Sensitivity Analysis of Burst Detection and RF Fingerprinting Classification Performance

R.W. Klein, M.A. Temple, M.J. Mendenhall and D.R. Reising
Air Force Institute of Technology
Wright-Patterson AFB, Ohio 45433 USA
Email: michael.temple@afit.edu

Abstract—There has been a recent shift toward improving wireless access security within the OSI PHY layer by exploiting RF features that are inherently device specific and difficult to replicate by an unintended party. This work addresses the extraction and exploitation of RF “fingerprints” to classify emissions and provide device-specific identification. Burst transient detection precedes RF fingerprint extraction and is generally the most critical step in the overall process. This work provides a much needed sensitivity analysis of burst detection capability. The analysis is conducted using instantaneous amplitude responses with both Fractal-Bayesian Step Change Detection (Fractal-BSCD) and Variance Trajectory (VT) processes. The performance of each method is evaluated under varying SNR conditions using experimentally collected 802.11a OFDM signals. The impact of transient detection error on signal classification performance is then demonstrated using RF fingerprints and Multiple Discriminant Analysis (MDA) with Maximum Likelihood (ML) classification. The VT technique emerges as the better alternative for all SNRs considered and yields MDA-ML classification accuracy that is consistent with “perfect” transient estimation performance.

I. INTRODUCTION

Considerable research has been conducted on detecting and/or mitigating spoofing within the Medium Access Control (MAC) layer of the Open Systems Interconnection (OSI) stack [1], [2]. There has been a recent shift toward providing added security at the OSI Physical (PHY) layer by exploiting RF features that are inherently unique to a specific device and that are difficult to replicate by an unintended party.
For example, some efforts have investigated Received Signal Strength (RSS) (a power-based metric) for detecting and/or locating a spoofing node [1], [2]. Both of these efforts demonstrated some success at detecting spoofing using experiments conducted with different hardware and in different physical environments. RF fingerprinting work provides an alternative PHY layer approach but is dismissed in [2] for “scale” reasons. For applications where size constraints may not be a dominant factor, RF fingerprinting remains a viable alternative and is considered in this work. Collectively, related works in RF fingerprinting, electromagnetic signatures, intrapulse modulation, and unintentional modulation [3]–[11] form a solid basis for developing techniques that may be applicable to commercial communication devices.

If the inherent RF fingerprints are repeatedly extractable and unique, they may be used to identify the specific make, model, or serial number of a device. Previous work suggests that this uniqueness exists and is attributable to various manufacturing, aging, and environmental factors [3]. While several processing steps are required to effectively exploit RF fingerprints, transient detection is perhaps the most important [6], [8]. In this context, transient detection includes both the transient start time and signal duration over which fingerprints are extracted. Both of these factors are important given that improper selection of either can bias the processing to favor channel noise effects or steady-state signal effects [3].

Burst transients can be estimated using various emission features. However, instantaneous amplitude and instantaneous phase features are perhaps the most extensively investigated [3], [6]–[8]. With the exception of more recent work in [12] and [13], these previous efforts lack a detailed sensitivity analysis of burst detection and fingerprint classification performance under varying channel noise conditions.
This type of analysis is imperative for determining the minimum acceptable collected SNR that will provide consistent and accurate results. Establishing the minimum acceptable SNR also allows determination of the maximum transmitter-receiver separation distance, which would aid in laying out the physical hardware for network security. Noise sensitivity performance can also provide a good discriminator for comparing various detection and classification techniques.

For the work presented here, noise sensitivity analysis for transient detection performance is conducted for three noise-signal conditions, including:

1) noise only effects using a single collected 802.11a burst and multiple noise realizations,
2) signal only effects incorporating burst-to-burst signal variability with a single noise realization, and
3) combined noise-signal effects using multiple burst and noise realizations.

The impact of transient detection error on signal classification performance is then demonstrated using Multiple Discriminant Analysis with Maximum Likelihood classification (MDA-ML).

II. BACKGROUND

A. Fractal-Bayesian Step Change Detector

It has been demonstrated that transient detection can be accomplished using the fractal dimension measure followed by a Bayesian Step Change Detector [7]. This process is denoted here as Fractal-BSCD. The fractal derivation can be found in [14] and can be calculated using the following Higuchi method.

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2009 proceedings.
U.S. Government work not protected by U.S. copyright.
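An added example (not code from the paper): the standard Higuchi fractal dimension estimate applied to the instantaneous amplitude of a noise-only window and a burst window over repeated noise realizations, showing how the fractal dimension gap that a step-change detector depends on shrinks as SNR drops. The burst envelope, the helper names `amplitude` and `fd_gap`, and all parameter values are assumptions constructed for illustration; the Bayesian step change stage is not implemented.

```python
import math
import random

def higuchi_fd(x, kmax=8):
    """Higuchi fractal dimension: slope of ln L(k) against ln(1/k)."""
    n, pts = len(x), []
    for k in range(1, kmax + 1):
        lengths = []
        for m in range(k):                       # k decimated sub-series
            steps = (n - 1 - m) // k
            dist = sum(abs(x[m + i * k] - x[m + (i - 1) * k])
                       for i in range(1, steps + 1))
            lengths.append(dist * (n - 1) / (steps * k) / k)  # normalized length
        pts.append((math.log(1.0 / k), math.log(sum(lengths) / k)))
    mx = sum(p[0] for p in pts) / kmax
    my = sum(p[1] for p in pts) / kmax
    return (sum((a - mx) * (b - my) for a, b in pts)
            / sum((a - mx) ** 2 for a, _ in pts))

def amplitude(envelope, sigma, rng):
    """Instantaneous amplitude |s + w| with complex Gaussian noise w."""
    return [abs(complex(e + rng.gauss(0, sigma), rng.gauss(0, sigma)))
            for e in envelope]

def fd_gap(snr_db, trials=20, n=256, seed=1):
    """Mean FD(noise-only window) minus mean FD(burst window) at one SNR."""
    rng = random.Random(seed)
    # Constructed burst envelope (slow sinusoidal AM), not a real 802.11a capture.
    burst = [1.0 + 0.5 * math.sin(2 * math.pi * i / 32) for i in range(n)]
    power = sum(e * e for e in burst) / n
    sigma = math.sqrt(power / 10 ** (snr_db / 10) / 2)   # per I/Q component
    gap = 0.0
    for _ in range(trials):                      # independent noise realizations
        noise_fd = higuchi_fd(amplitude([0.0] * n, sigma, rng))
        burst_fd = higuchi_fd(amplitude(burst, sigma, rng))
        gap += noise_fd - burst_fd
    return gap / trials

if __name__ == "__main__":
    for snr in (30, 20, 10, 0):
        print(f"SNR {snr:>2} dB: FD gap = {fd_gap(snr):.2f}")
```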