Presentation is loading. Please wait.

Presentation is loading. Please wait.

WNCG, UT Austin, 1 April 2011 Mark L. Psiaki Sibley School of Mechanical & Aerospace Engr., Cornell University Civilian GPS Spoofing Detection based on.

Published byAmber Higgins Modified over 8 years ago

Similar presentations

Presentation on theme: "WNCG, UT Austin, 1 April 2011 Mark L. Psiaki Sibley School of Mechanical & Aerospace Engr., Cornell University Civilian GPS Spoofing Detection based on."— Presentation transcript:

1 WNCG, UT Austin, 1 April 2011 Mark L. Psiaki Sibley School of Mechanical & Aerospace Engr., Cornell University Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals

2 UT Austin April ‘11 2 of 32 Collaborator Acknowledgements Steve Powell, Cornell ECE staff Brady O’Hanlon, Cornell ECE Ph.D. student Jahshan Bhatti, UT Austin Aero. Engr. & Engr. Mechanics Ph.D. student Todd Humphreys, UT Austin Aero. Engr. & Engr. Mechanics faculty

3 UT Austin April ‘11 3 of 32 Motivation: Defend civilian GPS receivers from Humphreys-et-al.- type spoofing attack RAIM methods not useful Strategy: Exploit encrypted P(Y) code Cross-correlate P(Y) code in defended receiver with P(Y) code on secure receiver  P(Y) found in quadrature with tracked C/A  Codeless technique is simple  Semi-codeless yields increased processing gain  Narrow-band P(Y) experiences ~75% power loss & distortion Initially use M ATLAB in an offline mode for analysis & testing

4 UT Austin April ‘11 4 of 32 Outline I.Related research II.Spoofing detection concept III.Signal model IV.Using narrow-band receivers  Narrow-band-filtered P(Y) code characteristics  System ID of envelop filter impulse response to enable spoofing detection in a narrow-band receiver V.Codeless spoofing detection VI.Semi-codeless spoofing detection VII.Summary & conclusions VIII.Future plans

5 UT Austin April ‘11 5 of 32 Related Research Substantial literature on RAIM detection of navigationally inconsistent spoofing Warner & Johnston (2003): Hardware-simulator- based spoofer detectable via RAIM only at start-up Humphreys et al. (2008, 2009): Receiver/spoofer not detectable via RAIM Lo et al. (2009): Codeless military P(Y) code dual- receiver cross-correlation spoofing detection proposed & tested under non-spoofing conditions O’Hanlon et al. (2010): Attempted real-time implementation of Lo et al. spoofing detector & test under Humphreys et al. spoofing attack

6 UT Austin April ‘11 6 of 32 A Spoofing Attack not Detectable by RAIM

7 UT Austin April ‘11 7 of 32 UE with -receiver for delayed, digitally-signed P(Y) features -delayed processing to detect spoofing via P(Y) feature correlation Anti-Spoofing via P(Y) Correlation Secure antenna/receiver w/processing to estimate P(Y) features GPS Satellite Transmitter of delayed, digitally-signed P(Y) features GEO “bent-pipe” transceiver Broadcast segments of delayed, digitally- signed P(Y) features Secure uplink of delayed, digitally- signed P(Y) features

8 UT Austin April ‘11 8 of 32 Block Diagram of Generalized P(Y) Correlation Spoofing Detector GPS transmitter UE receiver with P(Y) fea extraction processing Secure ground- based antenna/ receiver Digital signer Secure link to broadcaster Wireless (or internet) broadcaster UE receiver (or internet link) for P(Y) fea Correlation registers Digital sig- nature verifier Spoofing Detector L1 C/A & P(Y) P(Y) fea P(Y) fea/est User Equipment New Infrastructure

9 UT Austin April ‘11 9 of 32 Signal with C/A & P(Y) code at RF front-end output Sample interval  t C/A code C ( t ) & P code P ( t ) known (+1/-1 values) P(Y) +1/-1 encryption chips w ( t ) not known w ( t ) average chipping at 480 KHz w/known timing relative to C/A & P codes Wide-band carrier-to-noise ratios: Signal Model at RF Front-End Output

10 UT Austin April ‘11 10 of 32 Carrier Phase & Timing Relationships of C/A & P(Y) Codes

11 UT Austin April ‘11 11 of 32 Original & Filtered P(Y) Spectra

12 UT Austin April ‘11 12 of 32 Original & Filtered P(Y) Time Histories

13 UT Austin April ‘11 13 of 32 Envelope (finite) impulse response of Z code: Correlation between filtered code & unfiltered replica: Derived cross-correlation relationship for system ID: Complex Envelope Filter Impulse Response & Filtered PRN Code Correlation

14 UT Austin April ‘11 14 of 32 Track C/A code using DLL & PLL Compute, prompt, early, late, double early, double late, etc…. C/A accumulations, c CFC (  i ) for many  i cross-correlation delay values Guess reasonable, conservative t max &  D values Parameterize h ( t ; p ) as the 1 st derivative of a quintic spline envelop step response function with spline node parameters p Use known c CC (  ) C/A autocorrelation, measured c CFC (  i ) cross correlations, & analytic spline integrals to formulate over-determined system of linear equations in p & (1/ A ) based on final equation of previous chart Solve least-squares estimation problem subject to the constraint & penalizing Or set up & solve simultaneously for multiple C/A PRN codes in same receiver, solving for differential  D values between PRN codes in outer nonlinear optimization Filter Impulse System ID Calculations

15 UT Austin April ‘11 15 of 32 Theoretical & Measured C/A Correlations, PRN 08

16 UT Austin April ‘11 16 of 32 Estimation Fit for PRN 08

17 UT Austin April ‘11 17 of 32 Estimated Impulse & Frequency Responses for 2 Narrow-Band RF Filters

18 UT Austin April ‘11 18 of 32 1.Track C/A code, compute & record base-band-mixed quadrature samples y rawAi & y rawBi, & do noise & C/A & P(Y) power calculations on both receivers 2. Compute normalized cross-correlation spoofing detection statistic Codeless Spoofing Detection Calculations (1 of 2)

19 UT Austin April ‘11 19 of 32 3.Compute conditional means & variances of detection statistic under non-spoofed null hypothesis, H 0, & under spoofed hypothesis, H 1 4.Develop spoofing detection threshold  th based on conditional probability density functions & desired false alarm probability 5. Compare computed statistic to threshold Codeless Spoofing Detection Calculations (2 of 2)

20 UT Austin April ‘11 20 of 32 Verification of No-Spoofing Case Figure 3. Codeless verification of no spoofing.

21 UT Austin April ‘11 21 of 32 First Successful Spoofing Attack Detection

22 UT Austin April ‘11 22 of 32 Base-Band Quadrature Semi-Codeless Signal Model

23 UT Austin April ‘11 23 of 32 1.Track C/A code, compute & record base-band-mixed quadrature samples y rawAi & y rawBi, do noise & C/A & P(Y) power calculations on both receivers (as in codeless tracking), & estimate P(Y) amplitude A py 2.Form hard +1/-1 estimates of w j encryption chips by approximately optimizing the following cost function using integer techniques 3. Compute probability that w j = +1 & compute soft w j –chip estimates for j = 1, …, N Semi-Codeless Spoofing Detection Calcs. (1 of 3)

24 UT Austin April ‘11 24 of 32 Semi-Codeless Spoofing Detection Calcs. (2 of 3) 4.Compute spoofing detection statistic equal to cross-correlation of soft w-chip estimates between receivers A & B 5.Compute conditional means & variances of detection statistic under non-spoofed null hypothesis, H 0, & under spoofed hypothesis, H 1

25 UT Austin April ‘11 25 of 32 6.Develop spoofing detection threshold  th based on conditional probability density functions & desired false alarm probability 7. Compare computed statistic to threshold Semi-Codeless Spoofing Detection Calcs. (3 of 3)

26 UT Austin April ‘11 26 of 32 A Priori Semi-Codeless Spoofing Detection Analysis 1.Compute conditional means & variances of detection statistic under non-spoofed hypothesis & spoofed hypothesis without receiver A data 2.Develop spoofing detection threshold  th based on conditional probability density functions & desired false alarm probability

27 Semi-Codeless Verification of No Spoofing UT Austin April ‘11 27 of 32

28 First Semi-Codeless Spoofing Attack Detection UT Austin April ‘11 28 of 32

29 Codeless & Semi-Codeless Detection Power UT Austin April ‘11 29 of 32  FA = 0.01 % (C/N 0 ) pyA = 35 dB-Hz (C/N 0 ) pyB = 35 dB-Hz

30 Test of C/A Timing as a Proxy for P(Y) Timing, Codeless Correlation UT Austin April ‘11 30 of 32

31 Summary & Conclusions Developed dual-receiver spoofing detection methods  Codeless & semi-codeless cross-correlation of quadrature P(Y) code  Thresholds designed based on full statistical analyses Implemented in narrow-band C/A receiver  Did system ID of narrow-band RF filters  Employed resulting models of P(Y) power loss & of time-domain distortion Demonstrated first successful detection of RAIM- proof spoofing attack  Detection achieved after-the-fact in M ATLAB  Works well with semi-codeless detection interval of 0.2 sec for reasonable C/N 0 levels & can work well with shorter intervals UT Austin April ‘11 31 of 32

32 Future Plans/Hopes Evaluate narrow-band filter effects of w-chip timing relative to C/A DLL prompt code & modify w-chips timing if indicated Evaluate potential improvements from  Higher-gain reference station antenna  Higher-bandwidth reference station receiver Tailor calculations for efficient real-time calculation Implement in CASES real-time software radio Also implement for L2C spoofing detection Try narrow-band processing for L2 tracking based on traditional L1 P(Y) semi-codeless correlation UT Austin April ‘11 32 of 32

Download ppt "WNCG, UT Austin, 1 April 2011 Mark L. Psiaki Sibley School of Mechanical & Aerospace Engr., Cornell University Civilian GPS Spoofing Detection based on."

Similar presentations

VSMC MIMO: A Spectral Efficient Scheme for Cooperative Relay in Cognitive Radio Networks 1.

VSMC MIMO: A Spectral Efficient Scheme for Cooperative Relay in Cognitive Radio Networks 1.
Challenges of Practical Civil GNSS Security Todd Humphreys, UT Austin Civil Navigation and Timing Security Splinter Meeting |Portland, Oregon | September.

Challenges of Practical Civil GNSS Security Todd Humphreys, UT Austin Civil Navigation and Timing Security Splinter Meeting |Portland, Oregon | September.
Protecting Civil GPS Receivers

Protecting Civil GPS Receivers
ION GNSS 2011, September 23 rd, Portland, Oregon Improving Security of GNSS Receivers Felix Kneissl University FAF Munich.

ION GNSS 2011, September 23 rd, Portland, Oregon Improving Security of GNSS Receivers Felix Kneissl University FAF Munich.
Digital transmission over a fading channel Narrowband system (introduction) Wideband TDMA (introduction) Wideband DS-CDMA (introduction) Rake receiver.

Digital transmission over a fading channel Narrowband system (introduction) Wideband TDMA (introduction) Wideband DS-CDMA (introduction) Rake receiver.
Noise on Analog Systems

Noise on Analog Systems
Collaboration FST-ULCO 1. Context and objective of the work  Water level : ECEF Localization of the water surface in order to get a referenced water.

Collaboration FST-ULCO 1. Context and objective of the work  Water level : ECEF Localization of the water surface in order to get a referenced water.
June 4, 2015 On the Capacity of a Class of Cognitive Radios Sriram Sridharan in collaboration with Dr. Sriram Vishwanath Wireless Networking and Communications.

June 4, 2015 On the Capacity of a Class of Cognitive Radios Sriram Sridharan in collaboration with Dr. Sriram Vishwanath Wireless Networking and Communications.
Advancing Wireless Link Signatures for Location Distinction J. Zhang, M. H. Firooz, N. Patwari, S. K. Kasera MobiCom’ 08 Presenter: Yuan Song.

Advancing Wireless Link Signatures for Location Distinction J. Zhang, M. H. Firooz, N. Patwari, S. K. Kasera MobiCom’ 08 Presenter: Yuan Song.
Workshop EGNOS KRAKÓW 2004 1 GNSS RECEIVER TESTING TECHNIQUES IN A LABORATORY ENVIRONMENT Institute of Radar Technology Military University of Technology.

Workshop EGNOS KRAKÓW GNSS RECEIVER TESTING TECHNIQUES IN A LABORATORY ENVIRONMENT Institute of Radar Technology Military University of Technology.
A SINGLE FREQUENCY GPS SOFTWARE RECEIVER

A SINGLE FREQUENCY GPS SOFTWARE RECEIVER
GPS and other GNSS signals GPS signals and receiver technology MM10 Darius Plausinaitis

GPS and other GNSS signals GPS signals and receiver technology MM10 Darius Plausinaitis
Distance-decreasing attack in GPS Final Presentation Horacio Arze Prof. Jean-Pierre Hubaux Assistant: Marcin Poturalski January 2009 Security and Cooperation.

Distance-decreasing attack in GPS Final Presentation Horacio Arze Prof. Jean-Pierre Hubaux Assistant: Marcin Poturalski January 2009 Security and Cooperation.
II. Medium Access & Cellular Standards. TDMA/FDMA/CDMA.

II. Medium Access & Cellular Standards. TDMA/FDMA/CDMA.
Angle Modulation Objectives

Angle Modulation Objectives
Frontiers in Radionavigation Dr. Todd E. Humphreys.

Frontiers in Radionavigation Dr. Todd E. Humphreys.
Carrier-Amplitude modulation In baseband digital PAM: (2d - the Euclidean distance between two adjacent points)

Carrier-Amplitude modulation In baseband digital PAM: (2d - the Euclidean distance between two adjacent points)
Thoughts on GPS Security and Integrity Todd Humphreys, UT Austin Aerospace Dept. DHS Visit to UT Radionavigation Lab | March 10, 2011.

Thoughts on GPS Security and Integrity Todd Humphreys, UT Austin Aerospace Dept. DHS Visit to UT Radionavigation Lab | March 10, 2011.
12.215 Modern Navigation Thomas Herring

Modern Navigation Thomas Herring
Kyle Wesson, Mark Rothlisberger, and Todd Humphreys

Kyle Wesson, Mark Rothlisberger, and Todd Humphreys

Similar presentations

Ads by Google