Improving ZigBee Device Network Authentication Using Ensemble Decision Tree Classifiers With Radio Frequency Distinct Native Attribute Fingerprinting

Abstract

The popularity of ZigBee devices continues to grow in home automation, transportation, traffic management, and Industrial Control System (ICS) applications given their low-cost and low-power. However, the decentralized architecture of ZigBee ad-hoc networks creates unique security challenges for network intrusion detection and prevention. In the past, ZigBee device authentication reliability was enhanced by Radio Frequency-Distinct Native Attribute (RF-DNA) fingerprinting using a Fisher-based Multiple Discriminant Analysis and Maximum Likelihood (MDA-ML) classification process to distinguish between devices in low Signal-to-Noise Ratio (SNR) environments. However, MDA-ML performance inherently degrades when RF-DNA features do not satisfy Gaussian normality conditions, which often occurs in real-world scenarios where radio frequency (RF) multipath and interference from other devices is present. We introduce non-parametric Random Forest (RndF) and Multi-Class AdaBoost (MCA) ensemble classifiers into the RF-DNA fingerprinting arena, and demonstrate improved ZigBee device authentication. Results are compared with parametric MDA-ML and Generalized Relevance Learning Vector Quantization-Improved (GRLVQI) classifier results using identical input feature sets. Fingerprint dimensional reduction is examined using three methods, namely a pre-classification Kolmogorov-Smirnoff Test (KS-Test), a post-classification RndF feature relevance ranking, and a GRLVQI feature relevance ranking. Using the ensemble methods, an ${\rm SNR}=18.0$ dB improvement over MDA-ML processing is realized at an arbitrary correct classification rate $(\hbox{\%}C)$ benchmark of $\hbox{\%}C=90\hbox{\%}$ ; for all ${\rm SNR}\in [0, 30]$ dB considered, $\hbox{\%}C$ improvement over MDA-ML ranged from 9% to 24%. Relative to GRLVQI processing, ensemble methods again provided improvement for all SNR, with a best improvement of $\hbox{\%}C=10\hbox{\%}$ achieved at the lowest tested ${\rm SNR}=0.0$ dB. Network penetration, measured using rogue ZigBee devices, show that at the ${\rm SNR}=12.0$ dB $(\hbox{\%}C=90\hbox{\%})$ the ensemble methods correctly reject 31 of 36 rogue access attempts based on Receiver Operating Characteristic (ROC) curve analysis and an arbitrary Rogue Accept Rate of ${\rm RAR} . This performance is better than MDA-ML, and GRLVQI which rejected 25/36, and 28/36 rogue access attempts respectively. The key benefit of ensemble method processing is improved rogue rejection in noisier environments; gains of 6.0 dB, and 18.0 dB are realized over GRLVQI, and MDA-ML, respectively. Collectively considering the demonstrated $\hbox{\%}C$ and rogue rejection capability, the use of ensemble methods improves ZigBee network authentication, and enhances anti-spoofing protection afforded by RF-DNA fingerprinting.