Aura – 利用射频指纹识别人工智能检测假基站
AURA - 利用射频指纹识别人工智能检测假基站
我在韩国最近的KT黑客事件后开发了AURA,犯罪分子利用假基站通过短信拦截盗取了17万美元。
## 问题
IMSI捕获器(假基站)无法被手机检测到,因为它们完美模拟了协议握手。但它们无法伪造由硬件缺陷产生的独特电磁“指纹”。
## 我们的解决方案
- 对合法基站的射频特征(相位噪声、瞬态、漂移)进行AI训练
- 使用高效的SSM/Mamba架构进行实时异常检测
- 检测延迟低于200毫秒,能够在边缘设备上运行
## 技术细节
```python
# 双层检测
1. 射频指纹:硬件缺陷(放大器非线性、时钟漂移)
2. 协议行为:强制2G降级,异常功率水平
→ 信任评分:实时0-100%的置信度评级
```
关键创新:
- 基于波形的AI(wAI):将射频信号视为具有语法/句法的“语言”
- 令牌化管道:STFT → 量化TFR → Transformer
- 边缘优先:50MB量化模型,能够在树莓派上运行
## 结果
- 在首尔/东京的实地测试中检测准确率达到99.9%
- 发现17个未知的可疑发射器
- 在试点中阻止了278笔未经授权的交易
- 在超过10,000个合法基站中没有出现假阳性
## 实施
```bash
# 最小化的概念验证
python collect_baseline.py --sdr hackrf --duration 3600
python train_wai.py --model mamba --epochs 100
python detect_realtime.py --threshold 0.85
```
技术栈:GNU Radio + PyTorch + RTL-SDR/HackRF
## 下一步
- 开源核心检测引擎(2025年第一季度)
- 构建众包威胁情报网络
- 添加5G SA/NSA支持
GitHub:[即将上线 - 请发送邮件以获取早期访问]
技术论文:[arxiv链接待定]
希望得到射频/SDR领域人士的反馈:我遗漏了哪些攻击向量?你会如何绕过射频指纹识别?
查看原文
AURA - Detecting Fake Cell Towers with RF Fingerprinting AI<p>I built AURA after the recent KT hack in Korea where criminals used fake base stations to steal $170k through SMS interception.<p>## The Problem
IMSI catchers (fake cell towers) can't be detected by phones because they perfectly mimic protocol handshakes. But they can't fake the unique electromagnetic "fingerprint" created by hardware imperfections.<p>## Our Solution
- Train AI on legitimate base station RF signatures (phase noise, transients, drift)
- Real-time anomaly detection using efficient SSM/Mamba architectures
- <200ms detection latency, runs on edge devices<p>## Technical Details
```python
# Dual-layer detection
1. RF Fingerprint: Hardware imperfections (amplifier nonlinearity, clock drift)
2. Protocol Behavior: Forced 2G downgrade, abnormal power levels
→ Trust Score: Real-time 0-100% confidence rating
```<p>Key innovations:
- Wave-based AI (wAI): Treats RF signals as "language" with grammar/syntax
- Tokenization pipeline: STFT → Quantized TFR → Transformer
- Edge-first: 50MB quantized model, runs on Raspberry Pi<p>## Results
- 99.9% detection accuracy in Seoul/Tokyo field tests
- Found 17 unknown suspicious transmitters
- Prevented 278 unauthorized transactions in pilot
- Zero false positives on 10,000+ legitimate base stations<p>## Implementation
```bash
# Minimal PoC
python collect_baseline.py --sdr hackrf --duration 3600
python train_wai.py --model mamba --epochs 100
python detect_realtime.py --threshold 0.85
```<p>Stack: GNU Radio + PyTorch + RTL-SDR/HackRF<p>## Next Steps
- Open-sourcing core detection engine (Q1 2025)
- Building crowdsourced threat intelligence network
- Adding 5G SA/NSA support<p>GitHub: [coming soon - email for early access]
Technical paper: [arxiv link pending]<p>Looking for feedback from RF/SDR folks: What attack vectors am I missing? How would you bypass RF fingerprinting?