portabledevices requires the validation of the existing RF fingerprintingtechniques with low-end receivers. This contribution analyzesthe performance of RF fingerprinting for low-end receivers.Experiments are performed for three transmitters and signals arecaptured with one high-end receiver and three low-end receiversusing Universal Software Radio Peripheral (USRP). It is foundthat the classification accuracy of RF fingerprinting varies fordifferent low-end receivers. Results show that low-end receiversprovide good classification results at high receiver SNR buthigh receiver SNR is rare in a typical wireless communicationenvironment. Whereas high-end receiver performs well even atlow SNR.
Index Terms—Radio Fingerprinting, Wireless Receivers,USRP, Security
I. INTRODUCTION
THE ability to recognize a specific wireless device based
on the features present in its analog signal waveform
is called RF fingerprinting. A wireless transmitter can be
identified with its unique RF fingerprint due to the imper-
fection in the analog components. The imperfection is due
to the randomness in the manufacturing phase. Mainly, the
unique RF fingerprint is due to the analog components present
in the transmitter front end, which includes digital-to-analog
converters, the band-pass filters, the frequency mixers and the
power amplifiers [1].
RF fingerprinting is envisioned to provide an extra layer of
security along with the network layer of security, which relies
on cryptography algorithms [2–4]. Once the network layer of
security is compromised then it is hard to differentiate between
a cloned device or a cloned key [5]. However, forgery of the
RF fingerprint of a particular transmitter is difficult as it is
comparable to human fingerprint [6], which cannot be repro-
duced with any other device because the replicating device will
add its own impairments to the reproduced transmitted signal.
Previous research has evaluated RF fingerprinting for UMTS
[7], Wi-Fi [8, 9], push-to-talk transmitters [10], Bluetooth
[11, 12], RFID [13], WSN [14] and FM transmitters. The
research has shown that RF fingerprinting can be success-
fully used for identifying the transmitters. In addition, RF
fingerprints can be used to passively identify the source of
electromagnetic transmission. This makes RF fingerprinting
an excellent contender for the security of the cognitive radio
network and thwarting the PUE attack [8, 15].The main goal of RF fingerprinting is the detection of
unique signal (transmitter) features that form a valid device
RF fingerprint, based on which associations between observed
signal and their senders can be made. The RF fingerprint
of a transmitter should distinctly characterize it from rest
of the transmitters through its unique features present in the
radio waveform. However, this task becomes more difficult
due to analog components present in the receiver front end.
The different analog components present in the receiver front
end include the RF filters, the Low Noise Amplifier (LNA),
the mixer, the local oscillator and analog-to-digital converter.
These analog components have impairments that varies from
receiver to receiver due to variation in the manufacturing
process.In a majority of the reported work, high-end sophisticated
receivers (vector signal analyzers, high sampling oscilloscope,
spectrum analyzers) have been used to develop the RF fin-
gerprints of the transmitters [2, 3, 7, 8, 10–13]. The high-
end receiver is built with expensive analog components, which
is specially designed for highly sensitive measurements. The
high-end receivers can meticulously extract the unique features
from the analog signal to form a valid RF fingerprint of the
transmitter. However, low-end receivers are built with inex-
pensive analog components, which have its own impairments
and limitations. This paper analyzes the effect of receiver front
end on the performance of the RF fingerprinting.To the best knowledge of the authors, this paper is the first
work to experimentally analyze the effect of the receiver front
end on the classification accuracy of the RF fingerprinting. The
objective of the authors is to analyze the effect of the receiver
front end on fingerprinting rather than introducing a new
technique for feature extraction or classification. Therefore,
the approach adopted by Suski et.al is modeled as closely aspossible [16]. Suski et.al has identified wireless transmitterusing the Power Spectral Density (PSD) of the IEEE 802.11a
preamble signal. His work is evaluated for different receivers.
Three transmitters, one high-end receiver and three USRPs are
used as low-end receivers for the experiments as explained in
section 2. The reason for using USRPs is that it represents the
inexpensive receiver front end [17].This paper has the following main contributions
• Firstly, the impairments due to receiver front end is
2012 IEEE 23rd International Symposium on Personal, Indoor and Mobile Radio Communications - (PIMRC)
978-1-4673-2569-1/12/$31.00 ©2012 IEEE 2494
0 5 10 15−1
−0.5
0
0.5
1(a) Simulated preamble before transmission
Time (micro seconds)0 5 10 15
−1
−0.5
0
0.5
1(b) Tx1 received on low−end receiver 1
Time (micro seconds)
0 5 10 15−1
−0.5
0
0.5
1(c) Tx1 received on low−end receiver 2
Time (micro seconds)0 5 10 15
−1
−0.5
0
0.5
1(d) Tx1 received on low−end receiver 3
Time (micro seconds)
Figure 1. IEEE 802.11a preamble signal as received by three receivers. (a) shows the simulated preamble signal before transmission while (b), (c) and (d)show the variation in the received preamble signal due to environment, transmitter and receivers front ends.
introduced in the overall RF fingerprinting process.
• Secondly, the effect of a low-end receiver on the perfor-
mance of RF fingerprinting is analyzed for varying SNR.
• Thirdly, it is shown experimentally that low-end receiver
front ends deteriorate the classification accuracy of RF
fingerprinting with decrease in SNR while high-end re-
ceiver are less affected.
The rest of the paper is organized as follows. In section II, the
measurement setup for experiment, preamble extraction and
data collection is explained. In section III, feature extraction
process is explained. Performance evaluation and conclusion
are discussed in section IV and V, respectively.
II. METHODOLOGY
RF fingerprinting is mainly divided into two categories;
transient-based and steady state-based. In transient-based RF
fingerprinting, a transmitter transition from Off to On state
triggers a unique transient feature, which appears before
the transmission of the actual packet and can be utilized
to identify a transmitter [12]. Whereas the unique features
introduced by the transmitter in the modulated signal is utilized
in steady state-based RF fingerprinting. Initially, transient-
based detection has received more attention in the research
community due to the lack of a steady state signal common to
all transmitters. However, the detection and extraction of the
transient of a transmitter requires higher sampling rate due
to its relatively small period compared to steady state signal
[18]. Therefore, it poses serious technical challenges for its
real time implementation. In addition, the lacks of a common
steady state signal is no more an issue in the modern digital
communication era. Nowadays, almost all digital communi-
cation systems (UMTS, WLAN) introduce a preamble in the
start of the packet transmission in order to simply the receiver
design [7, 16]. Therefore, steady state-based RF fingerprinting
is considered for analysis in this paper.
A reference IEEE 802.11a preamble signal is generated in
MATLAB and transmitted with three different transmitters.
The preamble signal is then captured with the measurement
setup, explained in next subsection. The classification is
implemented by extracting the preamble from the signals
and generating the PSD coefficients. The PSD coefficients
are then used to develop the RF fingerprint for different
transmitters and classification are performed using a classifier.
The wireless signals of a specific transmitter are captured
with three different receivers as shown in Figure 1. The
responses of three different low-end receivers are different for
the same transmitter, shown in Figure 1. This implies that
the RF fingerprint varies across the receivers for the same
transmitter. In Figure 1, the SNR of the collected signal is high
approximately 35 dB but the accuracy of RF fingerprinting will
be analyzed for varying SNR.
A. Measurement setup
The measurement setup used for capturing the wireless
signals from three different USRP transmitters is shown in
Figure 2. Four receivers are used to capture the preamble
signal transmitted by each transmitter. Three of the receivers
are USRP devices, representing low-end receivers, while a
spectrum analyzer/oscilloscope setup represents a high-end
receiver. Three USRP N210 devices equipped with SBX
2495
Figure 2. Measurement setup for RF fingerprinting of IEEE 802.11a preamble. Only one transmitter is shown while three transmitters are used for experiments.Measurements are performed in an office environment. RX1, RX2, RX3 are low-end receivers while RX4 is a high-end receiver.
transceiver daughter boards and vert2450 antennas are used.
The SBX daughter boards act as a front end and have a
frequency range from 0.4 GHz to 4.4 GHz, which allows
transmitting and receiving in the 2.4 GHz ISM band. The
USRP N210 is equipped with a dual 14-bit Analog to Digital
Converter (ADC) operating at 100 MHz and dual 16-bit Digital
to Analog Converter (DAC) operating at 400 MHz. The USRP
N210 transmits complex base band samples at 25 MSample/s
to the host computer via a Direct gigabit Ethernet link [17].
The complex In-phase (I) and Quadrature (Q) components are
stored in the computer for further processing.
The preamble signal is captured through an antenna con-
nected to an Agilent spectrum analyzer in the high-end re-
ceiver setup. The spectrum analyzer acts as an Intermediate
Frequency (IF) converter. The IF signal is then fed to a
4GSample/s oscilloscope. The oscilloscope is used as an
analog to digital converter in order to get the time domain
signal. The captured signal is then transferred to computer via
GPIB Bus and stored in digital format for further processing.
B. Data collection
All the measurements were carried out in an office en-
vironment, representing a typical reception scenario. Each
802.11a signal includes the preamble information at the start of
each RF burst to aid in diversity selection, timing/frequency
acquisition and channel estimation [16]. The IEEE 802.11a
preamble is generated as per the standard, which consists of
10 short and 2 long training sequences [19]. The wireless
signal transmissions from the three different transmitters were
captured using the measurement setup shown in Figure 2. A
total of 300 signals from each transmitter were captured and
stored at each of the receivers, giving a total data set of 3600
received signals. MATLAB is used for feature extraction and
classification.
C. Preamble extraction
Both amplitude-based and phase-based variance transient
detection techniques have previously been investigated [20].
It has been found that amplitude-based variance detection
technique out performs the phase-based variance detection
technique for IEEE 802.11a signal. In order to extract the
preamble from each acquired signal, the signal is first normal-
ized and then the preamble is extracted from each acquired
signal using the amplitude-based variance detection technique
described in [12, 14, 20].
Vi = K1
w − 1w∑
n=1
(Xm−n − Xw)2 (1)
where Vi is a new variance signal created from the input
signal Xm, w is the sliding window size, Xwis the mean of
samples. K is the scaling factor to make the signal comparableto the measured received signal. In case of a RF burst signal,
the variance of the signal for a given window size w would
increase rapidly as compared to the variance of the last
measured w samples. The start of the preamble is the point
where Vi signal power rises while the end point of preamble
is 16 microseconds later, as per IEEE 802.11a standard [19].
III. FEATURE EXTRACTION
The goal of the feature extraction is to form a unique RF
fingerprint, which distinctly characterize a transmitter from
the rest of the transmitters. In previous work, the coefficients
of Power Spectral Density (PSD) are used to create the
RF fingerprint of transmitters [7, 16, 20]. Therefore in this
2496
evaluation, the RF fingerprint of a specific transmitter consists
of normalized Power Spectral Density (PSD) coefficient values
and is given by [16].
ψX(k) =|X(k)|2
∑Kk=1 |X(k)|2
(2)
where X(k) are the coefficients of discrete Fourier transformfor the input signal x(m) given by
X(k) =1
NF
NF∑
m=1
x(m)e
[−2πjNF
(m−1)(k−1)]
(3)
Figure 3. RF Fingerprinting classification process
IV. PERFORMANCE EVALUATION
The overall RF fingerprinting process is shown in Figure 3,
which consists of two phases: namely training and testing. In
the training phase a device profile is created; i.e. a number
of signals from a specific transmitter are used to create a
profile RF fingerprint. In the testing phase, a RF fingerprint is
created by extracting the features from an input signal. This
feature vector is then tested against the already stored profile of
the transmitters using a classifier. K Nearest Neighbor (KNN)
is used as a classifier with 3 nearest neighbors. The KNN
classifier classifies an input feature vector into one of the group
based on the closest training examples in the feature space [6].
MATLAB and its associated toolboxes are used for processing
and evaluation.
The profiles of the three transmitters are created with 30
preamble signals from each transmitter. The rest of the signals
from each transmitter are used for testing purposes. This
process is repeated for each of the four receivers; i.e. training
and testing is performed with signals captured by one specific
receiver and the same process is repeated for signals captured
with three other receivers. Classification is performed on a per
signal basis; i.e. PSD coefficients are used to create the RF
fingerprint of a signal. This RF fingerprint is then classified
using the KNN classifier. Simulated AWGN is added to the
collected signals to assess the effect of Signal-to-Noise Ratio
(SNR). The process is repeated for each of the four receivers
(three low-end and one high-end).
Figure 5 shows the classification accuracy for varying Signal
to Noise Ratio (SNR). Rx1, Rx2 and Rx3 are the low-end
receivers while Rx4 is the high-end receiver. Figure 5(a)
to (c) is the classification results using low-end receivers
while Figure 5(d) shows the classification results for high-
end receiver. As expected, the high-end receiver shows good
classification results and confirms the accurate results reported
in the literature, which are based on the high-end receivers
[7, 20]. However, the classification percentage varies for three
transmitters in low-end receivers. This shows that one low-end
receiver will correctly identify a specific transmitter at low
receiver SNR while other low-end receiver will misclassify
the same transmitter at low receiver SNR. For example, Tx1
is 70% classified accurately in Rx1 at 5 dB SNR while in Rx2
and Rx3, it is 1% and 20% classified accurately at 5 dB SNR,
respectively. Interestingly, all three low-end receivers perform
differently for the same transmitters signals. The reason is that
the receiver is acting like a distorting filter on the received
signal. This effect can be seen in Figure 4, where PSD of Tx1
as received by three low-end receivers is plotted. All low-end
receivers have different response for the same transmitter.
1 2 3 4 5 6 7 80
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Frequency (MHz)
Nor
mal
ized
Pow
er S
pect
ral D
ensi
ty
PSD of IEEE 802.11a preamble for transmitter 1 by three low−end receivers
Tx1 simulatedTx1 rcvd on Rx1Tx1 rcvd on Rx2Tx1 rcvd on Rx3
Figure 4. Power Spectral Density of the simulated 802.11a preamble and theaverage of 30 collected preamble by three low-end receivers for transmitter1.
In figure 5, the classifier training and testing is performed
at the same receiver SNR (i.e., if training is performed with 5
dB SNR signals then testing is carried out for the same SNR
signals). Whereas figure 6 shows the classification accuracy
when the classifier is trained with high SNR signals (15 to 30
dB) while testing is performed for low and high SNR signals.
Figure 6 shows that training data has a large impact on the
overall fingerprinting classification process. The results shows
that if KNN classifier is trained with high SNR signals then
classification accuracy increases for low-end receivers at low
SNR . However, high SNR signals are not always available
during the training phase. Therefore, an algorithm is required
which can be used to train the receivers even at low SNR and
provide high classification accuracy.
Our results suggest that the real-time implementation of
RF fingerprinting using today’s typical low-end receivers is
considerably more challenging than might be suggested by
experiments carried out with high-end receivers in controlled
environments. Our results suggest that the accuracy of classi-
2497
0 5 10 15 20 25 30 350
20
40
60
80
100(a) Accurate classification using low−end receiver RX1
Per
cent
age
of c
orre
ct d
ecis
ions
SNR dB
TX1Tx2Tx3
0 5 10 15 20 25 30 350
20
40
60
80
100(b) Accurate classification using low−end receiver RX2
Per
cent
age
of c
orre
ct d
ecis
ions
SNR dB
TX1Tx2Tx3
0 5 10 15 20 25 30 350
20
40
60
80
100(c) Accurate classification using low−end receiver RX3
Per
cent
age
of c
orre
ct d
ecis
ions
SNR dB
TX1Tx2Tx3
0 5 10 15 20 25 30 350
20
40
60
80
100(d) Accurate classification using high−end receiver RX4
Per
cent
age
of c
orre
ct d
ecis
ions
SNR dB
TX1Tx2Tx3
Figure 5. RF fingerprinting classification for four different receivers. (a), (b), (c), (d) shows the classification for Rx1, Rx2, Rx3 and Rx4, respectively. Theclassification accuracy is high for Rx4, which is the high-end receiver while the accuracy varies for low-end receivers as can been seen in (a), (b), (c).
fication results is dependent on the receiver as well as on the
training SNR. High receiver SNRs yield good classification
results for low-end receivers but high SNRs are not typical
in real situations. Furthermore, the research community is ad-
vised to use more than one low-end receiver for the evaluation
and validation of RF fingerprinting techniques.
V. CONCLUSIONS
This paper has experimentally analyzed the effect of receiver
front end on the performance of overall RF fingerprinting
process. Three low-end and one high-end receiver are used
for the analysis. The high-end receiver performed well and
resulted in accurate transmitter classification even at low re-
ceiver SNRs. However, the classification results for three low-
end receivers vary for the same set of transmitters and provide
less accurate results at low SNR. Nevertheless, the low-end
receivers were able to provide useful classification results at
receiver SNRs of 15dB or higher. The experimental results
suggest that low-end receivers have their own impairments
due to which the RF fingerprint of a specific transmitter
varies across different receivers. Therefore, the impairments
of the receivers should be considered in the analysis of the
RF fingerprinting techniques, which significantly deteriorate
the overall RF fingerprinting classification.
REFERENCES
[1] O. Ureten and N. Serinken, “Wireless security through
rf fingerprinting,” Electrical and Computer Engineering,Canadian Journal of, vol. 32, no. 1, pp. 27 –33, winter2007.
[2] D. R. Reising, M. A. Temple, and M. J. Mendenhall,
“Improving intra-cellular security using air monitoring
with rf fingerprints.” in WCNC’10, 2010, pp. 1–6.[3] A. Polak, S. Dolatshahi, and D. Goeckel, “Identifying
wireless users via transmitter imperfections,” SelectedAreas in Communications, IEEE Journal on, vol. 29,no. 7, pp. 1469–1479, 2011.
[4] Y. Shiu, S. Chang, H. Wu, S. Huang, and H. Chen,
“Physical layer security in wireless networks: a tutorial,”
Wireless Communications, IEEE, vol. 18, no. 2, pp. 66–74, 2011.
[5] S. Mathur, A. Reznik, C. Ye, R. Mukherjee, A. Rahman,
Y. Shah, W. Trappe, and N. Mandayam, “Exploiting the
physical layer for enhanced security [security and privacy
in emerging wireless networks],” Wireless Communica-tions, IEEE, vol. 17, no. 5, pp. 63–70, 2010.
[6] B. Danev, H. Luecken, S. Capkun, and K. El Defrawy,
“Attacks on physical-layer identification,” in Proc. ACMConf on Wireless network security, 2010, pp. 89–98.
[7] P. Scanlon, I. Kennedy, and Y. Liu, “Feature extraction
approaches to rf fingerprinting for device identification in
femtocells,” Bell Labs Technical Journal, vol. 15, no. 3,pp. 141–151, 2010.
[8] K. Kim, C. Spooner, I. Akbar, and J. Reed, “Specific
emitter identification for cognitive radio with application
to IEEE 802.11,” in Global Telecommunications Confer-ence, 2008. IEEE GLOBECOM 2008. IEEE, pp. 1–5.
[9] Y. Shi and M. Jensen, “Improved radiometric identi-
fication of wireless devices using mimo transmission,”
Information Forensics and Security, IEEE Transactions
2498
0 5 10 15 20 25 300
20
40
60
80
100Accurate classification using low−end receiver RX1
Per
cent
age
of c
orre
ct d
ecis
ion
SNR dB
TX1Tx2Tx3
0 5 10 15 20 25 300
20
40
60
80
100Accurate classification using low−end receiver RX2
Per
cent
age
of c
orre
ct d
ecis
ion
SNR dB
TX1Tx2Tx3
0 5 10 15 20 25 300
20
40
60
80
100Accurate classification using low−end receiver RX3
Per
cent
age
of c
orre
ct d
ecis
ion
SNR dB
TX1Tx2Tx3
0 5 10 15 20 25 300
20
40
60
80
100Accurate classification using high−end receiver RX4
Per
cent
age
of c
orre
ct d
ecis
ion
SNR dB
TX1Tx2Tx3
Figure 6. Training of the classifier is performed with signals from 15 to 30 dB while testing is carried out for varying SNR.
on, no. 99, 2011.[10] J. Toonstra and W. Kinsner, “A radio transmitter fin-
gerprinting system ODO-1,” in Electrical and ComputerEngineering, 1996. Canadian Conference on, vol. 1.IEEE, 2002, pp. 60–63.
[11] M. Woelfle, M. Temple, M. Mullins, and M. Mendenhall,
“Detecting, identifying and locating bluetooth devices
using rf fingerprints,” in 2009 Military CommunicationsConference (MILCOM 2009), 2009.
[12] S. Ur Rehman, K. Sowerby, and C. Coghill, “Rf fin-
gerprint extraction from the energy envelope of an in-
stantaneous transient signal,” in Communications TheoryWorkshop (AusCTW), 2012 Australian, 30 2012-feb. 22012, pp. 90 –95.
[13] D. Zanetti, B. Danev, and S. Capkun, “Physical-layer
identification of uhf rfid tags,” inMobiCom ’10: Proceed-ings of the 16th ACM Conference on Mobile Computingand Networking. ACM, 2010.
[14] K. Bonne Rasmussen and S. Capkun, “Implications of
radio fingerprinting on the security of sensor networks,”
in Security and Privacy in Communications Networksand the Workshops, 2007. SecureComm 2007. ThirdInternational Conference on. IEEE, 2007, pp. 331–340.
[15] O. Afolabi, K. Kim, and A. Ahmad, “On Secure Spec-
trum Sensing in Cognitive Radio Networks Using Emit-
ters Electromagnetic Signature,” in Computer Communi-
cations and Networks, 2009. ICCCN 2009. Proceedingsof 18th Internatonal Conference on. IEEE, 2009, pp.
1–5.
[16] W. Suski, M. Temple, M. Mendenhall, and R. Mills, “Us-
ing spectral fingerprints to improve wireless network se-
curity,” in Global Telecommunications Conference, 2008.IEEE GLOBECOM 2008. IEEE. IEEE, 2008, pp. 1–5.
[17] M. Ettus, “Universal software radio peripheral,” EttusResearch, Mountain View, CA, www.ettus.com, 2012.
[18] I. Kennedy, P. Scanlon, F. Mullany, M. Buddhikot,
K. Nolan, and T. Rondeau, “Radio transmitter finger-
printing: A steady state frequency domain approach,” in
Vehicular Technology Conference, 2008. VTC 2008-Fall.IEEE 68th. IEEE, 2008, pp. 1–5.
[19] L. standards Committee et al., “Part 11: Wireless lanmedium access control (mac) and physical layer (phy)
specifications,” IEEE-SA Standards Board, 2003.[20] W. Suski II, M. Temple, M. Mendenhall, and R. Mills,
“Radio frequency fingerprinting commercial communica-
tion devices to enhance electronic security,” InternationalJournal of Electronic Security and Digital Forensics,vol. 1, no. 3, pp. 301–322, 2008.
2499