ION GNSS 2011
Session C6: Galileo & Other Emerging GNSS (COMPASS, QZSS, IRNSS)

Title: The Texas Spoofing Test Battery: Toward a Standard for Evaluating GPS Signal Authentication Techniques
Author(s): T. Humphreys, J. Bhatti, D. Shepard, and K. Wesson, The Universtiy of Texas at Austin
Date/Time: Friday, September 21, 2012, 3:42 p.m.
Room: Room A107-109

An experimental testbed has been created for developing and evaluating Global Navigation Satellite System (GNSS) signal authentication techniques. The testbed consists of a real-time phase-coherent GNSS signal simulator that acts as spoofer, a real-time software-defined GNSS receiver that plays the role of defender, and post-processing versions of both the spoofer and defender. An in-band signal power interference detection test is developed theoretically and evaluated in a realistic spoofing scenario. Two other recently-proposed signal authentication techniques are also evaluated: (1) a cryptographic defense against replay-type spoofing attacks, and (2) a non-cryptographic defense that triggers on interaction between the spoofing signal and the vestige of the authentic signal.
Authentication of civil Global Navigation Satellite System (GNSS) signals is increasingly a concern. Spoofing attacks, in which counterfeit GNSS signals are generated for the purpose of manipulating a target receiver´s reported position and time, have been demonstrated with low-cost commercial equipment against a wide variety of civil Global Positioning System (GPS) receivers [1], [2]. Such attacks threaten the integrity of financial transactions, communications, and power grid monitoring operations that depend on GNSS signals for accurate positioning and timing [3]-[5].

Whereas the military GPS waveform was originally designed to be unpredictable and therefore resistant to spoofing [6], civil GPS waveforms and other civil GNSS waveforms are precisely specified in publicly-available documents [7], [8]. Also, although not entirely constrained by the signal specifications, the navigation data messages modulated onto the civil waveforms are highly predictable. Known signal structure and data bit predictability make civil GNSS signals susceptible to spoofing attacks.

Several researchers have proposed techniques for overlaying unpredictable but verifiable modulations on existing and future civil GNSS signals [9]-[13]. These cryptographic techniques offer the promise of effective signal authentication without requiring additional hardware such as multiple antennas [14] or inertial measurement equipment [15], which would be impractical in cost-sensitive applications. Another cryptographic technique exploits the existing encrypted military signals to offer civil GPS signal authentication for networked GPS receivers [16]-[18]. Non-cryptographic GNSS signal authentication techniques that do not require additional hardware have also been proposed [19], [20]. The best protection against GNSS spoofing likely involves a combination of cryptographic and non-cryptographic techniques [13].

Existing and proposed GNSS signal authentication schemes are all premised on hypothesis tests involving statistical models for the authentic and counterfeit GNSS signals. These models make simplifying assumptions that permit tractable analytical treatment of the detection problem. In general, the statistics of the null hypothesis (only authentic signals present) are readily verifiable by laboratory experiment but the statistics of the alternative hypothesis (spoofing attack underway) are not easily verified. This is because sophisticated signal generation hardware capable of code- and carrier-phase-aligned spoofing attacks is neither commercially available nor straightforward to construct. Thus, for example, experimental validation of the authentication technique proposed in [16] was limited to the null hypothesis. A testbed capable of simulating realistic spoofing attacks is needed so that the efficacy of proposed GNSS signal authentication techniques can be experimentally evaluated.

This paper makes three contributions. First, it describes an experimental testbed that has been created for developing and evaluating GNSS signal authentication techniques. The testbed consists of a software-defined real-time phase-coherent GNSS signal simulator capable of carrying out sophisticated spoofing attacks, a real-time software-defined GNSS receiver that plays the role of defender, and post-processing versions of both the spoofer and defender. Second, this paper develops an in-band signal power interference detection test that takes into account the natural variability of received in-band power. Third, it presents results of simulated spoofing attacks against several recently-proposed civil GNSS signal authentication techniques, including the in-band signal power detection test developed herein and the techniques proposed in [13], [19].

[1] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O´Hanlon, and P. M. Kintner, Jr., "Assessing the spoofing threat: development of a portable GPS civilian spoofer," in Proceedings of the ION GNSS Meeting. Savannah, GA: Institute of Navigation, 2008.

[2] D. Shepard and T. E. Humphreys, "Characterization of receiver response to a spoofing attack," in Proceedings of the ION GNSS Meeting. Portland, Oregon: Institute of Navigation, 2011.

[3] Anon., "Vulnerability assessment of the transportation infrastructure relying on the Global Positioning System," John A. Volpe National Transportation Systems Center, Tech. Rep., 2001.

[4] Anon., "Global positioning system impact to critical civil infrastructure (GICCI)," Mission Assurance Division, Naval Surface Warfare Center, Tech. Rep., 2009.

[5] U. Kroener and F. Dimc, "Hardening of civilian GNSS trackers," in Proceedings of the 3rd GNSS Vulnerabilities and Solutions Conference. Krk Island, Croatia: Royal Institute of Navigation, Sept. 2010.

[6] J. J. Spilker, Jr, Global Positioning System: Theory and Applications. Washington, D.C.: American Institute of Aeronautics and Astronautics, 1996, ch. 3: GPS Signal Structure and Theoretical Performance, pp. 57-119.

[7] Anon., "IS-GPS-200E: Navstar GPS space segment/navigation user interfaces," Science Applications International Corporation, Tech. Rep., 2010, http://www.losangeles.af.mil/library/factsheets/factsheet.asp?id=9364.

[8] Anon., "OD SIS ICE: European GNSS (Galileo) signal in space interface control document," European Union, Tech. Rep., 2010, http://ec.europa.eu/enterprise/policies/space/files/galileo/ galileo os sis icd revised 2 en.pdf.

[9] L. Scott, "Anti-spoofing and authenticated signal architectures for civil navigation systems," in Proceedings of the ION GNSS Meeting. Portland, Oregon: Institute of Navigation, 2003, pp. 1542-1552.

[10] G. Hein, F. Kneissl, J.-A. Avila-Rodriguez, and S. Wallner, "Authenticating GNSS: Proofs against spoofs, Part 2," Inside GNSS, pp. 71-78, September/October 2007.

[11] O. Pozzobon, "Keeping the spoofs out: Signal authentication services for future GNSS," Inside GNSS, vol. 6, no. 3, pp. 48-55, May/June 2011.

[12] K. Wesson, M. Rothlisberger, and T. E. Humphreys, "Practical cryptographic civil GPS signal authentication," NAVIGATION, Journal of the Institute of Navigation, 2011, submitted for review; available at http://radionavlab.ae.utexas.edu/nma.

[13] T. E. Humphreys, "Detection strategy for cryptographic GNSS anti-spoofing," IEEE Transactions on Aerospace and Electronic Systems, 2011, submitted for review; available at http://radionavlab.ae.utexas.edu/detstrat.

[14] P. Y. Montgomery, T. E. Humphreys, and B. M. Ledvina, "A multi-antenna defense: Receiver-autonomous GPS spoofing detection," Inside GNSS, vol. 4, no. 2, pp. 40-46, April 2009.

[15] N. White, P. Maybeck, and S. DeVilbiss, "Detection of interference/jamming and spoofing in a DGPS-aided inertial system," Aerospace and Electronic Systems, IEEE Transactions on, vol. 34, no. 4, pp. 1208-1217, 1998.

[16] S. Lo, D. DeLorenzo, P. Enge, D. Akos, and P. Bradley, "Signal authentication," Inside GNSS, vol. 0, no. 0, pp. 30-39, Sept. 2009.

[17] M. L. Psiaki, B. W. O´Hanlon, J. A. Bhatti, and T. E. Humphreys, "Civilian GPS spoofing detection based on dual-receiver correlation of military signals," in Proceedings of the ION GNSS Meeting. Portland, Oregon: Institute of Navigation, 2011.

[18] M. Psiaki, B. O´Hanlon, J. Bhatti, D. Shepard, and T. Humphreys, "Gps spoofing detection via dual-receiver correlation of military signals," IEEE Transactions on Aerospace and Electronic Systems, 2012, submitted for review; available at http://web.mae.cornell.edu/psiaki/.

[19] K. Wesson, D. Shepard, J. Bhatti, and T. E. Humphreys, "An evaluation of the vestigial signal defense for civil GPS anti-spoofing," in Proceedings of the ION GNSS Meeting. Portland, Oregon: Institute of Navigation, 2011.

[20] B. M. Ledvina, W. J. Bencze, B. Galusha, and I. Miller, "An in-line anti-spoofing module for legacy civil GPS receivers," in Proceedings of the ION ITM, San Diego, CA, Jan. 2010.

Previous Abstract Return to Session C6 Next Abstract