Reconfigurable Antenna Assisted Intrusion Detection in Wireless Networks

Intrusion detection is a challenging problem in wireless networks due to the broadcast nature of the wireless medium. Physical layer information is increasingly used to protect these vulnerable networks. Meanwhile, reconfigurable antennas are gradually finding their way into wireless devices due to their ability to improve data throughput. In this paper, the capabilities of reconfigurable antennas are used to devise an intrusion detection scheme that operates at the physical layer. The detection problem is posed as a GLRT problem that operates on the channels corresponding to the different modes of a reconfigurable antenna. The performance of the scheme is quantified through field measurements taken in an indoor environment at the 802.11 frequency band. Based on the measured data, we study the achievable performance and the effect of the different control parameters on the performance of the intrusion detection scheme. The effect of pattern correlation between the different modes on the scheme's performance is also analyzed, based on which general guidelines on how to design the different antenna modes are provided. The results show that the proposed scheme can add an additional layer of security that can significantly alleviate many vulnerabilities and threats in current fixed wireless networks.


Introduction
Attacks on wireless networks have become increasingly sophisticated with the increasing pervasiveness of these networks. It is challenging to detect and counteract intrusions in wireless networks due to the inherent broadcast nature of the medium. Among many known security risks, man-inthe-middle attacks and spoofing attacks [1] pose a significant intrusion threat to wireless networks since such attacks allow intruders to hijack a connection already established by a legitimate user. Though advanced wireless intrusion protection and detection systems have been developed and deployed to mitigate such threats, it has been repeatedly demonstrated that each method has its point of failure and no single method guarantees protection against all attacks [2,3].
Such a hostile landscape requires multiple levels of defense for network protection. This requirement has gradually led to a more cross-layer approach to wireless security in recent times where security mechanisms are being deployed at different layers of the network. Particularly channel information available at the physical layer is being increasingly used to provide an additional degree of protection against intruders. Schemes that employ channel based security techniques can be categorized into encryption and authentication schemes. The former uses the wireless channel as a source for encryption key generation [4][5][6][7][8][9], while the latter utilizes a metric derived from the channel information as an identifier for authentication [10][11][12][13][14][15][16].
Intrusion detection has traditionally been categorized into misuse detection or anomaly detection techniques. While the former uses patterns characteristic of known attacks to detect known intrusions, the latter relies on detecting deviations from the established behavior patterns in the system [17]. In many usage scenarios, where the physical link remains unchanged over a session, the wireless channel response corresponding to the link can be considered to represent the established behavior pattern for that link. Any changes that violate this pattern abruptly beyond a certain limit can be then checked for adversarial behavior. In this paper, we follow this approach where the channel is monitored for any abrupt changes in its statistics through repeated applications of the generalized likelihood ratio test (GLRT) [18]. The scheme is based on the idea that the statistics of the link corresponding to an intruder who is physically located at a different location will be different from that of the legitimate user and when the intruder tries to inject packets over the same connection, it will trigger an abrupt change in the GLR value.
Additionally we utilize a pattern reconfigurable antenna to improve the performance of the intrusion detection scheme. The ability of pattern reconfigurable antennas to enhance system throughput has been well demonstrated [19]. By picking antenna modes that are decorrelated in their radiation patterns, decorrelated channel realizations can be obtained to enhance system performance. Hence channels corresponding to different modes of the antenna can be expected to have different statistics, a property which is exploited to the benefit of the proposed detection scheme. However, the use of reconfigurable antennas (pattern diversity) should be differentiated from schemes that use multiple antennas (spatial diversity) with perfect decorrelation between the elements [11,14,16]. We relax any assumptions about channel correlation between the different diversity branches and specifically quantify the effect of correlation on detection performance. Moreover, a reconfigurable antenna provides a more practically viable solution to generate multiple channel realizations than spatially separated multiple antenna elements due to cost and space constraints.
In many public open networks (e.g., coffee shops) higher level authentication solutions are usually not implemented. Freely available software tools such as Firesheep can be used to simply execute session hijacking attacks when users visit insecure websites in such networks [20]. A wireless access point equipped with reconfigurable antennas that can implement the proposed method can be used to provide a layer of security that can significantly alleviate such security threats in these networks. In networks with higher level security mechanisms for encryption, authentication, and integrity, the proposed scheme can complement those mechanisms while they continue to play their part in securing the wireless link.
The rest of the paper is organized as follows. The intrusion detection problem and the threat model are described in Section 2. The detection scheme is described and the GLRT for intrusion detection is developed in Section 3. The channel measurement procedure is described in Section 4. We justify our assumption regarding the probability distribution of the channels in Section 5. The performance of the scheme is analyzed and the results are presented in Section 6. Some practical considerations are discussed in Section 7 before we conclude this paper in Section 8.

Problem Definition and Threat Model
The problem that is addressed in this paper is one of detecting an intruder who has gained access into the system by means of hijacking a connection already established by a legitimate user. The problem scenario consists of three players: the receiver R, transmitter T, and an intruder I. Transmitter T and receiver R have established a connection and are in the process of exchanging information as shown in Figure 1(a). Intruder I eavesdrops into this connection and waits till he gathers sufficient information to spoof T. A surprisingly large number of vulnerabilities exist in modern wireless access technologies that allow I to obtain this information with relative ease. Once this information is obtained, I launches a spoofing attack by posing as T to R as shown in Figure 1 To gain a practical perspective of the problem, R can be thought of as a wireless access point through which T is connected to the organizational network. I can be an adversarial entity whose objective is to gain entry into the organizational network, hijack T's connection with R, or launch a man-in-the-middle attack on the connection between T and R among other possibilities. The objective of the security scheme is to detect this change in the real transmitter at R in order to initiate counter measures.
To achieve his goal, I can be equipped with a powerful transceiver capable of passively monitoring and capturing all traffic between T and R and sufficient computational resources to analyze the traffic to exploit the vulnerabilities in relatively quick time. I can be an external adversary attempting to launch an attack on the network from outside the organization's premises or an internal entity who is interested in launching an attack on T. In both cases, we note that I cannot be physically colocated with T which forms the basis of our method for intrusion detection.
It should be noted that I's motive is to compromise T's identity in the network and therefore it is imperative for I that T first initiates and establishes a connection with R. Therefore, it is assumed that I will not resort to jamming attacks to prevent T from establishing a successful connection with R.
International Journal of Distributed Sensor Networks 3 Additionally, we assume that only R is equipped with a reconfigurable antenna with modes since it is more likely that an access point is equipped with such an antenna than a user terminal due to cost and space constraints. Therefore, we also assume T and R to be equipped with standard omnidirectional antennas.
As stated earlier, the proposed solution exploits the fact that T and I have to be located in two different physical locations which would be manifested by two different channel distributions sensed by R. Due to the multipath structure of the environment, I cannot methodically manipulate the channel between itself and R in such a way as to imitate the channel between T and R. This is because it does not and cannot know the channel between T and R. Introducing reconfigurable antennas to the solution adds multiple channel distributions corresponding to each mode used in the antenna. This makes the problem of closely matching the channel corresponding to T even more challenging for I which results in enhanced protection. However, it should be noted that our scheme does not attempt to localize T or I. Instead, channel information pertaining to the different antenna modes is used to detect I if it compromises the existing link between T and R.

Description of Scheme
With the notable exception of mobile networks, many current and emerging wireless data networks are associated with stationary terminals at both ends of the link. Temporal variations in channels related to such networks arise mainly due to movements of people and objects in the vicinity of the terminals as well as small localized movement of the terminals within a very small area [21][22][23]. A typical example for such a scenario would be a user seated at a bench in a public place accessing the network from a laptop connected to an access point in the vicinity. This work addresses intrusion problems that pertain to such wireless network usage scenarios and does not address large-scale terminal mobility.
The amplitude of the estimated complex channel coefficient, corresponding to a single frequency carrier , is denoted by ℎ. The probability distribution of ℎ follows a Ricean or Rayleigh distribution. We choose the latter distribution with parameter to describe ℎ for reasons that will be discussed in Section 5: During the connection establishment process, = 0 corresponding to T is estimated through a sequence of training packets. At some time instant when I succeeds in spoofing T, it will hijack this connection. However, since I is at a physically different location, = 1 , corresponding to this link, will be different from 0 and will be unknown. Let ℎ ( ∈ Z, > 0) be a sequence of observed i.i.d. channel estimates from the incoming packets after the initial training stage and h = [ℎ , . . . , ℎ ]. can be taken to denote the packet or time index. = − + 1 is the block size. If we denote (h) as the value of the Rayleigh distribution from which the elements of h originated, the intrusion detection problem can be now formulated as a hypothesis testing problem as follows: We employ a Neyman-Pearson detector which decides H 1 if the likelihood ratio exceeds a threshold: However, 1 is not known in our case. In this case, it is well known that the GLRT which replaces 1 with its maximum likelihood estimate (MLE) is asymptotically the uniformly most powerful among all tests [18]. Hence, we resort to the GLRT that uses the MLE of 1 denoted bŷ1. Estimation is done over the elements in block h. The MLE for 2 1 is given by [ Substituting (4) into (3) and simplifying yields: The use of multiple antenna modes will result in different channel realizations at each time instant. The environment "seen" by the different modes of the antennas will be different due to the differences in their radiation patterns and therefore the distribution for each of these channel realizations will be characterized by different 's. Assuming that the channel realizations yielded by the different antenna modes are independent, we can now write where 0 and 1 are the distributions' parameters for mode under the null and alternate hypothesis, respectively, h represents the channel vector for mode . The decision function and is simplified to: where = ∑ = ℎ 2 and ℎ denotes the channel realization at time instant for the th antenna mode.
The control parameters that can be used to tune the performance of this scheme are listed in Table 1.
A graphical depiction of these parameters are shown with respect to a sample evolution of (h) in Figure 2.

Steps of the Detection Scheme
(1) During the outset of the session, R estimates 0 through training. The number of packets used for training is denoted by T .
(2) R also computes (h) for = − + 1 and = based on these channel estimates at each instant ( ≤ ≤ T ). (3) Actual transmissions begin from T and R continues to compute (h) for each packet transmission. I is assumed to hijack this connection and starts transmitting to R after transmissions from T.
(4) Based on these computed (h) during the training phase, a threshold is picked such that an alarm is raised whenever (h) > .
(5) In the event of an alarm, a higher layer reauthentication procedure can be evoked to reverify the identity of the transmitter.

Threshold Selection.
The value of will be chosen based on the values observed for (h) during the training period.
If the maximum value of (h) observed during training is (h), we can express as (h) where is the scaling factor that needs to be controlled in order to achieve the desired detection and false alarm rates. In our scheme, selection of is performed in an adaptive manner. We start with = 1 and gradually increase its value till an acceptable false alarm rate is achieved.
The connection can be vulnerable to an attack during this threshold selection phase as well. Therefore, higher layer authentication protocols (e.g., 802.11i) should be evoked to verify false alarms during this adaptation process to ensure security until the target value of is reached though this may cause some processing overhead due to frequent reauthentication. Optionally, depending on the level of threat to which the network is exposed to, this reauthentication process can be relaxed during this adaptive threshold determination  phase for more efficient operation and all alarms may be treated as false alarms.

Channel Measurements
Channel measurements were performed on Drexel University campus using a four-port vector network analyzer. The measurement environment and node locations are shown in Figure 3. The environment is a large laboratory which is 20 m long, 8 m wide, and 4 m high with plaster walls. The room has several cubicles partitioned using metallic walls and laboratory equipment and furniture distributed throughout the room.  The measurements were performed with R equipped with a reconfigurable leaky wave antenna (LWA) [25]. The radiation patterns corresponding to the five modes used in the study are shown in Figure 4. T and I were equipped with standard monopoles. Measurements were performed at 2.484 GHz which corresponds to the center frequency of channel 14 of the 802.11 band. Two R, four T, and ten I locations were chosen which yielded a total of eight R − T links each with then corresponding R − I links. For each (R, T, I) combination, 1000 time snapshots were recorded for the R − T and R − I links for the 5 different antenna modes. Measurements were performed during different hours of the day over several days during which there was low to moderate movement in the environment.

Why Rayleigh Distribution?
It has been assumed that the channel amplitudes follow a Rayleigh distribution instead of the more general Ricean distribution for the purposes of this study. In order to justify this assumption, the empirical distribution functions obtained for each link from the measured data was compared to a Rayleigh or Ricean distribution whose parameters were estimated from the measurements. The similarity between the empirical distribution ( ) and standard distribution ( ) for each link is quantified through two metrics: the total variation distance between the distributions and the Kullback-Leibler (KL) divergence.
The total support is defined as where and are the supports of the empirical and standard distributions, respectively. is discretized into evenly spaced discrete points. The total variation distance between the two distributions is defined as where (ℎ ) and (ℎ ) denote the values of the distributions evaluated at the th discrete point in . The KL divergence between and is defined as Table 2 lists the trends in the observed values over all the measured links for the difference between the empirical distribution and the two standard distributions. As can be observed, though the channel distributions are not "purely" Rayleigh nor Ricean, which is to be expected, they resemble these distributions sufficiently enough which provides us with the ability to develop an analytical framework for the problem. Moreover, as the values indicate, on average, due to the combination of line-of-sight (LOS) and nonline-of-sight (NLOS) links, modeling the channel as Rayleigh does not lead to a large error compared to modeling it as Ricean in the system, though the observed distributions marginally resemble the Ricean distribution more than the Rayleigh. Nevertheless, Rayleigh distribution was picked over Ricean for three reasons. Closed form MLE estimates do not exist for the parameters that characterize Ricean distributions and it requires recursive methods that are computationally intense [26]. The second reason is that when small values of are used in the scheme, the recursive scheme does not achieve convergence resulting in very poor estimates that will have a significantly negative effect on the scheme's performance. Finally, a simpler form of GLRT function cannot be formulated due to the Bessel functions that characterize Ricean distributions which will lead to higher computational complexity. Based on these observations and reasons, the channel was modeled as Rayleigh distributed.

Analysis and Results
The performance of the intrusion detection scheme was studied in terms of the probability of missed detection ( ) and false alarm rates ( ) as a function of the different control parameters listed in Section 3. and characteristics presented in this section were computed from the measured channels as follows.
(1) For each (R, T, I) combination, a detection threshold was obtained through the first T training samples.  (4) This process was repeated for 100 trials with different subsets of friendly and adversary samples and the average and were computed. Unless specifically otherwise stated, the presented results also reflect the average over the different antenna combinations possible for a given ; that is, for a given , the presented missed detection probabilities are averages obtained over the ( 5 ) possible combinations for a given . Figure 5 shows the average detection error tradeoff (DET) curves for a single antenna mode for different values of block size . The nonlinear scaling of the axes in a DET curve is designed to yield a straight line when (h) from the system follows a normal distribution [27]. The diagonal line defined by = − represents completely random performance and curves that lie on the quadrant left of this line represent positive levels of performance.

Single Antenna Mode ( =1).
It can be observed that the performance improves with block size. This is due to two reasons. A larger block size gives a better estimate for 1 and hence when the intruder starts injecting packets, the difference between 0 and 1 becomes more clear which in turn results in (h) growing above the threshold rapidly. Moreover, when is large, the increased contribution from channels corresponding to I in (h) after the intrusion will result in a rapid increase in its value as well.
Moreover, the values of used in the computation of (h) are not sufficiently large enough to yield a Gaussian behavior and therefore the DET curves do not exhibit a linear trend. While such a Gaussian behavior is preferred since it allows us to resort to standard normal distributions to set the threshold , it will not be possible to employ a sufficiently large to yield this behavior since a meaningful minimum detection delay is determined by the block size. However, with just a single antenna mode, the achievable detection rates are unacceptably low at low regions. In cases where 1 and 0 are not well separated, the level of increase in (h) after intrusion will not be sufficient enough to match the that is required to maintain a low which in turn leads to poor detection rates. To gain insights into this, we define the maximum percentage difference between 's among the different antenna modes as = max =1,...,  is equal to for each curve. T = 25. For a given , decreases with the block size. However, at low levels, the corresponding levels remain unacceptably high for a single antenna mode even at relatively large block sizes.  Figure 6 shows the CDF of for different values of . Table 3 lists some of the quantities extracted from these CDFs. When a single antenna mode is employed, the mean maximum percentage difference is 75.5% and the probability of this percentage difference being greater than 100% is as low as 0.07. This observation clearly elucidates the challenge with designing a GLRT based detection scheme using a single antenna. Though the links can be differentiated in terms of , the amount of separation in 0 and 1 may not be sufficient in any given scenario for the GLRT to yield acceptable performance levels with a single antenna mode. Figure 7 shows the variation of probability of detection as a function of detection delay in terms of number of packets. Understandably, detection rate improves with the allowable detection delay. However, it should be noted that timely detection of the intruder is very critical and therefore cannot be increased to arbitrarily large values to achieve the required detection rates. Again, it can also be observed that the performance improves with block size. However, to be effective, higher values of require that the detection delay to be at least as long as the block size so that the block will contain samples entirely from the intruder. The effect of International Journal of Distributed Sensor Networks   is equal to for each curve. The dashed segments correspond to points where < . Longer delays result in only marginal improvements in detection. Larger improves performance, but the minimum required detection delay is longer for larger 's.
being less than the detection delay can be observed by the dotted lines in Figure 7 where the detection performance is significantly deteriorated.
The false alarm rate, as a function of the number of friendly transmissions from T before I takes over, is shown in Figure 8. As one would expect, the chances of raising a false is equal to for each curve. Longer number of transmissions from T increases the probability of false alarms. Larger improves performance due to better 0 estimates. alarm rises with more friendly packets. A larger results in a better estimate for 0 during the training phase. Additionally, it will yield a value for (h) that is closer to the true 0 as well. Thus, the probability of (h) to exceed picked based on the estimated 0 will be lower and hence improves with .
To summarize the preceding trends, higher lowers while improving detection rates. Though a longer detection delay can help detection rates, in practice it is undesirable to have such long delays. However, due to the marginal difference between the values for the T − R and T − I links, it is challenging to obtain acceptable detection rates while keeping the false alarm rates very low when using a single mode antenna system. Hence, we resort to multimode antenna systems.

Multiple Antenna Modes.
We begin our analysis of the multiple antenna mode case with Figure 9 which shows the DET curves achievable through the combination of channel information corresponding to multiple antenna modes. For each incoming packet, (h) is computed as in (7) based on the channel information corresponding to the chosen configurations from which subsequent detection rates and false alarm rates are computed. It can be clearly seen that the detection rate significantly improves with the number of modes for a given . Referring again to Figure 6 and Table 3, it can be observed that the maximum percentage difference between 's among the different antenna modes increases with . This is by virtue of the fact that different antenna modes will exhibit different values and hence the probability that the difference between 0 and 1 is very small for all the modes will be lower. Thus, modes that exhibit a larger difference in will contribute more to the GLRT resulting in better performance. Increasing increases the probability of finding modes that exhibit a larger difference in 's and hence performance significantly improves with . Again, due to the lower value of , a non-Gaussian trend is observed in the observed DET curves. Figure 10 shows the achievable detection rates as function of detection delay for the different values. Comparing this with Figure 7, it can be seen that the level of improvement achievable in detection rates is quite high with than . For example, increasing from 10 to 25 results in a mere 5% improvement in detection when a single mode is used. Moreover, this improvement comes at the cost of a longer detection delay. By introducing an additional mode, can be lowered from around 20% to 9% while keeping and at 10. Figure 11 shows as a function of the number of friendly packets. As described in step (2) in Section 6, is defined as the probability that there will be at least one packet that exceeds the threshold during the friendly transmissions. Improvements in is also observed with increasing . Naturally false alarms increase with increasing friendly packets regardless of . For relatively smaller values of and a single antenna mode, when certain samples in h come from the tail region of the underlying Rayleigh distribution, the resulting estimate of̂1 can significantly diverge from 0 resulting in excursions of (h) above the threshold . However, when multiple antenna modes are employed, the probability that the channels corresponding to most of the modes belong to the tail region at any given instant is reduced. Therefore, at every time instant, the "well-behaved" modes help dampen is equal to for each curve. decreases with . the hikes in̂1 due to the "stray" modes and therefore help keep the excursions of̂1 above low and hence reduce the probability of false alarm.
We conclude this section by providing a list of key statistical measures for and that were observed for various values of in 100 trials. These measures are shown in Table 4. It can be observed that the standard deviation is  limited to 1.5% for false alarm rates and to less than 1% for missed detection rates. The data shows that, for a given set of parameters, false alarm rates and missed detection rates are stable across multiple trials.

Which Modes to Choose?
From the previous results it is clear that introducing multiple antenna modes improves the system's overall performance. However, these results do not provide insights into how to pick the mode combinations and most importantly if there is any benefit in increasing the number of modes beyond a certain level. Some insights into this problem can be found by analyzing Figure 12 and Table 5. Table 5 lists the spatial pattern correlation that exists between the radiation patterns corresponding to the different antenna modes used in the study. The best, worst, and average detection rates achieved by different individual mode combinations for = 2 and = 3 are shown in the figure. For = 2, it is evident that the detection rate is a function of the antenna correlation coefficient. The best performance is achieved by the mode combination (5, 1) which also has the lowest correlation between patterns. The combination with the highest correlation of 0.82 achieves the worst performance. Similarly, for = 3, detection rates exhibit the same trend with respect to the average correlation between the different pair of modes within the combinations. Moreover, it can be seen that the performance achieved by the best combination for = 3 outperforms the = 5 case as well.
The preceding behavior can attributed to the well-known phenomenon of decorrelated antenna patterns resulting in decorrelated channel realizations [28]. The information provided by more decorrelated channel realizations serves to improve the "quality" of (h) and hence enables the scheme to distinguish between T and I more accurately.
Based on these trends, two guidelines are suggested for picking the different antenna modes. Antenna modes should be picked such that the pattern correlation coefficient between the different modes should be kept as low as possible. Many reconfigurable antenna architectures exist that can generate patterns with a very low correlation coefficient between their modes [19,29]. The second is that adding new modes will improve detection rates as long as the newly introduced mode does not diminish the average correlation coefficient among the modes. This can be seen by observing the different circled pairs of DET curves in Figure 12, where adding a new mode improves detection when the addition of the mode lowers the average correlation coefficient among the modes.

Effect of
Training. The quality of training will have a significant effect on the performance of the scheme as the estimated 0 forms the basis for the likelihood ratio based on which it operates. Figure 13 shows the effect of the amount of training on the DET curves. As evidenced by the figure, longer training leads to better performance at the lower regions as expected. But interestingly more training has a negative effect on system performance at the larger regions. Recall that the threshold is computed as (h) where (h) is the maximum of (h) observed during training. Longer training on average leads to marginally larger values for (h). At high regions, ≈ 1 and hence the threshold is more sensitive to (h). Therefore, for a given , keeping all other parameters constant while increasing only T results in an increased estimate of the threshold , which in turn deteriorates detection. Although the estimate of 0 does improve with T , the increase in (h) overweighs its benefit in the high region leading to performance degradation. Nevertheless, meaningful utilization of this scheme will involve operating in the low false alarm region and therefore longer training will be still preferred.

Practical Considerations
Some key practical issues need to be considered in order to make this scheme work in practice. The most critical issue is the problem of obtaining channel estimates over all the antenna modes on a packet-by-packet basis. Figure 14 shows the possible candidate for a frame structure at the physical layer that can be used to achieve this operation. An extended payload is interspersed with the necessary training symbols for each mode along with padded intervals to allow for switching the antenna to a new mode and resynchronization. High-speed switches with switching speeds in the order of picoseconds currently exist that can allow the antenna to  switch modes at a rate compatible with current high data rate applications.
As noted previously, this scheme is proposed to complement existing higher level security protocols. Therefore, such protocols should continue to play their role in protecting the wireless link. An adaptive approach can be pursued when the GLRT triggers an alarm at the physical layer. When an alarm is raised by the physical layer scheme, the system can reconfigure the GLRT to operate in a point on the DET curve that prioritizes low missed detection over false alarms. Subsequent alarms should be handled by the upper layer authentication protocols such as 802.11i till it is ensured that the perceived threat does not exist after which point the GLRT can prioritize over false alarms again. Moreover, successfully adapting the alarm threshold will also rely on these reauthentication protocols.
Channel statistics may also gradually change with time which can lead to arbitrarily high false alarm rates. Periodic retraining can be implemented to keep the system performance within acceptable levels. Therefore, this scheme can benefit from more comprehensive training algorithms that continually update 0 based on packets that pass the intrusion detection test at the physical as well as upper layers.

Conclusion
An intrusion detection scheme that utilizes physical layer information based on a reconfigurable antenna was proposed. The intrusion detection problem was setup as a generalized likelihood ratio test under the assumption of Rayleigh fading channels for different antenna modes. The assumption was justified based on channel measurements gathered in an indoor environment using a network analyzer. The measurements were then used to study the performance of the scheme as a function of several control parameters available to the user. It was observed that large block sizes lower false alarm rates while yielding high detection rates as well. By utilizing multiple modes in a reconfigurable antenna concurrently in the likelihood function, it was shown that the detection rates can be improved and false alarm rates can be decreased while keeping the block size low. The pattern correlation coefficient that exists between the radiation patterns of the different antenna modes was shown to have a direct correlation with the resulting detection performance, with lower pattern correlation resulting in better performance. In networks with very limited or nonexistent security such as public WiFi spots, the proposed scheme can add a layer of security that can provide improved levels of protection against intrusion. In more secure networks operating in hostile environments, this scheme in conjunction with existing higher layer based security mechanisms can provide a much needed extra layer of security.
Future work to make the scheme more robust includes smart training algorithms that continuously train the system and keep the system up-to-date as well as algorithms that adaptively tweak the different control parameters to keep the system operating at the required performance level.