Professional Documents
Culture Documents
Abstract— The potential vulnerability to wireless spoofing bandwidth–hungry applications [1]–[3]. Due to their opera-
attacks is still a critical concern for Next Generation Internet tion at Super High Frequency (SHF) and Extremely High
of Things (NGIoT) networks which may result in catastrophic Frequency (EHF) bands, mmWave systems provide ultra-high
consequences in mission–critical applications. Conventional solu-
tions may impose additional signal processing, protocol, and speed and reliable communications in relatively short dis-
latency overheads which are inappropriate for NGIoT networks tances. This makes them a suitable communication approach
designed to provide high–speed and low–latency connections for for NGIoT applications that are deployed in populated envi-
a large number of resource–constrained IoT devices. In this ronments or in application scenarios in which a very high level
paper, we utilize the uniqueness of beam pattern features in of network connectivity is needed, e.g., V2X communications
mmWave–enabled devices and propose a scalable security mech-
anism for the detection of wireless spoofing attacks in NGIoT in Intelligent Transportation Systems (ITS), real-time sur-
networks. This uniqueness is proven to exist due to the non–ideal veillance cameras, Industrial IoT applications, high-precision
manufacturing of antenna arrays used in mmWave–enabled navigation systems, etc. In these applications, the detection
devices. In our approach, when legitimate mmWave–enabled of illegitimate network accesses is an open issue since they
IoT devices enrol into the network, their unique beam features are potentially vulnerable to wireless spoofing attacks, e.g.,
are learned by a learning model developed at the network
server. Then, during data transmission, network base stations Man–in–the–Middle attacks, device impersonation, session
(gNBs)/Access Points (APs) measure the beam features from hijacking, sinkhole attacks, etc. [4]–[6].
the received RF signals and send them to the network server There are several issues that render the conventional security
for the detection of anomalies. We develop our learning model solutions ineffective and/or inefficient to address wireless
based on Deep Autoencoders (DAEs) that are an effective tool spoofing attacks in NGIoT networks. (1) The lack of an
for anomaly detection. Fortunately, the beam feature extraction
can be performed using the beam searching mechanism that effective public key infrastructure (PKI) in large–scale IoT
is already provided in mmWave standards (5G–NR and IEEE networks prevents the employment of public key encryption
802.11ad). Thus, feature extraction does not introduce any signal techniques to perform secure device authentication and the
processing overheads to the system. Moreover, the proposed exchange of symmetric shared keys between IoT devices
mechanism imposes zero computation/communication overhead and gNBs/APs [7], [8]. (2) Limited computation and energy
to the resource—constrained IoT nodes. In our experiments,
we reached 98.6% accuracy in the detection of illegitimate devices resources of IoT devices may make the security solutions
which confirms the effectiveness of the proposed approach. inefficient [7], [9]. (3) IoT devices are usually vulnerable
to physical attacks (i.e., they might be physically accessed
Index Terms— 5G–NR, deep learning, Internet of Things (IoT),
IoT security, mmWave communication, physical layer security, by an attacker to obtain sensitive information, e.g., root
wireless spoofing attack detection. keys) [10], [11]. (4) NGIoT mission–critical applications
are latency–sensitive, thus, can not tolerate any additional
I. I NTRODUCTION latency overhead introduced by security solutions [6], [12].
(5) Security solutions based on public key cryptography rely
T HE Next Generation Internet of Things (NGIoT)
facilitates the development of innovative IoT applications
by integrating different technologies into conventional IoT
on the computational hardness of a mathematical problem
(e.g., discrete logarithm) which can be effectively solved by
systems. In this regard, millimeter wave (mmWave) wire- a quantum–enabled attacker in future [8]. (6) For highly
less communication (offered in 5G–NR and IEEE 802.11ad) dynamic IoT applications, e.g., Internet of Vehicles (IoV), IoT
is considered as a promising technology to address the devices may join or leave the network repeatedly and at any
energy efficiency and low latency requirements of these time. This results in large authentication overheads for the
devices as well as the network gNBs/APs [7], [13].
Manuscript received December 12, 2021; revised March 18, 2022; accepted To address these issues, physical layer security (PLS)
April 8, 2022. Date of publication April 28, 2022; date of current version
May 6, 2022. The associate editor coordinating the review of this manuscript is considered as a promising approach to provide light-
and approving it for publication was Prof. George Loukas. (Corresponding weight security solutions for IoT networks [7], [14], [15].
author: Mohammad Reza Nosouhi.) In PLS–based security approaches, the provenance of data
Mohammad Reza Nosouhi, Keshav Sood, and Robin Doss are with
the Centre for Cyber Security Research and Innovation, Deakin Uni- is checked by extracting and analysing the intrinsic features
versity, Geelong, VIC 3220, Australia (e-mail: m.nosouhi@deakin.edu.au; of Radio Frequency (RF) signals (known as RF signature)
keshav.sood@deakin.edu.au; robin.doss@deakin.edu.au). that are unique for every wireless IoT device. This feature
Marthie Grobler is with CSIRO’s Data61, Melbourne, VIC 3008, Australia
(e-mail: marthie.grobler@data61.csiro.au). uniqueness is a result of the non-ideality of RF circuits in the
Digital Object Identifier 10.1109/TIFS.2022.3170276 transmitter module (Tx) of wireless IoT devices. It is caused
1556-6021 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply
1670 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
by the non-ideality of Tx manufacturing processes and is very learning–based detection model. (2) The beam features are
expensive to avoid making the unique RF features difficult independent of the transmitted data. Thus, the proposed mech-
to forge (unlike the software–based characteristics) [16]–[18]. anism is a preamble–less physical layer security mechanism.
Thus, they could be utilized to ensure data provenance in IoT (3) The unique beam features of a single mmWave–enabled
networks [16], [19]. device are stable since they do not depend on variable device
In this regard, a number of device authentication mecha- parameters (e.g., power supply voltage) [24]. (4) The beam
nisms have been proposed based on RF signature (RF fin- features can be extracted using the beam searching mech-
gerprint) of IoT devices [16], [20]–[22], [23]. However, they anism which is a built–in procedure in mmWave standards
suffer from at least one of the following practical issues which (5G–NR and IEEE 802.11ad). Thus, feature extraction does
make them weak/inefficient for practical implementations. not impose additional protocol and signal processing over-
(1) They use RF modulation features (e.g., frequency and heads to the system. (5) No additional hardware/software
phase offsets) that are very limited in numbers. Consequently, modules are required at the transmitter side. Thus, it results
in large–scale IoT scenarios, the obtained low–dimensional in zero computation/communication overhead on the resource
feature space results in poor classification accuracy. (2) The constrained IoT nodes.
deployed RF features might be data dependent causing them Our experiments confirm the effectiveness of the proposed
to change when IoT devices send different bit streams. This mechanism in the detection of wireless spoofing attacks.
may degrade the classification performance [16], [24]. (3) In We achieved 98.6% of accuracy for 100 legitimate devices.
preamble–based approaches, the transmitter needs to include a Our main contributions are as follows:
specific preamble bit stream in the transmitted data to enable • We propose a lightweight security solution for the detec-
the receiver device to accurately extract RF features from the tion of wireless spoofing attacks in 5G mmWave–enabled
received signal. This results in additional bandwidth overheads NGIoT networks. The proposed mechanism is a practical
and may degrade the performance of IoT applications [16]. (4) approach that addresses the drawbacks of the current RF
The current RF fingerprint mechanisms may suffer from lack fingerprinting security solutions and can be integrated into
of stability in the RF features since a change in environment 5G–NR and IEEE 802.11ad mmWave communication
and/or device parameters (e.g., power supply voltage) may systems with no additional protocol overheads.
change the RF modulation features [16]. In addition to the • To address the scalability problem of the current RF
mentioned challenges, these approaches may introduce addi- fingerprinting mechanisms, we propose a scalable DAE
tional signal processing and protocol overheads to gNBs/APs. model that (regardless of the number of devices) performs
This is an important issue in IoT networks with a large number the recognition of legitimate devices in the form of a
of wireless IoT devices [21], [24]. binary classification problem.
Motivated by this, we propose a lightweight and • To make the malicious replay efforts unsuccessful,
learning–based security mechanism for the detection of wire- we propose a novel time–based solution that makes it
less spoofing attacks in 5G mmWave–enabled NGIoT net- infeasible for an attacker device to reuse the RF signals
works. In our system design, we utilize the unique beam of legitimate devices (obtained through eavesdropping
pattern features of the legitimate mmWave—enabled IoT attempts) and conduct a spoofing attack.
wireless devices to recognize an illegitimate device. Since In the reminder of the paper, we review the related work
the mmWave communication systems work at frequencies in Section 2 and present the proposed security mechanism
above 6 GHz (24 GHz to 52.6 GHz licensed band for 5G–NR in Section 3. Our security analysis and the results of our
and 60 GHz unlicensed band for IEEE 802.11ad [2], [25]) experiments are provided in Section 4 and 5 respectively.
the wavelength is in the mm range (5-12.5 mm). Thus, Finally, we conclude the paper in Section 6 by presenting a
large–scale array antennas can be fabricated on small physical summary and future work.
platforms. It has been proved that the non–ideal manufacturing
of theses antenna arrays makes the beam pattern features
of an emitted signal unique to the transmitter device [24]. II. R ELATED W ORK
However, authenticating a large number of IoT devices (using Previous research on the detection of wireless spoofing
a lightweight and learning–based classification model) may attacks focus on the utilization of unique characteristics of
result in poor classification accuracy (the scalability issue). radio communication channels [21], [27]. These approaches
For this reason, we propose a Deep Autoencoder (DAE) model work based on the fact that wireless channel impairments
that learns the device dependent beam features of legitimate such as path loss, shadowing, and multipath fading make the
IoT devices to identify illegitimate devices (anomalies). Using channel–dependent features location specific. Consequently,
this approach, the classification task is performed in a way RF signals sent from devices at different locations provide
that is similar to a binary classification problem. DAEs are features with different values at the receiver (e.g., received
known as effective Deep Learning–based models to perform signal strength (RSS), channel state information (CSI), channel
anomaly detection tasks [26]. Beside scalability, the significant frequency response (CFR), etc.). In [28], channel states of data
characteristics of our proposed mechanism are as follows: packets are used to detect spoofing attacks in dynamic wireless
(1) High–dimensional beam features are utilized to develop the networks. In this work, the interactions between spoofers
anomaly detection DAE model. Having a high–dimensional and a legitimate receiver during the authentication process
feature space improves the reliability and accuracy of the are formulated as a zero–sum authentication game. Using
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply
NOSOUHI et al.: TOWARDS SPOOFING RESISTANT NEXT GENERATION IoT NETWORKS 1671
reinforcement learning, a player obtains the optimum test Since the mmWave wireless networks have been recently
threshold in a dynamic environment. In [29], the authors have emerged (e.g., IEEE 802.11ad and 5G-NR), the detection
utilized signal processing and feature recognition techniques of wireless spoofing attacks in these networks has not been
to improve the attack detection performance. In this regard, thoroughly investigated so far. As far as we know, three
they introduce a novel pre–treatment mechanism based on research works have been published in this field so far. In the
sparse representation (SR) to reinforce signal characteristics. first work [34], the authors introduced a virtual channel model
To further increase the attack detection accuracy, the authors to enable spoofing detection in mm–Wave massive MIMO
have developed a fuzzy C–mean clustering algorithm to solve networks. In the proposed approach, the Euclidean distance
the recognition problem. of virtual channels are used to establish a binary hypothesis
An attack detection approach has been proposed in [30] test. Moreover, a novel solution has been proposed based on
that works based on the extraction and analysis of channel Neyman–Pearson testing to find the optimum threshold for the
fingerprints in a slow time–varying fading channel. In [31], Euclidean distance between channel matrices. However, their
a machine learning–based mechanism has been proposed to approach is based on the assumption that successive message
detect spoofing attacks in wireless sensor networks (WSNs) transmissions are occurred within the coherence time of the
based on the RSS parameter. The main idea behind the pro- communication channel. This can make the solution ineffec-
posed mechanism is based on the fact that due to shadowing, tive for applications with low message exchange rate. The
slow variations occur in the average RSS. The significant second work is a novel learning–based mechanism proposed
characteristic of the proposed algorithm is that it is optimized by Wang et al. [27] for the detection of spoofing attacks in
for scenarios where the legitimate node and the attacker are IEEE 802.11ad networks. In this work, it is proposed to utilize
located at a very close physical distance from each other signal to noise ratio (SNR) traces obtained at the receiver
which is the worst–case attack scenario. Another RSS–based during the sector level sweep (SLS) process to distinguish
mechanism has been proposed in [32] for the detection malicious signals from legitimate transmissions. Regarding
of identity attacks in IEEE wifi–based ad hoc networks. the learning model, backpropagation and forward propagation
In the proposed distributed mechanism, each wireless node neural networks have been proposed to provide effective
utilizes the channel characteristics and obtains the distance performance with small sample learning and allow for quick
parameters to detect malicious identities in its own radio model construction. However, scalability and device mobility
range. are two main concerns that have not been discussed in this
The attack detection mechanism introduced in [33] works work.
based on the analysis of time series of physical layer features Another interesting research in the field of device finger-
in a network of wearable devices. The novel idea of this work printing in mmWave wireless networks is presented in [24].
is based on the fact that body movement makes the RSS behav- Findings from this paper forms the basis of our work, specifi-
ior of off–body devices different from on–body devices. This cally the uniqueness of beam patterns. As far as we know, the
diversity in feature dynamics is used to distinguish legitimate uniqueness of beam features in mmWave wireless networks is
devices from malicious attackers. To find the optimum model introduced in [24] for the first time. The authors used several
for the prediction of RSS time series, the autoregression (AR) off-the-shelf mmWave devices to show that the identification
and long short term memory (LSTM) learning models have of these devices using their beam features is feasible. They
been used and a comparison based on the obtained results has achieved 99% identification accuracy. They also proposed a
been presented [33]. multiple access point architecture to utilize the spatial features
A number of RF fingerprinting mechanisms have been of device beam patterns since their findings show that a signal
proposed in the literature for the detection of wireless spoofing replay attack is feasible with high success rate in scenarios
attacks. In one of the most recent studies, Huan et al. [20] with a single access point. They have shown that the success
propose a novel mechanism to perform node identification rate of a replay attack is significantly reduced when using the
and spoofing attack detection in WSNs. In this approach, the proposed multiple access point architecture. In the following,
inherent (device dependent) clock skews of wireless nodes we describe the main characteristics that distinguish our work
are utilized to identify the legitimate wireless nodes in the from [24].
network. Two variations of this approach are proposed in the As pioneering work, the target of [24] is to show the feasi-
paper, i.e., centralized and distributed, to be used in single–hop bility of device identification using beam patterns, i.e., to iden-
and multi–hop WSNs, respectively. In [16], a learning—based tify each individual mmWave-enabled device using its unique
mechanism has been proposed to authenticate IoT devices beam features (i.e., device authentication). In this regard, they
based on the uniqueness of RF features. The authors have used have performed their experiments with a small number of
a supervising machine learning model to identify 10000 differ- devices (12 devices). However, further research efforts are
ent wireless devices and achieved the high accuracy of 99% required to develop a classification model that can classify
in their experiments. However, the deployed learning model a large number of devices using the proposed technique (i.e.,
has not been clearly discussed in the paper. This is very the scalability property). Our work, however, focuses on the
important since supervised machine learning models usually recognition of intruder devices from legitimate devices whose
have poor classification performance in the scenarios with a beam features have been already learned by the DAE model.
large number of classes. In addition, they have not proposed In other words, we do not employ a classification model to
a defence mechanism against replay attacks. identify specific devices (with specific access rights). Instead,
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply
1672 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
Fig. 1. (a) The proposed system architecture. (b) Basic geometry of an array antenna and a single antenna element.
we utilize the anomaly detection capabilities of DAE-based This process is performed during the beam searching phase
models for the accurate detection of intruder devices among a that is a built–in procedure of the mentioned protocols.
larger number of legitimate devices (100 devices). We assume the network gNBs/APs are trusted entities that
Moreover, in [24], to prevent signal replay attacks, the have been connected to a network server (through secure
authors have proposed a multiple gNB/AP architecture that connections) that is responsible for developing and running
uses the spatial features of beam patterns to address replay the learning-based anomaly detection model. Thus, any
attacks. In the proposed solution, the deployment position of wireless spoofing attack in the network is detected by the
gNBs/APs is critical because the beam features obtained by network server.
them will be very similar if they are placed too close to The proposed mechanism consists of a learning phase which
each other (i.e., no additional knowledge is obtained) [24]. is a one–time procedure and is performed when IoT devices
However, in our work, the security solution proposed in are enrolled into the network. In this phase, the beam pattern
Section 4.3 works in scenarios with a single gNB/AP as well. features of each individual IoT device are extracted by the
Motivated by this, we propose a DAE–based anomaly network gNBs/APs and sent to the network server where a
detection model that does not suffer from the scalability issue. dataset of the received features is created which is used to train
This is because using a DAE–based model, we solve the attack the learning–based anomaly detection model. In case of mobile
detection problem in the form of a binary classification prob- IoT devices, we assume the learning phase is performed at
lem (i.e., legitimate or spoofer). Thus, increasing the number different locations of the IoT devices such that the beam
of IoT devices does not change the required output classes of features are extracted from different orientation angles.
the learning model. Furthermore, our approach addresses the After the learning phase is completed, (during the normal
device mobility issue by performing the learning (training) data transmission phase) the trained model at the network
phase at different locations of the IoT devices such that the server applies the beam features (extracted from the RF signals
beam features are extracted from different orientation angles. of IoT devices) to the anomaly detection model to ensure data
provenance in the network. If a feature vector is extracted
III. T HE P ROPOSED S ECURITY M ECHANISM from a signal transmitted by an illegitimate device, the learning
model will detect it as an anomaly (since it has not learned it
In this section we present the proposed data provenance
before).
approach for the detection of wireless spoofing attacks in
NGIoT networks. We first describe the system model and
discuss the uniqueness of beam pattern features for every B. Beam Pattern Features
device. Then, we explain the feature extraction process and In this subsection, we discuss the uniqueness of beam
present the proposed DAE–based learning model for anomaly pattern features for each mmWave–enabled IoT device. Con-
detection. sidering the URPA antenna array discussed in the previous
subsection (which is the most common type of array antenna
A. System Model used in mmWave applications), the antenna beam pattern of
We consider a 5G–based IoT network with the array antenna is represented by
mmWave–enabled IoT devices (see Fig. 1–a). Each IoT device A P(θ, φ) = E P(θ, φ).AF(θ, φ) (1)
is equipped with a uniform rectangular planar array (URPA)
antenna. The number of antenna elements along the x and where E P(.) is the element pattern which represents the
y directions are M and N, respectively (Fig. 1–b). The radiation pattern of a single element. E P(.) is considered
feature extraction process is done at the gNB/AP which has equal for all the elements of the antenna if the array size
established a direct wireless communication link to the IoT is large [35], [36]. θ and φ are the azimuth and elevation
device based on either 5G–NR or IEEE 802.11ad protocols. angles, respectively. AF(.) is the array factor that is obtained
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply
NOSOUHI et al.: TOWARDS SPOOFING RESISTANT NEXT GENERATION IoT NETWORKS 1673
by applying the complex weight parameters wmn = αmn e jβmn used in mmWave circuits, the dimensional parameters of the
(antenna elements excitation) to the following steering vector antenna array need to be smaller (e.g., the dimensions of
S(θ, φ): patch, substrate, and microstrip line). Thus, the fabrication of
antenna arrays should be performed using extremely accurate
S(θ, φ) = SxT (θ, φ).Sy (θ, φ), (2)
instruments and procedures which is very expensive. Thus, the
The steering vector is used to perform beam steering which is variations in dimensional parameters result in final antenna
done to dynamically change the direction of the main lobe of arrays with unique dimensional features. Note that these
a radiation pattern in real time without making any change in variations do not degrade performance of the Tx module since
the antenna elements. In (2), Sx (.) and Sy (.) are the steering they are effectively compensated at the receiver circuit (Rx)
vectors on the x and y directions, respectively, that are given (see [24] for more detail).
by the following equations [36]: The third source of beam feature uniqueness in mmWave
2π 2π array antennas is the relative permittivity (r ) of the substrate
Sx (θ, φ) = [1 e j λ x 1 sin(θ)cos(φ) ej λ x 2 sin(θ)cos(φ) ... material used in each antenna element. As Fig 1–b shows, the
j 2π
... e λ x M sin(θ)cos(φ) T] , basic geometry of an antenna element consists of a substrate
Sy (θ, φ) = [1 e j 2π
λ y1 sin(θ)sin(φ) ej
2π
λ y2 sin(θ)sin(φ) ... material that supports the metallic patch over a ground plane.
The main function of the substrate is to concentrate the electro-
j 2π
... e λ y N sin(θ)sin(φ) T] magnetic fields beneath the patch [38]. According to Equation
In these equations, λ is the carrier wavelength and (x m , yn ) (4), the relative permittivity (r ) of the substrate material is an
is the coordinates of the antenna elements, for m = important parameter with a significant impact on the resonance
1, 2, . . . , M and n = 1, 2, . . . , N (see Fig. 1–b). After apply- frequency. Thus, the unwanted and unavoidable variations in
ing the excitation weights wmn on (2), the array factor AF(.) r of the substrate material used in the antenna fabrication
is obtained as: process acts as a sources of beam feature uniqueness. In [24],
LTCC Ferro A6–S [41] has been deployed in the experiments
M
N
j 2π
λ sin(θ )(x m cos(φ)+yn sin(φ)) which is a popular substrate used for mmWave antenna. This
AF(θ, φ) = αmn e jβmn e
substrate has a relative permittivity of 5.9 with 7% error which
m=1 n=1
results in the final r of 5.9 ± 0.2 [41].
Assuming x m+1 − x m = dx ∀m ∈ {1, 2, . . . , M − 1} and Therefore, the discussed variations in the parameters of
yn+1 − yn = d y ∀n ∈ {1, 2, . . . , N − 1}, we have antenna arrays created during the fabrication process generate
M
N
j 2π
unique device dependent beam pattern features that can be
λ sin(θ )(mdx cos(φ)+nd y sin(φ))
AF(θ, φ) = αmn e jβmn e (3) recognized using a learning–based model to identify illegiti-
m=1 n=1 mate wireless IoT devices that attempt to perform a wireless
From equations (1) and (3), it is concluded that the array spoofing attack. Fortunately, unlike most of the RF modulation
factor (and the beam pattern of the array antenna, conse- features deployed in the current RF fingerprint mechanisms,
quently) depends on a number of device dependant parameters. the discussed antenna array features do not change over time
Firstly, the non–ideality of the phase shifter units used to (e.g., by a change in power supply voltage). This provides a
generate βmn creates unique excitation phase shifts in each high level of stability for our proposed security approach.
device. In fact, low resolution phase shifters that are typically
deployed to generate the phase shifts make the generated βmn C. Feature Extraction
phase shifts unique for every device [24]. For example, the
passive 3–bit phase shifter proposed in [37] results in a phase In this subsection, we discuss the extraction of beam
error of 10.4◦ at 57–67 GHz. This indeed creates a unique features from the mmWave signals received by the network
RF signature for every mmWave–enabled device considering gNBs/APs. In this regard, we focus on the of 5G–NR and
a large number of antenna elements (M and N). show that the beam features can be measured based on the
Secondly, the beam pattern is a function of the dimensional Sounding Reference Signals (SRSs) that are transmitted by
parameters that are implemented through non-ideal fabrication mmWave–enabled mobile devices during the beam manage-
processes during the manufacturing. Specifically, E P(.) is a ment procedure defined in the 5G–NR standard protocol. For
function of the width and length of the element’s patch as well IEEE 802.11ad, the measurement of beam features has been
as the thickness of the substrate [24], [38]. For example, the discussed in [24].
resonance frequency of the antenna patch is represented by 1) Beam Searching: Unlike the conventional cellular tech-
nologies, in 5G–NR, the network base stations (called gNBs in
C
fc = √ , (4) 5G) are equipped with large–scale antenna arrays to cover each
2L e (L, W, h) e (r , W, h) of the three 120◦ sectors. In fact, the beam–based cell sector
where C is the speed of light in vacuum. L e and e are coverage is deployed to increase bandwidth efficiency, system
effective length and effective dielectric parameter that are a capacity, and throughput [42]. In other words, every mobile
function of dimensional parameters of the antenna elements device connects to a gNB through a single beam only that is
(L and W are length and width of the patch, respectively, determined through a set of beam management phases. Note
and h λ is thickness of the substrate) [39], [40]. In par- that these different beams can be transmitted at the same time
ticular, with the higher frequencies (smaller wavelengths) using the same frequency. This creates a significant increase in
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply
1674 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
the system capacity and throughput. In the following, we first beam features required in both training and anomaly detection
provide a brief explanation of the beam management phases phases of the proposed security mechanism. In this regard,
in 5G–NR. Then, we show how the beam features can be the antenna pattern A P j (θ, φ) for the j th received beam
measured based on the standard SRS signals. ( j = 1, 2, . . . , J ) which is measured by the gNB during
2) Beam Management: In 5G–NR, a set of beam man- the periodic beam management procedure is labelled with
agement operations are performed to effectively provide both the ID of the associated device and sent to the network
initial access (for idle mobile devices) and beam tracking server through the secure backhaul link. As we discussed
procedures (for already connected mobile devices). Unlike in the previous subsection, the measurement of A P j (θ, φ) is
LTE, in 5G–NR, the signalling (control) procedures are per- carried out by the gNB based on the received uplink SRS
formed using the beam–based approach. In LTE, these pro- beams. Note that the measurement of beam features should
cedures are carried out using omnidirectional signals, i.e., be performed during the beam tracking phase. This is because
the (small scale) beamforming and directional transmissions in 5G–NR, no uplink beam is used during the initial access
are provided for data plane transmissions only [43]. The phase (it is the gNB that starts the beam sweeping procedure).
5G–NR beam management framework consists of four dif- In fact, for the sake of simplicity and to take advantage of
ferent operations [42], [44]: the standard functionality of 5G–NR beam management, our
A) Beam sweeping which is a technique for sequential security mechanism ignores the initial access phase and starts
transmission of a set of beams such that they cover (sweep) to work (measuring the beam features of the mobile devices)
a spatial area. These beams called Synchronization Signal once their connection with the gNB is established (the initial
Blocks (SSBs) and are formed/steered using the predefined access phase is completed). However, this has no negative
direction codebooks (identified by specific beamforming vec- effect on the performance of the proposed security mechanism
tors) that cover the whole space in both azimuth and elevation since no sensitive data is transferred during the initial access
directions. phase. In other words, if an illegitimate device can successfully
B) Beam measurement that is performed to evaluate quality initiate a connection with the gNB, it will be immediately
of the received signal at the gNB or mobile devices (for recognized as a illegitimate device once it sends the SRS
uplink and downlink communications). For the initial access beams.
procedure (when a mobile device is in the idle mode), the Thus, considering a specific mobile device, the network
mmWave–based measurement is done by the mobile device server receives a set of J different beam features mea-
based on the received SSB bursts (In 5G–NR, uplink signals sured from J consecutive beams transmitted by the device,
are not used for initial access [42]). However, in the beam i.e., B F = [ A P1 (θ1 , φ1 ), A P2 (θ2 , φ2 ), . . . , A PJ (θ J , φ J )]T .
tracking procedure, the operation of beam measurement is As you see, the size of the feature vector BF can be increased
different for uplink and downlink paths. In the downlink path, by selecting a large J , i.e., by increasing the number of
the beam measurement is done by the mobile device based device’s consecutive beams that are used for feature measure-
on the received synchronization and reference signals (SSB ment. This improves the accuracy of the DAE learning model
blocks and CSI–RSs) transmitted by the gNB. The CSI–RSs used for the detection of anomalies. Moreover, each feature
(Channel State Information Reference Signal) are reference measurement is a function of the azimuth and elevation angles
signals that are used in the beam tracking phase only (for the (i.e., θ j and φ j ). If the device is considered to be stationary,
connected devices). In the uplink path, the measurements are the azimuth and elevation angles do not change at different
done by the gNB based on the SRSs transmitted by the mobile beam transmissions. Thus, we have θ1 = θ2 = . . . = θ J
device. In our proposed security mechanism, the beam feature and φ1 = φ2 = . . . = φ J in the vector of beam features.
can be measured by gNBs using the received SRS beams. In this case, assuming the DAE–based anomaly detection
C) Beam determination is the selection of the beam with model has been trained using the beam features obtained at the
the highest quality based on the measurements done in the same angles, the model can effectively recognize the feature
previous step. It is done by either the gNBs or by the mobile vector as either normal or anomaly. However, for mobile
device to determine the best uplink and downlink beams, devices, the angles may change at each beam transmission.
respectively. The determined beams are used for the subse- In this case, the collected feature vector may have too much
quent transmissions until another beam with higher quality distance from the vectors used in the training of the DAE
is detected (this may happen due to device movements and model. This would result in the degradation of the DAE’s
changes of channel conditions). detection accuracy. To address this issue, the training dataset
D) Beam reporting which is used by the mobile device to should be created based on the beam features measured at
send beam quality information to the network. different azimuth and elevation angles. This has a significant
The periodic repetition of the above–mentioned opera- impact on the performance of the proposed security approach
tions enables the mobile devices and gNBs to collaboratively because if the dataset misses the feature vectors collected at
choose/update the best transmitter and receiver beam pairs specific angles, it may later ruin the effect of beam feature
over the lifetime of their communication. uniqueness that is the foundation of this approach. Therefore,
3) Measurement of Beam Features: As explained in the pre- having a comprehensive and large training dataset is critical
vious subsection, beam measurement is an important built–in for the DAE model to provide the maximum attack detec-
operation of the standard 5G–NR beam management proce- tion accuracy in mobile scenarios. This can be achieved by
dure. We take advantage of this operation to generate the defining specific procedures for beam feature collection at
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply
NOSOUHI et al.: TOWARDS SPOOFING RESISTANT NEXT GENERATION IoT NETWORKS 1675
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply
1676 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
(MSE), Euclidean Distance, etc.), the relevant autoencoder to reach the optimum parameters. Using larger values for
problem is to find α and β such that the expected value of results in faster training but at the risk of missing the optimum
the dissimilarity function
is minimized, i.e. values (loss in accuracy). On the other hand, a smaller makes
i the convergence of algorithm slower. When the optimization
min E x p i (
(fi , f̂ )) = min E x p(
(fi , gθ ◦ gψ (fi ))) problem is solved, parameters α and β are obtained. This
(α,β) (fi ,f̂ )∼ρ (α,β)
means that the autoencoder model has been built and vectors
Because the probability distribution ρ is unknown, it is i
f̂ = gθ ◦ gψ (f j ) can be obtained as the reconstructed vectors.
not feasible to obtain the expected value of the dissimilarity
function. Thus, we limit the autoencoder problem to the space
of the training vectors, i.e. Algorithm 1 The Detection Mechanism
Inputs: xi (The RF signal claiming to be from the ith legitimate
i
n
IoT device)
i
mi n
(f , f̂ ) = mi n
( f j , gθ ◦ gψ ( f j )) di (address of the ith legitimate IoT device)
(α,β) (α,β)
j =1 J (number of features)
et hr (error threshold)
The above autoencoder problem is solved for every fi and Output: R ∈ {“Authorized Access”, “Spoofing Device Detected"}
i
f̂ in F and F̂ (respectively), i.e., all the vectors in the training 1: f(xi , t) = Beam Measurement(xi )
i
dataset are learnt. Different types of autoencoders can be 2: f̂ = DAE(f(xi , t))
i
derived from this general model depending on the choice of 3: err or =
(f(xi , t), f̂ ) = n1 nj =1 ( f j (xi , t) − fˆji )2
functions f α , fβ , and the dissimilarity function
. More- 4: if err or ≤ et hr :
over, applying additional constraints such as regularization return “Authorized Access”
else:
can change the type of autoencoder. For example, if MSE return “Spoofing Device Detected”
is selected as the dissimilarity function, for the autoencoder
problem we have
1 1
n n
mi n ( f j − fˆ j )2 = mi n ( f j − gθ ◦ gψ ( f j ))2 D. Complexity Analysis
(α,β) n (α,β) n
j =1 j =1
In this subsection, we analyze the computational complexity
To solve the above autoencoder problem, gradient–based of the proposed anomaly detection model. We firstly empha-
optimization approach is a popular and effective method to size that the proposed scheme imposes zero computation and
choose. There exists several versions of gradient–based opti- communication overhead to the IoT devices. This is because
mization algorithms. For example, in Batch Gradient Descent the scheme does not rely on the cooperation of IoT devices
(BGD), the gradients of all samples are calculated at first. and their beam features (i.e., RF signature) are extracted from
Then, based on the obtained gradients, the neural network the RF signals transmitted for their normal communications.
parameters are updated. However, it is used in offline training Instead, the main computation burden of the scheme is carried
applications in which the whole set of the training dataset is by the backend server that runs the DAE–based anomaly
available. However, in online (real–time) applications, training detection algorithm. Assume the DAE model consists of L
samples may become available after the model is employed. layers where layer 1 and L are the input and output layers,
On the other hand, Stochastic Gradient Descent (SGD) can respectively. Consider the DAE model as a fully connected
be used in online training applications. Each time, it updates network of neurons (see Fig. 2), i.e., the worst-case scenario
the parameters using an instant training sample [34], [35]. in terms of computational complexity. We refer to the size of
In other words, in BGD, all the training samples must be learnt i th layer as n (i) (i ∈ {1, 2, . . . , L}) which is the number of
before a single update is done on the network parameters. neurons in that layer. In this case, we have n (1) = n (L) = n,
However, in SGD, one or a subset of the training samples where n is the size of feature vectors. The output of i th layer
can be learnt in order to update the network parameters. This is written as
makes SGD an efficient optimization algorithm. Specifically,
in high–dimensional optimization problems, SGD performs y (i) = [y1(i) y2(i) . . . yn(i)(i) ],
very efficient in terms of speed and computational overhead. (i) n(i−1) (i) (i−1) (i)
Since we build the autoencoder for an online (real–time) where, y j = g( k=1 w j k yk ) in which w j k is the weight
(i−1)
application with a huge number of data points, we solve of j th neuron in layer i applied to yk , and g is the
the autoencoder problem using the SGD approach. Therefore, activation function deployed in layer i . Therefore, the number
we have of multiplications and additions required to compute y (L) (the
final output of the DAE network) are obtained as follows.
α (k+1) = α (k) − (k) ∇α
i (α (k) )
At each layer i (i ∈ {2, 3, . . . , L}), n (i) output values
β (k+1) = β (k) − (k) ∇β
i (β (k) ) (i) (i) (i))
must be computed (i.e., y1 , y2 , . . . , yn(i) ). The computa-
(i)
where ∇α
i (α (k) ) and ∇β
i (β (k) ) are the gradients taken tion of each value y j requires n (i−1) multiplications and
(n (i−1) − 1) additions. Thus, the total number
using α and β, respectively (considering a training sample L of required
fi ). is the learning rate that is used to adjust the speed of multiplications and additions are N M = i=2 n (i) n (i−1) and
L
convergence. It determines the size of steps that are taken N A = i=2 n (i) (n (i−1) − 1), respectively.
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply
NOSOUHI et al.: TOWARDS SPOOFING RESISTANT NEXT GENERATION IoT NETWORKS 1677
we identified the following critical challenges that the attacker ing phase while it measures B Fat t = [ A Pat1 t (θat 1 , φ 1 ),
t at t
needs to address them before conducting such an attack. A Pat t (θleg , φat t ), . . . , A Pat t (θleg , φat t )] from the relayed
2 2 2 J J J T
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply
1678 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
j j j j
signal, where (θleg , φleg ) = (θat t , φleg ) for j = 1, 2, . . . , J . respond to duplicate authentication requests. Assume the D L
To overcome this challenge, the attacker device has to be and D A ’s requests are the only unhandled A Req messages
placed on the direct communication path between the legit- in the network. The network server then replies to D L by
imate device and the gNB such that both the attacker device sending the Authentication Response (A Res) message to it
and the gNB experience the same azimuth and vertical angles. which includes a random number r1 . In fact, it asks D L to
Therefore, the security properties of our proposed mecha- send r1 back to the network. At the same time, it starts a
nism combined with the unique characteristics of the massive timer initialized with a short and predefined period of time τ .
MIMO technology create the above–mentioned challenges for However, when the network server receives the A Req message
the attacker. However, in this paper, we assume a powerful of D A , it does not send an A Res message to it until the timer
attacker who is able to address these challenges and proceed is up. Upon receiving the A Res message, D L transmits a
with the attack. In this regard, we propose a delay–based reply signal (with r1 in it) which is processed by the gNB
supplementary technique to fully address the issue. Before we to extract its beam features. This signal is targeted by D A
explain this solution, we present the attack model in the next to be intercepted and relayed to the gNB. However, D A has
subsection. not received any A Res message from the network yet, thus,
it can not relay the signal immediately. In other words, the
B. Attack Model eavesdropped signal must be delayed by D A until the relevant
A Res message is received which includes the random number
The target of the attacker device D A is to gain access to
r2 . This is an infeasible task for D A to perform if τ is
the network by taking advantage of the authentication signals
large enough (e.g., >1 msec). In fact, creating delay in the
transmitted by a legitimate device D L . To do this, D A attempts
transmission of a radio signal without making changes on the
to intercept and relay D L signals that are sent during the
signal features is infeasible. The current passive delay line
network authentication procedure. We assume our proposed
solutions work mostly based on either coaxial/optical fibre
security mechanism is used by the network to ensure the prove-
cables [48] or electro–acoustic devices [49], [50]. However,
nance of the authentication messages received from wireless
when delays in the millisecond (or larger) ranges are required,
devices. Regarding the network architecture, we consider all
these solutions are impractical. For example, considering the
the assumptions that we made in Section III.A. In addition,
speed of light in a coaxial/optical fibre cable, 200 metres of
we assume that the network server authenticates the devices
the cable is required to delay the signal by 1 microsecond.
in the network. It is supposed that the server does not respond
Therefore, the selection of τ in the millisecond range
to duplicate authentication requests (that belong to the same
prevents the attacker to deploy the required delay line. On the
device ID) and accepts only the first requests.
other hand, adopting a large τ may negatively affect the
We assume D A has been equipped with a mmWave–enabled
performance of the IoT application. In this regard, if we
transceiver and has the knowledge of communication channel
consider τ = 1 msec, the server will be able to authenticate
between D L and the gNB. Moreover, D A can be placed in
1000 devices per second (regardless of other delays caused
a position close enough to D L such that it can effectively
by signal propagation, processing, software running, etc.).
eavesdrop its communications. This position is assumed to be
Moreover, in this case, the created delay is smaller than
on the communication path between D L and the gNB, thus, the
the latency requirements of most of the latency critical IoT
discussed azimuth and elevation angles do not change during
applications [51].
the signal relay. We assume the DAE–based model has been
trained with the beam features of D L and other legitimate
devices. Thus, it effectively distinguishes the legitimate beam V. P ERFORMANCE E VALUATION
features from illegitimates. In this section, we present the results of our experiments
and discuss the feasibility of the proposed security mechanism.
C. Delay–Based Supplementary Technique We first explain the setups of our experiments and discuss the
method used to create the dataset of device features for the
To fully address the relay–based attacks, we propose a training of the DAE module. Then, we present the results of
delay—based technique using which the network service our experiments.
schedules the transmission of authentication responses to the
network IoT devices who have submitted a network access
request. This is done in such a way that the signal relay A. Experimental Setup
attempts made by D A become ineffective and are not con- To perform our experiments, we used 5G Toolbox, Antenna
sidered by the network. Array Designer App, and Phased Array System Toolbox of
To better explain this, assume D A (that is eavesdropping MATLAB [52] to generate and customize mmWave wave-
on the communications of D L ) is able to successfully identify forms to use as training data. The 5G Toolbox provides
the Authentication Request (A Req) messages of D L . To start standard–compliant functions for the modelling and verifi-
conducting the attack, D A submits its own A Req message cation of the 5G communications systems that work based
immediately after it detects D L ’s A Req message (with the on 3GPP 5G–NR Release 15 [53]. In this toolbox, we used
minimum time gap between the two authentication proce- several components from the Phased Array System Toolbox to
dures). Note that D A has to submit its request with an ID perform beamforming functions on the generated waveforms.
different than D L ’s ID. This is because the server does not In addition, we used the Antenna Array Designer App for the
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply
NOSOUHI et al.: TOWARDS SPOOFING RESISTANT NEXT GENERATION IoT NETWORKS 1679
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply
1680 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
Fig. 5. (a) and (b) The effect of SNR on the detection accuracy.(c) Increasing the number of training locations improves the detection accuracy.
Fig. 6. (a) The effect of activation function on the detection accuracy. (b) Average detection accuracy for different number of devices and different values
of number of hidden layers. (c) The effect of number of epochs on the detection accuracy.
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply
NOSOUHI et al.: TOWARDS SPOOFING RESISTANT NEXT GENERATION IoT NETWORKS 1681
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply
1682 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
[14] D. Wang et al., “A survey of optimization approaches for wireless [37] J. Elkind, E. Goldberger, and E. Socher, “57–67-GHz highly compact
physical layer security,” IEEE Commun. Surveys Tuts., vol. 21, no. 2, bidirectional 3-bit phase shifter in 28-nm CMOS,” IEEE Microw. Wire-
pp. 1878–1911, 2nd Quart., 2019. less Compon. Lett., vol. 28, no. 11, pp. 1017–1019, Nov. 2018.
[15] J. M. Hamamreh, H. M. Furqan, and H. Arslan, “Classifications and [38] N. Sharma and V. Sharma, “A design of microstrip patch antenna using
applications of physical layer security techniques for confidentiality: A hybrid fractal slot for wideband applications,” Ain Shams Eng. J., vol. 9,
comprehensive survey,” IEEE Commun. Surveys Tuts., vol. 21, no. 2, no. 4, pp. 2491–2497, Dec. 2018.
pp. 1773–1828, 2nd Quart., 2019. [39] A. Ghosh, V. Kumar, G. Sen, and S. Das, “Gain enhancement of triple-
[16] B. Chatterjee, D. Das, S. Maity, and S. Sen, “RF-PUF: Enhancing IoT band patch antenna by using triple-band artificial magnetic conductor,”
security through authentication of wireless nodes using in-situ machine IET Microw., Antennas Propag., vol. 12, no. 8, pp. 1400–1406, 2018.
learning,” IEEE Internet Things J., vol. 6, no. 1, pp. 388–398, Feb. 2019. [40] M. Abbasi Layegh, C. Ghobadi, and J. Nourinia, “The optimiza-
[17] M. Andraud, H.-G. Stratigopoulos, and E. Simeu, “One-shot non- tion design of a novel slotted microstrip patch antenna with multi-
intrusive calibration against process variations for analog/RF circuits,” bands using adaptive network-based fuzzy inference system,” Tech-
IEEE Trans. Circuits Syst. I, Reg. Papers, vol. 63, no. 11, pp. 2022–2035, nologies, vol. 5, no. 4, p. 75, Nov. 2017. [Online]. Available:
Nov. 2016. https://www.mdpi.com/2227-7080/5/4/75
[18] S. Sen, “Context-aware energy-efficient communication for IoT sensor [41] Ferro A6–S High Frequency LTCC System, Ferro Electronic Mate-
nodes,” in Proc. 53rd ACM/EDAC/IEEE Design Automat. Conf. (DAC), rials. Accessed: May 21, 2021. [Online]. Available: https://ostec-
Jun. 2016, pp. 1–6. materials.ru/upload/iblock/0bb/0bb9ac1ff67ce748dfb231486fb13f5e.pdf
[19] W. Wang, Z. Sun, S. Piao, B. Zhu, and K. Ren, “Wireless physical- [42] M. Giordani et al., “A tutorial on beam management for 3GPP NR at
layer identification: Modeling and validation,” IEEE Trans. Inf. Forensics mmWave frequencies,” IEEE Commun. Surveys Tuts., vol. 21, no. 1,
Security, vol. 11, no. 9, pp. 2091–2106, Sep. 2016. pp. 173–196, 1st Quart., 2018.
[20] X. Huan, K. S. Kim, and J. Zhang, “NISA: Node identification and [43] T. Inoue, “5G standards progress and challenges,” in Proc. IEEE Radio
spoofing attack detection based on clock features and radio information Wireless Symp. (RWS), Jan. 2017, pp. 1–4.
for wireless sensor networks,” IEEE Trans. Commun., vol. 69, no. 7, [44] Study on New Radio (NR) Access Technology—Physical Layer
pp. 4691–4703, Jul. 2021. Aspects—Release 14, TR 38.802. Accessed: 13th Feb. 2021.
[21] G. Baldini and G. Steri, “A survey of techniques for the identification Accessed: Feb. 13, 2021. [Online]. Available: https://www.3gpp.org/
of mobile phones using the physical fingerprints of the built-in com- ftp/Specs/archive/38_series/38.802/
ponents,” IEEE Commun. Surveys Tuts., vol. 19, no. 3, pp. 1761–1789, [45] D. Kapetanovic, G. Zheng, and F. Rusek, “Physical layer security for
3rd Quart., 2017. massive MIMO: An overview on passive eavesdropping and active
[22] K. Merchant, S. Revay, G. Stantchev, and B. Nousain, “Deep learning for attacks,” IEEE Commun. Mag., vol. 53, no. 6, pp. 21–27, Jun. 2015.
RF device fingerprinting in cognitive communication networks,” IEEE [46] Intel Core I7-8086K Processor. Accessed: Mar. 7, 2022. [Online].
J. Sel. Topics Signal Process., vol. 12, no. 1, pp. 160–167, Feb. 2018. Available: https://www.intel.com.au/content/www/au/en/products/sku/
[23] T. J. Bihl, K. W. Bauer, and M. A. Temple, “Feature selection for 148263/intel-core-i78086k-processor-12m-cache-up-to-5-00-
RF fingerprinting with multiple discriminant analysis and using ZigBee ghz/specifications.html
device emissions,” IEEE Trans. Inf. Forensics Security, vol. 11, no. 8, [47] U. Ruhrmair and M. van Dijk, “PUFs in security protocols: Attack
pp. 1862–1874, Aug. 2016. models and security evaluations,” in Proc. IEEE Symp. Secur. Privacy,
[24] S. Balakrishnan, S. Gupta, A. Bhuyan, P. Wang, D. Koutsonikolas, May 2013, pp. 286–300.
and Z. Sun, “Physical layer identification based on spatial–temporal [48] J. Wang et al., “Subwavelength grating enabled on-chip ultra-compact
beam features for millimeter-wave wireless networks,” IEEE Trans. Inf. optical true time delay line,” Sci. Rep., vol. 6, no. 1, pp. 1–10, Sep. 2016.
Forensics Security, vol. 15, pp. 1831–1845, 2020. [49] R. Lu, T. Manzameque, Y. Yang, and S. Gong, “S0-mode lithium
[25] S.-Y. Lien, S.-L. Shieh, Y. Huang, B. Su, Y.-L. Hsu, and H.-Y. Wei, niobate acoustic delay lines with 1 dB insertion loss,” in Proc. IEEE
“5G new radio: Waveform, frame structure, multiple access, and initial Int. Ultrason. Symp. (IUS), Oct. 2018, pp. 1–9.
access,” IEEE Commun. Mag., vol. 55, no. 6, pp. 64–71, Jun. 2017. [50] T. Manzaneque, R. Lu, Y. Yang, and S. Gong, “Low-loss and wideband
[26] Z. Zhang, P. Cui, and W. Zhu, “Deep learning on graphs: A survey,” acoustic delay lines,” IEEE Trans. Microw. Theory Techn., vol. 67, no. 4,
IEEE Trans. Knowl. Data Eng., vol. 34, no. 1, pp. 249–270, Jan. 2022. pp. 1379–1391, Apr. 2019.
[27] N. Wang, L. Jiao, P. Wang, W. Li, and K. Zeng, “Machine learning- [51] P. Schulz et al., “Latency critical IoT applications in 5G: Perspective on
based spoofing attack detection in mmWave 60 GHz IEEE 802.11ad net- the design of radio interface and network architecture,” IEEE Commun.
works,” in Proc. IEEE Conf. Comput. Commun. (INFOCOM), Jul. 2020, Mag., vol. 55, no. 2, pp. 70–78, Feb. 2017.
pp. 2579–2588. [52] MATLAB Products and Services. Accessed: Jan. 21, 2021. [Online].
[28] L. Xiao, Y. Li, G. Han, G. Liu, and W. Zhuang, “PHY-layer spoofing Available: https://au.mathworks.com/products.html
detection with reinforcement learning in wireless networks,” IEEE Trans. [53] 3GPP 5G–NR, Release 15. Accessed: Jan. 21, 2021. [Online]. Available:
Veh. Technol., vol. 65, no. 12, pp. 10037–10047, Dec. 2016. https://www.3gpp.org/release-15
[29] N. Wang, W. Li, T. Jiang, and S. Lv, “Physical layer spoofing detection [54] D. B. Johnson and D. A. Maltz, “Dynamic source routing in ad hoc
based on sparse signal processing and fuzzy recognition,” IET Signal wireless networks,” in Mobile Computing. Boston, MA, USA: Springer,
Process., vol. 11, no. 5, pp. 640–646, Jul. 2017. 1996, pp. 153–181.
[30] S. Liu, “MAC spoofing attack detection based on physical layer char-
acteristics in wireless networks,” in Proc. IEEE Int. Conf. Comput.
Electromagn. (ICCEM), Mar. 2019, pp. 1–3.
[31] E. M. D. L. Pinto, R. Lachowski, M. E. Pellenz, M. C. Penna, and
R. D. Souza, “A machine learning approach for detecting spoofing
attacks in wireless sensor networks,” in Proc. IEEE 32nd Int. Conf.
Adv. Inf. Netw. Appl. (AINA), May 2018, pp. 752–758.
[32] M. Faisal, S. Abbas, and H. Ur Rahman, “Identity attack detection sys-
tem for 802.11-based ad hoc networks,” EURASIP J. Wireless Commun.
Netw., vol. 2018, no. 1, pp. 1–16, Dec. 2018.
[33] W. Yan, S. Hylamia, T. Voigt, and C. Rohner, “PHY-IDS: A physical-
layer spoofing attack detection system for wearable devices,” in Proc. Mohammad Reza Nosouhi received the master’s
6th ACM Workshop Wearable Syst. Appl., 2020, pp. 1–6. degree in telecommunications engineering from the
[34] N. Wang, J. Tang, and K. Zeng, “Spoofing attack detection in mm-wave Isfahan University of Technology, Isfahan, Iran,
and massive MIMO 5G communication,” in Proc. IEEE Conf. Commun. in 2007, and the Ph.D. degree from the University
Netw. Secur. (CNS), Jun. 2019, pp. 1–5. of Technology Sydney, Ultimo, NSW, Australia,
[35] W. Tan, S. D. Assimonis, M. Matthaiou, Y. Han, X. Li, and S. Jin, in 2020. He has more than ten years of industry
“Analysis of different planar antenna arrays for mmWave massive experience in ICT field. He is currently working
MIMO systems,” in Proc. IEEE 85th Veh. Technol. Conf. (VTC Spring), as a Research Fellow with the Centre for Cyber
Jun. 2017, pp. 1–5. Security Research and Innovation (CSRI), Deakin
[36] J. Chen, “When does asymptotic orthogonality exist for very large University, Australia. His research interests are post-
arrays?” in Proc. IEEE Global Commun. Conf. (GLOBECOM), quantum cryptography, next generation authentica-
Dec. 2013, pp. 4146–4150. tion systems, applied cryptography, and blockchain systems.
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply
NOSOUHI et al.: TOWARDS SPOOFING RESISTANT NEXT GENERATION IoT NETWORKS 1683
Keshav Sood is currently a Lecturer with the Centre Robin Doss (Senior Member, IEEE) received the
for Cyber Security Research and Innovation, School B.Eng. degree in electronics and communications
of IT, Deakin University, Melbourne, Australia. from the University of Madras, India, in 1999,
Previously, he worked as a Research Fellow with and the M.Eng. and Ph.D. degrees from RMIT
the Advanced Cyber Security Engineering Research University, Australia, in 2000 and 2004, respec-
Centre (ACSRC), The University of Newcastle, tively. He is currently the Director of the Centre
NSW, Australia. for Cyber Security Research and Innovation (CSRI),
Deakin University, Australia. In addition, he leads
the “Development of Next Generation Authentica-
tion Technologies” theme within the National Cyber
Security Cooperative Research Centre (CSCRC).
He has an extensive research publication portfolio. His research program
has been funded by the Australian Research Council (ARC), Government
Agencies, such as the Defence Signals Directorate (DSD), Department of
Marthie Grobler received the Ph.D. degree from Industry, Innovation and Science (DIIS), and industry partners. His research
the University of Johannesburg, South Africa. interests include the broad areas of system security, protocol design, and secu-
She currently holds a position as a Princi- rity analysis, with a focus on smart, cyber-physical, and critical infrastructures.
pal Research Scientist with CSIRO’s Data61, He is a member of the Research Council of the Oceania Cyber Security
Melbourne, Australia, where she drives the research Centre (OCSC) and the Executive Council of the IoT Alliance Australia
group’s work on human centric cybersecurity. She is (IoTAA). In 2019, he was a recipient of the Cyber Security Researcher of the
passionate about making cybersecurity more accessi- Year Award from the Australian Information Security Association (AISA).
ble for people in the pathway of the fourth industrial
revolution. From applying governance models in
the digital space to teaching children in rural areas
about technology, she works towards a thorough
and effective approach to maximise cybersecurity knowledge and practical
application.
Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:43:16 UTC from IEEE Xplore. Restrictions apply