Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals
Mark L. Psiaki
Sibley School of Mechanical & Aerospace Engr., Cornell University
WNCG, UT Austin, 1 April 2011

Collaborator Acknowledgements
• Steve Powell, Cornell ECE staff
• Brady O’Hanlon, Cornell ECE Ph.D. student
• Jahshan Bhatti, UT Austin Aero. Engr. & Engr. Mechanics Ph.D. student
• Todd Humphreys, UT Austin Aero. Engr. & Engr. Mechanics faculty
UT Austin April ‘11

Motivation:
• Defend civilian GPS receivers from Humphreys-et-al.-type spoofing attack
• RAIM methods not useful
Strategy:
• Exploit encrypted P(Y) code
• Cross-correlate P(Y) code in defended receiver with P(Y) code on secure receiver
• P(Y) found in quadrature with tracked C/A
• Codeless technique is simple
• Semi-codeless yields increased processing gain
• Narrow-band P(Y) experiences ~75% power loss & distortion
• Initially use Matlab in an offline mode for analysis & testing

Outline
• Related research
• Spoofing detection concept
• Signal model
• Using narrow-band receivers
• Narrow-band-filtered P(Y) code characteristics
• System ID of envelope filter impulse response to enable spoofing detection in a narrow-band receiver
• Codeless spoofing detection
• Semi-codeless spoofing detection
• Summary & conclusions
• Future plans

Related Research
• Substantial literature on RAIM detection of navigationally inconsistent spoofing
• Warner & Johnston (2003): Hardware-simulator-based spoofer detectable via RAIM only at start-up
• Humphreys et al. (2008, 2009): Receiver/spoofer not detectable via RAIM
• Lo et al. (2009): Codeless military P(Y) code dual-receiver cross-correlation spoofing detection proposed & tested under non-spoofing conditions
• O’Hanlon et al. (2010): Attempted real-time implementation of Lo et al. spoofing detector & test under Humphreys et al. spoofing attack

A Spoofing Attack not Detectable by RAIM

Anti-Spoofing via P(Y) Correlation
[Diagram; labeled elements:]
• GPS Satellite
• Secure antenna/receiver w/processing to estimate P(Y) features
• Secure uplink of delayed, digitally-signed P(Y) features
• GEO “bent-pipe” transceiver
• Transmitter of delayed, digitally-signed P(Y) features
• Broadcast segments of delayed, digitally-signed P(Y) features
• UE with
  • receiver for delayed, digitally-signed P(Y) features
  • delayed processing to detect spoofing via P(Y) feature correlation

Block Diagram of Generalized P(Y) Correlation Spoofing Detector
[Block diagram; labeled elements:]
• GPS transmitter: L1 C/A & P(Y)
• User Equipment: UE receiver with P(Y)fea extraction processing (P(Y)fea/est); UE receiver (or internet link) for P(Y)fea; digital signature verifier; correlation registers; spoofing detector
• New Infrastructure: secure ground-based antenna/receiver (P(Y)fea); digital signer; secure link to broadcaster; wireless (or internet) broadcaster

Signal Model at RF Front-End Output
• Signal with C/A & P(Y) code at RF front-end output
• Sample interval Δt
• C/A code C(t) & P code P(t) known (+1/-1 values)
• P(Y) +1/-1 encryption chips w(t) not known
• w(t) average chipping at 480 KHz w/known timing relative to C/A & P codes
• Wide-band carrier-to-noise ratios:

Carrier Phase & Timing Relationships of C/A & P(Y) Codes

Original & Filtered P(Y) Spectra

Original & Filtered P(Y) Time Histories

Complex Envelope Filter Impulse Response & Filtered PRN Code Correlation
• Envelope (finite) impulse response of Z code:
• Correlation between filtered code & unfiltered replica:
• Derived cross-correlation relationship for system ID:

Filter Impulse System ID Calculations
• Track C/A code using DLL & PLL
• Compute prompt, early, late, double early, double late, etc. C/A accumulations, cCFC(hi), for many hi cross-correlation delay values
• Guess reasonable, conservative tmax & tD values
• Parameterize h(t;p) as the 1st derivative of a quintic spline envelope step response function with spline node parameters p
• Use known cCC(h) C/A autocorrelation, measured cCFC(hi) cross correlations, & analytic spline integrals to formulate over-determined system of linear equations in p & (1/A) based on final equation of previous chart
• Solve least-squares estimation problem subject to the constraint & penalizing
• Or set up & solve simultaneously for multiple C/A PRN codes in same receiver, solving for differential tD values between PRN codes in outer nonlinear optimization

Theoretical & Measured C/A Correlations, PRN 08

Estimation Fit for PRN 08

Estimated Impulse & Frequency Responses for 2 Narrow-Band RF Filters

Codeless Spoofing Detection Calculations (1 of 2)
1. Track C/A code, compute & record base-band-mixed quadrature samples yrawAi & yrawBi, & do noise & C/A & P(Y) power calculations on both receivers
2. Compute normalized cross-correlation spoofing detection statistic

Codeless Spoofing Detection Calculations (2 of 2)
3. Compute conditional means & variances of detection statistic under non-spoofed null hypothesis, H0, & under spoofed hypothesis, H1
4. Develop spoofing detection threshold γth based on conditional probability density functions & desired false alarm probability
5. Compare computed statistic to threshold

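The five codeless steps above, carried through on constructed data as an added example (not code from the talk): a cross-correlation statistic, its H0/H1 moments, a threshold set from the false alarm probability, and the comparison. Assumptions: a simplified signal model (one quadrature sample per unknown +/-1 chip, unit-variance white Gaussian noise, no authentic P(Y) in the spoofed receiver A), a Gaussian approximation for the statistic, and all function and parameter names.

```python
import math
import random
from statistics import NormalDist

def quadrature_samples(chips, amp, sigma, rng):
    # Assumed model: amp * (unknown +/-1 P(Y) chip) + white Gaussian noise.
    return [amp * c + rng.gauss(0.0, sigma) for c in chips]

def detection_statistic(y_a, y_b, sigma_a, sigma_b):
    # Normalized cross-correlation of the two receivers' quadrature samples.
    return sum(a * b for a, b in zip(y_a, y_b)) / (len(y_a) * sigma_a * sigma_b)

def hypothesis_moments(rho_a, rho_b, n):
    # rho = per-sample P(Y) amplitude / noise sigma in each receiver.
    # H0 (not spoofed): both receivers see the same chips.
    # H1 (spoofed): receiver A's quadrature holds no authentic P(Y) (assumed).
    h0 = (rho_a * rho_b, (rho_a**2 + rho_b**2 + 1.0) / n)
    h1 = (0.0, (rho_b**2 + 1.0) / n)
    return h0, h1   # each is (mean, variance) of the statistic

def threshold(h0, alpha_fa):
    # False alarm = declaring spoofing under H0, i.e. statistic < threshold.
    mean0, var0 = h0
    return mean0 + math.sqrt(var0) * NormalDist().inv_cdf(alpha_fa)

def detection_probability(h1, gamma_th):
    # Probability that the statistic falls below the threshold under H1.
    mean1, var1 = h1
    return NormalDist(mean1, math.sqrt(var1)).cdf(gamma_th)

def run_case(spoofed, n=100_000, rho_a=0.2, rho_b=0.2, alpha_fa=1e-4, seed=7):
    rng = random.Random(seed)
    chips = [rng.choice((-1.0, 1.0)) for _ in range(n)]  # constructed data
    y_b = quadrature_samples(chips, rho_b, 1.0, rng)     # secure receiver B
    amp_a = 0.0 if spoofed else rho_a                    # defended receiver A
    y_a = quadrature_samples(chips, amp_a, 1.0, rng)
    h0, h1 = hypothesis_moments(rho_a, rho_b, n)
    gamma_th = threshold(h0, alpha_fa)
    gamma = detection_statistic(y_a, y_b, 1.0, 1.0)
    return {"gamma": gamma, "gamma_th": gamma_th,
            "spoofing_declared": gamma < gamma_th,
            "p_detect": detection_probability(h1, gamma_th)}

if __name__ == "__main__":
    for spoofed in (False, True):
        print("spoofed" if spoofed else "clean", run_case(spoofed))
```

Lowering `rho_a`, `rho_b` or `n` moves the H0 and H1 distributions together and shows how detection power falls at a fixed false alarm probability.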
Verification of No-Spoofing Case
Figure 3. Codeless verification of no spoofing.

First Successful Spoofing Attack Detection

Base-Band Quadrature Semi-Codeless Signal Model

Semi-Codeless Spoofing Detection Calcs. (1 of 3)
1. Track C/A code, compute & record base-band-mixed quadrature samples yrawAi & yrawBi, do noise & C/A & P(Y) power calculations on both receivers (as in codeless tracking), & estimate P(Y) amplitude Apy
2. Form hard +1/-1 estimates of wj encryption chips by approximately optimizing the following cost function using integer techniques
3. Compute probability that wj = +1 & compute soft wj-chip estimates for j = 1, …, N

Semi-Codeless Spoofing Detection Calcs. (2 of 3)
4. Compute spoofing detection statistic equal to cross-correlation of soft w-chip estimates between receivers A & B
5. Compute conditional means & variances of detection statistic under non-spoofed null hypothesis, H0, & under spoofed hypothesis, H1

Semi-Codeless Spoofing Detection Calcs. (3 of 3)
6. Develop spoofing detection threshold γth based on conditional probability density functions & desired false alarm probability
7. Compare computed statistic to threshold

A Priori Semi-Codeless Spoofing Detection Analysis
1. Compute conditional means & variances of detection statistic under non-spoofed hypothesis & spoofed hypothesis without receiver A data
2. Develop spoofing detection threshold γth based on conditional probability density functions & desired false alarm probability

Semi-Codeless Verification of No Spoofing

First Semi-Codeless Spoofing Attack Detection

Codeless & Semi-Codeless Detection Power
[Plot; parameters:] αFA = 0.01 %, (C/N0)pyA = 35 dB-Hz, (C/N0)pyB = 35 dB-Hz

Test of C/A Timing as a Proxy for P(Y) Timing, Codeless Correlation

Summary & Conclusions
• Developed dual-receiver spoofing detection methods
• Codeless & semi-codeless cross-correlation of quadrature P(Y) code
• Thresholds designed based on full statistical analyses
• Implemented in narrow-band C/A receiver
• Did system ID of narrow-band RF filters
• Employed resulting models of P(Y) power loss & of time-domain distortion
• Demonstrated first successful detection of RAIM-proof spoofing attack
• Detection achieved after-the-fact in Matlab
• Works well with semi-codeless detection interval of 0.2 sec for reasonable C/N0 levels & can work well with shorter intervals

Future Plans/Hopes
• Evaluate narrow-band filter effects of w-chip timing relative to C/A DLL prompt code & modify w-chips timing if indicated
• Evaluate potential improvements from
  • Higher-gain reference station antenna
  • Higher-bandwidth reference station receiver
• Tailor calculations for efficient real-time calculation
• Implement in CASES real-time software radio
• Also implement for L2C spoofing detection
• Try narrow-band processing for L2 tracking based on traditional L1 P(Y) semi-codeless correlation