A Channel-Based Hypothesis Testing Approach to ... - Semantic Scholar

A Channel-Based Hypothesis Testing Approach to Enhance User Authentication in Wireless Networks Jitendra K. Tugnait & Hyosung Kim Department of Electrical & Computer Engineering Auburn University, Auburn, Alabama, USA

Channel-Based Authentication Three entities: Alice, Bob and Eve. Alice is the legitimate transmitter to Bob. Eve is the potential spoofer who hopes to impersonate Alice. Objective: to provide authentication between Alice and Bob, despite the presence of Eve. PACKET 1:

ˆ AB H

Bob measures and stores the freq. response of the channel between Alice and him.

PACKET 2: 1

Bob receives · · · Is it from Alice?

L. Xiao, L.J. Greenstein, N.B. Mandayam, W. Trappe, “Using the physical layer for wireless authentication in time-variant channels,” IEEE Trans. Wireless Commun., 7/08.

Approach of Xiao et al, 2008 ˆ t of channel Bob estimates the frequency response H of packet 2. Binary hypothesis test: H0 : Ht = HAB H1 : Ht 6= HAB where ˆ AB = HAB ejφ1 + N1 , H

ˆ t = Ht ejφ2 + N2 H

Xiao et al (2008) use frequency response and a χ2 test.

Approach of Xiao et al, 2008: continued ... Wireless channel impulse response is doubly-selective in a way that is location-specific. The physical properties of the wireless medium are a powerful source of domain-specific information that can be used to complement and enhance traditional security mechanisms. In a richly scattered multipath environment, it is difficult for an adversary to create or precisely model a waveform that is transmitted and received by entities that are more than a wavelength away from the adversary.

Proposed Approach 1: Channel Impulse Response Comparison Assume a quasi-time-invariant channel y(n) =

L X

h(l)s(n − l) + v(n),

n = 1, 2, · · · .

l=0

Estimate the Alice-Bob channel vector of packet 1 hAB := [h(0) h(1) · · · h(L)]T ˆ AB using the training symbols. as h ˆ AB ∼ CN (hAB , Σ). h

Proposed Approach 1: continued ... Training symbols: s(n), n = n1 , n1 + 1, · · · , nm . iT y := y(n1 + L) y(n1 + L + 1) · · · y(nm ) h iT v := v(n1 + L) v(n1 + L + 1) · · · v(nm )   s(n1 + L) s(n1 + L − 1) · · · s(n1 )    s(n1 + L + 1) s(n + L) · · · s(n + 1) 1 1   S :=  . . . . .   .. .. .. ..   s(nm ) s(nm − 1) · · · s(nm − L) h

⇒ y = Sh + v.

Proposed Approach 1: continued ... ⇒ y = Sh + v. For channel identifiability, we need S to have full column-rank; so we need nm − n1 ≥ 2L. ˆ of h given We consider a least-squares channel estimate h by ˆ = (SH S)−1 SH y. h It then follows that ˆ ∼ CN (h, Σ), h

Σ := σv2 (SH S)−1

Proposed Approach 1: continued ... ˆt Estimate the ?-Bob channel vector ht of packet 2 as h using the training symbols. ˆ t ∼ CN (hAB + δhAB , Σ). Under H0 , h δhAB accounts for the change in the channel response from packet 1 to packet 2. Under H0 ,conditional on the channel,  ˆt − h ˆ AB ∼ CN (δhAB , 2Σ) . h

Proposed Approach 1: continued ... To get a handle on δhAB , assume that the channel is stationary, zero-mean, Gaussian random process with correlation function Rh (m) = E{h(n + m)hH (n)}. Under H0 ,averaging over the channel,  ˆ AB ∼ CN (0, Σδh ) where ˆt − h h

Σδh = 2Σ + 2 (Rh (0) − Re{Rh (ntd )}) ,

ntd = time difference between the two packets.

Proposed Approach 1: continued ... Under H0 ,   H  ˆt − h ˆ AB ∼ χ2 (2(L + 1)) ˆt − h ˆ AB h Σ−1 T := h δh A CFAR test with false-alarm rate PF A is H1

T R η H0

Proposed Approach 2: Residual Whiteness Testing Using the CSI acquired from packet 1, generate the linear innovations of packet 2 transmission and test to see if it is white. If the two transmissions have the same underlying channel, the residuals should be white. Construct a linear state-space model and apply Kalman prediction to generate residuals sd (n|n − 1). ǫ(n) := y(n) − yˆ(n|n − 1) = y(n) − hTd ˆ

Proposed Approach 2: continued ...STATE SPACE MODEL sd (n) = Φsd (n − 1) + Γ¯ s (n) + Γ˜ s (n) , y (n) = hTd sd (n) + v (n) , iT sd (n) := s (n) s (n − 1) · · · s (n − d) , h

s¯ (n) := E {s (n)} , s˜ (n) := s (n) − s¯ (n) ,   iT h 01×d 0  , Γ : = 1 01×d , Φ: =  Id 0d×1 h iT hd : = h(0) h(1) · · · h(L) 01×(d−L)

Approach 2: ... Kalman Predictor 1. Time update: ˆ sd (n | n − 1) = Φˆ sd (n − 1 | n − 1) + Γ¯ s(n), P (n | n − 1) = ΦP (n − 1 | n − 1) ΦH + Q(n) where

2. Kalman gain:

  σ 2 ΓΓH s Q(n) =  0

if s(n) is a data symbol if s(n) is a training symbol.

r(n) = σv2 + hH d P(n | n − 1)hd ,

k(n) = P(n | n − 1)hd /r(n);

3. Measurement update: n

hT sd (n dˆ

ˆ sd (n | n) = ˆ sd (n | n − 1) + k (n) y (n) − i h T P (n | n) = Id+1 − k (n) hd (n) P (n | n − 1) .

o

| n − 1) ,

Proposed Approach 2: continued ... Let ǫ(n) = ǫr (n) + jǫi (n). Estimate the real and imaginary parts of the autocorrelation function of the residuals as N −τ 1 X ǫr (n+τ )ǫr (n), rˆǫr (τ ) = N n=1

N −τ 1 X rˆǫi (τ ) = ǫi (n+τ )ǫi (n). N n=1

Under H0 , T := N

τ¯ X τ =1

"

rˆǫr (τ ) rˆǫr (0)

2

+



rˆǫi (τ ) rˆǫi (0)

2 #!

∼ χ2 (2¯ τ) H1

A CFAR test with false-alarm rate PF A is T R η H0

Simulation Example There are two frames of 200 symbols each (duration 200 µs) with a “gap” of 200 symbols. That is, first the “authenticated” user transmits a frame of 200 symbols; 200 µs later another frame is received. In simulations, when the second frame originates from the authentic user, in each run we generate a “long” doubly-selective channel spanning both frames and with the specified parameters. When the second frame is from the spoofer, in each run an independent doubly-selective channel is generated just for the second frame.

Simulation Example: continued ... We picked PF A = 0.02, uniform power delay profile, 3-tap channel with independent tap-gains following Jakes’ spectrum. τ¯ = 10 for residual whiteness testing Doppler shift fd =100Hz for threshold design in channel impulse response comparison.

Probability of authentic user detection vs Doppler: residual whiteness Wh−Test(98%),Jakes(100),L=2,SNR=20dB,T =1µs,m =100,5000Runs s

b

1 0.9

Prob { Authentic User }

0.8 0.7 0.6 0.5

"past packet" origin: authentic user origin: spoofer

0.4 0.3 0.2 0.1 0 0

10

20

30

40

50

f (Hz) d

60

70

80

90

100

Probability of authentic user detection vs SNR: residual whiteness Wh−Test(98%), Jakes(100), L=2, f =10Hz, T =1µs, m =100, 5000Runs d

s

b

1 0.9

Prob { Authentic User }

0.8

"past packet" origin: authentic user origin: spoofer

0.7 0.6 0.5 0.4 0.3 0.2 0.1 0 0

2

4

6

8

10

SNR (dB)

12

14

16

18

20

ROC: residual whiteness Wh−Test(98%),L=2,Jakes(100),SNR=20dB,T =1µs,m =100,5000Runs s

b

1 0.99

1

Prob { Spoofer | H }

0.97

0.95

0.93

0.91

0.89

0.87

0.85 0

fd=10Hz fd=40Hz fd=80Hz 0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

False Alarm Rate ( Prob { Spoofer | H } ) 0

0.45

0.5

ROC: residual whiteness Wh−Test(98%),L=2,Jakes(100),fd=10Hz,T =1µs,m =100,5000Runs s

b

1 0.99

1

Prob { Spoofer | H }

0.97

0.95

0.93

0.91

0.89

0.87

0.85 0

SNR=10dB SNR=14dB SNR=20dB 0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

False Alarm Rate ( Prob { Spoofer | H } ) 0

0.45

0.5

Probability of authentic user detection vs Doppler: CSI comparison CH−Test(98%),Jakes(100),L=2,SNR=20dB,Ts=1µs,mb=100,5000Runs

1 0.9

Prob { Authentic User }

0.8 0.7 0.6 0.5 0.4

design f =100Hz d

design f =200Hz d

origin: authentic user origin: spoofer

0.3 0.2 0.1 0 0

50

100 f (Hz) d

150

200

Probability of authentic user detection vs SNR: CSI comparison CH−Test(98%),Jakes(100),L=2,fd=10Hz,Ts=1µs,mb=100,5000Runs

1 0.9

Prob { Authentic User }

0.8 0.7 design fd=100Hz

0.6

design f =200Hz

0.5

d

origin: authentic user origin: spoofer

0.4 0.3 0.2 0.1 0 0

5

10 SNR(dB)

15

20

ROC: channel impulse response comparison CH−Test(98%),L=2,Jakes(100),SNR=10dB,T =1µs,m =100,5000Runs s

b

1 0.995

Prob { Spoofer | H1 }

0.99 0.985 0.98 0.975 0.97 0.965 0.96 fd=40Hz fd=80Hz fd=100Hz

0.955 0.95 0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

False Alarm Rate ( Prob { Spoofer | H } ) 0

0.45

0.5

ROC: channel impulse response comparison CH−Test(98%),L=2,Jakes(100),fd=80Hz,T =1µs,m =100,5000Runs s

b

1 0.995

Prob { Spoofer | H1 }

0.99 0.985 0.98 0.975 0.97 0.965 0.96 SNR=10dB SNR=12dB SNR=14dB

0.955 0.95 0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

False Alarm Rate ( Prob { Spoofer | H } ) 0

0.45

0.5

Thank you!