Presentation is loading. Please wait.

Presentation is loading. Please wait.

Coherent Navigation Candidate Non- Cryptographic GNSS Spoofing Detection Techniques Brent Ledvina*, Isaac Miller, Bryan Galusha, William Bencze, and Clark.

Similar presentations


Presentation on theme: "Coherent Navigation Candidate Non- Cryptographic GNSS Spoofing Detection Techniques Brent Ledvina*, Isaac Miller, Bryan Galusha, William Bencze, and Clark."— Presentation transcript:

1 Coherent Navigation Candidate Non- Cryptographic GNSS Spoofing Detection Techniques Brent Ledvina*, Isaac Miller, Bryan Galusha, William Bencze, and Clark Cohen, Coherent Navigation, Inc. GNSS Security Splinter Meeting, Portland, OR 23 September 2010 *Adjunct Professor at Virginia Tech

2 Coherent Navigation Protecting Civil GPS Receivers  Critical infrastructure relies on civil GPS navigation and timing  Electrical grid timing and control  Banking/financial transactions  Commercial aircraft guidance and landing  Communication systems (cellular)  Public transportation  Asset tracking  Commercial fishing monitoring  Vehicle mileage taxation  Monitoring criminals Non-cryptographic spoofing defenses provide some protection to civil GNSS receivers 9/23/2010

3 Coherent Navigation Goal and Motivation  Goal  Illustrate six candidate non-cryptographic spoofing detection techniques  Motivation  Non-cryptographic spoofing detection techniques could be implemented today  Non-cryptographic defenses are needed if one is concerned with encryption or authentication key security breaches 9/23/2010

4 Coherent Navigation The Sinister Threat: A Portable Receiver-Spoofer Humphreys et al., 2008 and Montgomery et al., 2009 described development and testing of portable GPS L1 C/A code receiver-spoofer GPS signal simulators, RF playback systems, and GPS repeaters are also a threat

5 Coherent Navigation Spoofing Attack Demonstration Tracking Peak 9/23/2010

6 Coherent Navigation Candidate Spoofing Defenses/Detection Techniques 1Standalone Receiver-Based  Monitor the relative GPS signal strength  Monitor satellite identification codes and the number of satellite signals received  Check the time intervals  Do a time comparison (look at code phase jitter)  Monitor the absolute GPS signal strength  Data bit latency detection  Vestigial signal detection  Signal quality monitoring  Employ two antennas; check relative phase against know satellite directions  Extended RAIM 2External-Aiding  Perform a sanity check with relative position estimate (compare with IMU)  Compare with independent absolute position or time-bearing information (e.g., Galileo and GLONASS) 3Cryptographic  Encrypt navigation message  Spreading code authentication Defenses suggested by Dept.of Homeland Security (2003) in italics 9/23/2010

7 Coherent Navigation Data Bit Latency Detection (1/6) Hard to retransmit data bits with < 1ms latency Detection Technique: Modify PLL to look for inconsistencies in data bits on the order of 1 ms out of 20 ms data bit interval Spoofer could employ data bit prediction Defense: External input of authenticated GPS data bits GPS data bit time history Humphreys et al., /23/2010

8 Coherent Navigation Vestigial Signal Detection (2/6) Hard to conceal telltale counterfeit peak in autocorrelation function Detection Technique: Search for vestigial signals Monitor AGC for suspicious increases in noise level Great for detecting ongoing attack Vestigial signal detection Vestigial Signal Humphreys et al., /23/2010

9 Coherent Navigation Vestigial Signal Detection Cont’d  Utilize standard techniques for GPS signal acquisition, tracking, and data decoding  Acquisition: Standard frequency-domain and time-domain acquisition  Tracking: Standard code (DLL) and carrier (PLL) tracking loops  Data decoding: Standard data decoding with parity checking

10 Coherent Navigation Extended Receiver Autonomous Integrity Monitoring (RAIM) (3/6)  RAIM provides statistical method to detect signal with unacceptable pseudorange error and remove it from navigation solution  Vestigial signals could appear at an erroneous pseudorange or carrier Doppler shift frequency  Extend RAIM to include carrier Doppler shift frequency  Create single test statistic based on pseudorange and carrier Doppler shift frequency measurements  Test statistic is normalized chi-square random variable with 2*N – 8 degrees of freedom, where N is number of tracking signals  Provides statistical hypothesis test to throw out at least 1 signal Ledvina et al., ION NTM 2010

11 Coherent Navigation GNSS Signal Quality Monitoring (4/6)  Signal Quality Monitoring (SQM) designed to identify satellite anomalies or faults  Goal: Can we leverage SQM for spoofing detection?  Two test statistics considered  Delta Test: Detects asymmetries in the correlation functions (assumes carrier tracking loop phase lock, Q ≈ 0)  Ratio Test: Detects flat correlation peaks or abnormally sharp or elevated correlation peaks Ledvina et al., ION NTM 2010

12 Coherent Navigation Testing SQM: Two Spoofing Signal Alignment Techniques  Two ways a counterfeit signal interacts with authentic signal  1. Counterfeit signal marches into code phase alignment with authentic signal  2. Counterfeit signal is code-phase aligned with authentic signals and grows in amplitude  Do not necessarily assume carrier phase alignment  Requires cm-level knowledge of 3-D vector between spoofer and target receiver  Assume spoofer has a priori knowledge of 12.5-minute GPS navigation message 9/23/2010

13 Coherent Navigation Case 1: Counterfeit Signal Marching In  +3dB counterfeit signal with two extremes of carrier phase alignment Perfect carrier phase alignment 180 degrees out of phase 9/23/2010

14 Coherent Navigation Multi-Antenna Differential-Carrier-Phase Spoofing (5/6) 13 Montgomery et al., ION ITM /23/2010

15 Coherent Navigation External Aiding: High-Quality Frequency Reference (6/6)  Time and Frequency Synchronization via GPS Receivers  70% of GPS receivers are utilized for timing applications providing time and frequency reference sources  GPS timing receivers  Implemented with a high-quality crystal oscillator, a coupled GPS receiver, and control logic  Control logic cross-checks with high-quality oscillator providing some protection against GPS time spoofing attacks Control logic implementation and oscillator quality primarily dictate rate at which time spoofing attack can be successfully carried out 9/23/2010 Symmetricom XL-GPS Time and Frequency Receiver

16 Coherent Navigation Conclusions  Described six candidate spoofing detection techniques  Spoofing detection  Simple software-based solutions provide some protection  Multi-antenna differential carrier phase and external aiding provide more protection  Strength of each detection scheme needs to be mathematically defined and tested to understand protection level  Best Non-Cryptographic Spoofing Detection Technique Multi-Antenna Differential Carrier Phase Spoofing Detection Technique

17 Coherent Navigation Back-Up Slides 9/23/2010

18 Coherent Navigation Additional Observations Relevant to Signal Quality Monitoring  Counterfeit signal +1dB above an authentic signal can cause successful lift-off  +3 dB counterfeit signal up to 30 degrees out-of-phase causes detectable deconstructive interference  Time rate of attack shortens deconstructive interference period, and thus shortens time in which an attack can be detected  Code tracking loop bandwidth becomes important for fast attacks  Data bit latency or data bit errors causes deconstructive interference, thereby improving detection 9/23/2010

19 Coherent Navigation In-Line GPS Anti-Spoofing Module Architecture – Adding Anti-Spoofing Defenses to Legacy GPS Receivers The GPS anti-spoofing module makes existing GPS equipment resistant to spoofing without requiring hardware or software changes to the equipment 18

20 Coherent Navigation Case 2: Counterfeit Signal Growing in Amplitude  Maximum +3dB counterfeit signal with two extremes of carrier phase alignment Perfect carrier phase alignment 180 degrees out of phase 9/23/2010

21 Coherent Navigation Phasor Interpretation of Observations  Baseband phasors in the complex plane can explain observations


Download ppt "Coherent Navigation Candidate Non- Cryptographic GNSS Spoofing Detection Techniques Brent Ledvina*, Isaac Miller, Bryan Galusha, William Bencze, and Clark."

Similar presentations


Ads by Google