Session B1, Paper #1
Interference Suppression for High Precision Navigation Using Vector-Based GNSS Software Receivers
T. Lin, M. Abdizadeh, A. Broumandan, D. Wang, K. O´Keefe, G. Lachapelle, University of Calgary, Canada
Recently, the problem of Radio Frequency (RF) interference mitigation in GNSS-based navigation systems has been receiving greater attention, as the potential use of jamming has become more recognized. The expected interference propagation adversely affects receiver performance for most applications.
In the literature, numerous solutions have been proposed to alleviate jamming/interference challenges. These solutions can be categorized into two groups. The first group mitigates jamming and interference via advanced interference mitigation algorithms, while the second group utilizes advanced GNSS receiver architectures such as vector-based and ultra-tight methods.
Among all interference mitigation algorithms, notch filtering, pulse blanking, and wavelet decomposition have been proposed and implemented for continuous-wave-interference (CWI) and pulse interference mitigation (e.g. Anyaegbu et al 2005,Gao 2007, Borio 2008, Paonni et al 2010). Although these algorithms provide acceptable performance in terms of anti-jamming improvement, to the best of the authors´ knowledge the side-effects of these algorithms on navigation measurements have not yet been fully assessed. As shown in Montloin (2010), notch filters will introduce a bias on pseudorange measurements. Thus it is desirable to evaluate the performance of interference mitigation algorithms in terms of, not only the Signal-to-Interference and Noise Ratio (SINR) improvement, but also the accuracy of measurements and the final navigation solution.
Vector-based tracking and its extension ultra-tight integration with an IMU have attracted attention because of their capability of not only weak signal tracking in urban canyon environments but also higher immunity to jamming/interference compared to conventional scalar-based tracking. Benson (2007) and Groves et al (2007) reported the benefits of a vector delay lock loop (VDLL) and a non-coherent ultra-tight integration in a high jamming environment. However the anti-jamming improvement by utilizing vector-based or ultra-tight architectures still cannot satisfy the requirements for many applications under high jamming/interference. Moreover, vector-based tracking and ultra-tight integration require ephemeris information, which cannot be obtained unless signals are successfully acquired, tracked, and decoded. In practice, jamming/interference likely occurs before receivers transforming from scalar-based tracking to vector-based or ultra-tight tracking.
In order to provide a robust and precise navigation solution under strong jamming/interference, advanced suppression techniques should be utilized in a vector-based or an ultra-tight receiver. In this paper, a vector-based GNSS receiver and its ultra-tight version are investigated to address this problem. In the proposed solutions, a pre-processor that performs adaptive notching filtering, wavelet decomposition, and pulse blanking is used to detect and mitigate CWI and pulse interference at the pre-correlation level. Cascaded vector-based tracking loops that combine local coherent Kalman filter tracking and navigation solution feedback are used to robustly track code and carrier phase. The pre-processor unit not only removes jamming/interference, but also ensures that the vector-based or ultra-tight tracking can be successfully enabled. The use of vector-based tracking or ultra-tight integration provides an additional protection on code and carrier phase tracking under the impact of residual jamming/interference or the signal distortion due to mitigation filters.
This paper starts with the SINR improvement analysis of various interference mitigation techniques, namely wavelet filtering, pulse blanking and adaptive notch filtering. Their impacts on navigation measurements (i.e. pseudorange bias) are then fully investigated. The performance of the selected adaptive notch filter and wavelet filter implemented in the vector-based and the ultra-tight receiver architectures are assessed with simulated GPS signals with CWI and pulse interference utilizing a Spirent hardware simulator, and with real GPS signals and interference collected in a controlled environment. The focus is given on the evaluation of the RTK solution from the proposed receivers in the presence of CWI and pulse interference. Finally, the possibility of closure of the vector phase lock loop (VPLL) after carrier phase ambiguity fixing in the presence of interference is investigated. Various adaptive notch filters, pulse blanking, pulse clipping and wavelet filtering have been implemented in the vector-based and ultra-tight GNSS software receivers and their performance are being evaluated. The implementation of vector phase lock loop with ambiguity fixing is being investigated. According to the preliminary results, the proposed solutions can provide acceptable accuracy and availability under strong CWI and pulse interference simulated by a Spirent hardware simulator.
References:
Anyaegbu E., J. Cooper and S. Boussakta (2005), Wavelet based Interference Detection and Suppression Algorithm for Next Generation GNSS Signals, The European Navigation Conference (GNSS), Munich.
Benson, D. (2007) Interference Benefits of a Vector Delay Lock Loop (VDLL) GPS Receiver, Proceedings of the 63rd Annual Meeting of the Institute of Navigation. Cambridge, Massachusetts, Institute of Navigation, April 2007.
Borio, D. (2008) A Statistical Theory for GNSS Signal Acquisition, Doctoral Thesis, Dipartimento di Elettronica, Politecnico di Torino, Italy.
Groves, P., C. Mather and A. Macaulay (2007) Demonstration of Non-coherent Deep INS/GPS Integration for Optimised Signal-to-noise Performance, ION GNSS 20th International Technical Meeting of the Satellite Division, 25-28, September 2007, Forth Worth, TX.
Montloin, L. (2010) Impact of Interference Mitigation Techniques on a GNSS Receiver. Memoire de fin d´Etudes, Ecole Nationale de l´Aviation Civile, Toulouse.
Paonni, M., Jang, J.G., Eissfeller, B., Wallner, S., Avila Rodriguez, J. A., Samson, J., Amarillo Fernandez, F., Innovative Interference Mitigation Approaches. Analytical Analysis, Implementation and Validation, NAVITEC 2010, ESA/ESTEC, Netherlands, 2010.
Xingxin Gao G. (2007) DME/TACAN Interference Mitigation in L5/E5 Bands, ION GNSS, 25-28, September 2007, Forth Worth, TX.
[Return to Program]
Session B1, Paper #2
Field Test: Jamming the DLR Adaptive Antenna Receiver
M. Cuntz, A. Konovaltsev, M. Sgammini, C. Haettich, M. Meurer, A. Hornbostel, A. Dreher, German Aerospace Center, Germany
Array processing is a very promising technology for interference mitigation and detection for satellite navigation receivers. Especially in the field of safety critical applications, interference is a major concern. Therefore, the Institute of Communications and Navigation of the German Aerospace Center (DLR) started the development of a multi-antenna real-time receiver platform to demonstrate the performance gain of digital beamforming for GNSS receivers.
It was clear at the very beginning that the impact of interference on the system has to be considered at each stage of the receiving chain from the single antenna element to the position solution in order to ensure robustness. For this reason a completely new receiver design was necessary, which provides access to each part of the receiver to take appropriate counter measures against almost any kind of interference and jamming.
In the current stage of the GPS/Galileo E1/E5a receiver a two-by-two antenna array is employed. The DBF algorithm manages to reach the theoretical bound of signal power boost, which is approximately 7 dB for a square 2x2 antenna array compared to a single element. The adaptive beamforming together with frequency domain adaptive filtering (FDAF) give the receiver the unique capability of mitigating interference in the spatial, in the frequency and also in the time domain. The direction of arrival of impinging GNSS satellite signals can be estimated within 2-3 degrees of accuracy thanks to a novel calibration method. This is a very powerful and effective tool for detecting and mitigating spoofing, interference and multi path. Due to its real-time capability, the effects of multi path signals, interference and other kind of distortions can be directly detected and assessed online.
The Galileo Test environment GATE in Berchtesgaden offers the unique opportunity to test this receiver with Galileo signals under real conditions even before the first Galileo IOV satellites are launched. Especially the interference impact of nearby military radar in the L- band is of great interest. But also the multipath effects due to the low elevation of the pseudo satellites are a challenging task for receiver tests. In order to analyze the interference robustness and the performance of the multi-antenna receiver in general, measurement campaigns in the GATE environment have been performed. The first field measurement campaign in the Galileo test range (GATE) in Berchtesgaden, Germany, was done in summer 2010; two follow up campaign are planned for May 2011. As a special feature of these campaigns different types of disturbing signals were actively emitted to jam the receiver and to study the impact on receiver performance and behaviour under harsh conditions. The measurements allow very interesting insights into the performance of the first multi-antenna combined GPS and Galileo multi frequency receiver in a real and especially interfered environment.
The paper will, as introduction, briefly describe the multi antenna receiver architecture and, as main content, discuss the measurements that were taken in the GATE test environment. The performance of the GNSS receiver will be studied in detail. Especially the impact of interference and multipath will be assessed for different receiver configurations. The work tends to provide valuable insights in the development of a safety of life receiver with adaptive antennas and will present the performance gains that are obtained. These insights allow to assess the usability of the proposed safety of life receiver technologies for future applications, e. g. CAT I-III precision approaches in aviation.
[Return to Program]
Session B1, Paper #3
Antenna Array Based GNSS Signal Acquisition: Real-time Implementation and Results
J. Arribas, C. Fernandez-Prades, P. Closas, Centre Tecnologic de Telecomunicacions de Catalunya, Spain
The use of Global Navigation Satellite System (GNSS) technology in safety- and mission-critical services has raised the concern in recent times about possible GNSS Denial of Service (DoS) situations, as reported in [RoE11] among others reports. Examples could be the power distribution grid, synchronized using the Global Positioning System (GPS) signals [Lix11], or the integration of GNSS into civil aviation, which demands specific quality of service to be assured in a variety of conditions, including harsh environments. The GNSS unavailability could become a real threat to the entire service integrity.
Examining the threats against the GNSS service availability, it is important to take into account that all present and forthcoming GNSS make use of a Code Division Multiple Access technique and the ranging signals are received with very low Signal-to-Noise Ratio (SNR). The moderate and strong Radio Frequency Interferences (RFI) (either intentional or unintentional) remain as one of the most important causes of performance degradation. In that sense, an interference with a Jammer-to-Signal Ratio that exceeds the processing gain can easily degrade receivers´ performance or even deny completely the GNSS service. Receivers equipped with minimal or basic level of protection towards RFIs are especially affected.
Focusing our attention on the GNSS receiver, it is known that the signal acquisition has the worst sensitivity of the whole receiver operation, and consequently, it becomes the performance bottleneck in the presence of interfering signals [Wei11]. A single-antenna receiver can make use of time and frequency diversity techniques to mitigate interferences, even though their performance is compromised in low SNR situations or in the presence of wideband interferences.
On the other hand, antenna arrays can be used to exploit the spatial diversity and mitigate the effects of interfering signals. The interference capability of antenna arrays is usually applied to signal tracking, where beamforming algorithms may have access to an estimation of the satellite signal synchronization parameters, direction of arrivals, and array attitude. Tracking depends on signal acquisition, and there are a number of situations in which the acquisition process can fail as stated before. Surprisingly, to the best of our knowledge, the application of antenna arrays to GNSS signal acquisition has not received much attention.
In this work, the array-based acquisition process is addressed from a detection theory perspective. Using the Neyman-Pearson detector framework, we briefly review our previous work on the Generalized Likelihood Ratio Test detector for array-based acquisition as presented in [Arr11], focusing the analysis in a realistic implementation of the algorithm. In that sense, practical aspects such as the acquisition threshold setting and frequency domain grid search techniques are explored. The proposed acquisition method enjoys protection against uncorrelated directional interferences, even if the array is moderately uncalibrated.
The implementation effort started in [Arr09], with the design and the implementation of a FPGA-based real-time platform for digital beamforming. This paper extends the previous work pursuing a twofold objective: on one hand, we provide details about the real-time implementation of a state-of-the-art array-based acquisition algorithm in an FPGA platform using hardware and software co-design techniques, and on the other hand we test and validate the performance of the proposed algorithm in a variety of situations and environments. The antennas are arranged as an eight-element circular array for the GPS L1 / Galileo E1 band. The platform design includes a multichannel phase coherent RF front-end, which uses commercial off-the-shelf integrated circuits to amplify and downconvert the signal. The output is fed to an eight-channel, 12-bit ADC converter which is able to sample the array signal up to 70 Msps.
The FPGA processing section combines the use of an embedded microcontroller and custom peripherals to accelerate several time-critical parts such as the input covariance matrix and the cross-correlation vector estimations. The microcontroller implements high-level matrix operations and orchestrates the acquisition search grid.
Once the signal is acquired, the platform activates a real-time beamformer whose output is fed to an open-source GNSS software receiver running on a commodity PC [Fer10] using a gigabit Ethernet bus. The platform is comprehensively validated through several tests, including anechoic chamber measurements of the antenna elements. The digital section of the prototype is validated using the well-known test-driven development methodology.
The platform is also tested with real-life signals, including both unintentional and intentional interference environments. Unintentional interference scenarios include telecommunication towers and airport boundaries, where the spurious signals can interfere with GNSS service [Lan97]. Intentional interference scenarios take into account situations where an in-band jammer device is present, either with narrowband or uncorrelated wideband interference.
The measurement campaign results are analyzed in terms of acquisition probability of detection and false alarm, and compared when possible to their theoretical and simulated curves. Furthermore, the protection against interferences is compared to conventional single-antenna implementations. In that sense, a jammer protection metric is also defined and measured.
References:
[Lix11] M. Lixia, et al. "Synchrophasors measurement in a GPS-IEEE 1588 hybrid system", European Transactions on Electrical Power, January 2011, volume 21, pp 345-362.
[RoE11] The Royal Academy of Engineering, "Global Navigation Space Systems: reliance and vulnerabilities", Tech. Rep., March 2011.
[Wei11] L. R. Weill and M. Petovello, "Differences between Signal Acquisition and Tracking", Inside GNSS, January 2011, Volume 6.
[Arr11] J. Arribas, C. Fern ndez-Prades, and P. Closas, "Array-Based GNSS Acquisition In The Presence Of Colored Noise," in Proceedings of the 36th IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP´11, May 2011, Prague (Czech Republic).
[Arr09] J. Arribas, et al., "A Novel Real-time Platform for Digital Beamforming with GNSS Software Defined Receivers," in Proceedings of the ION GNSS 2009, September 2009, Savannah, Georgia (USA).
[Fer10] C. Fern ndez-Prades, et al., "Design patterns for GNSS software receivers," in Proceedings of the 5th ESA Workshop on Satellite Navigation Technologies, NAVITEC´10, December 2010, Noordwijk (The Netherlands).
[Lan97] R. J. Landry et al., "Analysis of potential interference sources and assessment of present solutions for GPS/GNSS receivers," in 4th International Conference on Integrated Navigation Systems, May 1997, Saint Petersburg, Russia.
[Return to Program]
Session B1, Paper #4
Detection of Spoofing Threats by Means of Signal Parameters Estimation
F. Dovis, X. Chen, A. Cavaleri, K. Ali, Politecnico di Torino, Italy; M. Pini, Istituto Superiore Mario Boella, Italy
The increasing use of satellite navigation systems in ordinary life application, is demanding more and more protection of the position information, in order to provide not only accurate solutions, but also reliable and "trustable" information. For this reason, new algorithms, strategies techniques are being investigated and designed, in order to provide added value features to satellite navigation receivers. In particular it is gaining relevance the possible spoofing that may threat the receivers; if in the past this has been a specific problem restricted to military or sensitive applications, with the wide use of GNSS in critical networked infrastructures and commercial services (e.g., road tolling, vehicle insurance schemes), the malicious interest in cheating the receiver or in disrupting the nominal operations is expected to increase. It is well known that spoofing is more sinister than intentional interference because the target receiver might not detect the attack and consequently generate erroneous data. Within the described scenario, the importance for the GNSS community of investigating spoofing and antispoofing techniques appears essential.
In this paper we investigate the possible use of multipath estimation techniques as spoofing detector, relying on the likelihood of the estimated parameters with respect to a multipath affected scenario.
In particular we focus on the Enhanced Coupled Amplitude Delay Locked Loops (ECADLL) structure that was proposed in [1] for multipath robust receivers. The ECADLL was originally designed as a pure multipath estimation and mitigation architechture. However its ability to accurately estimate the multipath rays features (and their evolution in time) allows to use it to detect spoofing signals coming into view even if they have stronger power than the authentic signal (i.e. the LOS). The basic principle of ECADLL is estimating and tracking the line-of-sight signal (LOS) and its replicas in order to cancel them from the received signal, thus reducing the multipath effects to minimum. CADLL embeds several Units and each Unit is made of a delay lock loop (DLL) and an amplitude lock loop (ALL). Each Unit is responsible for tracking a signal component. CADLL has shown very accurate estimation on parameters (delays, amplitudes and phases) and a good performance for mitigating the near multipath signals. The ECADLL embeds a monitor block that is in charge, for example, to check the tracking status and shut down redundant Units, so the number of Units is always matching the number of rays of the incoming signal. In presence of an intentional spoofing signal, the monitor block is able to provide warnings observing the behavior of the parameters in time. As a simple example, in a dynamic scenario, the relative delay between LOS and reflected ray may change in time, but such variation is correlated to a change in the amplitude of the multipath depending on the distance between the user and the obstacle generating the reflection. This is not the case in case the "second ray" is a spoofing signal and not the reflection.
In order to verify the effectiveness of the proposed architecture a spoofing lab prototype have been implemented as described in [2]. In this prototypes, the signal at the antenna is processed by a realtime software receiver, that generates false signals synchronized to the constellation in view. The false signals are then converted to RF and summed to the real ones. In the paper we present the results for the spoofing detection in a number of significant cases, showing the effectiveness of the ECADLL in spoofed scenario, and discussing the proper cross-checks that may be implemented to distinguish the spoofing signal from a pure multipath reflection.
[1] X. Chen, F. Dovis "Enhanced CADLL Structure for Multipath Mitigation in Urban Scenarios" International Technical Meeting 2011, January 24-26, 2011 - San Diego, California [2] M. Nicola, L. Musumeci, M. Pini, M. Fantino, and P. Mulassano, "Design of a GNSS Spoofing Device Based on a GPS/Galileo Software Receiver for the Development of Robust Countermeasures", in Proc. of European Navigation Conference ENC 2010, 19-21 October 2010, Braunschweig, Germany.
[Return to Program]
Session B1, Paper #5
Your GNSS Receiver is Really a GNSS Receiver: Isn´t It?
I. Khazanov, D. Kozlov, A. Osipov, G. Zyryanov, Ashtech, Russia
Today we have quite a number of receivers on the market, which are claimed to be GNSS receivers. Some manufacturers prove this by demonstrating how they track/use other than GPS signals. Others additionally demonstrate what user benefit (usually position accuracy/availability/reliability) extra GNSS brings.
And everyone concludes that GLONASS, Galileo, Compass etc is (or at least can be) a good mate for GPS.
The key word here is mate. But mate is not a master; mate is not an equal partner. Mate is someone who helps. Mate brings no value by itself. Have we asked ourselves if our GNSS receiver could survive without GPS? Or in other words, is out GNSS receiver GPS-centered or not?
Let us take a receiver, look at it and its datasheets and try to answer the following questions:
1. Can this receiver track GLONASS with GPS not being available? How can we prove that? 2. Can this receiver deliver GLONASS-only standalone position of admissible quality? 3. Can this receiver deliver GLONASS-only differential (including RTK fixed) position of admissible quality, including operation against 3rd party reference GLONASS receiver? 4. Can this receiver start up when only few GPS and few GLONASS Sats (e.g. 3+3) can be potentially acquired in given conditions? 5. Can this receiver continue kinematics positioning when only few GPS and few GLONASS Sats (e.g. 2+2) can be tracked in given conditions? 6. Can this receiver be equally configured to output its data tagged to GPS time (GPS week and seconds within GPS week) or GLONASS time (GLONASS day and seconds within GLONASS day)? 7. Can this receiver be equally configured to output computed position in the datum specific for GPS (WGS-84) or GLONASS (PZ-90.02)? 8. Can this receiver be equally configured to output receiver clock offset against GPS or GLONASS system time?
Only having answered YES to all these question one may be sure, that the given receiver is actually a GNSS receiver. Otherwise, your receiver is GPS-centered receiver, where GLONASS is only a crutch for GPS and not an independent player.
More and more new GNSS are deployed. More and more new signals become available for the end-user. Will these GNSS become another helper for GPS? Or should they become an equal partner? If your receiver is a true GNSS receiver, then you may expect that adding yet another GNSS to processing should clause no problems.
Given paper show what is the difference between GPS centered and non-GPS centered GNSS solutions. The focus is made on working in harsh conditions when the power of any single GNSS is not sufficient to provide reliable and accurate enough solution. Symbols ´2+2´ and/or ´3+3´ are used through the paper to point out conditionally such a GNSS environment.
The paper addresses both standalone and differential (including RTK) types of positioning. The quantitative results we report here are derived with Ashtech GNSS receivers.
[Return to Program]
Session B1, Paper #6
Survey of In-Car Jammers - Analysis and Modeling of the RF Signals and IF Samples (Suitable for Active Signal Cancelation)
T. Kraus, R. Bauernfeind, B. Eissfeller, University FAF Munich, Germany
Distance based charging (DBC) systems like road tolling or pay-as-you-drive insurances charge their users on the mileage recorded. The primary sensor therefore is GNSS. GNSS allows the charging system a high degree of flexibility but is also very vulnerable due to its low signal power. It is the weakest point of the charging system which can be targeted at for possible fraud attempts, which brings so called In-Car jammers in place. In-Car jammers are small devices, powered from the cigarette lighter of a car, transmitting a high power signal within the GNSS band. Thereby they are blocking the signal reception not only in the targeted GNSS receiver, but also in its vicinity and degrading the position determination, proportional to the distance, over a wide area. In-Car Jammers are illegal in most of the countries, but can be easily ordered from abroad at a very low price and hardly to detect with common used tracking systems.
Current In-Car jammers are transmitting in the L1/E1 band where the open GPS C/A service is provided and the future Galileo OS will be broadcasted. With the introduction of an additional open service in the L5/E5 band it can be assumed that future In-Car jammers will also transmit in the according band. At that point In-Car jammers not only interfere with GNSS but also with aeronautical radio navigation services within that band. In order to protect these navigation services it is necessary to detect and locate interference sources fast and reliable. If possible also interference mitigation algorithms within the receiver could be envisaged. To enable the development of such systems a comprehensive know-how on the interference signal of such In-Car jammers is necessary. In order to provide this information various In-Car jammer have been purchased, analyzed and will be presented in this paper.
The analysis of the In-Car jammers has been done in the laboratory as well as with open field tests at the Galileo Testbed (GATE) in Berchtesgaden, which shows the influence not only on GPS C/A but also on Galileo OS signals. At the Galileo Testbed different scenarios have been simulated e.g. with a stationary jammer at the roadside and a jammer moving with a vehicle. IF-samples of the interference signal, directly after the front-end, have been recorded with the ipexSR Software Receiver, which allows comparisons of different receiver configurations under same signal conditions in the post-processing mode. The ipexSR Software Receiver is a real time capable multi frequency receiver, developed at our institute. The front-end provides IF samples with a maximum of 8 bit quantization at 20.48 MHz sampling rate. The paper gives a detailed characterization of the transmitted RF signal. First analyses have shown that most of the nowadays available In-Car jammers are chirp signals of the similar type. All of them have a unidirectional, linear and positive sweep function, but with different bandwidth, signal power, sweep time, temperature effects and oscillator stability, especially visible through the varying sweep function. Only a few In-Car jammers are transmitting continuous wave signals. All the jammers will be compared and listed with the previous mentioned characteristics in respect of the maximum range of the jammers. Second part of the jammer signal characterization is the mathematical model description. Two types of models will be given: a standard model, which is suitable enough for most of the detection and mitigation simulations and tests, and a high-precision model with time variable amplitude and phase over time. These high-precision models will be needed for applications like active In-Car jammer signal cancelation.
Furthermore, the IF samples recorded at GATE Berchtesgaden are analyzed in respect to the front-end effects with focus on front-end bandwidth and quantization level. Simulations with various front-end parameters will be presented and limitations on the interference signal reconstruction referred. In terms of possible detection and mitigation methods, appropriate time-frequency representations like short time fourier transformation and wavelet transformation will be reviewed. Optimal parameters and implementation will be given. The accuracy of received signal strength measurements as needed for localization algorithms is analyzed.
The paper will provide a comprehensive basis for further research in the field of In-Car jammer interference detection, characterization, localization and mitigation. A short overview and first results of active signal cancelation techniques will be presented to give an example why high precision models of In-Car jammers are needed. These techniques are using real-time signal analysis and modeling of the In-Car jammer to cancel or reduce the undesired signal by a 180ø degree phase-turned signal before the front-end of the GNSS receiver. First hardware lab test compared with the simulation results will be provided in this paper to give an indication of planed further work in this field.
[Return to Program]
Session B1, Paper #7
Authentication of GNSS Position: An Assessment of Spoofing Detection Methods
Y. Bardout, Thales Alenia Space, France
As new applications of satellite based positioning are developed each day, it creates a new space for criminal activities as fraud or sabotage. Although the GNSS provides highly secured signal for military or regulated services (GPS P(Y) and Galileo PRS), such safety level is not available for mass market uses. Location based payment of services, geolocation of financial transactions, safety automation in transport (Automatic Driver Assistance System and aviation procedures based on GPS), and Electronic Monitoring by tether all depends on open signal which is a weak link in processing secured position data.
Motivation for corruption of position data is increasing with the economic impact of the position data and the risks of sabotage is increasing with the safety impact of the position data. The risks and protection against various attacks has been discussed in various papers (signal jamming, interruption or hijack using record/replay, spoofing by signal generation, meaconing by delaying the signal). Recent publications have demonstrated the feasibility of more sophisticated attacks at declining costs, e.g. the Coordinated Phase-Locked Portable Receiver-Spoofers.
As the Prime Contractor of the European augmentation system EGNOS, TAS has been for 15 years working on the integrity of satellite positioning, and is applying this expertise on the GALILEO Mission System, as well as for liability critical applications such as Road User Charging. This paper synthesizes results of a study contributed to the Gamma-A project, focused on advanced automotive positioning applications and funded by European Commission R&D Framework Program.
The paper first presents authentication requirements of the Safety of Life or Liability Critical services, the sensitivity of various applications, and possible mechanisms of spoofing, taking as examples trajectory alteration or substitution that defeat the application purpose. It describes the detection principles and the architecture of the proposed system, as well as the methodology for simulation of attack and detection. A test suite is built to demonstrate the following impacts on applications: Loss of position, Targeted position outage to prevent event triggering payment, Fake position, Frozen position, Trajectory alteration and Time alteration. Specific test cases are designed to defeat known criteria of detection, as a trajectory slow change that does not trigger an alert using gyration sensors.
A high level of confidence on required accuracy (expressed as Horizontal and Vertical Protection Level) for SOL applications is difficult but possible in aeronautical or maritime environment, but unlikely to achieve in terrestrial environment. Instead an authentication indicator representing the probability of true position (in the sense of best effort accuracy based on authentic signal) is provided to applications, which is a basis for decision to alert the service users. The standardization of such a measure is suggested at the OMA LOC group, as an additional field beside the confidence, in the Mobile Location Protocol.
The paper then reports on the performance of a selection of low cost counter-measures that are applicable with commercial receivers using any open service GNSS signal, excluding the encrypted signals, and changes to the receiver design. Specifically, the criteria based on signal strength, clock or using second position source from the mobile communication network, low-cost inertial mechanisms have been tested.
Results obtained by simulation show that methods simple to implement in a mobile device or a central server in the infrastructure are efficient to counter elaborated frauds. E.g. a Cell-id based check allows to raise suspicion from repeated errors, and maybe used as a minimal statistical measure of possible fraud, although not usable as evidence in court. The verified qualities for criteria of consistency of GPS and gyration sensor are: robustness, low cost OBU, low complexity for embedded algorithm. This is quite a good fraud indicator and is a candidate for an operational detection in most cases, although it may be challenged as a legal base. Such consistency criteria may not be able to guarantee the integrity of each position, required for safety critical applications as automated or assisted driving, but many other services based on position may still be covered with a reliable statistical indication of truth on a set of position data, that may be usable as proof in court of law.
Although the countermeasures analysed in this paper will not stop spoofing attacks, they will detect these in most cases, alerting the application supervision system, and allowing to point out the likely non-cooperative users for a police control and support for legal suit. In the case of malicious 3rd party, it allows to alert both the user of the GNSS receiver to suspicious activity, and a supervision authority to track their activity and localise them for arraignment.
Finally, the paper also covers the cryptographic authentication of signal based on signal watermark, for new GNSS satellites, that requires a change to the equipment on board and the GNSS receiver chips, compatible with the signal ICD, and null impact on legacy receivers. A simulation of the impact of this method is included.
The limitations of these simple methods are drawn, clarifying their applicability and cost/benefits. Considering the stringent needs of safety critical services, the tracks for further development are given.
[Return to Program]
Session B1, Paper #8
Positioning with Mixed Signals of Opportunity
C. Yang, D. Qiu, Sigtem Technology, Inc.; T. Ngyuen, AFRL/RYMN; J. Casper, M. Quigly, Casper Quigley Research, LLC
In GPS-challenged environments, signals of opportunity (SOOP) can be exploited to ensure a graceful degradation of navigation solution with smoothing transition and continuity. By signals of opportunity, we mean those radio signals that are not originally designed for navigation purposes but possess such characteristics that can be used for positioning. Broadcast and wireless communication signals fall into this category. Indeed, digital television and cellular phone signals and their infrastructure are built for urban and indoor applications where GPS is likely to fail.
However, there are a number of technical difficulties in using SOOP for positioning. One is the initially unknown clock bias and drift of SOOP transmitters, which are not synchronized. There may be no explicit timing information embedded in SOOP. More importantly, the number of independent SOOP sources in a region may not be enough for robust and precise position location. In an in-door environment, multipath may pose a serious problem for accuracy. The use of mixed signals of opportunity has the potential to alleviate the problems. In this paper, we present the initial results of our effort in developing a testbed for positioning with mixed signals of opportunity. The testbed consists of a multi-channel software-defined radio and associated software receivers. Driven by an oven controlled crystal oscillator (OCXO), the software-defined radio can be tuned independently to seven different frequency bands and down-convert the RF signals to the baseband coherently for analog to digital conversion. The sampling of seven channels is synchronized.
The testbed has been used to acquire and track GPS, DTV, GSM, and CDMA (EVDO and 1X RTT) signals successfully. The paper will describe the hardware and software design features and present the initial processing results in terms of code and carrier phase and frequency accuracy and equivalent ranging accuracy. The testbed can be easily configured to receive other broadcast and wireless communication signals such as digital audio signals, Wi-Fi, and WiMAX, which will also be discussed in the paper.
[Return to Program]