WNCG, UT Austin, 1 April 2011 Mark L. Psiaki Sibley School of Mechanical & Aerospace Engr., Cornell University Civilian GPS Spoofing Detection based on.

Presentation transcript:

WNCG, UT Austin, 1 April 2011 Mark L. Psiaki Sibley School of Mechanical & Aerospace Engr., Cornell University Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals

UT Austin April ‘11 2 of 32
Collaborator Acknowledgements
- Steve Powell, Cornell ECE staff
- Brady O’Hanlon, Cornell ECE Ph.D. student
- Jahshan Bhatti, UT Austin Aero. Engr. & Engr. Mechanics Ph.D. student
- Todd Humphreys, UT Austin Aero. Engr. & Engr. Mechanics faculty

Motivation:
- Defend civilian GPS receivers from Humphreys-et-al.-type spoofing attack
- RAIM methods not useful
Strategy:
- Exploit encrypted P(Y) code
- Cross-correlate P(Y) code in defended receiver with P(Y) code on secure receiver
  - P(Y) found in quadrature with tracked C/A
  - Codeless technique is simple
  - Semi-codeless yields increased processing gain
  - Narrow-band P(Y) experiences ~75% power loss & distortion
- Initially use MATLAB in an offline mode for analysis & testing

Outline
I. Related research
II. Spoofing detection concept
III. Signal model
IV. Using narrow-band receivers
  - Narrow-band-filtered P(Y) code characteristics
  - System ID of envelope filter impulse response to enable spoofing detection in a narrow-band receiver
V. Codeless spoofing detection
VI. Semi-codeless spoofing detection
VII. Summary & conclusions
VIII. Future plans

Related Research
- Substantial literature on RAIM detection of navigationally inconsistent spoofing
- Warner & Johnston (2003): Hardware-simulator-based spoofer detectable via RAIM only at start-up
- Humphreys et al. (2008, 2009): Receiver/spoofer not detectable via RAIM
- Lo et al. (2009): Codeless military P(Y) code dual-receiver cross-correlation spoofing detection proposed & tested under non-spoofing conditions
- O’Hanlon et al. (2010): Attempted real-time implementation of Lo et al. spoofing detector & test under Humphreys et al. spoofing attack

A Spoofing Attack not Detectable by RAIM

Anti-Spoofing via P(Y) Correlation
Diagram labels:
- UE with receiver for delayed, digitally-signed P(Y) features and delayed processing to detect spoofing via P(Y) feature correlation
- Secure antenna/receiver w/processing to estimate P(Y) features
- GPS Satellite
- Transmitter of delayed, digitally-signed P(Y) features
- GEO “bent-pipe” transceiver
- Broadcast segments of delayed, digitally-signed P(Y) features
- Secure uplink of delayed, digitally-signed P(Y) features

Block Diagram of Generalized P(Y) Correlation Spoofing Detector
Diagram labels:
- GPS transmitter
- UE receiver with P(Y) fea extraction processing
- Secure ground-based antenna/receiver
- Digital signer
- Secure link to broadcaster
- Wireless (or internet) broadcaster
- UE receiver (or internet link) for P(Y) fea
- Correlation registers
- Digital signature verifier
- Spoofing Detector
- L1 C/A & P(Y)
- P(Y) fea
- P(Y) fea/est
- User Equipment
- New Infrastructure

Signal Model at RF Front-End Output
- Signal with C/A & P(Y) code at RF front-end output
- Sample interval Δt
- C/A code C(t) & P code P(t) known (+1/-1 values)
- P(Y) +1/-1 encryption chips w(t) not known
- w(t) average chipping at 480 kHz w/known timing relative to C/A & P codes
- Wide-band carrier-to-noise ratios:

Carrier Phase & Timing Relationships of C/A & P(Y) Codes

Original & Filtered P(Y) Spectra

Original & Filtered P(Y) Time Histories

Complex Envelope Filter Impulse Response & Filtered PRN Code Correlation
- Envelope (finite) impulse response of Z code:
- Correlation between filtered code & unfiltered replica:
- Derived cross-correlation relationship for system ID:

Filter Impulse System ID Calculations
- Track C/A code using DLL & PLL
- Compute prompt, early, late, double early, double late, etc. C/A accumulations, c_CFC(τ_i), for many τ_i cross-correlation delay values
- Guess reasonable, conservative t_max &  D values
- Parameterize h(t; p) as the 1st derivative of a quintic spline envelope step response function with spline node parameters p
- Use known c_CC(τ) C/A autocorrelation, measured c_CFC(τ_i) cross correlations, & analytic spline integrals to formulate over-determined system of linear equations in p & (1/A) based on final equation of previous chart
- Solve least-squares estimation problem subject to the constraint & penalizing
- Or set up & solve simultaneously for multiple C/A PRN codes in same receiver, solving for differential  D values between PRN codes in outer nonlinear optimization

Theoretical & Measured C/A Correlations, PRN 08

Estimation Fit for PRN 08

Estimated Impulse & Frequency Responses for 2 Narrow-Band RF Filters

Codeless Spoofing Detection Calculations (1 of 2)
1. Track C/A code, compute & record base-band-mixed quadrature samples y_rawAi & y_rawBi, & do noise & C/A & P(Y) power calculations on both receivers
2. Compute normalized cross-correlation spoofing detection statistic

Codeless Spoofing Detection Calculations (2 of 2)
3. Compute conditional means & variances of detection statistic under non-spoofed null hypothesis, H_0, & under spoofed hypothesis, H_1
4. Develop spoofing detection threshold  th based on conditional probability density functions & desired false alarm probability
5. Compare computed statistic to threshold
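The codeless steps 1-5 above, run end to end on constructed data. This is an added example, not code from the presentation: the slide equations did not survive on this page, so the per-sample normalization, the unit-variance noise model, the amplitudes and names such as `gamma` and `alpha_fa` are assumptions. It keeps the slides' convention that H_0 is the non-spoofed case, so a false alarm is the statistic falling below the threshold.

```python
import math
import random
from statistics import NormalDist

def simulate_quadrature(n, amp_a, amp_b, spoofed, rng):
    """Constructed data: unit-variance noise plus +/-1 P(Y) chips of a given amplitude."""
    y_a, y_b = [], []
    for _ in range(n):
        chip = rng.choice((-1.0, 1.0))   # encrypted chip, unknown to both receivers
        # Assumption: a spoofed receiver A has no authentic P(Y) in quadrature.
        y_a.append((0.0 if spoofed else amp_a * chip) + rng.gauss(0.0, 1.0))
        y_b.append(amp_b * chip + rng.gauss(0.0, 1.0))   # secure reference receiver B
    return y_a, y_b

def detection_statistic(y_a, y_b):
    """Step 2: cross-correlation of the two quadrature streams, per sample (sigma = 1)."""
    return sum(a * b for a, b in zip(y_a, y_b)) / len(y_a)

def design_threshold(n, amp_a, amp_b, alpha_fa):
    """Steps 3-4: Gaussian approximation of the statistic under H0 and H1."""
    mean_h0 = amp_a * amp_b                        # both receivers see the same chips
    sigma_h0 = math.sqrt((1.0 + amp_a**2 + amp_b**2) / n)
    mean_h1 = 0.0                                  # receiver A holds noise only
    sigma_h1 = math.sqrt((1.0 + amp_b**2) / n)
    # False alarm = the H0 statistic dropping below the threshold.
    threshold = mean_h0 - NormalDist().inv_cdf(1.0 - alpha_fa) * sigma_h0
    p_detect = NormalDist(mean_h1, sigma_h1).cdf(threshold)
    return threshold, p_detect

def run_case(spoofed, n=100_000, amp_a=0.2, amp_b=0.2, alpha_fa=1e-4, seed=2011):
    """Step 5: compare the computed statistic to the designed threshold."""
    rng = random.Random(seed)
    y_a, y_b = simulate_quadrature(n, amp_a, amp_b, spoofed, rng)
    gamma = detection_statistic(y_a, y_b)
    threshold, p_detect = design_threshold(n, amp_a, amp_b, alpha_fa)
    return {"gamma": gamma, "threshold": threshold,
            "p_detect": p_detect, "spoofing_declared": gamma < threshold}

if __name__ == "__main__":
    for spoofed in (False, True):
        print("spoofed input:", spoofed, run_case(spoofed))
```

In practice the amplitudes come from the power calculations of step 1; shortening `n` or lowering the amplitudes moves the H_0 and H_1 distributions closer together and reduces `p_detect` for the same false alarm probability.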

Verification of No-Spoofing Case
Figure 3. Codeless verification of no spoofing.

First Successful Spoofing Attack Detection

Base-Band Quadrature Semi-Codeless Signal Model

Semi-Codeless Spoofing Detection Calcs. (1 of 3)
1. Track C/A code, compute & record base-band-mixed quadrature samples y_rawAi & y_rawBi, do noise & C/A & P(Y) power calculations on both receivers (as in codeless tracking), & estimate P(Y) amplitude A_py
2. Form hard +1/-1 estimates of w_j encryption chips by approximately optimizing the following cost function using integer techniques
3. Compute probability that w_j = +1 & compute soft w_j-chip estimates for j = 1, …, N

Semi-Codeless Spoofing Detection Calcs. (2 of 3)
4. Compute spoofing detection statistic equal to cross-correlation of soft w-chip estimates between receivers A & B
5. Compute conditional means & variances of detection statistic under non-spoofed null hypothesis, H_0, & under spoofed hypothesis, H_1

Semi-Codeless Spoofing Detection Calcs. (3 of 3)
6. Develop spoofing detection threshold  th based on conditional probability density functions & desired false alarm probability
7. Compare computed statistic to threshold

A Priori Semi-Codeless Spoofing Detection Analysis
1. Compute conditional means & variances of detection statistic under non-spoofed hypothesis & spoofed hypothesis without receiver A data
2. Develop spoofing detection threshold  th based on conditional probability density functions & desired false alarm probability

Semi-Codeless Verification of No Spoofing

First Semi-Codeless Spoofing Attack Detection

Codeless & Semi-Codeless Detection Power
 FA = 0.01 %, (C/N_0)_pyA = 35 dB-Hz, (C/N_0)_pyB = 35 dB-Hz

Test of C/A Timing as a Proxy for P(Y) Timing, Codeless Correlation

Summary & Conclusions
- Developed dual-receiver spoofing detection methods
  - Codeless & semi-codeless cross-correlation of quadrature P(Y) code
  - Thresholds designed based on full statistical analyses
- Implemented in narrow-band C/A receiver
  - Did system ID of narrow-band RF filters
  - Employed resulting models of P(Y) power loss & of time-domain distortion
- Demonstrated first successful detection of RAIM-proof spoofing attack
  - Detection achieved after-the-fact in MATLAB
  - Works well with semi-codeless detection interval of 0.2 sec for reasonable C/N_0 levels & can work well with shorter intervals

Future Plans/Hopes
- Evaluate narrow-band filter effects of w-chip timing relative to C/A DLL prompt code & modify w-chips timing if indicated
- Evaluate potential improvements from
  - Higher-gain reference station antenna
  - Higher-bandwidth reference station receiver
- Tailor calculations for efficient real-time calculation
- Implement in CASES real-time software radio
- Also implement for L2C spoofing detection
- Try narrow-band processing for L2 tracking based on traditional L1 P(Y) semi-codeless correlation