2015 IEEE Global Conference on Signal and Information Processing (GlobalSIP)
A Novel Physical Layer Spoofing Detection Based
on Sparse Signal Processing
Ning Wang * , Shichao Lv † , Ting Jiang * Ge Zhou *
*
Key Laboratory of Universal Wireless Communication Ministry of Education
Beijing University of Posts and Telecommunications Beijing, China
†
Beijing Key Laboratory of IOT information security technology
Institute of Information Engineering, CAS Beijing, China
E-mail: *
[email protected]
, †
[email protected]

Abstract— In wireless communication systems, spoofing
attack significantly impact the information security, for this
attack is not hard to launch with little effort. Although
traditional cryptographic authentication can be utilized for
node identification, it is not desirable in some low power
requirements application scenarios such as Wireless Sensor
Networks (WSNs). In this paper, we formulate this problem as
one of sparse signal processing. In order to identify the
existence of the spoofing attacker, we explore using the feature
extraction and fusion to establish an automatic representative
selection algorithm. By examining the correlation between the
two selected targets, we can determine the attacking situation.
We evaluate our scheme through an experimental system, and
the experimental results on real measured data show that our
sparse signal processing can reach desired identification
performance.
Keywords—physical layer security; spoofing attack; signal
processing; sparse representation
I. INTRODUCTION
In wireless communication, security is threatened by the
development of computer and wireless technology.
Although most existing wireless networks have some
security mechanisms such as Wi-Fi Protected Access (WPA)
and 802.11i, these wireless systems still have security
vulnerabilities [1]. Through disguising the identity such as
MAC address, an attacker can spoofs some management
control messages to claim to be a legitimate node. In
addition, spoofing attack is the foundation of other senior
attacks such as denial-of-service (Dos) and man-in-the-
middle attacks [2].
About this problem, traditional methods are actually key
distribution schemes. However, even if the security
mechanism is based on the most recent advanced encryption
standard (AES), spoofing attack is easy to launch because
these security mechanisms are established at the higher
layers of the protocol stack [3]. Furthermore, in some low
power requirements application scenarios such as Wireless
Sensor Networks (WSNs) and Wireless Body Area Network
(WBAN), traditional cryptographic security mechanisms are
not desirable [4].
To overcome this hurdle, the inimitable feature of the
physical layer is exploited to enhance or supplement
978-1-4799-7591-4/15/$31.00 ©2015 IEEE
security in wireless communication by numerous
researchers [3]-[8] recently. In previous works, the channel
response was used to detect the spoofing attack, either
received signal strength (RSS) [6], or channel state
information (CSI) [7] [8]. However, little work has been
attempted to utilize spares signal processing to implement
physical layer spoofing detecting.
In this paper, we present a new process model to detect
the spoofing attitude based on sparse representation. After
sparse decomposition and principal component analysis
(PCA), the original channel impulse response becomes a
little of sparse coefficients. Then, we utilize the feature
extraction and combination to establish a novel automatic
representative selection algorithm to choose the optimal
targets. Finally, examining the correlation between the
targets, we can determine whether there is existing spoofing
attack in this communication.
A. Related work
Many physical layer authentication scheme related
spoofing detection such as [6]-[9]. But, the works that are
closely related to us are [6] [9] [10]. [6] proposed the use of
Received Signal Strength (RSS) traces for spoofing
detection. They develop a DEMOTE system to utilize the
temporal constraints to predict the RSS traces for partition
and use the spatial correlation for the attack detection.
Instead of RSS traces reconstruction of [6], we focus on the
features extraction from sparse representation to make a
distinction between the signals. [9] utilized the K-means
cluster to identify the channel response of the nodes. They
propose detecting the attacker as well as locating the
positions. And [6] proposed using matches rules to detect
identity-based spoofing. Different from them also, we first
investigate channel sparse representation for spoofing
detection.
B. Our Contributions
There have two contributions in this paper as follow:
(1) We propose that utilizing the sparse signal
processing to implement spoofing detection.
(2) For examining the correlation, we establish an
Automatic Representative Selection Algorithm
(ARSA) to search for the optimal target.
582
 2015 IEEE Global Conference on Signal and Information Processing (GlobalSIP)

II. SYSTEM SETUP

A. Sparse Representation
(1)
X
First feature as concentration ratio:
2n−1+i
,X2n−1
F = d(i) d(i) (5)
In this subsection, sparse representation contains two phase:
k=2n−1−i k=0

!
sparse decomposition and principal component analysis (P-

X X
CA). Second feature as the middle section variance:
1) Sparse decomposition: Suppose that a received signal 2n−1+i 2n−1+i 2
1
set isY = [y1 , ..., yN ] ∈ Rm×N , N is the number of data F (2)
= d(i) − d(i) (6)
samples and eachyi ∈ Rm×1 , i = 1, 2, ..., N . We want to 2i − 1
k=2n−1−i k=2n−1−i
find a dictionaryD = [d1 , ..., dn ] ∈ Rm×n and sparse vector

X X
The shape imbalance as the third feature:
matrixX = [x1 , ..., xn ] ∈ Rm×n that satisfy

y = Dx =
X
N
dk xk (1)
F (3) =
2n−1

k=2n−1+i
d(i) −
2n−1−i

k=1
d(i) (7)
k=1

where the atoms dk is the column vector of redundant com- In this way, one feature space [F (1) , F (2) , F (3) ] is established.
plete dictionary. Sparse representation model is given by Then, we directly resort to the equal combination (EC) rule
for combination the features,
min x0 s.t. y = Dx (2)
F = μ1 F (1) + μ2 F (2) + μ3 F (3) (8)
where 0 denotes 0 norm, its role is to count the number of 1
nonzero entries. where, μi = mean(F (i) )
This problem is equivalent to a convex optimization problem Up to now, we have already established an integrated feature
under 1 norm. The model is F to measure the difference levels of obtained signal sparse
representation. Thus, each received signal sparse representa-
min x1 s.t. y = Dx (3)
tion xi = [xi1 , ..., xiv ] can be mapped to a single point in the
where 1 denotes 1 norm. feature vector F = [F1 , ..., Fk ] and k ∈ [1, ..., L]. Suppose
Many algorithms can solve this optimization problem, such that the number of signals at level Fk is denoted by nk and
as gradient projection, greedy pursuit algorithms, etc. In this the total number of signals by N = n1 + n2 + ... + nL . Then

P
study, we use the popular orthogonal match pursuit algorithm the probability distribution of each value Fk is
(OMP) to solve the problem and the used redundant over L
complete dictionary is wavelet dictionary. p(Fk ) = nk /N, p(Fk ) ≥ 0, p(Fk ) = 1 (9)
2) Principal component analysis (PCA): After sparse rep- k=1

resentation, we use principal component analysis (PCA) to In this study, we utilize an unsupervised approach to search the
decrease the dimension of the sparse coefficient vector. optimal threshold (denoted by ε). According to [11], choosing
Suppose that the input sparse vector x = [x1 , ..., xn ] is then the optimal threshold is an optimization problem,

¨
transformed into xV = [x1 , ..., xv ] by the following way:
k ∗ = arg max σB
2
(k), k ∈ [1, ..., L]
k
XV = V(x − μx ) (4) ω(k)(1 − ω(k)) > 0 (10)
Subject to
or 0 < ω(k) < 1
P
where μx denotes the mean of the samples, V is the projection
vector. k
The objective of PCA is to choose a set of projection vectors 2
where, ω(k) = p(Fi ) and σB (k) is between-class variance
xV that can represent the original sparse coefficient vector x i=1
with the minimum mean square error. [11]:
2
2 [μT ω(k) − μ(k)]
Thus, the received signals sets is Y = [y1 , ..., yN ], its cor- σB (k) = (11)

P
responding sparse representation is X = [x1 , ..., xN ] and each ω(k)[1 − ω(k)]
element of sparse coefficient is xi = [xi1 , ..., xiv ],i ∈ {1, ..., N } L

after PCA processing. N denotes the number of signals and v
is the vector dimension of sparse coefficient.
B. Automatic representative selection algorithm
In this subsection, we present a new automatic represen-
tative selection algorithm (ARSA) to dichotomize the sparse
representation in two classes, and get the target sparse coeffi-
cients x(a) and x(b) .
Firstly, in order to reflect the distinction of the obtained
sparse representation, we extract three quantifiable features
according to the following processing.
P
where, μT is the total mean level ,i.e., μT = Fi p(Fi ), and
i=1
k
μ(k) is the class mean levels ,i.e., μ(k) = Fi p(Fi ).
i=1
Thus, the optimal threshold k ∗ is selected, and the feature
vector F = [F1 , ..., Fk ] is dichotomized into two classes
[F1 , ..., Fk∗ ] and [Fk∗ , ..., FL ] by this optimal threshold at level
k ∗ . Then, we choose the middle level as the representative,
and the corresponding sparse coefficients is selected, .i.e., the
sparse coefficients x(0) and x(1) that corresponding to the
feature F(k∗ +1)/2 and F(k∗ +1)/2 are obtained.

583
 2015 IEEE Global Conference on Signal and Information Processing (GlobalSIP)

0.8
Spoofing situations
DŽďŝůĞŶŽĚĞƐ Normal situations
0.7

0.6

0.5

Correlation
ŶƚĞŶŶĂ
0.4

Fig. 1: Mobile node and Software defined radio platform 0.3

(Sora) in experiment.
0.2

4 original signal (a) 4 original signal (b) 0.1

x 10 x 10
1 1
0
0 0 0 10 20 30 40 50
Sample index

−1 −1
0 50 100 150 0 50 100 150 Fig. 4: The correlation analysis of the experiment .
4sparse representation 4
x 10 x 10 sparse representation
2 2
TABLE I: The composition of the training phase
0 0

−2 −2 Testing phase Spoofing scenario Normal scenario

0 100 200 300 0 100 200 300
PCA PCA Transmitting Two mobile node One mobile node
0.05 0.05
Received One MAC address One MAC address
0 0

−0.05 −0.05
0 10 20 30 0 10 20 30

P €X − X Š€Y − Y Š
Pearson correlation coefficient:
n

r= Ê
P €X − X Š Ê P € Y − Y Š
Fig. 2: Signal processing under normal situations. i i
i=1
(12)
n 2 n 2
4 original signal (a) 4 original signal (b)
i i
1
x 10
1
x 10 i=1 i=1

where Xi and Yi are the values of the packet of each party,

0 0
X and Y are the mean values of a sequence of packets
−1
0 50 100 150
−1
0 50 100 150
respectively.
x 10
4sparse representation 4
x 10 sparse representation Under normal situations, the correlation rate should be high
2 2
since they have the same channel and within the coherent
0 0 time. However, under the spoofing situations, the two selected
signals are uncorrelated to each other as they have different
−2 −2
0 100 200 300 0 100 200 300 transmitters and different channels even in the coherent time.
PCA PCA
0.2 0.05
III. EVALUATION
0 0
The detection performance of the proposed scheme is eval-
−0.2
0 10 20 30
−0.05
0 10 20 30
uated by an experimental system.

Fig. 3: Signal processing under spoofing attack situation.
C. Correlation detection
When the target sparse coefficients x(0) and x(1) are select-
ed, we examine the correlation between the two selected sparse
coefficients to determine the attacking situation. In this study,
Pearson correlation coefficient is used to depict the degree of
correlation.
A. Data acquisition
We configure two mobile nodes (homemade hardware based
on IEEE 802.15.4) worn on the chest and the arms as signal
transmitters. And Software defined radio platform (SDR) is
used to emulate the controller. The utilized SDR is Microsoft
Research Software Radio, also known as Sora. Sora is a
high-performance fully programmable software radio based
on general purpose processors (i.e., CPU) in commodity PC
architecture. Fig. 1 shows the mobile nodes and the SDR
platform respectively in our experiments.

584
 2015 IEEE Global Conference on Signal and Information Processing (GlobalSIP)
In the testing phase, the experiment is repeated 300 times
to obtain the normal signals and spoofing attack signals,
respectively. Table 1 indicates the composition of testing data.
The two mobile node have the same MAC address and as
the role of the spoofing attack sources. While, in the normal
scenario, there is only one mobile node to play legitimate
signals.
B. Signal processing
After the experimental data are collected, we classify these
signals into two groups: one is a normal situation and the
other is spoofing attack situation. In order to simplify the
discussion, we randomly selected two signals (denote (a) and
(b)) to display.
Fig. 2 shows the signal processing under normal situations.
We can notice that the original signals are similar, but these
signals exhibit the difference after sparse representation. Al-
though there is only one transmitter, the sparse representation
of the received signals are differences in performance. The
reasons may be that dynamic environment and the movement
of the transmitter leads to differences in channel. Fig. 3
shows spoofing attack normal situations, and this difference
between the two received signals is more profound after sparse
representation. Because these signals come from different
transmitters, their channel is hard to similar.
Fig. 4 shows that the correlation rate ranges from 0.5 to 0.8
under the normal situation, while this rate range is from 0 to
0.25 under the spoofing attack situation. We can see a clear
difference between the two situations. After the processing
of ARSA, two signals representing the most difference are
elected. As the above analysis, the same transmitter has the
similar channel, so their sparse representation is more relevant.
On the contrary, in spoofing attack situation, their channels are
hard to parallel, so the correlation rate is very low.
IV. REMARK
Accommodation. In practical, moving action and complex
environment will reduce the correlation of the received signal.
If the observation time interval is within the coherence time,
spoofing detection will adopt the mobile object for the channel
reciprocity.
Consumption. In the process of authentication, the algorith-
m is low-power design. Instead of traditional cryptographic
authentication, our scheme is more suitable for low-power
requirements of the application, and without communication
costs and additional operation.
Scalability. The proposed authentication can be used in
combination with other security programs (for example key-
based authentication). Reasonable combination scheme can
improve the safety performance.
Security. In various attacks, spoofing attack is prerequisites.
This attack model is the foundation of other senior attacks.
Therefore, preventing spoofing attacks can greatly enhance the
security of wireless communication.
585
V. CONCLUSION
In this paper, we have formulated spoofing detection as a
sparse signal processing. Based on the feature extraction and
fusion, we presented a novel automatic representative selection
algorithm (ARSA) to choose the optimal inspection target.
In order to verify this process model, we performed indoor
experiments, and the result showed the better performance. In
our future work, extending the channel sparse representation
to other wireless security application will be an interesting
topic.
ACKNOWLEDGMENT
This work was supported by National Nature Science Foun-
dation of China (61171176) and the Innovation Program of
Institute of Information Engineering Chinese Academy of
Sciences (Y4Z0033102).
R EFERENCES
[1] H. Yang, F. Ricciato, S. Lu, and L. Zhang, “Securing a wireless world,”
Proceedings of the IEEE, vol. 94, no. 2, pp. 442–454, 2006.
[2] J. Bellardo and S. Savage, “802.11 denial-of-service attacks: Real
vulnerabilities and practical solutions.” in USENIX security, 2003, pp.
15–28.
[3] X. Wu and Z. Yang, “Physical-layer authentication for multi-carrier
transmission,” IEEE Communications Letters, vol. 19, no. 1, pp. 74 –
77, 2015.
[4] L. Shi, M. Li, S. Yu, and J. Yuan, “Bana: Body area network authenti-
cation exploiting channel characteristics,” Selected Areas in Communi-
cations, IEEE Journal on, no. 9, pp. 1803–1816, 2013.
[5] F. Zheng, Z. Xiao, S. Zhou, J. Wang, and L. Huang, “Message authenti-
cation over noisy channels,” Entropy, vol. 17, no. 1, pp. 368–383, 2015.
[6] J. Yang, Y. Chen, W. Trappe, and J. Cheng, “Determining the number
of attackers and localizing multiple adversaries in wireless spoofing
attacks,” in INFOCOM 2009, IEEE. IEEE, 2009, pp. 666–674.
[7] X. Liang, L. J. Greenstein, L. Fellow, and B. M. Narayan, “Channel-
based spoofing detection in frequency-selective rayleigh channels,” IEEE
Transactions on Wireless Communications, vol. 8, no. 12, pp. 5948 –
5956, 2009.
[8] L. Xiao, A. Reznik, W. Trappe, C. Ye, Y. Shah, L. Greenstein, and
N. Mandayam, “Phy-authentication protocol for spoofing detection in
wireless networks,” in Global Telecommunications Conference (GLOBE-
COM 2010), 2010 IEEE. IEEE, 2010, pp. 1–6.
[9] Y. Chen, W. Trappe, and R. P. Martin, “Detecting and localizing wireless
spoofing attacks,” in Sensor, Mesh and Ad Hoc Communications and
Networks, 2007. SECON’07. 4th Annual IEEE Communications Society
Conference on. IEEE, 2007, pp. 193–202.
[10] D. B. Faria and D. R. Cheriton, “Detecting identity-based attacks in
wireless networks using signalprints,” in Proceedings of the 5th ACM
workshop on Wireless security. ACM, 2006, pp. 43–52.
[11] N. Otsu, “A threshold selection method from gray-level histograms,”
Automatica, vol. 11, no. 285-296, pp. 23–27, 1975.