Demonstration of a Multi-Layer Spoofing Detection Implemented in a High Precision GNSS Receiver
Ali Broumandan, Sandy Kennedy, John Schleppe, NovAtel Inc., Canada
Date/Time: Friday, Sep. 25, 3:42 p.m.
Time and position services provided by GNSS affect many aspects of human life. Many civilian applications, such as vehicular navigation, electrical power grids, digital communication networks, aircraft navigation and landing systems, and police and rescue operations, rely on these services. As such, motivation has increased to disrupt these systems and endanger safety-of-life and critical applications. Because GNSS signals are weak near the Earth's surface, they are extremely vulnerable to interference, including jamming and spoofing. A spoofing attack is more hazardous than jamming because the target receiver is not aware of the threat and produces wrong information that may lead to disastrous consequences. Since the civilian GNSS signal structure is publicly known, implementing a spoofing attack is not complicated. Moreover, in recent years, software-receiver-based spoofers have become feasible and less costly (Psiaki & Humphreys 2016).
Different types of spoofing attacks have been described in the literature (Wesson et al 2018, Jafarnia-Jahromi et al 2012). Among them, GNSS signal generator based and receiver-based spoofing attacks are the most feasible. In the signal simulator case, the simulated signals are coupled to an RF transmitter. The signals generated by this kind of spoofer are not necessarily synchronized to the real GNSS signals. Receiver-based spoofers are a more complicated type, consisting of a GNSS receiver concatenated with a spoofing transmitter (Jafarnia-Jahromi et al 2012). Such a spoofer first synchronizes itself with the current GNSS signals and extracts the position, time and satellite ephemeris, and then generates the spoofing signal knowing the position of its target receiver’s antenna. This type of spoofer is relatively hard to detect since it is synchronized with the real GNSS satellites. The main challenge in realizing this kind of spoofer is projecting the spoofing signals to the intended victim receiver with the correct signal delay and strength (Gross & Humphreys 2017).
Several spoofing detection metrics have been proposed in the literature that use specific features of the counterfeit signals to distinguish them from authentic signals using a single-antenna receiver (Psiaki & Humphreys 2016, Pirsiavash et al 2017). Multi-antenna spoofing detection has also been extensively investigated (Borio & Gioia 2015). The single-antenna spoofing detection metrics are implemented in the pre-despreading or post-despreading layers of a GNSS receiver, and they are mostly effective when both spoofing and authentic signals are present. Pre-despreading and intermediate-frequency signal monitoring metrics have been used to detect the presence of an excessive amount of power in the GNSS bands (Jafarnia-Jahromi et al 2012). These metrics rely on the assumption that spoofing signals are more powerful than the authentic ones and that a successful spoofing attack transmits several GNSS-like signals. The power monitoring techniques are most effective when a spoofer first tries to jam a receiver and then tries to spoof it. Nevertheless, the power monitoring techniques require calibration in the absence of jamming and spoofing signals.
Post-despreading methods are used to detect abnormal behavior at the acquisition and tracking levels that is caused by the presence of both spoofing and authentic signals. For instance, in the case of a non-overlapped spoofing attack (the correlation peaks of the spoofing and authentic signals do not overlap), more than one correlation peak is observable in the cross-ambiguity function. Furthermore, in the overlapped spoofing case, the interaction between authentic and spoofing signals distorts the shape of the correlation function. It has been shown that the interaction between authentic and spoofing correlation peaks is very similar to the interaction between direct and multipath signal components (Gross & Humphreys 2017). Therefore, it is both critical and highly challenging for a receiver to discriminate between an overlapping spoofing correlation peak and a specular multipath scenario. Signal Quality Monitoring (SQM) metrics have been used to detect asymmetric and/or abnormally shaped correlation peaks due to the presence of undesired signals (Pirsiavash et al 2017). SQM metrics are designed to monitor correlation peak distortions due to multipath or an overlapped spoofing attack. As such, they may exhibit high false-alarm rates under multipath conditions. Moreover, in the case of covered or non-overlapped spoofing attacks, these metrics may not be effective.
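The two post-despreading cases above can be seen in a toy correlator model. This is an added illustration, not NovAtel's implementation: it assumes an ideal triangular correlation function and an in-phase replica, and every amplitude, delay and threshold is constructed.

```python
# Added illustration: toy correlator model; all numbers are constructed.

def tri(x):
    """Ideal PRN autocorrelation: unit triangle, one chip wide on each side."""
    return max(0.0, 1.0 - abs(x))

def composite(tau, amp, delay):
    """Authentic peak at 0 plus an in-phase replica (spoofer or multipath)."""
    return tri(tau) + amp * tri(tau - delay)

def dll_lock(amp, delay, spacing=0.5):
    """Bisect for the code delay where early == late (where the loop settles)."""
    def disc(t):
        return composite(t - spacing, amp, delay) - composite(t + spacing, amp, delay)
    lo, hi = -0.5, 0.5
    for _ in range(60):
        mid = (lo + hi) / 2
        if disc(mid) < 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def sqm_delta(amp, delay, narrow=0.1):
    """Delta metric (E - L) / P on narrow monitoring correlators at lock."""
    t0 = dll_lock(amp, delay)
    early = composite(t0 - narrow, amp, delay)
    late = composite(t0 + narrow, amp, delay)
    return (early - late) / composite(t0, amp, delay)

def count_peaks(amp, delay, floor=0.3):
    """Local maxima above a floor across a -2..6 chip code-delay search."""
    c = [composite(k / 20, amp, delay) for k in range(-40, 121)]
    return sum(1 for i in range(1, len(c) - 1)
               if c[i] > floor and c[i] > c[i - 1] and c[i] >= c[i + 1])

def classify(amp, delay, delta_threshold=0.01):
    """Return which of the two post-despreading checks fire."""
    flags = []
    if count_peaks(amp, delay) > 1:
        flags.append("multiple-peaks")
    if abs(sqm_delta(amp, delay)) > delta_threshold:
        flags.append("sqm-distortion")
    return flags

if __name__ == "__main__":
    cases = {"clean": (0.0, 0.0), "overlapped spoof": (0.8, 0.3),
             "specular multipath": (0.4, 0.3), "non-overlapped spoof": (1.2, 3.0)}
    for name, (amp, delay) in cases.items():
        print(f"{name:21s} delta={sqm_delta(amp, delay):+.4f} {classify(amp, delay)}")
```

The overlapped spoofer and the specular multipath case raise the same flag, while the non-overlapped attack leaves the SQM metric at zero and is visible only as a second peak.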
Effective C/N0 analysis is a common signal strength monitoring metric that has been widely used to monitor measurement quality. Effective C/N0 has also been used to monitor and detect abnormal activity in GNSS receivers (Nielsen et al 2012).
The main contributions of this paper are twofold. First, realistic spoofing scenarios and their features are characterized. This characterization is based on the spoofing/authentic relative signal power, the spoofer's ability to synchronize its signals to the authentic ones, the availability of both spoofing and authentic signals, and the relative motion between spoofing and authentic signals. Then, various detectors addressing different spoofing scenarios are defined using metrics at different layers of a GNSS receiver. The focus is on a single-antenna defense mechanism. These detectors are implemented in NovAtel’s OEM7 generation of GNSS receivers and provide their detection outputs in real time. The detection metric outputs are then fed to an onboard central spoofing detection unit (CSDU). This unit collects the different metrics and decides whether the receiver is under a spoofing attack or operating under normal conditions. The main feature of the CSDU is to reduce the false detection probability due to the presence of jamming and multipath signals while detecting a spoofing attack with high confidence. The detection threshold for each individual metric has been tuned based on an acceptable false alarm probability under various scenarios. The proposed method has been tested in different spoofing and non-spoofing scenarios to analyze the detection and false alarm probabilities. Hardware-simulated spoofing data, in addition to a software-based spoofing attack using HackRF, have been used to evaluate the detection performance. The spoofing scenarios considered consist of time-push and position spoofing attacks. Several actual tests in static and dynamic conditions in different environments, including rural, suburban and urban environments, have been used to evaluate the false alarm probability of the detector. The processing results show the effectiveness of the spoofing detection metrics in identifying spoofing signals for a wide range of attacks.
- M. L. Psiaki and T. E. Humphreys, “GNSS spoofing and detection,” Proceedings of the IEEE, vol. 104, no. 6, pp. 1258–1270, 2016.
- K. D. Wesson, J. N. Gross, T. E. Humphreys, and B. L. Evans, “GNSS signal authentication via power and distortion monitoring,” IEEE Transactions on Aerospace and Electronic Systems, 2018, to be published; preprint available at https://arxiv.org/abs/1702.06554.
- J. Gross and T. E. Humphreys, “GNSS spoofing, jamming, and multipath interference classification using a maximum-likelihood multi-tap multipath estimator,” Proceedings of the ION International Technical Meeting, Jan. 2017.
- A. Pirsiavash, A. Broumandan, G. Lachapelle, and K. O'Keefe (2017), “Detection and Classification of GNSS Structural Interference Based on Monitoring the Quality of Signals at the Tracking Level,” 6th ESA International colloquium of Scientific and Fundamental Aspects of Galileo, 25-27 Oct 2017, Valencia, Spain.
- J. Nielsen, V. Dehghanian and G. Lachapelle (2012), Effectiveness of GNSS Spoofing Countermeasure based on Receiver CNR Measurements, International Journal of Navigation and Observation, vol. 2012, Article ID 501679, 9 pages, 2012. doi:10.1155/2012/501679.
- D. Borio and C. Gioia (2015), A Dual-antenna Spoofing Detection System Using GNSS Commercial Receivers, ION GNSS+ 2015, Tampa, Florida.
- A. Jafarnia-Jahromi, A. Broumandan, J. Nielsen and G. Lachapelle (2012), GPS vulnerability to spoofing threats and a review of antispoofing techniques, International Journal of Navigation and Observation.