Authentication using radio frequency fingerprinting

The network node's hybrid RFF method using passive and active techniques with machine learning and threshold-based authentication improves the precision and trustworthiness of wireless device authentication, addressing false negatives and positives.

WO2026130716A1PCT designated stage Publication Date: 2026-06-25TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Filing Date
2024-12-20
Publication Date
2026-06-25

Smart Images

  • Figure EP2024087828_25062026_PF_FP_ABST
    Figure EP2024087828_25062026_PF_FP_ABST
Patent Text Reader

Abstract

The present disclosure relates to a network node (113) configured to perform authentication of a wireless communication device (110) using radio frequency fingerprinting, and a method performed by the network node (113). In an aspect, a network node (113) is provided configured to perform authentication of a wireless communication device (110) using radio frequency fingerprinting. The network node (113) comprises a processing unit (114) and a memory (116), said memory (116) containing instructions executable by said processing unit (114), whereby the network node (113) is operative to extract (S201) a set of radio frequency features from a signal received from the wireless communication device (110), and in response to a determined (S202) measure of similarity between the extracted set of radio frequency features and a first reference set of radio frequency features associated with the wireless communication device (110) neither indicating successful device authentication (S203) nor device rejection (S204) request (S205) the wireless communication device (110) to provide a response signal from which a further set of radio frequency features is extracted (S206), and in response to a determined (S207) measure of similarity between the extracted further set of radio frequency features and a second reference set of radio frequency features associated with the wireless communication device (110) indicating a feature match, the network node (113) successfully authenticating (S208) the wireless communication device (110).
Need to check novelty before this filing date? Find Prior Art

Description

P110047W0011AUTHENTICATION USING RADIO FREQUENCY FINGERPRINTINGTECHNICAL FIELD

[0001] The present disclosure relates to a network node configured to perform authentication of a wireless communication device using radio frequency fingerprinting, and a method performed by the network node. Further disclosed are computer programs and computer program products.BACKGROUND

[0002] For wireless communication devices comprising RF circuitry such as e.g. smart phones, smart phones, tablets, desktops, gaming consoles, connected vehicles, Internet-of-Things (loT) devices and so on, imperfections in the device communication hardware may introduce distortions and errors in transmitted signals, which in turn cause a constellation of the transmitted signal to deviate from its ideal shape. For example, imperfections in transmit or receive filters may cause frequency-dependent distortions in the signal, which can cause the constellation of the signal to become skewed or tilted. Similarly, imperfections in analog-to-digital converters (ADCs) or digital-to-analog converters (DACs) of the device may cause quantization errors, which can cause the constellation of the signal to become distorted or irregular. Moreover, nonlinearities in amplifiers or mixers of the device may cause intermodulation distortion, which commonly introduces additional unwanted signals in the spectrum of the transmitted signal

[0003] Hardware designers aim to mitigate hardware imperfections utilizing various techniques in transmitters such as digital predistortion (DPD), postdistortion, interference cancellation circuits, dynamic biasing of amplification elements, etc. However, even when applying a great care in the design, it is impossible to mitigate all these imperfections in transmitters. The imperfections are also unique and vary from one transmitter to another, impacted by (but not limited to) circuit architectures, implementation, technology, etc. Further sources for causing unique hardware impairments include operating conditions, operational temperature, aging, memory types being used, etc.

[0004] An approach referred to as Radio Frequency Fingerprinting (RFF) technique has recently emerged as a promising technique for Physical Layer Security (PLS) for 5G wireless communication networks and beyond. The concept ofP110047W0012RFF is to exploit these unique hardware impairments in transmitters to uniquely identify and authenticate radio equipment such as (and not limited to) UEs and access points, to increase the trustworthiness and security of telecommunications.

[0005] However, RFF is challenging in that authentication occasionally fails, where both false negatives (i.e. a UE being incorrectly rejected when it in fact should have been authenticated) and false positives negatives (i.e. a UE being incorrectly authenticated when it should have been rejected) occur. There is thus room for improvement in the field of RFF authentication.SUMMARY

[0006] One objective is to solve, or at least mitigate, the problems in the art and thus to provide an improved approach of a network node of performing authentication of a wireless communication device using radio frequency fingerprinting.

[0007] This objective is attained in a first aspect by a network node configured to perform authentication of a wireless communication device using radio frequency fingerprinting. The network node comprises a processing unit and a memory, said memory containing instructions executable by said processing unit, whereby the network node is operative to extract a set of radio frequency features from a signal received from the wireless communication device, and in response to a determined measure of similarity between the extracted set of radio frequency features and a first reference set of radio frequency features associated with the wireless communication device neither indicating successful device authentication nor device rejection request the wireless communication device to provide a response signal from which a further set of radio frequency features is extracted, and in response to a determined measure of similarity between the extracted further set of radio frequency features and a second reference set of radio frequency features associated with the wireless communication device indicating a feature match, the network node successfully authenticating the wireless communication device.

[0008] This objective is attained in a second aspect by a method of a network device of authenticating a wireless communication device using radio frequency fingerprinting. The method comprises extracting a set of radio frequency features from a signal received from the wireless communication device, and in response toP110047W0013 determining a measure of similarity between the extracted set of radio frequency features and a first reference set of radio frequency features associated with the wireless communication device neither indicating successful device authentication nor device rejection requesting the wireless communication device to provide a response signal from which a further set of radio frequency features is extracted, and in response to determining a measure of similarity between the extracted further set of radio frequency features and a second reference set of radio frequency features associated with the wireless communication device indicating a feature match, the network node successfully authenticating the wireless communication device.

[0009] Advantageously, disclosed embodiments benefit from both passive and active RFF approaches in that the method performed by the network node relies on a passive RFF approach when confidence in the authentication is high, thereby avoiding the increase in overhead caused by using an active RFF approach. On other hand, the increased precision of the active RFF approach as compared to the passive approach is achieved by involving challenge-based authentication when the confidence is lower.

[0010] In an embodiment, the determined measure of similarity is configured to indicate successful device authentication upon exceeding an upper similarity threshold value, while being configured to indicate device rejection upon being below a lower similarity threshold value.

[0011] In an embodiment, the lower and upper similarity threshold values are configured to indicate a probability that an extracted set of radio frequency features matches a prestored reference set of radio frequency features.

[0012] In an embodiment, the network node is further operative to acquire the first prestored reference sets of radio frequency features for the wireless communication device by passively receiving signals from the wireless communication device from which the first reference set of radio frequency features is extracted and stored.

[0013] In an embodiment, the network node is further operative to acquire the first prestored reference sets of radio frequency features for the wireless communication device by requesting the wireless communication device to provideP110047W0014 response signals from which the first set of radio frequency features is extracted and stored.

[0014] In an embodiment, the request to provide response signals from which the first set of radio frequency features is extracted and stored for the wireless communication device is configured to have the wireless communication device operate under linear conditions upon providing the response signals.

[0015] In an embodiment, the network node is further operative to acquire the second prestored reference set of radio frequency features for the wireless communication device by requesting the wireless communication devices to provide response signals from which the second set of radio frequency features is extracted and stored.

[0016] In an embodiment, the network node is further operative to acquire the second prestored reference set of radio frequency features for the wireless communication device by requesting the wireless communication devices to provide response signals from which the second set of radio frequency features is extracted and stored.

[0017] In an embodiment, the request to provide response signals from which the second set of radio frequency features is extracted and stored for the wireless communication device is configured to have the wireless communication device operate under non-linear conditions upon providing the response signals.

[0018] In an embodiment, the network node is further operative to instruct the wireless communicate device to store the device configuration being applied upon providing the response signal and an associated time stamp for the provision.

[0019] In an embodiment, the network node is further operative to, upon requesting the wireless communication device to provide a response signal from which a further set of radio frequency features is extracted, request the wireless communication device to apply the stored device configuration used to provide the response signal at the time indicated by the associated time stamp, wherein the measure of similarity is determined between the extracted further set of radio frequency features and the second reference set of radio frequency signals corresponding to the second reference set acquired at said time.P110047W0015

[0020] In an embodiment, the network node is further operative to, upon requesting the wireless communication device to provide a response signal from which a further set of radio frequency features is extracted, request the wireless communication device to provide a response signal from which the further set of radio frequency features is extracted by applying a device configuration that was previously utilized upon providing the response signal from which the second reference set of radio frequency features associated with the wireless communication device was extracted.

[0021] In an embodiment, the network node is further operative to store the extracted further set of radio frequency features as a further reference set of radio frequency features associated with the wireless communication device if the further set of radio frequency features results in successful authentication of the wireless communication device.

[0022] In a third aspect, a computer program is provided comprising computerexecutable instructions for causing a network node to perform steps recited in the method of the second aspect when the computer-executable instructions are executed on a processing unit included in the network node.

[0023] In a fourth aspect, a computer program product is provided comprising a computer readable medium, the computer readable medium having the computer program according to the third aspect embodied thereon.

[0024] Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a / an / the element, apparatus, component, means, step, etc." are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.BRIEF DESCRIPTION OF THE DRAWINGS

[0025] Aspects and embodiments are now described, by way of example, with reference to the accompanying drawings, in which:

[0026] Figure 1 illustrates a wireless communication network in which embodiments may be implemented;P110047W0016

[0027] Figure 2 shows a network node in the form of a radio base station gathering radio frequency features from wireless communication devices;

[0028] Figure 3 illustrates the probability of successful device authentication or rejection;

[0029] Figure 4 shows a flowchart illustrating a method according to an embodiment;

[0030] Figure 5 illustrates extracting a first set of radio frequency features from a wireless communication device;

[0031] Figure 6 illustrates extracting a second set of radio frequency features from a wireless communication device; and

[0032] Figure 7 illustrates a network node according to an embodiment.DETAILED DESCRIPTION

[0033] Aspects of the present disclosure will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the invention are shown.

[0034] These aspects may, however, be embodied in many different forms and should not be construed as limiting; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and to fully convey the scope of all aspects of invention to those skilled in the art. Like numbers refer to like elements throughout the description.

[0035] Figure 1 illustrates a schematic illustration of a wireless communication system 100 in which embodiments maybe implemented. In the wireless communication system 100, a first set of devices no, 111, 112 in the form of User Equipment (UE), e.g. smart phones, tablets, desktops, gaming consoles, connected vehicles, Internet-of-Things (loT) devices, etc., are served by a first network node 113 which in this example is embodied in the form of a radio base station (RBS). In a 5G wireless communication system, the radio base station is commonly referred to as gNodeB.

[0036] The network node 113 may be composed of multiple physically separate components (e.g., a gNodeB component and a radio network controller (RNC) component, or a base transceiver station (BTS) component and a base stationP110047W0017 controller (BSC) component, etc.), which may each have their own respective components. In certain scenarios in which the network node 113 comprises multiple separate components (e.g., BTS and BSC components), one or more of the separate components maybe shared among several network nodes (not illustrated). For example, a single RNC may control multiple gNodeBs. In such a scenario, each unique gNodeB and RNC pair, may in some instances be considered a single separate network node. In some embodiments, the network node 113 may be configured to support multiple radio access technologies (RATs). In such embodiments, some components may be duplicated (e.g., separate memory for different RATs) and some components maybe reused (e.g., a same antenna maybe shared by different RATs). The network node 113 may also include multiple sets of the various illustrated components for different wireless technologies integrated into network node 113, for example Global System for Mobile Communications (GSM), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), New Radio (NR), sixth generation (6G) wireless communication radio networks, WiFi, Zigbee, Z-wave, Long Range Wide Area Network (LoRaWAN), Radio Frequency Identification (RFID) or Bluetooth wireless technologies. These wireless technologies may be integrated into the same or different chip or set of chips and other components within the network node 113. The network node 113 will in the following be exemplified in the form of a radio base station RBS 113.

[0037] The radio bese station RBS 113 is connected to a core network 130, such has e.g., a 3rd Generation Partnership Project (3GPP) 5thgeneration core (5GC) network, and the 5GC network 130 is typically in turn connected to the Internet, in this example illustrated with the 5GC network connected to a cloud server 150.

[0038] As previously mentioned, the concept of RFF is utilized to exploit unique hardware impairments in radio transmitters to uniquely identify and authenticate radio equipment in UEs and access points in order to increase the trustworthiness and security of telecommunications.

[0039] Figure 2 illustrates the use of RFF at the radio base stationRBS 113 for authenticating the three UEs 110-112.

[0040] There are two types of RFF approaches; passive and active.P110047W0018

[0041] Active RFF involves sending Sioi active probing signals or sequence of signals from the radio base stationRBS 113 to the UEs 110-112 in the form of signals5101, S103 and S104 and measuring the corresponding RF signals in S102, S104, S106 received for each UE to identify unique characteristics and build an RF fingerprint database. This approach can provide more accurate and reliable fingerprints, especially in environments with high levels of noise or interference. However, it may be more intrusive and may require more resources to implement. Thus, an RF fingerprint dataset maybe built, which dataset may comprise multidimensional vectors extracted by utilizing machine learning (ML).

[0042] Passive RFF has been studied for decades and involves analysing signals5102. S104 and S104 that are already being transmitted by the UEs 110-112 in an opportunistic way, i.e. without first triggering the UEs 110-112 by sending probing signals in S101, S103 and S105. The probing signals S101, S103 and S105 maybe the same or different for each of the UEs no, 111 and 112.

[0043] A receiver at the 113 is listening to the transmissions from the UEs no, 111 and 112 and receives symbols. ML algorithms may then perform the identification.

[0044] Both passive and active RFF approaches come with their distinct advantages and drawbacks. The passive approach is beneficial as it does not demand extra bandwidth or introduce latency, since there is no need for unique data packets or transmissions. However, passive RFF may result in a higher false positive rate if signatures extracted by the radio base station RBS 113 from the signals of the UEs 110-112 received in S102, S104 and S106 are not distinct enough. Additionally, the effectiveness of passive RFF can be influenced by environmental changes, such as noise and interference.

[0045] Also, both passive and active RFF approaches have issues in terms of trustworthiness in authentication. For instance, passive RFF approaches are vulnerable to impersonation attacks by adversaries who can generate fake RF features which resemble the prestored RF features to such an extent than the adversary is authenticated. Further, with passive RFF approaches, it maybe difficult to maintaining the accuracy of the RF feature database over time due to changes in the RF environment or device hardware. Active RFF approaches on the other handP110047W0019 causes additional power consumption of the device due to the active triggering, which impacts battery life and user experience.

[0046] The active RFF approach, with its designated signals for RFF, can potentially offer a higher accuracy in device authentication. Active RFF generally consumes more bandwidth and the continuous challenging by the radio base station RBS 113 of the UEs 110-112 can be more intrusive and might affect regular operations of the UEs 110-112. Further, in terms of resource demands and energy efficiency, the active approach typically requires more power due to the continuous transmissions and challenge-response mechanisms, whereas the passive approach is generally more energy-efficient as it merely observes existing transmissions without initiating new ones.

[0047]

[0048] Recently, the use of machine learning (ML) algorithms for automated RFF recognition has emerged. Using ML for RFF involves training a model by using a set of labelled data, dedicated to RFF extraction which consists of a collection of signals transmitted by the UEs. Labelled data can be obtained during a registration phase when the radio base station RBS 113 collects RF fingerprint data from each UE no- 112 and labels it with a unique identifier or device ID for each UE 110-112. Once the machine learning model has been trained, the unique fingerprint for each UE no- 112 is stored in a database to which the radio base station RBS 113 has access.During a subsequent RFF authentication phase, when a UE 110 sends a connection request signal, RF fingerprint data is extracted by the radio base station RBS 113 from the connection request signal and fed into the machine learning model, which compares the RF fingerprint data extracted to the stored RF fingerprints data in the database to authenticate the UE upon successful match of the two sets of RF fingerprint data and grant network access to the UE

[0049] To conclude, an RF signal is received in S102, S104 or S106 from the UEs no, 111 and 112. These RF signals maybe received at the same or different time instants, since the UEs no, 111 and 112 are each RFF authenticated separately. In case of active RFF, these signals are triggered in S101, S103 and S105 by the radio base station RBS 113, whereas in case of passive RFF, this is the result of normal communications between the UEs 110, 111 and 112 and the radio base station RBS 113. Regardless whether or not active or passive RFF is utilized, the radio baseP110047W00110 station RBS 113 will from the signals received in S102, S104 and S106 extract unique RF features caused by hardware impairments of the UEs no, 111 and 112 and store these RF features for each UE 110, 111 and 112 for later authentication. Upon the UEs no, 111 and 112 subsequently sending their connection request signal to the radio base station RBS 113, the radio base station RBS 113 will again extract RF features from these connection request signals and compare the RF features of each of the connection request signals to the stored RF features and if there is a match, one or more of the UEs no, 111 or 112 are authenticated by the radio base station RBS 113.

[0050] As is understood, the gathered sets of RF features associated with the UEs 110-112 may be stored locally at the radio base station RBS 113 or remotely from the radio base station RBS 113, such as at the server 150.

[0051] The training of an ML model for both passive and active approaches would be similar with some small variations, as described in the following.

[0052] During passive RFF, ambient RF signals from each of the UEs 110-112 are collected in S102, S104 and S106 by the radio base station RBS 113 over various sessions. From these RF signals, relevant RF features that represent the hardware impairments or unique characteristics of the transmitters of each of the UEs 110-112 are extracted. Each extracted feature set is labelled or associated with a corresponding UE ID. A machine learning model is trained on this labelled dataset. The model learns to associate specific RF characteristics / features with a particular UE ID.

[0053] During active RFF, specific challenges are sent in S101, S103 and S105 to each of the UEs 110-112, and their responses in S102, S104 and S106 are recorded. The response signals are processed to extract features that highlight unique hardware characteristics of each UE 110-112. The nature of these features may vary based on configuration of the challenge signals sent in S101, S103 and S105. Similar to the passive approach, each set of features is labelled with the ID of the UE 110-112 that the response signals originate from. A supervised machine learning model is trained on this labelled dataset. Given the controlled nature of the active approach (i.e. sending specific challenge signals), there might be a chance for clearer distinctions between the UEs 110-112, potentially leading to better model performance. The process of Figure 2 of extracting RF features from the incomingP110047W00111 signals of S102, S104 and S106 is sometimes referred to as a training phase which can be stored later as numerical vectors..

[0054] In other words, during passive RFF, the radio base station RBS 113 receives signals in S102, S104 and S106 from the UEs 110-112 for RF feature extraction as a result of regular UE transmissions, whereas during active RFF, the radio base station RBS 113 sends probing signals in S101, S103 and S105 to cause the UEs 110-112 to provide response signals in S102, S104 and S106 for RF feature extraction.

[0055] Figure 3 illustrates the probability of a device (such as the UEs 110-112) being successfully authenticated (or rejected), in this particular example by the radio base station RBS 113. The x-axis represents probability while the y-axis represents the number of signals received for the RFF authentication. Thus, Figure 3 illustrates distribution of devices being successfully authenticated or rejected.

[0056] As is understood, when determining whether or not a set of extracted RF features of e.g. the UEs 110-112 matches a corresponding prestored set of RF features previously extracted by the radio base station RBS 113 from the received signal in S102, S104 and S106 (as previously described), the radio base station RBS 113 will compare the currently extracted set of RF features for each signal in S102, S104 and S106 with the prestored set of RF features, and if the two sets of RF features are sufficiently similar - i.e. if an estimated probability that the currently extracted set of RF features indeed corresponds to the prestored set of RF features for the UEs 110-112 is sufficiently high - then there is a match between the two RF feature sets, and the one or more UEs no, 111 or 112 are successfully authenticated by the radio base station RBS 113.

[0057] As illustrated in Figure 3, successful authentication occurs if a determined measure of similarity exceeds an upper threshold value TU, i.e. in practice exceeding a certain probability.

[0058] On the other hand, it the determined measure of similarity falls below a lower threshold value TL, i.e. in practice being below a given probability due to the two sets of RF features showing poor resemblance, one or more of the UEs no, 111 or 112 are rejected.P110047W00112

[0059] As further can be seen, there is a slight risk of both false negatives (i.e. a UE being incorrectly rejected when it in fact not should have been) and false positives (i.e. a UE being incorrectly authenticated when it should have been rejected). As is understood, such incorrect decisions can in practice not be completely avoided but should preferably be as few as possible.

[0060] In other words, the probabilities reflect the confidence of the feature matching process that the set of features extracted from the incoming RF signal originates from the particular device under consideration. A high predicted probability indicates a strong match between the current features of the RF signal and the features extracted in the training phase and stored at the radio base station RBS 113. Conversely, a lower probability might suggest a weaker match or potential discrepancies.

[0061] However, there is another scenario where the determined measure of similarity is neither below the lower threshold value TL nor above the upper threshold value TU, which is problematic since the UEs 110-112 under consideration neither can be successfully authenticated nor correctly rejected by the radio base station RBS 113, and further verification will be performed according to an embodiment.

[0062] Figure 4 shows a flowchart illustrating a method according to an embodiment for resolving this issue, where additional actions are taken for further verification as will be described in the following. Although in this example the decision for additional actions to be taken is based on the probabilities illustrated in Figure 3, such actions may also be initiated in situations where any one of the UEs 110-112 is considered suspicious. For instance, this may occur if a UE has previously been compromised in an attack, if the user is deemed untrustworthy based on other security measures, or if there are irregularities in the UE’s positioning data.

[0063] Thus, similar to what has previously been described, a set of RF features is extracted by the radio base station RBS 113 in S201 from a signal received from the UE no. This maybe performed during normal operation of the UE no (i.e. at this stage, a passive RFF approach maybe utilized).

[0064] However, if in this embodiment the radio base station RBS 113 concludes from the measure of similarity determined in S202, upon comparing the extractedP110047W00113 set of RF features for the UE no to a first prestored reference set of RF features associated with the UE no, that the measure of similarity neither indicates successful device authentication in S203 nor device rejection in S204, the radio base station RBS 113 proceeds to requesting in S205 that the UE 110 responds with an RF signal from which a further set of RF features can be extracted in S206. In other words, an active RFF approach is applied in S205 where the radio base station RBS 113 sends a probing signal to which the UE 110 provides a response signal (cf. S101 and S102 of Figure 2).

[0065] As illustrated in Figure 4, in this exemplifying embodiment, the radio base station RBS 113 will authenticate the UE no in S203 if in S202 the measure of similarity exceeds the upper threshold value TU or reject the UE no in S204 if in S202 the measure of similarity is below the lower threshold value TL

[0066] Now, if in this embodiment the radio base station RBS 113 concludes from the measure of similarity determined in S207, upon comparing the extracted further set of RF features for the UE 110 to a second prestored reference set of RF features associated with the UE 110, that the measure of similarity indicates a match for the two sets of RF features, the UE 110 is authenticated in S208. If not, the UE 110 is rejected in S209.

[0067] In an embodiment, the two sets of RF features are considered to match if the measure of similarity exceeds the upper threshold value TU. However, the radio base station RBS 113 may determine that a match occurs also in a scenario where the measure of similarity exceeds another threshold value which may be set higher or lower than the upper threshold value TU.

[0068] Reasons for rejecting the UE no in S209 or successfully authenticating the UE 110 in S208 (which decisions could not be taken in S202 with sufficient confidence) maybe - in case of rejection in S209- that a malicious attack is performed involving one or more signal spoofing, encryption, or deliberate signal distortion. In case of successful authentication in S208, the determining in S202 may have been affected by environmental factors such as temperature or humidity, or changes in the location or orientation of the UE no, which could lead to degradation of the prediction process.P110047W00114

[0069] Advantageously, the method according to the described embodiment benefits from both passive and active RFF approaches in that the method relies on a passive RFF approach when the confidence in the authentication is high, thereby avoiding the increase in overhead caused by using an active RFF approach. On other hand, the increased precision of the active RFF approach as compared to the passive approach is achieved by involving challenge-based authentication when the confidence is lower.

[0070] Figures 5 and 6 illustrate embodiments showing the extracting and storing of RF features performed by the radio base station RBS 113, i.e. what is commonly referred to as the training phase. For brevity, only a single UE no is illustrated but as is understood, RF features of hundreds or even thousands of UEs are in practice extracted.

[0071] As previously described, the radio base station RBS 113 extracts at least a first and a second set of RF features for the UE 110.

[0072] In the exemplifying embodiment of Figure 5, the first set of reference RF features is extracted, and two methods of the radio base station RBS 113 acquiring the first set of reference RF features will be described.

[0073] In a first example, the radio base station RBS 113 requests in S301 the UE no to provide response signals in S302 from which the first set of RF features is extracted and stored in S303 for the UE 110. In this exemplifying embodiment, in addition to the RF features themselves and a UE ID, a timestamp is optionally stored indicating when the first set of RF features is acquired.

[0074] The request sent from the radio base station RBS 113 in S301 is configured to instruct the UE 110 to replicate conditions typically present during passive RFF operation. This strategy aims to elicit a response from the UE no that is indistinguishable from (or at least mimics) its standard emissions as seen during normal transmission scenarios. For the UE no, this request results in a response signal in S302 that aligns with its usual operational behaviour, thereby maintaining the natural characteristics of its RF emissions for accurate fingerprinting. For example, the radio base station RBS 113 might emulate a standard communication request that the UE 110 would respond to during its regular use. Also, by carefully selecting the parameters such as output power, carrier frequency, supply voltage,P110047W00115 bias conditions, etc., the active request can closely match the typical operating conditions of the UE no. For instance, the UE 1110 maybe operated with a certain output power back-off, ensuring power amplifier(s) of the UE no to operate in a linear region, and not distorting the transmission heavily. This would cause the UE no to generate a response that has similar characteristics to those observed when no active request is made.

[0075] In a second example, the radio base station RBS 113 does not actively request the UE 110 to provide response signals in S302 from which the first set of RF features is extracted and stored in S303 for the UE 110, but passively receives the response signals during normal operation of the UE 110 (i.e. a passive RFF approach is utilized). In other words, in the second example, no probing signal is sent in S301. Again, in addition to the RF features themselves and a UE ID, a timestamp is optionally stored indicating when the first set of RF features is acquired.

[0076] In the exemplifying embodiment of Figure 6, the second set of reference RF features is extracted, where the radio base station RBS 113 requests in S401 the UE no to provide response signals in S402 from which the first set of RF features is extracted and stored in S403 for the UE no. In this exemplifying embodiment, in addition to the RF features themselves and a UE ID, a timestamp is optionally stored indicating when the second set of RF features is acquired.

[0077] In this embodiment, when extracting the second set of RF features for the UE 110, the aim of the radio base station RBS 113 is in S401 to trigger the UE 110 to provide a response signal in S402 that deviates from the normal operation of the UE no to elicit a response under atypical conditions, thereby making the RF features more distinct and easier to detect. For example, the UE 110 maybe operated at high output power for which the power amplifier, close to saturation, will have a highly non-linear behaviour, enhancing non-ideal properties of the transceiver and distorting the transmitted signal.

[0078] Thus, received signals from N UEs for a certain request may be used for ML training to attain RFF data which reflects typical hardware imperfections and operational behaviour as well as atypical conditions for the UEs.

[0079] Again with reference to Figure 6, the request in S401 for the UE no to provide the response signal in S402 may in an embodiment include an instructionP110047W00116 to the UE no to store the device configuration being applied upon providing the response signal in S402, and an associated time stamp for the provision.

[0080] In such an embodiment, upon the radio base station RBS 113 requesting the UE no in S205 to provide a response signal from which a further set of RF features is extracted, the radio base station RBS 113 may further request the UE no to apply the stored device configuration used to provide the response signal at the time indicated by the associated time stamp (i,e. the response signal previously sent to the radio base station RBS 113 in S402 at said time), wherein the measure of similarity is determined in S207 between the extracted further set of RF features and the second reference set of RF signals corresponding to the second reference set acquired at said time.

[0081] In another embodiment, upon the radio base station RBS 113 requesting the UE no in S205 to provide a response signal from which a further set of RF features is extracted, the radio base station RBS 113 may further request the UE no to provide a response signal from which the further set of RF features is extracted by applying a device configuration that was previously utilized upon providing the response signal from which the second reference set of RF features associated with the wireless communication device no was extracted(i,e. the response signal previously sent to the radio base station RBS 113 in S402).

[0082] In yet another embodiment, upon the radio base station RBS 113 requesting the UE 110 in S205 to provide a response signal from which a further set of RF features is extracted, the radio base station RBS 113 may store the extracted further set of RF features as a further reference set of RF features associated with the UE 110, if the further set of RF features results in successful authentication of the UE 110 in S208. Advantageously, this maybe used to populate the database of the radio base station RBS 113 with trusted sets of RF features. Such RF features may help to learn the changing RF features due to the UE 110 aging.

[0083] Figure 7 illustrates a network node in the form of the radio base station RBS 113 configured to perform authentication of a wireless communication device no using radio frequency fingerprinting according to an embodiment. The steps of the method performed by the radio base station RBS 113 are in practice performed by a processing unit 114 embodied in the form of one or more microprocessors arranged to execute a computer program 115 downloaded to a storage medium 116P110047W00117 associated with the microprocessor, such as a Random Access Memory (RAM), a Flash memory or a hard disk drive. The processing unit 114 is arranged to cause the radio base station RBS 113 to carry out the method according to embodiments when the appropriate computer program 115 comprising computer-executable instructions is downloaded to the storage medium 116 and executed by the processing unit 114. The storage medium 116 may also be a computer program product comprising the computer program 115. Alternatively, the computer program 115 may be transferred to the storage medium 116 by means of a suitable computer program product, such as a Digital Versatile Disc (DVD) or a memory stick. As a further alternative, the computer program 115 may be downloaded to the storage medium 116 over a network. The processing unit 114 may alternatively be embodied in the form of a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a complex programmable logic device (CPLD), etc. The radio base station RBS 113 further comprises a communication interface 117 (wired or wireless) over which it is configured to transmit and receive data.

[0084] Thus, while various aspects and embodiments have been disclosed herein, other aspects and embodiments will be apparent to those skilled in the art. The various aspects and embodiments disclosed herein are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated by the following claims.

Claims

P110047W00118CLAIMS1. A network node (113) configured to perform authentication of a wireless communication device (110) using radio frequency fingerprinting, the network node (113) comprising a processing unit (114) and a memory (116), said memory (116) containing instructions executable by said processing unit (114), whereby the network node (113) is operative to: extract (S201) a set of radio frequency features from a signal received from the wireless communication device (110); and in response to a determined (S202) measure of similarity between the extracted set of radio frequency features and a first reference set of radio frequency features associated with the wireless communication device (110) neither indicating successful device authentication (S203) nor device rejection (S204): request (S205) the wireless communication device (110) to provide a response signal from which a further set of radio frequency features is extracted (S206); and in response to a determined (S207) measure of similarity between the extracted further set of radio frequency features and a second reference set of radio frequency features associated with the wireless communication device (110) indicating a feature match, the network node (113) successfully authenticating (S208) the wireless communication device (110).

2. The network node (113) of claim 1, wherein the determined measure of similarity is configured to indicate successful device authentication upon exceeding an upper similarity threshold value (TU), while being configured to indicate device rejection upon being below a lower similarity threshold value (TL).

3. The network node (113) of claim 1, wherein the lower and upper similarity threshold values (TU, TL) are configured to indicate a probability that an extracted set of radio frequency features matches a prestored reference set of radio frequency features.

4. The network node (113) of any one of the preceding claims, further being operative to: acquire the first prestored reference sets of radio frequency features for the wireless communication device (110) by passively receiving (S302) signals from theP110047W00119 wireless communication device (no) from which the first reference set of radio frequency features is extracted (S303) and stored.

5. The network node (113) of any one of claims 1-3, further being operative to: acquire the first prestored reference sets of radio frequency features for the wireless communication device (no) by requesting (S301) the wireless communication device (no) to provide (S302) response signals from which the first set of radio frequency features is extracted (S303) and stored.

6. The network node (113) of claim 5, wherein the request (S301) to provide (S302) response signals from which the first set of radio frequency features is extracted (S303) and stored for the wireless communication device (110) is configured to have the wireless communication device (no) operate under linear conditions upon providing the response signals.

7. The network node (113) of any one of the preceding claims, further being operative to: acquire the second prestored reference set of radio frequency features for the wireless communication device (no) by requesting (S401) the wireless communication devices (no) to provide (S402) response signals from which the second set of radio frequency features is extracted (S403) and stored.

8. The network node (113) of claim 7, wherein the request (S401) to provide (S402) response signals from which the second set of radio frequency features is extracted (S403) and stored for the wireless communication device (110) is configured to have the wireless communication device (no) operate under non-linear conditions upon providing the response signals.

9. The network node (113) of any one of claims 7-8, further being operative to, upon acquiring the second prestored reference set of radio frequency features: instruct (S401) the wireless communicate device (no) to store the device configuration being applied upon providing the response signal and an associated time stamp for the provision.

10. The network node (113) of claim 9, further being operative to, upon requesting (S205) the wireless communication device (no) to provide a response signal fromP110047W00120 which a further set of radio frequency features is extracted: request the wireless communication device (no) to apply the stored device configuration used to provide the response signal at the time indicated by the associated time stamp, wherein the measure of similarity is determined between the extracted further set of radio frequency features and the second reference set of radio frequency signals corresponding to the second reference set acquired at said time. n. The network node (113) of any one of the preceding claims, further being operative to, upon requesting (S205) the wireless communication device (110) to provide a response signal from which a further set of radio frequency features is extracted: request the wireless communication device (110) to provide a response signal from which the further set of radio frequency features is extracted by applying a device configuration that was previously utilized upon providing the response signal from which the second reference set of radio frequency features associated with the wireless communication device (110) was extracted.

12. The network node (113) of any one of the preceding claims, further being operative to: store the extracted further set of radio frequency features as a further reference set of radio frequency features associated with the wireless communication device (no) if the further set of radio frequency features results in successful authentication (S208) of the wireless communication device (no).

13. A method of a network device (113) of authenticating a wireless communication device (no) using radio frequency fingerprinting, the method comprising: extracting (S201) a set of radio frequency features from a signal received from the wireless communication device (no); and in response to determining (S202) a measure of similarity between the extracted set of radio frequency features and a first reference set of radio frequency features associated with the wireless communication device (110) neither indicating successful device authentication (S203) nor device rejection (S204): requesting (S205) the wireless communication device (110) to provide a response signal from which a further set of radio frequency features is extracted (S206); andP110047W00121 in response to determining (S207) a measure of similarity between the extracted further set of radio frequency features and a second reference set of radio frequency features associated with the wireless communication device (110) indicating a feature match, the network node (113) successfully authenticating (S208) the wireless communication device (110).

14. A computer program (115) comprising computer-executable instructions for causing the network node (113) to perform steps recited in claim 13 when the computer-executable instructions are executed on a processing unit (114) included in the network node (113).

15. A computer program product comprising a computer readable medium (116), the computer readable medium (116) having the computer program according to claim 14 embodied thereon.