
Graduate Theses and Dissertations
Iowa State University Capstones, Theses and Dissertations
2011

Physical layer identification: methodology, security, and origin of variation
Ryan Gerdes
Iowa State University

Follow this and additional works at: https://lib.dr.iastate.edu/etd
Part of the Electrical and Computer Engineering Commons

Recommended Citation
Gerdes, Ryan, "Physical layer identification: methodology, security, and origin of variation" (2011). Graduate Theses and Dissertations. 10257. https://lib.dr.iastate.edu/etd/10257

This Dissertation is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Graduate Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected].

Physical layer identification: methodology, security, and origin of variation
by
Ryan Michael Kepke Gerdes

A dissertation submitted to the graduate faculty in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY

Major: Electrical Engineering

Program of Study Committee:
Mani Mina, Co-major Professor
Thomas E. Daniels, Co-major Professor
John P. Basart
Dianne H. Cook
Arun Somani

Iowa State University
Ames, Iowa
2011

Copyright © Ryan Michael Kepke Gerdes, 2011. All rights reserved.

DEDICATION

To the Memory of My Father

So, they are not underground,
But as nerves and veins abound
In the growths of upper air,
And they feel the sun and rain,
And the energy again
That made them what they were!

from Transformations by Thomas Hardy

TABLE OF CONTENTS

LIST OF TABLES
LIST OF FIGURES
ACKNOWLEDGEMENTS
ABSTRACT
CHAPTER 1. OVERVIEW
    1.1 Physical layer identification
    1.2 Rationale and scope of work
CHAPTER 2. REVIEW OF LITERATURE
CHAPTER 3. METHODOLOGY
    3.1 The open- vs. closed-world assumption
    3.2 Closed-world PLIS
    3.3 Open-world PLIS
    3.4 Conclusion
CHAPTER 4. IDENTIFICATION
    4.1 Background material: matched filters
    4.2 The signal profile
        4.2.1 Identifying a common signal
        4.2.2 Creating a signal profile
        4.2.3 Pre-processing data
        4.2.4 Using the signal profile
    4.3 Experimental approach
        4.3.1 Data collection
        4.3.2 Filter application
        4.3.3 Threshold calculation
        4.3.4 Classifying filter output
        4.3.5 Combining tests
    4.4 Analysis of results
        4.4.1 Variety and scope of tests
        4.4.2 Results
    4.5 Conclusion
CHAPTER 5. DIFFERENCE SENSITIVITY
    5.1 Limitations of analysis
    5.2 Constraint on signal differences
    5.3 Type I attack
        5.3.1 Threat model
        5.3.2 Signal deviation
        5.3.3 Arbitrary waveform generator characterisation
        5.3.4 Results for Type I attack
    5.4 Type II attack
    5.5 Conclusion
CHAPTER 6. POPULATION SENSITIVITY
    6.1 Matched filter population sensitivity
    6.2 Conclusion
CHAPTER 7. ORIGIN OF VARIATION
    7.1 Modelling components
        7.1.1 ABCD parameters
        7.1.2 Proposed model
    7.2 Measuring parameters
    7.3 Determining component significance
        7.3.1 Constructing model input
        7.3.2 Producing model output
        7.3.3 Evaluating model output
    7.4 Conclusion
CHAPTER 8. FUTURE WORK
    8.1 Extent of variation
    8.2 Increasing difference sensitivity
CHAPTER 9. CONTRIBUTIONS
APPENDIX A. MATLAB data acquisition routine
APPENDIX B. Code for type one attack
BIBLIOGRAPHY

LIST OF TABLES

Table 4.1 Details of Ethernet cards used for experiments (dataset1: m4c1–3, m5c1–10, m6c1–3; dataset2/3: all).
Table 4.2 Bandwidths of filters used in BPF pre-processing.
Table 4.3 Confusion matrix for the generic matched filter (dataset1)
Table 4.4 Confusion matrix for the generic matched filter (dataset2)
Table 4.5 Confusion matrix for the generic matched filter (dataset3)
Table 4.6 Intra-model APRS values for the generic matched filter (dataset1)
Table 4.7 Intra-model APRS values for the generic matched filter (dataset2)
Table 4.8 Intra-model APRS values for the generic matched filter (dataset3)
Table 4.9 Confusion matrix for combined matched filters (dataset1)
Table 4.10 Confusion matrix for combined matched filters (dataset2)
Table 4.11 Confusion matrix for combined matched filters (dataset3)
Table 4.12 Intra-model APRS values for combined matched filters (dataset1)
Table 4.13 Intra-model APRS values for combined matched filters (dataset2)
Table 4.14 Intra-model APRS values for combined matched filters (dataset3)
Table 4.15 Confusion matrix for dataset2 generic matched filters used on dataset3
Table 4.16 Intra-model APRS values for dataset2 generic matched filters used on dataset3
Table 5.1 AWG Characteristics for Type I Attack.

LIST OF FIGURES

Figure 1.1 (Top) A single period of the synchronisation signals from two 10Mb Ethernet devices, aligned. (Bottom) The difference of the two signals.
Figure 4.1 Beginning of an Ethernet frame (dataset1): (left) noise and transient, (centre) synchronisation signal, and (right) destination MAC address.
Figure 4.2 Beginning of an Ethernet frame (dataset2/3): (left) noise then transient, (centre) synchronisation signal then transition to MAC addresses, and (right) destination MAC address and portion of source address.
Figure 4.3 Filter output for 25 frames of an Ethernet device (cve 0.0011); the outputs for frames 26–45 must lie between the dashed lines.
Figure 4.4 Experimental setup for dataset1: (left) DAQPC and (right) TPC; Tektronix 3052 DSO oscilloscope not shown.
Figure 4.5 Experimental setup for dataset2/3: (left) DAQPC and (right) TPC; oscilloscope below DAQPC (partial view).
Figure 4.6 Oscilloscope connected to DAQPC for dataset2/3: (top) DAQPC and (bottom) Tektronix 4032 DPO oscilloscope. The oscilloscope is connected to the receive pins on the secondary side of the DAQPC’s transformer; the ground clip of each probe is connected to the common ground of the transformer IC.
Figure 4.7 Control filter output, $c_i^j(t_a)$, for 10,000 records of an Ethernet device (cve 0.0011).
Figure 4.8 Filter output for 10,000 records of two different Ethernet devices using the same filter.
Figure 5.1 The components of settling time (Source: [62]).
Figure 5.2 Settling time: optimal signal to use for attack, savg (green) with maximum, s+, and minimum values, s−, of attack signal (red). In moving from savg[3396] to savg[3397] an attacker only need reach s−[3397] by the next sampling period.
Figure 5.3 Calculating minimum settling time: at time t1 attacker DAC is alerted to change output from savg[1] = V1 to savg[2] = V2; DAC output begins to change at t2 and achieves steady state by t3; at $t = 1/f_s^r$, the inverse of the PLI system’s sampler, the output of the DAC must be at least s−[2] (red) to guarantee acceptance by the system (Source: [63]).
Figure 5.4 Linearisation of slew and recovery times to calculate settling time. Output of DAC is guaranteed to always be greater than purple line.
Figure 5.5 Optimal signal to use for attack (green), 12-bit realisation thereof (black), and maximum and minimum values of attack signal (red).
Figure 5.6 Optimal signal to use for attack (green), 5-bit realisation thereof (black), and maximum and minimum values of attack signal (red).
Figure 5.7 Close view of optimal signal to use for attack (green), optimal signal with SNR of ∼28 dB (black), and maximum and minimum values of attack signal (red).
Figure 5.8 View of optimal signal to use for attack (green) with optimal signal with SNR of ∼28 dB (black) to highlight extent of visible differences.
Figure 5.9 Minimum THD, measured with respect to carrier, necessary to produce attack signal guaranteed to be accepted by PLIS.
Figure 5.10 Minimum THD+N, measured with respect to carrier (left-to-right, scale is 10MHz) and distortion level (front-to-back, scale is [0:1]), necessary to produce attack signal guaranteed to be accepted by PLIS.
Figure 6.1 Graphical representation of population sensitivity estimation. Partitioning space between c+ (blue) and c− (red) by thresholds of width δ (green-to-green) allows the classifier to distinguish up to five devices.
Figure 6.2 Voltage and timing limits of 10Mb Ethernet signal; differential output, half of a bit period (Source: [58]).
Figure 7.1 Depiction of a two-port model for a component (input voltage/current denoted by V1/I1 and output voltage/current by V2/I2). Note: it is assumed that voltage/current measurements are carried out at device terminals.
Figure 7.2 Model to examine how an input signal (VS) is affected by a component with ABCD parameters of M (ZS is the impedance of the source generating VS and ZL is the impedance of a.