IMPORTANT. The following is presented as opinion and not fact. It is not guaranteed for accuracy and may contain errors. It is important that the reader do their own research and make their own decisions. Any financial decision should not rely upon this information and may be subject to the full loss of any related transaction. This information is not intended to guide any decision of the reader, but is presented as a guide to activity in the related areas of research.
Many attempts to provide a resilient RF fingerprint have been pursued in academic research [31]. Most work has focused on phenomena of a wireless signal which result from variances in circuitry of the transmitting device [32][33]. This includes such attributes as carrier frequency offset, phase noise, oscillator offset, and onset rise-times [34][35][36][37]. Some methods even include unusual attributes like signal-to-noise ratio, direction of arrival, and time dispersion [38][39]. Carrier frequency offset, as an example, is a characteristic caused by the mismatch between clocking oscillators in the transmitter and receiver, as well as influences of Doppler shift, if the two are not stationary. The effect at the receiver will be an attenuation of magnitude and an introduction of phase shift. It would seem that using such characteristics as a fingerprint for a transmitting device would hold promise as a viable solution. One Air Force Research Laboratory report concludes that frequency error offers the best opportunity of those mentioned thus far for intrusion detection [40]. Dr. Jingyu Hua of Nanjing University reports a method using carrier frequency offset yields a 94% favorable detection rate [41]. And, yet, as Dr. Hua says in his abstract, “we still need a practical solution.” Unfortunately, even five years after this paper, we find this is still true.
In practical applications, like industrial plants, the sampling clock drifts with changes in temperature, altering a proposed fingerprint based on carrier frequency offset. Other factors also affect its stability, including electromagnetic noise from large motors, the effects of multipath transmission, and improvements in oscillator technology over time. Like many other academic approaches to RF fingerprinting, this technique suffers performance degradation in actual industrial environments [20]. Frequency hopping adds complexity as well.
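As an added illustration (not part of this paper and not Endpoint's code), the following constructed Python example implements the usual autocorrelation estimator for carrier frequency offset over a twice-sent preamble and then shows the failure mode described above: a single constructed device, modelled with an assumed linear temperature coefficient on its oscillator, drifts out of the tolerance it was enrolled with once the ambient temperature changes. The sampling rate, carrier, ppm values, tolerance and noise level are all assumptions chosen for the demonstration.

```python
import cmath
import math
import random


def make_preamble(n, seed=1):
    """Constructed QPSK preamble of n unit-power symbols; the transmitter sends it twice."""
    rng = random.Random(seed)
    return [complex(rng.choice((-1, 1)), rng.choice((-1, 1))) / math.sqrt(2) for _ in range(n)]


def apply_channel(symbols, cfo_hz, fs_hz, snr_db=40.0, seed=2):
    """Rotate each sample by the carrier frequency offset and add white Gaussian noise.
    A real channel also attenuates and phase-shifts the signal; a constant gain and
    phase cancel out of the autocorrelation estimator below, which is part of why CFO
    is attractive as a feature in the first place."""
    rng = random.Random(seed)
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)  # per-component noise std for unit-power symbols
    out = []
    for n, s in enumerate(symbols):
        rot = cmath.exp(1j * 2 * math.pi * cfo_hz * n / fs_hz)
        out.append(s * rot + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)))
    return out


def estimate_cfo(rx, half_len, fs_hz):
    """Classic estimator: the phase of the correlation between the two halves of a
    repeated preamble equals 2*pi*cfo*half_len/fs. It is unambiguous only while
    |cfo| < fs / (2 * half_len); larger offsets wrap around."""
    acc = sum(rx[n + half_len] * rx[n].conjugate() for n in range(half_len))
    return fs_hz * cmath.phase(acc) / (2 * math.pi * half_len)


def device_cfo_hz(carrier_hz, base_ppm, tempco_ppm_per_c, temp_c, ref_temp_c=25.0):
    """Assumed oscillator model: a fixed ppm error plus a linear temperature term."""
    return carrier_hz * 1e-6 * (base_ppm + tempco_ppm_per_c * (temp_c - ref_temp_c))


def observe(temp_c, fs_hz=1e6, half_len=32, carrier_hz=2.4e9, noise_seed=2):
    """One over-the-air observation of the constructed device at temperature temp_c."""
    pre = make_preamble(half_len)
    cfo = device_cfo_hz(carrier_hz, base_ppm=1.0, tempco_ppm_per_c=0.02, temp_c=temp_c)
    rx = apply_channel(pre + pre, cfo, fs_hz, seed=noise_seed)
    return estimate_cfo(rx, half_len, fs_hz)


def cfo_matches(enrolled_hz, observed_hz, tol_hz=500.0):
    """Fingerprint check: accept when the observed offset lies within tol_hz of the enrolled value."""
    return abs(observed_hz - enrolled_hz) <= tol_hz


if __name__ == "__main__":
    enrolled = observe(25.0)  # enrolment at room temperature
    for t in (25.0, 35.0, 45.0, 65.0):
        est = observe(t, noise_seed=int(t))
        print(f"{t:5.1f} C  cfo={est:8.1f} Hz  match={cfo_matches(enrolled, est)}")
```

With the assumed 0.02 ppm/°C coefficient the device's offset moves by 1,920 Hz between 25 °C and 65 °C, so a 500 Hz acceptance window enrolled on a cool morning rejects the same legitimate radio on a hot afternoon; widening the window to absorb the drift would instead let a second device with a similar oscillator pass, which is the trade-off the text is describing.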
One class of fingerprinting research may be eliminated from serious consideration in industrial applications: methods which rely upon Channel State Information (CSI). CSI is a part of packet data that consists of a set of measurements characterizing the transmitter/receiver pair. By relying on CSI, one limits the solution to only those protocols supporting such data, mostly those based on IEEE 802.11 standards. However, even older 802.11 devices may not have the same CSI available as newer models. A better solution would be a system that is independent of protocol, since many protocols are actively used in industrial plants, such as ZigBee, LoRa, WirelessHART, 5G cellular, radio, Thread, 6LoWPAN, and Z-Wave, to name a few, some of which support CSI consistent with the 802.11 standards and some of which do not.
Vladimir Brik and his associates [42] propose to use radio frequency signal characteristics which can be measured as each signal is received. This approach does not rely on CSI data in a particular protocol, opening the method to broader applications. Brik reports an accuracy of 99.66% using a training set of 20 frames for a support vector machine classifier and groups of 4 frames as classifier inputs. The optimal feature set was found to be, in order of positive effect on performance: frequency error, SYNC correlation, I/Q offset, and magnitude and phase errors. However, the recorded tests were conducted in a lab-like environment with transmitters placed in a 20x20 meter grid, spaced 1 meter apart; thus, the negative effects of an industrial environment, including rich multipath and high levels of electromagnetic interference, were not involved.
Amani Al-Shawabka and her associates studied the effects of a real-world environment on various RF fingerprinting techniques employing convolutional neural networks, noting that “the environmental conditions affect the learning process significantly” [20]. These results come from tests performed in a 560 square meter facility with 64 antennas, again arranged in a grid similar to that above, but now involving a rich multipath environment. The experimental results conclude that the wireless channel impacts the classification accuracy significantly, i.e., from 85% effective to 9%. A factory environment will make it much worse, introducing high levels of electromagnetic interference and even more difficult multipath obstructions. A method of RF fingerprinting that is resilient to interference-induced changes in amplitude and phase is needed.
By using polarization characteristics of a signal as the key component, one circumvents most of the challenges of a harsh environment, like that found in a factory or refinery. The angle at which a signal travels may be measured over a series of 2,048 or 4,096 samples, which makes the measurement less sensitive to transient events in the environment. Additionally, electromagnetic interference emitted by large electrical equipment is typically non-polarized and, thus, invisible to the methods employed by Endpoint.
Currently, two prototypes capture and record raw I/Q sample data for a given span of time, recording both the background noise and the signals that are received. Data is collected simultaneously from two orthogonal antennas. Those records are replayed into a host processor which performs signal conditioning, pulse detection, discrete Fourier transforms, and Stokes parameter calculations on the incoming signal. The result is made into a “fingerprint,” a specifically sized subset of the data, and compared to a bank of previously collected fingerprints, one for each source previously identified. The algorithm concludes by either matching the fingerprint with a known source or creating a new source. If a matched source is both known and authenticated, it is updated; otherwise, an alert is sent to a network administrator.
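The processing chain just described, as an added example that is not Endpoint's code and makes no claim about its internals: constructed dual-antenna I/Q records (noise, one burst, noise), a windowed energy detector standing in for pulse detection, time-averaged Stokes parameters computed from the two orthogonal components, a fingerprint derived from them, and a bank that matches a fingerprint to a known source, updates an authenticated source, creates a new source otherwise, and returns an alert for the administrator. The DFT stage is omitted and the Stokes parameters are averaged over the time-domain burst; the record lengths, SNRs, match threshold, source names and polarization states are all assumptions.

```python
import cmath
import math
import random


# --- constructed test data -------------------------------------------------
def synth_record(pol, n_sig=2048, n_noise=512, snr_db=20.0, seed=0):
    """Constructed two-antenna I/Q record: noise, one burst, noise.
    pol = (ax, ay, delta): amplitude seen on each orthogonal antenna and the phase
    lead of the y component, i.e. the emitter's polarization state."""
    rng = random.Random(seed)
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)  # per-component noise std
    ax, ay, delta = pol
    ey_gain = ay * cmath.exp(1j * delta)
    noise = lambda: complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
    ex, ey = [], []
    for n in range(2 * n_noise + n_sig):
        if n_noise <= n < n_noise + n_sig:
            s = complex(rng.choice((-1, 1)), rng.choice((-1, 1))) / math.sqrt(2)
            ex.append(ax * s + noise())
            ey.append(ey_gain * s + noise())
        else:
            ex.append(noise())
            ey.append(noise())
    return ex, ey


# --- processing chain: pulse detection -> Stokes parameters -> fingerprint --
def detect_pulse(ex, ey, win=64, factor=4.0):
    """Windowed energy detector. The first window is taken as the noise floor;
    returns (start, end) sample indices of the first burst above factor * floor."""
    power = [abs(x) ** 2 + abs(y) ** 2 for x, y in zip(ex, ey)]
    floor = sum(power[:win]) / win
    start = None
    for i in range(0, len(power) - win + 1, win):
        p = sum(power[i:i + win]) / win
        if start is None and p > factor * floor:
            start = i
        elif start is not None and p <= factor * floor:
            return start, i
    return (start, len(power)) if start is not None else None


def stokes(ex, ey):
    """Time-averaged Stokes parameters (S0, S1, S2, S3) of the two orthogonal components."""
    n = len(ex)
    s0 = sum(abs(x) ** 2 + abs(y) ** 2 for x, y in zip(ex, ey)) / n
    s1 = sum(abs(x) ** 2 - abs(y) ** 2 for x, y in zip(ex, ey)) / n
    cross = sum(x * y.conjugate() for x, y in zip(ex, ey)) / n
    return s0, s1, 2 * cross.real, -2 * cross.imag


def fingerprint(ex, ey):
    """Unit vector on the Poincare sphere plus the degree of polarization.
    Normalising by the polarised power rather than S0 means unpolarised additive
    interference raises S0 and lowers the DoP but leaves the direction unchanged."""
    s0, s1, s2, s3 = stokes(ex, ey)
    pol_power = math.sqrt(s1 ** 2 + s2 ** 2 + s3 ** 2)
    return (s1 / pol_power, s2 / pol_power, s3 / pol_power), pol_power / s0


def process_record(ex, ey):
    """Full chain for one record: detect the burst, fingerprint only its samples."""
    span = detect_pulse(ex, ey)
    if span is None:
        return None
    a, b = span
    return fingerprint(ex[a:b], ey[a:b])


# --- fingerprint bank -------------------------------------------------------
def enroll(bank, name, fp, authenticated=True):
    bank.append({"name": name, "fp": fp, "authenticated": authenticated, "count": 1})


def classify(bank, fp, threshold=0.15):
    """Nearest-fingerprint match. Returns (verdict, source name, alert text or None)."""
    best = min(bank, key=lambda src: math.dist(src["fp"], fp), default=None)
    if best is not None and math.dist(best["fp"], fp) <= threshold:
        if best["authenticated"]:
            k = best["count"]  # known and authenticated: fold the new reading into the running mean
            best["fp"] = tuple((k * a + b) / (k + 1) for a, b in zip(best["fp"], fp))
            best["count"] = k + 1
            return "match", best["name"], None
        return "match", best["name"], f"ALERT: unauthenticated source {best['name']} seen again"
    name = f"unknown-{len(bank) + 1}"
    enroll(bank, name, fp, authenticated=False)
    return "new", name, f"ALERT: new source {name} not in fingerprint bank"
```

The three constructed emitters (horizontal linear, circular, linear at 30°) sit far apart on the Poincaré sphere, so a noisier second record of the same emitter still lands within the match threshold while its degree of polarization drops; an emitter with a new polarization state is added to the bank as unauthenticated and every subsequent sighting of it keeps raising an alert until an administrator marks it authenticated.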
The prototypes have been used to collect data in actual operating environments, in warehouses and production facilities. In the production facilities, tests were run both while robotic assembly took place and autonomous robots delivered parts, and while the factory floor was quiet and no production was taking place. These field tests have created a library of data at Endpoint with more than 200 tests collected under various conditions, including low signal-to-noise ratio transmissions, narrowband and wideband signals, transmissions near large electric motors, motion in the multipath, motion in the transmitters, microwave energy bursts, and more.
References
[20] A. Al-Shawabka et al., “Exposing the Fingerprint: Dissecting the Impact of the Wireless Channel on Radio Fingerprinting,” in IEEE INFOCOM 2020 - IEEE Conference on Computer Communications, Toronto, ON, Canada, July 2020, pp. 646–655, doi: 10.1109/INFOCOM41043.2020.9155259.
[31] B. Danev, D. Zanetti, and S. Capkun, “On physical-layer identification of wireless devices,” ACM Computing Surveys (CSUR), vol. 45, no. 1, p. 6, 2012.
[32] J. Toonstra and W. Kinsner, “Transient analysis and genetic algorithms for classification,” in WESCANEX 95: Communications, Power, and Computing, Conference Proceedings, vol. 2, IEEE, 1995, pp. 432–437.
[33] M.-W. Liu and J. F. Doherty, “Specific emitter identification using nonlinear device estimation,” in 2008 IEEE Sarnoff Symposium, IEEE, 2008, pp. 1–5.
[34] B. Danev and S. Capkun, “Transient-based identification of wireless sensor nodes,” in Proceedings of the 2009 International Conference on Information Processing in Sensor Networks, April 2009, pp. 25–36.
[35] D. Zanetti, B. Danev et al., “Physical-layer identification of UHF RFID tags,” in Proceedings of the Sixteenth Annual International Conference on Mobile Computing and Networking, ACM, 2010, pp. 353–364.
[36] S. Jana and S. K. Kasera, “On fast and accurate detection of unauthorized wireless access points using clock skews,” IEEE Transactions on Mobile Computing, vol. 9, no. 3, pp. 449–462, 2010.
[37] A. C. Polak, S. Dolatshahi, and D. L. Goeckel, “Identifying wireless users via transmitter imperfections,” IEEE Journal on Selected Areas in Communications, vol. 29, no. 7, pp. 1469–1479, 2011.
[38] L. Xiao, L. Greenstein, N. Mandayam, and W. Trappe, “Fingerprints in the ether: Using the physical layer for wireless authentication,” in IEEE International Conference on Communications (ICC ’07), IEEE, 2007, pp. 4646–4651.
[39] A. B. Muaddi and A. A. Tomko, “Intrusion detection system for wireless networks,” U.S. Patent 7,366,148, Apr. 29, 2008.
[40] A. Tomko, C. Rieser, L. Buell, D. Zaret, and W. Turner, “Wireless Intrusion Detection,” Final Technical Report, Johns Hopkins University, AFRL-IF-RS-TR-2007-62, March 2007.
[41] J. Hua, H. Sun, Z. Shen, Z. Qian, and S. Zhong, “Accurate and Efficient Wireless Device Fingerprinting Using Channel State Information,” in IEEE INFOCOM 2018 - IEEE Conference on Computer Communications, Honolulu, HI, USA, 2018, pp. 1700–1708, doi: 10.1109/INFOCOM.2018.8485917.
[42] V. Brik, S. Banerjee, M. Gruteser, and S. Oh, “Wireless Device Identification with Radiometric Signatures,” in MobiCom ’08: Proceedings of the 14th ACM International Conference on Mobile Computing and Networking, San Francisco, CA, September 14, 2008, pp. 116–127.