Abstract

Applying channel information for user authentication is gaining attention in the area of wireless network security. Similarly, reconfigurable antennas capable of generating multiple decorrelated channel realizations have become increasingly popular in wireless systems. In this paper we propose and evaluate a channel-based authentication scheme that applies the capabilities of a pattern reconfigurable antenna for improved performance in user authentication. Field measurements of the channel frequency response employing such an antenna were performed to quantify the performance of the proposed scheme. Based on these measurements, we show the effect of correlation that exists between the different modes on the authentication performance. Furthermore, the performance gain that can be achieved by the scheme is studied as a function of the number of antenna modes. Offline mode analysis is performed to give a loose upper bound on performance while online mode analysis results are presented to quantify achievable authentication performance in realtime. A general guideline on how to choose the different elements of the decision metric in order to realize better performance for physical layer-based authentication schemes based on any diversity scheme is also developed.

1. Introduction

Large-scale proliferation of wireless technology, coupled with the increasingly hostile information security landscape, is of serious concern. The fundamental broadcast nature of wireless data transmission aggravates the situation since, unlike wired networks, it introduces multiple avenues for attack and penetration into a network. Currently known security risks include denial of service attacks, man-in-the-middle attacks, MAC address spoofing attacks, client-to-client attacks, network injection and brute force attacks against access point passwords [1]. These risks will continue to increase in number and sophistication as wireless networks start to carry increasingly more sensitive information.

While several established protection mechanisms such as cryptography-based techniques and wireless intrusion prevention systems exist, each method has its own weaknesses and is susceptible to failure under different circumstances [24]. The resulting uncertainties have led to a significant paradigm shift in the design and implementation of wireless security in recent times, where an increasingly cross-layer approach is being pursued to protect wireless networks [5–10]. One such avenue for security has been to use the physical layer information to protect against intruders and attackers. The idea of using physical layer information to enhance security has been approached under two broad categories. The first category of work focuses on cryptography-based techniques that utilize physical layer information to generate and share keys [11–14]. In the second approach, some form of the physical layer information associated with a device, such as channel frequency response or RSSI, is used as an identifier to differentiate between different devices and thus provide a mechanism for authentication [15–21].

In parallel to these developments, significant progress has been made in the design of reconfigurable antennas resulting in numerous designs that are reconfigurable in frequency, pattern, polarization, or a combination of these parameters [22]. For many new and emerging high data rate applications, pattern reconfigurable antennas are of special interest due to their ability to generate highly uncorrelated radiation patterns which can produce uncorrelated channel realizations in a multipath rich wireless medium for a given frequency [23]. Such antennas have gained widespread attention due to their ability to improve throughput and are gradually finding their way into commercial wireless systems. We contend that the uncorrelated nature of the channel realizations due to such an antenna also holds great potential to enhance physical layer based security schemes.

Previous works that explored the idea of physical layer information-based authentication are based on the use of conventional antennas [16–20]. The main purpose of this paper is to demonstrate how the capabilities of reconfigurable antennas to generate decorrelated channels can be used to enhance physical layer information-based device authentication schemes for wireless systems. However, it should be noted that the proposed security scheme is not meant to be a replacement for existing higher layer security algorithms. Instead it leverages the capabilities of reconfigurable antennas to provide an additional layer of security for wireless systems. Moreover this paper also develops a general guideline on how to choose the different elements of the decision metric in order to realize better performance for physical layer-based authentication schemes based on any diversity scheme.

The paper is organized as follows: we start with an overview of the security problem we are trying to solve in Section 2. The underlying wireless channel model is described in Section 3. An identification metric to be used in our authentication scheme and the associated identity test is introduced next in Section 4. Section 5 describes our channel measurement methodology and the reconfigurable antenna used for this study. The correlation that exists in the measured channels is analyzed in Section 6 which will serve to explain the results of our analysis that is discussed in Section 7. We will discuss practical systems issues in Section 8 before concluding our paper.

2. The Problem of Device Authentication

The problem that is being addressed in this paper is one of establishing the identity of a stationary transmitting device in a wireless network. Spoofing attacks in network security encompass a wide range of attacks that are based on one entity deceiving another to accept the attacking entity’s identity to be something else. Many variants of this attack rely on the attacker monitoring the packet flow between the victims to obtain some sensitive information that identifies one or both of the victims. Information obtained thus serves as the launching pad for more sophisticated attacks. Due to the unbounded nature of the medium employed, such information can be obtained easily in a wireless network, making such networks especially vulnerable to these attacks. Hence an additional mechanism for protection at the physical layer that can thwart such attacks can significantly enhance the security of a wireless network.

The proposed authentication scheme is based on the basic idea that the channel between the legitimate transmitter and receiver is difficult to replicate by a malicious entity. Different modes in a reconfigurable antenna present different views of this channel, and thus emulating all the channels seen by the different modes becomes a more difficult proposition for the intruder. Therefore associating a stationary device with a unique channel-based identifier or fingerprint could yield a robust authentication mechanism. It should be emphasized that this identifier utilizes the raw complex channel information rather than any abstracted power-based metrics such as RSSI. This allows the scheme to be more robust to attacks that try to circumvent it through simple power control. Moreover it should be noted that we do not attempt to localize the stationary transmitting device; rather, our goal is to find a unique identifier for each stationary transmitting device in the network based on its location. A data packet that generates the proper location fingerprint at the receiver can then be trusted to be arriving from the legitimate user and vice versa.

The problem scenario consists of three different players: a receiver (), a transmitter (), and an intruder (). In practice could correspond to a wireless access point while and correspond to two users trying to connect to . In practice it is more likely that a wireless access point would be equipped with a comprehensive reconfigurable antenna system due to space and cost constraints. Therefore we assume that a reconfigurable antenna with different configurations is employed only at with and equipped with conventional omnidirectional antennas.

The problem evolves as shown in Figure 1. and initiate a connection at the outset of the session and are in the process of exchanging information Figure 1(a). At this stage, measures and stores the channel between itself and for different antenna modes. starts monitoring this exchange during this session until it obtains the identifying information corresponding to Figure 1(b). After obtaining this information, tries to pose as to mislead , Figure 1(c). The goal now is to enable to distinguish between and at the physical layer based on the stored channel information. makes this distinction by comparing the estimated channels for the antenna modes for the incoming packet with the most recent copy stored in memory Figure 1(d). Based on the outcome of this test, makes a decision on whether the packet arrived from or not. It is assumed that performs this comparison periodically and holds the most recent copy of the channel information that passes the test in its memory for the next comparison.

3. Channel Model

Unlike mobile phone-based services, a multitude of current and emerging wireless data services involve stationary terminals at both ends of the link. The terminal locations are usually fixed or movements are localized to a very small area near the seated user for the duration of a session. Temporal variations in such channels, termed nomadic mobility channels, mostly arise due to movements of people and objects in the vicinity of the terminals. In this paper we limit our focus to such channels since they represent a common usage scenario for current high data rate applications. Challenges posed by large-scale terminal mobility are left for future study.

For a fixed link, the directional channel impulse response for an environment with clusters and rays per cluster is given by: where and are the transmit and receive angles, is the complex ray gain of the th ray in the th cluster, and and are their corresponding angles of departure and arrival. The narrowband channel impulse response corresponding to this cluster model is given by: where and are the antenna gain patterns at the transmitter and receiver, respectively. If we assume an omnidirectional radiation pattern at the transmitter, substituting (1) in (2) simplifies to For a sufficiently narrowband channel, we can assume flat fading, and will be given by a single complex number with distributed according to a Rayleigh or Ricean distribution. (3) quantifies the dependence of on the antenna configuration at the receiver. For the th receiver antenna configuration , we denote the corresponding channel by .

Previous measurement campaigns on nomadic mobility channels have shown that for stationary terminals, the temporal channel variations are imparted primarily due to shadowing and scattering by the moving scatterers in the vicinity of the link [24–26]. Figure 2 shows the temporal variation in the measured frequency response corresponding to a single link for a single-antenna mode (Section 5). The entire shaded region constitutes the total power variation in the channel over a period of approximately 6 hours during regular working hours when there was considerable human movement between the two ends of the link. The results follow similar trends that have been reported in earlier measurements where most of the variations are confined to narrow regions [24]. Consistent with the models proposed in the earlier works, we therefore model the channel as follows: where denotes the shadowing imposed on the time invariant component , is the additional small scale fading component induced by the scatterers, and denotes receiver noise. and can be modeled as a complex Gaussian process with 0 means and variances and , respectively. is modeled as a random variable with a log-normal distribution with 0 mean and variance .

4. Identification Metric and Identity Test

In order to perform the channel comparison, would require an authentication metric based on the channel information. The metric corresponding to the two channel realizations can be then used to make a decision about the transmitter’s identity. We start with a decision vector that is given by: where is a vector that consists of channel amplitudes corresponding to different receiver antenna modes. The vector can be considered as the spatial signature or fingerprint associated with a terminal at a particular location. The angle between two spatial signatures and in the dimensional space is now proposed as the test statistic to test if the signatures correspond to the same terminals: where and denote the packet indices whose corresponding channel vectors are compared. Other candidates for a test statistic include the Euclidean distance between the channels [15–17, 19] and difference in total channel power. However the angle-based statistic has two properties that make it attractive for a reconfigurable antenna-based authentication scheme. First, depending on the environmental conditions, channels from certain modes may be stronger than the others. Such stronger channels tend to dominate the value of the computed test statistic in distance- or power-based metrics, rendering the information contained in the weaker channels useless. However the angle-based test statistic weights channels from all the modes equally, resulting in better utilization of all the available information. Second, the support of the test statistic is naturally limited () and hence smoother distribution functions can be formed with limited number of training samples. This same property will also be desirable when offline learning techniques based on standard wireless channel models are employed to train the system in the future. Since the test statistic is the angle between the two spatial signatures, the vectors can be normalized without altering its value.
Therefore can now be written as: where and denotes the elements of the normalized vector. Moreover a bar denotes the modified quantity after normalization in the proceeding discussion. The duration of shadowing is long compared to the packet transmission times and considered to be constant for all antenna configurations at any channel estimation period. Therefore at time instant , the channel corresponding to a terminal is given by: From (9) and (8), the angle between this vector and another spatial signature at time instant is given by: involves the sum of a log-normal random variable and a normal random variable for which a tractable closed form pdf expression does not exist. Therefore we will resort to empirical density functions for obtained from measurements in our analysis.

However, previous studies have shown that the variable component is usually between 20 and 50 dB lower than the static component for the majority of the time [24]. Therefore for a simpler case where , can be written as:

Normalizing removes the effect of and can be written as: which is the “true” angle between the two channels corresponding to the two locations from which packets and originated.

Given the authentication metric , the problem of classifying the transmitter now becomes a hypothesis testing problem. We pick the null hypothesis to be that the incoming packet is from the same legitimate transmitter and the alternate hypothesis to be otherwise. Denoting the transmitter corresponding to as , the test can be written as: The conditional probability distributions of the authentication metric and the corresponding cumulative distribution functions will be denoted as follows: For a given false alarm rate a threshold can be found such that The probability of missed detection can be defined for this threshold as: For a given authentication metric we can now form estimates for and .

5. Measurement Setup and Reconfigurable Antenna

Channel measurements to evaluate the performance of the reconfigurable antenna-based user identification scheme were performed using a four-port vector network analyzer (VNA) (Agilent N5230A) by measuring between the transmitter and receivers. The location chosen for the measurements was a medium-sized laboratory on Drexel University campus. The laboratory is 20 m long, 8 m wide, and 4 m high. The lab has a back room separated from the main lab by a plaster wall and several cubicles segmented by metallic walls and has other typical laboratory furniture, electronic equipment, and cabling scattered throughout the room. The measurement layout and setup are shown in Figure 3. and locations were chosen so that there was a combination of both LOS and NLOS links. was equipped with the reconfigurable antenna to be described shortly. and were equipped with omnidirectional whip antennas. The antenna at the receiver was mounted at a height of 2.5 m while the antennas at the transmitters were mounted at the desk level of approximately 0.75 m.

The frequency was swept over a 22 MHz bandwidth centered at 2.484 GHz which corresponds to channel 14 of the IEEE 802.11n standard. 64 evenly spaced frequency samples were measured over this bandwidth. Two locations for and four locations for were chosen yielding a total of eight links. For each of these links, ten different locations were considered. For each (, , ) pair, channels corresponding to the - and - links were measured for 5 different antenna configurations at every 10 seconds for a total of 1000 samples. The time to complete each sweep was automatically set by the VNA to 130 msec. Due to speed limitations in the control board for changing antenna modes, a 0.25 second delay was introduced while switching between different antenna modes. Measurements were taken over several days during both morning and evening hours when the human traffic was moderate and low, respectively.

The reconfigurable antenna used in this work is a two-port microstrip composite right/left-hand (CRLH) transmission line leaky wave antenna (LWA) which is an antenna design inspired by metamaterial transmission lines [27]. Pattern reconfiguration in this antenna is achieved by varying the right and left handed capacitances of a leaky CRLH transmission line by means of varactor diodes placed on the structure. The phase constant of the unit cells that constitute the antenna is changed by varying the bias voltage on the varactor diodes which results in beams directed in different directions for a fixed frequency of operation. The patterns in the elevation plane for the five modes used in this study are shown in Figure 4. The choice of this antenna is justified by its ability to electrically steer the antenna beam while having a significantly compact form factor.

6. Channel Correlation

The elements of the decision vector correspond to channel estimates for the different antenna modes used in the reconfigurable antenna (i.e., this scheme is based on exploiting pattern diversity). However, we could devise a similar scheme by utilizing channel coefficients corresponding to different frequencies (frequency diversity) or spatial snapshots (spatial diversity). In this section we will empirically quantify the amount of correlation that exists between the elements in for different diversity schemes.

The pattern correlation coefficient between radiation patterns corresponding to antenna modes and is defined as [23]: where is the radiation pattern for the th mode and denotes complex conjugation. The correlation coefficients generated by this definition between azimuthal patterns for the five different modes used in our study are listed in Table 1.

Channel correlation coefficients with respect to the first antenna mode, averaged over the eight - links are shown in Figure 5. The first row of Table 1 is superimposed on Figure 5 to illustrate the influence of pattern correlation on the resulting channel correlations. Figure 5 follows the conventional wisdom that uncorrelated patterns lead to uncorrelated channels in rich multipath environments. The channel correlation coefficients with respect to the first measured frequency for the other frequencies are also shown in the figure. This result agrees with well known published results as well [28]. However, of interest to us is the comparison between the correlations arising from pattern and frequency correlations.

In our measured environment, approximately a 5 MHz frequency separation was required to achieve a correlation factor of 0.2 and 11 MHz separation for 0.1. However relying on frequency separation for channel decorrelation presents two problems. The first problem is that it is not straightforward to estimate the frequency separation required for a given level of decorrelation without proper knowledge of the RMS delay spread of the environment. Second, most wireless systems are band limited and our ability to span the frequency axis to achieve a required level of decorrelation may not be possible for many applications. On the other hand, using pattern diversity for applications requiring decorrelated channel realizations is a more “controlled” approach where antenna modes can be designed to exhibit a certain level of decorrelation which will translate to a similar level of decorrelation in the realized channels. For example with just two modes (mode 1 and 5) we are able to achieve correlation levels of less than 0.05. These correlation trends will serve to gain insights on some of the results to be discussed in the next section.

7. Numerical Results

The measurements gathered as described in Section 5 were analyzed to quantify the performance of the reconfigurable antennas-based authentication scheme.

For a given , and were obtained as follows.
(1) Pick a (, , ) combination and a frequency.
(2) Pick antenna modes. (e.g., for , there are possible selections.) ’s used in the following steps are formed by stacking the channels corresponding to the modes present in this combination.
(3) Compute by gathering ’s corresponding to -’s at time instants and ().
(4) For different determine the corresponding from this distribution.
(5) Compute by gathering corresponding to - at time instant and - at time instant ().
(6) From the different computed in step (3), determine the corresponding miss rate .
(7) Repeat steps (3–6) for all possible mode combinations.
(8) Repeat steps (2–7) for all possible (, , ) combinations.
(9) is averaged over all the possible combinations repeated in steps (7) and (8).

Similarly for frequency diversity, different antenna modes instead of frequencies are picked in step (1) and adjacent frequencies are chosen instead of antenna modes in step (2).
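The angle statistic and threshold test of Section 4, run through the offline procedure above, as an added Python example that is not the authors' code. It replaces the VNA measurements with a constructed simulation (independent Rayleigh modes; the shadowing, fading and noise levels are assumed values), and every function and parameter name is hypothetical.

```python
import math
import random


def angle(sig_a, sig_b):
    """Angle in radians between two spatial signatures (per-mode amplitude vectors)."""
    dot = sum(a * b for a, b in zip(sig_a, sig_b))
    norm = math.sqrt(sum(a * a for a in sig_a) * sum(b * b for b in sig_b))
    return math.acos(max(-1.0, min(1.0, dot / norm)))


def rayleigh_link(modes, rng):
    """Constructed static channel for one location: one unit-power complex
    Gaussian coefficient per antenna mode, modes mutually independent."""
    s = math.sqrt(0.5)
    return [complex(rng.gauss(0, s), rng.gauss(0, s)) for _ in range(modes)]


def observe(static, rng, shadow_db=2.0, fading_std=0.03, noise_std=0.01):
    """One signature: shadowing * static part + small-scale fading + noise.
    The log-normal shadowing is common to all modes of one estimate
    (all three levels are assumed, not measured)."""
    shadow = 10 ** (rng.gauss(0.0, shadow_db) / 20)
    sig = []
    for h in static:
        fading = complex(rng.gauss(0, fading_std), rng.gauss(0, fading_std))
        noise = complex(rng.gauss(0, noise_std), rng.gauss(0, noise_std))
        sig.append(abs(shadow * h + fading + noise))
    return sig


def threshold_for(h0_angles, alpha):
    """Smallest sample value such that at most a fraction alpha of the
    same-transmitter angles lies above it."""
    ordered = sorted(h0_angles)
    k = math.ceil((1 - alpha) * len(ordered)) - 1
    return ordered[min(max(k, 0), len(ordered) - 1)]


def miss_rate(h1_angles, threshold):
    """Fraction of intruder angles that fall at or below the threshold."""
    return sum(a <= threshold for a in h1_angles) / len(h1_angles)


def average_miss_rate(modes, alpha, links=100, packets=150, seed=1):
    """Miss rate at false alarm rate alpha, averaged over simulated links."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(links):
        tx, intruder = rayleigh_link(modes, rng), rayleigh_link(modes, rng)
        stored = observe(tx, rng)          # most recent legitimate signature
        h0, h1 = [], []
        for _ in range(packets):
            h1.append(angle(stored, observe(intruder, rng)))
            fresh = observe(tx, rng)
            h0.append(angle(stored, fresh))
            stored = fresh
        total += miss_rate(h1, threshold_for(h0, alpha))
    return total / links


if __name__ == "__main__":
    for m in (2, 3, 4, 5):
        print(m, "modes: average miss rate", round(average_miss_rate(m, 0.01), 3))
```

Because the shadowing factor scales every mode of one estimate equally, it cancels in the angle, which is also why a transmitter changing only its power leaves the statistic unchanged.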

Figure 6 shows the ROCs obtained for three different mode pairs (out of ten possible pairs) when two modes are used for authentication. The worst performing mode corresponds to the mode pair of (2, 3). This pair can be seen to have the highest pattern correlation from Table 1. The best performing mode corresponds to the mode pair (1, 4) which is near the lowest correlation level observed among the radiation patterns. Similar trends can be observed when frequency diversity is employed as well. However, large frequency separations (more decorrelation) are required between the frequency points used to obtain good performance.

The reason for the detection rate dependence on the correlation between the elements in can be explained: let us assume two modes or frequencies that are highly correlated. Due to environmental conditions or by deliberate manipulation (such as transmit power control, trying out different locations), the intruder’s channel corresponding to one mode may fall close to that of the legitimate transmitter. Now the probability of the other mode to fall close to that of the transmitter is also increased due to the high correlation and thus the addition of the new mode does not increase the quality of the spatial signature contained in . However if the modes are decorrelated, the ability for another user to accidentally or intentionally match all the channels of another user becomes probabilistically more difficult. Thus more decorrelated elements in the decision vector lead to improvement in detection rates. It is therefore clear that higher levels of pattern correlation impede performance and hence the different antenna modes used in the scheme should have low correlation between them.

Figure 7 shows the performance of the pattern diversity-based scheme in detecting intruders for different values of . For an of 1% decreases from 30% to 3% when is increased from 2 to 5. For a given , decreases with . As grows higher, the probability for the intruder channel to closely match all the channel elements in such that falls below threshold becomes low and hence detection rate improves.

It can be observed that the improvement in performance starts to reduce as is increased. For example for an of 1%, improves by 15% when goes from 2 to 3. This improvement reduces to 2% when increases from 4 to 5. Introducing an additional mode into does not necessarily keep the average interelement correlation at the same level before its introduction due to the different levels of correlation that exist between different modes. Due to the limited number of modes used in our study, this is especially true for higher (≥4) since consists of highly correlated modes and their contribution to the detection rate is only minimal. Hence we observe the diminishing returns in performance improvement as the number of modes increases. To demonstrate this effect, we resort to frequency diversity where the multiple elements in are picked to have low correlation between each other and the average correlation does not change when a new element is introduced. We pick frequencies that are separated by 5 MHz (resulting channel correlation <0.2 from Figure 5) for different values of . Figure 8 shows the resulting ROCs which indicate that as long as the average correlation among the elements is not diminished, introducing new modes or frequencies in will maintain the rate of improvement in detection rates. However this phenomenon should not discourage the use of a reconfigurable antenna-based solution since a multitude of reconfigurable antenna geometries exist that can generate several modes with very low correlation between all their patterns [29].

Finally, the performance of this scheme when operating in an online mode was analyzed. During this analysis, the number of samples from used for initially estimating is denoted by . corresponding to all the samples are used to form this distribution from which was computed for different . The most recent channel estimate to pass the authentication process was held in memory for the next test. Figure 9 shows the realized during this online operation for two different values of . The ideal curve for realized versus designed should be a straight line with gradient 1, since the designed and realized false alarm rates should be the same. However this behavior cannot be achieved perfectly in practice: the resolution of the support of is determined by the number of training samples used and therefore a smaller results in coarse estimates for . This in turn will result in a significant variation between the designed and achieved false alarm rates. Therefore the realized versus designed curve can be expected to approach the ideal case as increases which can be observed in Figure 9.

Achievable ROCs in real time with respect to the achieved are shown in Figure 10. The observed trends with respect to are comparable to that of the loose upper bound for performance obtained from the offline mode of analysis shown in Figure 7. Again it can be observed that due to better estimates for , higher yields better detection performance for a given . Interestingly, the ROC corresponding to can be observed to terminate near the region. This is due to the fact that, with at most 45 different s can be computed which sets the smallest resolvable false alarm rate to approximately 0.02. Similarly, though not shown in the figure, for , the curve will terminate near the region where . Therefore using a larger value for will improve the agreement between designed and achieved false alarm rates, improve the detection rate for a given false alarm rate, and enable the user to set much lower values for if required. Practical considerations regarding number of training packets are discussed in Section 8.
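The online mode described above, as an added Python example that is not the authors' code: the threshold is taken from all pairwise angles among the training signatures, and the most recent signature that passed the test becomes the reference for the next packet. The names (`n_train`, `OnlineAuthenticator`) and the constructed jitter model are assumptions; ten training signatures give 45 pairs, which reproduces the resolution limit of about 0.02 quoted above.

```python
import math
import random
from itertools import combinations


def angle(sig_a, sig_b):
    """Angle in radians between two per-mode amplitude vectors."""
    dot = sum(a * b for a, b in zip(sig_a, sig_b))
    norm = math.sqrt(sum(a * a for a in sig_a) * sum(b * b for b in sig_b))
    return math.acos(max(-1.0, min(1.0, dot / norm)))


class OnlineAuthenticator:
    """Trains on signatures of the legitimate transmitter, then tests each
    incoming packet against the last signature that was accepted."""

    def __init__(self, training, alpha):
        pairs = sorted(angle(a, b) for a, b in combinations(training, 2))
        # With P pairwise angles the empirical distribution moves in steps
        # of 1/P, so no designed false alarm rate below 1/P can be resolved.
        self.resolution = 1.0 / len(pairs)
        k = math.ceil((1 - alpha) * len(pairs)) - 1
        self.threshold = pairs[min(max(k, 0), len(pairs) - 1)]
        self.reference = list(training[-1])

    def check(self, signature):
        """Accept or reject one packet; only accepted packets update the reference."""
        accepted = angle(self.reference, signature) <= self.threshold
        if accepted:
            self.reference = list(signature)
        return accepted


def realized_false_alarm(n_train, alpha, packets=2000, modes=5, seed=7):
    """Fraction of legitimate packets rejected after training on n_train packets.
    Signatures are constructed: fixed amplitudes plus small Gaussian jitter."""
    rng = random.Random(seed)
    base = [rng.uniform(0.3, 1.5) for _ in range(modes)]

    def draw():
        return [abs(a + rng.gauss(0, 0.03)) for a in base]

    auth = OnlineAuthenticator([draw() for _ in range(n_train)], alpha)
    rejected = sum(not auth.check(draw()) for _ in range(packets))
    return rejected / packets, auth


if __name__ == "__main__":
    for n_train in (10, 25, 50):
        fa, auth = realized_false_alarm(n_train, 0.05)
        print(n_train, "training packets: resolution",
              round(auth.resolution, 4), "realized false alarm", round(fa, 3))
```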

8. Practical Considerations

There are several practical issues that need to be addressed in order to implement this reconfigurable antenna layer-based authentication system. We will briefly point out some of the issues and proposed solutions.

8.1. Channel Estimation

A key issue is how the channel estimates can be obtained for all the different modes without degrading throughput and power consumption. Figure 11 shows a possible structure of a transmit frame for use with this security scheme. The antennas can cycle through the modes during the transmission of an extended packet during which the channel estimation is also performed for the different modes. Padding is inserted between the payload and next training sequence to leave sufficient time for the antenna to change modes. Switches with speeds on the order of picoseconds do exist currently and can lead to shorter pad lengths required while switching between modes.

8.2. Missed Detections/False Alarms

As in the case of any intruder detection system, certain conditions may trigger too many false alarms such as significant changes in environmental conditions near the transmitter or receiver in our scheme. Upper-layer-based protocols can be designed to handle such situations. Similarly due to finite missed detection rates, intruder packets may go undetected. As noted previously, the purpose of this scheme is to add an additional layer of security to the system. Hence higher layer security measures should continue to play their part and should secure the system from such undetected malicious packets. Moreover the scheme is designed to thwart spoofing and man-in-the-middle attacks. Therefore it is assumed that the intruder will not commence transmission until the connection has been established between the legitimate transmitting ends during which initial training is performed and the scheme is initialized.

8.3. Training

As discussed in the previous section, more training packets will significantly enhance system performance. However training for long periods of time can have detrimental effects in terms of system throughput and power consumption. Therefore the amount of training required should be adaptively picked based on the required minimum false alarm rate as well as throughput requirements.

9. Conclusion and Future Work

A novel reconfigurable antenna-based physical layer authentication scheme for stationary devices was presented and analyzed. By taking channel measurements on a VNA it was shown that the ability to combine channel information from different antenna configurations can result in improved intruder detection. The relationship between the correlation among the elements in the decision metric and the authentication performance was analyzed. The results showed that the achieved performance improves as the average correlation that exists between the different antenna modes decreases. It was shown that by choosing modes that are highly decorrelated, high performance levels can be obtained even when operating in a system with very limited bandwidth. It was also seen that the performance of the scheme improves with more training in terms of detection rates as well as with realized false alarm rates approaching designed false alarm rates. Therefore next generation wireless systems that will be equipped with reconfigurable antennas can benefit from this scheme by employing the antennas to add an additional layer of security at the physical layer.

As a concluding remark, we would like to point out some research aspects of this scheme that are currently being pursued. As discussed in Section 4, the proposed scheme requires a decision threshold based on which the channel comparisons are made. Algorithms to adaptively pick and adjust the decision threshold during runtime are a topic for future research. Better authentication metrics than can be formulated by resorting to more complex signal processing techniques to extract the spatial features found within the channels arising from the different antenna modes is another topic for future research. The end goal of this research would be a complete system capable of employing the reconfigurable antenna adaptively to provide an additional layer of reliable and robust security.

Acknowledgment

This paper is based upon work supported by the National Science Foundation under Grant no. 1028608.