FID: Function Modelingbased DataIndependent and ChannelRobust PhysicalLayer Identification
Abstract
Trusted identification is critical to secure IoT devices. However, the limited memory and computation power of lowend IoT devices prevent the direct usage of conventional identification systems. RF fingerprinting is a promising technique to identify lowend IoT devices since it only requires the RF signals that most IoT devices can produce for communication. However, most existing RF fingerprinting systems are datadependent and/or not robust to impacts from wireless channels. To address the above problems, we propose to exploit the mathematical expression of the physicallayer process, regarded as a function , for device identification. is not directly derivable, so we further propose a model to learn it and employ this function model as the device fingerprint in our system, namely ID. Our proposed function model characterizes the unique physicallayer process of a device that is independent of the transmitted data, and hence, our system ID is dataindependent and thus resilient against signal replay attacks. Modeling and further separating channel effects from the function model makes ID channelrobust. We evaluate ID on thousands of random signal packets from different devices in different environments and scenarios, and the overall identification accuracy is over .
I Introduction
Every InternetofThings (IoT) device shall have its own identity to form a trusted ecosystem. Generally, there are two widelyused identification methods for IoT devices, i.e., cryptographybased and hardwarebased methods. Cryptographybased scheme provides a unique key for each user or device as the identity. However, all those schemes require the extra computational resource that lowend IoT devices don’t have. Hardwarebased systems exploit additional hardware to provide security functionalities including identification. Hardware like Intel SGX and TrustZone is a good developing bed for such hardwarebased systems [1]. However, for massively deployed lowend IoT devices, additional hardware is unaffordable. Even for more expensive devices such as laptops and smartphones that already have a cryptographybased or hardwarebased identification system, a lowcost identification system can also support multifactor identification in case that the original system is compromised.
Radio Frequency (RF) fingerprinting is a promising technique to build lowcost identification systems. RF aims at identifying a device by its RF signals, because RF signals reflect the unique hardware imperfections of their source devices which are introduced in the manufacturing process [2]. Since almost all IoT devices can produce RF signals for communication and RF fingerprinting only leverages these signals, no additional computational resource and hardware are required by RF fingerprinting systems to be embedded in IoT devices.
However, most existing RF fingerprinting systems are datadependent and/or not robust to spatial variations and wireless channel effects, mainly including locationbased, transientbased, and preamblebased systems. For locationbased systems, the features they use entirely depend on the device’s unique location, and hence these systems are sensitive to any spatial variations. Transientbased and preamblebased systems are typical datadependent systems since the features they use are extracted from fixed segments of the RF signals, i.e., transition signal or preamble signal. Using a fixed signal segment for identification makes this kind of systems vulnerable to signal replay attacks. An existing partially dataindependent and channelrobust RF fingerprinting system is the modulation errorbased system [3]. However, this system completely relies on a 5feature space for classification. Therefore, the number and types of devices that can be classified by this system are constrained by this lowdimensional feature space.
To address the above problems, we propose a Function modelingbased dataIndependent and channelRobust physicallayer IDentification system, namely ID. We propose to exploit a mathematical function that takes the transmitted data as input and the transmitted RF signal as the output in ID. is the mathematical expression of the physicallayer process from modulation to power amplification, and hence it can represent all the uniqueness of the hardware and the signal processing procedures within a RF transmitter. However, is not directly derivable. Hence, we propose an accurate and efficient model, which utilizes several insights about those physicallayer procedures and a widelyused functionlearning method (i.e., Kernel Regression) to model for each authenticated device. This function model is employed as the device fingerprint in ID, i.e., we match the received RF signal and the signal computed/predicted by the function model to identify a device. Since our proposed function and function model characterize the inherent properties of the physicallayer process that remain unchanged regardless of the transmitted data, ID built on our function model is also dataindependent and thus can be resilient against signal replay attacks. Also, the spatial variations and multipath channels can be modeled in our scheme. The impacts of these environmental factors are approximately separable from our function model. Using the remaining part of our proposed function model for identification makes ID robust to the environmental impacts. Additionally, since can represent all the uniqueness of the hardware and the signal processing procedures within a device’s physicallayer process, all the dataindependent features are derivable from . Therefore, ID is not constrained by lowdimensional feature spaces, which implies ID has the potential to identify the devices that can not be classified by the existing featurebased systems.
Contribution. Our contributions can be summarized as follows:

We summarize the limitations of the existing RF fingerprinting systems and propose to exploit the mathematical expression of the physicallayer process (i.e., ) in our RF fingerprinting system to solve those problems.

We propose an accurate and efficient function model to learn since is not directly derivable, and we design a dataindependent channelrobust RF fingerprinting system based on our function model, namely ID.

We implement ID and provide an extensive evaluation to verify the data independency, the outstanding performance, and the robustness of ID.
The remainder of the paper expands on the above contributions. We begin with brief introduction of the existing RF fingerprint schemes and detailed analysis of their limitations for further explanation of our objectives, followed by the establishment of our proposed function model and the associated ID system, and evaluation of ID in different environments and scenarios.
Ii Problem Statement and Objectives
In this section, we first briefly introduce the RF fingerprinting system model. The existing RF fingerprinting schemes and their limitations are summarized in section IIB and IIC. To tackle those limitations, we develop a function modeling method and design ID. Our research objectives are presented in section IID.
Iia RF Fingerprinting
RF fingerprinting is a technique to identify wireless devices by their transmitted RF signals. As illustrated in Fig. 1, an RF fingerprinting system consists of an identifier and massively deployed wireless devices, which follow certain communication protocols to generate RF signals for communication. The identifier, regarded as a central server in Fig. 1, is responsible for leveraging the received RF signals and certain algorithms and principles to identify the transmitters of the RF signals.
IiB Existing RF Fingerprinting Scheme and System
Locationbased RF Fingerprinting
Locationbased RF fingerprinting systems are built on features like Radio Signal Strength (RSS) [4], Channel State Information (CSI) [5], and Channel Frequency Response (CFR) [6] that contain the location information of the target devices. Therefore, these systems aim to take advantage of the devices’ unique locations for device identification.
Transientbased and Preamblebased RF Fingerprinting
Transientbased and preamblebased RF fingerprinting systems are built on features extracted from the transition signals and preamble signals [8, 9, 11, 10, 12, 13, 14, 15]. These systems attempt to leverage the uniqueness of a certain fixed segment in all the RF signal packets transmitted by the authenticated devices for device identification.
Modulation Errorbased RF Fingerprinting
A partially dataindependent and channelrobust RF fingerprinting system is the modulation errorbased system that assigns statistics of the modulation errors as device fingerprint [3, 16]. The main five statistics of modulation errors proposed by [3] include SYNC correlation, carrier frequency offset, averaged magnitude error, averaged phase error and I/Q original offset. Among those five features, carrier frequency offset, SYNC correlation and I/Q original offset are the three most discriminative features [17], and SYNC correlation is undoubtedly a datadependent feature. Therefore, if random RF signals are used for device classification in this system, the carrier frequency offset and I/Q original offset will determine the number and the types of devices that can be classified.
RF Power Amplifier Modelingbased Identification
In the wireless communication system, the RF power amplifier is a critical hardware component that has been studied for a long time. In previous works, Volterra series and Recurrent Neural Network (RNN) have been successfully used to model the behavior of RF power amplifiers [18, 19]. Adam et al. [20] exploit the Volterra series model to identify different power amplifiers, and they show that the commercial power amplifier chips can be easily identified by very short output sequences. However, to our best knowledge, we are the first to model the whole wireless device rather than a hardware component for device identification. To model such a combination of multiple hardware components, we propose a function model totally different from the Volterra series model.
Deep Learningbased RF Fingerprinting
Recently, [21] and [22] exploit convolutional neural network (CNN) and Recurrent Neural Network (RNN) to classify wireless signals for IoT device identification. [21] demonstrated identification accuracy on seven ZigBee devices, and [22] achieved over overall accuracy on LoRa lowpower wireless chipsets. They are the first trials to apply Deep Learning to device identification (classification), and future work might be needed to reduce their computational cost for further application in reality. Compared with those Deep Learningbased approaches, our model teases apart linear and nonlinear effects in the wireless signals rather than a blind use of machine learning. Therefore, our model is more explainable and efficient.
IiC Limitations of Existing Work
Data Dependency
Transientbased and preamblebased RF fingerprinting systems are typical datadependent systems, because each time these systems only use the same signal segment (i.e., the transient signal and/or the preamble signal) for identification. A significant weakness of datadependent RF fingerprinting systems is that they are vulnerable to signal replay attacks in which the attackers simply record the RF signals from an authenticated device and replay the same signal segment to the server to impersonate the authenticated devices.
Robustness
Most existing RF fingerprinting systems are not robust to spatial variations and/or channel effects. These systems mainly include locationbased systems, transientbased systems, and preamblebased systems. For locationbased systems, what these systems really identify is the device’s unique location, hence these systems are sensitive to any spatial variations. For transientbased and preamblebased systems, the transientbased and preamblebased features are always derived by spectral transformations, such as Fast Fourier Transform or Discrete Wavelet Transform. These kinds of features are proved to be sensitive to distance and orientation variations [7, 17].
Constrained Feature Space
Most existing RF fingerprinting systems completely rely on certain features and their performance is constrained by the associated lowdimensional feature space. For instance, the performance of the modulation errorbased system is mainly determined and thus constrained by the aforementioned two features, i.e., carrier frequency offset and I/Q original offset. In order to justify our statement, we randomly select 10 telosb sensors and plot those two features computed by the random signal packets collected from these 10 sensors in Fig. 2. Here we use 10 colors to represent those 10 sensors. Each point represents those two features computed by a random signal packet. As shown in Fig. 2, I/Q original offset is also a datadependent feature since it shows a significant difference between different random signal packets from one device. Therefore, in this case, the carrier frequency offset is the only determinant, and it is unable for the modulation errorbased system to distinguish between several sensors only by their carrier frequency offsets. Specifically, two pairs of sensors are indistinguishable in this fivefeature space (i.e., actually only a singlefeature space).
IiD Research Objectives
Our core objective is to design an RF fingerprinting system that can get rid of the above limitations. To this end, we aim to design a scheme/system that has the following characteristics: First, our system should be able to identify the IoT devices by the random RF signal packets collected from those devices, and hence it can be completely immune to signal replay attacks with the help of a challenge and response protocol. Second, our system should also be robust to spatial variations and multipath channels so that it can be applied in reality. Third, our system should not be constrained by a certain lowdimensional feature space, or in another word, our system should have the potential to identify the IoT devices that are indistinguishable in any lowdimensional feature space.
Iii ID Function Modeling for Fingerprinting
In ID, we propose to exploit a mathematical function that takes the transmitted data as input and outputs the RF signal , i.e., . As shown in Fig. 3, is the mathematical expression of the physicallayer process from modulation to power amplification. Hence, it can represent all the impacts of hardware imperfections, including modulation errors, timing errors, frequency offset and power perturbation, within the physicallayer process of a wireless device. Moreover, is apparently independent of the transmitted data and the external wireless channels. Therefore, using the expression/model of to identify a wireless device can realize all the aforementioned objectives. However, to our best knowledge, is not directly derivable, and there is also not a welldeveloped model to learn . Therefore, in section IIIA, we first propose an accurate and efficient model to learn and employ this function model as the device fingerprint in ID. In section IIIB, we further model the spatial variations and multipath and mobile channels to mitigate the impacts of those environmental factors.
Iiia Function Modeling of Hardware Imperfections
In our function model, instead of directly modeling , we choose to model a simpler intermediate function . The input of this intermediate function is transformed from the transmitted data into the ideal signal, which is defined as the baseband signal generated by the input data and an imaginary transmitter without hardware imperfection. The output is still the RF signal transmitted by the wireless device. Modeling is equivalent to modeling , since the transformation from the transmitted data to the ideal signal is already defined by the communication protocol., i.e., , where is known in advance. Moreover, it is more convenient to use our insights about the hardware imperfections if modeling .
Definition and Notation
We regard the ideal signal and output RF signal as and respectively. Hence, we have . This is the continuous form of the immediate function. We assume that the signals are sampled at , where is the sampling interval and is the sampling phase. Their samples are denoted by and . The relationship between and or s is defined as the discrete form of the immediate function.
’s discrete form
Our first insight is that is affected not only by , but also by the signal on both sides of , i.e., is the function of a segment of the ideal signal, and the sampling phase, . Here we regard as . Then, the discrete form of can be expressed as
(1) 
As a sample in RF signal, y[n] can be expressed as , thus we can further express the discrete form of as
(2) 
Here is the magnitude of and is the phase of . is the carrier frequency of the transmitter. Our second insight is that a carrier frequency offset exists due to the imperfections of the local oscillator. Hence, can be rewritten as
(3) 
where is the offset.
Decomposition of
In order to model different portions of the function accurately and efficiently, we decompose the amplitude and the phase into linear parts and nonlinear parts:
(4)  
where is the nonlinear part of the amplitude and is the nonlinear part of the phase. is added in the modulation stage.
in reality
In reality, it is hard to know the exact output RF signals of a device. Strictly speaking, what we can collect are only the RF signals received by an RF receiver. To address this problem, we can refine as a function whose input is the ideal signal and output is the received signal. Similar to Eq. 4, can be expressed as
(5)  
In this equation, the extra term is the channel coefficient. is the carrier frequency offset of the receiver. The nonlinear terms and are are the nonlinear parts of the received signal, determined by both the transmitter and the receiver.
Kernel regression
Based on Eq. 5, our problem is reduced from modeling a ”black box” to modeling two nonlinear terms, i.e., and . This is because all the other linear terms can be directly computed, which is clarified in section IVA. We propose to use Kernel Regression to learn those two nonlinear terms. In order to implement Kernel Regression, some representative digital samples in the signal segment are used to replace as the input vector. These samples are where is the digital sample sampled at in the ideal signal. According to Nyquist Theorem, once the sampling period is smaller than half of the symbol period, these digital samples are equivalent to . Hence, the input vector can expressed as
(6) 
and the target values are those two nonlinear terms. Section V shows that if our function model is applied, the modeling accuracy can be very high and the computational cost is also acceptable for a commodity server.
IiiB Function Modeling of Environmental Factors
Modeling Spatial Variations
Here we model two main spatial variations, i.e., communication distance and orientation variations. Varying communication distance changes the amplitude of the received signal, then will become
(7)  
where is not a constant but a function of communication distance . In this case, our function model is still workable for device identification, since the other linear terms and two normalized nonlinear terms will not be significantly affected by , and those terms can be used for device identification.
Another spatial variation considered here is the communication orientation variation. Communication orientation refers the polarization mismatching angle between the transmitter’s antenna and the receiver’s antenna. The impact of the polarization mismatch is equivalent to multiplying the received RF signal by a projection factor, . is the mismatching angle between the transmitter’s and the receiver’s antennas. The impact of orientation variation is similar to the impact of varying the communication distance, and hence it can be addressed in the same way.
Modeling Multipath Channel
Multipath channel is always caused by signal reflection and refraction. If multiple paths occur in the wireless communication process, then the received signal can be seen as the summation of RF signals coming from these paths. A conventional method to model the multipath channel is channel estimation, where the received signal is expressed as
(8) 
Here can be approximated by linear regression. After the channel taps are computed, we can deconvolve out of for device identification.
Iv ID System Design
ID is designed based on the function model derived in section IIIA. As shown in Fig. 4, our system consists of 3 modules. The first module (i.e., Preprocessing Module) is used to extract the linear terms and parameters from the received signal. The second module (i.e., Function Model Training Module) is used to train the function model. The last module (i.e., RF Signal Identification Module) utilizes the results from the first and second module to identify the received RF signal.
Iva Preprocessing Module
For the first module, the input is the received signal and the outputs include the digital samples of the ideal signal , sampling phase , channel coefficient or channel taps , and carrier frequency offset. This module consists of 3 submodules as shown in Fig. 5. Power filter is used to find the start and the end of each signal packet. This submodule compares the absolute value of every received sample with a power threshold to localize each signal packet.
The second submodule is used to synchronize the received packet to compute the carrier frequency offset. We propose an algorithm, where a modified phase locked loop is used to realize synchronization. We regard the deconvolved received samples as and compute the phase difference between two adjacent received digital samples by
(9) 
Based on the eq. 5, can also be expressed as
(10)  
where is the phase change between two adjacent ideal digital samples. Since
(11) 
the carrier frequency offset can be computed by
(12) 
where . The s in the preamble are known in advance and thus used to calculate the expectation, i.e., .
Finally, the ideal digital samples following the preamble are computed. We first compute the ideal phase difference between the following ideal samples, i.e., . Here can be determined by its approximation, i.e., : In the commonlyused communication protocols, there are possible values for if the is fixed. For instance, for the protocols using BPSK (e.g., ), there are possible values, i.e., and . For the protocols using QPSK, there possible values, i.e., , and . For the protocols using OQPSK (e.g., , there are possible values and they are opposite numbers, which depend on . Hence, given a protocol and , is determined as the possible value closest to . Besides, in the protocols using OQPSK, two consecutive samples might be sampled at both sides of a transition point (i.e., the intersection point of two adjacent symbol periods) and the distances between them and the transition point can be very similar. Therefore, the phase difference between those two consecutive samples is close to (i.e., the middle of the possible values), and then a correct decision can not be guaranteed. To tackle this problem, we could double the sampling frequency and make the decision by the phase difference between the digital samples at and using the same method. After obtaining , the following ideal samples can be easily computed by , where is the phase of the last digital sample in the preamble.
After these operations, we obtain all the linear parts in the received signal. Some of these linear parts serve as the input for the next two modules. Some unique dataindependent linear parameters (e.g., carrier frequency offset) are used for device identification. To check the correctness of this module, we demodulate the transmitted data using this module, and the bit error is less than .
IvB Function Model Training Module
Since all the linear parts can be directly computed by the first module, here only the nonlinear terms need to be learnt to establish the function model, i.e., Eq. 5. A widelyused functionlearning method, i.e., Kernel Regression (KR), is incorporated to learn those two nonlinear terms in this stage. To train the KR models, we use the outputs of the first module, i.e., the ideal digital samples and sampling phase , to construct training vectors (i.e., input vectors). The target values are those nonlinear terms. Linear Kernel, Polynomial Kernel, and Radial Basis Function (RBF) kernel are tested, and RBF Kernel model provides the best performance. Aside from training the KR models, this module also serves as a database to seal the function model, including the KR models and those linear parameters.
IvC RF Signal Identification Module
This module leverages the first two modules to identify the received RF signal. Specifically, the identification principles and procedures are incorporated in this module. In order to identify the received RF signal, this module matches the received RF signal with the signal computed/predicted by the function model. In practice, we only match the carrier frequency offset and those two nonlinear terms. This is because all the other linear parts are highly related to the transmitted data and/or the environment as illustrated in section III.
We define a metric named matching score () as
(13) 
to evaluate the similarity between the real nonlinear terms and the predicted (computed) nonlinear terms. If equals , then the is 1. If they are totally different, then the can be negative. can also interpreted as a metric to evaluate the accuracy of the predicted nonlinear terms.
The detailed procedures for device identification are shown in Fig. 6. A challenge and response protocol is applied here: Every time a device wants to be identified, it first sends a request containing its identity (e.g., Device A) to the identification server. Next, the server generates a random data sequence and send it to the device. Then the device needs to modulate the data and send the data back to the server by RF signals. After the server receives the RF signal, the first module of ID is used to extract linear parts and nonlinear terms and try to match the carrier frequency offset (i.e., ) with the reference. If is matched, then ID computes the nonlinear terms by the pretrained function model (e.g., model A) and the between the computed nonlinear terms and the extracted nonlinear terms. Finally, we compare the with a predefined threshold (e.g., 0.9) for identification. If the is higher than this predefined threshold, then the received signal is identified as coming from the genuine device (e.g., Device A). Otherwise, the received signal is considered as coming from an unauthenticated device. This predefined threshold can be adjusted based on the required accuracy, the communication environment, and the similarity between devices.
V Experiments and Analysis
We implemented ID on an Ubuntu16.04.2 PC with an Intel Core i52400 CPU @ 3.10GHz processor, and this PC is connected to an Ettus USRP transceiver to form an identification server. ID is tested on multiple types of devices, including highend devices like Software Defined Radio (SDR) transmitters (i.e., Ettus USRP and HACKRF) and lowend devices like micaz and telosb sensors, as shown in Fig. 7. Specifically, for the SDR transmitters, the modulation scheme is Quadrature PhaseShift Keying (QPSK), and the RF center frequency and symbol rate are configured as and respectively. For lowend Zigbee sensors, the communication protocol is , where the symbol rate is and the RF center frequency is configured as . Here the sampling rate of the receiver (i.e., Ettus USRP transceiver) connected to the PC is configured as . To verify the data independency of ID, transmitted data is generated by the softwarebased random number generators developed in the Gnuradio (for SDR) and the TinyOS (for Zigbee devices).
The results in section VA demonstrate that ID can model those two nonlinear terms with high accuracy and efficiency. And since all the other linear parts can be directly computed by the preprocessing module, we can say that our function model is a highprecision model.
In order to evaluate the identification performance of ID, metrics are applied, including Genuine Acceptance Rate (GAR), Genuine Rejection Rate (GRR), False Acceptance Rate (FAR), and False Rejection Rate (FRR). GAR/GRR refer to the rate at which ID succeed/fail to identify the genuine device using its function model. FAR/FRR refer to the rate at which ID accepts/rejects other devices using the genuine device’s function model. In the experiments, each time we choose one device as the genuine device and test the signal packets from it and other devices by this genuine device’ function model. Then we compute the GAR, GRR, FAR, and FRR for different devices. We define Balanced Identification Accuracy (BIA) as
(14) 
to evaluate the overall performance of ID. The experiment results show that BIA is in the lineofsight environments and over in the multipath environments. We also show that ID is able to identify the sensor nodes that the modulation errorbased system can not classify.
Va Function Model Evaluation
Function Modeling Accuracy
Since all the linear parts in the collected RF signals can be simply computed by the first module of ID, our task is reduced to verifying the accuracy of those KR models for and . Aside from verifying that our model is a highprecision model, we also want to study the impacts of those two parameters in the input vector (Eq. 6), i.e., and , on the modeling accuracy. We regard the matching score between the real and predicted power nonlinear term as , and the matching score between the real and predicted phase nonlinear term as . Figure (a)a and (b)b display the modeling accuracy by the statistics of the and of the testing signals. Here all the testing signals are collected from those devices and tested only by their own function models. Figure (a)a shows that the highest testing is nearly . Considering the existence of the ambient noise, it is hard to improve this result even with a much more complicated model. It is also shown that once and , it is enough for our model to capture most information in the power nonlinear term. Figure (b)b shows that the highest testing is above and once and , our model is able to capture most information in the phase nonlinear term. In the following experiments, we set and to train the KR models.
Function Modeling Efficiency
During the experiments, we found that the training time of a function model highly depends on the training data size, i.e., number of digital samples. Therefore, we tune the training data size and plot the corresponding testing accuracy and training time in Fig. 9. When the training data size is larger than , the modeling accuracy is enough for device identification. The averaged time for training a function model is less 10 minutes when the training data size is 40000. Compared with RNN that takes tens of hours or even more than a day to learn , our function model is undoubtedly more timeefficient.
VB Data Independency Verification
As stated above, all input data is generated by softwarebased random number generators, and the preamble part is dropped from the received RF signals. Therefore, all the RF signal packets for training, testing, and identification are random signal packets. To prove this, we compute the correlation between the collected signal packets. The average of the correlation coefficients is , and variance is approximately . For comparison, we also compute the correlation between the preamble signals, and the average of the correlation coefficients is . Besides, we also randomly select 10 signal packets and 10 preambles collected from one device and plot the FFT spectrums of these preamble signals and random signal packets in Fig. 10. We found the FFT spectrums of the preamble signals are very similar, but the FFT spectrums of these 10 random signal packets are distinct despite coming from the same device. These results indicate that the signal packets we utilize for identification are random signal packets. Therefore, the attackers can not replay those packets under the challenge and response protocol introduced in section IVC. In another word, even the adversaries can record the RF signals from authenticated devices with a highend RF transceiver, but they can not replay those signals for identification as long as the ”challenge” changes each time.
ID  Modulation errorbased System  

overall performance  two most similar devices  overall performance  two most similar devices  
GAR, GFR  0.97, 0.03  1.0, 0.0  0.94, 0.06  1.0, 0.0  0.91, 0.09  0.58, 0.42 
FAR, FFR  0.0, 1.0  0.0, 1.0  0.0, 1.0  0.0, 1.0  0.12, 0.88  0.44, 0.56 
BIA  0.99  1.0  0.97  1.0  0.90  0.57 
VC Identification Performance Evaluation
To show the performance of ID, we first try to identify the RF signals collected in the lineofsight environments, where the communication distance and orientation can vary. Here we use the method introduced in section IVC to identify the received RF signals. The thresholds for and are set as and respectively based on the function modeling results. Since all the experiments are conducted indoor with uncertain ambient noise (e.g., ambient wifi signals), for every signal packets from the genuine device, there might exist one bad packet. To address this problem, we make the identification decision by testing two adjacent packets, and if one of them results in s higher than those two thresholds, then the request is accepted.
For all the tested devices, regardless of the communication distance and orientation, the GAR and FRR can be both and the GRR and FAR can be both by testing two consecutive packets each time. Moreover, two pairs of sensors that are indistinguishable by the modulation errorbased system can be recognized by ID accurately. As shown in Fig. 12, two devices are indeed very similar, since the s are and the s are when testing the RF signals from one device by the other device’s function model. However, ID can still identify them accurately, as shown in table I.
VD Robustness Analysis
We mainly consider scenarios: spatial variation scenario and multipath scenario. In spatial variation scenario, as stated in section VC, we conduct experiments in lineofsight environments where the communication distance and orientation can vary. The experiment results indicate that ID is robust to these two significant spatial variations.
In the multipath scenario, we arbitrarily place or metal boxes between the transmitter and the receiver to create multipath channels. When testing ID on wireless sensor nodes working with the protocol, we found that ID can still work well even without channel estimation and deconvolution. The reason is that the symbol rate for is only , and hence in one symbol period, the RF signal can travel for . However, in reality, the distinctions between different paths are approximately tens of meters. So the RF signal coming from the lineofsight path is very similar to the signals from the other paths. Therefore, the combination of those signals is similar to multiplying the RF signal from the lineofsight path by a factor. And since the nonlinear terms are extracted from normalized RF signals, this factor does not affect the identification results. However, if we want to identify wifi signals whose symbol rate is 20M/s in multipath environments, channel estimation and deconvolution is an indispensable step, which should be added into the first module of ID. Besides, considering that the multipath fading might attenuate the RF signal strength severely, before identifying the received RF signal, we need to confirm that the SNR should be at least and make the decision based on two adjacent packets as mentioned before. Since the channel situation is more complicated, the and can not be that high as in the lineofsight environments. Therefore, we need to adjust the predefined thresholds. Specifically, for , the threshold is reduced to , and for , the threshold is reduced to for some devices and remains for the others based on the previous modeling results. After all these modifications, the GAR and FRR remain for most of the tested devices except Device No.3, No. 8, No. 16, No. 20, and No. 23. For these devices, the can vary a lot even in one symbol period, and hence the combination of the signals from different paths can not be simplified as the product of the RF signal from the lineofsight path and a factor. Therefore, using the aforementioned simplification assumption will degrade and thus the GARs for those devices in this case. To alleviate this problem, we implement two workarounds for those devices: 1. Implement channel estimation and deconvolution and identify the deconvoluted . 2. Identify the RF signal only by carrier frequency offset and . Fig. 12 shows that the GARs for those devices are improved to over so that the overall in multipath environments is over .
Vi Conclusion and Future Work
RF fingerprinting is a costefficient identification method for lowend IoT devices. In this paper, we propose a function model, which is a highprecision approximation of the mathematical expression of the physicallayer process from modulation to power amplification, as RF fingerprint for device identification. A dataindependent and channelrobust RF fingerprinting system is further designed based on our function model, namely ID. ID is evaluted in various scenarios, and it achieves over accuracy overall.
ID is a successful trial to break the convention of designing a featurebased RF fingerprinting system. Our basic idea is straightforward since similar approaches have been used for identifying power amplifiers [20]. However, we are the first to demonstrate that such kind of methods can work on real devices, and our function model is also a novel accurate and efficient model. These are our two main technical contributions in this paper. However, there are several open issues related to ID that require further study. For instance, ID will bring a new challenge for the security research in this area, because ID can reproduce almost the same RF signals as the authenticated devices produce. Specifically, by using ID, the attackers can simply compute the transmitted signal by the references of the linear parts and the nonlinear terms by the pretrained KR models. If the attackers use a highend RF transceiver, the reproduced signals will be very similar to the genuine signals. Therefore, our function modeling method can be applied to attack most existing RF fingerprinting systems, and it is challenging to defend this attack.
Acknowledgement: This research is mainly supported by National Science Foundation under Grant No. 1421903.
References
 [1] Victor Costan and Srinivas Devadas. Intel sgx explained. IACR Cryptology ePrint Archive, 2016:86, 2016.
 [2] Boris Danev, Davide Zanetti, and Srdjan Capkun. On physicallayer identification of wireless devices. ACM Computing Surveys (CSUR), 45(1):6, 2012.
 [3] Vladimir Brik, Suman Banerjee, Marco Gruteser, and Sangho Oh. Wireless device identification with radiometric signatures. In Proceedings of the 14th ACM international conference on Mobile computing and networking, pages 116â127. ACM, 2008.
 [4] Wondimu K Zegeye, Seifemichael B Amsalu, Yacob Astatke, and Farzad Moazzami. Wifi rss fingerprinting indoor localization for mobile devices. In Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), IEEE Annual, pages 1â6. IEEE, 2016.
 [5] Jitendra K Tugnait and Hyosung Kim. A channelbased hypothesis testing approach to enhance user authentication in wireless networks. In Communication Systems and Networks (COMSNETS), 2010 Second International Conference on, pages 1â9. IEEE, 2010
 [6] Liang Xiao, Larry Greenstein, Narayan Mandayam, and Wade Trappe. Fingerprints in the ether: Using the physical layer for wireless authentication. In Communications, 2007. ICCâ07. IEEE International Conference on, pages 4646â4651. IEEE, 2007.
 [7] Boris Danev and Srdjan Capkun. Transientbased identification of wireless sensor nodes. In Proceedings of the 2009 International Conference on Information Processing in Sensor Networks, pages 25â36. IEEE Computer Society, 2009.
 [8] M Barbeau, J Hall, and E Kranakis. Detection of rogue devices in bluetooth networks using radio frequency fingerprinting. In proceedings of the 3rd IASTED International Conference on Communications and Computer Networks, CCN, pages 4â6, 2006.
 [9] J Toonstra and W Kinsner. A radio transmitter fingerprinting system odo1. In Electrical and Computer Engineering, 1996. Canadian Conference on, volume 1, pages 60â63. IEEE, 1996.
 [10] OH Tekbas, Nur Serinken, and O Ureten. An experimental performance evaluation of a novel radiotransmitter identification system under diverse environmental conditions. Canadian Journal of Electrical and Computer Engineering, 29(3):203â209, 2004.
 [11] D Shaw and W Kinsner. Multifractal modelling of radio transmitter transients for classification. In WESCANEX 97: Communications, Power and Computing. Conference Proceedings., IEEE, pages 306â312. IEEE, 1997.
 [12] Irwin O Kennedy, Patricia Scanlon, Francis J Mullany, Milind M Buddhikot, Keith E Nolan, and Thomas W Rondeau. Radio transmitter fingerprinting: A steady state frequency domain approach. In Vehicular Technology Conference, 2008. VTC 2008Fall. IEEE 68th, pages 1â5. IEEE, 2008.
 [13] WenhaoWang, Zhi Sun, Sixu Piao, Bocheng Zhu, and Kui Ren. Wireless physicallayer identification: Modeling and validation. IEEE Transactions on Information Forensics and Security, 11(9):2091â2106, 2016.
 [14] Patricia Scanlon, Irwin O Kennedy, and Yongheng Liu. Feature extraction approaches to rf fingerprinting for device identification in femtocells. Bell Labs Technical Journal, 15(3):141â151, 2010.
 [15] Chen, Songlin, Feiyi Xie, Yi Chen, Huanhuan Song, and Hong Wen. ”Identification of wireless transceiver devices using radio frequency (RF) fingerprinting based on STFT analysis to enhance authentication security.” In Electromagnetic Compatibility (EMCBeijing), 2017 IEEE 5th International Symposium on, pp. 15. IEEE, 2017.
 [16] Zhou Zhuang, Xiaoyu Ji, Taimin Zhang, Juchuan Zhang, Wenyuan Xu, Zhenhua Li, and Yunhao Liu. 2018. FBSleuth: Fake Base Station Forensics via Radio Frequency Fingerprinting. In Proceedings of the 2018 on Asia Conference on Computer and Communications Security (ASIACCS ’18), pp. 261272. ACM, 2018. .
 [17] Boris Danev, Heinrich Luecken, Srdjan Capkun, and Karim El Defrawy. Attacks on physicallayer identification. In Proceedings of the third ACM conference on Wireless network security, pages 89â98, ACM. 2010.
 [18] Anding Zhu and Thomas J Brazil. Behavioral modeling of rf power amplifiers based on pruned volterra series. IEEE Microwave and Wireless components letters, 14(12):563â565, 2004.
 [19] OâBrien, Bill, John Dooley, and Thomas J. Brazil. ”RF power amplifier behavioral modeling using a globally recurrent neural network.” In IEEE MTTS International Microwave Symposium Digest, pp. 10891092. 2006.
 [20] Adam C Polak, Sepideh Dolatshahi, and Dennis L Goeckel. Identifying wireless users via transmitter imperfections. IEEE Journal on Selected Areas in Communications, 29(7):1469â1479, 2011.
 [21] Merchant, Kevin, Shauna Revay, George Stantchev, and Bryan Nousain. ”Deep learning for RF device fingerprinting in cognitive communication networks.” IEEE Journal of Selected Topics in Signal Processing 12, no. 1: 160167, 2018
 [22] Das, Rajshekhar, et al. ”A Deep Learning Approach to IoT Authentication.” 2018 IEEE International Conference on Communications (ICC). IEEE, 2018.