Bayesian Detection of Wi-Fi Transmitter RF Fingerprints

Home , Transmitter

Bayesian detection of Wi-Fi transmitter RF using data collected from a number of Wi-Fi radios and it is shown that fingerprints its performance is better than that of the step change detector in detecting the turn-on transients of Wi-Fi radios. O. Ureten and N. Serinken Signal model: Typical transmission data, such as that shown in Fig. 1, A transient detection technique is presented for the detection of the contain ambient channel noise followed by the start of a radio transmis- turn-on transients of Wi-Fi radios. The turn-on transients are detected sion. Data samples form a piecewise signal, which can be modelled as: by a Bayesian change detector, which estimates the time instant when the transmitter starts to power up. The proposed technique is verified m þ u if 1 i < m with the transient data collected from a number of Wi-Fi radios and it d ¼ i ð1Þ i m þ aði mÞþu if m i N is shown that the ramp detector outperforms the abrupt change i detector in detecting the turn-on transients of Wi-Fi transmitters. where di is the data sample at time instant i, N is the number of data points, m is the change point, m is the mean of the samples before the Introduction: In military and civilian spectrum management operations, change point, a is the slope of the linear ramp-up and u is a zero-mean identification of a specific RF transmitter is often used in traffic analysis white Gaussian process with a standard deviation of s. The model or in the determination of sources of interference. As wireless platforms assumes a linear increase in the power level of the radio during start-up. grow in popularity and store valuable information, attacks on such The model can be written in the form of a matrix equation: systems are increasing. These RF attacks can take the form of intrusion, disruption of services, theft of bandwidth and=or denial of service. d ¼ Gb þ e ð2Þ To improve the safety and security of mobile VHF radio networks, where d is an N 1 matrix of data points and e is an N 1 matrix of transmitter identification systems relying on the unique turn-on char- Gaussian noise samples. The matrix G is of size N M. Each column acteristics of the radios have been reported [1]. The unique turn-on of G is a basis function evaluated at each point in the time series and characteristics are called ‘RF fingerprints’, and can be applied to each element of the M 1 matrix b is a linear coefficient. The wireless systems, such as 802.11x, to identify individual transmitters. a posteriori probability density of the change point given the data Security of wireless networks can be enhanced by challenging a user to and the signal model is calculated as [4] prove its identity if the fingerprint of a network device is unidentified or deemed to be a threat. Access to services could also be restricted or ½dTd dTGðGTGÞ1GTdðNMÞ=2 interference could be reduced by smart antennas. pðfmgjd; IÞ/ pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð3Þ detðGTGÞ RF fingerprinting from the turn-on transients requires three stages: detection of the turn-on transients, extraction of the characteristic features where I denotes the signal model defined in (1). The change point of the transients and classification of the fingerprints. The performance of position is built into the structure of the matrix G and for a ramp change the detection stage is significant because inaccurate detection adversely it can be written as: affects the feature extraction stage thereby reducing classification performance. The objective of the detection stage is to determine the exact time 11111... 1111... 1 GT ¼ ð4Þ instant when the transmitter is turned on. In the case of VHF radios, 00000... 0123... N m detection of the turn-on transients is based on the change point detection principle, in which the detector determines the instant when the received The a posteriori probability in (3) can be evaluated using only the data power level exhibits a sudden increase. The abrupt change detector values without the knowledge of the noise level s or any other linear system was used successfully for VHF radios where there is a sudden parameter in b (m and a). The maximum a posteriori (MAP) estimate of change in the power level at the transition from the channel noise to the the change point is then obtained by finding the index of the maximum turn-on instant of the radio [2]. However, the Wi-Fi standard specifies that of the a posteriori probability density function. the output power level is ramped-up smoothly [3]. The reason for a gradual increase in the power level is to ensure that power is not spread to transmitter adjacent frequency channels. Fig. 1 shows amplitude and phase profiles of a received Wi-Fi turn-on transient. Following the channel noise, the received power level increases gradually after the transmitter is turned on. The transient starting point as estimated by a step change detector and the Wi-Fi actual transient starting points are marked on the Figure. As the step 2.412 GHz data acquisition change detector lags behind the actual starting point, phase characteristics and control important for classification are lost. Watkins Johnson IF out Tektronix Ethernet receiver TDS3054 WJ-8633 160 MHz digital scope

Fig. 2 Experimental setup for data collection

Experimental study: A transient capture system, shown in Fig. 2, was designed to analyse 802.11b Wi-Fi signals in the 2.4 GHz ISM band. Wi-Fi cards were installed in computers and set to ad hoc networking mode on radio channel 1 at 2.412 GHz. Wi-Fi radios transmit packets at regular intervals to announce their presence to the other devices that are listening on the same radio frequency. A Watkins Johnson model WJ-8633 receiver was tuned to Wi-Fi channel 1 and connected to an omnidirectional antenna for the reception of burst transmissions. The WJ-8633 is a VXI bus receiver controlled by a personal computer. The IF output of the WJ-8633 at 160 MHz was connected to a Tektronix Fig. 1 Example of 802.11b transmission data showing channel noise and TDS3054B 5 GS=s digital oscilloscope which has an Ethernet interface turn-on envelope and phase of transient waveform for control and data acquisition=transfer functions. An oscilloscope control program was written for a personal computer to collect tran- In this Letter, a modiﬁcation to the step change detection scheme is sients from the Wi-Fi transmitters. Signals were sampled at a rate of proposed for transmitters that increase their transmit power gradually, 5GS=s with 9 bit resolution. One hundred transmissions were collected such as Wi-Fi radios. Transient detection is achieved using a Bayesian from nine different Wi-Fi radios. The in-phase and quadrature compo- ramp change detector that estimates the time instant where the signal nents of the sampled signals were obtained using a Hilbert transforma- power starts to increase gradually. The proposed technique is veriﬁed tionfollowedbydown-conversiontobase-bandinsoftware.

ELECTRONICS LETTERS 17th March 2005 Vol. 41 No. 6 From the captured signal, the transmission starting point was Conclusions: In this Letter, a Bayesian ramp change detector is determined visually by an observer utilising both the amplitude and proposed for the detection of the turn-on transients of the Wi-Fi phase characteristics of the captured signals. The starting point of each radios. By comparison, a Bayesian step change detector, which is captured signal was then estimated using the Bayesian ramp change suitable for other applications, lags behind the transient turn-on method given by (3) and (4). The detection error was calculated as the starting point and has a standard deviation of the detection error difference between the actual observed values and the estimated values. that is three times higher than that of the ramp detector. This makes The histogram of the detection error is plotted in Fig. 3. The mean and the Bayesian ramp detector a better candidate as a turn-on transient the standard deviation of the error were calculated as 20 and 28 detector for Wi-Fi radios. samples, respectively. In this work, a signal model assuming a linear power increase at the turn-on is used. Although a raised cosine or an exponential increase 350 ramp would be a more accurate model for the transmit power shaping, the use step of a linear ramp model allows an analytical solution within the Bayesian 300 framework with acceptable error performance. The same technique can 250 also be used in detecting the turn-on transients of BlueTooth radios where the signal is shaped using a Gaussian window. 200 In a future study, a complete classiﬁcation system will be imple- mented and the effect of the detection algorithm on the classiﬁcation 150 rate will be investigated.

number of occurences number 100 Acknowledgment: The work described herein was supported by the 50 Industry Canada Spectrum Engineering Branch.

0 -200 -100 0 100 200 300 400 500 error, samples # IEE 2005 8 November 2004 Electronics Letters online no: 20057769 Fig. 3 Histograms showing detection error for two different methods doi: 10.1049/el:20057769 compared to visual identification of start of transient O. Ureten and N. Serinken (Communications Research Centre, P.O. Box 11490 Station ‘H’ Ottawa, ON, Canada K2H 8S2) To compare the performance of the proposed ramp change detector to a step change detector, a signal model containing a step change was E-mail: [email protected] used: References m1 þ ui if 1 i < m di ¼ ð5Þ 1 Ureten, O., and Serinken, N.: ‘Detection, characterisation and m2 þ ui if m i N classification of radio transmitter turn-on transient signals’. Proc. of the NATO ASI on Multisensor Data Fusion, 2002, pp. 611–616, Kluwer where m1 and m2 are mean values before and after the change point. The Academic Publishing model assumes an abrupt change in the received signal level after the 2 Ureten, O., and Serinken, N.: ‘Detection of radio transmitter turn-on transmitter is turned-on. In this case, matrix G becomes: transients’, Electron. Lett., 1999, 35, (23), pp. 1996–1997 3 IEEE Std 802.11b-1999 Part 11: Wireless LAN Medium Access Control 11111... 1000... 0 GT ¼ ð6Þ (MAC) and Physical Layer (PHY) specifications, 1999 00000... 0111... 1 4 Ruanaidh, J.K., and Fitzgerald, W.J.: ‘Numerical Bayesian methods applied to signal processing’ (Springer-Verlag, New York, 1996) Substituting (6) into (3) the a posteriori probability of each data point being a change point was calculated. The detection error of the step change detector was calculated as the difference between the visually determined values and the estimated values. The histogram of the step change detection error is plotted in Fig. 3. The mean and standard deviation of the detection error were calculated as 345 and 84 samples, respectively.

ELECTRONICS LETTERS 17th March 2005 Vol. 41 No. 6