A Novel Hybrid Physical-Layer Authentication Scheme for Multiuser Wireless Communication Systems

Guaranteeing decent secrecy levels in future wireless network generations has gained crucial importance due to the unprecedented increase in wireless connectivity worldwide. In this article, an enhanced hybrid channel/device-based physical-layer authentication (PLA) scheme is proposed. The channel state information (CSI) and device-dependent carrier frequency offset (CFO) are employed to discriminate various malign and benign devices in a wireless network. In particular, CSI-based hypothesis testing (HT) is applied initially on the received authentication requests of several unknown transmitters, relying on legitimate CSI values from previous transmissions to classify such nodes. Then, a second stage takes place using the CFO HT on either the interval containing misclassified legitimate or illegitimate nodes to improve the initial stage’s classification results. Approximate expressions for the authentication and detection probabilities are retrieved, whose tightness is endorsed by extensive Monte Carlo simulations. Results show that the proposed scheme enhances the single-attribute PLA performance (CSI- and CFO-based). Also, the authentication probability improves by the increase in the average legitimate signal-to-noise ratio (SNR) and lower nodes’ speed. In addition, the detection probability (DP) rises at high legitimate and intruder links SNRs, while it degrades for low SNR (i.e., noisy attributes observations). Finally, the more significant the difference between the actual malign and benign nodes’ CFOs, the better the DP.


I. INTRODUCTION
M ASSIVE connectivity has been among various key targets posed by the third-generation partnership project (3GPP) entities for the fifth generation (5G) and beyond [1].The dense amount of resource-constrained connected Internet of Things (IoT) devices in multiple applications; e.g., e-health, factories, and smart home sensors; is a significant contributor to the 5G multitier heterogeneous network.In this context, the Elmehdi Illi and Marwa Qaraqe are with the College of Science and Engineering, Hamad Bin Khalifa University, Qatar Foundation, Doha, Qatar (e-mail: elmehdi.illi@ieee.org;mqaraqe@hbku.edu.qa).
Digital Object Identifier 10.1109/JIOT.2023.3304519myriad of connected IoT devices possesses limited computing and communication resources onboard.On the other hand, ensuring information security has been an omnipresent concern in wireless communication, especially with the prominent flourishing of IoT technology and the unprecedented connectivity levels reached around the globe [2].Physical layer security (PLS) has been driving special scrutiny over the past years as a prominent tool to realize secure transmissions and combat continuous security threats [3].Thus, confidentiality can be ensured by leveraging the physical layer parameters, such as the random channel fading, spatial/time/frequency diversity, and channel coding, by fulfilling transmissions at certain rate values guaranteeing a target equivocation rate at the eavesdropper [4].Such a PLS paradigm, aiming to achieve confidentiality, has been widely inspected over the literature, inspired by Wyner's pioneering wiretap channel model [5].However, Wyner's PLS model assumes that the attacker is a passive node in the network, uniquely interested in overhearing the legitimate message, where the sender aims to obfuscate the secret message from the attacker.This latter can also perform active eavesdropping, message forging, or legitimate node impersonation to fool the authentic receiver, whereby reliable authentication mechanisms are needed to identify the legitimacy of the transmitter.Traditionally, upper layer complex cryptographic-based algorithms take charge of this task, whose implementation in IoT devices remains questionable due to the limited power and computing resources onboard compared to the inherent schemes' complexity [2].
To this end, physical layer authentication (PLA), a subcategory of PLS, has been gaining remarkable momentum as a lightweight framework to support device authentication with a much-reduced overhead [2].It mainly relies on physical layer parameters, such as the wireless channel indicators, inevitable hardware imperfections from the manufacturing phase, or tag signals superposed with the information one to discriminate between users.In particular, passive PLA, referring to the channel-and device-based PLA category, relies on the channel spatial decorrelation property that ensures independent channel realizations at a half wavelength in a rich scattering environment [6].Therefore, it is improbable for an eavesdropper to fake the channel realizations of the legitimate transmitter.Also, successive channel realizations are strongly correlated over time [7].Thus, channel indicators, c 2023 The Authors.This work is licensed under a Creative Commons Attribution 4.0 License.
For more information, see https://creativecommons.org/licenses/by/4.0/Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
such as channel state information (CSI) and received signal strength (RSS), can be employed to discriminate between legitimate nodes from impersonators.On the other hand, devicebased PLA harnesses the imperfections in the transceivers' hardware to identify transmitters, that uncontrollably arise from the manufacturing process [3].Therefore, ideally, every pair of devices from the same manufacturer cannot manifest the same impairment level.Carrier frequency offset (CFO), in-phase/quadrature imbalance (IQI), and clock skew are some of the well-known device-based attributes used for authentication.

A. Related Work
The corresponding literature on PLA is rich in a plethora of relevant work elaborated in this context.Particularly, we can subcategorize passive PLA's work into the ones dealing with channel-based or device-based PLA, also known as radio frequency fingerprinting (RFF).Additionally, PLA schemes can be established either through machine learning (ML) classification techniques or statistical hypothesis testing (HT).While the former relies on implementing well-known ML classifiers to discriminate between malign and benign users through the features set, the latter relies on a simpler threshold-based HT.Importantly, the same performance metrics are used to assess both ML-and HT-based PLA schemes, namely, the authentication or false alarm and detection/misdetection probabilities/rates.For instance, the work [8] proposed a channel-based PLA scheme leveraging the wireless channel frequency response (CFR) as a feature to authenticate transmitters.Such a CFR-based scheme takes into account the time-varying nature of the wireless channel.The generalized likelihood ratio test (GLRT) is applied to determine whether two consecutive signals are transmitted from the same node, relying on the underlying successive CFR realizations.Furthermore, Liu et al. [9] proposed a 2-D channel impulse response (CIR)-based PLA scheme whereby a multilevel quantizer processes the channel taps' amplitudes and delays to reduce the noise and channel dynamics effects.Notably, such a scheme is sensitive to nonnegligible quantization errors induced by the channel characteristics changes.Therefore, an interesting extension was proposed by Liu and Wang [10] whereby a one-bit quantization is used by comparing the difference between two consecutive values of complex gains and delays over multiple taps with respect to fixed thresholds.Furthermore, Xie et al. [6] proposed the exploitation of several CIRs leveraging multiple antennas onboard the legitimate node and the intruder.In light of this, two enhanced test statistics (TSs) were proposed to improve the performance of the one-bit quantized testing used in [10].In particular, the first proposed scheme uses a soft GLRT where the underlying TS is the squared norm of the difference of two consecutive CIR vectors, as was performed in [6].On the other hand, the second is based on exploiting an estimate of the correlation coefficient in a tweaked GLRT.Tomasin [11] analyzed a channel-based keyless PLA scheme, along with a physical layer key generation-based PLA technique.Findings showed that channel-based authentication is asymptotically secure for a higher number of samples within a single channel observation.Also, the work in [12] proposed a key-based PLA, where the channel phase is used alongside a shared key between Alice and Bob.A CIR phase-based key establishment is used to generate a key at both legitimate ends initially, which is obfuscated within the sent challenge signal phase.Armed by the perfect channel reciprocity assumption and the known shared key, Bob builds a TS from the received signal to perform authentication.Zhang et al. [13] extended further CSI-based PLA schemes' analysis by considering the effect of residual hardware impairments on authentication performance.In addition, Zhang et al. [14] assessed the authentication performance of a CIR-based PLA scheme over a dual-hop network, whereby an untrusted amplify-and-forward (AF) relay node assists the legitimate transmission.Furthermore, works, such as [15], [16], [17], and [18], analyzed the secrecy performance of various RSS-based authentication schemes in different network architectures experimentally.
On another front, a remarkable amount of works was dedicated to assessing the authentication performance of RFF schemes.The work in [19] analyzed the secrecy performance of a CFO-based PLA scheme on static nodes.The same authors performed a notable extension in [20] by considering time-varying CFO as a unique fingerprint to detect spoofing attacks.An USRP-based experimental setup was implemented for validating and assessing the proposed scheme.Moreover, the CFO was used to identify LoRa devices in [21], whereby it was involved in compensating the frequency shift of inphase/quadrature (IQ) samples and improving the FFT-and spectrogram-based classifications.The work in [22] used statistical HT to inspect the secrecy performance of power amplifier impairments-based PLA.Hao et al. proposed a cooperative authentication scheme employing numerous receivers relying on the IQI as a fingerprint.Notably, a transmitter is declared legitimate if and only if all receivers claim together a legitimate transmission.The same authors extended the lastmentioned scheme to identify an AF relay in a dual-hop communication system.Furthermore, Xie et al. [23] provided an analytical framework for the authentication performance of a multiple-input multiple-output (MIMO) network by leveraging various phase noise (PN) observations.

B. Motivation
CSI is a widely used physical layer indicator that can be used, in addition to PLA, in multiple applications (e.g., node positioning).Several commercial off-the-shelf device manufacturers have involved CSI capturing tools.Furthermore, the CFO is considered a steady-state hardware impairment, whereby its short-term fluctuations are negligible [19].Nonetheless, it has been widely shown from the above work that channel-based PLA's limitation lies in the rapid channel decorrelation over time in high-mobility cases, rendering it single-handedly an unreliable fingerprint for node identification [2].Furthermore, Jakes' model spatial decorrelation property requires a large number of scatterers uniformly distributed over elevation and azimuth angles, which is challenging to fulfill generally in practice.On the other hand, steady-state hardware impairments, such as the IQI and CFO, suffer from the inherent noise in the received estimation preamble sequences.To this end, a notable interest has been paid to hybrid or multifeature PLA schemes relying on multiple channel-and/or device-based attributes.As far as the related literature dealing with statistical HT-based hybrid/multifeature PLA is concerned, we highlight the presence of a limited number of works in such a class.For instance, the work of [24] used both the PN along with the CSI in a MIMO communication system, whereby the transmitter's legitimacy is decided based on the number of antennas claiming legitimate transmission.Zhang et al. [25] extended their previous work to analyze it in a massive MIMO system with spatial correlation.Furthermore, a new PLA scheme for satellite wireless networks was proposed and assessed in [26] whereby both the Doppler shift and the estimated distance were used to authenticate a legitimate satellite transmitter and spot a spoofing one.Li et al. [27] proposed a channel-assisted PLA scheme relying on the estimated CFR along with the transmit signal characteristics.Results show that the joint use of channel and signal enlarges the gap between legitimate and illegitimate CFR observations.From another front, several works inspected experimentally ML-based hybrid or multifeature PLA schemes, such as the work in [28], where the authors incorporated the RSS, CSI, and CFO metrics for an enhanced PLA scheme, and the linearly combined and normalized features' values are involved in a proposed Gaussian Kernel function.Thus the proposed ML-based PLA scheme reduces the N-dimensional feature space to a single-dimensional one.Peng et al. [29] developed an ML-assisted PLA scheme to experimentally identify various ZigBee devices, whereby four RFF features are exploited, namely, the CFO, IQI, differential constellation trace figure (DCTF), and modulation offset.Support vector machines and artificial neural network classifiers were implemented.Das et al. [30] exploited both time and frequency domain hardware imperfections (frequency offset, phase offset, and time offset), along with the wireless channel uniqueness (multipath delay) for device authentication, whereby several ML classifiers were evaluated.An ML-aided classification was proposed in [31] using the power spectral density and the covariance jointly between a given RFID device's preamble pulses to perform node authentication.Finally, Xing et al. [32] proposed a multiattribute PLA protocol for direct sequence spread spectrum (DSSS) systems incorporating the IQ gain imbalance, IQ DC offset, and IQ phase mismatch.
It is understood that the adoption of HT-based PLA has several merits compared to its ML-based counterpart, namely: 1) HT-based schemes can be adopted online without the need for an offline training phase and 2) ML-based PLA schemes are environment/network-dependent, where changing the experimental/setup or environment requires reperforming the training with a new data set, which grows exponentially in terms of nodes, features, and setup cases.On the other hand, HT-based schemes are independent of the adopted propagation environment or system, whereby the use of analytical models can provide a view of the performance [2].
On the other hand, it is worth noting that none of the HT-based PLA schemes discussed above (i.e., [24], [25], [26], and [27]) employed the CFO as an attribute.This last mentioned one, classified as a steady-state hardware-based feature, fluctuates over relatively long periods and can exhibit a reliable feature for node authentication [20].In addition to this, the aforementioned related HT-based PLA schemes [24], [25], [26], [27] were analyzed over a single benign/malign transmitters pair and lacked a generalization of the authentication performance assessment over a multiuser scenario, whereby various system parameters values can differ from each user to another (e.g., actual CFO values per device, path-loss/distance from the transmitters, signal-to-noise ratios (SNRs), etc.).
Adopting a robust hybrid PLA scheme is of utmost importance in real-time multiuser networks.Statistical-based HT PLA schemes can provide an online lightweight authentication way as they are based on building simple TSs corresponding to the used features, leveraging the estimated attributes' values during two successive transmissions and then comparing them to certain thresholds.Thus, proper feature statistical modeling and PLA scheme's performance analysis are crucial for accurate scheme design.Additionally, it is of paramount importance to provide an overall analytical evaluation of the scheme's performance when multiple devices are incorporated, whereby features and other physical layer parameters can change from one node to another (e.g., SNR, randomly distributed CFO values over nodes, etc.).

C. Contributions
Thus, motivated by the above, we aim in this work to propose and analyze the performance of a hybrid HT-based PLA scheme using the CSI and CFO as attributes.We assume that numerous legitimate nodes (Alices) are transmitting to an authenticating entity (Bob), while each legitimate transmitter can potentially be impersonated by another malign node (Eves).Therefore, a two-stage authentication protocol is performed whereby the CSI-based HT is used to perform an initial node classification.Next, a CFO HT is employed to improve the classification results of the CSI, whereby it is applied for either the interval of misclassified Alices or Eves.To the best of our knowledge, this is the first work to 1) propose a statistical HT-based hybrid PLA scheme using the CSI and CFO jointly as attributes and 2) incorporate the effect of randomly distributed CFO over the set of nodes in order to provide an overall system performance analysis.In detail, the main contributions of this article can be summarized as follows.
1) A novel hybrid CSI/CFO PLA scheme for a multiuser wireless communication system (WCS) is developed to improve the secrecy performance of single-attribute PLA (i.e., CSI-and CFO-based ones).Two strategies are identified, namely, a) when CFO is applied uniquely on nodes with a CSI's TS belonging to the interval of misclassified Eves (Strategy I) or b) when applied to nodes in the interval of misclassified Alices (Strategy II). 2) Relying on the statistics of the CSI and CFO estimates and uniformly distributed values of the true CFO across all users, an average authentication probability (AP) and detection probability (DP) expressions are computed in terms of main system parameters.3) We demonstrate analytically that the proposed scheme's AP is an upper bound for both CSI-and CFO-based ones when using Strategy I, while the DP is an upper bound for DP of the two aforementioned single-attribute schemes when using Strategy II.4) We made insightful observations from the derived analytical expressions of the AP and DP to showcase the impact of key system parameters on the secrecy performance of the proposed authentication scheme.5) Extensive numerical simulations are conducted to show the tightness of the approximate derived AP and DP expressions.The AP increases with the increase of legitimate links' SNR and/or decrease in mobility speed.Also, the DP increases as well at high legitimate and intruder links' SNR and/or higher difference between the CFO of legitimate and malign nodes.The receiver operating characteristics (ROC) curves also show the superiority of the proposed scheme compared to singleattribute CSI-and CFO-ones.

D. Paper Organization
The remainder of this article follows this outline: we present the underlying system model and considered assumptions on the analyzed network in Section II.In Section III, the proposed hybrid authentication protocol is detailed.Section IV is dedicated to deriving AP and DP expressions for the proposed scheme, while Section V presents indicative numerical results.Finally, this article concludes with Section VI.

E. Notations
The following notations are adopted throughout the manuscript: CN (μ, σ 2 ) stands for complex Gaussian distribution with mean μ and variance σ 2 , J n (.) is the nth order Bessel function of the first kind [33, eq. (8.411.1)],E[.] refers to the expected value, x is the estimate of x, (z) and (z) are the imaginary and real parts of a complex number z, and N (μ, σ 2 ) indicates the Gaussian distribution with mean μ and variance σ 2 .Also, Pr [A] indicates the probability of an event A, L n (.) is the Laguerre polynomial of order n [33,

II. SYSTEM MODEL
We consider a multiuser cellular WCS, as shown in Fig. 1, whereby K legitimate users; Alices (A i ) i=1,...,K ; are connected to a base station; i.e., Bob (B) ; acting as an authenticator.In the meantime, K malign nodes, i.e., Eves (E i ) i=1,...,K , aim at impersonating the legitimate Alices.We assume that each E i impersonates its nearest legitimate counterpart A i by faking its medium access control and/or Internet Protocol address.In addition, we assume that all nodes are single-antenna devices located in a rich-scattering urban dense environment, whereby constructive and destructive interference from received signal copies produces randomly fluctuating signal envelopes according to the Jakes' model [35].Furthermore, all A i and E i are mobile nodes, while B is assumed to be in a fixed location.To this end, according to Jakes' model, the channel realizations between B and every pair of nodes decorrelates spatially at half wavelength [2], [6].On the other hand, each pair of channel realizations between each device and B are strongly correlated in time with a mobility-dependent correlation coefficient.Thus, assuming B already has a record of the CSI values of A i 's from their previous transmissions, he aims to exploit both the spatial decorrelation and time-correlation properties of the channel to infer if the currently received packets are still from Alices or Eves.
Considering a flat-fading scenario, the channel realizations of the X i -B (X ∈ {A, E}) link can be modeled through the well-known autoregressive model as follows [36]: where the superscript n and p refer to the current (new) and outdated (previous) channel fading realizations, respectively.In addition to this is the mobility-dependent correlation coefficient, where v X i B denotes the relative speed between X i and B, f is the carrier frequency, τ is the sampling duration separating every two successive channel realizations, and c is the speed of light.Furthermore, h (u) . These last two mentioned ones are zeromean complex Gaussian random variables (ZMCGRVs) with variance , Rayleigh fading scaled by the free-space path-loss (FSPL) with P s being the transmit power of A i and E i , and is the respective FSPL with G denote the gains of X i 's transmit antenna and B's receive one, respectively, and d X i B is the distance between nodes X i and B.
Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
Due to the presence of a rich-scattering environment, h In addition to this, B can obtain only a noisy version of the true complexvalued CSI due to the inherent estimation errors due to noise.Therefore, the relationship between the estimated and actual CSI values can be manifested by the following: where e (u) X i B is a zero-mean complex Gaussian estimation noise with equal power over all frames; i.e., E e (u) N .Generally, as mentioned above, the CSI-based PLA schemes take place in two phases.
1) Phase I: B estimates the complex-valued CSI using the received signals from A i 's signals.Without loss of generality, it is assumed that Phase I's transmission is protected through a higher layer authentication mechanism (e.g., message authentication code), 2) Phase II: B aims to infer the legitimacy of a transmission from an unknown transmitter leveraging the reference CSI value estimated in Phase I.In other words, B's task is to discriminate A i and E i successfully.Obviously, a legitimate transmitter should produce a close CSI value compared to Phase I's.Hence, HT is performed with respect to a certain threshold as follows: where H 0 indicates that the transmitter is A i , while H 1 represents the case when the packet is from E i .Furthermore, S CSI is a TS built from the previous and current CSI observations for HT purposes, while T CSI is a predefined authentication threshold.A GLRT can be employed for an unknown transmitter X i (X ∈ {A, E}) as follows [10]: Remark 1: It is worth mentioning that the considered TS in ( 6) is similar to the one used in [10] by normalizing the complex-valued fading by the FSPL term, hence producing unit-variance ZMCGRVs.
Remark 2: The CSI nodes' mobility-related correlation coefficient, given by (2), encompasses A i -B relative speed, carrier frequency, CSI sampling time, and speed of light.For static transceivers, i.e., v A i B = 0, one gets ρ A i B = 1, indicating a perfect correlation between the previous and current CSI values.In a similar manner, at very high f and/or v A i B and/or τ , ρ A i B tends to 0, resulting in complete uncorrelation between updated and outdated channel realizations.Of note, J 0 (y) in ( 2), with y = [(2π v A i B f τ )/(c)], is a decreasing function of v A i B and/or f and/or τ over y ∈ [0, y 0 ], with y 0 = 3.8317 being the function's minima, numerically found as the first zero of (J 0 (y)) .

III. PROPOSED DUAL PHYSICAL-LAYER AUTHENTICATION SCHEME
Due to the high mobility of nodes, the CSI-based authentication scheme fails at maintaining acceptable AP values at high speed due to the rapid time decorrelation of fading realizations.Furthermore, in spite of the spatial decorrelation property, one cannot always ensure a significant difference between the legitimate and intruder links CSI observations.Toward this end, we propose the incorporation of the CFO as a device fingerprint alongside the CSI for improved node discrimination.The CFO, as a position-independent feature, is mainly caused by the local oscillator (LO) drift at both the transmitter and the receiver from the ideal predefined communication carrier frequency due to manufacturing imperfections.It can be estimated from the preamble training sequences (e.g., Wi-Fi OFDM training sequences or cyclic prefix) through several estimation techniques [37].The time-domain received training sequences can be expressed as [19] with k = 0, . . ., N s L s − 1 is the discrete-time training sample index, N s is the number of training sequences for the CFO estimation purpose, and L s is the corresponding number of samples per sequence is the sampling frequency-normalized relative CFO of the communication between X i and B, with f X i = f + f X i and f + f B indicating X i and B LOs' carrier frequencies, with f X i and f B referring to the respective LOs' CFOs, F s is the sampling frequency, k is the sample index, x(k) is the kth training sample in the preamble sequences with a known structure to all nodes, and ν(k) is the zero-mean AWGN process contaminating the preamble sequence of variance σ 2 N .To this end, B capitalizes on the estimated CSI and CFO features to build a hybrid PLA scheme for improving the CSI-based one's performance.In detail, the proposed scheme undergoes the following steps.
1) Phase I: B estimates the CSI and CFO attributes of the corresponding legitimate users (A i ) i=1,...K .Again, it is assumed that this phase is secured through an upper layer authentication mechanism.While the CSI estimate is given by ( 4), the CFO can be estimated by leveraging the correlation-based estimation technique from the preamble training sequences as [19], [38] ξ (u) with r (u) It follows from ( 9) that ξ (u) A i B can be approximated as a Gaussian random variable (RV) [19]: (11) Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.where indicates the CFO estimation Gaussian noise, while γ (u) is the respective link's instantaneous SNR provided as γ (u) It has been shown that ξ (u) 2) Phase II: In this phase, K unknown transmitters send to B. 1 This phase consists of identifying the legitimacy of the transmitters leveraging the stored CSI values in Phase I and the updated CSI observations.B classifies the various transmitters per their instantaneous CSI values h (u) X i B X∈{A,B} leveraging the HT in (5) alongside (6).Obviously, when A i s and E i s are the senders, the result of classification will yield an amount of wellclassified A i s (true positive) and E i s (true negative), for which the TS values are below and above the threshold T CSI , respectively.Furthermore, the CSI HT will yield expectedly a portion of misclassified nodes, whereby some legitimate Alices are denied as they are claimed to be malign nodes, while another part of Eves will pass the authentication successfully.Fig. 2 shows an illustration of the classification results following ( 5) and ( 6) for K = 20 and T CSI = 1, where malign and benign nodes are assumed to transmit simultaneously in this phase.Notably, green-and yellow-labeled nodes are well-classified legitimate and illegitimate nodes whose TS falls below and surpasses 1 (T CSI value), respectively.On the other hand, red-and purple-labeled ones represent misclassified legitimate and illegitimate nodes whose TS exceeds and falls below 1, respectively.
The proposed dual authentication scheme can be employed in two possible strategies. where is the CFO's TS for a transmitter X i .Thus, as Q 1 contains also well-classified Alices, B identifies these latter nodes using ( 16) and (17).Finally, the estimated class of the remaining nodes in Q 1 (i.e., Eves wrongly classified as legitimate through the CSI's HT with CFO > T CFO ) will be flipped to malign ones.2) Strategy II: In a similar way, we estimate the CFO ξ (n) whereby the HT in ( 16) is executed.Q 2 contains the well-classified Eves and misclassified Alices.Thus, B employs ( 16) and ( 17) to spot well-classified Eves to keep their classes unchanged.Finally, the estimated class of the remaining nodes in Q 2 (misclassified Alices with CFO ≤ T CFO ) will be flipped to legitimate ones.Remark 3: Similar to the imperfect CSI estimate in (4), the preamble sequences for the CFO estimate, given by (7), are affected by an AWGN noise process.Obviously, the Gaussian estimation errors will be correlated in the case of the joint channel and CFO estimation from the same training samples.Thus, without loss of generality, we assume that both features are estimated from different training sequences, yielding independent estimation noise samples.
Remark 4: It is worth noting that the CFO HT employed in Phase III for both proposed strategies might as well wrongly claim H 0 and H 1 for a portion of nodes in Q 1 and Q 2 .Therefore, the classes of misclassified Eves with S (i) CFO ≤ T CFO and well-classified Alices with S (i) CFO > T CFO in Q 1 are, respectively, unaltered and flipped incorrectly.A similar remark can be ascertained to misclassified A i 's with S (i)  CFO > T CFO and well-classified E i 's with Remark 5: The proposed dual CSI-CFO authentication scheme leverages the estimated CSI and CFO from the received users' signals to perform a statistical HT for authentication.Although the proposed CSI-CFO authentication scheme was described and applied in this work to a multiuser scenario, it is worth emphasizing that it fits as well for a single-user case.
Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.

IV. SECURITY ANALYSIS
In this section, the secrecy level of the CSI-and CFObased PLA schemes, along with the proposed dual PLA one, is analyzed in terms of the AP and DP.While the former represents the rate of correctly classifying a legitimate user (claiming Alice while effectively Alice is the transmitter), the latter yields the rate of accurately labeling a malign node.Assuming A i and E i are the transmitters (H 0 and H 1 , respectively), and employing a single-attribute PLA scheme, the AP and DP be expressed as respectively, with Z ∈ {CSI, CFO}.
In the sequel, the AP and DP analysis will be presented for a particular user (i.e., a single legitimate or illegitimate transmitter).Then, the respective metrics will be provided for a multiuser case by averaging over the CFO's variations among benign and malign users.

A. Single-User Analysis
This section presents the AP and DP analysis for a singletransmitter case (i.e., either a single Alice or Eve is the transmitter).
1) CSI-Based PLA: Proposition 1: Assuming A i and E i are the transmitters, the corresponding AP and DP are given as and respectively, for i = 1, . . ., K, where Proof: Kindly refer to Appendix A. Corollary 1: At high SNR (γ (X i B) → ∞), the AP and DP reduce to and respectively.
Remark 6: 1) Differentiating ( 20) with respect to ρ A i B yields the following: which is strictly positive.Therefore, capitalizing on Remark 2, the lower the nodes' speed v A i B , the greater ρ A i B .Consequently, this results in higher AP.On the other hand, it is evident that the DP in ( 21) is independent of ρ A i B . 2) Differentiating (20) with respect to γ (A i B) yields the following: which is strictly positive.Thus, the higher the SNR, the less noisy is the CSI estimate in (4), yielding a better authentication rate.On the other hand, one can prove in a similar way that the DP ( 21) decreases with the increase of both γ (A i B) and γ (E i B) .Thus, one can infer that noisy CSI observations can help to better discriminate between A i and E i s' CSIs.2) CFO-Based PLA: Proposition 2: Assuming A i and E i are the transmitters, the corresponding AP and DP are given as (26) and respectively, where with z p > 0 being the pth zero of Laguerre's polynomial of order n and Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply. with and Remark 7: It is worthwhile that the AP and DP for the CFO-based PLA scheme exhibit asymptotic horizontal floors at the high-SNR regime, which depends essentially on ρ A i B , T CFO , and ξ E i A i .Notably, (36) converges to unit (perfect detection) when a small threshold value is selected to discriminate accurately between legitimate and illegitimate CFOs.However, the DP converges to 0 (total intrusion) in a noise-free channel with a threshold exceeding the gap between A i s and E i s CFO, whereby B cannot discriminate between the CFOs of legitimate and illegitimate transmitters.Thus, decent detection performance is ensured only when the threshold is chosen according to the first aforementioned case.
Remark 8: 1) By computing the first derivative of P (CFO,i) auth with respect to γ (A i B) through [34, eq.(06.25.20.0001.01)],one obtains which is positive.Therefore, the AP is an increasing function of the average legitimate SNR γ (A i B) .Similarly, we have DP's derivative with respect to γ (A i B) , shown in (38) at the bottom of the page, where a similar derivation can be performed with respect to γ (E i B) with identical findings.Thus, it can be seen that the derivative above in (38) is strictly negative when T CFO ≥ ξ E i A i , resulting in a decreasing DP in this case.Nonetheless, the DP's monotony cannot be inferred analytically when Relying on [34, eq. (06.25.20.0001.01)], the DP's derivative with respect to ξ E i A i can be formulated after some simplifications as Thus, as T CFO , ξ E i A i > 0, the difference of exponential terms in ( 39) is positive, which yields an increasing DP in terms of ξ E i A i .Indeed, this latter indicates the gap between the actual CFOs of Alice and Eve.Thus, higher CFO difference values improve the CFO distinguishability at B, improving the detection rate.Lemma 1: Under H 0 , the CSI and CFO TSs, given by ( 6) and (17), respectively, are correlated by the following correlation coefficient: where N (H 0 ) and D (H 0 ) are given in ( 41) and ( 42), shown at the bottom of the next page, with ε as an approximation constant, chosen close to 0, and Proof: Kindly refer to Appendix C. Remark 9: The correlation coefficient between the CSI and CFO TSs, given by ( 40)- (42) involves the channel time correlation coefficient and average SNR of the legitimate channels.On the other hand, due to its analysis complexity, the correlation coefficient under ϕ CSI,CFO is evaluated by simulation.Notably, Figs. 3 and 4 show the impact of the γ (X i B) and v A i B on such TSs' correlation level, with ε = 10 −4 , and assuming H 0 and H 1 , respectively.It is noteworthy that ϕ (H 1 ) CSI,CFO is plotted against γ (A i B) and γ (E i B) , as it is independent of v A i B .Notably, although S (i)

CSI and S (i)
CFO , given by ( 6) and (17), respectively, includes a common fading realization term, their correlation level |ϕ Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.range of average SNR and speed values under both hypotheses.It is worth mentioning that the aforementioned correlation levels are only approximate ones, while it is challenging to derive the exact correlation level.

B. Multiuser Analysis
Proposition 3: The AP and DP expressions of the proposed scheme over both strategies are given by Proof: Kindly refer to Appendix D. Remark 10: As P (Z,i)  auth ≤ 1 (Z ∈ {CSI, CFO}), one can note from (44) that the proposed scheme's AP under Strategy I is below the single-attribute schemes' ones, i.e., P (I,i) auth < P (Z,i) auth (Z ∈ {CSI, CFO}), while the proposed scheme's DP in (46) is improved compared to P (I,i) On the other hand, Strategy II's AP in (45) is higher than both the CSI and CFO-based PLA schemes, while the corresponding DP is lower compared to the former single-feature schemes.Therefore, Strategy I brings an improvement on DP at the cost of reduced AP, while Strategy II's provides opposed gains; i.e., improved AP and degraded DP.
Considering a multiuser scenario whereby the corresponding CFO is different among the different transmitters (Alices and Eves).Thus, let us assume that X i s CFOs being random samples from a uniformly distributed RV, denoted ξ X ∼ U (ξ ), where ξ (min) X and ξ (max) X are the upper and lower bounds of X i s CFO range, respectively.One can note from ( 20), ( 21), (26), and ( 27) that the CFO-based PLA's DP uniquely incorporates the relative CFO while the remaining metrics do not.Thus, considering independent and identically distributed (i.i.d) users' channel's statistics; i.e., γ (X i B) = γ (XB) , the AP expressions for the multiuser scenario reduces to the single-user case in (20) and ( 26) which yields as well Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
from ( 44) and (45).On the other hand, it is crucial to determine the statistics of ξ EA2 for deriving the average DP of the system from (27).
Lemma 2: The probability distribution function (PDF) of the relative CFO between A i s and E i s ξ EA , can be expressed in (52), shown at the bottom of the page, where Y , X, Y ∈ {A, E}, r ∈ {min, max} (53) and Proof: Kindly refer to Appendix E. Proposition 4: For uniformly distributed CFOs at A i s and ), with X ∈ {A, B}, the overall system's DP for the CFO-based can be formulated as follows: where m , and W (k,l) are given in ( 56)-( 58), shown at the bottom of the next page, with x min (T CFO ) = and Proof: Kindly refer to Appendix F. Consequently, the overall system's DP for both adopted strategies is given as Remark 11: For identical relative CFO's across all E i -A i pairs; i.e., ξ E i A i = ξ EA ; the overall DP of the CFO-based PLA scheme reduces to the single user's one, given in (58); i.e., V. NUMERICAL RESULTS Extensive numerical results are shown in this section to highlight the analyzed system parameters' effects on the overall secrecy performance.Unless otherwise mentioned, Table I summarizes all the default parameters' values set for obtaining numerical and simulation results.The considered simulation setup consists of a fixed authenticator (B) and moving A i s and E i s with a constant relative speed with respect to B (v X i B , X ∈ {A, E}).It is assumed that all nodes belonging to each class (Alice or Eves) are moving with the same speed (i.e., v X i B = v XB ∀i = 1, . . ., K).Thus, such nodes' mobility creates a channel temporal correlation, where we correlate the CSI of both phases (Phases I and II) according to (1), (2), and (4).Notably, the CSI (channel fading coefficient) at each of the two phases is generated as a complex Gaussian RV.Moreover, such a fading corrupts, in addition to a zero-mean complex Gaussian AWGN of variance σ 2 N and the FSPL, the received signal, from which B estimates the CFO.Precisely, B leverages N s sequences at the received signal's preamble of L s samples each for CFO estimation, relying on (9).In addition, A i s and E i s transmit signals with power P s , which results, combined with the FSPL computed from (3) and the AWGN in different average SNR levels γ X i B .Furthermore, the default Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.values indicated for A i s' and E i s' CFO values, i.e., ξ A i and ξ E i in Table I, correspond to the case of identical relative CFO at all A i s and E i s.It is worth highlighting that the noise power indicated in Table I is computed as σ 2 N = kTB W F [8], with k = 1.38 × 10 −23 J/K is Boltzmann's constant, T is the receiver temperature, set at 290 K, B W is the bandwidth set at 10 MHz, while F refers to the receiver's noise figure, set as 0 dB.The developed MATLAB framework for simulation and numerical evaluation can be found in [39].
Fig. 5 shows the system's AP versus γ (X i B) (X ∈ {A, E}) for both adopted strategies with v A i B = 100 km/h.The AP plots of the single-attributed PLA schemes (i.e., CSI-and CFO-based ones), analyzed in [10] and [19], respectively, are presented for comparative purposes.It can be shown that the analytical curve for the CSI's AP, plotted from (20) match exactly with the simulations markers.On the other hand, the CFO's one, provided in (26), exhibits a tight matching at mid and high-SNR values, while a small gap can be noticed at low SNR values.The latter behavior is due to the approximation of the CFO estimate Fig. 6.DP of the proposed scheme versus γ (X i B) compared with singleattribute ones.
as a Gaussian one as given in (11), whereby the estimator is unbiased at high-SNR values.Furthermore, one can note that the analytical curves of the proposed scheme over both strategies, plotted from (66) and ( 67), closely match their simulation counterparts, corroborating the TSs' weak dependence shown in Lemma 1 and Remark 9.In addition to this, one can clearly note that Strategy II offers a better overall authentication rate for the system, compared to the CSI-and CFO-based schemes, confirming Remark 10.Notably, the AP reaches 100% at γ (X i B) = 30 dB.On the other hand, Strategy I provides a lower AP compared to both single-attribute schemes, endorsing the finding discussed in the same aforementioned remark.
In Fig. 6, the DP versus γ (X i B) (X ∈ {A, E}) for both adopted strategies is shown in comparison with single-attribute PLA schemes' performance.The proposed scheme and the CFO-based one's curves are plotted using (66)-(68), assuming identical relative CFO case discussed in Remark 11.One can spot the high-DP gain brought by adopting Strategy I Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.compared to the CSI-and CFO-based schemes.Different to Strategy I's AP performance against the last-mentioned two schemes, such a strategy provides a better DP, while Strategy II's DP is below the single-attribute schemes ones.
In addition, the proposed scheme's curves closely match their simulation counterpart, endorsing the TSs independence assumption, although their approximate correlation coefficient approaches 10%, as was shown in Remark 9 and Fig. 4. Finally, the DP of the CFO-based and proposed scheme are convex functions where a minimum DP value is manifested.
As discussed in Remark 8, the DP's monotony cannot be inferred analytically when T CFO < ξ A i E i .The system's ROC curve is provided in Fig. 7 for the proposed scheme, compared with the CSI-and CFO-based ones with γ (X i B) = 20 dB and v A i B = 50 km/h.The DP is plotted as a function of the false alarm probability (FAP), defined as the complementary of the AP; P (Z ∈ {CSI, CFO, I, II}).Thus, it states the average amount of wrongly denied Alices.Once more, an identical relative CFO case is considered.Also, the ROC curves for the CSI-and CFO-based schemes were produced by varying both corresponding thresholds as T CSI ∈ ]0, 4] and T CFO ∈ [10 −6 , 8 × 10 −4 ], respectively.In addition, as both the FAP and DP depend on two thresholds, we have varied T CFO within the interval [10 , 8 × 10 −4 ], whereas T CSI was selected from the interval [0, 4] to produce the maximal DP corresponding to a target AP interval of P (Z)  auth ∈ [0.91, 0.95], i.e., P (Z) auth ∈ [0.05, 0.09].Thus, this results in T CSI = 1.4 and T CSI = 0.09, for Strategy I and Strategy II, respectively.It can be ascertained that the proposed strategies can yield a higher DP for a reduced FAP compared to its single-attribute counterparts.For instance, the DP can reach 83% and 80% for Strategy I and Strategy II, respectively, with an FAP≈ 6%, while it approximately equals 73% and 68% at the same aforementioned FAP value for CFO-and CSI-based schemes, respectively.Fig. 8 manifest the impact of A i 's speed on the AP with dB).One can note the clear impact of legitimate nodes' speed on the overall AP.The greater v A i B , the lower the system's AP, which corroborates Remark 6.The AP of the CSI-based PLA scheme reaches 86% at v A i B = 70 km/h, while it can converge to unit (perfect authentication) for speed below 40 km/h.Notably, the AP of the proposed scheme using Strategy II can be maintained above 95%.
Figs. 9-11 exhibit the DP performance in three dimensions versus γ (A i B) and γ (E i B) .One can remark that the performance is symmetric with respect to legitimate and illegitimate links' SNRs, over the three considered schemes, as was discussed in Remark 6. Remarkably, it is worthy to note that the DP of the CSI-based scheme strictly decreases versus γ (A i B) and γ (E i B) , where an asymptotic floor is reached, as shown in (23).Furthermore, the CFO-based and proposed schemes exhibit a decreasing behavior.Given T CFO = 2 × 10 −4 > ξ E i A i = 1.875 × 10 −4 , the DP is a decreasing function of γ (A i B) and γ (E i B) , as was shown in Remark 8. Fig. 12 represent the average DP performance of the proposed scheme versus γ (X i B) = γ (XB) , evaluated using (66) and (67).Considering uniformly distributed CFOs at A i s and . The results show that DP is worse when the CFO range of both legitimate and illegitimate nodes' shrinks to 1.25 × 10 −3 -wide; i.e., ξ (max) , where A i s and E i s CFOs range over the same Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.interval.Notably, the greater the CFO interval, the higher the DP over both considered strategies.
Figs. 13 and 14 present comparative AP and DP plots of the proposed hybrid CSI-CFO scheme with its CSI-PN counterpart, considering the result provided in [24].Importantly, both the authentication and detection probabilities (AP/DP) were evaluated leveraging the complementary of the FAP, given by (22), and the respective DP provided by (32) of the same work, respectively.Then, the corresponding result of Fig. 13.AP comparison between the considered hybrid CSI-CFO scheme and the CSI-PN one of [24].Fig. 14.DP comparison between the considered hybrid CSI-CFO scheme and the CSI-PN one of [24].
both proposed strategies was obtained by applying (44)-(47).It is worth noting that the analysis in [24] was conducted over a MIMO system.Therefore, for a fair comparison, we set the number of transmit and receive antennas to unit in the AP and DP expressions of the aforementioned work.Furthermore, we set v X i B = 100 km/h and we denote by σ 2 δ,X as the Gaussian PN increments' variance at node X ∈ {A, B, E}, while we set δ,E = 10 −4 , and T PN = 0.3 (threshold of the PN-based PLA).One can note that the considered CSI-CFO scheme outperforms the CSI-PN for both strategies in terms of AP at a high range of SNR values.On the other hand, it can be well noted that the DP performance of the CSI-PN scheme significantly drops at high SNR, despite the gap between the PN variances at Alice and Eve.

VI. CONCLUSION
In this work, an improved PLA scheme based on both the CSI and CFO, as channel-and device-based attributes, respectively, was proposed.The proposed scheme was applied to a multiuser scenario.In detail, an initial nodes' classification is performed through the CSI-based PLA with respect to a fixed threshold.Then, HT is employed, leveraging the CFO TS to improve the classification results of the former CSI-based PLA stage.Precisely, two distinct strategies are defined, namely, 1) Strategy I: applying the CFO HT on nodes belonging to the interval of misclassified Eves or 2) Strategy II: applying the CFO HT on nodes belonging to the interval of misclassified Alices.To this end, novel AP and DP expressions are derived in approximate forms, whereby the impact of key system parameters is highlighted analytically.In addition, an average DP is provided considering random CFO distribution among the different nodes in the network.We showed that the system's AP drops with respect to legitimate nodes' speed, where it can attain 86% at high SNR with 70 km/h of relative speed, while it can approach 100% at velocities below 40 km/h.Also, the higher the SNR of the legitimate link, the better the proposed scheme's AP and DP.Results also showed that, compared to the single-attribute schemes, the proposed scheme provided a better DP and reduced AP over Strategy I, while Strategy II improves the AP with the cost of DP drop.Finally, the wider the CFO distribution range for both legitimate and wiretap nodes, the better the DP (i.e., improved CFO distinguishability).As a future extension, we aim at the deployment of the proposed scheme in a real testbed where real-world data sets can be used for implementation and evaluation.Also, extending it to an ML-aided or hybrid ML-HT one and comparing it with its HT-based counterpart is a promising direction.

APPENDIX A PROOF OF PROPOSITION 1
The AP, provided by (18), is related to the scenario when the transmitter is a legitimate node (H 0 ).Thus, under this hypothesis and using ( 4) and (1), the respective TS in (6) can be written as One can note from the last equation that D (i) CSI is the sum of ZMCGRVs.Therefore, it conserves the same distribution with variance Therefore, |D CSI | is a Rayleigh-distributed RV with parameter σ D , while S (i)  CSI is exponentially distributed of mean ) with a cumulative distribution function (CDF) as follows: Thus, it is obvious from ( 18) that the AP is nothing but the CDF of S (i)  CSI evaluated at T CSI , yielding (20).In a similar fashion, it can be easily shown when H 1 takes place that S (i) ).Thus, by virtue of (19) and its cumulative CDF (CCDF), ( 21) is attained.By this, the proof is concluded.

APPENDIX B PROOF OF PROPOSITION 2
Similarly to the CSI, either H 0 or H 1 can take place.Thus, when the sender is legitimate and relying on (17) with X = A and (11), we have CFO is the absolute value of the difference of two Gaussian RVs.The difference alone (D (i)  CFO,A ) conserves the same distribution with a variance equal to the sum of the two variances; i.e., it yields from (12) that σ 2 while the difference's absolute value is a one-sided Gaussian RV with CDF [40] F It can be clearly noted that the above CDF is conditioned on the variance σ 2 ), function of two consecutive SNRs of the A i -B link; i.e., γ (p) B .Thus, in order to determine the unconditioned CDF, an average needs to be computed over all possible realizations of the latter pair of correlated RVs.Thus, this yields Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.

It is worthwhile that as h (p)
A i B and h

and γ (n)
A i B , being proportional to the squared fading envelope, are correlated by a correlation level of ρ 2 A i B [7].Their underlying joint PDF is obtained by setting m B = N B = 1 in [41, eq. ( 59)] as Consequently, plugging (76) into (75), it yields a double integral of nonelementary functions.Due to the complexity to derive a closed-form expression, Gauss-Laguerre quadrature method can be applied twice to solve the above integral [42, eq. (25.4.45)], yielding, after the change of variables: ), the following: where w i , defined in (28), are the Gauss-Laguerre quadrature weights evaluated at z i , being the ith zero of the Laguerre polynomial of order n.Thus, from (18), the AP is the CDF in (77) evaluated at x = T CFO , yielding (26).In a similar fashion, under H 1 , plugging (11) into (17) with where equivalently we have CFO,E as a Gaussian RV with mean ξ E i A i and variance Henceforth, the corresponding CDF of S (i) B , can be expressed as Thus, an average over the possible values of γ (p) yields the unconditional CDF as as the corresponding RVs are independent, with referring to their marginal PDF.Again incorporating (82) into (83), and using the Gauss-Laguerre method, one gets Finally, the detection rate is obtained at (27) as the corresponding CCDF evaluated at x = T CSI , which is the complementary of the CDF in (84).This concludes Proposition 2's proof.

APPENDIX C PROOF OF LEMMA 1
The correlation coefficient under H 0 can be written as As shown in Appendix A, S (i) CSI is an exponentially distributed RV of mean equal to its standard deviation σ S (i) On the other hand, S (i) CFO = |D (i) CFO,A |, provided by ( 72), is a one-sided Gaussian RV with mean [40] E S (i) Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
where σ D (i) is defined in (73).One can note from (88) that the CFO TS's mean is conditioned on γ (n) A i B and γ (p) A i B values.Therefore, an average is taken over the possible realizations of γ (n) Due to the integrand function's singularity at y = z = 0, the above integral diverges.Therefore, an approximation is proposed by truncating the integral lowerbounds as with where step (a) holds by incorporating (76) into (89) along with the change of variables: u ) is generated leveraging the Gauss-Laguerre quadrature method, whereby w k is given in (28) and z k is the kth zero of the Laguerre polynomial of order n.Furthermore, we have (92) and (93), shown at the bottom of the next page, where AB | 2 (y, z) can be obtained from (76) by setting γ (A i B) = 1.These last mentioned two equations can be solved as well in a similar way through the Gauss-Laguerre quadrature method.Thus, involving (87), (90), and the quadrature-based solution of (92) and ( 93) into (85) yields ( 41) and (42).This concludes the proof of Lemma 1.

APPENDIX D PROOF
be the successful authentication and detection events of a legitimate or wiretap user 1 ≤ i ≤ K, occurring with probabilities P (x,i)  auth and P (x,i) det , respectively, where x∈ {I, II }.The superscripts I and II refer to using either Stragegy I or II, respectively.

A. Authentication Probability
According to Strategy I, a legitimate user A i with S (i)  CSI ∈ I 1 can be authenticated if and only if the HT over CSI claims H 0 (i.e., correct initial classification of Phase II) and so does the CFO's one (i.e., correct identification to keep A i 's class unaltered in Phase III).Thus, we can write the following: Relying on Lemma 1, Fig. 3, and Remark 9 whereby the underlying correlation between S (i)

CSI and S (i)
CFO remains below 0.1, the above AP expression can be approximated as which yields (44) leveraging (18).On the other hand, E (II,i) a for Strategy II is decomposed to the intersection of the following two events.1) A (x,i) a : Given A i is the transmitter, the CSI's HT claims accurately H 0 , 2) B (x,i) a : Given A i is the transmitter, the CSI's HT claims wrongly H 1 , while the CFO's HT accurately claims H 0 .As a result, one can express the AP for this strategy as which reduces approximately to (45) leveraging the negligible correlation between S (i)  CSI and S (i) CFO .

B. Detection Probability
Under Strategy I, E (I,i) d can be written as the intersection of the two following events.1) A (I,i) d : Given E i is the transmitter, the CSI's HT claims accurately H 1 , 2) B (I,i)  d : Given E i is the transmitter, the CSI's HT claims wrongly H 0 , while the CFO's HT accurately claims H 1 .To this end, the DP can be formulated as In a similar way, E (II,i) d under Strategy II occurs when both CSI and CFO HTs, given by ( 5) and ( 16), respectively, claim H 1 for E i with S (i) CSI ∈ I 2 ; i.e., well-classified E i is accurately identified by the CFO to keep its class unaltered.Therefore, Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.

APPENDIX E PROOF OF LEMMA 2
Armed by the Jacobian transform, the PDF of ξ EA is expressed as , where ].On the other hand, the following holds from w's bounds ξ which indicates that y's upper bound exceeds the upper bound of the integral (99).Thus, it yields from (102) and ( 103) that the integral in case I is restricted to the interval [ξ EA )].The incorporation of (100) into (104) and through few manipulations, yields the first case of (52).].Therefore, the PDF will be computed by restricting the integration bounds to the aforementioned interval as follows: Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.EA , which is identical to the first subcase's PDF in (107).As a result, inserting (100) into (107), (109), and (111), and by virtue of some manipulations, we reach , with β defined in (54).

APPENDIX F PROOF OF PROPOSITION 4
By considering uniformly distributed CFO realizations ξ E i A i in (49) among the various E i -A i pairs, represented by the RV ξ EA , the system's overall DP of the CFO-based PLA is expressed as where T (k,l) , V (k,l) , and V (k,l) are given in ( 119)-( 121), shown at the bottom of the previous page.One can write T (k,l) = T (k,l) 1 + T (k,l) 2 , where (T (k,l) m ) m=1,2 is given in (122), shown at the bottom of the previous page, where each term is the sum of two integrals.

Manuscript received 21
December 2022; revised 21 February 2023 and 16 July 2023; accepted 8 August 2023.Date of publication 11 August 2023; date of current version 7 December 2023.This work was supported in part by the NATO Science for Peace and Security Programme under Grant SPS G5797.Open Access funding provided by the Qatar National Library.(Corresponding author: Elmehdi Illi.)

3 )
Phase III: In order to improve the misclassification results of the earlier stage, the CFO attribute can be used at B to refine Phase II's classification further.Let us denote by I 1 = [0, T CSI ] and I 2 = ]T CSI , ∞[ as Interval 1 and Interval 2, respectively.Accordingly, let the following sets:

1 )
Strategy I: The CFO ξ (n) X i B is estimated from the received signals of the nodes in Q 1 (i.e., S (i) CSI ≤ T CSI ).Then, a second HT is performed for each node S (i) CSI ∈ I 1 as follows:

Fig. 5 .
Fig.5.AP of the proposed scheme versus γ (X i B) compared with singleattribute ones.

Fig. 7 .
Fig. 7. ROC curve of the proposed scheme compared with single-attribute ones.

Fig. 8 .Fig. 9 .
Fig. 8. AP versus v A i B for the proposed scheme and the CSI-and CFO-based ones.

Fig. 10 .
Fig. 10.DP versus γ A i B and γ E i B for the CFO-based PLA scheme.

Fig. 11 .
Fig. 11.DP versus γ A i B and γ E i B for the proposed PLA scheme (Strategy I).

Fig. 12 .
Fig. 12.Average DP versus γ AB and γ EB for the proposed PLA scheme for randomly varying CFO.
noted that the integrand function in (99) is strictly positive only when f ξ E (w + y) is as well, which depends on the following cases of w values.1)Case I-ξ (min)E − ξ (max) A ≤ w ≤ min(δ (min) EA , δ (max) EA ):The following condition on the argument w + y of f ξ E (.) need to check whether the bounds of y in (101) are within the interval of integration; i.e., [ξ which the integrand in (99) is strictly positive.Relying on the limits of w and (53 can note that y's bound are outside [ξ (min) A , ξ(max)   A ξ E (w + y)f ξ A (y)dy.PDF in (99) becomesf ξ EA (w) = ξ (max) A ξ (min) A f ξ E (w + y)f ξ A (y)dy (111) for w = δ (max) EA = δ (min)

.
Thus, it can be seen that the PDF is expressed in terms of ξ can be noted that y's bounds in (114) and (115) are below the integration's one(ξ E (w + y)f ξ A (y)dy (116)for w ∈ [ max(δ