ION GNSS 2010
Session C6: GNSS Space Based Augmentation Systems (SBAS)

Title: Real-Time Spoofing Detection Using Correlation Between two Civil GPS Receiver
Author(s): B.W. O´Hanlon, M.L. Psiaki, J.A. Bhatti, T.E. Humphreys, Cornell University
Date/Time: Friday, September 21, 2012, 4:04 p.m.

A real-time spoofing detection system has been developed for a narrow-band civil GPS receiver. In this system, the receiver that needs spoofing protection correlates its signal with that of a distant reference receiver in order to detect the presence of the P(Y) code as a verification of signal authenticity. This approach provides a strong spoofing defense that can be incorporated into current civil receivers by implementing moderate modifications -- perhaps only software or firmware modifications -- and by supplying an external reference signal. In this method, the RF front-end of a reference receiver in a secure location supports spoofing detection in one or more user equipment (UE) receivers. The reference receiver streams its RF front-end outputs to the UE receivers over a secure communications link, and each UE receiver implements a spoofing detection algorithm.

This spoofing detection concept has been previously demonstrated [1], but the present paper presents the first real-time implementation. The effort of Ref. 1 implemented after-the-fact spoofing detection based on samples from digital storage receivers that were operated simultaneously in Ithaca, NY and Austin, TX. Processing was done off-line using MATLAB on a desktop workstation. The current implementation does everything in real-time on a software receiver platform that is written in C++ and runs on a desktop workstation. Two new issues explored by the present paper are the intricacies of performing the calculations in real-time and of real-time streaming of RF samples between receivers. A third new issue concerns the effectiveness of the real-time algorithms when making various approximations that are needed to simplify the calculations.

In this system, signal authentication relies on cross-correlation of a portion of the encrypted P(Y) code between the non-spoofed reference receiver and any given UE receiver [1][2]. The current implementation differs from that of Ref. 2 in that the reference receiver and the UE receiver use RF front-ends that have only a 2.5 MHz bandwidth, which implies that only 25% of the P(Y) code power is available for spoofing detection; 5.5 dB is lost. Both the reference receiver and the UE receiver employ standard hemispherical patch antennas. Another difference is that the proposed system intentionally authenticates the C/A code, and it does this at the UE, whereas the implementation of Ref. 2 performs authentication remotely and does not necessarily authenticate the C/A code; irregularities in the phasing of the C/A and P(Y) codes are not necessarily considered in Ref. 2.

The signal authentication algorithm correlates data from the reference receiver RF front-end with data from the local RF-front end. Each data stream should contain the P(Y) code, perhaps a highly filtered version with significant attenuation and distortion. If the UE signal is authentic, then a correlation peak will be found between the reference and defended receivers. This method of spoofing detection assumes that the correct encrypted P(Y) code can only be present in an authentic signal, not in a spoofed signal. It tracks the L1 C/A signal in both receivers and uses it to find the correct relative carrier and code phase of the P(Y) signal. Reliable detection of a spoofing attack (99.87% probability of detection with a false alarm rate of 0.13 %) requires accumulation of the mixer output over 1.25 seconds if the P(Y) carrier-to-noise ratio is 45 dB-Hz before being passed through the RF front-end´s narrow-band filter.

The UE receiver must temporally align the two data streams in order to produce a large detection statistic when the P(Y) code is present in both signals. This alignment is accomplished by using the C/A code as a timing reference. The relation between C/A code phase and P(Y) code phase for a particular SV is constant. Therefore, the UE correlates identical C/A-code-relative portions of the base-band quadrature signals from the two RF front-ends.

Issues related to the implementation of this scheme within a real-time software receiver are discussed. The software receiver of this study uses bitwise parallelism in order to carry out the signal replica generation, mixing, and accumulate-and-dump computations that are standard within its DLL and PLL [3]. Bit-wise parallelism can also be used to implement the spoofing detector´s calculations. Inter-sample interpolation is needed in order to time-align the two quadrature base-band signals from the two receivers prior to mixing. In the bit-wise parallel format, however, efficiency is gained by mixing data samples from one RF front-end with data from its two nearest-neighbor samples for the other front-end in order to accumulate two separate statistics. The needed interpolation is performed periodically between partial accumulations of the two statistics. This approach greatly reduces computational costs in comparison to an algorithm that performs interpolation at the RF sample rate.

This spoofing detection system is verified by operating the system while under attack from a sophisticated GPS spoofer of the type described in [4]. The UE detects spoofing at a location in Austin, TX based on data from a reference RF front-end that is located in Ithaca, NY. The spoofing attack coordinates the spoofing signals in a way that precludes detection via stand-alone RAIM methods. The spoofing detection tests demonstrate the speed with which the victim receiver can detect these subtle attacks.

References:

[1] Psiaki, M.L., O´Hanlon, B.W., Bhatti, J.A., Shepard, D.P., and Humphreys, T.E., "Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals," Proc. ION GNSS 2011, Institute of Navigation, Portland, OR, 2011, pp. 2619-2645.

[2] Levin, P., De Lorenzo, D.S., Enge, P.K., and Lo, S.C., "Authenticating a Signal Based on an Unknown Component Thereof," U.S. Patent No. 7,969,354 B2, June 2011.

[3] Ledvina, B.M., Psiaki, M.L., Powell, S.P., and Kintner, P.M., "Bit-Wise Parallel Algorithms for Efficient Software Correlation Applied to a GPS Software Receiver," IEEE Trans. on Wireless Communications, Vol. 3, No. 5, Sept. 2004, pp. 1469-1473.

[4] Humphreys, T.E., Ledvina, B.M., Psiaki, M.L., O´ Hanlon, B.W., and Kintner, P.M. Jr., "Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer," Proc. ION GNSS 2008, Institute of Navigation, Savanna, Georgia, 2008, pp. 2314-2325.

Previous Abstract Return to Session C6 Next Abstract