
WO2018170267A1 - System, method and apparatus for wireless frequency signal identification and protocol reverse engineering - Google Patents

System, method and apparatus for wireless frequency signal identification and protocol reverse engineering

Info

Publication number
WO2018170267A1
Authority
WO
WIPO (PCT)
Prior art keywords
signal
classification
measurements
wireless signal
wireless
Prior art date
Application number
PCT/US2018/022639
Other languages
English (en)
Inventor
Kurt W. Derr
Samuel Ramirez
Sneha K. Kasera
Christopher D. Becker
Aniqua Z. BASET
Original Assignee
Battelle Energy Alliance, Llc
University Of Utah Research Foundation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Battelle Energy Alliance, Llc, University Of Utah Research Foundation
Publication of WO2018170267A1
Priority to US16/569,565 (US11251889B2)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B17/00 Monitoring; Testing
    • H04B17/30 Monitoring; Testing of propagation channels
    • H04B17/391 Modelling the propagation channel
    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01R MEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
    • G01R23/00 Arrangements for measuring frequencies; Arrangements for analysing frequency spectra
    • G01R23/16 Spectrum analysis; Fourier analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B17/00 Monitoring; Testing
    • H04B17/20 Monitoring; Testing of receivers
    • H04B17/29 Performance testing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware

Definitions

  • Embodiments of the present disclosure relate, generally, to systems and methods for identifying wireless signals and protocols, and more particularly, systems and methods for protocol reverse engineering of wireless signals.
  • Wireless communications technology is becoming ubiquitous throughout society. Although Wi-Fi has grown to be the ubiquitous Internet access technology, many other wireless protocols are used, for example, wireless communication systems such as Bluetooth, Wi-Fi, cellular, Apple iBeacon, Z-Wave, and ZigBee. Wireless communications devices are widely used in residential homes, in public safety, emergency response, and critical infrastructure applications.
  • Some embodiments of the present disclosure relate to a computer-implemented wireless signal classification method.
  • the method may include: receiving a first wireless signal classification, the first wireless signal classification based on blocks of radio frequency (RF) measurements of a wireless spectrum over a period of time; receiving a second wireless signal classification, the second wireless signal classification based on part of the blocks of RF measurements; weighting the first wireless signal classification and weighting the second wireless signal classification; and merging the weighted first wireless signal classification and the weighted second wireless signal classification to arrive at a classification result.
  • the system may include an energy-based detector configured to analyze an entire set of measurements and generate a first signal classification result; a cyclostationary-based detector configured to analyze less than the entire set of measurements and generate a second signal classification result; and a classification merger module configured to merge the first signal classification result and the second signal classification result.
  • FIGURE 1 is a block-diagram of a classification node according to an embodiment of the disclosure.
  • FIGURE 2A is a block-diagram of a classification and detection system according to an embodiment of the disclosure.
  • FIGURE 2B is a block-diagram for an energy-based detection path according to an embodiment of the disclosure.
  • FIGURE 2C is a block-diagram of a cyclostationary-based detection path according to an embodiment of the disclosure.
  • FIGURE 3 is a block-diagram of a classification and capture system according to an embodiment of the disclosure.
  • FIGURE 4 is a block-diagram of a protocol reverse engineering system according to an embodiment of the disclosure.
  • FIGURE 5A is a block-diagram of a classification and detection system according to an embodiment of the disclosure.
  • FIGURE 5B is a block-diagram of an energy-based detection path according to an embodiment of the disclosure.
  • FIGURE 5C is a block-diagram of a machine-learning-based detection path according to an embodiment of the disclosure.
  • wireless systems are deployed in critical infrastructures, and the vulnerabilities of these wireless systems increase the vulnerability of these sectors and of the economy.
  • wireless communication is used in critical infrastructure (CI) applications for monitoring and providing data on the status of CI components and for intelligent transportation systems.
  • Malicious actors may compromise existing wireless devices or implant rogue wireless devices (RWDs) to feed false data to the operators of an operator station creating the potential for a catastrophe.
  • spectrum analyzers may be used to analyze specific frequency ranges, but a user must first know the spectrum ranges to analyze. It is difficult to capture a signal over time with a spectrum analyzer: the volume of data is large and post-processing (analyzing the signal afterwards) is resource intensive; accordingly, real-time analysis is not possible.
  • the wireless signal types may be restricted to just a limited number of authorized types for security reasons.
  • the presence of unauthorized wireless signals or the absence of authorized signals may indicate malicious activities or a problem that must be addressed quickly to avoid a breach or system failure.
  • the presence of unknown signals in an enterprise building might indicate malicious activities like the presence of wireless spying devices that may compromise an organization's confidential data and/or critical assets.
  • some embodiments of the present disclosure are related, generally, to an efficient wireless signal classification system capable of detecting known signal types as well as unknown signals in real-time.
  • the classification system may operate in conjunction with or be incorporated in detection systems, which detect problems in a timely manner, raise alerts, and/or take appropriate actions.
  • Embodiments of a classification system may also be used to analyze black box devices to show that the devices act as intended (or as indicated), with no additional signals or interference being generated.
  • Other embodiments relate to a real-time wireless signal classification system used in, or operating in conjunction with, shared spectrum applications for detecting the presence of incumbent transmitters and/or spectrum usage violations by secondary users.
  • Embodiments also have a number of additional functionalities, including but not limited to signal recording, blind signal analysis, signal demodulation, signal localization, and protocol reverse engineering. As noted throughout the present disclosure, embodiments of the classification system may be used either as a standalone system or as a system integrated into other systems.
  • embodiments of the present disclosure facilitate real-time monitoring and analysis of: (1) CI applications that rely on wireless communication, (2) devices to detect possible spectrum violations, and (3) wireless signals in general to detect and interact with RWDs. Other benefits and advantages also exist.
  • the terms “computer” and “computer system” are to be understood to include at least one non-transitory computer readable memory and at least one processing unit.
  • the memory will store, at one time or another, at least portions of an executable program code, and the processor(s) will execute one or more of the instructions included in that executable program code.
  • executable program code and the term “software” mean substantially the same thing for the purposes of this description. It is not necessary to the practice of the various embodiments described herein that the memory and the processor be physically located in the same place. That is to say, it is foreseen that the processor and the memory might be distributed among physical pieces of equipment or even in geographically distinct locations.
  • the processing unit may be a general purpose "central processing unit,” but may use a wide variety of other technologies.
  • Specific-purpose hardware may also be used to implement the embodiments described herein, including a microcomputer, mini-computer, mainframe computer, programmed micro-processor, micro-controller, peripheral integrated circuit element, a CSIC (Customer Specific Integrated Circuit), ASIC (Application Specific
  • the processing unit may consist of a single core, or may be a multi-core processor that has two or more processing units that can operate executing instructions independently in parallel.
  • engine(s) refer to the logic, embodied in hardware and/or software, to accomplish the features, functions, tasks or steps described herein.
  • the “modules” and “engines” may be embodied in software classes and applications executed by processor cores, and while the modules or engines are executing as instruction on a non-transitory storage medium a general purpose computer may be thought of as a special purpose computer or a specific purpose computer.
  • the “modules” and “engines” may also relate to specific purpose hardware, including the firmware and machine code, controlling its operation.
  • the "modules” and “engines” that enable a computer system to act in accordance with the invention may be stored on non-transitory storage mediums in any number of language forms including, but not limited to, original source code, assembly code, object code, machine language, compressed or encrypted versions of the foregoing, and any and all equivalents.
  • languages that may be used to write the software include, but are not limited to, C, C++, JAVA, MATLAB, MINITAB, EXPRESS, DRAKON, DYNA, PYTHON, MOOSE, and RUBY.
  • the software programs may be further translated into machine language or virtual machine instructions and stored in a program file in that form. The program file may then be stored on or in one or more of the articles of manufacture.
  • GUI graphical user interfaces
  • Embodiments of the monitoring techniques described herein generally, comprise signal detection and signal classification.
  • Energy-based detection is known to the inventors of the present disclosure to provide an efficient technique to detect signals.
  • EBD may detect a signal based on the energy observed in a received signal.
  • the detection process can be done in time-domain as well as frequency domain.
  • CBD cyclostationary-based detection
  • Cyclostationary features are periodic characteristics of a signal that result from modulation, sampling, multiplexing, and/or coding operations. These characteristics are unique for signal types and may be used to distinguish among signal types.
  • cyclostationary features may be extracted from a signal by correlating a signal with a delayed version of itself, wherein a high correlation will be seen when the delay is equal to a period of a cyclostationary feature.
  • Cyclostationary features of a signal may be represented by Spectral Correlation Functions (SCFs), which may be computed using a time smoothing method and FFTs, an FFT accumulation method, a strip spectral correlation analyzer, etc. Additional computations involving the SCF may be used to determine which shift(s), α, provide higher correlation.
  • a resulting N-sized array may be referred to as the α-profile that includes maximum values for all possible shifts, α.
  • Conventional CBD is very accurate, but computationally expensive, and so not well suited to real-time signal detection.
  • CBD CBD to signals and merge the results of each process to detect and classify the signals.
  • Such embodiments are both efficient and accurate, and maintain real-time detection capabilities.
  • the EBD path 131 is used continuously, while the M-CBD path 132 is "on" periodically but (relative to EBD) infrequently.
  • the results from the M-CBD path 132 are provided as feedback to the EBD path 131 to adjust parameters and improve detection accuracy.
  • the M-CBD path 132 may detect signals not detected by the EBD path 131 (e.g., because the signals are close to or below the noise floor).
  • FIG. 1 illustrates an embodiment of a classification node 100 according to an embodiment of the present disclosure.
  • the classification node 100 comprises a software defined radio (SDR) 110 and a computer 120.
  • the architecture of the SDR 110 is of a type known to those of ordinary skill in the art, and each module in the SDR 110 may be implemented in software, hardware, an embedded system, and combinations thereof.
  • Software components of the SDR 110 may be executed on a general purpose computer.
  • the SDR 110 software may be based on GNU Radio, GNU Radio Companion, and GNU Radio Blocks.
  • hardware implementations of the SDR 110 may be based on USRP B210, X310, HackRF One, and the like.
  • Various embodiments of the SDR 110 may utilize application programming interfaces (API) from C++ and/or the software components associated with GNU Radio (or one of the other packages noted above) to interact with the hardware of X310 (or one of the other architectures noted above).
  • the SDR 110 outputs sampled RF signals to the computer 120.
  • the computer 120 includes classification logic, including, in one embodiment, the
  • the classification and detection system 130 includes an EBD path 131 and an M-CBD path 132.
  • the EBD path 131 is illustrated with more detail in FIG. 2B
  • the M-CBD path 132 is illustrated with more detail in FIG. 2C.
  • the computer 120 is not limited to sampled RF signals received from an SDR, and may receive measurement information from other spectrum measurement sources, including, by way of non-limiting example, other spectrum capture devices, files (e.g., stored measurement information), network equipment (e.g., received over a network), and the like.
  • the EBD path 131 may include power spectral density (PSD) calculator 152, noise floor calculator 154, dynamic cutoff calculator 156, peak detector 158, bandwidth analyzer 160, timing analyzer 162, and pattern matcher 164.
  • the PSD calculator 152 is configured to calculate the PSD from an
  • the noise floor calculator 154 may be configured to receive the PSD values (bins), find the lowest n values of that PSD and compute a mean and standard deviation of those n values, thereby enabling dynamic calculation of the noise floor
  • the mean and standard deviation may be provided to the peak detector 158.
  • the dynamic cutoff calculator 156 may be configured to determine a cutoff to remove noise from a PSD value.
  • the cutoff used to remove noise from a PSD value may be $\mu + m\sigma$, where $\mu$ and $\sigma$ are the mean and standard deviation values obtained from the noise floor calculator 154 module, respectively, and $m$ is a multiplier which may be adjusted by feedback.
  • the dynamic cutoff may be provided to the peak detector 158.
  • the peak detector 158 may be configured to determine and send a mask of the bins that were above the specified cutoff to bandwidth analyzer 160 and timing analyzer 162.
  • the bandwidth analyzer 160 may be configured to compute sets of contiguous bins above the cutoff using the mask received from the peak detector 158. For every set of inputs the bandwidth analyzer 160 receives, it looks for contiguous sets of bins that are above a threshold by looking for contiguous 1's (or another predefined indicator) in the mask it received from the peak detector 158.
  • the timing analyzer 162 may be configured to track active and inactive intervals for each bin, separately.
  • a bin may be considered active if it was considered part of a signal by the peak detector 158, and a bin may be considered inactive otherwise.
  • Information about the amount of time bins were active and inactive (after a state change) may be provided as output from the timing analyzer 162.
  • the timing analyzer 162 may include a two-state state machine (not shown) that it maintains for every entry in the mask it receives from the peak detector 158. By way of non-limiting example, responsive to a value of 1 for a particular mask entry, the state machine for that entry enters or maintains an active state.
  • the state machine for that entry enters or maintains an inactive state. Responsive to a state transition between states for an entry, an output entry for the state from which the entry left may be created and sent to an associated pattern matcher 164.
  • the pattern matcher(s) 164 may be configured to determine if a particular signal is present or not based on comparing the received bandwidth and/or timing results received from the previous blocks against a known set of parameters for the signal.
  • For example, an IEEE 802.11g signal using OFDM uses approximately 16.6 MHz of spectrum, so the pattern is matched against bands found by the bandwidth analyzer.
  • timing patterns such as Short Interframe Spacing (SIFS) inactive intervals and active transmission times required for packets based on various data rates are compared against inactive and active timing information found by the timing analyzer 162.
  • the ZigBee pattern matcher takes just the bandwidth information from the bandwidth analyzer 160 and compares it against the expected 2 MHz of spectrum occupancy for ZigBee.
  • the pattern matcher(s) 164 may be configured to compute a classification score of the classification for a band (s, j) using Equation 1: count s f
  • Results may be stored for a set time period, to, before being provided to the merger 133.
  • the results may include signal types, frequencies, scores, counts for detected signals, and the like.
  • embodiments of the peak detector 158 and protocol detector 166 may be configured based on specific wireless protocols (e.g., 802.11(b), ZigBee). For multiple protocols, multiple peak detector modules, protocol detector modules and/or components thereof, each configured for a signal class may be used. For example, a first pattern matcher 164 may be configured with band and timing information for 802.11g, and another pattern matcher 164 may be configured with bandwidth information for ZigBee (which occupies a specific 2 MHz spectrum). In other embodiments, a classification system including an EBD path may include a protocol detector for each protocol.
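The EBD path described above (noise floor from the lowest n bins, dynamic cutoff, peak mask, contiguous-bin bandwidth analysis, per-bin timing state machine, ZigBee bandwidth match), as an added Python example that is not code from the patent. The function and class names, the 250 kHz bin width, the 2.400 GHz start frequency, the tolerance and the PSD values are all constructed assumptions.

```python
from statistics import mean, pstdev

BIN_HZ = 250_000            # assumed width of one PSD bin
F_START_HZ = 2_400_000_000  # assumed frequency of the lower edge of bin 0

def noise_floor(psd, n_lowest):
    """Noise floor calculator: mean and std-dev of the n lowest PSD bins."""
    lowest = sorted(psd)[:n_lowest]
    return mean(lowest), pstdev(lowest)

def peak_mask(psd, n_lowest, m):
    """Peak detector: 1 for each bin above the dynamic cutoff mu + m*sigma."""
    mu, sigma = noise_floor(psd, n_lowest)
    cutoff = mu + m * sigma
    return [1 if p > cutoff else 0 for p in psd]

def contiguous_bands(mask):
    """Bandwidth analyzer: (first_bin, last_bin) for each run of contiguous 1's."""
    bands, start = [], None
    for i, bit in enumerate(mask):
        if bit and start is None:
            start = i
        elif not bit and start is not None:
            bands.append((start, i - 1))
            start = None
    if start is not None:
        bands.append((start, len(mask) - 1))
    return bands

def match_bandwidth(bands, expected_hz, tolerance_hz):
    """Pattern matcher: center frequencies of bands with the expected occupancy."""
    hits = []
    for first, last in bands:
        width = (last - first + 1) * BIN_HZ
        if abs(width - expected_hz) <= tolerance_hz:
            hits.append(F_START_HZ + (first + last + 1) / 2 * BIN_HZ)
    return hits

class TimingAnalyzer:
    """Two-state machine per mask entry; on a transition it emits
    (bin, state that was left, number of frames spent in that state)."""
    def __init__(self, n_bins):
        self.state = [0] * n_bins    # 0 = inactive, 1 = active
        self.frames = [0] * n_bins   # frames spent in the current state

    def update(self, mask):
        out = []
        for i, bit in enumerate(mask):
            if bit != self.state[i]:
                if self.frames[i]:   # nothing to report before the first frame
                    left = "active" if self.state[i] else "inactive"
                    out.append((i, left, self.frames[i]))
                self.state[i], self.frames[i] = bit, 0
            self.frames[i] += 1
        return out

def constructed_psd():
    """Constructed 64-bin PSD: rippled noise, a 2 MHz band and a narrow spike."""
    psd = [1.0 + 0.05 * ((i * 7) % 5) for i in range(64)]
    for i in range(20, 28):          # 8 bins * 250 kHz = 2 MHz, ZigBee-like
        psd[i] = 10.0
    for i in range(40, 42):          # 0.5 MHz emitter matching no known pattern
        psd[i] = 6.0
    return psd

def demo_ebd(m):
    """Run the path once with cutoff multiplier m; returns (bands, zigbee_centers)."""
    bands = contiguous_bands(peak_mask(constructed_psd(), n_lowest=16, m=m))
    return bands, match_bandwidth(bands, 2_000_000, BIN_HZ)

if __name__ == "__main__":
    print(demo_ebd(10))      # two bands, one of them matched as ZigBee
    print(len(demo_ebd(3)[0]), "bands when the multiplier is too low")
```

With a multiplier that is too low the noise ripple itself crosses the cutoff and the band list fills with spurious entries, which is the situation the feedback on m is meant to correct.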
  • Embodiments of the merger 133 of the classification and detection system 130 are configured to take the classification results from both the EBD path 131 and the M-CBD path 132 and merge the results for a final classification.
  • the classification results may include a center frequency, a signal classification, count and a classification score.
  • Both EBD path 131 and M-CBD path 132 may also provide information about the scores of the classifications they make. Score levels are in the range (0.0, 1.0] where a value around 0.0 corresponds to a very low confidence in a classification and a value near 1.0 corresponds to a very high confidence in the classification.
  • the merger 133 may be configured to apply pre-defined score weights to results from the two paths to make a final classification. Since the M-CBD path 132 provides higher accuracy of signal classification than the EBD path 131, the merger 133 may be configured to assign a higher weight to the results from M-CBD path 132 while merging the results.
  • the merger 133 may be initialized with classification score weights for the different classification sources (i.e., M-CBD and EBD classification) and an update rate.
  • the merger 133 may be configured to switch between two states, a merging state and an update state.
  • the merger 133 may be in a merging state between updates. During the merging state, it receives classification results from the different sources consisting of signal classification, center frequency, classification score, and count. Values from different sources and of different signal class are kept separate, but values from the same source and signal class are merged. If multiple sets of results are obtained from the same source while the merger 133 is in the merging state then the results are combined/merged. In various embodiments, classifications are merged based on their signal class and center frequency. For every new value received, if the signal class and center frequency match the signal class and center frequency of an existing entry then the entries are merged by updating the score to an average of the existing entry and the new entry, and the count is updated to be the sum of the existing count and the new count.
  • the new entry is added to the set of existing entries.
  • the merger 133 is in update state, then the previously merged results from the sources are merged to a final classification using the results and source classification score weights specified by the user.
  • the paths that provide classification results are counted and become the number of sources for that signal class.
  • the final merged entry has a score computed as shown in Equation 2, below:
  • $\mathrm{score}(f) = \frac{1}{c} \times \sum_{s \in \mathrm{sources}(t)} w_s \times \mathrm{score}_s(f)$ (Equation 2)
  • $t$ is the signal type
  • $c = \mathrm{count}(\mathrm{sources}(t))$
  • $w_s = \mathrm{weight}(s)$ (the source weight as specified by the user)
  • $\mathrm{score}_s(f) = 0$ if the frequency was not reported by the source; otherwise, it is the classification score value from the merged entry.
  • the entries for each signal class from both sources are provided as results.
  • the M-CBD path 132 finds Wi-Fi bands {1, 2, 3, 4} and ZigBee bands {1, 2}
  • the EBD path 131 finds Wi-Fi bands {1, 5, 6} and ZigBee bands {3, 4}
  • the final merged results would be Wi-Fi bands {1, 2, 3, 4, 5, 6} and ZigBee bands {1, 2, 3, 4}.
  • the merger 133 may provide feedback control signals to the EBD path 131 based on the results of the M-CBD path 132.
  • Parameters of the Peak Detector may be modified/adjusted based on the feedback.
  • differences in the classification results reached by the EBD path 131 and M-CBD path 132 are tracked. If the differences exceed a threshold then commands are sent from the merger 133 to the peak detector module of the EBD path 131 and a cutoff multiplier used in peak detection is adjusted.
  • a command is sent to the peak detector module to increase the noise floor cutoff parameter by adjusting the multiplier.
  • the M-CBD path 132 reports detection and classification of eight (8) Wi-Fi bands and the EBD path 131 reports detection and classification of three (3) Wi-Fi bands, then a command is sent to the peak detection module to lower the noise floor cutoff parameter by adjusting the multiplier. This allows the classification and detection system 130 to adapt at run time and be less susceptible to bad initialization parameters.
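The merger's two states and the cutoff feedback described above, as an added Python example that is not code from the patent. It assumes Equation 2 is the weighted sum over the sources of a signal class divided by the number of sources c; the class and function names, the weights 0.7/0.3, the scores, the feedback threshold and step, and the rule for raising the multiplier are constructed assumptions (the page's worked case only shows lowering it).

```python
from collections import defaultdict

class Merger:
    """Merging state: receive(). Update state: update()."""

    def __init__(self, weights):
        self.weights = weights   # user-specified source weights
        self.entries = {}        # (source, class, band) -> [score, count]

    def receive(self, source, signal_class, band, score, count):
        """Same source, class and center frequency: average score, sum count."""
        key = (source, signal_class, band)
        if key in self.entries:
            entry = self.entries[key]
            entry[0] = (entry[0] + score) / 2
            entry[1] += count
        else:
            self.entries[key] = [score, count]

    def update(self):
        """Final score per (class, band): (1/c) * sum_s w_s * score_s(f)."""
        per_class = defaultdict(dict)          # class -> band -> {source: score}
        for (source, cls, band), (score, _count) in self.entries.items():
            per_class[cls].setdefault(band, {})[source] = score
        final = {}
        for cls, bands in per_class.items():
            sources = {s for reported in bands.values() for s in reported}
            c = len(sources)                   # paths that reported this class
            for band, reported in bands.items():
                # score_s(f) is 0 when source s did not report this band
                total = sum(self.weights[s] * reported.get(s, 0.0)
                            for s in sources)
                final[(cls, band)] = total / c
        self.entries.clear()
        return final

def adjust_multiplier(m, mcbd_bands, ebd_bands, threshold, step):
    """Feedback to the peak detector. M-CBD seeing more bands than EBD by more
    than `threshold` lowers the cutoff multiplier (the page's 8-versus-3 case);
    the opposite direction raising it is an assumption of this example."""
    if mcbd_bands - ebd_bands > threshold:
        return m - step
    if ebd_bands - mcbd_bands > threshold:
        return m + step
    return m

def demo_merge():
    """The page's band sets with constructed scores and counts."""
    merger = Merger({"M-CBD": 0.7, "EBD": 0.3})
    for band in (1, 2, 3, 4):
        merger.receive("M-CBD", "Wi-Fi", band, 0.9, 1)
    for band in (1, 2):
        merger.receive("M-CBD", "ZigBee", band, 0.9, 1)
    merger.receive("EBD", "Wi-Fi", 1, 0.6, 2)
    merger.receive("EBD", "Wi-Fi", 1, 1.0, 3)   # merged: score 0.8, count 5
    for band in (5, 6):
        merger.receive("EBD", "Wi-Fi", band, 0.8, 1)
    for band in (3, 4):
        merger.receive("EBD", "ZigBee", band, 0.8, 1)
    return merger

if __name__ == "__main__":
    for key, score in sorted(demo_merge().update().items()):
        print(key, round(score, 3))
    print(adjust_multiplier(10.0, mcbd_bands=8, ebd_bands=3, threshold=2, step=1.0))
```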
  • FIG. 2C shows classification logic of the M-CBD path 132, in accordance with the present disclosure.
  • the M-CBD may include the following modules: a data reducer 134, a Spectral Correlation Function (SCF)/α-profile calculator 140 (merely referred to herein as an α-profile calculator), and a signal classifier 142.
  • a CBD typically cannot keep-up with the high-sample rates of SDRs such as the SDR 110.
  • an SDR such as SDR 110 may generate 2 GB of data every 11 seconds at a 25 MHz sample rate. It is also now understood that lowering the sample rate would result in poor signal detection and classification by the system.
  • the M-CBD path 132 may maintain the real-time detection capabilities by, in part, incorporating a data reducer 134.
  • Embodiments of a data reducer 134 module (“keep M in N") are illustrated in FIGS. 2A and 2C.
  • the data reducer 134 module turns "on" the M-CBD path 132 periodically as opposed to continuously “on” like the EBD path 131.
  • the limited operation is achieved by forming blocks of data where one block has enough contiguous samples to calculate one SCF, forwarding the one block to the next module, and discarding the remaining blocks.
  • the size of a block (c samples) is N * L where N is the number of bins from the fast Fourier transform (FFT) and L is the number of contiguous FFTs used to compute one SCF.
  • the data reducer 134 may implement a data reduction algorithm to select the first, last, nth, or a random block from the available N blocks to send to the next module. In one embodiment, un-forwarded blocks may be discarded. Random selection may avoid a situation where a signal is always transmitted during an off-period of the M-CBD path 132 and so is always missed by the M-CBD path 132. Random selection may also hinder third-parties from evading detection by taking advantage of the "on"/"off" periods of the M-CBD path 132.
  • FIG. 2C shows the data reducer 134 includes a data reducer 136 and a stream to vector 138 that is configured to collect the blocks of sampled data and provide the blocks to the α-profile calculator 140.
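The block selection described above, as an added Python example that is not code from the patent: it forwards one block out of every group and compares a fixed choice with a random one against a transmitter whose bursts always land in the same block of each group. The names, the group size of 8, the block size (N = 4 bins, L = 2 FFTs) and the sample stream are constructed assumptions.

```python
import random

def blocks(samples, n_bins, l_ffts):
    """Split a sample stream into blocks of N * L contiguous samples,
    i.e. enough samples to compute one SCF per block."""
    size = n_bins * l_ffts
    for i in range(0, len(samples) - size + 1, size):
        yield samples[i:i + size]

def keep_one_in_n(block_iter, group, policy, rng=None):
    """Forward one block out of every `group` blocks and discard the rest."""
    pending = []
    for block in block_iter:
        pending.append(block)
        if len(pending) < group:
            continue
        if policy == "first":
            index = 0
        elif policy == "last":
            index = group - 1
        elif policy == "random":
            index = rng.randrange(group)
        else:
            raise ValueError("unknown policy: %r" % policy)
        yield pending[index]
        pending = []

def constructed_stream(groups, group, n_bins, l_ffts):
    """Constructed samples: the emitter is on only in block 3 of every group,
    so its duty cycle is aligned with the reducer's period."""
    size = n_bins * l_ffts
    stream = []
    for _ in range(groups):
        for b in range(group):
            stream.extend([1 if b == 3 else 0] * size)
    return stream

def count_hits(policy, seed=None):
    """Returns (forwarded blocks, forwarded blocks that contain the emitter)."""
    stream = constructed_stream(groups=200, group=8, n_bins=4, l_ffts=2)
    # Seeded generator only so the demo is repeatable; a fielded reducer would
    # use an unpredictable source such as random.SystemRandom().
    rng = random.Random(seed)
    forwarded = list(keep_one_in_n(blocks(stream, 4, 2), 8, policy, rng))
    return len(forwarded), sum(1 for block in forwarded if any(block))

if __name__ == "__main__":
    print("first :", count_hits("first"))
    print("random:", count_hits("random", seed=1))
```

A fixed selection never forwards a block containing the emitter, while random selection forwards one in roughly one group out of eight.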
  • the computer 120 may include additional random-access memory (RAM) to improve the operational speed of the EBD path 131 and/or the M-CBD path 132.
  • the higher read/write speeds of the RAM enable the computer 120 to keep up with the high rates at which data may be generated by the SDR.
  • Embodiments of the α-profile calculator 140 may be configured to compute an SCF and an α-profile to be used for signal classification by the signal classifier 142.
  • the α-profile calculator may be configured to use a time smoothing process, such as Equation 3, below:
  • $FFT_l[f]$ is the $l$th FFT of a signal at frequency $f$
  • $FFT[f - \alpha]$ is the complex conjugate of the FFT of the signal at frequency bin $f$, shifted by $\alpha$.
  • the α-profile may be calculated according to Equation 4, below:
  • the α-profile calculator 140 normalizes the computed α-profile by dividing all the entries by the maximum-valued entry. The α-profile calculator 140 then passes the SCF and α-profile to multiple signal classifiers 142 for identification of the signal class. The forwarded α-profile is used to predict the signal class, and part of the SCF is used to estimate the center frequency of a detected signal.
  • Embodiments of the signal classifier 142 may be configured to classify the detected signals based on the SCF and α-profile provided by the α-profile calculator 140, and provide the classification results to the merger 133 of FIG. 2A.
  • the signal classifier 142 for signal class c receives an α-profile and uses it as a feature vector to determine if it belongs to class c (or not).
  • the signal classifier makes the classification determination by using a previously trained one-class support vector machine (SVM) model.
  • a one-class version of SVM is trained with data from just one "class,” learns the boundary of the class from the training data, and predicts if an input feature set belongs to the trained class (or not).
  • the signal classifier 142 uses a multi-class classifier model trained with different signals and noise data.
  • the model is trained with previous data for 1, 2, 1 classes and added data for class n.
  • the signal classifier 142 next computes the center frequency from the SCF if the prediction from the one-class SVM is 1, i.e., the input feature vector is predicted to belong to the signal class c.
  • the computation is performed using the 0th column of the SCF which contains the magnitudes of the input FFTs averaging over L FFTs. In one embodiment, this computation is carried out as follows: First, the 0th column is divided into blocks.
  • the signal classifier 142 sends two blocks that contain the most amount of the energy (or are above a threshold amount of energy). Next, the signal classifier 142 finds the location of a minimum value in a region bounded by the two blocks. This location is saved as the target center frequency location.
  • the signal classifier 142 stores the found center frequencies instead of immediately passing them to the merger 133. After a set time period s, the signal classifier 142 merges the stored results and outputs the merged information to the merger 133. While merging, for each different frequency, f, the signal classifier 142 determines the number of times f has been detected in period s and uses the count to calculate a classification score for f following a similar calculation as a protocol detector module of the EBD path 131. Like the EBD path 131, the signal classifier 142 may send streams of detected signal data (signal class, frequency, score, count) to the merger 133.
  • the system may have multiple instances of the signal classifier 142, each programmed/configured to detect a particular signal class and to work in parallel.
  • one module configured to detect Wi-Fi, one configured to detect ZigBee, etc.
  • the data reduction algorithm and the memory may be selected based on factors such as the sample rate of an SDR and the quantity of data it generates. These factors may necessitate different architecture based on different applications.
  • a system may comprise multiple SDRs, each SDR scanning different RF bands to detect different classes of wireless signals.
  • the reverse engineering techniques described herein may be optimized for different classes of wireless signals and as such the architecture may be selected to accommodate a class of wireless signal.
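The center-frequency step and the per-period merge described above for the signal classifier 142, as an added example that is not code from the patent. All function names are hypothetical, the spectra are constructed, and three things are assumptions: block energy is the sum of squared magnitudes, the searched region spans both selected blocks inclusively, and the score is the fraction of windows in the period that reported the frequency (the EBD path's own calculation is not reproduced in this section).

```python
from collections import Counter


def block_energies(column, block_size):
    """Energy of each fixed-size block of the SCF's 0th column."""
    # Assumption: energy = sum of squared magnitudes within the block.
    return [sum(m * m for m in column[i:i + block_size])
            for i in range(0, len(column), block_size)]


def center_bin(column, block_size):
    """Bin index of the minimum inside the span of the two strongest blocks."""
    energies = block_energies(column, block_size)
    if len(energies) < 2:
        raise ValueError("need at least two blocks")
    strongest = sorted(range(len(energies)), key=energies.__getitem__,
                       reverse=True)[:2]
    lo, hi = min(strongest), max(strongest)
    # Assumption: the bounded region runs from the first bin of the lower
    # block to the last bin of the upper block, both blocks included.
    start = lo * block_size
    stop = min((hi + 1) * block_size, len(column))
    return min(range(start, stop), key=column.__getitem__)


def bin_to_hz(k, n_bins, sample_rate_hz, tuned_hz):
    """Assumption: FFT-shifted order, so bin n_bins // 2 is the tuned frequency."""
    return tuned_hz + (k - n_bins // 2) * sample_rate_hz / n_bins


def classify_period(signal_class, windows, block_size, sample_rate_hz, tuned_hz):
    """Merge one period's windows into (class, frequency, score, count) tuples.

    windows: (one_class_prediction, column) pairs; a center frequency is only
    computed when the prediction is 1.
    """
    if not windows:
        return []
    counts = Counter()
    for prediction, column in windows:
        if prediction != 1:  # not predicted to belong to the class: skip
            continue
        k = center_bin(column, block_size)
        counts[bin_to_hz(k, len(column), sample_rate_hz, tuned_hz)] += 1
    # Assumption: score = share of the period's windows reporting this frequency.
    return [(signal_class, freq, n / len(windows), n)
            for freq, n in counts.most_common()]


def constructed_column(lead):
    """Constructed 64-bin column: two energy lobes with a dip at bin lead + 16."""
    return ([0.2] * lead + [4.0] * 8 + [6.0] * 8 + [0.5] + [6.5] * 7
            + [4.0] * 8 + [0.2] * (32 - lead))


def demo():
    """Five constructed windows: three at one frequency, one rejected, one at another."""
    noise_only = [0.2] * 64
    windows = ([(1, constructed_column(24))] * 3 + [(-1, noise_only)]
               + [(1, constructed_column(8))])
    return classify_period("wifi", windows, 8, 20_000_000, 2_437_000_000)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In the constructed columns the dip sits inside one of the two strongest blocks, which is why the search region here includes the blocks themselves rather than only the gap between them.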
  • FIG. 3 illustrates a classification and capture system (CCS) 300 according to an embodiment of the present disclosure.
  • the CCS 300 includes classification nodes 310, a coordination server 320 and signal processing nodes 330.
  • Each classification node 310 may include classification logic implemented, in one embodiment, in the manner(s) described with reference to FIGS. 1 and 2A to 2C, above.
  • Each classification node 310 may include classification logic optimized for a particular signal class. In some embodiments, classification nodes 310 may be added to the CCS 300 for new or different signal classes, and thus, the CCS 300 is scalable.
  • Each classification node 310 may include a registration manager (not shown) that is configured to register the classification node 310 with other devices, including the
  • registration indicates to the coordination server 320 that a classification node 310 is a resource available to the coordination server 320, including to receive job requests/commands from the coordination server 320.
  • a classification node 310 may communicate to the coordination server 320 one or more of: the physical location of a classification node 310, identity of ports to receive updates and commands, RF spectrums with scan range and classification range, and the like.
  • the coordination server 320 may communicate to the classification node 310 initial values and patterns.
  • the initial patterns may comprise bandwidth and timing values (active/inactive, short interval spacing, etc.) for known signal classes, and the initial values may include initial cut-off values for the noise.
  • signal information may be entered manually (e.g., by a user), and in another embodiment signal information may be entered automatically (e.g., using a predefined database or through automated blind signal analysis).
  • the classification nodes 310 may include performance monitors configured to monitor for resource (i.e., CPU) usage of a host system as well as detect if processing overload occurs within a classification logic. Processing overload may happen when classification logic is not able to process the stream of samples from the spectrum measurement source fast enough (e.g., we are spending too much computation time on the MLBC path as described below).
  • the performance monitor may be configured to send commands to classification logic, which is configured to make appropriate adjustments responsive to such commands. This enables the CCS 300 to automatically adjust to changes in available resources.
  • Embodiments of the signal processing nodes 330 may be configured to have different features and functions, including recording a signal and demodulating a signal (or attempting to demodulate a signal).
  • Each signal processing node 330 may comprise specialized hardware and software, relevant to, for example, one or more signal classes.
  • a signal processing node 330 that specializes in recording signals may include an SDR for a specific RF band and memory architecture to record the signal.
  • a signal processing node 330 that specializes in demodulation of signals and data packet capture may include demodulation software, including software for demodulating specific signal classes.
  • a specialty SDR such as USRP B210 may be used to demodulate a signal and capture data packets.
  • BBN's 802.11 demodulation software is used to demodulate the signal in software and capture data packets.
  • Each signal processing node 330 may include a registration manager (not shown) that is configured to register a signal processing node 330 with a coordination server 320.
  • the registration manager may send the signal processing node 330 a registration request that includes information about the capabilities of the signal processing node 330.
  • the coordination server 320 may direct a signal processing node 330 to perform additional processing on a signal, for example, responsive to capabilities of the signal processing node 330.
  • Each signal processing node 330 may include a controller (not shown) that receives commands and parameters from the coordination server 320, and controls the specific resources of the signal processing node 330 responsive to the commands/parameters.
  • classification nodes 310 may perform auto-tuning for performance using a monitoring function. This allows the classification nodes 310 to automatically adjust based on available computational resources. This also allows a CCS 300 to be put in an operational state with minimal human intervention by automatically taking the necessary steps to determine its best configuration.
  • Embodiments of the coordination server 320 may include a classification node controller 321, a node database 322, a signal processing node controller 323, a classification result processor 324, a pattern database 325, and a processing feedback processor 326.
  • Various embodiments of the coordination server 320 may be configured to act as a centralized coordination point between the classification nodes 310 and the signal processing nodes 330.
  • Embodiments of the node database 322 may be configured to be used by the other component modules of the coordination server 320 to store and track registered nodes, node availability, node capability, etc.
  • Embodiments of the classification node controller 321 may be configured to manage registration/un-registration requests from classification nodes 310. Further, it may be configured to send commands to registered classification nodes 310 to monitor a specific frequency range and report the results to the coordination server 320. In some embodiments, the classification node controller 321 may be configured to update the pattern database 325 with new patterns and signals received, for example, from one or more classification nodes 310.
  • Embodiments of the signal processing node controller 323 may be configured to manage registration/un-registration requests, and work complete requests from the signal processing nodes 330.
  • the signal processing node controller 323 may also be configured to send commands to signal processing nodes 330 responsive to requests/commands received from the classification result processor 324.
  • the signal processing node controller 323 may be configured to inform the classification result processor 324 of the node status change.
  • Embodiments of the classification result processor 324 are configured to receive classification results from the classification nodes 310 and, responsive to a rules engine (not shown), determine whether to perform further processing of a signal and determine which signal processing node to assign a received signal for further processing.
  • the classification result processor 324 may send a request/command to a recording-type of signal processing node 330 to record a specific center frequency at a specific sample rate for a specific amount of time.
  • the classification result processor determines that a demodulation attempt should be made on a signal, it may send a
  • Embodiments of the pattern database 325 may be configured to store, manage and update patterns used for classification (e.g., by detectors and SCF classifiers), as well as information about the patterns.
  • the pattern database 325 may store, manage and update information about types of known and unknown signals.
  • Various embodiments of the pattern database 325 may be updated automatically or manually.
  • Embodiments of the processing feedback processor 326 may be configured to receive feedback from signal and demodulation attempts by one or more signal processing nodes 330. Further, the processing feedback processor 326 may be configured to update the pattern database 325 with patterns based on feedback received from one or more of the signal processing nodes 330.
  • the coordination server 320 may include one or more interfaces for users and external devices to access and/or communicate with the coordination server 320, including to retrieve classification results, detection results, load information, set
  • a user may interact with an interface by way of a graphical user interface or a command line interface.
  • Embodiments of the coordination server 320 may include core logic (not shown) that interacts with the other modules to run the system as a whole and is configured to decide about system operation.
  • the core logic may be configured to determine actions to take, such as node assignment and additional processing to be taken (activate a signal processing node, alert a user to suspicious activity, etc.), responsive to information received from the other modules, by way of non-limiting example, classification results, detection results, node availability, and user configuration.
  • FIG. 4 illustrates an embodiment of a protocol reverse engineering system (PRES) 400, in accordance with the present disclosure.
  • the PRES 400 is configured to receive packet capture (P-CAP) files, for example, from a signal processing node 330 (FIG. 3) that has demodulated a signal and captured packet data.
  • Embodiments of the PRES 400 may be implemented as one or more of the signal processing nodes 330 illustrated in FIG. 3, or as a separate application or tool.
  • Embodiments of the reverse engineering module 410 may be configured to receive the P-CAP files and infer the vocabulary and grammar of the application layer protocol associated with the received P-CAP files.
  • the reverse engineering module 410 may store the vocabulary and grammar in the database 420 for access by the traffic generator 430.
  • Embodiments of the traffic generator 430 may be configured to simulate
  • the traffic generator 430 may be programmed to perform simulations based on the vocabulary and grammar previously inferred. Dynamic vulnerability analysis using integrated fuzzing frameworks (mutation based or generation based), such as Sulley or Peach, may be used to generate optimized and specific fuzzing test cases that may reveal software programming errors which can lead to software security vulnerabilities.
  • the traffic generator 430 may be configured to generate malformed data packets to attempt to crash or disable a device that is operating over a specific wireless signal, and take over a device, as well as assess the robustness of an implementation.
  • PRES 400 is implemented in software, for example using the NetZob tool.
  • the modules of the PRES 400 may be implemented using tools such as ClusterFuzz and American Fuzzy Lop (AFL).
  • FIGS. 5A, 5B, and 5C show a classification and detection system 500, in accordance with an embodiment of the disclosure.
  • Embodiments of the classification and detection system 500 may be, by way of non-limiting example, incorporated into a classification and capture system, and a protocol reverse engineering system.
  • the classification and detection system 500 includes different classification logic than the classification and detection system 130.
  • the classification and detection system 500 may include an energy-based detection classification (EBDC) path 520 and a machine learning-based classification (MLBC) path 530 configured to receive RF measurements 510 from a spectrum measurement source 502.
  • the classification results from the EBDC path 520 and the MLBC path 530 are merged by a merger 550.
  • Merged classification results 552 may be provided to a server (e.g., in a classification or reverse engineering system) and to the noise floor calculator 522 of the EBDC path 520.
  • the spectrum measurement source 502 may provide measurement information (e.g., samples of RF signals) for classification.
  • spectrum measurement sources include, but are not limited to, files and SDRs.
  • the measurements may be processed according to the classification logic and provided, e.g., to a coordination server.
  • the measurements may come from local (e.g., files, attached SDR via USB, etc.) or remote (e.g., sent over a network) sources.
  • FIGS. 5B and 5C show classification logic associated with the EBDC path 520 and MLBC path 530, respectively, in accordance with an embodiment of the disclosure.
  • Some functional modules of the classification logic of the EBDC path 520 shown in FIG. 5B have been simplified for ease of description, but may include, by way of non-limiting example, one or more of the modules of the classification logic shown in FIG. 2B.
  • the EBDC path 520 is shown to include a noise floor calculator 522, a parameter estimator 524, and pattern matchers 526.
  • the MLBC path 530 includes a data reducer 532, feature calculator 534, a noise detector 536, a signal classifier 538, and an MLBC merger 542.
  • the data reducer 532 and feature calculator 534 may be configured similar to the data reducer 134 and a-profile calculator 140 described with reference to FIG. 2C.
  • the data reducer 532 is configured to limit the RF measurements 510 that pass to the rest of the modules of the MLBC path 530 to maintain the real-time capability of a classification process.
  • the feature calculator 534 may be configured to compute a pre-defined feature set from RF measurements 510, such as cyclostationarity, higher order cumulants, etc.
  • the noise detector 536 may use a pre-trained machine learning model to determine if the input is noise or not.
  • the signal classifier 538 runs in parallel with the noise detector 536, and uses one or more signal class models 540, which may be one-class machine learning models, to determine a signal class. For example, one model may be for detecting WiFi, one model may be for detecting ZigBee, etc.
  • a one-class machine learning model is different than conventional models in that it is trained with data from just one class, "learns" the characteristics of the class from the training data, and predicts if an input feature set belongs to the trained class (or not).
  • one advantage of a one-class model is that, to detect class A signals, it may be trained with class A data, but does not necessarily need to be trained with non-class A data like conventional machine learning models.
  • the model does not necessarily need to be trained with noise data and data for other signals, e.g., Bluetooth, ZigBee, etc.; it may be trained only with WiFi data.
  • a representative non-WiFi dataset is not necessarily required, which may be otherwise difficult to create.
  • Non-limiting examples of one-class models that may be used with the signal classifier 538 include one-class SVM, autoencoder neural network, combinations thereof, and the like.
  • MLBC merger 542 may be configured to receive prediction results from both noise detector 536 and signal classifier 538, and to infer a final classification result to be sent to the merger 550. If noise detector 536 predicts the input as a signal and none of the signal class models 540 recognize it, then an unknown signal type may be considered to be present and the MLBC merger 542 sends a result indicating the logic of the MLBC path 530 did not identify the signal type.
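The decision logic of the MLBC merger 542 described above, as an added example that is not code from the patent. The one-class model here is a simple centroid-distance stand-in for a one-class SVM or autoencoder, the noise detector reuses that stand-in trained on noise, the two-dimensional feature vectors are constructed, and all names are hypothetical. The precedence when a class model and the noise detector both fire is an assumption, since the text only spells out the unknown-signal case.

```python
import math


class CentroidOneClass:
    """Stand-in one-class model: learns one class's centroid and spread, then
    accepts only inputs that fall near it. Not a one-class SVM or autoencoder."""

    def __init__(self, name, training_vectors, slack=1.5):
        self.name = name
        n, dims = len(training_vectors), len(training_vectors[0])
        self.mean = [sum(v[d] for v in training_vectors) / n for d in range(dims)]
        self.scale = [
            max(1e-9, math.sqrt(sum((v[d] - self.mean[d]) ** 2
                                    for v in training_vectors) / n))
            for d in range(dims)
        ]
        # The acceptance radius is derived from the class's own data only;
        # no out-of-class samples are needed to train the model.
        self.radius = slack * max(self.distance(v) for v in training_vectors)

    def distance(self, features):
        """Per-feature normalized distance from the class centroid."""
        return math.sqrt(sum(((x - m) / s) ** 2
                             for x, m, s in zip(features, self.mean, self.scale)))

    def predict(self, features):
        """1 if the features look like the trained class, otherwise -1."""
        return 1 if self.distance(features) <= self.radius else -1


def mlbc_merge(features, noise_model, class_models):
    """Combine the noise detector and the signal class models into one result."""
    # The text runs these in parallel; they are called in sequence here.
    is_noise = noise_model.predict(features) == 1
    matches = [m.name for m in class_models if m.predict(features) == 1]
    if matches:
        # Assumption: a class match wins even if the noise detector disagrees.
        return ("classified", matches)
    if not is_noise:
        # A signal is present but no class model recognizes it.
        return ("unknown", [])
    return ("noise", [])


# Constructed training data: each model sees samples of its own class only.
NOISE_MODEL = CentroidOneClass(
    "noise", [(0.02, 0.01), (0.03, 0.02), (0.01, 0.02), (0.02, 0.03)])
CLASS_MODELS = [
    CentroidOneClass(
        "wifi", [(0.80, 0.10), (0.82, 0.12), (0.78, 0.09), (0.81, 0.11)]),
    CentroidOneClass(
        "zigbee", [(0.30, 0.60), (0.32, 0.62), (0.28, 0.58), (0.31, 0.61)]),
]

if __name__ == "__main__":
    for sample in [(0.79, 0.10), (0.31, 0.60), (0.02, 0.02), (0.55, 0.90)]:
        print(sample, mlbc_merge(sample, NOISE_MODEL, CLASS_MODELS))
```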
  • a particular advantage includes automated detection, classification, capture and protocol reverse engineering of signals, all automatically. Embodiments may be used to automatically analyze RF emanations (signals) and wireless protocols from unknown "black-box" devices, and perform automated wireless protocol reverse engineering of such signals. Other advantages and benefits include an automated solution to: identify and study exposed surfaces of wireless systems, assess the robustness of wireless protocol
  • reverse engineer wireless command and control protocols used by malicious actors, such as anticipating a botnet's repertoire of nefarious activity
  • create protocol specifications for wireless IDS/IPS/Firewall or penetration testing
  • monitor packets from live wireless connections or captured wireless network traffic that use a wide variety of protocols
  • perform smart fuzzing of unknown protocols using the discovered protocols' vocabulary and grammar, and determine the unknown protocols' vulnerabilities
  • reverse engineer standard protocols so actual implementations may be compared to the standard specifications.
  • the system memory may include (or be part of) a distributed storage system that provides both storage and file-system, such as network-attached storage (NAS), or a distributed storage system that provides only storage, such as a storage-area-network (SAN).
  • NAS it may include software capable of file management services, including, without limitation, FreeNAS™, NASLite™, and NexentaStor™.
  • the NAS may contain one or more hard disks, arranged into logical, redundant storage containers or RAID arrays.
  • the NAS may use one or more file-based protocols including, without limitation, Network File System (NFS), Windows NT™ File System (NTFS), File Allocation Table (FAT), Server Message Block/Common Internet File System (SMB/CIFS), or Apple Filing Protocol (AFP).
  • the information stored on a memory may be stored in a database.
  • the particular architecture of the database may vary according to the specific type of data, mode of access of the data, or intended use of the data stored in the database; including, without limitation, a row-oriented data-store architecture, a column-based database management system, extensible-markup language, a knowledgebase, a frame database, or combinations thereof.
  • a database management system may organize the storage of the data in the database, tailored for the specific requirements of the present system.
  • the DBMS may use any number of query languages to access the database, including, without limitation, structured query language (SQL).
  • embodiments of the invention may use any number of protocols to communicate between server and storage, including, without limitation, the SCSI protocol, HyperSCSI protocol, iSCSI protocol, ATA over Ethernet, Fibre Channel Protocol, and Fibre Channel over Ethernet.
  • a user interface such as a graphical user interface, invocable by an application program.
  • a user interface may be understood to mean any hardware, software, or combination of hardware and software that allows a user to interact with a computer system.
  • a user interface will be understood to include one or more user interface objects.
  • User interface objects may include display regions, user activatable regions, and the like.
  • a user interface may include input devices such as a keyboard and pointing device, commonly referred to as a mouse, trackball or touch pad.
  • Other input devices may include a microphone, joystick, game pad, satellite dish, scanner, voice recognition device, keyboard, touch screen, toggle switch, pushbutton, or the like.
  • These and other input devices are often connected to a processing unit through a user input interface that is coupled to the system bus, but may be connected by other interface and bus structures, such as a parallel port, a virtual port, game port or a universal serial bus (USB) type interface.
  • a display region is a region of a user interface which displays information to the user.
  • a user activatable region is a region of a user interface, such as a button or a menu, which allows the user to take some action with respect to the user interface.
  • a user interface may be invoked by an application program.
  • When an application program invokes a user interface, it is typically for the purpose of interacting with a user. However, it is not necessary that an actual user ever interact with the user interface. It is also not necessary, for the purposes of this invention, that an interaction with the user interface be performed by an actual user. That is to say, it is foreseen that the user interface may have interaction with another program, such as a program created using macro programming language statements that simulate the actions of a user with respect to the user interface.
  • the graphical user interface may provide a user feedback. Based on the feedback, the user may select, input, and/or accept additional parameters (which includes user defined constraints) or to change parameter values. Parameters may also be added or changed automatically.
  • a user may enter commands and parameters at a computer terminal via a user interface, including a graphical user interface such as is described herein.
  • Embodiments described in this disclosure may be embodied wholly or partially in one or more computer program products supplied on any one of a variety of computer readable media.
  • the computer program product(s) may be embodied in computer language statements of the types already described herein.
  • media may include a diskette, a magnetic tape, a digital tape, a compact disc, an integrated circuit, a ROM, a CD, DVD, Blu-Ray, a cartridge, flash memory, PROM, a RAM, a memory stick or card, or any other nondestructive storage medium useable by computers, including those that are re-writable.
  • Although the enabling software might be "written on" a disc, "embodied in" an integrated circuit, "carried over" a communications circuit, "stored in" a memory chip, or "loaded in" a cache memory, it will be appreciated that, for the purposes of this application, the software will be referred to simply as being "in" or "on" the computer readable medium. Thus, the terms "in" or "on" are intended to encompass the above mentioned and all equivalent and possible ways in which software can be associated with a computer readable medium.
  • The term "computer program product" is thus used to refer to a computer readable medium, as defined above, which has on it any form of software to enable a computer system to operate according to any embodiment of the invention.
  • Software applications may include software for facilitating interaction with software modules, including user interface and application programming interfaces.
  • Software may also be bundled, especially in a commercial context, to be built, compiled and/or installed on a local computer.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Mathematical Physics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Wireless signal classifiers and systems incorporating them are disclosed, which may include an energy-based detector configured to analyze an entire set of measurements and generate a first single classification result, a cyclostationary detector configured to analyze less than the entire set of measurements and generate a second signal classification result; and a classification merger configured to merge the first signal classification result and the second signal classification result.
PCT/US2018/022639 2017-03-16 2018-03-15 System, method and apparatus for wireless frequency signal identification and protocol reverse engineering WO2018170267A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/569,565 US11251889B2 (en) 2017-03-16 2019-09-12 Wireless signal monitoring and analysis, and related methods, systems, and devices

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201762472387P 2017-03-16 2017-03-16
US62/472,387 2017-03-16

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2019/032845 Continuation-In-Part WO2020068176A2 (fr) 2017-03-16 2019-05-17 Spectrum monitoring and analysis, and related methods, systems, and devices

Related Child Applications (2)

Application Number Title Priority Date Filing Date
PCT/US2019/032845 Continuation-In-Part WO2020068176A2 (fr) 2017-03-16 2019-05-17 Spectrum monitoring and analysis, and related methods, systems, and devices
US16/569,565 Continuation-In-Part US11251889B2 (en) 2017-03-16 2019-09-12 Wireless signal monitoring and analysis, and related methods, systems, and devices

Publications (1)

Publication Number Publication Date
WO2018170267A1 true WO2018170267A1 (fr) 2018-09-20

Family

ID=63523333

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2018/022639 WO2018170267A1 (fr) 2017-03-16 2018-03-15 System, method and apparatus for wireless frequency signal identification and protocol reverse engineering

Country Status (1)

Country Link
WO (1) WO2018170267A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6175634B1 (en) * 1995-08-28 2001-01-16 Intel Corporation Adaptive noise reduction technique for multi-point communication system
US20090154291A1 (en) * 2007-12-17 2009-06-18 Ralf Ferber Attenuating Noise in Seismic Data
US20120263247A1 (en) * 2011-04-12 2012-10-18 Qualcomm Incorporated Method and apparatus for selecting reference signal tones for decoding a channel
US20130288734A1 (en) * 2007-03-08 2013-10-31 Apurva N. Mody Cognitive radio methodology, physical layer policies and machine learning

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
LI, D.: "Mixed Signal Detection and Parameter Estimation based on Second-Order Cyclostationary Features", THESIS. WRIGHT STATE UNIVERSITY, 1 December 2015 (2015-12-01), pages 1 - 42, XP055542948, Retrieved from the Internet <URL:https://etd.ohiolink.edu/!etd.send_file?accession=wright1448386709&disposition=inline> [retrieved on 20180423] *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11251889B2 (en) 2017-03-16 2022-02-15 Battelle Energy Alliance, Llc Wireless signal monitoring and analysis, and related methods, systems, and devices
WO2020068176A3 (fr) * 2018-05-18 2020-06-04 Battelle Energy Alliance, Llc Spectrum monitoring and analysis, and related methods, systems, and devices
US12418349B2 (en) 2018-05-18 2025-09-16 Battelle Energy Alliance, Llc Spectrum monitoring and analysis, and related methods, systems, and devices
CN109124635A (zh) * 2018-09-25 2019-01-04 上海联影医疗科技有限公司 Model generation method, magnetic resonance imaging scanning method, and system
EP3644652A1 (fr) * 2018-10-26 2020-04-29 Tata Consultancy Services Limited Method for detecting active radiofrequency wireless communication signal in a region
US11082148B2 (en) * 2018-10-26 2021-08-03 Tata Consultancy Services Limited Method for detecting active radiofrequency wireless communication signal in a region
EP3825703A1 (fr) * 2019-11-20 2021-05-26 Rohde & Schwarz GmbH & Co. KG Method and system for detecting and/or classifying a wanted signal
US12282049B2 (en) 2019-11-20 2025-04-22 Rohde & Schwarz Gmbh & Co. Kg Method and system for detecting and/or classifying a wanted signal
CN112202696A (zh) * 2020-10-12 2021-01-08 青岛科技大学 Automatic modulation recognition method for underwater acoustic signals based on a fuzzy autoencoder

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18768391

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18768391

Country of ref document: EP

Kind code of ref document: A1