1 / 21

Candidate Non-Cryptographic GNSS Spoofing Detection Techniques

Candidate Non-Cryptographic GNSS Spoofing Detection Techniques. Brent Ledvina*, Isaac Miller, Bryan Galusha, William Bencze, and Clark Cohen, Coherent Navigation, Inc. GNSS Security Splinter Meeting, Portland, OR 23 September 2010. *Adjunct Professor at Virginia Tech.

elroy
Download Presentation

Candidate Non-Cryptographic GNSS Spoofing Detection Techniques

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Candidate Non-Cryptographic GNSS Spoofing Detection Techniques Brent Ledvina*, Isaac Miller, Bryan Galusha, William Bencze, and Clark Cohen, Coherent Navigation, Inc. GNSS Security Splinter Meeting, Portland, OR 23 September 2010 *Adjunct Professor at Virginia Tech

  2. Protecting Civil GPS Receivers • Critical infrastructure relies on civil GPS navigation and timing • Electrical grid timing and control • Banking/financial transactions • Commercial aircraft guidance and landing • Communication systems (cellular) • Public transportation • Asset tracking • Commercial fishing monitoring • Vehicle mileage taxation • Monitoring criminals Non-cryptographic spoofing defenses provide some protection to civil GNSS receivers

  3. Goal and Motivation • Goal • Illustrate six candidate non-cryptographic spoofing detection techniques • Motivation • Non-cryptographic spoofing detection techniques could be implemented today • Non-cryptographic defenses are needed if one is concerned with encryption or authentication key security breaches

  4. The Sinister Threat: A Portable Receiver-Spoofer Humphreys et al., 2008 and Montgomery et al., 2009 described development and testing of portable GPS L1 C/A code receiver-spoofer GPS signal simulators, RF playback systems, and GPS repeaters are also a threat

  5. Spoofing Attack Demonstration Tracking Peak

  6. Candidate Spoofing Defenses/Detection Techniques • Standalone Receiver-Based • Monitor the relative GPS signal strength • Monitor satellite identification codes and the number of satellite signals received • Check the time intervals • Do a time comparison (look at code phase jitter) • Monitor the absolute GPS signal strength • Data bit latency detection • Vestigial signal detection • Signal quality monitoring • Employ two antennas; check relative phase against know satellite directions • Extended RAIM • External-Aiding • Perform a sanity check with relative position estimate (compare with IMU) • Compare with independent absolute position or time-bearing information (e.g., Galileo and GLONASS) • Cryptographic • Encrypt navigation message • Spreading code authentication Defenses suggested by Dept.of Homeland Security (2003) in italics

  7. Data Bit Latency Detection (1/6) • Hard to retransmit data bits with < 1ms latency • Detection Technique: • Modify PLL to look for inconsistencies in data bits on the order of 1 ms out of 20 ms data bit interval • Spoofer could employ data bit prediction • Defense: • External input of authenticated GPS data bits GPS data bit time history Humphreys et al., 2008

  8. Vestigial Signal Detection (2/6) • Hard to conceal telltale counterfeit peak in autocorrelation function • Detection Technique: • Search for vestigial signals • Monitor AGC for suspicious increases in noise level • Great for detecting ongoing attack Vestigial signal detection Vestigial Signal Humphreys et al., 2008

  9. Vestigial Signal Detection Cont’d • Utilize standard techniques for GPS signal acquisition, tracking, and data decoding • Acquisition: Standard frequency-domain and time-domain acquisition • Tracking: Standard code (DLL) and carrier (PLL) tracking loops • Data decoding: Standard data decoding with parity checking

  10. Extended Receiver Autonomous Integrity Monitoring (RAIM) (3/6) • RAIM provides statistical method to detect signal with unacceptable pseudorange error and remove it from navigation solution • Vestigial signals could appear at an erroneous pseudorange or carrier Doppler shift frequency • Extend RAIM to include carrier Doppler shift frequency • Create single test statistic based on pseudorange and carrier Doppler shift frequency measurements • Test statistic is normalized chi-square random variable with 2*N – 8 degrees of freedom, where N is number of tracking signals • Provides statistical hypothesis test to throw out at least 1 signal Ledvina et al., ION NTM 2010

  11. GNSS Signal Quality Monitoring (4/6) • Signal Quality Monitoring (SQM) designed to identify satellite anomalies or faults • Goal: Can we leverage SQM for spoofing detection? • Two test statistics considered • Delta Test: Detects asymmetries in the correlation functions (assumes carrier tracking loop phase lock, Q ≈ 0) • Ratio Test: Detects flat correlation peaks or abnormally sharp or elevated correlation peaks Ledvina et al., ION NTM 2010

  12. Testing SQM: Two Spoofing Signal Alignment Techniques • Two ways a counterfeit signal interacts with authentic signal • 1. Counterfeit signal marches into code phase alignment with authentic signal • 2. Counterfeit signal is code-phase aligned with authentic signals and grows in amplitude • Do not necessarily assume carrier phase alignment • Requires cm-level knowledge of 3-D vector between spoofer and target receiver • Assume spoofer has a priori knowledge of 12.5-minute GPS navigation message

  13. Case 1: Counterfeit Signal Marching In • +3dB counterfeit signal with two extremes of carrier phase alignment Perfect carrier phase alignment 180 degrees out of phase

  14. Multi-Antenna Differential-Carrier-Phase Spoofing (5/6) 13 Montgomery et al., ION ITM 2009

  15. External Aiding: High-Quality Frequency Reference (6/6) • Time and Frequency Synchronization via GPS Receivers • 70% of GPS receivers are utilized for timing applications providing time and frequency reference sources • GPS timing receivers • Implemented with a high-quality crystal oscillator, a coupled GPS receiver, and control logic • Control logic cross-checks with high-quality oscillator providing some protection against GPS time spoofing attacks • Control logic implementation and oscillator quality primarily dictate rate at which time spoofing attack can be successfully carried out Symmetricom XL-GPS Time and Frequency Receiver

  16. Conclusions • Described six candidate spoofing detection techniques • Spoofing detection • Simple software-based solutions provide some protection • Multi-antenna differential carrier phase and external aiding provide more protection • Strength of each detection scheme needs to be mathematically defined and tested to understand protection level • Best Non-Cryptographic Spoofing Detection Technique Multi-Antenna Differential Carrier Phase Spoofing Detection Technique

  17. Back-Up Slides

  18. Additional Observations Relevant to Signal Quality Monitoring • Counterfeit signal +1dB above an authentic signal can cause successful lift-off • +3 dB counterfeit signal up to 30 degrees out-of-phase causes detectable deconstructive interference • Time rate of attack shortens deconstructive interference period, and thus shortens time in which an attack can be detected • Code tracking loop bandwidth becomes important for fast attacks • Data bit latency or data bit errors causes deconstructive interference, thereby improving detection

  19. In-Line GPS Anti-Spoofing Module Architecture – Adding Anti-Spoofing Defenses to Legacy GPS Receivers The GPS anti-spoofing module makes existing GPS equipment resistant to spoofing without requiring hardware or software changes to the equipment 18

  20. Case 2: Counterfeit Signal Growing in Amplitude • Maximum +3dB counterfeit signal with two extremes of carrier phase alignment Perfect carrier phase alignment 180 degrees out of phase

  21. Phasor Interpretation of Observations • Baseband phasors in the complex plane can explain observations

More Related