Candidate Non-Cryptographic GNSS Spoofing Detection Techniques. Brent Ledvina*, Isaac Miller, Bryan Galusha, William Bencze, and Clark Cohen, Coherent Navigation, Inc. GNSS Security Splinter Meeting, Portland, OR 23 September 2010. *Adjunct Professor at Virginia Tech.
Protecting Civil GPS Receivers
• Critical infrastructure relies on civil GPS navigation and timing
  • Electrical grid timing and control
  • Banking/financial transactions
  • Commercial aircraft guidance and landing
  • Communication systems (cellular)
  • Public transportation
  • Asset tracking
  • Commercial fishing monitoring
  • Vehicle mileage taxation
  • Monitoring criminals
Non-cryptographic spoofing defenses provide some protection to civil GNSS receivers
Goal and Motivation
• Goal
  • Illustrate six candidate non-cryptographic spoofing detection techniques
• Motivation
  • Non-cryptographic spoofing detection techniques could be implemented today
  • Non-cryptographic defenses are needed if one is concerned with encryption or authentication key security breaches
The Sinister Threat: A Portable Receiver-Spoofer
• Humphreys et al., 2008 and Montgomery et al., 2009 described development and testing of a portable GPS L1 C/A code receiver-spoofer
• GPS signal simulators, RF playback systems, and GPS repeaters are also a threat
Spoofing Attack Demonstration
[Figure: tracking peak during the spoofing attack demonstration]
Candidate Spoofing Defenses/Detection Techniques
• Standalone Receiver-Based
  • Monitor the relative GPS signal strength
  • Monitor satellite identification codes and the number of satellite signals received
  • Check the time intervals
  • Do a time comparison (look at code phase jitter)
  • Monitor the absolute GPS signal strength
  • Data bit latency detection
  • Vestigial signal detection
  • Signal quality monitoring
  • Employ two antennas; check relative phase against known satellite directions
  • Extended RAIM
• External-Aiding
  • Perform a sanity check with a relative position estimate (compare with IMU)
  • Compare with independent absolute position or time-bearing information (e.g., Galileo and GLONASS)
• Cryptographic
  • Encrypt navigation message
  • Spreading code authentication
Defenses suggested by the Dept. of Homeland Security (2003) were shown in italics on the original slide.
Data Bit Latency Detection (1/6)
• Hard to retransmit data bits with < 1 ms latency
• Detection Technique:
  • Modify PLL to look for inconsistencies in data bits on the order of 1 ms out of the 20 ms data bit interval
• Spoofer could employ data bit prediction
• Defense:
  • External input of authenticated GPS data bits
[Figure: GPS data bit time history (Humphreys et al., 2008)]
Vestigial Signal Detection (2/6)
• Hard to conceal telltale counterfeit peak in the autocorrelation function
• Detection Technique:
  • Search for vestigial signals
  • Monitor AGC for suspicious increases in noise level
• Great for detecting an ongoing attack
[Figure: vestigial signal detection, with the vestigial signal marked (Humphreys et al., 2008)]
Vestigial Signal Detection Cont’d
• Utilize standard techniques for GPS signal acquisition, tracking, and data decoding
  • Acquisition: Standard frequency-domain and time-domain acquisition
  • Tracking: Standard code (DLL) and carrier (PLL) tracking loops
  • Data decoding: Standard data decoding with parity checking
Extended Receiver Autonomous Integrity Monitoring (RAIM) (3/6)
• RAIM provides a statistical method to detect a signal with unacceptable pseudorange error and remove it from the navigation solution
• Vestigial signals could appear at an erroneous pseudorange or carrier Doppler shift frequency
• Extend RAIM to include carrier Doppler shift frequency
  • Create a single test statistic based on pseudorange and carrier Doppler shift frequency measurements
  • Test statistic is a normalized chi-square random variable with 2N – 8 degrees of freedom, where N is the number of tracked signals
  • Provides a statistical hypothesis test to throw out at least 1 signal
Ledvina et al., ION NTM 2010
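The slide gives the shape of the extended RAIM statistic without showing the arithmetic. The following is an added illustration written for this page, not the implementation from Ledvina et al. (ION NTM 2010): it linearizes N pseudorange residuals against position and clock bias, N Doppler residuals against velocity and clock drift, sums the normalized least-squares residuals, and compares the result with a chi-square threshold at 2N – 8 degrees of freedom. The six-satellite geometry, the noise sigmas, and the 100 m / 20 m/s pull on one signal are constructed inputs; the chi-square quantiles are standard table values.

```python
"""Extended RAIM: one chi-square statistic over pseudorange and carrier Doppler
residuals with 2N - 8 degrees of freedom (added example, pure Python)."""

# Constructed receiver-to-satellite unit vectors (east, north, up), N = 6.
LOS = [
    (0.0, 0.0, 1.0),
    (0.6, 0.0, 0.8),
    (-0.6, 0.0, 0.8),
    (0.0, 0.8, 0.6),
    (0.0, -0.8, 0.6),
    (0.5, 0.5, 0.7071),
]
SIGMA_RHO = 3.0   # assumed 1-sigma pseudorange noise, metres
SIGMA_DOP = 0.5   # assumed 1-sigma range-rate (Doppler) noise, metres/second
# chi-square 0.999 quantiles (false-alarm probability 1e-3) keyed by dof
CHI2_999 = {2: 13.816, 4: 18.467}


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small square system."""
    n = len(a)
    m = [list(a[i]) + [b[i]] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def residual_sse(h, z):
    """Least squares z ~ H x via the normal equations; returns the residual SSE."""
    rows, cols = len(h), len(h[0])
    hth = [[sum(h[k][i] * h[k][j] for k in range(rows)) for j in range(cols)] for i in range(cols)]
    htz = [sum(h[k][i] * z[k] for k in range(rows)) for i in range(cols)]
    x = solve(hth, htz)
    return sum((z[k] - sum(h[k][i] * x[i] for i in range(cols))) ** 2 for k in range(rows))


def extended_raim(los, rho_resid, dop_resid):
    """Return (statistic, dof). Pseudorange block: unknowns are 3-D position and
    clock bias; Doppler block: 3-D velocity and clock drift. Both blocks share the
    line-of-sight geometry, so 2N measurements minus 8 unknowns gives the dof."""
    h = [[e, n, u, 1.0] for (e, n, u) in los]
    sse = residual_sse(h, [r / SIGMA_RHO for r in rho_resid]) \
        + residual_sse(h, [d / SIGMA_DOP for d in dop_resid])
    return sse, 2 * len(los) - 8


def passes(los, rho_resid, dop_resid):
    """Hypothesis test: True when the measurement set is self-consistent."""
    stat, dof = extended_raim(los, rho_resid, dop_resid)
    return stat <= CHI2_999[dof]


def isolate(los, rho_resid, dop_resid):
    """The 'throw out at least one signal' step: drop each signal in turn and
    return the index whose removal leaves the most consistent subset, or None."""
    best = None
    for i in range(len(los)):
        keep = [k for k in range(len(los)) if k != i]
        stat, dof = extended_raim([los[k] for k in keep],
                                  [rho_resid[k] for k in keep],
                                  [dop_resid[k] for k in keep])
        if stat <= CHI2_999[dof] and (best is None or stat < best[1]):
            best = (i, stat)
    return None if best is None else best[0]


def project(los, state):
    """Linearized residuals a receiver would see for a small offset (e, n, u, clock)."""
    e, n, u, c = state
    return [le * e + ln * n + lu * u + c for (le, ln, lu) in los]


# Constructed inputs: residuals consistent with one position/clock offset and one
# velocity/drift offset (clean), then the same set with signal 1 pulled away.
CLEAN_RHO = project(LOS, (2.0, -1.0, 3.0, 5.0))      # metres
CLEAN_DOP = project(LOS, (0.1, 0.0, -0.05, 0.02))    # metres/second
SPOOFED_RHO = [r + (100.0 if i == 1 else 0.0) for i, r in enumerate(CLEAN_RHO)]
SPOOFED_DOP = [d + (20.0 if i == 1 else 0.0) for i, d in enumerate(CLEAN_DOP)]

if __name__ == "__main__":
    for label, rho, dop in (("clean", CLEAN_RHO, CLEAN_DOP), ("spoofed", SPOOFED_RHO, SPOOFED_DOP)):
        stat, dof = extended_raim(LOS, rho, dop)
        print(f"{label}: statistic={stat:.2f} dof={dof} passes={passes(LOS, rho, dop)} "
              f"isolate={isolate(LOS, rho, dop)}")
```

The Doppler block matters because a counterfeit signal that is consistent in pseudorange may still be inconsistent in range rate; with both blocks sharing the geometry, a single outlier contributes to the statistic in both and is isolated by the subset search.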
GNSS Signal Quality Monitoring (4/6)
• Signal Quality Monitoring (SQM) is designed to identify satellite anomalies or faults
• Goal: Can we leverage SQM for spoofing detection?
• Two test statistics considered
  • Delta Test: Detects asymmetries in the correlation function (assumes carrier tracking loop phase lock, Q ≈ 0)
  • Ratio Test: Detects flat correlation peaks or abnormally sharp or elevated correlation peaks
Ledvina et al., ION NTM 2010
Testing SQM: Two Spoofing Signal Alignment Techniques
• Two ways a counterfeit signal interacts with the authentic signal
  1. Counterfeit signal marches into code phase alignment with the authentic signal
  2. Counterfeit signal is code-phase aligned with the authentic signal and grows in amplitude
• Do not necessarily assume carrier phase alignment
  • Requires cm-level knowledge of the 3-D vector between spoofer and target receiver
• Assume spoofer has a priori knowledge of the 12.5-minute GPS navigation message
Case 1: Counterfeit Signal Marching In
• +3 dB counterfeit signal with two extremes of carrier phase alignment
[Figure panels: perfect carrier phase alignment; 180 degrees out of phase]
Multi-Antenna Differential-Carrier-Phase Spoofing (5/6)
Montgomery et al., ION ITM 2009
External Aiding: High-Quality Frequency Reference (6/6)
• Time and Frequency Synchronization via GPS Receivers
  • 70% of GPS receivers are utilized for timing applications, providing time and frequency reference sources
• GPS timing receivers
  • Implemented with a high-quality crystal oscillator, a coupled GPS receiver, and control logic
  • Control logic cross-checks with the high-quality oscillator, providing some protection against GPS time spoofing attacks
  • Control logic implementation and oscillator quality primarily dictate the rate at which a time spoofing attack can be successfully carried out
[Figure: Symmetricom XL-GPS Time and Frequency Receiver]
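The slide states that the control logic cross-checks GPS time against the oscillator and that oscillator quality bounds the rate of a time-spoofing attack. The following is an added example of such a cross-check, written for this page; it is not Symmetricom's or any vendor's control logic. The oscillator tolerance, the one-second comparison interval, and the two (GPS time minus oscillator time) series are constructed assumptions.

```python
"""Cross-check of GPS-derived time against a local high-quality oscillator
(added example; tolerance, interval and time series are constructed)."""

FRACTIONAL_FREQ_TOLERANCE = 1e-9   # assumed holdover spec of the oscillator
SAMPLE_INTERVAL_S = 1.0            # one phase comparison per 1 PPS epoch


def frequency_offsets(gps_minus_osc):
    """Fractional frequency offset implied by each consecutive pair of phase
    differences (GPS time minus oscillator time, in seconds)."""
    return [(b - a) / SAMPLE_INTERVAL_S
            for a, b in zip(gps_minus_osc, gps_minus_osc[1:])]


def first_alarm(gps_minus_osc, tolerance=FRACTIONAL_FREQ_TOLERANCE):
    """Index of the first interval in which GPS time moves away from the
    oscillator faster than the oscillator itself could drift, else None.
    A genuine oscillator error stays inside the tolerance; a pull on GPS
    time that exceeds it is flagged and the receiver can hold over."""
    for i, y in enumerate(frequency_offsets(gps_minus_osc)):
        if abs(y) > tolerance:
            return i
    return None


def protection_time_s(time_shift_s, tolerance=FRACTIONAL_FREQ_TOLERANCE):
    """Protection level: how long any pull that stays under the tolerance
    (and so is indistinguishable from oscillator drift) would need to move
    the output clock by time_shift_s. Better oscillators make this longer."""
    return abs(time_shift_s) / tolerance


# Constructed series: genuine oscillator aging of 2e-10 per second
CLEAN = [2e-10 * k for k in range(10)]
# Constructed pull: from epoch 5 the apparent GPS time runs 1 us/s fast
PULLED = CLEAN[:6] + [CLEAN[5] + 1e-6 * (k - 5) for k in range(6, 10)]

if __name__ == "__main__":
    print("clean series alarm at:", first_alarm(CLEAN))
    print("pulled series alarm at:", first_alarm(PULLED))
    print("seconds needed to shift 1 ms within tolerance:", protection_time_s(1e-3))
```

With the assumed 1e-9 tolerance, a 1 ms shift that stays below the alarm threshold takes about 1e6 s (over 11 days), which is what the slide means by oscillator quality dictating the achievable rate of attack.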
Conclusions
• Described six candidate spoofing detection techniques
• Spoofing detection
  • Simple software-based solutions provide some protection
  • Multi-antenna differential carrier phase and external aiding provide more protection
  • Strength of each detection scheme needs to be mathematically defined and tested to understand the protection level
• Best Non-Cryptographic Spoofing Detection Technique: Multi-Antenna Differential Carrier Phase Spoofing Detection Technique
Additional Observations Relevant to Signal Quality Monitoring
• A counterfeit signal +1 dB above an authentic signal can cause successful lift-off
• A +3 dB counterfeit signal up to 30 degrees out of phase causes detectable destructive interference
• Time rate of attack shortens the destructive interference period, and thus shortens the time in which an attack can be detected
• Code tracking loop bandwidth becomes important for fast attacks
• Data bit latency or data bit errors cause destructive interference, thereby improving detection
In-Line GPS Anti-Spoofing Module Architecture – Adding Anti-Spoofing Defenses to Legacy GPS Receivers
The GPS anti-spoofing module makes existing GPS equipment resistant to spoofing without requiring hardware or software changes to the equipment
Case 2: Counterfeit Signal Growing in Amplitude
• Maximum +3 dB counterfeit signal with two extremes of carrier phase alignment
[Figure panels: perfect carrier phase alignment; 180 degrees out of phase]
Phasor Interpretation of Observations
• Baseband phasors in the complex plane can explain the observations
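The SQM slides (delta and ratio tests, the two alignment cases, and the phasor interpretation) can be tied together in one small model. The following is an added example written for this page, not the code behind the slides: the received baseband correlation is the authentic phasor plus a counterfeit phasor, the early/prompt/late correlators are sampled on an idealised triangular C/A-code autocorrelation, and the delta and ratio tests are applied. The 0.5-chip early-late spacing, the exact form of the two test statistics, the alarm thresholds, and the assumption that the PLL is locked to the composite prompt while the DLL still sits on the authentic code phase are all assumptions of this example.

```python
"""SQM delta and ratio tests on a phasor model of authentic + counterfeit
signals (added example; spacing, test forms and thresholds are assumed)."""
import cmath
import math

EL_SPACING = 0.5           # assumed early-late spacing, chips
DELTA_LIMIT = 0.1          # assumed |delta| alarm threshold
RATIO_BAND = (0.65, 0.85)  # assumed acceptance band around the nominal 0.75


def triangle(tau):
    """Idealised (infinite-bandwidth) C/A-code autocorrelation, tau in chips."""
    return max(0.0, 1.0 - abs(tau))


def composite(tau, spoof_amp, spoof_tau, spoof_phase_deg):
    """Baseband correlator output at code offset tau: authentic phasor (unit
    amplitude, zero carrier phase, code phase 0) plus a counterfeit phasor of
    amplitude spoof_amp, code offset spoof_tau chips, carrier phase in degrees."""
    counterfeit = spoof_amp * cmath.exp(1j * math.radians(spoof_phase_deg))
    return triangle(tau) + counterfeit * triangle(tau - spoof_tau)


def correlators(spoof_amp=0.0, spoof_tau=0.0, spoof_phase_deg=0.0):
    """Return (I_E, I_P, I_L, prompt power). The PLL is assumed locked to the
    composite prompt phasor (so Q_P ~ 0, the delta test's precondition) and the
    DLL to the authentic code phase, as in the 'marching in' case."""
    prompt = composite(0.0, spoof_amp, spoof_tau, spoof_phase_deg)
    rotate = cmath.exp(-1j * cmath.phase(prompt)) if abs(prompt) > 1e-12 else 1.0
    i_e = (composite(-EL_SPACING / 2, spoof_amp, spoof_tau, spoof_phase_deg) * rotate).real
    i_p = (prompt * rotate).real
    i_l = (composite(+EL_SPACING / 2, spoof_amp, spoof_tau, spoof_phase_deg) * rotate).real
    return i_e, i_p, i_l, abs(prompt) ** 2


def delta_test(i_e, i_p, i_l):
    """Asymmetry of the correlation peak; 0 for a clean symmetric triangle."""
    return (i_e - i_l) / i_p


def ratio_test(i_e, i_p, i_l):
    """Peak shape; equals 1 - spacing/2 = 0.75 for a clean triangle."""
    return (i_e + i_l) / (2.0 * i_p)


def sqm_alarm(i_e, i_p, i_l):
    """Flag a distorted peak on either test."""
    d = delta_test(i_e, i_p, i_l)
    r = ratio_test(i_e, i_p, i_l)
    return abs(d) > DELTA_LIMIT or not (RATIO_BAND[0] <= r <= RATIO_BAND[1])


DB3 = 10 ** (3 / 20)   # +3 dB expressed as an amplitude ratio

if __name__ == "__main__":
    cases = {
        "clean": correlators(),
        "case 1: 0.3 chip away, in phase": correlators(DB3, 0.3, 0.0),
        "case 1: 0.3 chip away, 180 deg": correlators(DB3, 0.3, 180.0),
        "case 2: code aligned, in phase": correlators(DB3, 0.0, 0.0),
        "case 2: code aligned, 180 deg": correlators(DB3, 0.0, 180.0),
    }
    for name, (i_e, i_p, i_l, power) in cases.items():
        print(f"{name:34s} delta={delta_test(i_e, i_p, i_l):+8.3f} "
              f"ratio={ratio_test(i_e, i_p, i_l):+8.3f} prompt power={power:6.3f} "
              f"alarm={sqm_alarm(i_e, i_p, i_l)}")
```

Two things the model shows that the slides only assert: in case 1 the 180-degree phasor nearly cancels the prompt (the destructive interference of the observations slide) and both tests swing far outside their bands, while in case 2 a code-aligned counterfeit just scales the whole triangle, so delta and ratio stay at their nominal values and only the prompt power (or AGC level, as on the vestigial-signal slide) changes.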