
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JRFID.2020.2968369, IEEE Journal of Radio Frequency Identification

A Review of Radio Frequency Fingerprinting Techniques
Naeimeh Soltanieh, Member, IEEE, Yaser Norouzi, Yang Yang, Senior Member, IEEE and Nemai
Chandra Karmakar, Senior Member, IEEE

Abstract—Radio frequency (RF) fingerprinting techniques have been used as an extra security layer for wireless devices. Unique fingerprints are used to identify wireless devices in order to avoid spoofing or impersonating attacks. These unique features can be extracted from imperfections of analog components during the manufacturing. This paper presents a general review of recent progress on RF fingerprinting techniques. Several studies are investigated for RF fingerprinting using different parts of a signal. The majority of these studies have been focused on the transient part of the signal. For this purpose, the transient signal must be extracted precisely. A number of common techniques of transient extraction are theoretically analyzed in this review. Then, some other approaches using the modulated part of the signal are also discussed. For all these approaches, the applied methodologies, the classification algorithms and a taxonomy of features are described. A comprehensive overview of the methods in RF fingerprinting is presented to demonstrate the state-of-the-art works.

Index Terms—Radio frequency, PHY layer security, transient-based fingerprinting, steady-state based, transient detection

I. INTRODUCTION

Wireless devices are traditionally identified by some unique RF fingerprints caused by radio circuitry. There are several forms of attacks for the wireless network; an impersonation attack is one of the most important and threatening [1]. In this kind of attack, an attacker can copy most of the identification information like the password and Media Access Control (MAC) address to spoof devices [2]. The radio frequency fingerprinting (RFF) from the unique features of electromagnetic waves emitted by the transmitter is unique [3-5].

In this review, we focus on methods that identify wireless devices by unique fingerprints that are called physical layer device identification. Physical layer identification is the process of fingerprinting the wireless device by extracting features due to hardware imperfections in the analog circuitry [6]. These hardware imperfections appear during the manufacturing process. Physical layer device identification has been used for different purposes like intrusion detection [7-9], access control [3, 10], cloning detection [11, 12] and secure localization [13]. The most important merit of using physical imperfection as a signature for identification is that it is hard to spoof the signature by using other wireless devices [14-16]. Wireless platforms for device identification using physical layer include HF RFID transponders, UHF RFID transponders [17], VHF transmitters and IEEE 802.11 transceivers [18, 19].

The main stages of wireless device identification system based on RF fingerprinting are capturing signals, feature extraction, and classification. After capturing signals, it is necessary to extract unique features from different parts of the signal. RF feature extraction is a serious concern in related works. RF fingerprinting based on the steady-state part of signal extracts features from the modulated part of the signal and can exploit prior information about the known signals [20]. On the other hand, transient based RF fingerprinting extracts fingerprints from the transient part of signals. The essential part of transient based approaches is to detect the transient signal correctly.

The transient signal is generated from the change of the transmitter’s status [21]. The challenge of transient detection is to find the exact position of the start point of the signal from channel noise. This survey investigates common techniques for transient extraction and their advantages and disadvantages in detail.

The most challenging work in practical deployment of RF fingerprinting is to use low-end devices instead of high-end devices. Researchers consider different aspects of this research such as: 1) analysis and discussion of the practical limits that low-end devices have for RFF, 2) understanding the effects of channel impairments on the classification efficiency [22].

The main goal of this paper is to provide a comprehensive review of radio frequency fingerprinting systems and methods. In this paper we discuss in depth classifications of radio frequency fingerprinting especially transient based algorithms. We also discuss important methods of transient extraction.

The rest of the paper is organized as follows: Section II provides a background of physical layer security and how

N. Soltanieh is with the Department of Electrical Engineering, Amirkabir University of Technology, Tehran 1591634311, Iran (e-mail: n_soltanieh@aut.ac.ir) and also she is visitor student at School of Electrical and Data Engineering, University of Technology Sydney, Ultimo NSW 2007, Australia (e-mail: naeimeh.soltanieh@uts.edu.au).
Y. Norouzi is with the Department of Electrical Engineering, Amirkabir University of Technology, Tehran 1591634311, Iran (e-mail: y.norouzi@aut.ac.ir).
Y. Yang is with the School of Electrical and Data Engineering, University of Technology Sydney, Ultimo NSW 2007, Australia (e-mail: Yang.Yang-1@uts.edu.au).
Nemai Chandra Karmakar is with the Department of Electrical and Computer Systems Engineering, Monash University, 3800 Vic., Australia (e-mail: Nemai.Karmakar@eng.monash.edu.au).

2469-7281 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Auckland University of Technology. Downloaded on May 25,2020 at 15:23:14 UTC from IEEE Xplore. Restrictions apply.

Fig. 1. Radiometric block diagram showing different sources of impairments in overall digital communication system. (a) Block diagram of transmitter and its impairments, (b) Block diagram of receiver.

physical layer identification systems work. In Section III, we classify RF fingerprinting methods and analyse both transient-based and steady state-based RFF algorithms. We also present other approaches that do not fit into those categories. In section IV, we discuss features that are useful for both categories of RFF techniques. Finally, we present a classification methodology for transmitter identification in Section V and conclude the article in Section VI.

II. PHYSICAL LAYER SECURITY

Physical layer security is a new paradigm for securing the identity of wireless devices based on the unique features extracted from signals emitted by wireless devices [23, 24]. The uniqueness of features arises from analog element imperfections created in the manufacturing process [25]. Physical layer security that uses these unique features is known as Radio Frequency (RF) fingerprinting [26]. Transmitter imperfections that produce RF fingerprints originate from its analog elements (phase noise, digital-to-analog converters, band-pass filters, frequency mixers, and power amplifiers) [12]. Fig. 1 shows physical imperfections of transceivers elements.

A physical layer identification system has three main tasks: 1) capture the identification signal, 2) extract proper features and 3) create fingerprints from captured signals and classify and identify fingerprints. A physical layer device identification system has two main modules: one for creating a library of enrolled devices and another for identification. Initially, signals are captured from a device or set of devices with different or same models and manufacturers [27]. Then the extracted features of RF fingerprints are stored in a library as a database. In the second module, fingerprints extracted from a device are compared with the library of fingerprints in order to identify or verify the device.

As mentioned, fingerprints are sets of features that are extracted from the captured signal to identify and verify devices [28]. To achieve a high accuracy identification, the fingerprints need to have properties such as:
1) Universality, which means that every wireless device should have the features that are used for its identification;
2) Uniqueness, which indicates that no two devices should have the same fingerprints.
3) Permanence, which means that the fingerprints should be time-invariant and environment invariant.
4) Collectability, which indicates that it should be possible to measure the fingerprints quantitatively and with existing equipment.
5) Robustness, which means that the fingerprints should be evaluated with respect to external environmental aspects like signal reflection, absorption, etc. and device-related aspects like temperature, power, and voltage level.

III. CLASSIFICATION OF RF FINGERPRINTING

RF fingerprinting is a well-known technique used to identify wireless devices by extracting unique structures in the electromagnetic waves emitted from the transmitters. In the past few years, many RF fingerprinting methods have been explored in commercial areas [24, 29-32]. For example, in the ADS-B system used in Air Traffic Control, RF fingerprinting techniques are used to identify/classify aircraft [33]. Also, other wireless device signals such as Bluetooth [34, 35], push-to-talk transmitters [29], RFID [5, 36, 37] are used to evaluate RF fingerprinting methods. According to [10], every transmitter has a unique RF fingerprint, and this uniqueness arises from imperfections in analog components during the manufacturing process. The main step in RF fingerprinting is to extract useful features of a transmitted signal to identify the signal’s transmitter [38]. Here we review important techniques for RF fingerprinting. Transmitter identification techniques are classified based on essential differences. These methods are divided into three categories, namely transient-based, steady state-based and other approaches based on different signal parts used for feature extraction. Fig. 2 shows the different parts of an actual signal that are used in the special category. A structure of wireless transmitter identification categories is shown in Fig. 3.

Fig. 2. Different parts of the Mode S signal.
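
The two modules described in Section II (a library of enrolled devices, then identification or verification against it), as an added example that is not code from the paper. The feature names, the constructed capture values, the range normalisation and the 0.15 acceptance distance are assumptions chosen for illustration; the point is that a copied identity fails verification when the hardware fingerprint behind it differs.

```python
import math

# Constructed enrollment captures (illustrative values, not measurements).
# Feature order is an assumption: transient length [samples],
# amplitude variance, number of carrier peaks.
ENROLLMENT = {
    "device-A": [(100.0, 2.0, 5.0), (102.0, 2.2, 5.0), (98.0, 1.8, 5.0)],
    "device-B": [(130.0, 3.0, 8.0), (132.0, 3.2, 8.0), (128.0, 2.8, 8.0)],
    "device-C": [(160.0, 1.0, 6.0), (162.0, 1.2, 6.0), (158.0, 0.8, 6.0)],
}


class FingerprintLibrary:
    """Module 1 builds the library; module 2 identifies or verifies a capture."""

    def __init__(self, max_distance=0.15):
        self.max_distance = max_distance   # acceptance radius (assumed value)
        self.profiles = {}                 # device id -> mean feature vector
        self.scale = None                  # per-feature range over all captures

    def enroll(self, captures_by_device):
        every = [c for caps in captures_by_device.values() for c in caps]
        dims = range(len(every[0]))
        # Range normalisation keeps one large-valued feature from dominating.
        self.scale = [max(c[k] for c in every) - min(c[k] for c in every) or 1.0
                      for k in dims]
        for dev, caps in captures_by_device.items():
            self.profiles[dev] = [sum(c[k] for c in caps) / len(caps) for k in dims]

    def distance(self, features, device):
        ref = self.profiles[device]
        return math.sqrt(sum(((f - r) / s) ** 2
                             for f, r, s in zip(features, ref, self.scale)))

    def identify(self, features):
        """Closest enrolled device, or None when nothing is close enough."""
        best = min(self.profiles, key=lambda dev: self.distance(features, dev))
        return best if self.distance(features, best) <= self.max_distance else None

    def verify(self, claimed_device, features):
        """True only if the capture matches the profile of the claimed identity."""
        if claimed_device not in self.profiles:
            return False
        return self.distance(features, claimed_device) <= self.max_distance


def demo():
    lib = FingerprintLibrary()
    lib.enroll(ENROLLMENT)
    genuine = (101.0, 2.1, 5.0)      # device-A hardware, fresh capture
    spoofed = (131.0, 3.1, 8.0)      # device-B hardware presenting A's identity
    unknown = (200.0, 5.0, 12.0)     # never enrolled
    return {
        "genuine_claims_A": lib.verify("device-A", genuine),
        "spoofed_claims_A": lib.verify("device-A", spoofed),
        "spoofed_is_really": lib.identify(spoofed),
        "unknown_is": lib.identify(unknown),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
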


Fig. 4. Typical captured signal. (a) Ramp change signal from a Nokia 5230 mobile phone. (b) Step change signal from a VHF radio [35].

[Fig. 3 block diagram: Captured Signal, branching into
 Transient Based RF Fingerprinting (transient extraction: Bayesian Step Change Detection (BSCD) [42], Phase Detection (PD) [45], …, Transient Envelope [31]);
 Steady-state Based RF Fingerprinting (modulation shape [11], frequency error, SYNC correlation [10], modulation domain parameters);
 Other Approaches (power spectrum density (PSD) [58], clock skew [56], etc.);
 followed by Feature extraction, Classification etc., and RF Fingerprinting (Transmitter Identification).]
Fig. 3. A structure of wireless transmitter identification and classification of radio frequency fingerprinting techniques.

A. Transient-Based RF Fingerprinting

Transient-based RF fingerprinting techniques use the transition from the turn-off to the turn-on of a transmitter that occurs before the transmission of the actual data of a signal. These approaches need accurate transient extraction (start point and duration) before feature extraction and identification [39]. Channel noise and hardware have an important effect on transient extraction methods. Fig. 3 shows different types of transient signals in the captured signal [40]. Equation (1) shows the modeled signal as follows:

$$S_i = \begin{cases} n(i), & 1 \le i < m \\ X(i) + n(i), & n_0 \le n \le N_0 \end{cases} \tag{1}$$

where, $S_i$ is the i-th sample; X(i) is the discrete signal, when i < m; n(i) is channel noise; N is the number of samples and m is the starting point of the transient signal.

The approaches to transient-based wireless device identification can be traced back to the early 90s. In [9, 29], seven VHF FM transmitters from different manufacturers but in the same model were identified using multi-resolution wavelet analysis to characterize the features in the transient signal. All the extracted features were classified using a genetic algorithm. To measure the noise sensitivity of the algorithm, Gaussian noise was added to the original transient signals. Choe et al. [7] proposed a robust and adaptive device identification system using a Daubechies-4 wavelet transform combined with ANN. Also, an example of identifier and classifier was provided using transient signals of three different transmitters. Hippenstiel and Payal [30] also used Daubechies filter to obtain DWT coefficients of transients of 4 different transmitters. Ellis and Serinken [41] analyzed the amplitude and phase information of the transients of VHF FM transmitters. The authors used 28 transmitters from different manufacturers and the same models and showed that fingerprint profiles for devices from the same manufacturer and model are indistinguishable, making the identification process complex. Tekbas et al. [42, 43] tested transmission from 10 commercial VHF FM transmitters under ambient temperature, power supply, and additive channel noise. Amplitude and phase-based techniques were used to extract transient features. A probabilistic neural network (PNN) was used as a classifier and the results showed that classification accuracy of low SNR transients could be improved by estimating SNR and modifying its level during the training. Hall et al. used 14 different (manufacturers and models) IEEE 802.11 devices and 10 different (manufacturers and models) Bluetooth [43, 44]. The capturing process was performed from close proximity with a spectrum analyzer. The authors used amplitude, phase, in-phase, quadrature, power and DWT coefficients information to create a profile for each transient signal. The average classification error rate was 8% and was strongly dependent on the model and manufacturer. Ureten and Serinken [3] used the amplitude envelope as a feature of IEEE 802.11 transient signals for device classification and identification. The authors also used RF fingerprinting for enhancing the security of


wireless networks. Signals were captured from 8 different manufacturers and models and classified using PNN. The proposed classifier could classify the signals with an error rate of 2%. In the above works, captured signals were from different models and manufacturers and at close distance with the fingerprinting antenna. In [45], Rasmussen and Capkun used RF fingerprinting techniques to identify 10 UHF (Mica2/CC1000) sensor devices from same manufacturers and models. Each device has a profile of fingerprints including transient length, amplitude variance, number of peaks of the carrier signal, the difference between normalized mean and the normalized maximum value of the transient power, and the first DWT coefficient. The feasibility of fingerprinting the radio of Wireless Sensor Node (Chipcon 1000 radio, 433MHz) was demonstrated in [45]. The duration of the transient signal, the number of peaks and the difference between the normalized mean and normalized maximum values of the peaks are used to create an RF fingerprint for each signal.

In summary, transient based analysis offers high performance only whenever the transient is exactly extracted (the exact beginning and end point). The lack of transient analysis is the difficulty in distinguishing devices of same manufacturer (same model). Finally, very high sampling rates are needed for a good transient extraction, necessitating expensive receiver architectures.

Separating the transient signal and detecting the start point in channel noise are very difficult because of non-stationary characteristics [46]. In the rest of this section, a number of critical methods are theoretically analyzed for detecting the start point of transient signals.

Method 1: Bayesian Step Change Detection (BSCD)

This approach was proposed by Fourteen which transforms a change in variance into a change in the mean value based on the fractality of the sampled data to detect the start point of the transient. In this approach, Higuchi’s method [47] was used to calculate the fractal dimension for successive segments of the signal. There is a close relation between the variance of fractal dimension and the probability density function of start point of transient, for example, the variance of fractal dimension between two sequences is related to the probability density function, so the maximum of the probability density function is the start point of the transient signal. A non-stationary signal like a transient is not a pure fractal because its fractality is time variant. Multi-fractality handles signals with local fractal dimensions. For calculating the local fractal dimensions of successive portions of the signal, a sliding window is used. The principle of this approach is provided as follows:

First, the fractal dimension of the transient is calculated by Higuchi’s method. Higuchi defines the length of the curves for each subset as follows:

$$L_m(k) = \frac{1}{k}\left\{\left(\sum_{i=1}^{\left[\frac{N-m}{k}\right]} \left|X(m+ik) - X(m+(i-1)k)\right|\right)\frac{N-1}{\left[\frac{N-m}{k}\right]k}\right\} \tag{2}$$

where, m is the initial time and the starting point of each subset and k is the interval time and determines the number of subset and $X(m,k): X(m), X(m+k), \ldots, X(m+[(N-m)/k]\cdot k)$ and $(N-1)/([(N-m)/k]\,k)$ is assumed to be the normalization factor of curve length.

Second, $L_m(k)$ is plotted against k on a log-log scale, so the data should fall on an axis as k varies from N to zero.

Third, a curve is fitted to the points ($L_m(k)$) that were calculated in the last step according to the least-square procedure, and then the slope of the curve is an estimation of the fractal dimension.

Fourth, the following a posteriori probability density function is used to detect transient. The maximum point of the function is the start point of the transient signal [47].

$$p(\{m\} \mid d) \propto \frac{1}{\sqrt{m(N-m)}}\left[\sum_{i=1}^{N} d_i^2 - \frac{1}{m}\Big(\sum_{i=1}^{m} d_i\Big)^2 - \frac{1}{N-m}\Big(\sum_{i=m+1}^{N} d_i\Big)^2\right]^{-\frac{N-2}{2}} \tag{3}$$

where, d is the fractal dimension, m is assumed to be the start point of transient and N is the number of samples in the sliding window. Although there is no need to define a threshold in the BSCD method, this approach has a complex computation and a poor detection for transient signals with small amplitude. Fig. 5 shows the detection result of BSCD algorithm on net-core transient.

[Plot panels: Amplitude vs. Samples with the Start of Transient marked; Probability Density vs. Section of Signals with the Maximum Probability Density marked.]
Fig. 5. Bayesian Step Change Detection (signal of net-core). © [2013] IEEE. Reprinted, with permission, from [51].

Method 2: Bayesian Ramp Change Detection (BRCD)

This method was proposed by Ureten and Serinken [48] and it is a modification to the BSCD scheme. In this approach, transient detection is achieved by estimating the time instant when the power of signal gently increased. Its principles are provided as follows:

As mentioned before, typical transmission data contain channel noise before transmission of real data. The model of this signal can be written in the form of a matrix equation:

$$d = Gb + e \tag{4}$$

where d is an $N \times 1$ matrix of data samples, e is a matrix of


Gaussian noise samples with dimensions of $N \times 1$, the matrix G is of size $N \times M$ that each column of G is a basis function estimated at each sample in the time series and b is an $M \times 1$ matrix of linear coefficients. The next step is to detect the change point with a posteriori probability density which is calculated as in the following equation [48]:

$$p(\{m\} \mid d, I) \propto \frac{\left[d^T d - d^T G (G^T G)^{-1} G^T d\right]^{-(N-m)/2}}{\sqrt{\det(G^T G)}} \tag{5}$$

where I defines the signal model. The start point position can be found in the structure of the matrix G that is given in equation (6).

$$G^T = \begin{bmatrix} 1 & 1 & 1 & 1 & \cdots & 1 & 1 & 1 & 1 & \cdots & 1 \\ 0 & 0 & 0 & 0 & \cdots & 0 & 1 & 2 & 3 & \cdots & N-m \end{bmatrix} \tag{6}$$

A Bayesian ramp change detector is a better candidate for transient extraction for Wi-Fi radios in comparison with Bayesian step change detector because of the lags behind the start point of the transient signal and because the standard deviation of the detection error for BSCD is three times higher than BRCD [48].

Method 3: Variance Fractal Dimension Threshold Detection

This approach was proposed by Shaw and Kinser [49]. The main idea is to calculate the fractal dimension from the variance of signal amplitude to detect the transient part of a signal.

The first step is to calculate the fractal dimension for each portion of the signal in the sliding window by equation (7).

$$D(t) = 2 - H \tag{7}$$

where H is a value called the Hurst index that is the correlation between $\Delta X(t_i, \Delta t)$ and $\Delta t$ that is the amplitude difference between data samples and $\Delta t$. By setting $\Delta X(t_i, \Delta t) = X(t_i, \Delta t) - X(t_i)$ and $\Delta t = t_{i+1} - t_i$, the Hurst index can be calculated by equation (8) based on the least squares regression (LSR) scheme [49].

$$2H = \frac{N\sum_{i=1}^{N} x_i y_i - \Big(\sum_{i=1}^{N} x_i\Big)\Big(\sum_{i=1}^{N} y_i\Big)}{N\sum_{i=1}^{N} x_i^2 - \Big(\sum_{i=1}^{N} x_i\Big)^2} \tag{8}$$

where $(x_i, y_i) = (\log(\Delta t_i), \log(\mathrm{var}(\Delta X(t_i, \Delta t_i))))$. It is necessary to ensure that there are a sufficient number of the pairs $(x_i, y_i)$ and selecting a suitable sequence of time is very important.

The next step is to detect the start point of the transient signal from the fractal dimension obtained from the first step. The mean of the fractal dimension of channel noise is considered as a threshold. The threshold needs to be determined based on experiments. The variance fractal dimension of wireless network card net-core is shown in Fig. 6. For example, if the value of n-th point and its m successive points are less than the threshold, then n is considered to be the start point of the transient. It must contain at least $T/4$ samples of channel noise before the start of the transmission. It is proved that there is a remarkable difference between the fractal dimension of ambient channel noise and the actual data. This method is simple and fast, but the threshold needs to be determined by trial and error and it is very sensitive to noise.

[Plot panels: Amplitude vs. Samples with the Start of Transient marked; Fractal Dimension (Difference Fractal Dimension Variance) vs. Samples.]
Fig. 6. Variance Fractal Dimension Threshold Detection (signal of net-core). © [2013] IEEE. Reprinted, with permission, from [51].

Method 4: Phase Detection (PD)

Phase Detection method was proposed by Hall et al. [50] and unlike the previous approaches which used the amplitude characteristics of the signal for transient extraction, this approach used phase characteristics to extract transient signals. This approach has advantages against the methods using amplitude characteristics because the phase of the signal does not represent the same degree of variation because the phase is less sensitive to noise. Moreover, the implementation of PD is as follows:

The instantaneous phase of the signal ($X(t) = I(t) + jQ(t)$) can be calculated using equation (9) as follows:

$$\theta(t) = \tan^{-1}\left[\frac{Q(t)}{I(t)}\right] \tag{9}$$

where, $\theta(t)$ is unwrapped to remove the discontinuities that result at multiples of $2\pi$ radians. The absolute value of each element in the unwrapped vector AV which is shown in equation (10):

$$AV = \begin{cases} \theta(t), & |\theta(t) - \theta(t-1)| \le \pi \\ \theta(t) + 2\pi, & \text{others.} \end{cases} \tag{10}$$

To detect the start point of the transient signal and magnify the variation between channel noise and turn-on transient signal, the variance of the phase characteristics is calculated for each consecutive portion of AV [50].

$$TV(i) = \mathrm{var}(AV(d+1), AV(d+2), \ldots, AV(d+g)) \tag{11}$$


where $i = 1, 2, \ldots, N/S$, $g = i \times S$, $d = g - S$, S is non-overlapping window size and var represents the variance of the phase.

The last step is to create the fractal trajectory (FT) from the difference of the phase variance. The start point of the turn-on transient is when the fractal trajectory becomes near to zero because the phase variance of the transient signal changes more slowly than channel noise. The start point detection of net-core signal using PD algorithm is shown in Fig. 7.
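
The phase-detection steps above (unwrapped phase, absolute value, windowed variance, fractal trajectory), as an added example that is not code from the paper or from Hall et al. The constructed I/Q capture, the window size S = 32, the "near zero" bound of 0.05 and the requirement of three consecutive quiet windows are assumptions, and each window is taken as the S samples d+1..g.

```python
import cmath
import math
import random
from statistics import pvariance


def unwrapped_phase(iq):
    """theta(t) = atan2(Q, I), unwrapped so no step exceeds pi in magnitude."""
    phases, offset, prev = [], 0.0, None
    for sample in iq:
        raw = math.atan2(sample.imag, sample.real)
        if prev is not None:
            if raw - prev > math.pi:
                offset -= 2 * math.pi
            elif raw - prev < -math.pi:
                offset += 2 * math.pi
        phases.append(raw + offset)
        prev = raw
    return phases


def phase_variance(iq, window):
    """TV(i): variance of |unwrapped phase| in consecutive windows of S samples."""
    av = [abs(p) for p in unwrapped_phase(iq)]
    return [pvariance(av[d:d + window])
            for d in range(0, len(av) - window + 1, window)]


def detect_start(iq, window=32, near_zero=0.05, run=3):
    """First sample of the first window from which FT stays near zero."""
    tv = phase_variance(iq, window)
    ft = [abs(b - a) for a, b in zip(tv, tv[1:])]   # fractal trajectory magnitude
    for j in range(len(ft) - run + 1):
        if all(v < near_zero for v in ft[j:j + run]):
            return j * window
    return None                                     # no stable stretch found


def constructed_capture(noise_len=512, signal_len=768, seed=7):
    """Constructed data: channel noise, then a fast turn-on ramp into a carrier."""
    rng = random.Random(seed)
    sigma, omega, ramp = 0.01, 0.02, 16      # noise std, rad/sample, ramp length
    iq = []
    for n in range(noise_len + signal_len):
        k = n - noise_len
        amp = 0.0 if k < 0 else min(1.0, (k + 1) / ramp)
        noise = complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma))
        iq.append(amp * cmath.exp(1j * omega * k) + noise)
    return iq


if __name__ == "__main__":
    capture = constructed_capture()
    print("true start sample: 512, detected:", detect_start(capture))
```

Before the turn-on the unwrapped phase of pure noise is a random walk, so the windowed variance jumps from window to window; once the carrier dominates, the phase is a straight line and every window has nearly the same variance, which is what drives the trajectory to zero.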

[Plot panels: Amplitude vs. Samples with the Start of Transient marked; Difference Phase Variance vs. Samples.]
Fig. 7. Phase Detection (signal of net-core). © [2013] IEEE. Reprinted, with permission, from [51].

Method 5: Mean Change Point Detection (MCPD)

The mean Change Point Detection approach detects the start point of the transient signal by statistical calculation [51]. There is no need to define a threshold and nonparametric estimation for the hypothesis test [52].

Assuming fractal trajectory as the sample sequence e.g. $x_1, x_2, \ldots, x_N$, the process of the algorithm is provided as follows.

The first step is to divide the sample sequence into two sections $x_1, x_2, \ldots, x_{i-1}$ and $x_i, x_{i+1}, \ldots, x_N$, then calculate the mean and the following statistics of each section for $i = 2, 3, \ldots, N$.

$$S_i = \sum_{t=1}^{i-1} (x_t - \bar{X}_{t1})^2 + \sum_{t=i}^{N} (x_t - \bar{X}_{t2})^2 \tag{12}$$

where $\bar{X}$ is average of original samples. Statistics (S) of samples calculated according to equation (13).

$$S = \sum_{t=1}^{N} (x_t - \bar{X})^2 \tag{13}$$

The last step is to define the position of the start point of the transient signal by calculating the maximum point of $S - S_i$.

The main idea of this approach is to magnify the difference between static of samples before and after the section. As shown in Fig. 8, the start point of the transient part of net-core signal is accurately detected.

[Plot panels: Normalized Amplitude with the Start of Transient marked; Detection Value with the Start of Transient marked.]
Fig. 8. Mean Change Point Detection (signal of net-core). © [2013] IEEE. Reprinted, with permission, from [51].

Method 6: Permutation Entropy (PE) and Generalized Likelihood Ratio Test (GLRT) Detector

This method detects a transient signal based on permutation entropy (PE) and a generalized likelihood ratio test (GLRT) detector [40].

Permutation Entropy (PE) is introduced by Bandt-Pompe and can evaluate the irregularity and complexity of time series [53]. PE is simple, structurally robust and fast. Assume we have a given time series $X = \{x(i), i = 1, 2, \ldots, N\}$, to calculate PE of it, the time series are embedded into an m-dimensional space:

$$X_i = [x(i), x(i+l), \ldots, x(i+(m-1)l)], \tag{14}$$

where m is the embedding dimension and determines how much information is contained in each vector, l is time delay and $X_i$ is the i-th point in m-dimensional space; $1 \le i \le N-(m-1)l$.

In the next step, the values of $X_i$ are sorted in ascending order, so it can be written as follows:

$$X_i = [x(i+(j_1-1)l) \le x(i+(j_2-1)l) \le \ldots \le x(i+(j_m-1)l)], \tag{15}$$

The vector $X_i$ can be mapped onto a permutation pattern $\pi$:

$$\pi_i = [j_1, j_2, \ldots, j_m], \tag{16}$$

where, $\pi_i$ is one of m! possible permutations of m different symbols and j is the time index of the element in the reconstruction vector. Let the occurrence number of $\pi_i$ be $f(\pi_i)$, then the occurrence probability of $\pi_i$ is $p(\pi_i) = f(\pi_i)/(N-(m-1)l)$. Finally, the PE is computed as Shannon Entropy [54]:

$$0 \le H_P = -\sum_{j=1}^{K} p_j \ln(p_j) / \ln(m!) \le 1 \tag{17}$$

where, K is the number of distinct symbols in


$[\pi_1, \pi_2, \ldots, \pi_{N-(m-1)l}]$. Using the above knowledge about PE, the start point of the transient signal can be detected.

In the first step, the PE trajectory of the transient is calculated using a rectangular window of length $L_{wnd}$ that slides one sample each time. The PE of a noise series is bigger than the PE of a signal because there is no regularity in noise. The PE trajectory can be modeled by the following equation:

$$H_P(n) = \begin{cases} H_{pn}(n), & 1 \le n < n_0 \\ H_{pt}(n), & n_0 \le n \le n_1 \\ H_{ps}(n), & n_1 + 1 \le n \le N \end{cases} \tag{18}$$

where $n$ is the number of slides; $H_{pn}(n)$ is the PE of noise; $H_{ps}(n)$ is the PE of the stable signal; $H_{pt}(n)$ is the PE of the slides that contain the transient signal. When the transient is in the sliding window, the PE starts to decrease, and when the stable signal is in the sliding window, the PE changes only a little. The PE for the slides that contain the transient signal can be modelled as follows [40]:

$$H_P(n) = \begin{cases} A_0 + w(n), & 1 \le n < n_0 \\ A_0 + k \cdot (n - n_0) + w(n), & n_0 \le n \le N_0 \end{cases} \tag{19}$$

where $w(n)$ is Gaussian noise with a standard deviation of $\sigma$ and zero mean; $A_0$ is the average of $H_{pn}(n)$; $k$ is the slope of the decrease after $n_0$; $n_0$ is the first slide that contains the transient signal; $N_0$ is the changing point: when $n = N_0$, $H_{pn}(n) \ge T_0$ and $H_{pn}(N_0 + 1) < T_0$; and $T_0$ is the average PE, calculated as follows:

$$T_0 = \frac{\max(H_P) + \min(H_P)}{2}. \tag{20}$$

The transient detection problem can be solved in terms of the binary hypotheses test:

$$\begin{aligned} H_0 &: A_0 + w(n) \\ H_1 &: \begin{cases} A_0 + w(n), & 1 \le n < n_0 \\ A_0 + k \cdot (n - n_0) + w(n), & n_0 \le n \le N_0 \end{cases} \end{aligned} \tag{21}$$

In the second step, the GLRT detector of $H_p(n)$ can be represented as follows [55]:

$$L_G(x) = \frac{p(x; n_0, H_1)}{p(x; H_0)} = \frac{p(x; A_1 = \hat{A}_0, A_2 = \hat{A}_0 + \hat{k} \cdot (n - n_0), H_1)}{p(x; A_1 = \hat{A}_0)}, \tag{22}$$

where $p(x; n_0, H_1)$ and $p(x; A_1)$ are given by the following equations; $A_0$ and $k$ are unknown and can be estimated by maximum likelihood estimation (MLE) [40].

$$p(x; A_1, A_2) = \frac{1}{(2\pi\sigma^2)^{N_0/2}} \exp\left[-\frac{1}{2\sigma^2}\left(\sum_{n=1}^{n_0} (x(n) - A_1)^2 + \sum_{n=n_0+1}^{N_0} (x(n) - A_2)^2\right)\right] \tag{23}$$

$$p(x; A_1) = \frac{1}{(2\pi\sigma^2)^{N_0/2}} \exp\left[-\frac{1}{2\sigma^2}\left(\sum_{n=1}^{N_0} (x(n) - A_1)^2\right)\right], \tag{24}$$

TABLE I
PERFORMANCE COMPARISON OF TRANSIENT EXTRACTION ALGORITHMS

| Algorithms | Advantages | Disadvantages | Success Rate |
|---|---|---|---|
| BSCD [44] | High detection rate for signals with suitable amplitude, no need to define a threshold | Complex computation, poor detection for transient signal with small amplitude | 80-85%, 802.11b transceiver |
| BRCD [45] | Perform better than BSCD specially for Wi-Fi radios, no need to define a threshold | Complex computation, effective on signal models with linear power increase | 95%, 802.11b transceiver |
| VFDTD [46] | High detection rate | Complex computation, need to define a threshold practically, very sensitive against noise | Not Available |
| PD [47] | Simple and fast | Less sensitive to noise, need to define a start point practically | 85-90%, 802.11b transceiver |
| MCPD [48] | Simple, high detection rate, no need to define a threshold | Need a long computation time | 90-92.5%, 8 different transmitters including 3 Kenwood, 3 Force and 2 Yaesu models |
| PE & GLRT [37] | High detection rate, extremely accurate detection of start point, no need to define a threshold | Complex computation | Not Available |

To determine $A_0$ under the two hypotheses $H_0$ and $H_1$, let the MLE of $A_0$ under $H_0$ and $H_1$ be $\hat{A}_{00}$ and $\hat{A}_{01}$, respectively.

$$\hat{A}_{00} = \hat{A}_0 = \frac{1}{N_0} \sum_{n=1}^{N_0} H_p(n) \tag{25}$$

$$\hat{A}_{01} = \hat{A}_0 = \frac{1}{n_0} \sum_{n=1}^{n_0} H_p(n) \tag{26}$$

The MLE of the slope $k$ can be estimated by the least-squares fitting algorithm, as in equation (27) [54].
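The permutation-entropy trajectory and GLRT start-point estimate of equations (17) to (29) in this section, as an added example that is not code from the paper or from [40]. The capture is constructed (Gaussian noise followed by a ramped sine), and the function names, the window length of 64 and the mapping from slide index to sample index are assumptions of this example.

```python
import math
import random
from collections import Counter


def permutation_entropy(x, m=3, l=1):
    """Normalised PE of eq. (17): -sum(p_j ln p_j) / ln(m!), between 0 and 1."""
    n_vec = len(x) - (m - 1) * l              # number of reconstruction vectors
    if n_vec < 1:
        raise ValueError("series too short for the chosen m and l")
    # Ordinal pattern of each vector: the index order that sorts its elements.
    patterns = Counter(
        tuple(sorted(range(m), key=lambda k: x[j + k * l])) for j in range(n_vec)
    )
    h = -sum((f / n_vec) * math.log(f / n_vec) for f in patterns.values())
    return h / math.log(math.factorial(m))


def pe_trajectory(x, l_wnd, m=3, l=1):
    """PE of a rectangular window of length l_wnd slid one sample at a time."""
    return [permutation_entropy(x[n:n + l_wnd], m, l)
            for n in range(len(x) - l_wnd + 1)]


def changing_point(h):
    """N0 (1-based): last slide at or above T0 = (max + min) / 2 of eq. (20)
    before the trajectory first drops below T0."""
    t0 = (max(h) + min(h)) / 2
    for n in range(len(h) - 1):
        if h[n] >= t0 > h[n + 1]:
            return n + 1
    raise ValueError("PE trajectory never falls through T0")


def glrt_start_slide(h):
    """n0_hat of eq. (29): the slide n0 (1-based) maximising ln L_G of eq. (28)."""
    big_n0 = changing_point(h)
    if big_n0 < 4:
        raise ValueError("too few slides before the changing point")
    hp = h[:big_n0]                                   # H_p(1) .. H_p(N0)
    a00 = sum(hp) / big_n0                            # eq. (25)
    sse_h0 = sum((v - a00) ** 2 for v in hp)
    best_n0, best_ll = None, -math.inf
    for n0 in range(2, big_n0 - 1):                   # keeps >= 2 points for eq. (27)
        a01 = sum(hp[:n0]) / n0                       # eq. (26)
        seg = hp[n0:]                                 # H_p(n + n0), n = 1 .. N0 - n0
        cnt = len(seg)
        s_n = cnt * (cnt + 1) / 2
        s_n2 = cnt * (cnt + 1) * (2 * cnt + 1) / 6
        s_nh = sum(n * v for n, v in enumerate(seg, start=1))
        k = (cnt * s_nh - s_n * sum(seg)) / (cnt * s_n2 - s_n ** 2)   # eq. (27)
        sse_h1 = sum((v - a01) ** 2 for v in hp[:n0])
        sse_h1 += sum((v - a01 - k * n) ** 2 for n, v in enumerate(seg, start=1))
        ll = sse_h0 - sse_h1      # eq. (28) without the constant factor 1/(2*sigma^2)
        if ll > best_ll:
            best_n0, best_ll = n0, ll
    return best_n0


def estimate_transient_start(x, l_wnd, m=3, l=1):
    """Sample index (0-based) at which the transient is estimated to start."""
    n0_hat = glrt_start_slide(pe_trajectory(x, l_wnd, m, l))
    # Assumption of this example: slide n0 is the first window that contains
    # the transient, so the start is taken as that window's last sample.
    return (n0_hat - 1) + (l_wnd - 1)


def constructed_capture(n_total=600, start=300, seed=7):
    """Constructed test signal: Gaussian noise, then a sine whose amplitude
    ramps up over 40 samples (a stand-in for a turn-on transient)."""
    rng = random.Random(seed)
    x = []
    for t in range(n_total):
        amp = min(1.0, max(0.0, (t - start) / 40))
        x.append(amp * math.sin(2 * math.pi * t / 40) + rng.gauss(0.0, 0.01))
    return x


TRUE_START, L_WND = 300, 64

if __name__ == "__main__":
    capture = constructed_capture(start=TRUE_START)
    est = estimate_transient_start(capture, L_WND)
    print(f"true start {TRUE_START}, estimated start {est}")
```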


$$\hat{k} = \frac{(N_0 - n_0) \sum_{n=1}^{N_0 - n_0} n H_p(n + n_0) - \sum_{n=1}^{N_0 - n_0} n \sum_{n=1}^{N_0 - n_0} H_p(n + n_0)}{(N_0 - n_0) \sum_{n=1}^{N_0 - n_0} n^2 - \left(\sum_{n=1}^{N_0 - n_0} n\right)^2} \tag{27}$$

According to the above equations, the GLRT detector is defined as follows [40]:

$$\ln(L_G(H_p(n))) = \frac{1}{2\sigma^2} \left[ \sum_{n=1}^{N_0} (H_p(n) - \hat{A}_{00})^2 - \sum_{n=1}^{n_0} (H_p(n) - \hat{A}_{01})^2 - \sum_{n=n_0+1}^{N_0} (H_p(n) - \hat{A}_{01} - \hat{k} \cdot (n - n_0))^2 \right], \tag{28}$$

The estimated start point of the transient signal, $\hat{n}_0$, is the maximum of the GLRT detector, defined in equation [40]:

$$\hat{n}_0 = \arg\max_{n} [\ln(L_G(H_p(n)))], \tag{29}$$

According to the explanations about transient extraction methods, a table of performance comparison is provided. Table I shows the advantages and disadvantages of common algorithms in transient extraction.

B. Steady State-Based RF Fingerprinting

Steady-state based approaches focus on the unique features extracted from the modulated part of the signal. Brik et al. [10] proposed a Passive RAdiometric Device Identification System (PARADIS) using five specific features of the modulated signal such as: the frequency error, SYNC (synchronized) correlation, I/Q origin offset, and magnitude and phase errors for physical-layer identification. These features were used to make an RF fingerprint profile that is classified with an SVM and k-NN classifier. The system used 138 same model IEEE 802.11b signals, captured by a high-end vector signal analyzer and at distance from 3 to 15 m from the antenna, to test the accuracy of the classifiers. Shi and Jensen [56] proposed a similar approach to PARADIS and used radiometric features in the modulation domain to identify Multiple Input Multiple Output devices. Modulation-based methods were also used to classify RFID devices. Danev et al. [11] also used the features extracted from modulation shape and spectral features from RFID transponders. The proposed method was tested on 4 different classes and different models of ISO 14443 RFID transponder. In a number of studies such as [57], frequency domain features were used to perform transmitter identification. Eight Universal Radio Peripherals (USRP) transmitters were used for laboratory experiments. This paper offers an excellent performance improvement by using flexible feature selection with a traditional discriminatory classifier (k-NN). The approach performs well with 97% accuracy rate at 30 dB SNR and the performance is still good with accuracy of 66% at 0 dB SNR. Suski et al. [58] used the Power Spectral Density (PSD) coefficients as unique features from the preamble part of IEEE 802.11a/g signal.

Initially, research was more about transient-based RF fingerprinting because the steady-state part of the signal is not common to all transmitters. The transient signal always occurs in a transmission, so the research focused on transient-based approaches. However, a higher sampling rate is required to extract the transient signal due to its short period, and the reliability of the phase and amplitude information is a serious challenge in this area [57]. Nowadays, there is no need to have a steady-state signal for these approaches because almost all wireless local area network (WLAN), RFID, etc. have a preamble at the start of data transmission to make the receiver design simple [59]. Gerdes et al. [60] proposed a steady state-based RFF technique which is able to identify cards with same model and same manufacturer. The preamble part of IEEE Ethernet 802.3 (16 devices with 3 different models) was used to provide a device fingerprint profile, which helps to identify the device the signal emitted from. A matched filter implementation and a simple threshold were used to provide classification. They have shown that the characteristics of analog signals for these devices are trackable and also that it is appropriate for network access control schemes.

C. Other Approaches

Some of the proposed physical-layer identification techniques could not be related to the mentioned classification [61, 62]. These approaches usually use a special wireless technology and/or extract other attributes of the signal and logical layer. Suski et al. [63] create an RF fingerprint profile by measuring the power spectrum density (PSD) of the preamble of IEEE 802.11a to uniquely identify wireless devices. This approach was tested on 3 devices and achieved an average classification error rate of 20% for packet frames that were captured with SNR greater than 6 dB. In [62, 64], a complex wavelet transformation was applied to identify IEEE 802.11a (OFDM) devices. Multiple Discrimination Analysis (MDA) was used to classify extracted features and the classification performance for this approach was tested on 4 same model Cisco wireless devices. The results showed a classification error rate of 20% for SNR improvement of 8 dB. Recent research targeted different class of RFID for physical-layer identification [36, 65]. Periaswamy et al. [65, 66] used UHF RFID tags for device identification. The authors showed that the minimum power response characteristic can be used to identify devices in two independent sets of 50 tags from two different manufacturers with an accuracy of 94.4% (with False Acceptance Rate (FAR) of 0.1%) and 90.7% (with FAR of 0.2%).

Danev et al. [11] used timing, modulation shape and spectral features of device response signals for physical layer identification. The authors showed that of these features, timing and modulation-shape only distinguished devices from different manufacturers, but spectral features would be a preferred fingerprint to identify devices from the same manufacturer and same model. Jana and Kasera [61] used clock skews as a unique feature to identify access points (APs) in a wireless local area network. The effectiveness of this technique has been shown in [67] for complex networks. The results showed that different APs are distinguishable with high accuracy. Recently, researchers investigated a variety of signal characteristics and signal parts on GSM devices [68-70]. They used midamble and the near-transient part of GSM-GMSK burst signals for the aim of identification and classification of


devices from 4 different manufacturers. The results showed that the accuracy of classification sharply decreases when the midamble part is used but the near-transient part is suitable for identifying GSM signals.

IV. TAXONOMY OF FEATURES FOR RF FINGERPRINTING

A large variety of features can be used for physical layer identification. In this section, we investigate useful features in the physical layer, whether they are active or passive. Physical layer features are extracted from the received RF waveform and generally divided into two categories: location dependent features and location independent features or radiometrics. In this paper, we focused on location independent features.

A. Location-Independent Features

Extracting radiometric features depends on the hardware implementation of wireless devices. It has been shown that even with significant advancement in circuit design and manufacturing, every transmitter has a unique RF fingerprint owing to imperfections in its analog components and manufacturing process [71]. Imperfections such as channel width, channel doping and oxide thickness, which are small enough to meet specifications of communication, can allow us to detect unique features from devices and provide device fingerprints [72].

The main purpose of feature extraction is to create a unique RF fingerprint profile to make a transmitter distinguishable from the rest of the transmitters. Previously, researchers [59] used the coefficients of Power Spectral Density (PSD) and normalized PSD to create an RF fingerprint.

Hall et al. [50] use unique features such as phase, amplitude, phase angle and frequency that are extracted using the Discrete Wavelet Transform (DWT), from the turn-on transient portion of signals.

Polak et al. [73] used the imperfection of the power amplifier for physical layer identification because power amplifiers are the last elements in the circuit of transmitters and it is hard for attackers to modify them with software. Volterra series were used to model the nonlinear characteristics of power amplifiers.

As mentioned, Brik et al. [10] proposed a system called PARADIS that used features such as magnitude and phase errors, I/Q origin offset and SYNC correlation of the frame. Nguyen et al. [74] used carrier frequency differences (CFD) and phase shift differences (PSD) as fingerprints for transmitters. PSD is determined as the phase shift from one constellation to another in the neighborhood that may vary because of the different amplifier for I-phase and Q-phase in each transmitter. Nguyen et al. also proposed a second-order cyclostationary feature (SOCF) in addition to PSD and CFD to identify devices.

In radiometric techniques, feature extraction can be classified into transient-based and steady state-based features because of the way they treat signals [10]. Transient-based methods [75, 76] use time- and frequency-based features which are flexible but complex, while steady state-based methods represent features in terms of I/Q samples. Modulation based methods have better structure but the important issue is the fact that we should know the respective modulation scheme.

B. Location-Dependent Features:

RF fingerprinting techniques usually have two aims: 1) find the device which emitted the signal and 2) find the location of the device which the signal originated from [77]. The most common feature which is used in location based RFF techniques is radio signal strength (RSS) [78]. The value of RSS depends on the attenuation of the channel and the transmission power at the transmitter. For example, two distant locations have different values of average signal power (RSS) at the receiver with the same transmitter. However, if the two devices are close, their RSS will be similar. The other feature in this classification is Channel State Information at the Receiver (CSIR). This feature is very sensitive to moving. If we consider small-scale fading, CSIR can have very different values by only a little movement of a receiver. Location-dependent features cannot be used separately as a fingerprint because they are very sensitive to environmental changes [72].

V. CLASSIFICATION OF EXTRACTED FEATURES

Classification algorithms can be divided into two categories: supervised algorithms and unsupervised algorithms. Supervised algorithms are the category in which a set of observations is available: classifiers are built based on a set of labeled data and the algorithms learn to predict [79]. In supervised algorithms, a set of labeled observations is available for training.

The K Nearest Neighbors algorithm (KNN) is one of the supervised methods [53]. This algorithm classifies a data set based on the distance to the nearest samples in the training set. A variety of functions can be used to determine the distance between samples such as Euclidean distance, Mahalanobis and Minkowski; Euclidean distance is the most common [80]. The KNN algorithm is very simple and computationally efficient in the training phase but the classification phase could be computationally intensive in comparison with other algorithms. In addition, in high dimensions, KNN is a less effective method for classification.

SVM is also a supervised algorithm that learns to classify observation samples from the reference samples. SVM uses a function from different types such as: linear, Radial Basis Function (RBF), polynomial, sigmoidal to divide the labeled set into several groups, depending on the problem, on a multi-dimensional surface [81]. This method provides a high level of accuracy and robustness and it is also efficient for binary classification.

A neural network is a supervised method that contains a set of connected input and output and each connection has a specific weight. The network predicts the class labels during the process of adjusting the weight to each connection [82]. The most important advantage of neural networks is the tolerance of noisy data in RF fingerprints. This algorithm could be able to classify patterns without a training phase that is a very useful point for identifying new devices.

Unsupervised learning algorithms do not have a training set


and the algorithm must find the function from unlabeled data. For wireless device identification, unsupervised algorithms mean that we have similar fingerprints from different devices which are grouped together and belong to the same cluster. These methods are very useful for identifying devices from the same models and the same manufacturers. In these approaches, there is no need to create a reference library because the presence of valid phones is used for this purpose [83]. There are various unsupervised algorithms. Here we described only the methods applied to fingerprint identification.

K-Means clustering is an unsupervised algorithm in which the observations are divided into a number of clusters and each sample of observation is assigned to the cluster with the nearest mean.

PCA (Principal Component Analysis) is a multivariate method which is useful for data compression and dimensionality reduction. The main purpose in PCA is to extract important information from data and construct a set of orthogonal variables called principal components. This feature is very useful in phone identification to reduce a large set of features [84].

VI. CONCLUSION

This survey has reviewed RF fingerprinting methods for wireless devices. Physical-layer identification has been studied for a variety of wireless applications, but the primary usage of this technology is in wireless security enhancement. In this paper, we provide a comprehensive overview of physical-layer identification and state-of-the-art techniques in RFF. The detection of transients is considered one of the key steps in the fingerprint detection of wireless devices; its accuracy directly affects the success of identification. This review has investigated some of the common approaches in transient detection and their advantages and disadvantages. The most important problem in transient based algorithms is the dependency of the extraction method on the sampling rate of signals. A signal with a high sampling rate allows precise transient extraction, which requires high-end devices for capturing the signal. The main gap in this area is the lack of a reliable approach to optimize the sampling rate which can reduce the costs.

The feature profiles used for different types of fingerprinting methods have been elaborated in this review. The main idea is to extract unique features from wireless devices to generate non-forgeable signatures. Finally, the paper has taken into consideration the classification process and methods.

ACKNOWLEDGMENT

We are particularly grateful for the assistance given by Dr. Michael Pauly for English language editing.

REFERENCES

[1] Q. Li and W. Trappe, "Detecting spoofing and anomalous traffic in wireless networks via forge-resistant relationships," IEEE Transactions on Information Forensics and Security, vol. 2, pp. 793-808, 2007.
[2] J. Hall, M. Barbeau, and E. Kranakis, "Radio frequency fingerprinting for intrusion detection in wireless networks," IEEE Transactions on Dependable and Secure Computing, vol. 12, pp. 1-35, 2005.
[3] O. Ureten and N. Serinken, "Wireless security through RF fingerprinting," Canadian Journal of Electrical and Computer Engineering, vol. 32, pp. 27-33, 2007.
[4] K. D. Hawkes, "Transient analysis system for characterizing RF transmitters by analyzing transmitted RF signals," ed: Google Patents, 1998.
[5] C. Bertoncini, K. Rudd, B. Nousain, and M. Hinders, "Wavelet fingerprinting of radio-frequency identification (RFID) tags," IEEE Transactions on Industrial Electronics, vol. 59, pp. 4843-4850, 2011.
[6] H. Yuan and A. Hu, "Preamble-based detection of Wi-Fi transmitter RF fingerprints," Electronics letters, vol. 46, pp. 1165-1167, 2010.
[7] H. C. Choe, C. E. Poole, M. Y. Andrea, and H. H. Szu, "Novel identification of intercepted signals from unknown radio transmitters," in Wavelet Applications II, pp. 504-518, 1995.
[8] J. Hall, M. Barbeau, and E. Kranakis, "Enhancing intrusion detection in wireless networks using radio frequency fingerprinting," in Communications, internet, and information technology, pp. 201-206, 2004.
[9] J. Toonstra and W. Kinsner, "Transient analysis and genetic algorithms for classification," in IEEE WESCANEX 95. Communications, Power, and Computing. Conference Proceedings, pp. 432-437, 1995.
[10] V. Brik, S. Banerjee, M. Gruteser, and S. Oh, "Wireless device identification with radiometric signatures," in Proceedings of the 14th ACM international conference on Mobile computing and networking, pp. 116-127, 2008.
[11] B. Danev, T. S. Heydt-Benjamin, and S. Capkun, "Physical-layer identification of RFID devices," in USENIX security symposium, pp. 199-214, 2009.
[12] D. Kaplan and D. M. Stanhope, "Waveform collection for use in wireless telephone identification," ed: Google Patents, 1999.
[13] N. O. Tippenhauer, K. B. Rasmussen, C. Pöpper, and S. Čapkun, "Attacks on public WLAN-based positioning systems," in Proceedings of the 7th international conference on Mobile systems, applications, and services, pp. 29-40, 2009.
[14] K. Zeng, K. Govindan, and P. Mohapatra, "Non-cryptographic authentication and identification in wireless networks," network security, vol. 1, p. 3, 2010.
[15] L. Xiao, L. Greenstein, N. Mandayam, and W. Trappe, "A physical-layer technique to enhance authentication for mobile terminals," in 2008 IEEE International Conference on Communications, pp. 1520-1524, 2008.
[16] P. V. Nikitin, R. Martinez, S. Ramamurthy, H. Leland, G. Spiess, and K. Rao, "Phase based spatial identification of UHF RFID tags," in 2010 IEEE International Conference on RFID (IEEE RFID 2010), pp. 102-109, 2010.
[17] A. A. Larionov, R. E. Ivanov, and V. M. Vishnevsky, "UHF RFID in automatic vehicle identification: Analysis and simulation," IEEE Journal of Radio Frequency Identification, vol. 1, pp. 3-12, 2017.
[18] I. C. S. L. M. S. Committee, "IEEE 802.11: Wireless LAN medium access control and physical layer specifications," ed: August, 1999.
[19] B. Kauffmann, F. Baccelli, A. Chaintreau, V. Mhatre, K. Papagiannaki, and C. Diot, "Measurement-based self organization of interfering 802.11 wireless access networks," in Infocom, pp. 1451-1459, 2007.
[20] A. Candore, O. Kocabas, and F. Koushanfar, "Robust stable radiometric fingerprinting for wireless devices," in 2009 IEEE International Workshop on Hardware-Oriented Security and Trust, pp. 43-49, 2009.


[21] B. Danev and S. Capkun, "Transient-based identification of wireless sensor nodes," in Proceedings of the 2009 International Conference on Information Processing in Sensor Networks, pp. 25-36, 2009.
[22] M. Debbah, "Mobile flexible networks: The challenges ahead," in 2008 International Conference on Advanced Technologies for Communications, pp. 3-7, 2008.
[23] N. Hu and Y.-D. Yao, "Identification of legacy radios in a cognitive radio network using a radio frequency fingerprinting based method," in 2012 IEEE International Conference on Communications (ICC), pp. 1597-1602, 2012.
[24] M. Marcus, "Progress in vhf/nhf mobile transmitter identification, University of Manitoba, Department of Electrical and Computer Engineering," Tech. Rep., 1992.
[25] K. G. Gard, L. E. Larson, and M. B. Steer, "The impact of RF front-end characteristics on the spectral regrowth of communications signals," IEEE Transactions on Microwave Theory and Techniques, vol. 53, pp. 2179-2186, 2005.
[26] B. Danev, H. Luecken, S. Capkun, and K. El Defrawy, "Attacks on physical-layer identification," in Proceedings of the third ACM conference on Wireless network security, pp. 89-98, 2010.
[27] B. Danev, A. d. Spindler, H. Luecken, and S. Capkun, "Physical-layer identification: Secure or not?," Technical report/ETH Zurich, Department of Computer Science, vol. 634, 2009.
[28] R. M. Bolle, J. H. Connell, S. Pankanti, N. K. Ratha, and A. W. Senior, Guide to biometrics: Springer Science & Business Media, 2013.
[29] J. Toonstra and W. Kinsner, "A radio transmitter fingerprinting system ODO-1," in Proceedings of 1996 Canadian Conference on Electrical and Computer Engineering, pp. 60-63, 1996.
[30] R. D. Hippenstiel and Y. Payal, "Wavelet based transmitter identification," in Fourth International Symposium on Signal Processing and Its Applications, pp. 740-742, 1996.
[31] S. Xu, L. Xu, Z. Xu, and B. Huang, "Individual radio transmitter identification based on spurious modulation characteristics of signal envelop," in MILCOM 2008-2008 IEEE Military Communications Conference, pp. 1-5, 2008.
[32] G. O. M. Zamora, S. Bergin, and I. O. Kennedy, "Using support vector machines for passive steady state RF fingerprinting," in Novel Algorithms and Techniques in Telecommunications and Networking, ed: Springer, pp. 183-188, 2010.
[33] M. Leonardi, L. Di Gregorio, and D. Di Fausto, "Air traffic security: aircraft classification using ADS-B message’s phase-pattern," Aerospace, vol. 4, p. 51, 2017.
[34] M. Woelfle, M. Temple, M. Mullins, and M. Mendenhall, "Detecting identifying and locating bluetooth devices using rf fingerprints," in 2009 Military Communications Conference (MILCOM 2009), 2009.
[35] S. U. Rehman, K. Sowerby, and C. Coghill, "RF fingerprint extraction from the energy envelope of an instantaneous transient signal," in 2012 Australian Communications Theory Workshop (AusCTW), pp. 90-95, 2012.
[36] D. Zanetti and B. Danev, "Physical-layer identification of UHF RFID tags," in Proceedings of the sixteenth annual international conference on Mobile computing and networking, pp. 353-364, 2010.
[37] X. Li, Y. Zhang, and M. G. Amin, "Multifrequency-based range estimation of RFID tags," in 2009 IEEE International Conference on RFID, pp. 147-154, 2009.
[38] K. I. Talbot, P. R. Duley, and M. H. Hyatt, "Specific emitter identification and verification," Technology Review, vol. 113, 2003.
[39] Y. Honglin and H. Aiqun, "Fountainhead and uniqueness of RF fingerprint," Journal of Southeast University (Natural Science Edition), vol. 39, pp. 230-233, 2009.
[40] Y.-J. Yuan, X. Wang, Z.-T. Huang, and Z.-C. Sha, "Detection of radio transient signal based on permutation entropy and GLRT," Wireless Personal Communications, vol. 82, pp. 1047-1057, 2015.
[41] K. Ellis and N. Serinken, "Characteristics of radio transmitter fingerprints," Radio Science, vol. 36, pp. 585-597, 2001.
[42] O. Tekbas, N. Serinken, and O. Ureten, "An experimental performance evaluation of a novel radio-transmitter identification system under diverse environmental conditions," Canadian Journal of Electrical and Computer Engineering, vol. 29, pp. 203-209, 2004.
[43] Ö. Tekbaş, O. Üreten, and N. Serinken, "Improvement of transmitter identification system for low SNR transients," Electronics Letters, vol. 40, pp. 182-183, 2004.
[44] M. Barbeau, J. Hall, and E. Kranakis, "Detection of rogue devices in bluetooth networks using radio frequency fingerprinting," in proceedings of the 3rd IASTED International Conference on Communications and Computer Networks, CCN, pp. 4-6, 2006.
[45] K. B. Rasmussen and S. Capkun, "Implications of radio fingerprinting on the security of sensor networks," in 2007 Third International Conference on Security and Privacy in Communications Networks and the Workshops-SecureComm 2007, pp. 331-340, 2007.
[46] C. Zhao, T. Y. Chi, L. Huang, Y. Yao, and S.-Y. Kuo, "Wireless local area network cards identification based on transient fingerprinting," Wireless Communications and Mobile Computing, vol. 13, pp. 711-718, 2013.
[47] T. Higuchi, "Approach to an irregular time series on the basis of the fractal theory," Physica D: Nonlinear Phenomena, vol. 31, pp. 277-283, 1988.
[48] O. Ureten and N. Serinken, "Bayesian detection of Wi-Fi transmitter RF fingerprints," Electronics Letters, vol. 41, pp. 373-374, 2005.
[49] D. Shaw and W. Kinsner, "Multifractal modelling of radio transmitter transients for classification," in IEEE WESCANEX 97 Communications, Power and Computing. Conference Proceedings, pp. 306-312, 1997.
[50] J. Hall, M. Barbeau, and E. Kranakis, "Detection of transient in radio frequency fingerprinting using signal phase," Wireless and Optical Communications, pp. 13-18, 2003.
[51] L. Huang, M. Gao, C. Zhao, and X. Wu, "Detection of Wi-Fi transmitter transients using statistical method," in 2013 IEEE International Conference on Signal Processing, Communication and Computing (ICSPCC 2013), pp. 1-5, 2013.
[52] R. Klein, M. A. Temple, M. J. Mendenhall, and D. R. Reising, "Sensitivity analysis of burst detection and RF fingerprinting classification performance," in 2009 IEEE International Conference on Communications, pp. 1-5, 2009.
[53] Y. Cao, W.-w. Tung, J. Gao, V. A. Protopopescu, and L. M. Hively, "Detecting dynamical changes in time series using the permutation entropy," Physical review E, vol. 70, p. 046217, 2004.
[54] C. Bandt and B. Pompe, "Permutation entropy: a natural complexity measure for time series," Physical review letters, vol. 88, p. 174102, 2002.
[55] S. M. Kay, Fundamentals of statistical signal processing: Prentice Hall PTR, 1993.
[56] Y. Shi and M. A. Jensen, "Improved radiometric identification of wireless devices using MIMO transmission," IEEE Transactions on Information Forensics and Security, vol. 6, pp. 1346-1354, 2011.
[57] I. O. Kennedy, P. Scanlon, F. J. Mullany, M. M. Buddhikot, K. E. Nolan, and T. W. Rondeau, "Radio transmitter fingerprinting: A steady state frequency domain approach," in 2008 IEEE 68th Vehicular Technology Conference, pp. 1-5, 2008.
[58] W. C. S. II, M. A. Temple, M. J. Mendenhall, and R. F. Mills, "Radio frequency fingerprinting commercial communication devices to enhance electronic security," International Journal of Electronic Security and Digital Forensics, vol. 1, pp. 301-322, 2008.


[59] P. Scanlon, I. O. Kennedy, and Y. Liu, "Feature extraction approaches to RF fingerprinting for device identification in femtocells," Bell Labs Technical Journal, vol. 15, pp. 141-151, 2010.

[60] R. M. Gerdes, T. E. Daniels, M. Mina, and S. Russell, "Device identification via analog signal fingerprinting: a matched filter approach," in NDSS, 2006.

[61] S. Jana and S. K. Kasera, "On fast and accurate detection of unauthorized wireless access points using clock skews," IEEE Transactions on Mobile Computing, vol. 9, pp. 449-462, 2009.

[62] R. W. Klein, M. A. Temple, and M. J. Mendenhall, "Application of wavelet-based RF fingerprinting to enhance wireless network security," Journal of Communications and Networks, vol. 11, pp. 544-555, 2009.

[63] W. C. Suski II, M. A. Temple, M. J. Mendenhall, and R. F. Mills, "Using spectral fingerprints to improve wireless network security," in IEEE GLOBECOM 2008-2008 IEEE Global Telecommunications Conference, pp. 1-5, 2008.

[64] R. W. Klein, M. A. Temple, and M. J. Mendenhall, "Application of wavelet denoising to improve OFDM-based signal detection and classification," Security and Communication Networks, vol. 3, pp. 71-82, 2010.

[65] S. Chinnappa Gounder Periaswamy, D. R. Thompson, and J. Di, "Fingerprinting RFID tags," IEEE Transactions on Dependable & Secure Computing, vol. 8, 2011.

[66] S. C. G. Periaswamy, D. R. Thompson, H. P. Romero, and J. Di, "Fingerprinting radio frequency identification tags using timing characteristics," in Proc. Workshop on RFID Security-RFID-sec Asia, 2010.

[67] T. Kohno, A. Broido, and K. C. Claffy, "Remote physical device fingerprinting," IEEE Transactions on Dependable and Secure Computing, vol. 2, pp. 93-108, 2005.

[68] D. R. Reising, M. A. Temple, and M. J. Mendenhall, "Improved wireless security for GMSK-based devices using RF fingerprinting," International Journal of Electronic Security and Digital Forensics, vol. 3, pp. 41-59, 2010.

[69] M. D. Williams, M. A. Temple, and D. R. Reising, "Augmenting bit-level network security using physical layer RF-DNA fingerprinting," in 2010 IEEE Global Telecommunications Conference GLOBECOM 2010, pp. 1-6, 2010.

[70] D. R. Reising, M. A. Temple, and M. J. Mendenhall, "Improving intra-cellular security using air monitoring with RF fingerprints," in 2010 IEEE Wireless Communication and Networking Conference, pp. 1-6, 2010.

[71] S. Dolatshahi, A. Polak, and D. L. Goeckel, "Identification of wireless users via power amplifier imperfections," in 2010 Conference Record of the Forty Fourth Asilomar Conference on Signals, Systems and Computers, pp. 1553-1557, 2010.

[72] Q. Xu, R. Zheng, W. Saad, and Z. Han, "Device fingerprinting in wireless networks: Challenges and opportunities," IEEE Communications Surveys & Tutorials, vol. 18, pp. 94-104, 2015.

[73] A. C. Polak, S. Dolatshahi, and D. L. Goeckel, "Identifying wireless users via transmitter imperfections," IEEE Journal on Selected Areas in Communications, vol. 29, pp. 1469-1479, 2011.

[74] N. T. Nguyen, G. Zheng, Z. Han, and R. Zheng, "Device fingerprinting to enhance wireless security using nonparametric Bayesian method," in 2011 Proceedings IEEE INFOCOM, pp. 1404-1412, 2011.

[75] K. Remley, C. A. Grosvenor, R. T. Johnk, D. R. Novotny, P. D. Hale, M. McKinley, et al., "Electromagnetic signatures of WLAN cards and network security," in Proceedings of the Fifth IEEE International Symposium on Signal Processing and Information Technology, 2005, pp. 484-488, 2005.

[76] Y. Sheng, K. Tan, G. Chen, D. Kotz, and A. Campbell, "Detecting 802.11 MAC layer spoofing using received signal strength," in IEEE INFOCOM 2008-The 27th Conference on Computer Communications, pp. 1768-1776, 2008.

[77] N. Patwari and S. K. Kasera, "Robust location distinction using temporal link signatures," in Proceedings of the 13th annual ACM international conference on Mobile computing and networking, pp. 111-122, 2007.

[78] R. S. Campos and L. Lovisolo, "RF fingerprinting location techniques," Handbook of Position Location: Theory, Practice, and Advances, pp. 487-520, 2011.

[79] S. Theodoridis and K. Koutroumbas, "Pattern recognition," IEEE Transactions on Neural Networks, vol. 19, p. 376, 2008.

[80] Z. Prekopcsák and D. Lemire, "Time series classification by class-specific Mahalanobis distance measures," Advances in Data Analysis and Classification, vol. 6, pp. 185-200, 2012.

[81] G. Baldini and G. Steri, "A survey of techniques for the identification of mobile phones using the physical fingerprints of the built-in components," IEEE Communications Surveys & Tutorials, vol. 19, pp. 1761-1789, 2017.

[82] B. Widrow and M. A. Lehr, "30 years of adaptive neural networks: perceptron, madaline, and backpropagation," Proceedings of the IEEE, vol. 78, pp. 1415-1442, 1990.

[83] G. Zhang, W. Jin, and L. Hu, "Resemblance coefficient based intrapulse feature extraction approach for radar emitter signals," Chinese Journal of Electronics, vol. 14, pp. 337-341, 2005.

[84] D. R. Reising, M. A. Temple, and J. A. Jackson, "Authorized and rogue device discrimination using dimensionally reduced RF-DNA fingerprints," IEEE Transactions on Information Forensics and Security, vol. 10, pp. 1180-1192, 2015.

Naeimeh Soltanieh was born in Zanjan, Iran in 1991. She received her B.Sc. degree in electronics engineering from Zanjan University and M.Sc. degree in telecommunication engineering from Sahand University of Technology in 2012 and 2014 respectively.

She is currently a Ph.D. student in Telecommunication engineering at Amirkabir University of Technology, focused on radio frequency fingerprinting. She has completed a one-year visiting student program at Melbourne University. She is now attending the same program at the University of Technology Sydney, researching transient-based radio frequency identification and verification. Her research interests include signal processing, radio frequency identification, information theory, and communication systems.

Yaser Norouzi was born in Tafresh, Iran, in 1981. He received the B.S., M.S., and Ph.D. degrees from the Sharif University of Technology, Tehran, Iran, in 2002, 2004, and 2008, respectively, all in communication engineering. He is currently with the Department of Electrical Engineering, Amirkabir University of Technology (Tehran Polytechnique). His fields of research include radar waveform design, signal detection, and parameter estimation.


Yang Yang (S’11–M’14–SM’17) was born in Bayan Nur, Inner Mongolia, China and received the PhD degree from Monash University, Melbourne, Australia, in 2013.

Dr. Yang has 3 years of industry experience at Rain Bird Australia, serving as an Asia Pacific GSP Engineer from 2012 to 2015. He received the corporate 2014 Global GSP Success Award (one globally). In April 2015, he returned to academia, working in the field of microwave and antenna technologies with the Centre for Collaboration in Electromagnetic and Antenna Engineering at Macquarie University. In April 2016, he was appointed as a Research Fellow with the State Key Laboratory of Terahertz and Millimeter Waves, City University of Hong Kong. In December 2016, Dr. Yang joined the University of Technology Sydney, Australia. He is currently a Senior Lecturer and a team leader of Millimetre-Wave Integrated Circuits and Antennas. Dr. Yang has over 150 international peer reviewed publications in microwave and millimetre-wave circuits and antennas.

He is a current Associate Editor of IEEE ACCESS, and an Area Editor of MICROWAVE AND OPTICAL TECHNOLOGY LETTERS. Dr. Yang is a global winner of the CST University Publication Award 2018, by CST, Dassault Systèmes.

Nemai Chandra Karmakar (S’91–M’91–SM’99) received the Ph.D. degree in information technology and electrical engineering from the University of Queensland, St. Lucia, QLD, Australia, in 1999. He has 20 years of teaching, design, and research experience in smart antennas, microwave active and passive circuits, and chipless RFIDs in both industry and academia in Australia, Canada, Singapore, and Bangladesh. He is currently an Associate Professor with the Department of Electrical and Computer Systems Engineering, Monash University, Melbourne, VIC, Australia. He has authored and co-authored over 230 refereed journal and conference papers, 24 refereed book chapters and three edited and one co-authored books in the field of RFID. He has two patent applications for chipless RFIDs.
