
Page 1: Service Discovery and Device Identification in Cognitive ...wyxu/papers/SDDI-sdr2007.pdf · Cognitive Radio Bluetooth WiFi Bluetooth WiFi Fig. 1. A future cognitive radio network


Service Discovery and Device Identification in Cognitive Radio Networks

Rob Miller, Wenyuan Xu, Pandurang Kamat, Wade Trappe

Wireless Information Network Laboratory (WINLAB), Rutgers University.

Email: { wenyuan, pkamat, trappe }@winlab.rutgers.edu

Abstract— Cognitive Radios (CR) will be able to communicate adaptively in an effort to optimize spectral efficiency. An integral step towards this goal involves obtaining a representative view of the various services operating in a local area. Although it is possible to load different software modules to identify each potential service, such an approach is needlessly inefficient. Instead, rather than use a collection of complete protocols on a CR, we believe that it is essential to have a separate identification module that is capable of reliably identifying services and devices while minimizing the code needed. In particular, by effectively leveraging protocol-specific properties, we show that it is possible to utilize data from narrowband spectral sampling in order to identify broader band services and individual devices. We demonstrate the feasibility of such service and device identification using GNU Radio and the Universal Software Radio Peripheral (USRP) platform by identifying radio services in the industrial, scientific, and medical (ISM) radio band. Further, we show that physical layer signatures may be used to reliably identify devices, thereby allowing CRs to exploit physical layer information in support of basic authentication functionality.

Index Terms— Cognitive Radio, GNU Radio, USRP, Spectral Sensing.

I. INTRODUCTION

Traditional communication systems and devices are heavily constrained. Many functions associated with the physical (PHY) layer (e.g. modulation) are hard-coded in hardware, and numerous operations in the media access control (MAC) layer are protected in firmware. Furthermore, it is infeasible to alter the protocol bound to these devices once they are manufactured. For example, a typical WiFi (IEEE 802.11) PCMCIA card cannot be reprogrammed to communicate with a device that employs the Bluetooth (IEEE 802.15.1) protocol. This is true even though they use the same “open spectrum” (i.e. 2.4 GHz). As wireless devices become more and more pervasive, problems of device-coexistence are inevitable. Not only will devices with different static-protocols be incapable of communicating with each other, but they also pose the risk of interference [1]. It is therefore desirable to have a generic platform that can bridge the communication gap between devices that are otherwise incompatible. Such communication can aid in interference avoidance and therefore result in more efficient spectral collaboration. Cognitive radios (CR) achieve this level of cross-protocol communication since they expose the lower-layers of the protocol stack to researchers and developers.

Because cognitive radios support dynamic physical layer adaptation, future wireless networks will consist of various wireless devices communicating with each other using one or more protocols. Figure 1 shows a future wireless network where WiFi and Bluetooth devices are operating amongst cognitive radios. In this scenario, WiFi device W can communicate with CR C and CR D via 802.11. Bluetooth device T can receive packets from CR E and CR F using 802.15, while CR D and CR E can communicate via 802.11, 802.15 or any other protocol they desire. The success of communication between these devices depends on many factors, such as the availability of the spectrum and the interference conditions in the region. A CR may influence these factors with knowledge of the protocols and services that the existing wireless devices can support. In addition, it would be advantageous for a CR to know how many networks exist, how many users are associated with each network, and even certain properties about the devices themselves. To achieve this level of information, it is essential for a cognitive radio to gather an accurate picture of the RF environment.

In this paper we investigate the problem of service discovery, where CRs identify different network services (e.g. Bluetooth, WiFi), and device identification, where CRs identify distinct wireless devices and networks. Service discovery and device identification provide the necessary building blocks for constructing efficient and trustworthy CR networks. These processes can be performed in the PHY layer or the MAC layer by a CR.

The rest of the paper is organized as follows. Section II motivates the problem and describes the system model. Section III focuses on service discovery, while Section IV illustrates device identification using a current Software Defined Radio (SDR) platform. Finally, Section V summarizes our results.


[Figure: network diagram with nodes labelled Cognitive Radio, Bluetooth and WiFi]

Fig. 1. A future cognitive radio network will be composed of a broad array of simple-protocol devices, as well as cognitive radios capable of adjusting their protocol stack.

II. MOTIVATION

Cognitive radios will play an integral role in the success of future wireless networks. By taking advantage of information gathered during spectral sensing, cognitive radios will foster communication between protocol-disparate devices. CRs will also have the power to intelligently guide decisions within existing networks, and may also conduct spectrally-efficient operations with other CRs. Clearly, an essential technological requirement of a CR is accurate service discovery and device identification. However, a natural question that arises is whether cognitive radios are needed to achieve this goal, and whether a powerful PC with the appropriate dongles provides equivalent functionality.

A. Why Cognitive Radio?

While much functionality can be obtained by employing multiple radio dongles (e.g. WiFi by way of PCMCIA card, Bluetooth via a USB dongle), many shortcomings and limitations exist:

• The number of dongles/peripherals a PC can support limits the number of supportable protocols.
• Dongles may interfere with each other.
• Dongles connected to the same PC redo much of the same processing (e.g. energy detection, filtering).
• More dongles use more system power.
• Dongles do not give full access to the PHY layer!

While much can be gained by analyzing MAC layer information, it may be more advantageous to consider raw PHY layer information [2]. In particular, a simple consequence of the data processing inequality is the implication that there is more information contained in a PHY layer waveform than in the MAC-layer information that arises as a consequence of this waveform. Concrete examples of PHY layer information that are useful for basing CR decisions upon, and are not readily available at higher layers using the radio dongles, include characteristics such as amplitude variations, frequency drifts, and phase offsets. Considering the limitations and constraints of a multi-dongle solution, it is clear that CRs are a much better choice. Cognitive radios:

• Provide access to both the PHY and the MAC layer.
• Give more control over intra-device and inter-device interference.
• Allow for re-use of processed data for different protocols.
• Don’t need to employ a full implementation of a protocol. Instead, as we shall show later, CRs can extract the desired information by leveraging only small portions of the protocols and/or using only narrowband data!

The capabilities of CR networks are closely tied to the technology of the underlying SDR platforms. Currently, there are several platforms that possess the processing power and flexibility needed to support spectrum sensing, flexible waveform generation, spectrum negotiation, and other functions envisioned for true cognitive functionality. Notable amongst these platforms are the Rice WARP platform [3], the high-performance cognitive radio platform being developed by WINLAB, Georgia Tech, and Lucent [4], and the small form factor SDR platform from Texas Instruments [5].

B. Security Concerns

Physical/network layer adaptability, coupled with the open-source nature of supporting software, makes a cognitive radio a powerful but dangerous device. It is easily conceivable that inexpensive and widely available CRs could become an ideal platform for abuse. It is therefore essential that next generation wireless platforms have methods to ensure that the radio device and the implementations of their lower layer protocols are trustworthy, and that all CRs are held accountable for not following locally acceptable spectrum etiquette. Towards this goal, we have proposed TRIESTE (A Trusted Radio Infrastructure for Enforcing SpecTrum Etiquettes) in [6], which employs two levels of etiquette enforcement mechanisms. One is an on-board enforcement mechanism, while the other is an external infrastructure consisting of police agents that monitor the radio environment and punish CRs if violations are detected.

At the heart of TRIESTE, and any other viable security mechanism for CR networks, is the ability to identify both the services and the individual devices that are operating in a region. The ability to identify services will not only allow individual devices to discover potential networks to join, but will also allow users or external monitoring devices to detect the operation of prohibited networks (e.g. a Bluetooth network operating in a region that is deemed WiFi-only). Further, being able to identify individual devices in a manner that is not reliant upon higher-layer authenticators (e.g. certificates) is essential to rapid anomaly detection and response mechanisms.


Fig. 2. The experiment setup.

C. System Details

The SDR platform used within the context of this paper consists of GNU Radio, the USRP board, and the RFX-2400 daughterboard (shown in Figure 2). GNU Radio is an open source, free software toolkit that provides a library of signal processing blocks for developing communications systems and experiments. The USRP is the core hardware unit; it supports the simultaneous transmission and reception of four real or two complex channels in real-time. For reception it utilizes four 12-bit analog-to-digital converters (ADCs) operating at 64 MHz, and four digital-downconverters (DDCs) with programmable decimation rates. The transmit side of the USRP incorporates four 14-bit digital-to-analog converters (DACs) that operate at 128 MHz, and two digital-upconverters (DUCs) with programmable interpolation rates. Data is transferred between the host computer and the USRP via a USB 2.0 interface. Given a sustainable data rate of 32 MBps and complex 16-bit samples, the effective total spectral bandwidth is limited to 8 MHz. However, due to limitations of our host computer’s USB 2.0 controller, we were limited to a practical spectral bandwidth of 4 MHz using 16-bit complex samples. The USRP itself is not directly capable of RF transmit/receive. As such, daughterboards interface with it to provide signal input/output. In our experiments, we used the RFX-2400 transceiver, which operates in the 2300-2900 MHz band.

III. SERVICE DISCOVERY

Spectral awareness plays an essential role in Cognitive Radio operation. In order for a CR to make intelligent operational decisions it should be knowledgeable of available services. For example, if a CR desires to access the Internet via WiFi networks, it may decide to join one existing WiFi network, or perhaps set up its own WiFi network. Here it is advantageous for the CR to monitor various portions of the ISM band in order to estimate the best channel to use. The mere presence of other WiFi networks in addition to existing Bluetooth piconets would be important information to be used to select an optimal channel.

[Figure: spectrogram, Frequency (MHz) from 2465 to 2468.5 versus Time (s) from 0 to 0.45]

Fig. 3. Spectrogram of the ISM band centered at 2467 MHz and spanning 4 MHz.

[Figure: spectrogram, Frequency (MHz) from 2465 to 2468.5 versus Time (s) from 0.09 to 0.135, with Bluetooth and WiFi bursts marked]

Fig. 4. A closer look into the spectrogram of Figure 3. Note the Bluetooth bursts hopping through the band amidst the WiFi beacon.

Using GNU Radio, the USRP board, and the RFX-2400 daughterboard [7], [8], we illustrate that it is possible to detect services and devices with relatively narrow-band spectral surveillance (i.e. 4 MHz), in spite of the fact that the underlying protocols themselves may employ a broader spectral range (e.g. 20 MHz in the case of WiFi). We note that, although we illustrate our techniques for Bluetooth and WiFi, our strategies may be applied to identify other wireless technologies.

Figure 3 shows the spectrogram of a snapshot from our platform that was centered at 2467 MHz. Note that the data spans half of a second and lies within the spectral range of WiFi devices. Upon examination, one immediately notices various broadband, periodic bursts. These are in fact WiFi beacons being broadcast by an 802.11g Access Point (AP) in range of our receiver. WiFi (802.11g) beacon signals are 20 MHz in bandwidth and default to a pulse-repetition interval (PRI) of 102.4 ms on most APs.

Observe that there are other bursts hopping through the spectrogram. A zoomed-in view of the data collection from 0.09 to 0.14 seconds (Figure 4) reveals that the bursts span 1 MHz and vary in burst length. These sporadic narrow-band bursts are in fact Bluetooth bursts.


The Bluetooth protocol mandates that transmissions frequency hop over 79 MHz of the ISM band while maintaining an instantaneous frequency of 1 MHz using Gaussian Frequency Shift Keying (GFSK) [9]. Bluetooth also exhibits a time-division multiplexed (TDM) nature where timeslots exist to guide network transmissions. A timeslot is 625 µs in length, and devices are allowed to transmit continuously for 1, 3, or 5 timeslots.

Detecting the presence of services is plausible by monitoring narrow-band activity and leveraging protocol-specific features. As listed in Algorithm 1, CRs first collect data and identify bursts. Then, properties of individual bursts are extracted. Finally, CRs decide that a service is present if the burst patterns and properties match the intrinsic time and frequency properties of the corresponding protocol. For example, the presence of various 1 MHz GFSK bursts that do not exceed 5 Bluetooth timeslots in length indicates the presence of a Bluetooth piconet. Likewise, periodic, broadband bursts suggest the presence of a WiFi network.

Although using a small amount of spectrum to identify broader band services is inherently desirable due to the associated reduction in sampling and computation, a natural question that arises is whether there is any need for a bandwidth-limited CR device to know about services it cannot utilize. For example, with our experimental setup, we cannot join an 802.11g network due to the bandwidth limitation of the USRP and the USB 2.0 interface. The most obvious answer is that knowledge of services operating in the region plays an important role in choosing an optimal communication scheme. To illustrate, consider the co-existence issues inherent to WiFi and Bluetooth [1]; knowledge of only 802.11g services operating in a region may suggest that a CR should not choose to implement a FHSS scheme.

While knowledge of the presence of certain services can guide CR operations by giving a hint of spectral activity, it would be more advantageous for a CR to know more detailed information about the services present in the RF environment. For example, it would be very useful to know how many WiFi networks and Bluetooth piconets exist. It would be even more desirable to know how many distinct WiFi or Bluetooth devices are operating in the region. We now discuss how this information can be extracted from our narrowband data by leveraging protocol-specific properties.

IV. DEVICE IDENTIFICATION

In this section, we investigate the problem of device identification in both Bluetooth and WiFi networks. For Bluetooth, we perform device identification on two levels. First, we detect distinct Bluetooth piconets; second, we identify individual Bluetooth devices. In a similar manner, we identify distinct WiFi Access Points and then illustrate how our methodology can be extended to identify individual WiFi devices.

while (1) do
    /*** Data Collection ***/
    Collect new samples;
    /*** Time/Frequency Analysis - detect individual bursts ***/
    num_burst = 0;
    for (each burst in time) do
        for (each distinct frequency) do
            /*** extract physical properties ***/
            leading_edge[num_burst] = start_time;
            trailing_edge[num_burst] = end_time;
            . . .
            bandwidth[num_burst] = burst_bw;
            num_burst++;
        end
    end
    /*** Service Discovery Phase ***/
    for (each detected burst) do
        if ((burst_width ≤ 5 timeslots) && (bandwidth ∼ 1 MHz)) then
            Bluetooth service found;
        end
        if ((bandwidth ∼ min(sample rate, 20 MHz)) && (periodic)) then
            WiFi AP;
        end
        /*** Checks for other available services ***/
        . . .
    end
end

Algorithm 1: Service discovery in the ISM band
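The service discovery phase of Algorithm 1 applied to already-detected bursts, as an added Python example that is not code from the paper: the Burst record, the tolerances in the two rules, the periodicity test on broadband bursts, the default-PRI AP count and the constructed sample bursts are all assumptions of this example.

```python
from dataclasses import dataclass
from statistics import median

# Protocol constants behind the two rules in Algorithm 1.
TIMESLOT_US = 625.0              # Bluetooth timeslot length
BT_MAX_SLOTS = 5                 # Bluetooth devices transmit for 1, 3 or 5 timeslots
BT_BW_HZ = 1e6                   # Bluetooth instantaneous bandwidth (GFSK)
WIFI_BW_HZ = 20e6                # 802.11g channel width
WIFI_DEFAULT_PRI_US = 102_400.0  # default beacon interval, 102.4 ms
SAMPLE_RATE_HZ = 4e6             # the practical USRP/USB 2.0 bandwidth used in the paper


@dataclass(frozen=True)
class Burst:
    """Physical properties extracted per burst: leading edge, trailing edge, bandwidth (assumed record)."""
    start_us: float
    end_us: float
    bandwidth_hz: float


def is_bluetooth_burst(b, bw_tol=0.2):
    """Rule 1: burst width <= 5 timeslots and bandwidth ~ 1 MHz (within bw_tol)."""
    slots = (b.end_us - b.start_us) / TIMESLOT_US
    return slots <= BT_MAX_SLOTS and abs(b.bandwidth_hz - BT_BW_HZ) <= bw_tol * BT_BW_HZ


def is_broadband_burst(b, sample_rate_hz=SAMPLE_RATE_HZ, bw_tol=0.1):
    """Rule 2, bandwidth part: the burst fills min(sample rate, 20 MHz), i.e. the whole observed band."""
    target = min(sample_rate_hz, WIFI_BW_HZ)
    return b.bandwidth_hz >= (1.0 - bw_tol) * target


def estimate_pri_us(starts_us, rel_tol=0.05, min_bursts=3):
    """Rule 2, periodicity part: the PRI when the leading edges are evenly spaced
    (median gap, every gap within rel_tol of it), otherwise None."""
    starts = sorted(starts_us)
    if len(starts) < min_bursts:
        return None
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    pri = median(gaps)
    return pri if all(abs(g - pri) <= rel_tol * pri for g in gaps) else None


def discover_services(bursts, sample_rate_hz=SAMPLE_RATE_HZ):
    """Service discovery phase of Algorithm 1: found services mapped to their PRI in ms (None for Bluetooth)."""
    services = {}
    if any(is_bluetooth_burst(b) for b in bursts):
        services["Bluetooth"] = None
    beacon_starts = [b.start_us for b in bursts if is_broadband_burst(b, sample_rate_hz)]
    pri = estimate_pri_us(beacon_starts)
    if pri is not None:
        services["WiFi AP"] = pri / 1000.0
    return services


def count_aps_assuming_default_pri(beacon_starts_us):
    """Beacons inside one 102.4 ms window = number of APs if every AP keeps the default PRI.
    A single AP beaconing every 51.2 ms is counted as two; timing alone cannot resolve that."""
    if not beacon_starts_us:
        return 0
    first = min(beacon_starts_us)
    return sum(1 for s in beacon_starts_us if first <= s < first + WIFI_DEFAULT_PRI_US)


def constructed_bursts():
    """Constructed sample input standing in for the burst detector's output."""
    bursts = []
    for k in range(5):  # 802.11g beacons every 102.4 ms, a few µs of jitter, filling the 4 MHz window
        t = k * WIFI_DEFAULT_PRI_US + (3.0 if k % 2 else 0.0)
        bursts.append(Burst(t, t + 1000.0, 4e6))
    for t, slots in ((93_780.0, 1), (131_280.0, 3), (250_000.0, 5)):  # 1-, 3- and 5-slot Bluetooth bursts
        bursts.append(Burst(t, t + slots * TIMESLOT_US - 259.0, 1e6))
    bursts.append(Burst(300_000.0, 310_000.0, 1e6))  # 1 MHz wide but 16 slots long: neither service
    return bursts


if __name__ == "__main__":
    print(discover_services(constructed_bursts()))
```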

A. Bluetooth Piconets

Every piconet has 1 device that acts as the Master, and up to 7 active devices operating as Slaves. A piconet is always synchronized to its Master’s clock, and timeslots are defined based on this reference. The Master is only allowed to begin transmitting its bursts at the beginning of even timeslots, while the Slaves may only begin their transmissions at the beginning of odd timeslots [9].

Time-binning approach: By analyzing the detected leading edge times, we can determine a lower bound on the number of piconets. Since piconets operate independently, we can view a particular piconet’s timeslot structure as a uniformly distributed random variable between 0 and 625 µs (U(0, 625) µs), where the random variable represents the relative starting point of a new timeslot. By dissecting an arbitrary timeslot into sub-intervals, we can collapse all of the starting times into bins. Starting times that fall into the same bins are then likely to belong to the same piconet. Since the specification allows for 20 µs of time uncertainty (±10 µs of jitter), it is wise to choose a time bin resolution δ slightly bigger than the maximum allowed uncertainty window (i.e. 20 µs).

In our case, we chose δ = 25 µs, resulting in 25 time bins. Analysis of our data revealed all Bluetooth bursts falling into the same bin, validating that they all came from the same piconet. As an example, consider the leading edge times of the bursts transmitted at 2466 MHz shown in Figure 4. The first burst is at t1 = 0.09378 seconds while the second burst is detected at t2 = 0.13127975 seconds. Thus, the second burst is 250 ns shy of 60 timeslots away from the first burst ((t2 − t1)/ts ≈ 60; (t2 − t1) mod ts = −250 ns). Since 250 ns is much smaller than the time uncertainty window of 20 µs, we conclude that these bursts belong to the same piconet.

Fig. 5. Bluetooth Packet Structure. The Header information bits are repetition encoded (by 3) for transmission.

It is possible that the time-binning approach will falsely declare two independent piconets as the same piconet when two piconets have overlapping uncertainty windows. One way to detect this would be to look for a scenario where two bursts are transmitted at the same time but on different frequencies. This would be a clear indicator of separate piconets. An alternative approach would be to examine the actual bits transmitted.
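The time-binning check worked through in Python on the paper's t1 and t2, as an added example that is not the paper's code. The constants come from the text above; the second, constructed piconet in demo() and the merging of circularly adjacent bins in piconet_lower_bound (so that jitter straddling a bin edge cannot split one piconet into two) are refinements of this example, not the paper's rule.

```python
# Bluetooth timing constants from the protocol description above.
TIMESLOT_NS = 625_000             # one timeslot is 625 µs
JITTER_WINDOW_NS = 20_000         # the specification allows 20 µs of uncertainty (±10 µs)
BIN_NS = 25_000                   # δ = 25 µs, slightly wider than the jitter window
NUM_BINS = TIMESLOT_NS // BIN_NS  # 25 bins per timeslot

# Leading edges of the two bursts at 2466 MHz in the paper's Figure 4, in nanoseconds.
T1_NS = 93_780_000    # 0.09378 s
T2_NS = 131_279_750   # 0.13127975 s


def slot_offset(t1_ns, t2_ns):
    """Whole timeslots between two leading edges and the residual (t2 - t1) mod ts,
    taken to the nearest slot so the residual lies in [-ts/2, ts/2]."""
    diff = t2_ns - t1_ns
    slots = round(diff / TIMESLOT_NS)
    return slots, diff - slots * TIMESLOT_NS


def same_piconet_by_timing(t1_ns, t2_ns):
    """Two bursts share a timeslot grid if the residual sits inside the 20 µs uncertainty window."""
    _, residual = slot_offset(t1_ns, t2_ns)
    return abs(residual) <= JITTER_WINDOW_NS


def time_bin(t_ns):
    """Collapse a leading edge into one of the 25 bins of an arbitrary timeslot."""
    return (t_ns % TIMESLOT_NS) // BIN_NS


def occupied_bins(leading_edges_ns):
    """The paper's rule: bursts landing in the same bin are attributed to the same piconet."""
    return sorted({time_bin(t) for t in leading_edges_ns})


def piconet_lower_bound(leading_edges_ns):
    """Count clusters of occupied bins, merging circularly adjacent bins (refinement, see lead-in):
    a piconet whose ±10 µs jitter straddles a bin edge then counts once instead of twice."""
    bins = occupied_bins(leading_edges_ns)
    if not bins:
        return 0
    clusters = 1 + sum(1 for a, b in zip(bins, bins[1:]) if b - a > 1)
    if clusters > 1 and bins[0] == 0 and bins[-1] == NUM_BINS - 1:
        clusters -= 1  # bin 24 wraps around to bin 0
    return clusters


def demo():
    """Constructed scenario: the paper's two bursts plus a second piconet offset by 300 µs."""
    other_piconet = [T1_NS + 300_000, T1_NS + 300_000 + 7 * TIMESLOT_NS + 4_000]
    edges = [T1_NS, T2_NS] + other_piconet
    return {
        "paper_pair": slot_offset(T1_NS, T2_NS),            # (60, -250)
        "same_piconet": same_piconet_by_timing(T1_NS, T2_NS),
        "bins": occupied_bins(edges),
        "lower_bound": piconet_lower_bound(edges),
    }


if __name__ == "__main__":
    print(demo())
```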

Bit comparison approach: We emphasize that such an approach does not require a full implementation of the Bluetooth protocol, but merely requires some knowledge of basic modulation schemes.

The general Bluetooth packet structure, as depicted in Figure 5, is comprised of an access code, a header, and a data payload. All packets must have an access code, while the presence of the header and the data payload depends on the type of message conveyed. For actions such as paging and inquiry scans, the packet only contains a 68-bit access code. During normal operation within a basic piconet, all packets begin with a 72-bit access code known as the Channel Access Code (CAC). This is followed by a header and, when pertinent, payload data. The CAC is derived from the Master’s unique device address and is therefore particular to a given piconet. By demodulating the bursts and comparing CACs, we can better estimate the number of distinct piconets, even when the piconets are synchronized to within the same time uncertainty window.

We now illustrate the CAC comparison procedure with the two Bluetooth bursts that we analyzed earlier. In order to obtain the access codes, we must properly demodulate the bursts. The second and third subplots in Figure 6 depict the demodulation, where the instantaneous frequency is plotted versus the sample number for each respective burst. The first subplot is the normalized burst power. Since high energy indicates the presence of a packet, the relative burst power plot is shown to illustrate the actual start and end point of the packets. During the packet transmissions, the reader can clearly see the fluctuation between two distinct frequencies as specified in the protocol (i.e. GFSK).

[Figure: four subplots against Sample Number 0 to 2000: Normalized Burst Power (Magnitude 0 to 1), Inst Freq (KHz) − Burst 1 (−200 to 200), Inst Freq (KHz) − Burst 2 (−200 to 200), Bitwise Exclusive−or (Magnitude 0 to 1)]

Fig. 6. Analysis on Bluetooth bursts.

The bit-wise comparison of our two demodulated Bluetooth bursts is shown in the fourth subplot in Figure 6. An exclusive-or was performed using the two bit sequences. A value of 1 indicates bit disagreement, whereas a value of 0 signifies commonality. The bit disagreement in the plot illustrates the location of the packet header and payload. The leading 0s indicate that the 72-bit CACs from the two Bluetooth bursts are identical. Therefore, these packets belong to the same piconet.

B. Bluetooth Devices

The upper bound on the number of distinct active Bluetooth devices in the region is 8 × (number of active piconets), since only 7 active Slaves are allowed per piconet. A better estimation can be achieved by further leveraging some protocol-specific information.

As there can be multiple Slaves communicating with the Master, each packet needs to contain the identity of the Slave involved in the communication. This information is found in the Logical Transport Address (LT_ADDR) in the packet header. The LT_ADDR is a 3-bit information field derived from the first 9 transmitted bits of the packet header. (The packet header uses a simple 3-bit repetition procedure for its Forward Error Correction (FEC)). The Master denotes the destination of a transmitted packet by specifying the intended Slave in the LT_ADDR. In a similar manner, Slaves include their own LT_ADDR when transmitting packets to the Master. The LT_ADDR of 0 (000) is reserved for broadcast packets, while 1−7 (001-111) correspond to particular Slaves. By monitoring the LT_ADDRs of the basic piconet packets, we can identify distinct users of a particular piconet, and therefore obtain a better estimate of usage within the entire channel. The two Bluetooth bursts that we examined above had LT_ADDRs of ’000’, indicating that they were broadcast packets. Other bursts revealed an LT_ADDR of ’001’ for the same CAC, indicating that the specific piconet that we detected had 2 active users (i.e. the Master and 1 Slave).

Fig. 7. Tracking Bluetooth devices using CAC and LT_ADDR.

We have shown that leveraging PHY layer information clearly results in a reliable estimate of Bluetooth services and unique devices. However, a CR should also account for the stationarity or transience of the networks being observed. As such, it makes sense for a CR to maintain a table of information that is updated with the most current information. In this manner it can phase out old data due to periods of inactivity. This is especially important in Bluetooth, since the protocol allows Slaves to switch functionality with the piconet Master. As a general process, we propose that every burst we detect have its CAC compared to a table of access codes for known piconets. If it does not match any of the known piconets, then we insert the newly discovered piconet information into the table. Likewise, we can keep track of individual Slaves by their LT_ADDR and CAC. This general process is illustrated in Figure 7.

C. WiFi Access Points

WiFi beacons are periodic, broadband bursts that are broadcast by Access Points. These beacons contain useful identification information such as the service set identifier (SSID) and the AP name. This information can be immediately extracted by properly demodulating the beacons. But, this is a bit more complicated given the limitations of our research hardware. Since the WiFi (802.11g) beacon is 20 MHz wide, it is out of scope of our equipment (i.e. 4 MHz). However, alternative methods of AP identification can be pursued using our limited spectral snapshot. One method performs an analysis on the periodic structure of the beacons, while another examines the physical properties of each beacon in more detail.

Periodicity: By default, WiFi APs broadcast beacons every 102.4 ms. Given a situation where every AP maintains the default PRI, we can estimate the number of APs by monitoring the number of beacons that occur within a 102.4 ms period. In cases where APs do not use the default beacon PRI, an accurate estimation of the number of APs is also discernible by analyzing the start times of the observed beacons. Assuming AP PRIs are stationary, all unique PRIs can be determined using standard deinterleaving algorithms [10]. We are then back to the original task of identifying unique APs given knowledge of a beacon PRI.

Channel estimation: A particular scenario arises, however, where standard deinterleaving algorithms break down. Consider the case where a beacon frame is detected every 51.2 ms. There is an inherent uncertainty here in determining how many distinct APs exist. There could only be one with a PRI of 51.2 ms, or two with PRIs of 102.4 ms, or three with PRIs of 153.6 ms, etc. By leveraging the unique capabilities inherent to CRs, the dilemma can in fact be resolved. Since a CR by nature has direct access to the physically received waveform, it can exploit non-standard features to best determine a physical differentiator (e.g. other than just bits). Let us elaborate by discussing the 802.11g protocol a bit more in detail.

WiFi beacons operating in 802.11g-only mode begin with an 8 µs training sequence followed by an 8 µs equalization sequence [11]. As previously stated, an 802.11g WiFi channel is 20 MHz wide. Being an OFDM signal, one channel contains 64 equally spaced sub-channels, where each sub-channel is 312.5 kHz wide. During the training sequence, every fourth sub-channel is active with a phase relationship such that the peak-to-average power ratio is minimized. Subsequently, the equalization sequence modulates every sub-channel with equal power [11]. It is therefore intuitive that the equalization sequence would make an excellent differentiator, since it is in fact a channel sounding waveform between the AP and the CR. Figure 8 (a) shows both the training sequence and the equalization sequence for one of our observed WiFi beacons. The reader can see the distinguishing spectral characteristics of the two sequences, even given our narrowband snapshot.

A CR may wish to take advantage of this broadcast channel estimation signal by using it as a means of unique AP identification. Note that an estimate of the channel can be obtained by accounting for the spectrum of the transmitted waveform. This adjustment factor is known a priori and it will remain common for all channel estimates since the waveform is always the same. Let s(t) be the transmitted equalization signal with S(f) corresponding to its Fourier Transform. If we denote the channel between the AP and the CR as h(t), and channel noise as n(t), then a basic linear time invariant model for the waveform received by the CR is:

$$ r(t) = s(t) * h(t) + n(t) \qquad (1) $$

$$ R(f) = S(f)H(f) + N(f) \qquad (2) $$

Estimating the channel spectrum yields:

$$ \hat{H}(f) = \frac{R(f)}{S(f)} = H(f) + \frac{N(f)}{S(f)} \qquad (3) $$

AP discrimination: With a valid channel estimate, it is proposed that unique APs can be differentiated within the time-coherence of the channel by performing cross-correlations between new channel estimates and known channel estimates. Given K known users and their corresponding channel estimates, H_i(f), where i = 1, ..., K, we can obtain a vector of cross-correlations, v, between the known channel estimates and the newest channel estimate, H_{K+1}(f), via:

$$ v(i) = \frac{\langle H_i(f),\, H^{*}_{K+1}(f) \rangle}{\|H_i(f)\|\,\|H^{*}_{K+1}(f)\|} \qquad (4) $$

If the largest correlation does not exceed a given threshold, then we can declare the presence of a new user. Similar to the case of Bluetooth devices discussed earlier, a table can be maintained to aid in AP discovery. And, just like the Bluetooth user table, the WiFi AP table can be updated over time in order to remove old users. Note that it is also possible to update the table to account for the time-coherence of the channel.

However, it should be noted that the aforementioned channel estimate, H(f), has one subtle flaw: the use of phase as a differentiator when considering bursty transmissions from a common source. This is because there is no deterministic way to estimate the initial phase of the transmitted waveform. Initial phase offsets can be attributed to various factors, including local oscillator drifts and even software. We must therefore consider the initial phase to be random and thus should not include it in our channel estimate. We can, however, base our channel estimate on the magnitude response of the channel. Equation (5) illustrates the relationship of this new channel estimate, H_M(f), to the old channel estimate, H(f). Utilizing solely the magnitude response in performing the correlations has a performance effect: the typical correlation range of [-1, 1] is now collapsed to [0, 1], as seen by bounding H_M(f) by ‖H(f)‖:

$$ H_M(f) = \frac{\|R(f)\|}{\|S(f)\|} \qquad (5) $$

$$ = \frac{\|S(f)H(f) + N(f)\|}{\|S(f)\|} \qquad (6) $$

$$ \le \frac{\|S(f)H(f)\| + \|N(f)\|}{\|S(f)\|} \qquad (7) $$

$$ \le \|H(f)\| + \frac{\|N(f)\|}{\|S(f)\|} = \|H(f)\| \qquad (8) $$
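As an added example (not code from the paper), the magnitude-only channel estimate of Eq. (5), the normalized cross-correlation of Eq. (4) applied to it, and the thresholded AP table described under AP discrimination are run on a constructed 32-bin scenario that reproduces the 51.2 ms dilemma: two APs on the default 102.4 ms PRI, offset by half a period, each beacon carrying a random initial phase. The equalization spectrum S(f), the two-tap channels, the 0.9 threshold and the noise level are assumptions, not values from the paper.

```python
import cmath, math, random

NBINS = 32  # frequency bins in the narrowband snapshot (the paper's 32-sample equalization window)

def equalization_spectrum(seed=1):
    # Known S(f): unit power in every bin with fixed pseudo-random phases (constructed stand-in for 802.11g)
    rng = random.Random(seed)
    return [cmath.exp(1j * rng.uniform(0, 2 * math.pi)) for _ in range(NBINS)]

def two_tap_channel(gain, tap_phase):
    # Constructed frequency-selective channel H(k) = 1 + gain * exp(-j(2*pi*2k/N + tap_phase))
    return [1 + gain * cmath.exp(-1j * (4 * math.pi * k / NBINS + tap_phase)) for k in range(NBINS)]

def received_spectrum(S, H, rng, init_phase, noise_std):
    # Eq. (2) plus the unknown initial phase: R(f) = e^{j*phi} S(f) H(f) + N(f)
    rot = cmath.exp(1j * init_phase)
    return [rot * s * h + complex(rng.gauss(0, noise_std), rng.gauss(0, noise_std)) for s, h in zip(S, H)]

def magnitude_channel_estimate(R, S):
    # Eq. (5): H_M(f) = |R(f)| / |S(f)|; the random initial phase cancels out
    return [abs(r) / abs(s) for r, s in zip(R, S)]

def normalized_correlation(a, b):
    # Eq. (4) applied to real magnitude estimates: <a, b> / (||a|| ||b||), which lies in [0, 1]
    num = sum(x * y for x, y in zip(a, b))
    return num / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

class APTable:
    # Table of known estimates H_i(f); a best correlation below the threshold declares a new AP
    def __init__(self, threshold=0.9):
        self.threshold, self.estimates = threshold, []

    def observe(self, H_new):
        scores = [normalized_correlation(Hi, H_new) for Hi in self.estimates]
        if scores and max(scores) >= self.threshold:
            return scores.index(max(scores))  # matched a known AP
        self.estimates.append(H_new)          # new AP
        return len(self.estimates) - 1

def count_aps(beacons_per_ap=4, noise_std=0.05, seed=7):
    # The 51.2 ms dilemma: two APs on the default 102.4 ms PRI, offset by half a period,
    # yield one beacon every 51.2 ms. Returns (number of distinct APs, AP index per beacon).
    rng = random.Random(seed)
    S = equalization_spectrum()
    channels = [two_tap_channel(0.9, 0.0), two_tap_channel(0.9, math.pi)]  # AP A, AP B
    table, labels = APTable(), []
    for n in range(2 * beacons_per_ap):  # beacons alternate A, B, A, B, ...
        R = received_spectrum(S, channels[n % 2], rng, rng.uniform(0, 2 * math.pi), noise_std)
        labels.append(table.observe(magnitude_channel_estimate(R, S)))
    return len(table.estimates), labels
```

Because the two constructed channels have their spectral peaks and notches interchanged, their magnitude estimates correlate at roughly 0.65 while repeated beacons from the same AP correlate near 1, so the table settles on exactly two APs regardless of the per-beacon phase.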

Experiment validation: To validate the feasibility of using channel estimation to identify APs, we conducted an experiment using the beacons of two APs at different locations. The devices were placed much further than a wavelength away from each other and from the USRP. Figure 8 (b) shows the time-series magnitude of one of the data sequences. Two sets of periodic beacons with varying amplitudes are evident.

Since our narrowband snapshot limits us to 32 samples to represent the equalization sequence, our correlations were performed over a longer data sequence. In order to prevent this from jeopardizing our experiment, both APs were set up with exactly the same parameters (e.g. channel, SSID, PRI, name, etc.). This forced both APs to transmit identical bit-sequences. Our analysis used the appropriate waveform, S(f), to calculate our channel estimate, H_M(f). With a wider bandwidth, however, it would be desirable to use only the equalization sequence for channel estimation.

Using our outlined methodology, every detected beacon resulted in a channel estimate. That channel estimate was then correlated against every channel estimate seen within the last 102.4 ms. In our experiment, this resulted in two correlations per detected beacon. Since our experiment consisted of two distinct APs alternately transmitting, one would expect each beacon to correlate best with the second-to-last beacon detected. Figure 8 (c) presents our results. As can be seen, the correlation routine was reliable in its ability to differentiate between APs based solely on the physical layer signature associated with the AP. The results were reproducible for various AP locations and over numerous days. It is quite clear that the proposed methodology therefore provides a plausible solution to the previously outlined deinterleaving dilemma.

D. WiFi Devices

Now that unique WiFi APs can be reliably detected, we propose that the same correlation methodology can be leveraged to estimate the number of distinct WiFi devices in the area. This includes both APs and clients. While data packets do not exhibit the periodicity of the beacon frames, they do in fact contain known bit-sequences. These bit-sequences can be utilized to obtain unique channel estimates, and these channel estimates could be exploited to differentiate between distinct WiFi devices. One notable challenge, though, is that mobility might affect the temporal coherence of the channel and, consequently, necessitate more frequent comparisons.

[Figure 8: (a) two spectra, Magnitude (dB) versus Frequency (MHz) over 2410–2413.5 MHz, for the training and equalization sequences; (b) Normalized Magnitude versus Time (s) over 0–1 s; (c) XCorr versus Beacon Number (4–18), with curves "1 Beacon back" and "2 Beacons back".]

Fig. 8. (a) The first 8 µs sequence of the WiFi beacon is used as a training sequence, while the second 8 µs sequence is used to aid in equalization. (b) Normalized time-series beacon data for two active 802.11g APs. (c) Cross-correlating against the previous 2 beacons.

E. Summary

So far, all of the spectral sensing techniques discussed have been passive. If inclined, a CR can employ active techniques to discover services and possibly devices in the area. For instance, an active CR spectral sensing routine may invoke the Bluetooth Service Discovery Protocol, whereby a CR may send a discovery request to Bluetooth devices in its area in order to obtain a list of available services. A similar discovery packet also exists in the 802.11 protocol in the form of Probe Request frames. Note that this is of course dependent on the functional limitations of the CR itself.

We note that although only two protocols have been examined, the methodology proposed can be extended to other protocols both within and outside of the ISM band (e.g. cordless phones). Furthermore, spectral sensing techniques could be developed to identify and avoid non-communication-based interferers such as microwave ovens.

V. CONCLUSION

Networks involving cognitive radios will support spectrum-efficient communications by allowing individual cognitive radios to dynamically adapt their wireless protocol to their operating environments. To select the appropriate protocol, CRs need to sense their local environment. In particular, two functionalities are needed: service discovery and device identification. We have shown in Sections III and IV that current SDR platforms are already capable of accurate spectral sensing routines. Furthermore, reliable and efficient information can be obtained using only narrowband sampling of the spectrum (rather than requiring a complete processing and implementation of the corresponding wireless protocols) by exploiting protocol-specific differentiators. Using GNU Radio and the USRP, we were able to detect the presence of Bluetooth and WiFi devices by sampling only 4 MHz of the spectrum. We were also successful in estimating the number of distinct Bluetooth devices operating in the region, and we were able to reliably differentiate between two WiFi access points by cross-correlating against channel estimates obtained based on known waveforms specific to the 802.11 protocol.

While the increased usage of these unique CR devices brings the promise of better spectral efficiency, it also brings major security concerns. Device identification can facilitate the identification of non-compliant devices (e.g. devices conducting spoofing). We envision that such identification may be used in a security system, such as the TRIESTE framework, for CR networks.

REFERENCES

[1] M. Shoemake, “Wi-Fi (IEEE 802.11b) and Bluetooth: Coexistence Issues and Solutions for the 2.4 GHz ISM Band,” White Paper.

[2] Z. Li, W. Xu, R. Miller, and W. Trappe, “Securing wireless systems via lower layer enforcements,” in WiSe ’06: Proceedings of the 5th ACM Workshop on Wireless Security, New York, NY, USA, 2006, pp. 33–42, ACM Press.

[3] “The Rice WARP platform,” http://warp.rice.edu/news.php.

[4] B. Ackland (PI), M. Bushnell, D. Raychaudhuri, C. Rose, and T. Sizer, “NeTs-ProWin: High Performance Cognitive Radio Platform with Integrated Physical and Network Layer Capabilities,” National Science Foundation NeTS-0435370.

[5] “Texas Instruments,” http://focus.ti.com/lit/ml/sprt406/sprt406.pdf.

[6] W. Xu, P. Kamat, and W. Trappe, “TRIESTE: A Trusted Radio Infrastructure for Enforcing SpecTrum Etiquettes,” in Proceedings of the IEEE Workshop on Networking Technologies for Software Defined Radio (SDR) Networks, 2006.

[7] “USRP,” http://www.ettus.com.

[8] “GNU Radio,” http://www.gnu.org/software/gnuradio/.

[9] Wireless Personal Area Networks Working Group, “IEEE Std 802.15.1-2005 Part 15.1: Wireless medium access control (MAC) and physical layer (PHY) specifications for wireless personal area networks (WPANs),” White Paper, 2005.

[10] H. K. Mardia, “New techniques for the deinterleaving of repetitive sequences,” IEE Proceedings, vol. 136, pp. 149–154, August 1989.

[11] Agilent Technologies, Inc., “MIMO Wireless LAN PHY Layer [RF] Operation and Measurement,” September 2005.