This work provides development of Constellation Based DNA (CB-DNA) Fingerprinting for use in systems employing quadrature modulations and includes network protection demonstrations for ZigBee offset quadrature phase shift keying modulation. Results are based on 120 unique networks comprised of seven authorized ZigBee RZUSBSTICK devices, with three additional like-model devices serving as unauthorized rogue devices. Authorized network device fingerprints are used to train a Multiple Discriminant Analysis (MDA) classifier and the Rogue Rejection Rate (RRR) is estimated for 2520 attacks involving rogue devices presenting themselves as authorized devices. With MDA training thresholds set to achieve a True Verification Rate (TVR) of TVR = 95% for authorized network devices, the collective rogue device detection results for SNR ≥ 12 dB include average burst-by-burst RRR ≈ 94% across all 2520 attack scenarios with individual rogue device attack performance spanning 83.32% < RRR < 99.81%.
1. Introduction
The need to establish reliable and secure communications remains a challenge across commercial Industrial Internet of Things (IIoT) applications that support Critical Infrastructure (CI) elements (water treatment, petroleum product distribution, transportation, etc.) that are commonly operated through Industrial Control System (ICS) architectures. ZigBee networks are common within the IIoT and CI/ICS domains and remain a mainstay for implementing wireless sensor and automation networks supporting medical, smart home and building automation, and consumer electronics [1–3]. The degree of required ZigBee antihacking security varies with application criticality and will increase as the number of deployed ZigBee devices under 802.15.4 market expansion grows to 1 billion units being shipped annually by 2022 and the next generation multiprotocol 802.15.4/Bluetooth/WiFi hardware becomes available [4]. As device makers strive to take advantage of market opportunity and satisfy consumer wants for the next “greatest” interface device, it remains unclear that they have taken necessary prudent steps to address legacy security concerns.
In light of vital asset vulnerability, protection of IIoT CI and ICS elements has become a national-level priority for both the public and private sectors [5–7]. Mitigation strategies against cyberattacks have traditionally focused on bit-level solutions targeting the higher communication protocol layers and until recently there has been minimal emphasis on physical (PHY) layer development [8–10]. This work addresses hardware device identity (ID) verification as a means to enhance network security by preventing unauthorized access through the PHY doorway through which a preponderance of malicious cyberattacks occur. The focus on ZigBee device security is motivated by two factors, including the following: (1) ZigBee and related 802.15.4 communication systems are deployed world-wide and (2) ZigBee serves as a representative protocol for broader IIoT applications [11, 12]. This work expands previous wireless device ID discrimination activity that has successfully exploited various Distinct Native Attribute (DNA) features extracted from selected signal responses to reliably discriminate transmitting hardware devices.
The Constellation Based DNA (CB-DNA) development here is motivated by concepts introduced in [13] used to discriminate Ethernet cards with features extracted from a contrived (nonconventional) binary constellation. The extension to this earlier work includes (1) formal analytic development of CB-DNA Fingerprinting for systems using conventional M-ary Quadrature Amplitude Modulation (M-QAM) signaling, (2) demonstration of CB-DNA Fingerprinting applicability to ZigBee and related 802.15.4 communication protocols, and (3) proposition of a network device ID process that incorporates mechanisms of localised RF air monitors that have been vetted for other wireless networks [14–17] while achieving security benefits of verification-based Multifactor Authentication (MFA). This proposition includes use of wireless MFA processing with success of the first “something you have” (network compliant device) and second “something you know” (authorized device bit-level ID) checks followed by a final “something you are” (biometric-like CB-DNA fingerprint) check to boost overall security [18, 19]. While comparison of the proposed verification-based rogue detection process with fielded and/or emerging commercial approaches is certainly of interest, a meaningful comparison is not viable given that (1) implementation details of commercial methods are generally proprietary and (2) the statistical effectiveness of such methods is generally unpublished. Regardless, the computational efficiency and speed of biometric-based MFA [18] make it a top-ranked choice for communication device discrimination [19] and it is reasonable to expect similar advantages in MFA-based CB-DNA security applications.
The general development for the class of complex M-ary QAM modulated signals having in-phase/quadrature-phase (I/Q) components includes the mth complex data modulated symbol given by

(1) $S_m(t) = I_{S_m} + jQ_{S_m}$, for $0 < t < T_{Sym}$,

where $T_{Sym}$ is the total symbol duration, $m = 1, 2, \ldots, M$, and $I_{S_m}$ and $Q_{S_m}$ are real-valued modulation components in the I/Q constellation space with $I_{S_m} \in \{I_{S_1}, I_{S_2}, \ldots, I_{S_M}\}$ and $Q_{S_m} \in \{Q_{S_1}, Q_{S_2}, \ldots, Q_{S_M}\}$. For complex symbols given by (1), a transmitted (Tx) burst of $N_{Sym}$ QAM modulated symbols is given by

(2) $S_{Tx}(t) = \sum_{k=1}^{N_{Sym}} S_m(t - kT_{Sym})\,\exp[j(2\pi f_c t + \phi_{Tx})] = \sum_{k=1}^{N_{Sym}} S_m(t - kT_{Sym})\cos(2\pi f_c t + \phi_{Tx}) + j\sum_{k=1}^{N_{Sym}} S_m(t - kT_{Sym})\sin(2\pi f_c t + \phi_{Tx})$,

for $0 < t < N_{Sym} \times T_{Sym}$, with $f_c$ being the transmitted carrier frequency and $\phi_{Tx} = \phi/2$ accounting for quadrature-phase error induced by hardware components [21]. The sequence of ideal transmitted QAM symbols in $S_{Tx}(t)$ is denoted by vector $\mathbf{S}_m = [S_1, S_2, \ldots, S_m, \ldots, S_{N_{Sym}-1}, S_{N_{Sym}}]$ where $S_m \in \{S_1, S_2, \ldots, S_M\}$. For the case of M = 4-ary signaling, the QAM $S_{Tx}(t)$ expression in (2) can be used to effectively represent the 4-ary Offset Quadrature-Phase Shift Keyed (O-QPSK) signaling used here for ZigBee demonstration.
Considering channel amplitude $A_{Ch}$ and transmitter-to-receiver propagation delay $\tau_{Ch}$ factors, the received (Rx) burst corresponding to $S_{Tx}(t)$ in (2) is given by

(3) $S_{Rx}(t) = A_{Ch}\,S_{Tx}(t - \tau_{Ch})$,

which has baseband received $I_{Rx}(t)$ and $Q_{Rx}(t)$ components that can be expressed as

(4) $I_{Rx}(t) = G_{I/Q}\sum_{k=1}^{N_{Sym}} I_{S_k}(t - kT_{Sym} - \tau_D) + O_I(t)$,

(5) $Q_{Rx}(t) = G_{I/Q}\sum_{k=1}^{N_{Sym}} Q_{S_k}(t - kT_{Sym} - \tau_D) + O_Q(t)$,

where $G_{I/Q}$ is the I/Q gain imbalance, $\tau_D$ accounts for $\tau_{Ch}$ and the relative time delay between receiver I/Q channels, and $O_I(t)$ and $O_Q(t)$ represent I/Q offset factors [21]. The $G_{I/Q}$, $\tau_D$, $O_I(t)$, and $O_Q(t)$ factors in (4) and (5) collectively account for transmitter $\phi_{Tx}$ error in (2) and additional receiver imperfections. The sequence of corrupted received QAM symbols in $S_{Rx}(t)$ is denoted by vector $\mathbf{S}_k = [S_1, S_2, \ldots, S_k, \ldots, S_{N_{Sym}-1}, S_{N_{Sym}}]$.
The cumulative effect of transmitter-receiver imperfections and channel errors captured in $I_{Rx}(t)$ and $Q_{Rx}(t)$ components is a degradation in received QAM symbol estimates, denoted here as $\hat{\mathbf{S}}_k = [\hat{S}_1, \hat{S}_2, \ldots, \hat{S}_k, \ldots, \hat{S}_{N_{Sym}-1}, \hat{S}_{N_{Sym}}]$ for a given $\mathbf{S}_k$, induced by a location shift of received $C(S_k) = I_{S_k} + jQ_{S_k}$ QAM constellation points relative to the corresponding ideal transmitted $C(S_m) = I_{S_m} + jQ_{S_m}$ constellation points. In addition to potential QAM symbol estimation error induced by received $C(S_k)$ deviation, there are two other receiver processes that are key for achieving reliable QAM symbol estimation, including (1) received carrier frequency offset $f_{Rx}$ estimation and (2) phase recovery for symbol constellation derotation.
2.1.1. Received Carrier Estimation
Following downconversion by $f_c$ and baseband filtering, samples of the received M-QAM signal at the receiver's Matched Filter (MF) output can be modeled as [22]

(6) $S_{MF}(n) = K_R\,S_k(n)\exp(j2\pi f_{Rx} t) + N_B(n)$,

where $n = 1, 2, \ldots, N_{MF}$, $K_R$ is a real-valued scalar, $S_k$ are the transmitted QAM symbols in (2), $f_{Rx}$ is the relative received carrier frequency offset, and $N_B$ is communication channel background noise [22]. The residual $f_{Rx}$ in $S_{Rx}(t)$ can be estimated by raising $S_{MF}(n)$ in (6) to the Mth power to remove the modulation effects. This effectively creates a multitone spectral response with a dominant (highest power) tone occurring at $M \times f_{Rx}$ [23]. This is illustrated for 4-QAM where $S^4_{MF}(n)$ can be expanded as

(7) $S^4_{MF}(n) = (K_R S_m(n))^4 \exp(j8\pi f_{Rx} t) + 4 (K_R S_m(n))^3 \exp(j6\pi f_{Rx} t)\,N_B(n) + 4 K_R S_m(n) \exp(j2\pi f_{Rx} t)\,N_B^3(n) + 6 (K_R S_m(n))^2 \exp(j4\pi f_{Rx} t)\,N_B^2(n) + N_B^4(n)$,

which includes a dominant $8\pi f_{Rx} = 2\pi(4 f_{Rx})$ frequency component. The estimated received carrier frequency offset is given by $\hat{f}_{Rx} = \tfrac{1}{4}\arg\max_n |\mathcal{F}\{S^4_{MF}(n)\}|$, where $\mathcal{F}\{\cdot\}$ denotes the discrete Fourier transform.
2.1.2. Constellation Phase Recovery
Receivers commonly use a Phase Locked Loop (PLL) to reconstruct the suppressed carrier via dynamic feedback that autocompensates for phase errors [24]. While generally beneficial, this within-burst autocompensation can potentially obscure subtle DNA feature differences that may help discriminate transmitters. Therefore, burst-by-burst discrete phase estimation and constellation derotation was implemented here using an algorithm that rotates the received CSk constellation points for each burst from 0 to π/2 radians in NΔ = 100 increments and selects the phase rotation angle yielding the minimum variance between the incrementally rotated pool of received CSk and the ideal CSm constellation points. The pseudocode for implementing this algorithm is presented in Table 1.
Table 1: Constellation phase derotation algorithm.

Require: received constellation projection C(S_k)
    RotationVariances ← ∞
    for N_Δ = 1 to 100 do
        θ ← (N_Δ · π)/(2 × 100)
        Rot(C(S_k)) ← C(S_k) · e^{jθ}
        Temp ← |Re[Rot(C(S_k))]| + j |Im[Rot(C(S_k))]|
        RotationVariances(N_Δ) ← Variance(Temp)
    end for
    N_Δ ← argmin_{N_Δ} RotationVariances
    return C(S_k) · e^{j(N_Δ · π)/(2 × 100)}
There are four different phase angle ambiguities that can exist after derotating the constellation using the algorithm in Table 1. These are resolved using estimated rotation angles of known preamble (training) symbols. The rotated constellation projections can also be normalized by scaling (dividing) each Rot(C(S_k)) point by the mean |Rot(C(S_k))|, which locates the center of all constellation clusters on the unit circle.
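The two receiver steps of Sections 2.1.1 and 2.1.2 carried out on a constructed 4-QAM burst, as an added example rather than the paper's MATLAB processing: the fourth-power carrier offset estimate of (6) and (7), the Table 1 variance-minimising derotation, and the unit-circle normalisation. The burst generator, one sample per symbol, normalised frequency in cycles per sample, and all parameter values are assumptions of the example.

```python
import cmath
import math
import random
from statistics import pvariance

# Assumed values for this example; the paper only fixes N_Delta = 100.
N_DELTA = 100                                    # trial rotations over (0, pi/2] (Table 1)
IDEAL_4QAM = [1 + 1j, -1 + 1j, -1 - 1j, 1 - 1j]  # ideal C(S_m) points, symbol power 2


def make_received_burst(n_sym, f_rx, phi_rx, snr_db, seed=1):
    """Constructed S_MF(n) samples, one per symbol: ideal 4-QAM symbols with a
    residual carrier offset f_rx (cycles/sample), a fixed rotation phi_rx (rad)
    and complex AWGN whose total power follows from snr_db."""
    rng = random.Random(seed)
    sigma = math.sqrt(2.0 / 10 ** (snr_db / 10.0) / 2.0)   # per-component noise std
    burst = []
    for n in range(n_sym):
        s = rng.choice(IDEAL_4QAM)
        carrier = cmath.exp(1j * (2 * math.pi * f_rx * n + phi_rx))
        burst.append(s * carrier + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)))
    return burst


def estimate_carrier_offset(samples):
    """Section 2.1.1: raising S_MF(n) to the 4th power strips the 4-QAM
    modulation, since (+/-1 +/- j)^4 = -4 for every symbol, and leaves the
    dominant tone of (7) at 4*f_Rx.  A plain DFT locates that tone (bins above
    N/2 are negative frequencies); the estimate is the tone frequency over 4."""
    n = len(samples)
    fourth = [s ** 4 for s in samples]
    best_k, best_mag = 0, -1.0
    for k in range(n):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(fourth))
        if abs(acc) > best_mag:
            best_k, best_mag = k, abs(acc)
    if best_k > n // 2:
        best_k -= n
    return best_k / n / 4.0


def remove_carrier_offset(samples, f_hat):
    """Counter-rotate each sample by the estimated offset before derotation."""
    return [s * cmath.exp(-2j * math.pi * f_hat * n) for n, s in enumerate(samples)]


def folded_variance(points):
    """Variance(Temp) of Table 1 with Temp = |Re| + j|Im|; the variance of a
    complex sequence is taken MATLAB-style as var(Re) + var(Im)."""
    folded = [complex(abs(p.real), abs(p.imag)) for p in points]
    return pvariance([p.real for p in folded]) + pvariance([p.imag for p in folded])


def derotate_constellation(cs_k):
    """Table 1: rotate C(S_k) by theta = N_Delta*pi/(2*100) for N_Delta = 1..100
    and keep the angle whose folded constellation has minimum variance.
    Returns (rotated points, theta_hat)."""
    best_n, best_var = 1, math.inf
    for n_delta in range(1, N_DELTA + 1):
        theta = n_delta * math.pi / (2 * N_DELTA)
        var = folded_variance([p * cmath.exp(1j * theta) for p in cs_k])
        if var < best_var:
            best_n, best_var = n_delta, var
    theta_hat = best_n * math.pi / (2 * N_DELTA)
    return [p * cmath.exp(1j * theta_hat) for p in cs_k], theta_hat


def normalise_to_unit_circle(points):
    """Divide every point by the mean |Rot(C(S_k))| so that the cluster
    centres sit on the unit circle (Section 2.1.2)."""
    mean_mag = sum(abs(p) for p in points) / len(points)
    return [p / mean_mag for p in points]


def residual_rotation(theta_hat, phi_rx):
    """Rotation error left after derotation, modulo the pi/2 quadrant
    ambiguity that the text resolves with known preamble symbols."""
    r = (theta_hat + phi_rx) % (math.pi / 2)
    return min(r, math.pi / 2 - r)


if __name__ == "__main__":
    burst = make_received_burst(600, f_rx=0.02, phi_rx=0.3, snr_db=12.0)
    f_hat = estimate_carrier_offset(burst)
    rotated, theta_hat = derotate_constellation(remove_carrier_offset(burst, f_hat))
    print(f"f_hat = {f_hat:.4f} cycles/sample, theta_hat = {theta_hat:.4f} rad, "
          f"residual = {residual_rotation(theta_hat, 0.3):.4f} rad")
```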
2.2. ZigBee Communications
The ZigBee Communication protocol includes a Medium Access Control (MAC) layer, where device IDs are verified using bit-level credentials, that interfaces with the RF communications channel through the PHY layer using RF hardware and firmware [25]. The PHY layer is implemented according to the IEEE 802.15.4 standard for low data-rate, low-power, and short range RF communications [20]. It is estimated that more than one billion 802.15.4 compliant components will be sold by the end of this decade with a majority of them supporting localised smart home networks [4]. One such component is the Atmel AT86RF230 radio transceiver that is hosted on RZUSBSTICK devices [26]. These are small low-power devices that support ZigBee operation at 2.4 GHz through an integrated folded dipole antenna with a net peak gain of GA = 0 dB. Accounting for GA = 0 dB and maximum AT86RF230 output power of POut = +3.0 dBm [27], the effective transmit power of the RZUSBSTICK is PTx = +3.0 dBm, which makes it a viable alternative for not only smart home networks but also other wireless sensor networks, industrial control systems, and building automation [27]. Details for the specific RZUSBSTICK devices used for demonstration are provided in Table 2, which shows the unique ZigBee Communication (ZC) device IDs assigned for experimentation.
Table 2: ZigBee RZUSBSTICK device details showing the device ID, the digital MAC address, and two unique physical markings appearing on the device AT86RF230 transceiver chips.

ID     MAC           Mark 1    Mark 2
ZC1    A0:F6:9F:E7   1442 PH   1R8338-7
ZC2    A0:01:43:70   0923 PH   8P0772
ZC3    A0:01:5D:34   0936 PH   9P0187-2
ZC4    A0:F6:A0:68   1442 PH   1R8338-7
ZC5    A0:F6:A0:4E   1442 PH   1R8338-7
ZC6    A0:F6:9F:FF   1442 PH   1R8338-7
ZC7    A0:F6:A0:0C   1442 PH   1R8338-7
ZC8    A0:F6:A0:04   1442 PH   1R8338-7
ZC9    A0:F6:9F:EA   1442 PH   1R8338-7
ZC10   A0:F6:9F:E0   1442 PH   1R8338-7
The use of PHY layer O-QPSK modulation is mandatory for ZigBee operation at 2.4 GHz, with the O-QPSK modulator preceded by a 4-to-32 (information bit-to-spread chip) Pseudorandom Noise (PN) mapping such that the information bits are transmitted at an effective rate of (2M Chips/Sec) × (4/32 Bits/Chip) = 250K Bits/Sec [20, 25]. Accounting for I/Q channel offset processing in the modulator, the corresponding output O-QPSK communication symbol rate for a transmitted STxt burst given by (2) is RSym=1/TSym = (250K Bits/Sec)/(2 Bits/Sym) = 125K Sym/Sec.
The required 4-to-32 PN mapping for 2.4 GHz ZigBee operation is shown in Table 3 [20]. Given this mapping, there are specific transmitted O-QPSK Sm symbol sequences that occur with varying probability. For example, the bold highlighted {100100} 6-bit pattern in the output chip sequences in Table 3 is among the most frequently occurring ones (appears in 13 of 16 chip sequences) and produces the O-QPSK transmitted symbol sequence Sm=S2,S2,S3,S3,S3. This 5-symbol Sm vector is denoted in Table 4 by an ∗ and is among the 30 highest probability transmitted O-QPSK Sm used for conditional CB-DNA demonstration.
Table 3: Input-output sequences for ZigBee 4-to-32 premodulation PN mapping [20]. Bold entries highlight one of 30 highest probability 6-bit sequences.

Input {b0,b1,b2,b3}   Output chip sequence {c0,c1,c2,…,c31}
0000                  11011001110000110101001000101110
1000                  11101101100111000011010100100010
0100                  00101110110110011100001101010010
1100                  00100010111011011001110000110101
0010                  01010010001011101101100111000011
1010                  00110101001000101110110110011100
0110                  11000011010100100010111011011001
1110                  10011100001101010010001011101101
0001                  10001100100101100000011101111011
1001                  10111000110010010110000001110111
0101                  01111011100011001001011000000111
1101                  01110111101110001100100101100000
0011                  00000111011110111000110010010110
1011                  01100000011101111011100011001001
0111                  10010110000001110111101110001100
1111                  11001001011000000111011110111000
Table 4: 30 highest probability 5-symbol Sm for Table 3 mapping with ∗ denoting Sm for the output bit sequence 100100 highlighted in Table 3.

(S1,S1,S1,S1,S2)   (S3,S1,S1,S3,S3)   (S1,S3,S3,S4,S4)
(S3,S3,S4,S4,S4)   (S2,S2,S2,S4,S3)   (S4,S2,S2,S4,S4)
(S2,S4,S4,S4,S3)   (S1,S3,S3,S1,S2)   (S3,S3,S4,S4,S4)∗
(S2,S2,S1,S3,S3)   (S4,S2,S2,S2,S2)   (S2,S4,S4,S2,S1)
(S1,S1,S1,S3,S4)   (S3,S1,S1,S3,S4)   (S1,S3,S4,S2,S1)
(S4,S2,S1,S1,S2)   (S2,S4,S3,S1,S1)   (S4,S4,S3,S1,S2)
(S3,S3,S1,S1,S2)   (S1,S3,S3,S1,S2)   (S3,S3,S4,S2,S2)
(S2,S2,S2,S2,S1)   (S4,S2,S2,S4,S3)   (S2,S4,S4,S2,S2)
(S1,S1,S2,S4,S4)   (S3,S1,S2,S2,S2)   (S1,S3,S4,S2,S2)
(S4,S2,S1,S3,S3)   (S2,S4,S3,S1,S2)   (S4,S4,S3,S3,S4)
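A check of the Table 3 mapping and of the chip-window probability argument in Section 2.2, as an added example that is not from the paper: it rebuilds the 4-to-32 mapping, verifies that the rows are 4-chip cyclic shifts of two base rows, counts in how many of the 16 chip sequences each 6-chip window appears, and reproduces the 250 kbit/s and 125 ksym/s rates. Counting windows only within each 32-chip sequence (never across a boundary) is an assumption of the example.

```python
from collections import Counter

# 4-to-32 chip mapping transcribed from Table 3 (2.4 GHz O-QPSK PHY); keys are b0 b1 b2 b3.
PN_MAPPING = {
    "0000": "11011001110000110101001000101110",
    "1000": "11101101100111000011010100100010",
    "0100": "00101110110110011100001101010010",
    "1100": "00100010111011011001110000110101",
    "0010": "01010010001011101101100111000011",
    "1010": "00110101001000101110110110011100",
    "0110": "11000011010100100010111011011001",
    "1110": "10011100001101010010001011101101",
    "0001": "10001100100101100000011101111011",
    "1001": "10111000110010010110000001110111",
    "0101": "01111011100011001001011000000111",
    "1101": "01110111101110001100100101100000",
    "0011": "00000111011110111000110010010110",
    "1011": "01100000011101111011100011001001",
    "0111": "10010110000001110111101110001100",
    "1111": "11001001011000000111011110111000",
}
CHIP_RATE = 2_000_000   # chips/s at 2.4 GHz


def check_mapping(mapping=PN_MAPPING):
    """Transcription check: 16 distinct 32-chip rows; every row is the b3 = 0 or
    b3 = 1 base row cyclically shifted right by 4 x (b0 + 2 b1 + 4 b2) chips, and
    the two base rows agree on even-indexed chips and differ on odd-indexed ones."""
    rows = list(mapping.values())
    ok = len(set(rows)) == 16 and all(len(r) == 32 for r in rows)
    base0, base1 = mapping["0000"], mapping["0001"]
    ok = ok and all((x == y) == (i % 2 == 0) for i, (x, y) in enumerate(zip(base0, base1)))
    for bits, chips in mapping.items():
        base = base1 if bits[3] == "1" else base0
        shift = 4 * int(bits[2::-1], 2)                 # b0 is the least significant bit
        ok = ok and chips == base[-shift:] + base[:-shift]   # shift 0 leaves base unchanged
    return ok


def window_presence(mapping=PN_MAPPING, width=6):
    """For every width-chip window, the number of the 16 chip sequences in which it
    occurs at least once.  Windows are taken within a sequence only (assumption)."""
    presence = Counter()
    for chips in mapping.values():
        presence.update({chips[i:i + width] for i in range(len(chips) - width + 1)})
    return presence


def most_frequent_windows(mapping=PN_MAPPING, width=6, top=30):
    """Windows ranked by presence count, ties broken lexically."""
    ranked = sorted(window_presence(mapping, width).items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top]


def effective_bit_rate(chip_rate=CHIP_RATE, info_bits=4, chips_per_symbol=32):
    """(2M chips/s) x (4/32 bits/chip) = 250 kbit/s."""
    return chip_rate * info_bits / chips_per_symbol


def oqpsk_symbol_rate(bit_rate):
    """Two bits per O-QPSK symbol: 250 kbit/s gives 125 ksym/s."""
    return bit_rate / 2


if __name__ == "__main__":
    print("mapping consistent:", check_mapping())
    print("100100 present in", window_presence()["100100"], "of 16 sequences")
    print("top windows:", most_frequent_windows(top=5))
```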
2.3. Device Classification and Device ID Verification
Device discrimination (classification and ID verification) is performed using DNA fingerprints with a Multiple Discri­minant Analysis/Maximum Likelihood (MDA/ML) process adopted from [11]. This includes MDA model training for $N_{Cls}$ classes (ZC devices) with components of (1) an $N_F \times (N_{Cls}-1)$ dimensional matrix $W$ for projecting $1 \times N_F$ dimensional input fingerprints ($F$) into the $(N_{Cls}-1)$-dimensional discrimination space containing fingerprint projection $P_F = FW$; (2) a $1 \times N_F$ dimensional fingerprint scaling vector $\alpha$; and (3) the $N_{Cls}$ training means ($\mu$) and covariances ($\Sigma$). MDA models are generated using a pool of 4400 total fingerprints per class that are equally divided into $N_{TNG}$ = 2200 Training (even indexed fingerprints) and $N_{TST}$ = 2200 Testing (odd indexed fingerprints) subsets. The even-odd indexing assignment ensures the models account for temporal channel variation, collection bias, etc., effects occurring during the course of emission collection.
The TNG fingerprints at a given SNR are used for MDA model training that includes K = 5-fold cross-validation [Dud1] with the best projection matrix WBest selected as the fold W producing the highest cross-validation accuracy. The TST fingerprints are then input to the model and a 1 versus NCls best match ML classification decision is made based on a selected classification test statistic (ZCls). The trained class yielding highest conditional probability P(ZCi∣ZCls) for all i=1,2,…,NCls is the called class (right or wrong) assigned to the unknown input fingerprint F. Classification performance at a given SNR is presented in an NCls x NCls (input versus called) classification confusion matrix, with (1) average cross-class percent correct classification (%C) calculated as the sum of diagonal (correct) matrix entries divided by the total number of classification trials (NCls x NTST) and (2) individual class %C for each class Ci calculated as the sum of ith row entries divided by NTST. Alternately, classification performance is presented in %C versus SNR plots.
The device ID verification process uses the selected MDA model components ($W$, $\alpha$, $\mu$, and $\Sigma$) and device TST fingerprints to estimate both (1) authorized network device True Verification Rate (TVR) (true positive) and (2) unauthorized device Rogue Rejection Rate (RRR) (true negative). For a given claimed (unknown) authorized device ID to be verified, the process includes the following: (1) projecting TST $F$ fingerprints for the device under test into the $(N_{Cls}-1)$-dimensional discrimination space using $P_F = \alpha \otimes FW$, where $\otimes$ denotes element-by-element vector multiplication, (2) calculating the selected verification test statistic ($Z_V$) for $N_{TST}$ total fingerprints using training $\mu$ and/or $\Sigma$ for the claimed authorized device ID, (3) forming a normalized (unit area) Probability Mass Function (PMF) using $N_{TST}$ total $Z_V$, (4) overlaying a desired training verification threshold ($t_V$), and (5) calculating the PMF area above/below $t_V$ to estimate the desired verification rate. Common $Z_V$ measures of similarity include (1) distance-based metrics such as the Euclidean distance between projected $P_F$ and the claimed training class mean $\mu$ and (2) probability-based metrics that map the calculated $P_F$ Euclidean distance to a normalized multivariate Gaussian probability distribution having mean $\mu$ and covariance $\Sigma$. Euclidean distance is perhaps the most easily conceptualised and was chosen here for proof-of-concept demonstration.
The PMFs in Figure 1 are used to illustrate Device ID verification for Euclidean distance “lower-is-better” measure of similarity [11]. Given these PMFs, the ID verification process includes (1) using network ZC TNG fingerprint ZV to set the training verification threshold tV(i) shown in Figure 1(a) to achieve the desired TVR (blue PMF1 area) where PMF1 is for ZCi TNG and PMF2 is based on accumulated TNG ZV for all “other” network ZCk (k=1,2,…,NCls and k≠i) and (2) calculating the corresponding RRR (true negative, blue PMF2 area) in Figure 1(b) where PMF1 is the same and PMF2 is based on TST fingerprint ZV for the rogue ZRj device. ID verification performance can be based on TNG tV(i) set for either (1) equal error rate conditions with False Verification Rate (FVR) given by FVR = 1-TVR or (2) a specific desired authorized TVR.
PMFs showing device dependent tV(i) set to achieve desired network ZCi TVR (true positive) given by blue PMF1 area in (a) and resultant RRR (true negative) for ZRj device given by blue PMF2 area in (b) [11].
Network ZCk versus Network ZCi (ZCk:ZCi): PMF1 for ZCi TNG and PMF2 for all “other” network ZCk
Rogue ZRj versus Network ZCi (ZRj:ZCi): PMF1 for ZCi TNG and PMF2 for ZRj versus ZCi
The authorized TVR (true positive) versus FVR (false positive) trade-off is effectively captured in a Receiver Operator Characteristic (ROC) curve [Faw1], as shown in Figure 2 using the Figure 1 PMFs with the TNG verification threshold tV varied from Min[ZV] to Max[ZV]. Figure 2(a) shows TVR versus FVR with the indicated operating point (■) corresponding to the desired TVR = 90% and yielding FVR ≈ 1.2%. Figure 2(b) shows TVR versus RAR, where the Rogue Accept Rate (false positive) is used to estimate the RRR ≈ 1−RAR shown along the x-axis for three arbitrary ZR devices (▼, ▲, and ▸) at the TVR = 90% operating point.
ROC curves for Figure 1 PMFs with indicated operating points based on desired TVR = 90%.
Network ZC Training ROC
Rogue ZR Testing ROCs
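The Section 2.3 ID verification steps and the Figure 2 ROC sweep worked through on constructed projections, as an added example (not the paper's code): Euclidean-distance Z_V against a claimed ZC_i training mean, t_V set for a desired TVR, and FVR, RAR and RRR read off the resulting PMF areas. The two-dimensional discrimination space, the Gaussian clusters with their positions and spreads, and N_TNG = 2200 points per device are assumptions of the example.

```python
import math
import random


def euclidean_zv(projected, mu):
    """Z_V for the distance-based measure: Euclidean distance between each
    projected fingerprint P_F and the claimed class training mean mu."""
    return [math.dist(p, mu) for p in projected]


def threshold_for_tvr(zv_authorized_tng, tvr):
    """t_V for a lower-is-better Z_V: the smallest value at or below which a
    fraction tvr of the authorized device's TNG Z_V values fall (PMF1 area)."""
    ordered = sorted(zv_authorized_tng)
    return ordered[max(math.ceil(tvr * len(ordered)) - 1, 0)]


def fraction_accepted(zv, t_v):
    """PMF area at or below t_V: the fraction of fingerprints verified as the claimed ID."""
    return sum(1 for z in zv if z <= t_v) / len(zv)


def verify_claim(zv_authorized_tng, zv_other_tng, zv_rogue_tst, tvr=0.95):
    """Steps (1)-(5) of Section 2.3 for one claimed ID ZC_i: TVR (true positive)
    on ZC_i, FVR on the 'other' network devices ZC_k, and RAR with RRR = 1 - RAR
    on a rogue ZR_j presenting ZC_i credentials."""
    t_v = threshold_for_tvr(zv_authorized_tng, tvr)
    rar = fraction_accepted(zv_rogue_tst, t_v)
    return {"t_V": t_v,
            "TVR": fraction_accepted(zv_authorized_tng, t_v),
            "FVR": fraction_accepted(zv_other_tng, t_v),
            "RAR": rar, "RRR": 1.0 - rar}


def roc_curve(zv_positive, zv_negative):
    """Sweep t_V from Min[Z_V] to Max[Z_V] (Figure 2) and return
    (FVR or RAR, TVR) operating points in increasing-threshold order."""
    thresholds = sorted(set(zv_positive) | set(zv_negative))
    return [(fraction_accepted(zv_negative, t), fraction_accepted(zv_positive, t))
            for t in thresholds]


def constructed_projections(centre, spread, count, seed):
    """Constructed P_F points in a 2-D discrimination space (N_Cls - 1 = 2):
    an isotropic Gaussian cluster around a class mean (toy data, not collected)."""
    rng = random.Random(seed)
    return [tuple(c + rng.gauss(0.0, spread) for c in centre) for _ in range(count)]


def demo(n_tng=2200, tvr=0.95):
    """Authorized ZC_i at the origin, 'other' ZC_k five units away, and two
    rogues: one well separated from ZC_i and one overlapping it."""
    mu_i = (0.0, 0.0)
    zc_i = euclidean_zv(constructed_projections(mu_i, 1.0, n_tng, seed=1), mu_i)
    zc_k = euclidean_zv(constructed_projections((5.0, 0.0), 1.0, n_tng, seed=2), mu_i)
    zr_far = euclidean_zv(constructed_projections((4.5, 1.0), 1.0, n_tng, seed=3), mu_i)
    zr_near = euclidean_zv(constructed_projections((0.5, 0.0), 1.0, n_tng, seed=4), mu_i)
    return verify_claim(zc_i, zc_k, zr_far, tvr), verify_claim(zc_i, zc_k, zr_near, tvr)


if __name__ == "__main__":
    far, near = demo()
    print(f"separated rogue: t_V={far['t_V']:.3f} TVR={far['TVR']:.3f} "
          f"FVR={far['FVR']:.4f} RRR={far['RRR']:.3f}")
    print(f"overlapping rogue: RRR={near['RRR']:.3f}")
```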
3. CB-DNA Fingerprinting Development
Time domain RF-DNA Fingerprinting has historically exploited statistical features extracted from partial-burst responses where invariant (data independent) synchronisation and channel estimation (preamble, midamble, etc.) symbols are transmitted [15, 28–30]. The CB-DNA Fingerprinting method developed here differs considerably and exploits features extracted from full-burst responses, including regions where variant (data dependent) symbols are transmitted. The CB-DNA Fingerprinting development here is motivated by concepts first used in [13] to discriminate Ethernet cards, but it fundamentally differs in that the work in [13] is based on features extracted from a contrived (nonconventional) binary constellation while the development here is for any application using conventional M-QAM signaling as introduced in Section 2.1. The development for unconditional and conditional fingerprinting is supported by the process depicted in Figure 3.
Illustration of unconditional and conditional 4-QAM constellation processing.
Ideal 4-QAM Transmitted Constellation
Projection CSk of received symbol
Estimation of received symbols
Conditioning into G11 subgroup
For ideal transmitted symbols having constellation projections $C(S_m)$ such as those shown in Figure 3(a), the kth received QAM symbol in burst $S_{Rx}(t)$ of (3) is denoted as $S_k$ for $t_k < t < t_k + T_{Sym}$, where $t_k$ is the symbol start time, $T_{Sym}$ is the symbol duration, and $k = 1, 2, \ldots, N_{Sym}$ where $N_{Sym}$ is the total number of symbols in a received burst. Following synchronisation to the kth symbol interval, the QAM receiver extracts symbol $S_k$ and projects it to a single point $C(S_k)$ in the QAM constellation space (Figure 3(b)). The corresponding estimated transmitted symbol is determined as $\hat{S}_k = S_m : \arg\min_m |C(S_k) - C(S_m)|$ for $S_m \in \{S_1, S_2, \ldots, S_M\}$ (Figure 3(c)). For generating unconditional CB-DNA statistical fingerprint features, the $N_{Sym}$ received $C(S_k)$ in each $S_{Rx}(t)$ burst are grouped based on their corresponding $\hat{S}_k = S_m$ estimate, with the group of $C(S_k)$ yielding the mth QAM symbol estimate denoted by the sequence $C_m(S_k)$ for $m = 1, 2, \ldots, M$.
While some prior works have investigated constellation error differences as a means for device discrimination [31], e.g., the mean and variance of Euclidean distances between received $C(S_k)$ and ideal $C(S_m)$, the approach here exploits constellation spatial statistical differences in $C_m(S_k)$ groups which are induced by channel propagation and hardware variability (e.g., I/Q imbalance) resulting from component differences (oscillator phase noise, spurious mixer tones, manufacturing processes, etc.) [21]. The exploitation of these differences was first demonstrated for the contrived binary constellation work in [13], which showed that the statistical distribution of $C_m(S_k)$ elements around the corresponding ideal $C(S_m)$ point is conditional, i.e., the location of a given $C_m(S_k)$ for $S_k$ in the received QAM constellation space is dependent upon the symbols received just prior to and immediately following $S_k$; these two symbols are denoted as $S_{k-1}$ and $S_{k+1}$, respectively.
The device discrimination improvement in [13] using conditional fingerprint features from the contrived binary constellation motivated formal development of the multisymbol constellation conditioning (subgrouping) method for M-QAM signaling. For the $\hat{S}_k$ dependent $C_m(S_k)$ group sequences, the basic process includes considering multiple consecutive received QAM symbols in an $S_{Rx}(t)$ burst, which are denoted here by vector $\mathbf{S}_k = [\ldots, S_{k-2}, S_{k-1}, S_k, S_{k+1}, S_{k+2}, \ldots]$ where $S_k$ is the central reference symbol. These received symbols have corresponding estimates that are used to form vector $\hat{\mathbf{S}}_k = [\ldots, \hat{S}_{k-2}, \hat{S}_{k-1}, \hat{S}_k, \hat{S}_{k+1}, \hat{S}_{k+2}, \ldots]$ where $\hat{S}_k$ is the estimate for reference symbol $S_k$. Multisymbol constellation conditioning involves parsing each of the unconditional $C_m(S_k)$ groups into conditional $C_m(S_k^n)$ subgroups for $n = 1, 2, \ldots, N_{SG}$ total subgroups, with $S_k^n$ denoting the nth subgroup. The parsing of unconditional $C_m(S_k)$ sequences and selection of $N_{SG}$ subgroups is somewhat arbitrary but performed with a goal of maximising cross-subgroup distribution differences that will be captured in statistical fingerprint features.
The subgrouping of $C_m(S_k)$ is illustrated in Figure 3(d) by considering three received symbols of $\mathbf{S}_k = [S_{k-1}, S_k, S_{k+1}]$ and a set of $N_{SG}$ desired subgroup conditioning vectors $G_n$ of equivalent dimension, denoted by $G_n = [G_1^n, G_2^n, G_3^n]$ where $G_i^n \in \{S_1, S_2, \ldots, S_M\}$. The process for assigning each element of the mth $C_m(S_k)$ group to one of $N_{SG}$ subgroups based on $G_n$ conditions includes (1) taking each received $S_k$ producing $C_m(S_k)$, (2) estimating received $\hat{S}_{k-1}$ and $\hat{S}_{k+1}$ and forming $\hat{\mathbf{S}}_k = [\hat{S}_{k-1}, \hat{S}_k, \hat{S}_{k+1}]$, and (3) comparing the resultant $\hat{\mathbf{S}}_k$ with each desired $G_n$. If $\hat{\mathbf{S}}_k - G_n = 0$ for some $n = 1, 2, \ldots, N_{SG}$, the $C_m(S_k)$ under evaluation is assigned to the nth conditional $C_m(S_k^n)$ subgroup. If $\hat{\mathbf{S}}_k - G_n \neq 0$ for all $n$, the $C_m(S_k)$ under evaluation is assigned to an “other” conditional subgroup. Formation of the $(N_{SG}+1)$th “other” subgroup is required when not all possible combinations of estimated $\hat{\mathbf{S}}_k$ symbols are included as desired $G_n$ conditions, and it ensures that all elements of $C_m(S_k)$ are accounted for. Accounting for all possible M-QAM symbols, the total number of conditional subgroups formed for fingerprint generation is either $M \times N_{SG}$, or $M \times (N_{SG}+1)$ if an “other” subgroup is required.
There are many possible symbol combinations that could be used for conditioning $G_n$ vectors and formation of conditional subgroups. In light of noted M-QAM I/Q phase imbalance effects, there are some specific $G_n$ that may accentuate cross-subgroup differences based on how the phase in consecutive $S_{Rx}(t)$ symbols changes during QAM signaling. The two extreme phase changes are captured using (1) $G_n = [\hat{S}_k, \hat{S}_k, \hat{S}_k]$, which represents the case of no symbol-to-symbol phase change across $\hat{\mathbf{S}}_k$ symbols, and (2) $G_n = [-\hat{S}_k, \hat{S}_k, -\hat{S}_k]$, which represents the case of maximum ±180 degree symbol-to-symbol phase change across $\hat{\mathbf{S}}_k$ symbols. Considering 4-QAM and accounting for all possible symbol combinations in the $1 \times 3$-dimensional $G_n$ vectors, there are a total of $N_{SG} = 16$ conditional $C_m(S_k^n)$ subgroup sequences for $m = 1, 2, 3, 4$ with no “other” subgroup formed. The effect of conditional subgrouping is illustrated with the aid of Figure 4, which shows an unconditioned QAM received constellation for an $S_{Rx}(t)$ burst at SNR = 12 dB and containing approximately $N_{Sym}$ ≈ 3400 total symbols (approximately 850 $C_m(S_k)$ projections per quadrant).
Received unconditioned QAM constellation at SNR = 12 dB for a burst of $N_{Sym}$ ≈ 3400 symbols producing approximately 850 total projections in the indicated $C_1(S_k)$, $C_2(S_k)$, $C_3(S_k)$, and $C_4(S_k)$ quadrant groups.
Considering the $S_1$ quadrant and selected conditional $G_n$ symbol vectors yields the pairwise conditional $C_1(S_k^n)$ projections plotted in Figure 5. Of note in Figure 5 is that all plots are presented on the same scale over the same I-Value and Q-Value ranges. Thus, the observable similarities and/or differences in the illustrated conditional $C_1(S_k^n)$ subgroups exhibit behavior that is indicative of I/Q imbalance and increase the potential for device characterisation. Assuming identical channel conditions and receiver imperfection effects (I/Q imbalance, etc.) during the signal collection interval, the visually discernable differences in conditional $C_1(S_k^n)$ subgroup distributions in Figure 5 are attributable to transmitter component differences and aid in uniquely identifying transmitting devices using conditional CB-DNA Fingerprinting.
Received conditional QAM constellation points for S1 quadrant projections in Figure 4 showing pairwise relationship of five conditioned C1Skn subgroups with elements assigned using the indicated Gn conditions.
G1=(S3,S1,S2) (○) versus G2=(S2,S1,S3) (●)
G3=(S3,S1,S4) (▲) versus G4=(S4,S1,S3) (★)
G1=(S3,S1,S2) (○) versus G5=(S2,S1,S2) (▼)
G2=(S2,S1,S3) (●) versus G3=(S3,S1,S4) (▲)
Statistical features of unconditional $C_m(S_k)$ sequences and conditional $C_m(S_k^n)$ sequences are used to form CB-DNA fingerprints. The construction processes for unconditional $F_{CB}^{UNC}$ and conditional $F_{CB}^{CND}$ CB-DNA fingerprint vectors are identical and presented for an arbitrary complex sequence $\{X\}$ having $N_X$ elements. The fingerprint statistics are calculated using (1) polar magnitude (Mag) and angle (Ang) components and (2) rectangular real (Re) and imaginary (Im) components of $\{X\}$. While any number of statistics could be used, the specific statistical CB-DNA features used for polar representation include variance ($\sigma^2$), skewness ($\gamma$), and kurtosis ($\kappa$) statistics of both the magnitude $\{\mathrm{Mag}[X]\}$ and angle $\{\mathrm{Ang}[X]\}$ sequences for a total of 6 polar statistics. For the rectangular $[\mathrm{Re}[X]; \mathrm{Im}[X]]_{2 \times N_X}$ matrix representation, the calculated statistics include three unique covariance $\sigma\sigma^2(1{:}3)$ values, two nontrivial coskewness moments $\gamma\gamma(1{:}2)$, and three nontrivial cokurtosis $\kappa\kappa(1{:}3)$ moments [32]. Accounting for all possible statistics, the Statistical Fingerprint vector for complex sequence $X$ is formed as

(8) $F(X) = \left[\sigma^2_{\mathrm{Mag}[X]}\;\; \gamma_{\mathrm{Mag}[X]}\;\; \kappa_{\mathrm{Mag}[X]}\;\; \sigma^2_{\mathrm{Ang}[X]}\;\; \gamma_{\mathrm{Ang}[X]}\;\; \kappa_{\mathrm{Ang}[X]}\;\; \sigma\sigma^2_X(1{:}3)\;\; \gamma\gamma_X(1{:}2)\;\; \kappa\kappa_X(1{:}3)\right]_{1 \times N_{Stat}}$,

where $N_{Stat} = 14$ if all indicated statistics are included.
For unconditional CB-DNA Fingerprinting, $F(X)$ in (8) is calculated for all $m = 1, 2, \ldots, M$ constellation symbols with $X = C_m(S_k)$ and the resultant $F_m(X)$ concatenated to form the final composite unconditional CB-DNA Fingerprint vector $F_{CB}^{UNC}$ given by

(9) $F_{CB}^{UNC} = \left[F_1(X) \;\vdots\; F_2(X) \;\vdots\; \cdots \;\vdots\; F_M(X)\right]_{1 \times N_F^{UNC}}$,

where $N_F^{UNC} = N_{Stat} \times M$ is the total number of unconditional CB-DNA features.
For conditional CB-DNA Fingerprinting, $F(X)$ in (8) is calculated for all $n = 1, 2, \ldots, N_{SG}$ subgroups of each $m = 1, 2, \ldots, M$ constellation symbol using $X = C_m(S_k^n)$. The resultant $F^{CND}_{SG(m,n)}$ vectors are used to form the mth Conditional CB-DNA Fingerprint vector $F_m^{CND}$ given by

(10) $F_m^{CND} = \left[F^{CND}_{SG(m,1)} \;\vdots\; F^{CND}_{SG(m,2)} \;\vdots\; \cdots \;\vdots\; F^{CND}_{SG(m,N_{SG})}\right]_{1 \times (N_{Stat} \times N_{SG})}$,

which are concatenated for all $m = 1, 2, \ldots, M$ to form the composite conditional CB-DNA Fingerprint vector

(11) $F_{CB}^{CND} = \left[F_1^{CND} \;\vdots\; F_2^{CND} \;\vdots\; \cdots \;\vdots\; F_M^{CND}\right]_{1 \times N_F^{CND}}$,

where $N_F^{CND} = N_{Stat} \times N_{SG} \times M$ is the total number of conditional CB-DNA features. In general, unconditional and conditional CB-DNA fingerprint features can be generated using all or a subset of the noted statistics, calculated for all or a subset of the available projected $C_m(S_k)$ groups or $C_m(S_k^n)$ subgroups. The choice of which statistics and which groups to use may vary with the specific communication application (fixed, mobile, urban, city, etc.) and determines the final number of $N_F^{UNC}$ and $N_F^{CND}$ features generated.
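The constellation grouping of Figure 3 and the fingerprint construction of (8)–(11) implemented end to end, as an added example that is not the paper's code: symbol estimation, unconditional C_m(S_k) groups, conditional C_m(S_k^n) subgroups over all 16 three-symbol G_n, the 14 statistics of (8) and their concatenation. The S_1..S_4 constellation placement, the standardisation of the cross moments, the zero vector returned for a subgroup with fewer than two points, and the toy I/Q-imbalance burst model are assumptions of the example; it keeps all 14 statistics and 16 subgroups, whereas the demonstration in Section 4 uses subsets (36 unconditional and 270 conditional features).

```python
import cmath
import math
import random
from itertools import product

# Assumed placement of S_1..S_4 in the 4-QAM constellation (not stated in the paper).
IDEAL_4QAM = {1: 1 + 1j, 2: -1 + 1j, 3: -1 - 1j, 4: 1 - 1j}
N_STAT = 14   # statistics per sequence in (8)

def estimate_symbol(c):
    """S_hat_k = S_m : argmin_m |C(S_k) - C(S_m)| (Figure 3(c))."""
    return min(IDEAL_4QAM, key=lambda m: abs(c - IDEAL_4QAM[m]))

def _centred(values):
    mean = sum(values) / len(values)
    return [v - mean for v in values]

def polar_stats(values):
    """Variance, skewness and kurtosis of one real sequence (Mag[X] or Ang[X])."""
    c = _centred(values)
    var = sum(v * v for v in c) / len(c)
    if var == 0.0:
        return [0.0, 0.0, 0.0]
    z = [v / math.sqrt(var) for v in c]
    return [var, sum(t ** 3 for t in z) / len(z), sum(t ** 4 for t in z) / len(z)]

def rectangular_stats(re, im):
    """Three unique covariances, two coskewness and three cokurtosis moments of the
    2 x N_X [Re[X]; Im[X]] matrix.  Cross moments are standardised central moments
    E[a^p b^q] / (s_a^p s_b^q); that normalisation is an assumption of this example."""
    a, b = _centred(re), _centred(im)
    n = len(a)
    s_a = math.sqrt(sum(x * x for x in a) / n)
    s_b = math.sqrt(sum(y * y for y in b) / n)

    def moment(p, q, standardise):
        m = sum(x ** p * y ** q for x, y in zip(a, b)) / n
        return m / (s_a ** p * s_b ** q) if standardise and s_a > 0 and s_b > 0 else m

    return [moment(2, 0, False), moment(1, 1, False), moment(0, 2, False),   # sigma-sigma(1:3)
            moment(2, 1, True), moment(1, 2, True),                            # gamma-gamma(1:2)
            moment(3, 1, True), moment(2, 2, True), moment(1, 3, True)]        # kappa-kappa(1:3)

def statistical_fingerprint(seq):
    """F(X) of (8): N_Stat = 14 statistics of one complex sequence X.  A subgroup
    with fewer than two points has no spread to measure and yields all zeros."""
    if len(seq) < 2:
        return [0.0] * N_STAT
    mag = polar_stats([abs(x) for x in seq])
    ang = polar_stats([cmath.phase(x) for x in seq])
    return mag + ang + rectangular_stats([x.real for x in seq], [x.imag for x in seq])

def unconditional_groups(cs_k):
    """C_m(S_k): received points grouped by their symbol estimate m."""
    groups = {m: [] for m in IDEAL_4QAM}
    for c in cs_k:
        groups[estimate_symbol(c)].append(c)
    return groups

def conditional_subgroups(cs_k):
    """C_m(S_k^n): each interior point keyed by G_n = [S_hat_{k-1}, S_hat_k, S_hat_{k+1}].
    Using all 4^3 triples as G_n gives N_SG = 16 subgroups per m and no 'other' subgroup."""
    est = [estimate_symbol(c) for c in cs_k]
    subgroups = {g: [] for g in product(IDEAL_4QAM, repeat=3)}
    for k in range(1, len(cs_k) - 1):
        subgroups[(est[k - 1], est[k], est[k + 1])].append(cs_k[k])
    return subgroups

def unconditional_fingerprint(cs_k):
    """(9): F_CB^UNC = [F_1(X) ... F_M(X)]; N_F^UNC = N_Stat x M = 56 for 4-QAM."""
    groups = unconditional_groups(cs_k)
    return [v for m in sorted(groups) for v in statistical_fingerprint(groups[m])]

def conditional_fingerprint(cs_k):
    """(10)-(11): F_CB^CND ordered by m, then by G_n; N_F^CND = 14 x 16 x 4 = 896."""
    subs = conditional_subgroups(cs_k)
    order = sorted(subs, key=lambda g: (g[1], g[0], g[2]))
    return [v for g in order for v in statistical_fingerprint(subs[g])]

def constructed_burst(n_sym, g_iq, phase_err, snr_db, seed=7):
    """Constructed, already-derotated C(S_k) for one transmitter: ideal 4-QAM with
    I/Q gain imbalance g_iq, quadrature phase error phase_err (rad) and AWGN."""
    rng = random.Random(seed)
    sigma = math.sqrt(2.0 / 10 ** (snr_db / 10.0) / 2.0)
    burst = []
    for _ in range(n_sym):
        s = IDEAL_4QAM[rng.randint(1, 4)]
        q = g_iq * (s.imag * math.cos(phase_err) + s.real * math.sin(phase_err))
        burst.append(complex(s.real + rng.gauss(0, sigma), q + rng.gauss(0, sigma)))
    return burst

if __name__ == "__main__":
    burst = constructed_burst(3400, g_iq=0.9, phase_err=0.05, snr_db=12.0)
    print("N_F^UNC =", len(unconditional_fingerprint(burst)),
          "N_F^CND =", len(conditional_fingerprint(burst)))
```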
4. CB-DNA Fingerprinting Demonstration
ZigBee transmissions were collected for all RZUSBSTICK devices listed in Table 2 using an X310 Software Defined Radio (SDR) having an RF bandwidth of WRF = 10 MHz and operating at a sampling rate of fS = 10 MSps in both the I/Q channels. Subsequent postcollection signal processing was performed using MATLAB and included burst-by-burst (1) center frequency estimation, (2) baseband (BB) downconversion and filtering using a 16th-order Butterworth filter having a -3 dB bandwidth of WBB = 2 MHz, (3) constellation phase derotation, and (4) unconditional and conditional CB-DNA fingerprint generation per Section 3. The CB-DNA fingerprints were used to generate demonstration results for a total of NNC = 10-choose-3 = 120 unique network configurations with the NZR = 3 chosen devices serving as unauthorized attacking ZigBee Rogue (ZR) devices and the remaining NZC = 7 devices serving as authorized ZC network devices.
For each network configuration, the RRR was estimated for the NZR = 3 rogue devices using the device ID verification process detailed in Section 2.3. For each network configuration, each of the NZR = 3 ZR devices presents false ID credentials for all NCls = 7 authorized ZC network devices for a total of 7 × 3 = 21 ZRj:ZCi assessments per network configuration. Considering all networks, a total of 120 × 21 = 2520 ZRj:ZCi device ID verification (rogue detection) assessments were completed. Alternately, each ZC device in Table 2 served as an attacking ZR device 36 times for a total of 36 × 7 = 252 ZRj:ZCi device ID verification assessments per RZUSBSTICK device. The RRR estimates are based on a total of 4400 fingerprints per ZR device that are presented on a fingerprint-by-fingerprint basis for ID verification; the assessments here do not include nor account for envisioned benefits to be realised by averaging fingerprints, features, etc., prior to making a final authorized versus rogue verification decision. For presentation brevity, limited results are presented herein that are representative of the poorest (lowest RRR) and best (highest RRR) results obtained across all NNC = 120 network configurations and are sufficient for supporting proof-of-concept demonstration conclusions.
4.1. Authorized Network Device Classification
Device classification is first required to generate the MDA/ML model components (W, α, μ, and Σ) required for device ID verification. The CB-DNA Fingerprinting results in Figure 6 were generated using unconditional and conditional features for all NNC = 120 networks. Results show %C versus SNR for all 120 networks along with the cross-network average %C (solid lines) and the extreme bounds (dashed lines with ○ markers) for the highest and lowest %C. The benefit of constellation conditioning is evident by comparing the cross-network averages, which show that the %C = 90% benchmark is achieved for conditional features (■) at SNR ≈ 11 dB and for unconditional features (▲) at SNR ≈ 14 dB. For presentation brevity, the additional results in this section are presented for conditional CB-DNA Fingerprinting only, given its superior performance.
Figure 6 (image not reproduced). Classification for 120 networks with (a) unconditional and (b) conditional CB-DNA features. Mean results show that the %C = 90% benchmark is achieved at SNR ≈ 14 dB (unconditional) and SNR ≈ 11 dB (conditional). Panel (a): results for NFUNC = 36 unconditional features with the conditional mean from Figure 6(b) overlaid for comparison. Panel (b): results for NFCND = 270 conditional features with the unconditional mean from Figure 6(a) overlaid for comparison.
For conditional CB-DNA Fingerprinting at SNR = 12 dB in Figure 6(b), the extreme results include (1) the lowest %C ≈ 86.78% performance for Model #1 (excludes ZC1, ZC2, and ZC3 devices) and (2) the highest %C ≈ 98.75% performance for Model #90 (excludes ZC4, ZC5, and ZC10 devices). The classification confusion matrices for these extreme cases are provided in Tables 5 and 6 and suggest that the inclusion of the ZC4, ZC5, ZC6, and ZC10 devices in Model #1 is most detrimental (italic entries in Table 5). Of note from Table 2 is that the package markings for the ZC2, ZC3 pair differ from all other package markings. Thus, Model #1 versus Model #90 performance is consistent with historical DNA discrimination given that the ZC2, ZC3 pair is (1) excluded from the poorest Table 5 results (the model includes all like-model, similarly marked devices) and (2) included in the highest Table 6 results (the model includes a higher number of like-model, dissimilarly marked devices).
Table 5. Confusion matrix for the lowest performing Model #1 in Figure 6(b) at SNR = 12 dB with %C ≈ 86.78% (sum of diagonals divided by 15,400 trials). The largest error contributors (ZC4, ZC5, ZC6, and ZC10) are set in italics in the original; each row sums to the NTNG = 2200 fingerprints per device.

Input class    Called class
               ZC4     ZC5     ZC6     ZC7     ZC8     ZC9     ZC10
ZC4            1868    152     64      16      0       0       100
ZC5            152     1700    236     4       0       0       108
ZC6            128     232     1608    12      0       0       220
ZC7            4       0       0       2188    8       0       0
ZC8            0       0       0       24      2172    4       0
ZC9            0       0       0       8       4       2120    68
ZC10           100     108     264     8       0       12      1708
Table 6. Confusion matrix for the highest performing Model #90 in Figure 6(b) at SNR = 12 dB with %C ≈ 98.75% (sum of diagonals divided by 15,400 trials). The largest error contributors (ZC6 and ZC7) are set in italics in the original; each row sums to the NTNG = 2200 fingerprints per device.

Input class    Called class
               ZC1     ZC2     ZC3     ZC6     ZC7     ZC8     ZC9
ZC1            2184    4       0       12      0       0       0
ZC2            0       2132    0       16      40      4       8
ZC3            0       0       2200    0       0       0       0
ZC6            12      24      0       2164    0       0       0
ZC7            0       36      0       0       2156    8       0
ZC8            0       0       0       0       4       2192    4
ZC9            0       4       0       8       8       0       2180
4.2. Authorized Network Device ID Verification
The SNR-dependent MDA/ML model components (W, α, μ, and Σ) from Section 4.1 are used to assess authorized network ZC device ID verification at a selected verification SNR, SNRV. Results are presented for conditional CB-DNA fingerprints at SNRV = 12 dB, where the average MDA/ML performance in Figure 6(b) achieves the %C ≈ 90% benchmark. For each network, the device training (TNG) fingerprints are used to set device-dependent verification thresholds tV(i) for all authorized devices such that TVR ≈ 95% is achieved. The tV(i) for the worst and best performing MDA/ML models in Figure 6(b) are shown in Figure 7(a) (Model #1) and Figure 7(b) (Model #90). The tV(i) are overlaid with the Euclidean distance TNG statistics (ZV), and each ID verification is identified as either an accept (○) or a reject (X) decision. The accept/reject decisions and final performance are based on ZV for NTNG = 2200 fingerprints per authorized device, with ZV < tV(i) (○ markers) representing correct ID verification (proper access granted) and ZV > tV(i) (X markers) representing incorrect ID verification (improper access denial). The resultant TVR for individual ZC devices is shown along the x-axis and yields an overall cross-ZC average of TVR ≈ 94.84% for both models.
Figure 7 (image not reproduced). Authorized device ID verification for conditional CB-DNA Fingerprinting at SNRV = 12 dB for (a) worst case Model #1 and (b) best case Model #90 MDA/ML classification in Figure 6(b). Device dependent training thresholds tV (horizontal lines) are set for TVR = 95%, with the resultant per device TVR shown along the x-axis. Panel (a): Model #1 authorized network devices. Panel (b): Model #90 authorized network devices.
4.3. Unauthorized Rogue Device Detection
Accounting for all NNC = 120 network configurations, with each of the NZR = 3 held-out ZRj (j = 1, 2, …, 10, j ≠ i) devices serving in an attacking ZRj:ZCi role a total of 252 times (including multiple attacks against a given ZCi device present in multiple networks), the cumulative per-ZRj RRR performance averaged across all networks for 8 ≤ SNRV ≤ 20 dB is shown in Table 7. Of note here is the average cross-ZRj RRR ≈ 89.42% at SNRV = 12 dB, which is approximately the same SNR at which MDA/ML device classification in Figure 6(b) achieves the %C = 90% benchmark. As shown by the Table 7 results at SNRV = 12 dB, the lowest RRR occurs for the ZR4 and ZR6 devices and the highest RRR occurs for the ZR1 and ZR3 devices. Excluding SNRV = 8 dB performance, the collective rogue device results for SNRV ≥ 12 dB include (1) cumulative cross-ZR RRR ≈ 94% across all ZR:ZC attack scenarios and (2) individual cross-ZR performance across 252 attacks spanning 83.32% < RRR < 99.81%.
Table 7. Conditional rogue ID verification performance showing the cumulative average RRR (%) for the indicated ZRj. In the original, the highest and lowest RRR per SNRV are set in bold and the row/column averages in italics. The Cross-SNRV Ave row is the mean of the SNRV = 12, 16, and 20 dB rows (SNRV = 8 dB excluded), consistent with the 83.32% < RRR < 99.81% span quoted in Section 4.3.

SNRV (dB)        RRR (%) by ZR rogue ID                                                            Cross-ZR Ave
                 ZR1     ZR2     ZR3     ZR4     ZR5     ZR6     ZR7     ZR8     ZR9     ZR10
8                95.55   65.76   97.90   67.74   72.40   69.69   85.82   94.86   83.60   71.38     80.47
12               99.24   83.17   99.60   79.17   82.16   76.29   97.78   98.80   95.78   82.24     89.42
16               99.64   92.78   99.84   88.72   89.49   82.77   99.83   99.80   99.37   92.96     94.45
20               99.66   98.64   99.99   95.93   95.65   90.90   99.99   99.99   99.95   98.34     97.90
Cross-SNRV Ave   99.51   91.53   99.81   87.94   89.10   83.32   99.20   99.53   98.37   91.18     93.95
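The following is an added, self-contained illustration of the evaluation loop described in Sections 4.1 through 4.3; it is not code from the paper or its authors. It works on constructed fingerprints (ten device "centres" in a four-feature space plus unit Gaussian noise, with ZC4, ZC5, ZC6, and ZC10 deliberately placed close together to mimic the similarly marked devices the paper found hardest to separate). As simplifying assumptions, a nearest-mean classifier and plain Euclidean distance in the raw feature space stand in for the MDA/ML projection (W, α, μ, Σ), and NTNG = 400 rather than 2200 training fingerprints per device are used. Beyond the specific cases in the text, the block enumerates all 10-choose-3 = 120 network models and accumulates the 21 ZRj:ZCi assessments per model into the 2520 total and 252 attacks per device; lexicographic enumeration of the held-out triples reproduces the model numbers quoted on the page (#1 = {ZC1, ZC2, ZC3}, #45 = {ZC2, ZC4, ZC6}, #90 = {ZC4, ZC5, ZC10}). Thresholds tV(i) are set at the 95th percentile of each device's own training distances, so TVR = 95% on the training set, and RRR counts rogue fingerprints with ZV > tV(i), exactly as Section 4.2 defines reject decisions.

```python
"""Constructed illustration of the Section 4 evaluation loop: nearest-mean
classification (%C), per-device verification thresholds t_V(i) set for
TVR = 95%, and Rogue Rejection Rate (RRR) accumulated over all 120 models.
Euclidean distance in raw feature space stands in for MDA/ML (assumption)."""
import itertools
import math
import random

N_TNG = 400        # constructed training fingerprints per device (paper: 2200)
TVR_TARGET = 0.95  # training threshold target from Section 4.2
DEVICES = tuple(range(1, 11))

# Constructed device centres (assumption): ZC4, ZC5, ZC6 and ZC10 sit within
# ~1.2 units of each other (hard to separate); every other pair is >= 6.8 apart.
CENTRES = {
    1: (8.0, 0.0, 0.0, 0.0), 2: (0.0, 8.0, 0.0, 0.0), 3: (0.0, 0.0, 8.0, 0.0),
    7: (0.0, 0.0, 0.0, 8.0), 8: (-8.0, 0.0, 0.0, 0.0), 9: (0.0, -8.0, 0.0, 0.0),
    4: (0.0, 0.0, 0.0, 0.0), 5: (1.2, 0.0, 0.0, 0.0),
    6: (0.0, 1.2, 0.0, 0.0), 10: (0.0, 0.0, 1.2, 0.0),
}


def make_fingerprints(seed=2018):
    """Constructed fingerprints: device centre plus unit Gaussian noise per feature."""
    rng = random.Random(seed)
    return {k: [[c + rng.gauss(0.0, 1.0) for c in CENTRES[k]] for _ in range(N_TNG)]
            for k in DEVICES}


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def class_means(fps, devices):
    """Per-device mean fingerprint (stands in for the MDA class means mu)."""
    return {k: [sum(col) / N_TNG for col in zip(*fps[k])] for k in devices}


def classify(fps, authorized):
    """Nearest-mean confusion matrix and %C = sum of diagonals / total trials."""
    means = class_means(fps, authorized)
    cm = {i: {c: 0 for c in authorized} for i in authorized}
    for i in authorized:
        for fp in fps[i]:
            cm[i][min(authorized, key=lambda c: dist(fp, means[c]))] += 1
    correct = sum(cm[i][i] for i in authorized)
    return cm, 100.0 * correct / (N_TNG * len(authorized))


def verification_thresholds(fps, devices):
    """t_V(i) = 95th percentile of device i's own training distances Z_V.
    Accept when Z_V < t_V(i); on the training set this gives TVR = 95% exactly."""
    means = class_means(fps, devices)
    k = round(TVR_TARGET * N_TNG)
    thresholds, tvr = {}, {}
    for i in devices:
        z = sorted(dist(fp, means[i]) for fp in fps[i])
        thresholds[i] = z[k]
        tvr[i] = sum(1 for v in z if v < thresholds[i]) / N_TNG
    return means, thresholds, tvr


def rogue_rejection_rate(fps, means, thresholds, rogue, claimed):
    """RRR for ZR_rogue presenting ZC_claimed credentials: fraction of rogue
    fingerprints whose distance to mu_claimed exceeds t_V(claimed)."""
    rejected = sum(1 for fp in fps[rogue] if dist(fp, means[claimed]) > thresholds[claimed])
    return rejected / N_TNG


def evaluate_all_networks(fps):
    """Enumerate the 120 models (lexicographic order matches the paper's
    numbering: #1 = {1,2,3}, #45 = {2,4,6}, #90 = {4,5,10}) and accumulate
    per-rogue RRR over every ZRj:ZCi assessment (21 per model, 2520 total)."""
    means, thresholds, _ = verification_thresholds(fps, DEVICES)
    # Without an MDA projection, mu and t_V do not depend on which devices
    # share a network, so each ordered (rogue, claimed) pair is scored once.
    pair_rrr = {(j, i): rogue_rejection_rate(fps, means, thresholds, j, i)
                for j in DEVICES for i in DEVICES if j != i}
    networks = list(itertools.combinations(DEVICES, 3))
    total = {j: 0.0 for j in DEVICES}
    attacks = {j: 0 for j in DEVICES}
    for rogues in networks:
        authorized = [d for d in DEVICES if d not in rogues]
        for j in rogues:
            for i in authorized:            # one ZRj:ZCi assessment
                total[j] += pair_rrr[(j, i)]
                attacks[j] += 1
    cumulative = {j: 100.0 * total[j] / attacks[j] for j in DEVICES}
    cross_zr = sum(cumulative.values()) / len(DEVICES)
    return networks, attacks, cumulative, cross_zr


if __name__ == "__main__":
    fps = make_fingerprints()
    networks, attacks, cumulative, cross_zr = evaluate_all_networks(fps)
    print(f"{len(networks)} networks, {sum(attacks.values())} ZRj:ZCi assessments")
    for j in DEVICES:
        print(f"ZR{j}: {attacks[j]} attacks, cumulative RRR = {cumulative[j]:.2f}%")
    print(f"cross-ZR average RRR = {cross_zr:.2f}%")
```

Running the block prints one cumulative RRR per ZRj in the layout of a single Table 7 row; the four clustered devices come out with markedly lower RRR than the well-separated ones, mirroring the ZR4/ZR6 versus ZR1/ZR3 pattern, while classify() applied to the model excluding {ZC1, ZC2, ZC3} versus the one excluding {ZC4, ZC5, ZC10} shows the same ordering of %C as Tables 5 and 6. The per-pair caching in evaluate_all_networks() is only valid because the simplified model has no network-specific projection; with a real MDA W trained per network, thresholds must be recomputed for each of the 120 models.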
For the overall poorest ZR4 and ZR6 results in Table 7 at SNRV = 12 dB there are eight network models (#17, #45, #66, #86, #91, #92, #93, and #94) that include both ZR4 and ZR6 serving as rogue devices. Considering only these models, the cumulative ZR4 and ZR6 results include RRR ≈ 85.25% and RRR ≈ 82.03%, respectively. The overall poorest ZR4 and ZR6 RRR results for these eight models at SNRV = 12 dB are presented in Figure 8 and occur for Model #45 with ZC1, ZC3, ZC5, ZC7, ZC8, ZC9, and ZC10 authorized devices. As estimated by averaging individual ZRj:ZCi RRR presented along Figure 8 x-axes, the average performance for ZR4:ZCi is RRR ≈ 84.14% and for ZR6:ZCi is RRR ≈ 77.56%. These are higher than the cumulative 120 model averages in Table 7 and thus do not represent the overall poorest ZR4 and ZR6 device results.
Figure 8 (image not reproduced). Rogue ID verification for (a) ZR4 and (b) ZR6 devices attacking Model #45 with ZC1, ZC3, ZC5, ZC7, ZC8, ZC9, and ZC10 network devices and contributing to the poorest (minimum) RRR shown in Table 7 at SNRV = 12 dB. Panel (a): ZR4 versus Model #45, average RRR ≈ 84.14%. Panel (b): ZR6 versus Model #45, average RRR ≈ 77.46%.
For completeness, the overall poorest ZR4 and ZR6 RRR results across all 120 models are presented in Figure 9, which shows that the lowest RRR results are obtained for separate models and include average RRR ≈ 73.27% in Figure 9(a) for ZR4 with Model #19 and average RRR ≈ 64.84% in Figure 9(b) for ZR6 with Model #4. While it is not immediately obvious why these are the two poorest cases, these ID verification results are consistent with the increased MDA/ML classification challenge noted in Section 4.1 for models based on similarly marked authorized devices. Specifically, the poorest RRR < 80% results in Figure 9 are all attributable to ZRj:ZCi combinations of the similarly marked ZC4, ZC5, ZC6, and ZC10 devices.
Figure 9 (image not reproduced). Overall poorest rogue ID verification performance across 120 models for (a) ZR4 and (b) ZR6 with the indicated network devices and contributing to the poorest (minimum) RRR shown in Table 7 at SNRV = 12 dB. Panel (a): ZR4 versus Model #19, average RRR ≈ 73.27%. Panel (b): ZR6 versus Model #4, average RRR ≈ 64.84%.
For the overall best ZR1 and ZR3 RRR results in Table 7 at SNRV = 12 dB there are eight network models (#1, #9, #10, #11, #12, #13, #14, and #15) that include both ZR1 and ZR3 serving as rogue devices. The overall best rogue ZR1 and ZR3 detection results for these models at SNRV = 12 dB are presented in Figure 10 and include assessments for Model #11 with ZC2, ZC4, ZC5, ZC7, ZC8, ZC9, and ZC10 authorized devices. As estimated by averaging the individual ZRj:ZCi RRR indicated along the Figure 10(a) and 10(b) x-axes, the average RRR performance across the best case ZR1:ZCi is RRR ≈ 99.31% and across all ZR3:ZCi is RRR ≈ 99.98%; this best case cross-ZRj RRR was observed for a majority of the models and ZRj:ZCi combinations considered.
Figure 10 (image not reproduced). Rogue ID verification for (a) ZR1 and (b) ZR3 devices attacking Model #11 with ZC2, ZC4, ZC5, ZC7, ZC8, ZC9, and ZC10 network devices and contributing to the best (maximum) RRR shown in Table 7 at SNRV = 12 dB. Panel (a): ZR1 versus Model #11, average RRR ≈ 99.31%. Panel (b): ZR3 versus Model #11, average RRR ≈ 99.98%.
5. Conclusion
An analytic development of CB-DNA Fingerprinting for conventional QAM features is presented, as well as its application to verification-based rogue detection demonstrated using ZigBee RZUSBSTICK communication devices. Results are based on experimentally collected signals, with postcollection fingerprint generation and authorized versus rogue device ID verification performed for 120 unique networks consisting of seven authorized and three unauthorized attacking rogue devices. Collective authorized device discrimination results for all 120 network configurations using an MDA classifier included (1) average cross-class percent correct classification of %C > 90% achieved for SNR ≥ 12 dB and (2) identification of device dependent verification thresholds yielding True Verification Rates (true positive) of TVR = 95% for all authorized network devices. The MDA network models were used for rogue device ID verification, and the Rogue Rejection Rate (RRR) (true negative) was estimated for all rogues presented to the networks. Collective rogue device detection results for SNR ≥ 12 dB included (1) cumulative average burst-by-burst RRR ≈ 94% across 2520 total rogue attack scenarios and (2) performance across 252 attacks per individual device spanning 83.32% < RRR < 99.81%. As a first successful proof-of-concept demonstration using CB-DNA Fingerprinting with conventional communication constellation features, these results are promising and further research is warranted.
Data Availability
The data used to support the findings is generally unavailable due to public releasability constraints. However, please contact the corresponding author for special release consideration.
Disclosure
The views expressed in this paper are those of the authors and do not reflect the official policy or position of the Air Force Institute of Technology, the Department of the Air Force, the Department of Defense, or the US Government. This paper is approved for public release, Case#: 88ABW-2018-2040.
Conflicts of Interest
The authors declare that they have no conflicts of interest.