With the rapid integration of diverse, large-scale resources into modern power systems, many of these resources sit in complex, open physical environments with relatively weak security measures, leaving them vulnerable to cyber-attacks. To address this challenge, this paper proposes an identity authentication architecture that integrates software and hardware fingerprints. For the software fingerprint, we extract packet characteristics and statistical features through network probing and combine them, by direct concatenation, with time-difference sequence features obtained from side-channel monitoring to generate the software fingerprint of the power smart terminal. Incorporating several kinds of characteristic information in this way improves the recognition accuracy of the fingerprint features. For the hardware fingerprint, we extract the preamble signal and perform statistical feature analysis. Finally, an ensemble learning method integrates the software and hardware fingerprints into device fingerprint features. This approach effectively addresses the security authentication of power equipment based on High-speed Power Line Communication (HPLC), achieving a recognition rate above 95% under most machine learning classification methods.
Introduction
As China’s power demand continues to increase, the requirements for power supply are also rising, leading to continuous expansion and gradual enhancement of the intelligence of the power grid. To manage the vast number of power grid terminal devices, centralized processing is no longer sufficient. Edge IoT systems, which process data at the network edge (close to the user end), have emerged. In these systems, data processing relies not on remote servers or the cloud but on the devices generating the data or nearby power gateways. This approach reduces latency, speeds up data processing, and enhances data security.
Power gateways play a crucial role in constructing edge IoT and are widely used in power systems' communication, monitoring, and management. Their primary function is to connect different power devices with monitoring centers or cloud platforms, enabling data collection, transmission, and command delivery.
In power control systems, power gateways are mainly deployed between the field control network and the process control network. In this architecture, programmable logic controllers and other related devices are classified as edge devices, responsible for data collection, processing, and real-time control execution. Power gateways enable these devices to respond more quickly and accurately to changes in the production process. The key to improving responsiveness is data preprocessing: by preprocessing data on edge devices, the volume of data transmitted to supervisory control and data acquisition (SCADA) or control systems is reduced, thereby enhancing system efficiency. The current data interactions of power gateways face the following risks [1]:
Data Leakage: Power gateways transmit data in plaintext during upstream and downstream processes, making sensitive information easily interceptable by attackers, facilitating forgery or tampering of upstream messages;
Data Tampering or Forgery: If the upstream and downstream interactive data of power gateways lack integrity protection measures, the system might make incorrect decisions and issue erroneous control commands, leading to power outages in non-fault areas;
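The edge-side preprocessing mentioned above, which reduces the data volume sent upstream, can be sketched in a few lines. The window size, summary fields, and sensor readings below are illustrative assumptions, not part of any deployed gateway design:

```python
from statistics import mean

def preprocess_window(samples, window=10):
    """Aggregate raw sensor readings into per-window summaries before
    upstream transmission (illustrative edge-side preprocessing)."""
    summaries = []
    for i in range(0, len(samples), window):
        chunk = samples[i:i + window]
        summaries.append({"min": min(chunk),
                          "max": max(chunk),
                          "mean": round(mean(chunk), 3)})
    return summaries

# 100 raw readings collapse into 10 summary records
raw = [50.0 + 0.01 * i for i in range(100)]
summaries = preprocess_window(raw)
print(len(raw), "->", len(summaries))
```

Only the summaries travel upstream, so the transmitted volume shrinks by roughly the window factor.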
To counter these risks, three security mechanisms are commonly considered:
Password Authentication: This method identifies and verifies users by requiring them to provide a preset username and password. However, passwords are easily cracked or leaked and are poorly suited to the diversity and complexity of devices behind power gateways.
Certificate Authentication: Using digital certificates for identity verification can enhance security. Certificates contain the holder’s public key and other identity information and are issued by trusted third parties. However, certificate management is complex, and deployment and maintenance in large-scale systems are challenging.
Encryption Technology: Encrypting data ensures its security and integrity during transmission and storage. Common encryption algorithms include RSA and AES. However, in edge IoT networks of power systems, plaintext transmission is typically used. Encrypting data would require modifying each edge device on the line, which is labor-intensive and has low scalability.
The main contributions of this paper are as follows:
For the behavioral fingerprint part of the device, we consider the packet characteristics and statistical characteristics of the device's transmitted signal, proposing a feature extraction method based on behavioral fingerprints, detailed in Sect. 3.1.
For the hardware fingerprint part of the device, we fully consider the transmission characteristics of power line devices and capture the most effective signal part as the physical layer fingerprint information of the device. The specific acquisition method and theoretical support are introduced in Sect. 3.2.
We propose an identity authentication method that integrates physical layer and behavioral fingerprints of devices. This method utilizes the physical layer fingerprint information of devices on the power line and the behavioral fingerprint information during device transmission, integrating both as the final fingerprint information of the device. The details are introduced in Sect. 3.3.
For the final integrated fingerprint, we adopt a multi-similarity identity authentication method, achieving a significant improvement over conventional feature classification models. Extensive experiments also demonstrate the scientific validity and practicality of this method, as analyzed in Sect. 3.4.
Research background
Device fingerprints refer to unique characteristics that can be used to identify a device. These fingerprints include inherent, hard-to-tamper identifiers specific to the device. For example, hardware IDs and the unique IMEI number assigned to mobile phones during production identify each device uniquely. Similarly, a computer’s network card is given a unique MAC address during production. These unique device identifiers can be considered device fingerprints [2].
Additionally, a collection of device features can serve as device fingerprints. This includes combining characteristics such as the device’s name, model, shape, color, and functions to create an identifier for the device. This is akin to how we remember people by their appearance and facial features [3].
Terminal authentication technology based on device fingerprints is a "knowledge-based" identity authentication method. The process of generating device fingerprints can be divided into three steps:
Collection of Device Feature Information: Collecting the required feature information through browsers, operating systems, network protocols, etc.
Processing of Device Feature Information: Processing and refining the collected device feature information to generate a feature code for the device.
Comparison of Device Feature Codes: Comparing the generated device feature code with those in the device fingerprint database to find matching feature information.
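The three steps above can be illustrated with a minimal sketch. The feature set, the hashing scheme (SHA-256 over a canonical JSON encoding), and the database layout are assumptions chosen for illustration, not the method used in this paper:

```python
import hashlib
import json

def make_feature_code(features: dict) -> str:
    """Step 2: condense collected feature information into a stable code."""
    canonical = json.dumps(features, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()

def match_device(code: str, fingerprint_db: dict):
    """Step 3: look up the feature code in the fingerprint database."""
    return fingerprint_db.get(code)

# Step 1 (collection) is simulated with a hypothetical feature set.
features = {"os": "linux", "mac_oui": "00:1A:2B", "protocols": ["http", "dns"]}
code = make_feature_code(features)
db = {code: "meter-0042"}
print(match_device(code, db))
```

Sorting the keys before hashing keeps the code stable regardless of the order in which features were collected.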
Depending on the feature source, device fingerprint authentication techniques fall into two categories:
Software Fingerprint Feature Authentication: This technique identifies IoT terminal identities by collecting software traffic characteristics related to the terminal, such as those from browsers and wireless drivers.
Hardware Fingerprint Feature Authentication: Based on physical layer hardware fingerprint recognition technology, this technique reflects the random process deviations in device manufacturing and the environmental information of the device location. It can extract and generate fingerprints from the wireless signals emitted by the device.
Physical layer fingerprint authentication technology
Physical layer security strategies typically follow three core steps: refined signal processing, fingerprint feature extraction, and precise identity verification. These three stages form a research framework widely recognized by global researchers.
Signal Processing: In this stage, research primarily focuses on using advanced algorithms to improve the signal capture process and enhance its robustness in adverse environments. The goal is to optimize algorithms to improve signal quality, enabling it to withstand various interferences.
Fingerprint Extraction: This stage aims to identify and extract unique attributes of the device or environment from the transmitted signals. The research focus is on creating device fingerprinting techniques that are highly distinctive and maintain long-term stability.
Identity Authentication: In the final identity verification stage, researchers apply data analysis techniques to improve the accuracy of device identity recognition and the efficiency of the verification process. This step ensures that identity verification is both fast and reliable.
Physical layer signal processing research
In the field of physical layer security, the primary task of signal processing is to extract unique identifiers from signals. The analysis of signal characteristics can be conducted from three main aspects: transient signals, steady-state signals, and the preamble of signals.
Transient Signals: These signals are captured when a radio transmitter starts up and exhibit unique properties for identification. Ureten O and Serinken N proposed a Bayesian theory-based method to detect the start-up transients of radio transmitters, effectively separating these transients from background noise [4]. This method highlighted the potential of transient signals as reliable fingerprints for radio transmitters. Ureten O et al. also studied transient detection at change points and proposed Bayesian methods that utilized the transient changes when the radio transmitter is activated, surpassing traditional methods in detecting Wi-Fi transmitter start-up transients [5].
Steady-State Signals: Unlike transient signals, steady-state signals provide continuous waveforms with unique spectral characteristics that can be analyzed. Kennedy I O et al. developed a frequency-domain-based method for steady-state transmitter fingerprinting [6], successfully distinguishing between transmitters of the same model. This technique underscores the critical role of spectral analysis in radio frequency (RF) fingerprinting. Hall J et al. proposed a variance trajectory detector [7], a change point detection method specifically for RF fingerprinting. By capturing transient signals and extracting fingerprints, this method achieved wireless device identification, supporting various device authentication schemes in the wireless domain.
Preamble of Signals: Rondeau C M et al. pioneered research on fingerprinting based on the preamble of signals [8]. They proposed a constellation-based DNA (CB-DNA) fingerprinting technique that enhanced the security of ZigBee networks. By analyzing the fingerprints of authorized devices and applying a multiple discriminant analysis (MDA) classifier, malicious devices were effectively identified.
In signal processing, the detection of change points is crucial for recognizing shifts in signal states, adding an additional layer of information for transmitter identification.
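As a toy illustration of change-point detection on a start-up transient, the following sketch slides a window over the signal and flags the first point where the variance trajectory exceeds a threshold, loosely in the spirit of the variance trajectory detector of [7]. The window length, threshold, and synthetic signal are arbitrary choices:

```python
import math
from statistics import pvariance

def transient_start(signal, win=8, threshold=0.05):
    """Return the first index whose length-`win` window has variance above
    `threshold` (toy variance-trajectory change-point detector)."""
    for i in range(len(signal) - win + 1):
        if pvariance(signal[i:i + win]) > threshold:
            return i
    return None

# A quiet idle period followed by an oscillating start-up 'transient'
sig = [0.0] * 50 + [math.sin(0.8 * n) for n in range(50)]
print("transient detected near sample", transient_start(sig))
```

Real detectors must cope with background noise, so the idle-period variance is nonzero and the threshold has to be set relative to an estimated noise floor.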
By integrating these research findings, we can compare different signal fingerprint extraction methods in terms of accuracy, computational complexity, stability, and data requirements. Overall, the complexity and data requirements of each method have a direct impact on its accuracy and stability.
Research on physical layer security fingerprinting
Once device fingerprints are identified as identifiers, researchers have focused on developing RF fingerprint recognition technologies with high discriminatory ability and stability. This development is based on two main dimensions: the time-frequency characteristics and modulation characteristics of signals.
(1) Extraction of Time–Frequency-Domain Characteristics for RF Fingerprinting
Fourier transform and wavelet transform are key tools in waveform-domain analysis, primarily used to study the frequency-domain and time–frequency characteristics of signals. Danev B et al. utilized the Fourier transform to study the radio characteristics of wireless sensor nodes, demonstrating its potential for identifying nodes within wireless network security [9]. Bertoncini et al. [10], on the other hand, employed the wavelet transform to extract unintentional modulations from RF transmitter electromagnetic signals, enhancing RF fingerprinting capabilities and showing potential in preventing unauthorized access and detecting device cloning. Furthermore, the Hilbert–Huang transform (HHT) and bispectrum transform have been used to explore finer details of signals, improving the accuracy and reliability of transmitter identification. Yuan et al. analyzed the time–frequency energy distribution of transient communication signals using HHT [11], proposing a specific transmitter identification method based on these distributions. Wang Huanhuan et al. combined improved bispectral and time-domain analysis techniques to solve the problem of individual identification of radiation source signals [12], further enhancing identification accuracy.
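A minimal example of Fourier-based fingerprinting in this spirit: the sketch bins the FFT magnitude spectrum into a normalized band-energy vector, so that a weak spurious harmonic (simulated here) shifts one transmitter's fingerprint relative to another's. The signal model, band count, and impairment level are illustrative assumptions:

```python
import numpy as np

def spectral_fingerprint(signal, n_bins=8):
    """Coarse frequency-domain fingerprint: normalized energy in n_bins
    equal-width bands of the FFT magnitude spectrum."""
    mag = np.abs(np.fft.rfft(signal))
    bands = np.array_split(mag, n_bins)
    energy = np.array([np.sum(b ** 2) for b in bands])
    return energy / energy.sum()

t = np.linspace(0, 1, 256, endpoint=False)
# Two simulated transmitters differing only in a weak spurious harmonic
dev_a = np.sin(2 * np.pi * 10 * t)
dev_b = np.sin(2 * np.pi * 10 * t) + 0.05 * np.sin(2 * np.pi * 60 * t)
fp_a, fp_b = spectral_fingerprint(dev_a), spectral_fingerprint(dev_b)
print(np.abs(fp_a - fp_b).max())
```

Even though both devices transmit the "same" nominal waveform, the spurious component leaves a measurable trace in the band-energy vector, which is the basic premise of spectral RF fingerprinting.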
With the introduction of newer techniques such as Intrinsic Time-Scale Decomposition (ITD) and the Synchrosqueezing Transform (SST), waveform-domain analysis methods have made new strides in physical layer security research. Ren Dongfang et al. proposed a novel radiation source individual identification method based on ITD [13], transforming the time–frequency energy spectrum of signals into images and extracting texture features from those images for identification, demonstrating its advancement and efficiency. Baldini G et al. utilized SST to improve the accuracy of identifying and authenticating RF devices from actual wireless transmissions [14], expanding the application scope of waveform-domain methods.
Researchers are increasingly exploring advanced methods that provide finer signal characteristic analysis, starting from the microscopic properties of signals, thereby providing more complex and refined identification mechanisms for physical layer security. Chen et al. addressed the limitations of traditional fractal box counting dimension algorithms in extracting fine features of radiation source signals by proposing a doubly improved generalized fractal box counting dimension feature vector algorithm [15], better extracting signal fine distribution characteristics under different reconstruction phase spaces. Klein R W’s study on RF-DNA fingerprint features demonstrated the effectiveness of using subtle waveform differences for wireless device identification [16].
(2) Extraction of Modulation Characteristics of Wireless Signals for RF Fingerprinting
In-depth analysis of the subtle features of RF signals has led to the development of more refined and efficient feature extraction methods, further improving recognition accuracy and efficiency. Huang and colleagues proposed an RF fingerprint extraction technique based on I/Q imbalance of orthogonal modulation signals [17], revealing the sources of RF fingerprints and their impact on signals, providing new insights for modulation domain physical layer security research. Brik V and team utilized PARADIS technology to capture minor defects in transmitter hardware manufacturing processes [18], providing identifiable emission signal features for each NIC, significantly enhancing identification accuracy and adapting well to environmental noise and channel variations. Peng L and colleagues from Southeast University used Constellation Trajectory Figure (CTF) RF fingerprint extraction technology to further enhance the access security of wireless devices [19]. This method allows RF fingerprints to be directly extracted from constellation diagrams without relying on prior knowledge of transmitted signal information, thereby improving the reliability and practicality of device identification.
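To make the I/Q imbalance idea concrete, the following sketch estimates gain and phase mismatch from complex baseband samples of a single tone. The moment-based estimator and the injected impairment values (g = 1.05, φ = 0.02 rad) are simplified assumptions for illustration, not the method of [17]:

```python
import numpy as np

def iq_imbalance(iq):
    """Estimate gain and phase imbalance from complex baseband samples
    (a simplified moment-based estimator)."""
    i, q = iq.real, iq.imag
    gain = np.sqrt(np.mean(i ** 2) / np.mean(q ** 2))
    phase = np.arcsin(np.mean(i * q) /
                      np.sqrt(np.mean(i ** 2) * np.mean(q ** 2)))
    return gain, phase

n = np.arange(4096)
tone = np.exp(1j * 2 * np.pi * (64 / 4096) * n)   # ideal single tone
g, phi = 1.05, 0.02                               # hypothetical hardware skew
impaired = (g * tone.real
            + 1j * (tone.real * np.sin(phi) + tone.imag * np.cos(phi)))
g_est, phi_est = iq_imbalance(impaired)
print(f"gain ~ {g_est:.3f}, phase ~ {phi_est:.4f} rad")
```

Because the mismatch is baked into the transmitter's analog front end, the recovered (gain, phase) pair is stable across transmissions and can serve as part of an RF fingerprint.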
Cross-environment device identification technologies leverage constellation trajectory figures together with channel fluctuations and noise-level changes to enhance system resilience and applicability. Carbino et al. extended the application of modulation domain methods [20, 21], using Constellation-Based Distinct Native Attribute (CB-DNA) fingerprints to enhance traditional MAC address-based authentication. They utilized natural fluctuations in wireless signals to generate unique device fingerprints, opening new avenues for network security enhancement. Peng et al. employed a mixed adaptive classification scheme based on constellation trajectory figures to improve the classification accuracy and robustness of ZigBee devices [22], demonstrating the effectiveness of modulation domain methods in resisting malicious device attacks.
In conclusion, current research focuses on adopting more advanced analysis methods, finer signal features, and more complex fusion technologies to achieve precise identification of wireless devices. However, these technological advancements also pose challenges. Accuracy of identification may be affected in complex and changing environmental conditions, necessitating further enhancement of system robustness and adaptability. Additionally, some advanced methods may have higher algorithmic complexity, leading to increased costs and reduced real-time performance. Balancing the efficiency and performance of these methods will be a key focus of future research.
Physical-layer secure authentication study
The core objective of physical-layer security solutions is to ensure the security and integrity of network systems by accurately distinguishing device identities. Researchers have employed mathematical models and statistical methods to deeply analyze device fingerprints, achieving precise classification of device identities. Various methods, from Generalized Relevance Learning Vector Quantization (GRLVQI) improvements to stochastic approximation methods and integrated classifiers, complement each other in exploring and utilizing the unique physical layer properties of signals.
(1) Traditional Machine Learning Methods
Traditional machine learning methods such as GRLVQI and Signal Learning Methods (LFS) have made significant advances in the field of Cognitive Radio (CR) network security. Harmer P K et al. emphasized the importance of reliable user authentication in dynamic networks [23], highlighting the role of physical layer properties in enhancing security. RF-DNA fingerprinting technology utilizes inherent emission differences in hardware devices and combines multiple discriminant analysis and maximum likelihood methods to achieve reliable device authentication. Despite limitations in feature selection optimization, these methods overcome these constraints by applying GRLVQI and LFS classifiers, providing more reliable RF environment assessment and PUE mitigation in CR networks.
On the other hand, stochastic approximation methods, particularly the Kiefer and Wolfowitz stochastic approximation method used by Steeneck et al. [24], offer a new path for optimizing the learning rate selection of GRLVQI neural networks. This method demonstrates superiority in quickly converging to high classification rates, especially in handling large datasets, significantly improving computational efficiency. Bihl et al. further enhanced the security of RF fingerprinting using multivariate stochastic approximation methods [25], particularly in supporting e-government applications for Wireless Personal Area Networks (WPANs), where improved GRLVQI classifiers achieved breakthroughs in high-fidelity classification.
The application of integrated classifiers provides another avenue to improve RF fingerprint recognition accuracy. Patel H J introduced non-parametric random forest and multi-class AdaBoost integrated classifiers into the field of RF-DNA fingerprint recognition [26], demonstrating enhanced ZigBee device authentication. This integrated approach not only enhances malicious suppression capability in noisy environments but also significantly improves device identification accuracy in low signal-to-noise ratio environments. Research by Zhang and team further confirmed the effectiveness of RF fingerprint recognition in wireless multimedia device security [27], effectively addressing new threats and challenges.
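A hedged sketch of the ensemble idea, using scikit-learn's random forest on synthetic RF-DNA-style statistical fingerprints. The feature dimensions, device count, and noise model are fabricated for illustration only:

```python
import numpy as np
from sklearn.ensemble import RandomForestClassifier

rng = np.random.default_rng(0)

# Synthetic RF-DNA-style statistical fingerprints (e.g. variance, skewness,
# kurtosis over signal regions) for three hypothetical devices.
centers = rng.uniform(-1.0, 1.0, (3, 9))
X = np.vstack([c + 0.1 * rng.standard_normal((60, 9)) for c in centers])
y = np.repeat([0, 1, 2], 60)

clf = RandomForestClassifier(n_estimators=50, random_state=0).fit(X, y)
acc = clf.score(X, y)
print(f"training accuracy: {acc:.2f}")
```

In practice the evaluation would use a held-out test set and noise levels matched to the deployment environment; the point here is only the shape of the pipeline: fingerprint vectors in, device labels out.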
(2) Deep Learning Methods
In the realm of RF fingerprint recognition and wireless security, deep learning methods have emerged as key drivers of technological advancement. Ding et al. proposed the Specific Emitter Identification (SEI) method [28], which uses deep learning to extract features of steady-state signals, particularly through bispectrum computation and supervised dimensionality reduction. They further compressed and identified the bispectra using convolutional neural networks (CNNs), demonstrating superiority over many existing technologies and showcasing the powerful capability of deep learning in extracting hidden features.
Zhao Caidan’s research focused on transfer learning for Internet-of-Things (IoT) devices [29], effectively addressing identification issues caused by changes in physical layer feature space over time and environmental changes. This method not only increases the number of target samples but also opens new paths for constructing multi-class transfer learning. Subsequently, the research group adopted an improved model based on Generative Adversarial Networks (OCC-GAN) [30], effectively solving the identification problem of unknown target categories, showing excellent performance in identification rate and data recall rate.
Merchant et al. demonstrated the application potential of deep learning in Cognitive Radio device identification by directly training CNNs using time-domain baseband error signals [31], proving robustness across a wide range of signal-to-noise ratios and achieving high identification accuracy.
Chatterjee proposed the concept of RF-PUF [32], combining physical unclonable functions with deep neural networks, providing a new framework for real-time authentication with high security and accuracy. Yu Jiabao’s Multi-Sampling CNN (MSCNN) and denoising autoencoder deep learning RFF recognition model significantly improved the accuracy and stability of RF fingerprint recognition in low signal-to-noise ratio scenarios [33, 34]. Liu et al. introduced the Deep Sparse Capsule Network [35], demonstrating the potential of deep learning in electromagnetic signal classification through automated hierarchical feature representation and optimized temporal costs.
These studies not only enhance the accuracy of identification and classification but also expand the application scope of RF identification technologies through new algorithms and models. As deep learning technologies continue to evolve and improve, we can anticipate more innovations and breakthroughs in RF fingerprint recognition and wireless security. However, despite the powerful feature extraction capabilities and adaptability of deep learning, it requires a large amount of annotated data for training and demands significant computational resources, which may not be suitable in situations with limited computational resources, such as in power gateways and edge networks.
Software fingerprint authentication technology
The terminal authentication technology based on software fingerprints refers to identifying IoT terminals by collecting software traffic characteristics related to browsers, wireless drivers, and other terminal-specific features. By gathering network traffic data and layering protocol information, basic communication details and behavioral attributes of network users can be derived. Depending on the collection method, current methods for terminal identification based on software fingerprints are classified into active and passive approaches.
The active method was initially introduced by Fifield et al., who used the enumerateFonts method to retrieve all fonts installed on a device and sorted them by the fontName property to create a device fingerprint. Eckersley et al. introduced the concept of entropy into device fingerprints. Subsequently, Laperdrix et al. found through their research that 90% of desktop device fingerprints and 81% of mobile device fingerprints were unique, corroborating Eckersley's findings. As the variety of JavaScript API interfaces increased, Starov et al. proposed using the list of installed extensions as a new entropy source, suggesting that installed browser extensions facilitate fingerprint recognition. In 2017, Ren Chunlin et al. proposed a method to extract specific device characteristics from the web management pages of a large number of IoT devices, enhancing the PU algorithm with positive sample feedback (FE-PU) to filter out IoT device types meeting certain criteria. They conducted an experiment on one million web management pages in cyberspace to identify types of video surveillance devices.
Passive device fingerprinting uniquely identifies devices by extracting features during device-server communication. Franklin et al. proposed a passive fingerprinting method capable of identifying different wireless drivers on network-connected devices with high detection accuracy. Corbett et al. used spectrum analysis techniques to identify wireless network cards, an approach that is not applicable to wired devices. Yang et al. summarized a series of statistical features by analyzing large volumes of network traffic. Subsequently, Kaushal Kumar et al. used Bayesian regularization and scaled conjugate gradient methods to generate device fingerprints from the Inter-Arrival Time (IAT) and Transmission Time (TT) of data packets.
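The IAT-based features mentioned above can be sketched as follows. The exact feature set used by Kaushal Kumar et al. is not specified here, so the statistics below are an illustrative assumption:

```python
from statistics import mean, pstdev

def iat_features(timestamps):
    """Inter-Arrival Time (IAT) statistics as a passive software-fingerprint
    feature vector (the feature set itself is illustrative)."""
    iats = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return {"iat_mean": mean(iats), "iat_std": pstdev(iats),
            "iat_min": min(iats), "iat_max": max(iats)}

# A device polling every ~100 ms with small driver-induced jitter
ts = [0.0, 0.101, 0.199, 0.302, 0.400, 0.501]
print(iat_features(ts))
```

Different drivers and firmware schedule transmissions with characteristically different jitter, which is why such timing statistics discriminate between devices without inspecting packet contents.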
Attack models for power gateways
Edge IoT refers to the specific application of edge computing in the IoT industry. As the “processor” at the edge of the electric power IoT, the power gateway integrates core capabilities of networking, computing, storage, and applications near physical or data sources. It provides nearby computation and intelligent services to meet basic needs such as real-time operations, smart applications, and security and privacy protection.
Due to the distance between the cloud and terminal devices (such as circuit breakers, meters, etc.) and users, placing computation in the cloud leads to issues like long network delays, network congestion, and decreased service quality, especially for high real-time computing demands. Terminal devices typically have limited computing capabilities compared to the cloud. In this context, edge IoT services have emerged to extend cloud computing and intelligent capabilities to edge nodes close to terminal devices, addressing these challenges.
However, despite the relative maturity of edge IoT technologies, research on their security is still in its early stages. Due to inherent vulnerabilities, attackers can infiltrate systems through network segments in covert and unpredictable ways. For example, attackers may disrupt packet coordination in the middle access control layer by injecting malicious software such as viruses and worms, or by compromising network components. Moreover, once attackers obtain encryption keys, they can illegally access monitoring centers and disrupt normal operations. This underscores that without adequate hardware or software security strategies, attackers can disrupt system dynamics at will or induce disturbances, making network attacks a major threat to edge IoT.
Currently, in edge IoT networks, power gateways face four main security threats: unauthorized information retrieval, node spoofing, malicious code attacks, and privacy breaches.
Unauthorized Information Retrieval: Attackers can capture various types of sensitive information stored in perception-layer terminals through physical capture or logical compromise of smart terminal and gateway devices using specialized tools.
Node Spoofing: Attackers can inject malicious code or information into the perception-layer field network system by forging or impersonating terminals or gateway devices. Additionally, by monitoring network transmission information, attackers can issue false routing information or replay previously sent data, leading to replay attacks, falsification of data, and other forms of attack.
Malicious Code Attacks: After gaining access through illegal or counterfeit terminals, attackers can launch Trojan horse, virus, and spam attacks, rendering smart terminals unusable or controlling them to mount denial-of-service attacks as part of a zombie network.
Privacy Breaches: Some smart terminals hold extensive personal data about their users, such as private records, browsing and usage habits, and location data. Attackers can use illegal or counterfeit terminals to attack smart terminals or obtain this information and conduct malicious user-behavior analysis.
Fusion of physical-layer fingerprints and behavioral fingerprints for authentication technique
In the process of constructing the smart grid for the Internet of Things (IoT) in the electric power sector, the significant increase in terminal devices provides great convenience to users, the power sector, and society. However, it also poses significant security risks to the power grid. Faced with a large number of IoT perception terminals, especially concerning the leakage of user information and data interaction with applications, identifying and allowing compliant terminal access while excluding illegal terminals have become core steps in constructing the electric power IoT. Existing boundary-based security protection systems have established a relatively complete security framework for the power system.
On this basis, this paper proposes an authentication technique that integrates physical layer fingerprints and behavioral fingerprints to enhance the recognition capability for smart power terminals. First, for the software fingerprint, packet features and statistical features extracted from network probes are combined with time-difference sequence features extracted directly from bypass (side-channel) monitoring to form the behavioral fingerprint of the device. Next, for the hardware fingerprint, fingerprint features are extracted from the preamble. Finally, an ensemble learning algorithm integrates the extracted behavioral fingerprint and physical layer fingerprint, achieving feature dimensionality reduction for smart power terminal device authentication.
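The fusion and dimensionality reduction step can be sketched as concatenation followed by PCA via SVD. The feature dimensions and sample counts are fabricated, and PCA here is a simplified stand-in for the ensemble-learning integration described in this paper:

```python
import numpy as np

def fuse_fingerprints(soft_fp, hard_fp, out_dim=4):
    """Concatenate per-device software and hardware fingerprint matrices,
    then reduce the fused features to `out_dim` dimensions with PCA (SVD)."""
    fused = np.hstack([soft_fp, hard_fp])
    centered = fused - fused.mean(axis=0)
    _, _, vt = np.linalg.svd(centered, full_matrices=False)
    return centered @ vt[:out_dim].T

rng = np.random.default_rng(1)
soft = rng.standard_normal((20, 6))   # e.g. packet + timing statistics
hard = rng.standard_normal((20, 10))  # e.g. preamble statistical features
reduced = fuse_fingerprints(soft, hard)
print(reduced.shape)
```

The reduced vectors would then be fed to the authentication classifier; keeping the projection low-dimensional is what makes the downstream matching cheap enough for gateway-class hardware.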
Fingerprint extraction based on behavioral patterns
Applications in networks exhibit distinct behavioral characteristics, which can be utilized as methods for traffic identification. Behavior-based traffic identification methods work by observing the connection behaviors of network applications to determine the type of application. This method does not require packet content but instead needs extensive offline traffic analysis, making it less suitable for real-time identification and practical use. Additionally, this method relies on the behavioral properties of application traffic, which may become obsolete as network applications evolve.
Each type of network application t_i can correspond to one or several behavior models p_i in a model set P. By identifying the characteristics exhibited by each flow or group of flows and mapping them to the set P, the application type t_i corresponding to the matched model can be determined.
Behavior-based classification methods analyze behaviors at three levels: social layer, functional layer, and application layer.
Social Layer: This layer mainly analyzes which IP addresses a host communicates with over a certain period. It requires only the source IP address and destination IP address from the flow.
Functional Layer: This layer assesses whether a host is a service provider or a service user. It requires the analysis of the source IP address, destination IP address, source port, and destination port.
Application Layer: This layer combines the results from the first two layers with the number and size of packets to infer the original application type. It requires an understanding of other flow characteristics to derive a representative flow-information model called a graphlet. A graphlet library is established, and classification proceeds by matching observed behaviors to graphlets.
Over time and with task changes, devices exhibit different network behaviors. IoT device traffic information also has global and regional characteristics. Here, we introduce two commonly used traffic features from these perspectives: packet features and statistical features. Packet features reflect local detail information of the traffic, while statistical features display the global information of the traffic.
(1) Packet Features
Network logic is generally divided into three layers: the network layer, the transport layer, and the application layer. The network layer collects all input data, and the transport layer securely and reliably transmits this collected information to the application layer via network communication technology. The data collection module gathers information from the network layer, transport layer, and application layer in cyberspace as raw data for feature extraction.
Packet Protocol Features: These are typical packet features that reflect the protocol information of the traffic. They focus on the application layer of the network, where different communication protocols are used depending on the service type.
For example, Table 1 shows 14 protocols involved in the use of IoT devices, including consumer IoT protocols and cross-industry IoT protocols. The packet protocol characteristics of a device can be represented as a vector (http, https, ssh, ftp, rtsp, telnet, raw, snmp, onvif, dns, nfs, dhcp, tftp, pop). The encoding rule is: if a protocol listed in Table 1 is present in the device's packets, the corresponding element is marked as 1; otherwise it is marked as 0.
Table 1. Packet protocol
| Type | Application layer protocol (ALP) |
|---|---|
| TCP-based | http, https, ssh, ftp, rtsp, telnet, raw |
| UDP-based | snmp, onvif, dns, nfs, dhcp, tftp, pop |
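The encoding rule above can be sketched as follows; the protocol order follows Table 1, and the observed-protocol set in the example is hypothetical:

```python
# Packet-protocol feature vector: 1 if the protocol appears in the
# device's traffic, 0 otherwise, in the fixed Table 1 order.
PROTOCOLS = ["http", "https", "ssh", "ftp", "rtsp", "telnet", "raw",
             "snmp", "onvif", "dns", "nfs", "dhcp", "tftp", "pop"]

def encode_protocol_vector(observed: set[str]) -> list[int]:
    """Encode the set of protocols observed for a device as a 0/1 vector."""
    return [1 if p in observed else 0 for p in PROTOCOLS]

# Example: a camera-like device speaking HTTP, RTSP, ONVIF, DNS and DHCP.
vec = encode_protocol_vector({"http", "rtsp", "onvif", "dns", "dhcp"})
print(vec)  # → [1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0]
```

The fixed ordering keeps vectors from different devices directly comparable.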
(2) Statistical characteristics
Traffic statistical features reflect the traffic profile of IoT devices performing network behavior. Statistical features of traffic are widely used in anomaly detection. Table 2, for example, lists the statistical traffic characteristics of several typical IoT devices.
Table 2. Statistical traffic features
| Type | Name | Connotation |
|---|---|---|
| Stream feature | Stream duration | Average flow duration of the device |
| | Flow interval | Average time between streams |
| | Turnover rate | Number of packets transmitted by the device per second |
| | Rate of flow of bytes | Number of bytes of packets transmitted by the device per second |
| | Download/upload ratio | Ratio of downloaded to uploaded packets |
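A minimal sketch of computing the Table 2 statistics from per-flow records; the flow records, field names, and example values are hypothetical:

```python
# Compute the Table 2 traffic statistics from a list of flow records.
# Each record carries duration (s), start time (s), packet count,
# byte count, and downloaded/uploaded packet counts.

def flow_statistics(flows):
    durations = [f["duration"] for f in flows]
    starts = sorted(f["start"] for f in flows)
    total_time = sum(durations)
    return {
        "mean_flow_duration": sum(durations) / len(flows),
        "mean_flow_interval": (
            sum(b - a for a, b in zip(starts, starts[1:])) / (len(starts) - 1)
        ),
        "packet_rate": sum(f["packets"] for f in flows) / total_time,  # pkt/s
        "byte_rate": sum(f["bytes"] for f in flows) / total_time,      # B/s
        "down_up_ratio": sum(f["down"] for f in flows) / sum(f["up"] for f in flows),
    }

flows = [
    {"duration": 2.0, "start": 0.0, "packets": 20, "bytes": 3000, "down": 15, "up": 5},
    {"duration": 4.0, "start": 10.0, "packets": 40, "bytes": 9000, "down": 30, "up": 10},
]
stats = flow_statistics(flows)
print(stats["mean_flow_duration"])  # → 3.0
print(stats["down_up_ratio"])       # → 3.0
```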
Physical layer fingerprinting in HPLC environment
In power systems, physical layer security holds significant advantages when addressing the aforementioned attack models. The physical layer, being the lowest layer in the OSI reference model, is primarily responsible for establishing, managing, and releasing physical connections through transmission media, enabling transparent transmission of bitstreams. In the communication environment of power gateways, the physical layer transmits signals via power lines using the HPLC protocol, which falls under the category of physical layer protocols for broadcast communication lines.
The main advantage of physical layer security lies in its inherent characteristics. Features of the physical layer, such as signal properties, electromagnetic radiation, and hardware noise, are intrinsic and not easily replicated or mimicked. This effectively addresses identity spoofing issues that are challenging to resolve in software security solutions. Moreover, physical layer authentication techniques utilize the inherent properties of hardware for identity verification. This technique not only has low maintenance costs but also adapts well to the distributed and decentralized environment of power gateways and edge IoT systems. Its verification process is rapid and consumes minimal resources, making it suitable for resource-constrained devices.
Before extracting device fingerprints, it is crucial to determine the signal acquisition location, namely the signal identifier. The frame structure of the physical layer for the two communication methods is introduced, laying the foundation for subsequent signal identifier positioning. In security technology research, this method is mainly used for clustering during legitimate fingerprint generation, reducing the impact of periodic noise on fingerprint extraction.
In the high-speed power line communications (HPLC) system of power gateways, physical layer authentication technology relies on the unique fingerprint characteristics of devices. This technology collects signals transmitted over power lines and analyzes their characteristics in real-time to identify the source device based on the embedded device fingerprints. The effectiveness of this method is based on two premises: first, the fingerprint characteristics of the device remain unaffected by the device’s behavior; even if the device’s data output or behavior pattern changes, its fingerprint remains constant. Second, the fingerprint must exhibit identifiable differences in attenuation and reflection characteristics within the signal’s operating frequency band.
This study first analyzes the frame structure and physical layer protocol of power line carrier signals to determine the extraction position and acquisition scheme for device fingerprints. Subsequently, by deriving the amplitude-frequency characteristics of the power line network, the study digitally models the device fingerprints and conducts a theoretical analysis of the differences between various device fingerprints.
Signal identifier extraction for HPLC devices
In order to reduce the impact of changes in device data output or behavioral patterns on fingerprint features, we need to extract as stable a segment of data as possible from a device’s physical layer signals. In this section, we will explore the common parts in the physical layer signals of different devices and extract unique identifiers from them based on the high-speed power line carrier communication protocol.
High-speed power line carrier communications
Power Line Communication (PLC) technology enables data transmission by superimposing high-frequency signals on power transmission lines without affecting the transmission function of electrical energy. This technology enables power lines to carry both electrical energy and data signals, dramatically increasing the efficiency of the use of existing power infrastructure and reducing the cost of establishing new communication networks [36]. PLC technology integrates the power network with the data network, providing the basis for applications such as smart grids and smart homes.
In power line carrier communication systems, data signals need to be modulated first, superimposing the low-frequency data signal onto a high-frequency carrier to suit the transmission environment of power lines. Commonly used modulation techniques include frequency-shift keying (FSK), phase-shift keying (PSK), and quadrature amplitude modulation (QAM), which help to improve bandwidth utilization. Modulated high-frequency signals may be affected by electromagnetic interference, signal reflection, and attenuation during transmission over power lines. After the signal has been transmitted to its destination, demodulation is performed at the receiving end to recover the original data signal, and processing such as filtering, gain control, and error detection and correction is performed to improve the accuracy and reliability of data transmission.
Multi-user communication in a power line carrier communication network is managed through network protocols and access control mechanisms such as Carrier Sense Multiple Access with Collision Detection (CSMA/CD) or Time Division Multiple Access (TDMA). These mechanisms ensure that each node in the network transmits and receives data at the appropriate time, thus improving network performance.
The high-speed power line carrier communication technology used in this paper is suitable for power IoT environments and complies with the Technical Specification for Low Voltage Power Line Broadband Carrier Communication Interconnection. The HPLC used in the power gateway adopts orthogonal frequency division multiplexing (OFDM) technology, which is a significant improvement over the traditional carrier technology with a fixed single frequency point and simple modulation method.
In OFDM technology, the operating bandwidth is typically divided into hundreds or even thousands of mutually orthogonal subcarriers, as shown in Fig. 1. At the sampling point of any given subcarrier, the components of all other subcarriers are zero; although the spectra overlap, the value read at each subcarrier's sampling frequency is a valid signal, which enables the system bandwidth to be used effectively. The data are mapped onto all subcarriers in the frequency domain after forward error correction (FEC) coding and interleaving, and subsequently converted to the time domain for simultaneous transmission, at which point the signal is as shown in Fig. 2.
[See PDF for image]
Fig. 1
OFDM subcarrier spectrum
[See PDF for image]
Fig. 2
Ideal case HPLC signal time-domain plot
At the receiving end, the time-domain signal is first converted back to the frequency domain, and the data are recovered through demodulation, de-interleaving, and decoding in the frequency domain. OFDM's signal processing shows several advantages in harsh channel environments, including an inherent ability to adapt to frequency-selective channels. Because the OFDM data are spread over a large number of subcarriers, the combination of FEC coding and interleaving makes it possible to receive the entire packet correctly even if individual subcarriers suffer errors due to fading or interference; the signal at the receiving end is shown in Fig. 3. These interferences, along with the effects of the internal circuitry of the signal-generating equipment, leave a fingerprint on the signal, which can be exploited to generate its unique identity.
[See PDF for image]
Fig. 3
Receiver-side HPLC signal time-domain plot
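The IFFT/FFT round trip at the heart of OFDM can be illustrated in a few lines; the subcarrier count and QPSK data below are illustrative, not the HPLC parameters:

```python
# Minimal OFDM sketch: map QPSK symbols onto subcarriers, IFFT to the
# time domain, then FFT at the receiver to recover them, illustrating
# the subcarrier orthogonality described above.
import numpy as np

rng = np.random.default_rng(0)
N = 64                                     # subcarriers (illustrative)
bits = rng.integers(0, 2, size=(N, 2))
qpsk = ((1 - 2 * bits[:, 0]) + 1j * (1 - 2 * bits[:, 1])) / np.sqrt(2)

tx = np.fft.ifft(qpsk) * N                 # time-domain OFDM symbol
rx = np.fft.fft(tx) / N                    # receiver returns to frequency domain

assert np.allclose(rx, qpsk)               # each subcarrier recovered exactly
print(np.max(np.abs(rx - qpsk)) < 1e-12)   # → True
```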
HPLC data frame structure
The HPLC data frame consists of a leading segment, an address field, a control code, and a data field, as shown in Table 3. Together, these components build the framework for communication.
Table 3. HPLC data frame format
| Leading section | Address field | Control code | Data domain |
|---|---|---|---|
| 0x68 | A0–A5 | 1 byte | 1 byte |
Leading Segment: The leading segment has an important synchronization role in HPLC frames and is used to help the receiving device correctly identify and locate the start of the frame. The lead-in segment usually consists of a specific sequence that is used for frame synchronization to ensure that the receiving device can accurately parse the data that follows. This helps to capture and identify HPLC frames efficiently.
Address Field: The address field is used to identify the target device or group for the frame. It contains information about the destination to which the packet is sent, ensuring that the data are properly routed to the target device. This field usually includes the unique identifier of a device or of a device group, so that devices in the network can correctly identify and process the frame.
Control Code: The Control Code field contains information about the operation and control of the frame. This information can indicate the type of frame, request, response, acknowledgment, or other control operation. Control codes are critical in defining the behavior of a communication protocol because they determine how the frame operates.
Data Field Length: The Data Field Length field indicates the length of valid data contained in the data field. This helps the receiving device parse the data correctly and determine the amount of information contained in the frame. The data field usually contains the actual data being transmitted, such as commands, configuration information, or sensor readings.
In HPLC communication, devices communicate with each other in a master–slave mode. The master acts as a center for controlling and directing the data transfer, sending master request frames to the target device to trigger a specific operation or to obtain information. When the target device receives the request, it generates a slave answer frame and sends it back to the master to respond to the request or provide the required data.
The physical layer signals of the HPLC receive input from the data link layer at the transmitter side. The physical layer uses two separate links to process frame control data and load data, respectively. The frame control data is processed through Turbo coding, channel interleaving and frame control diversity copy; the load data is scrambled, Turbo coded, channel interleaved and load diversity copy processed, and then mapped with the frame control data to the constellation points. The mapped data is processed by IFFT and a cyclic prefix is added to form OFDM symbols. The physical layer signal with the addition of the leading symbols and windowing is fed to the analogue front end and finally sent out over the power line channel.
The signal consists of the leading code, frame control, and load data. The preamble is a periodic sequence, while the frame control and load data use 512 carriers per symbol. The guard intervals for the symbols include those for the frame control, those for the 1st and 2nd symbols of the load data, and those for the 3rd and subsequent symbols of the load data.
Theoretically, the leading code portion of the HPLC signal is easy to capture and will not be affected by data variations, and in this paper, we will demonstrate the leading code properties in the identifier extraction of the device fingerprint.
Extraction of signal identifiers by leading codes
Analysis of the data frame shows that the length of the signaling segment is recorded in the length field of the physical layer header. The physical layer uses the value of this field to determine the number of bits transmitted between the MAC layer and the physical layer. In addition, information such as the data transmission rate, modulation method, and coding rate is stored in the rate bit field of the physical layer header, so that the contents of the signal segment and the data segment are subject to change depending on the actual data contents transmitted and the transmission rate.
Although devices communicating with each other using power line carriers usually have the same data rate, modulation method, and coding rate, the data frames vary due to the different addresses and behaviors of each device. In order to minimize the impact of these differences on device fingerprinting, we should find as many consistent parts of the signal frames as possible for extraction. When analyzing the signal composition of HPLC frames, we found that the leading code of the signal is used in the physical layer to identify the starting point of the signal. If the definition of the leading code is consistent across devices, we can extract the part we need. The leading code portion of the data frame is shown in Fig. 4:
[See PDF for image]
Fig. 4
HPLC data frame leading code structure
The preamble consists of 10.5 SYNCPs and 2.5 SYNCMs. SYNCP is defined in the frequency domain as:
1
$$X(k) = \begin{cases} e^{j\varphi_k}, & k \in C \\ 0, & k \notin C \end{cases}$$
where C is the set of available carriers and, in this paper, N is taken as 1024. Also, the IFFT is given as:
2
$$x(n) = \frac{1}{N}\sum_{k=0}^{N-1} X(k)\, e^{j2\pi kn/N}, \quad n = 0, 1, \ldots, N-1$$
Substituting the definition of X(k) gives the retrieved signal:
3
$$x(n) = \frac{1}{N}\sum_{k \in C} e^{j\varphi_k}\, e^{j2\pi kn/N}$$
from which:
4
$$\mathrm{SYNCP}(n) = \mathrm{Re}\{x(n)\}$$
That is, SYNCP is obtained by taking the real part of the IFFT of X(k), and SYNCM = −SYNCP. The 0.5 SYNCP at the beginning of the preamble is the second half of SYNCP, and the final 0.5 SYNCM is the first half of SYNCM. From the above definition, the leading code of each data frame is determined by X(k), which in turn is determined by the carrier set C; that is, SYNCP is determined by the subcarriers and is independent of the data portion. Devices communicating on an HPLC line use the same subcarriers, so even though different devices send different interaction data, they still share the same leading code field. When analyzing the device fingerprint, the leading code field is intercepted from the signal as an identifier for the signals of different devices; only by analyzing the characteristics of this segment can it be ensured that the device fingerprint is not disturbed by the differing behaviors of the devices. Therefore, device fingerprints can be used to identify different devices and to verify device access.
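As a minimal numerical sketch of the SYNCP construction in Eqs. (1)–(4): place unit-magnitude phasors on the carrier set, take the IFFT, and keep the real part. The carrier set C and phase table φ_k below are illustrative placeholders, not the values fixed in the HPLC specification:

```python
# Sketch of SYNCP generation: frequency-domain definition, IFFT,
# real part. SYNCM is simply the negated SYNCP.
import numpy as np

N = 1024
C = np.arange(80, 320)                    # hypothetical usable-carrier set
phi = np.linspace(0, 2 * np.pi, len(C))   # hypothetical phase table

X = np.zeros(N, dtype=complex)            # Eq. (1): phasors on carriers in C
X[C] = np.exp(1j * phi)

syncp = np.real(np.fft.ifft(X))           # Eqs. (2)-(4): real part of IFFT
syncm = -syncp                            # SYNCM = -SYNCP

print(syncp.shape)  # → (1024,)
```

Because the construction depends only on the carrier set and phases, not on any payload, every frame from every device on the line carries the same leading code, which is what makes it usable as a stable identifier.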
Fingerprint extraction based on identifier frequency domain
According to the State Grid Corporation's "Functional Specification of Electricity Consumption Information Collection System", the technical specifications on carrier communication for the electricity consumption information collection system, and the carrier-communication requirements of each network and provincial company for carrier energy meters and collectors, the scheme's working bandwidth contains 240 OFDM subcarriers; the carrier-channel bit rate in QPSK continuous mode (the user data rate) and the average data rate in the IF zero-crossing transmission mode are specified by the same documents.
In the physical-layer analysis of the HPLC signal, we know that the preamble of an OFDM signal frame consists of 10.5 SYNCPs and 2.5 SYNCMs, where each symbol has 1024 samples. According to the physical layer protocol, the HPLC signal frame is generated at the clock sample rate $f_{\mathrm{clk}} = 25\,\mathrm{MHz}$, so each SYNCP symbol has a duration of
5
$$T_{\mathrm{SYNCP}} = \frac{N}{f_{\mathrm{clk}}} = \frac{1024}{25\,\mathrm{MHz}} = 40.96\,\mu\mathrm{s}$$
In the physical-layer authentication technique for high-speed power line carrier devices, the sampling rate of the acquisition device is $f_s = 15.625\,\mathrm{MHz}$, at which each SYNCP symbol spans
6
$$N_s = T_{\mathrm{SYNCP}} \cdot f_s = 40.96\,\mu\mathrm{s} \times 15.625\,\mathrm{MHz} = 640$$
sampling points of the acquisition device.
The first 10.5 symbols of the leading frame are SYNCPs. To extract the "fingerprint" of the device from the amplitude-frequency characteristics of SYNCP, during signal acquisition, after the signal collector is triggered, ten consecutive symbol signals are intercepted starting 160 positions after the trigger position, i.e., a total of 6400 points from position 161 to position 6560 after the trigger. Averaging these ten symbols yields a relatively stable SYNCP symbol. Applying the FFT to this symbol gives the frequency response curve shown in Fig. 5, and the values of this interval are used as the fingerprint feature vector of the current communication equipment in the actual working environment.
[See PDF for image]
Fig. 5
Frequency-domain waveform of a SYNCP
With the fingerprint feature vectors standardized, the fingerprint feature vectors of the different devices communicating on the power line are repeatedly collected during the model training phase, and the mean of each device's vectors is taken to generate that device's model features. The set of all model features constitutes a whitelist, which is compared for similarity against the collected signal features during real-time authentication, thus performing identity recognition and authentication.
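The acquisition and averaging procedure described above can be sketched as follows; the random `capture` array is a stand-in for a real acquired trace:

```python
# Fingerprint pipeline: starting 161 samples after the trigger, slice
# ten 640-sample SYNCP symbols (6400 points total), average them, and
# take the FFT magnitude as the device's feature vector.
import numpy as np

FS_POINTS = 640      # samples per SYNCP at the 15.625 MHz acquisition rate
N_SYMBOLS = 10
OFFSET = 160         # skip the first 160 points after the trigger

def syncp_fingerprint(capture: np.ndarray) -> np.ndarray:
    segment = capture[OFFSET:OFFSET + N_SYMBOLS * FS_POINTS]
    symbols = segment.reshape(N_SYMBOLS, FS_POINTS)
    mean_symbol = symbols.mean(axis=0)        # a stable averaged SYNCP
    return np.abs(np.fft.fft(mean_symbol))    # amplitude-frequency feature

rng = np.random.default_rng(1)
capture = rng.normal(size=10_000)             # stand-in for a real trace
fp = syncp_fingerprint(capture)
print(fp.shape)  # → (640,)
```

During training, repeating this extraction per device and averaging the resulting vectors would produce the whitelist model features described in the text.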
Behavioral and physical layer fingerprint feature fusion and dimensionality reduction
Due to the complexity of distributed resource aggregation and regulation services in heterogeneous networks, the traffic features obtained in software fingerprint extraction tend to be complex and only loosely bound to the terminal, while hardware fingerprints are easily affected by the signal transmission environment. Compared with a single software or hardware fingerprint, fusing hardware and software features has clear advantages.

First, fusion increases the security of authentication. If only one feature type is relied upon, an attacker may specifically target the weaknesses of that type; fusing multiple feature types makes an attack harder because both software and hardware features must be defeated. Fusion also reduces the risk of device forgery: relying only on hardware features invites hardware cloning, whereas fused software features make it harder to pass off a forged device as the real one, since the software features are in effect protected by the hardware features. In addition, fusion increases the robustness of the authentication system: even if one feature is damaged or unavailable, the remaining features can still support authentication, improving system availability.

Therefore, fusing the hardware and software fingerprint features of a device helps achieve highly accurate security authentication. In view of this, this paper designs a fusion of the extracted device software and hardware fingerprints based on ensemble learning algorithms, while also applying feature dimensionality reduction, for identity authentication of electric power intelligent terminal devices.
Fusing the software and hardware features of a device increases the amount of data, and an excessively high feature dimension may degrade the classification performance used to identify the terminal; in view of this, feature dimensionality reduction must be introduced. Feature dimensionality reduction is an important concept in machine learning and data analytics that aims to reduce data dimensionality while retaining the key information in the data. This helps reduce computational cost, suppress noise, improve model performance, and make visualization more feasible. It is usually achieved by two main methods: feature selection and feature extraction.
(1) Feature Selection
Feature selection is the process of selecting a subset of features from the original feature set as the final feature set, in order to preserve the key information of the data while reducing noise and redundant information. It helps improve model performance, reduce computational cost, and improve interpretability. Feature selection is based on the relevance of features to the goal and on their redundancy. Based on relevance and redundancy, feature subsets are classified into four types:
(1) noisy and irrelevant, (2) redundant and weakly correlated, (3) weakly correlated and non-redundant, and (4) strongly correlated.
Weakly relevant features are not always necessary for the optimal subset; whether they are needed may depend on certain conditions. Irrelevant features need not be included at all: features that are not required for predictive accuracy are called irrelevant. The relevance of a feature is measured from the characteristics of the data rather than from its raw values; statistical measures can reveal the relationship between features and their importance. Redundant features are weakly relevant features that can be completely replaced by a set of other features without disturbing the target distribution. Redundancy is therefore always checked in the multivariate case (when examining a subset of features), while relevance is established for individual features. The harm done by irrelevant and redundant features stems not from the information they carry but from their lack of statistical relation to the other features; moreover, a feature may be uncorrelated on its own yet become relevant in combination with other features. A strongly relevant feature is always necessary for the optimal feature subset; it cannot be removed without affecting the original conditional target distribution.
In summary, the aim of feature selection is to maximize relevance and minimize redundancy.
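To make the relevance-versus-redundancy trade-off concrete, here is an illustrative greedy filter that scores each candidate feature by its absolute correlation with the target minus its mean absolute correlation with already-selected features. This is a generic sketch in the spirit of the discussion above, not the paper's specific algorithm, and the data are synthetic:

```python
# Greedy relevance-minus-redundancy feature selection (illustrative).
import numpy as np

def greedy_select(X, y, k):
    n_feat = X.shape[1]
    # Relevance: |correlation| of each feature with the target.
    relevance = np.array([abs(np.corrcoef(X[:, j], y)[0, 1]) for j in range(n_feat)])
    selected = [int(np.argmax(relevance))]
    while len(selected) < k:
        scores = []
        for j in range(n_feat):
            if j in selected:
                scores.append(-np.inf)
                continue
            # Redundancy: mean |correlation| with features already chosen.
            redundancy = np.mean([abs(np.corrcoef(X[:, j], X[:, s])[0, 1])
                                  for s in selected])
            scores.append(relevance[j] - redundancy)
        selected.append(int(np.argmax(scores)))
    return selected

rng = np.random.default_rng(2)
y = rng.normal(size=200)
X = np.column_stack([y + 0.1 * rng.normal(size=200),   # strongly relevant
                     y + 0.1 * rng.normal(size=200),   # redundant copy of it
                     rng.normal(size=200)])            # irrelevant
print(greedy_select(X, y, 2))
```

The first pick maximizes relevance; subsequent picks are penalized for overlapping with what is already selected, directly implementing "maximize relevance, minimize redundancy".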
(2) Feature Extraction
Feature extraction converts the original features into a new feature set through a linear or nonlinear transformation, reducing the data dimensionality while retaining as much information as possible. In principal component analysis, the principal components of the data are first found and the whole dataset is projected onto them to reduce dimensionality: a linear transformation maps the original features into a new coordinate system, whose axes serve as the principal components. The procedure is as follows:
First, the raw data are standardized so that each feature has mean 0 and variance 1. This is done by subtracting the mean and dividing by the standard deviation. The column mean is calculated first:
7
$$\mu_j = \frac{1}{n}\sum_{i=1}^{n} x_{ij}$$
The standard deviation $S_j$ of each column is then calculated, and the processed data are obtained as:
8
$$a_{ij} = \frac{x_{ij} - \mu_j}{S_j}$$
For the resulting dataset, the covariance matrix is calculated by the following formula:
9
$$\mathbf{C} = \frac{1}{n-1}\mathbf{A}^{\mathsf{T}}\mathbf{A}$$
where n is the number of samples and A is the normalized data matrix with each column representing a feature. The resulting covariance matrix is then eigendecomposed to obtain the eigenvectors corresponding to the eigenvalues, and the eigenvectors corresponding to the top k eigenvalues, ranked by eigenvalue contribution, are selected as the principal components:
10
$$\mathbf{C}\mathbf{v}_k = \lambda_k \mathbf{v}_k$$
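The standardization (Eqs. 7–8), covariance (Eq. 9), eigendecomposition (Eq. 10), and projection steps can be sketched with NumPy; the fused fingerprint matrix here is random stand-in data:

```python
# PCA dimensionality reduction following Eqs. (7)-(10).
import numpy as np

def pca_reduce(X: np.ndarray, k: int) -> np.ndarray:
    A = (X - X.mean(axis=0)) / X.std(axis=0, ddof=1)   # Eqs. (7)-(8)
    C = A.T @ A / (A.shape[0] - 1)                     # Eq. (9): covariance
    eigvals, eigvecs = np.linalg.eigh(C)               # Eq. (10)
    top = eigvecs[:, np.argsort(eigvals)[::-1][:k]]    # top-k components
    return A @ top                                     # project the data

X = np.random.default_rng(3).normal(size=(100, 20))    # stand-in fused features
Z = pca_reduce(X, 5)
print(Z.shape)  # → (100, 5)
```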
Finally, the original data are projected onto the selected principal components to obtain the dimensionality-reduced dataset. This serves as the fused hardware-and-software fingerprint feature, after which the subsequent classification and authentication stage is performed.
Multi-similarity authentication model based on fused fingerprints
After extracting the fused device fingerprints, this paper proposes a multi-similarity authentication model for identity authentication. The model maintains high authentication efficiency by integrating the judgments of three metrics while remaining lightweight.
Similarity indicators
The processed signal features can be regarded as a polyline, so the signal feature curve under test can be classified by comparing it with the model curve. For this classification, feature similarity is computed using the following three geometric metrics, yielding quantitative similarity measures that provide a basis for judgment in the multi-similarity authentication model and allow easy invocation by other systems and overall evaluation [37].
The Euclidean metric (also known as Euclidean distance) is a commonly adopted definition of distance: the true distance between two points in m-dimensional space, or the natural length of a vector (i.e., the distance from that point to the origin). In 2D and 3D space, the Euclidean distance is the actual distance between two points. Since a signal's feature vector is a point in the space of its feature dimensions, the similarity between a signal feature and a model feature can be judged using the Euclidean distance.
The formula for the distance between two points in two-dimensional space is:
11
$$d = \sqrt{(x_2 - x_1)^2 + (y_2 - y_1)^2}$$
For feature dimension K, the similarity between a signal feature F and a model feature M can be expressed as:
12
$$d(F, M) = \sqrt{\sum_{k=1}^{K}(F_k - M_k)^2}$$
Cosine Similarity is a metric that evaluates the similarity of the directions of two vectors in a multidimensional space. Based on the vector space model (or the Euclidean space model in physical space), it determines the similarity between two vectors by measuring the cosine of the angle between them. The value of cosine similarity ranges from −1 to 1: it is 1 when the directions of the two vectors are exactly the same, −1 when their directions are exactly opposite, and 0 when the two vectors are unrelated, i.e., the angle between them is 90 degrees. The formula for cosine similarity is:
13
$$\cos\theta = \frac{\mathbf{A}\cdot\mathbf{B}}{\|\mathbf{A}\|\,\|\mathbf{B}\|}$$
where A and B are two vectors, the numerator denotes the inner product of A and B, and ‖A‖ and ‖B‖ denote the moduli of A and B, respectively. Intuitively, the formula largely eliminates the effect of vector length, so cosine similarity reflects the difference in direction. When the angle is 0, the two vectors point in the same direction, corresponding to the highest similarity, and the cosine value is 1.
When the angle is 90°, the two vectors are perpendicular and the cosine is 0.
When the angle is 180°, the two vectors are opposite and the cosine is −1.
SSIM (structural similarity) is a metric used to assess image and video quality, which is widely used in the fields of image processing and computer vision. SSIM is mainly used to measure the structural similarity between two images, i.e., the extent to which they are perceptually similar, which is more in line with the characteristics of the human visual system compared to the traditional image quality assessment methods. Traditional image quality assessment methods (e.g., mean square error) only consider the difference in image brightness and ignore the sensitivity of the human eye to structural information.
SSIM compares the brightness, contrast and structural information of the corresponding blocks in the original and distorted images by dividing the images into non-overlapping chunks.
Given two images x and y, their structural similarity is derived as follows:
14
$$\mathrm{SSIM}(x,y) = \frac{(2\mu_x\mu_y + C_1)(2\sigma_{xy} + C_2)}{(\mu_x^2 + \mu_y^2 + C_1)(\sigma_x^2 + \sigma_y^2 + C_2)}$$
where $\mu_x$ and $\mu_y$ are the means, $\sigma_x^2$ and $\sigma_y^2$ are the variances, and $\sigma_{xy}$ is the covariance of x and y. $C_1 = (K_1 L)^2$ and $C_2 = (K_2 L)^2$ are constants used to maintain stability, L is the dynamic range of the pixel values, $K_1$ = 0.01, and $K_2$ = 0.03. Structural similarity ranges from −1 to 1, and SSIM equals 1 when the two images are identical.
As an implementation of structural similarity theory, the structural similarity index (SSIM) defines structural information, from the perspective of image composition, as a property that reflects the structure of objects in a scene, independent of luminance and contrast. SSIM models distortion as a combination of three factors: luminance, contrast, and structure. Specifically, the mean is used as an estimate of luminance, the standard deviation as an estimate of contrast, and the covariance as a measure of structural similarity. Since the comparison here is between the structural similarity of the feature curves, only the covariance portion is used; after normalization, the comparison of $(x-\mu_x)/\sigma_x$ and $(y-\mu_y)/\sigma_y$ can be measured by the correlation coefficient:
15
$$s(x,y) = \frac{\sigma_{xy} + C_3}{\sigma_x \sigma_y + C_3}$$
where $C_3 = C_2/2$.
Multi-similarity authentication model
For the above three similarity measures: Euclidean distance directly calculates the actual distance between two points in multidimensional space, so it reflects the magnitude relationship of device fingerprints. Cosine similarity focuses on the direction of two vectors rather than their magnitude, so it reflects the trend of device fingerprints. The SSIM algorithm is a composite similarity metric that considers the brightness, contrast, and structural information of an image, which is closer to the human eye's subjective perception of image quality. The hybrid geometric similarity judgment method (HG-SJM) combines the three metrics to judge the identity of signals captured in real time; with a legal similarity threshold set for each method, the judgment proceeds in three steps:
The three metrics are each used to compare the similarity between the real-time captured device signal features and the whitelisted fingerprint library, yielding one similarity array per metric, where n indexes the devices in the fingerprint library.
For each metric, find the maximum similarity value and the device fingerprint serial number n to which it corresponds.
Select the device whose serial number n is returned by the majority of the three methods; this device is taken as the source of the currently captured signal.
With these three similarity measures, different aspects of the device features can be emphasized: Euclidean distance focuses on the absolute difference of the values, cosine similarity on the relative relationship of the features, and the SSIM algorithm on structurally relevant features. Using multiple similarity measures makes it possible to understand and compare the similarities and differences of device fingerprints more comprehensively, thus improving the fingerprint recognition rate.
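The three-step HG-SJM procedure above can be sketched in Python. The mapping of Euclidean distance into a similarity score and the majority-vote rule for the final selection are assumptions, since the text does not fix them explicitly; the correlation coefficient stands in for the structure-only SSIM term:

```python
import numpy as np

def euclidean_sim(x, y):
    # Map distance into (0, 1]: 1 means identical feature vectors.
    return 1.0 / (1.0 + np.linalg.norm(x - y))

def cosine_sim(x, y):
    return float(np.dot(x, y) / (np.linalg.norm(x) * np.linalg.norm(y)))

def structural_sim(x, y):
    # Normalized-covariance (structure) term of SSIM, i.e. the
    # correlation coefficient of the two feature vectors.
    return float(np.corrcoef(x, y)[0, 1])

def hg_sjm(signal, whitelist):
    """Return the whitelist index that a majority of the three metrics
    agree on, or None when all three disagree."""
    votes = []
    for metric in (euclidean_sim, cosine_sim, structural_sim):
        sims = [metric(signal, fp) for fp in whitelist]
        votes.append(int(np.argmax(sims)))       # step 2: best match
    counts = {v: votes.count(v) for v in votes}
    best = max(counts, key=counts.get)           # step 3: majority vote
    return best if counts[best] >= 2 else None
```

A per-metric legality threshold, as described above, could be added by rejecting a vote whose maximum similarity falls below the threshold.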
Experimentation
Experimental environment
The core of this system is the non-intrusive authentication module, which connects to the bus of the power system network. It demodulates and identifies real-time signals such as HPLC signals and determines the legal or illegal status of a device based on the analysis of extracted device fingerprints. The normal pathway for terminal device access to the integrated terminal involves connecting the terminal to the bus network. The system’s authentication module passively monitors the terminal signals, analyzes their physical layer fingerprints and behavioral fingerprints, and then transmits this analysis to the continuous trust evaluation module and the dynamic access control module, finally reaching the upper server through the secure gateway. When an attacking device connects to the bus, the non-intrusive authentication module captures the signal from the device and generates its device and behavioral fingerprints. The continuous trust evaluation module identifies it as an untrusted device and informs the dynamic access control module to blacklist the device. The structure of the experiment is shown in Fig. 6, and the actual test environment is shown in Fig. 7.
[See PDF for image]
Fig. 6
Experimental architecture diagram
[See PDF for image]
Fig. 7
Experimental environment
Regarding the device signal acquisition method in the experiment: signals in power line communication are usually transmitted in 220 V or even higher-voltage power systems to meet the needs of remote monitoring and automation, whereas common lightweight acquisition devices usually only work in low-voltage environments below 20 V. To acquire signals effectively in a high-voltage environment, a filter circuit module must be inserted. Since the OFDM signal on the power line occupies only a very small frequency band, the filter circuit effectively blocks the low-frequency component of the AC power and passes only the OFDM signal emitted by the device. The signal strength is thereby reduced to a range the acquisition device can capture, so that everything the acquisition device finally records is a valid signal emitted by the device. The filter module is crucial to the whole acquisition scheme and is mainly responsible for three functions: voltage reduction, filtering, and impedance matching. Given that the operating voltage of HPLC signals is usually within 5 V, the module first uses a transformer to step the high-voltage signal on the power line (up to 220 V) down to a safe level of 5 V, then filters out the 50 Hz low-frequency signal and the DC component through a high-pass filter, ensuring that only the required high-frequency HPLC signals are retained. Subsequently, noise interference is blocked by a low-pass filter, and the filtered signal is passed through a low-noise amplifier for amplification. The connection of the acquisition device is shown in Fig. 8.
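The filter chain described above (high-pass to remove mains and DC, low-pass to reject out-of-band noise) can be illustrated with a small simulation. The sampling rate, cutoff frequencies, and tone placement below are illustrative assumptions, not the paper's actual values, and the Butterworth design is a stand-in for the unspecified analog circuit:

```python
import numpy as np
from scipy.signal import butter, sosfilt

fs = 25e6                                   # illustrative sampling rate
t = np.arange(0, 1e-3, 1 / fs)
mains = 220 * np.sin(2 * np.pi * 50 * t)    # 50 Hz AC component
hplc = 0.5 * np.sin(2 * np.pi * 3e6 * t)    # in-band HPLC tone (placeholder)
line = mains + hplc

# High-pass removes the 50 Hz mains and the DC component; low-pass
# rejects noise above the HPLC band. Cutoff frequencies are assumptions.
sos_hp = butter(4, 1e5, btype="highpass", fs=fs, output="sos")
sos_lp = butter(4, 12e6, btype="lowpass", fs=fs, output="sos")
filtered = sosfilt(sos_lp, sosfilt(sos_hp, line))
# After the chain, essentially only the high-frequency HPLC tone survives.
```

The transformer step-down and low-noise amplification stages are omitted here, since they only rescale the amplitude.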
[See PDF for image]
Fig. 8
Collection device connection method
Overall design
(1) Training Signal Collection Module:
This module records the communication between each device on the power line and the power gateway and passes the collected signals to the device fingerprint generation module as a training signal set. The process uses the Dragonfruit development board's RF input function, much like an oscilloscope: a trigger is set to locate the position of the effective signal on the line, and when the line voltage reaches the trigger value, the data in the buffer is saved for display. The buffer on the Dragonfruit board is a queue structure that continuously records the instantaneous voltage on the line; when the queue is full, the oldest value is discarded and the current value recorded. The training signal collection module saves the signals of all devices on the line once the trigger value is reached, stores the buffer contents, and generates a "training signal set" file for each corresponding device for use in the subsequent device fingerprint generation process.
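The triggered ring-buffer capture described above can be mimicked in a few lines of Python; the buffer length, trigger level, and post-trigger sample count below are placeholders rather than the board's actual settings:

```python
from collections import deque

def capture_on_trigger(samples, trigger, buf_len=1024, post=4096):
    """Mimic the board's triggered capture: keep a rolling buffer of the
    most recent samples; once the line voltage crosses the trigger,
    return the buffer contents plus `post` further samples."""
    buf = deque(maxlen=buf_len)        # oldest value dropped when full
    it = iter(samples)
    for v in it:
        buf.append(v)
        if abs(v) >= trigger:          # trigger condition reached
            tail = [next(it, 0.0) for _ in range(post)]
            return list(buf) + tail
    return None                        # trigger never reached
```

The `deque` with `maxlen` reproduces the queue behavior described in the text: when the queue is full, appending discards the oldest value automatically.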
Specific steps are as follows:
Connecting the collection device and setting parameters: this module controls the Dragonfruit development board to open the serial port and record the bus signals. After connecting the computer and the Dragonfruit development board on the same network segment, start the Dragonfruit SCPI service. In the experimental environment, the maximum working bandwidth of the HPLC device is X and the sampling rate is set to Y, far exceeding the signal bandwidth of the device, so that out-of-band features can also be extracted. After filtering and transformer attenuation, the signal amplitude of the HPLC device remains at about Z, which allows a higher resolution within the chosen range; the trigger voltage is set accordingly to ensure that HPLC device signals are collected.
Saving data: For each edge device, save 10 sets of filtered device signals, approximately two complete communications, for use in the subsequent device fingerprint generation phase. Since the power gateway’s request frequency to each edge device is low, with a maximum setting of 10 s per request and a complete meter reading requiring multiple data packets and about 20 s, all data is saved.
(2) Device Fingerprint Generation Module:
Specific steps are as follows:
HPLC device hardware fingerprint generation: After reading the training signal set, each device's 10 sets of signals are processed in a loop. The preamble part is used as the signal identifier, intercepting 10 consecutive character signals starting 160 points after the trigger position, i.e., the 6400 points from position 161 to 6560. The 640 points of the characters are averaged bit by bit across the 10 characters to eliminate signal attenuation and noise interference, and a fast Fourier transform is then performed. The device's working frequency range is intercepted from the spectrum as the fingerprint and recorded in the whitelist array.
HPLC device software fingerprint: Demodulate the collected training signals to obtain corresponding address information. Since the data sent and received by terminal devices in the power grid are relatively uniform, the useful information in the parsed data packet is mainly the time information. Different devices have inconsistent send and receive processing times. Use the average flow duration and address information as the device’s software fingerprint, as another dimension of the final fused fingerprint to improve its robustness.
Software and hardware feature fusion and dimensionality reduction: Use the fusion and dimensionality reduction techniques of software and hardware features mentioned in Chapter 2 to fuse and reduce the dimensions of the software and hardware fingerprints obtained in steps 1 and 2 to get the final device fingerprint.
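Step 1's hardware-fingerprint extraction might be sketched as follows, assuming the averaging runs point-wise across the 10 preamble characters; the frequency-band indices are placeholders for the device's working band:

```python
import numpy as np

def hardware_fingerprint(signal, trig_pos, n_chars=10, char_len=640,
                         band=(100, 200)):
    """Preamble-based hardware fingerprint: take n_chars * char_len
    samples starting 160 points after the trigger, average the
    characters bit by bit to suppress attenuation and noise, FFT the
    result, and keep the bins of the device's working band
    (band indices here are placeholders)."""
    start = trig_pos + 160                      # skip to the preamble
    seg = np.asarray(signal[start:start + n_chars * char_len])
    chars = seg.reshape(n_chars, char_len)
    avg = chars.mean(axis=0)                    # point-wise average
    spectrum = np.abs(np.fft.rfft(avg))
    return spectrum[band[0]:band[1]]            # working-band fingerprint
```

With `char_len=640` and `n_chars=10`, the slice covers exactly the 6400 preamble points described in step 1.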
(3) Real-Time Identity Authentication Module:
This module keeps the Dragonfruit development board's serial port continuously open to extract the fingerprint information of each device signal in real time and compare it with the device fingerprint whitelist. Its fingerprint extraction process and structure are consistent with those of the previous modules; it differs only in that device signals need not be collected repeatedly (fingerprints are extracted on every signal capture) and an identity authentication step is added. Identity determination uses multi-similarity identity authentication to classify the extracted fingerprint features and categorize the real-time collected device fingerprints into a final result. Below is an accuracy analysis of applying common classifiers to the extracted fingerprints.
In this paper, the training dataset is constructed by iteratively obtaining hardware and software fusion feature information for each device. Table 4 shows the accuracy results of training and testing the classification models using several classical machine learning methods.
Table 4. Classification performance table
| Machine learning model | Validation accuracy (%) | Testing accuracy (%) |
|---|---|---|
| Linear SVM | 94.2 | 95.2 |
| Quadratic SVM | 95.2 | 96.1 |
| Cubic SVM | 95.1 | 95.8 |
| Decision tree | 94.2 | 94.8 |
| Neural network | 94.2 | 95.2 |
| Naive Bayes | 94.2 | 95.5 |
| K-means (Euclidean distance) | 95.2 | 95.4 |
As the table above shows, the classical classifiers reach roughly 94–96% accuracy, while the multi-similarity authentication model proposed in this paper can achieve an authentication rate of more than 99%. For training devices A and B, the centroid of each training set is taken to generate the corresponding device fingerprint library. For each real-time captured signal, its Euclidean distance, cosine similarity, and structural similarity to the fingerprint library are computed, and its identity is tested according to these three similarity measures.
As shown in Fig. 9, using the Euclidean distance as the metric, the similarity distribution in each interval is analyzed. The similarity distribution with device A’s fingerprint is concentrated around 96.53%, while the similarity distribution with device B’s whitelist is concentrated around 48.77%.
[See PDF for image]
Fig. 9
Euclidean distance similarity between signal features of device A and fingerprint library
[See PDF for image]
Fig. 10
Euclidean distance similarity between signal features of illegal device C and fingerprint library
The signal characteristics of illegal device C and their Euclidean distance similarity to the real-time collected fingerprint library are shown in Fig. 10. The similarity between the illegal device and legitimate devices A and B does not exceed 60%. Therefore, setting an appropriate threshold is sufficient to distinguish between legitimate and illegal devices, achieving the experimental objectives.
Similarly, using cosine similarity as the criterion, the similarity with device A is 98.83% and with device B is 81.73%. Using structural similarity as the criterion, the similarity distribution with devices A and B is 93.21% and 64.38%, respectively.
To verify the stability of the method, two sets of samples, each with 1000 samples, were collected one week apart to test the recognition rate. The data collected in the first week came from only two devices, A and B. The classification results are shown in Fig. 11, with devices A and B correctly recognized with a probability of more than 98.5%. One week later, signals from three devices were collected, with device C acting as an illegal device; the classification result is shown in Fig. 12. The recognition rate on the real-time collected data reaches 98.7%, showing good time stability.
[See PDF for image]
Fig. 11
Devices A and B identification results
[See PDF for image]
Fig. 12
Device identification result
System performance
During the real-time identity authentication phase, the authentication module can correctly capture the communication signals on the bus, display in real time the names of the devices transmitting data on the line, distinguish between different legitimate devices, and issue alerts when illegal devices access the line. Each test comprised 100 identity authentication experiments on HPLC devices, with performance measured from the moment the signal was triggered on the line at the FireDragon signal collector to the display of the corresponding device name or alert. The average signal response time of the identity authentication module for HPLC devices was 0.094151 s.
The system’s security protection capability is evaluated using two metrics: the identity misrecognition rate and the identity authentication rate. The identity misrecognition rate refers to the probability of a legitimate device being recognized as another legitimate or illegal device. The calculation method is as follows:
$$\text{Misrecognition rate} = \frac{N}{M} \times 100\% \tag{16}$$
where N is the number of times legitimate equipment was identified as other equipment, and M is the number of equipment communications on the line. The identity misrecognition rate indicates the system's ability to recognize legitimate devices: a lower probability signifies a stronger recognition capability for legitimate devices. In three experiments conducted in an HPLC communication environment, there were two instances where a photovoltaic grid-connected circuit breaker was mistakenly identified as an illegal device. This occurred because the photovoltaic grid-connected circuit breaker was located relatively far from the signal collector, and random significant interference on the line caused the software-hardware integrated method's indicators to drop to 74% and 77%, below the preset device security threshold. The overall performance of the system is shown in Table 5.
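Equation (16) amounts to a simple ratio; a minimal helper, with N and M as defined above (the function name is illustrative):

```python
def misrecognition_rate(n_misidentified, m_communications):
    """Fraction of on-line communications in which a legitimate device
    was identified as some other (legitimate or illegal) device."""
    return n_misidentified / m_communications

# e.g. 2 misidentifications over 500 communications
print(misrecognition_rate(2, 500))
```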
Table 5. System performance table
| | Average response time of training signal acquisition module | Average response time of device fingerprint generation module | Average response time of real-time authentication module | Authentication rate |
|---|---|---|---|---|
| HPLC | 59.42222 s | 0.37010 s | 0.09420 s | 99.6% |
These test cases and performance test results validate the effectiveness and efficiency of the identity authentication module in signal acquisition, device fingerprint generation, and real-time identity authentication. Through these detailed test analyses, the system’s reliability and applicability are clearly demonstrated, providing a robust security measure for the edge IoT environment in the power grid.
Conclusions
This paper proposes an identity authentication architecture system that integrates software and hardware features. It demodulates and identifies real-time collected HPLC and other signals, authenticating device identities through extracted device fingerprints. The continuous trust evaluation module and dynamic access control module enable long-term dynamic management of devices, effectively preventing unauthorized network behavior by abnormal devices. The experiments presented here were conducted in relatively simple scenarios; to better validate and apply this method for identifying power grid devices, extensive experiments in a variety of scenarios are needed to prove its effectiveness. Additionally, due to the nature of the protocol, the transmitted signal data used in the software fingerprint part is too uniform to yield further useful information, and so contributes only minimally to the final experimental results. Future research can pursue other angles to improve the recognition rate.
Outlook:
The RF fingerprint feature extraction in this paper was studied in a single scenario. Facing a large number of terminals, the proposed RF fingerprint feature extraction technique needs to be applied to more usage scenarios to verify the scientific soundness and effectiveness of the method.
The hardware and software fingerprints of a device offer many other usable features; this direction can be explored to find additional feature parameters whose combination yields a high authentication rate.
Author contributions
CM and LNG wrote the main text of the manuscript. LY and ZB prepared the experimental figures. XYC, WTY, and LZA prepared the experiments and tables.
Funding
This work is supported by the science and technology project of State Grid Corporation of China: “Defense System Design and Key Technologies Research on Cyber Security of New Power System” (Grant No. 5700-202358388A-2-3-XG).
Data availability
The datasets generated/supporting this study cannot be made openly available due to confidentiality agreements with State Grid Corporation of China. Data access requires special authorization from the institution.
Declarations
Conflict of interest
The authors declare no conflict of interest.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.