Characterization of Receiver Response to a Spoofing Attack Daniel Shepard DHS visit to UT Radionavigation Lab 3/10/2011.


Spoofing Defense: The Big Picture
- How aggressively can receiver dynamics be manipulated by a spoofing attack?
- Would a J/N-type jamming detector trigger on a spoofing attack?

Would a J/N-type jamming detector trigger on a spoofing attack?
- Power ratio (η): ratio of spoofing signal power to authentic signal power, $\eta = P_{\mathrm{spoof}} / P_{\mathrm{auth}}$
- A power ratio above 3 would cause input power to exceed 95% of natural variation
  - J/N-type jamming detector would trigger
- What power ratio is required for reliable spoofing?

How Aggressively can Receivers be Manipulated?
- We would like to know:
  - How quickly could a timing or position bias be introduced?
    - Critical infrastructure reliant on GPS often requires certain accuracy in position/time
  - What kinds of oscillations could a spoofer cause in a receiver's position and timing?
    - Spurious synchrophasor oscillations as low as 0.1 Hz could damage power grid
  - How different are receiver responses to spoofing?
    - One defense strategy: choose receivers that are difficult to manipulate
- Approach: Determine velocity at which a receiver can be spoofed over a range of accelerations
[Figure: plot with labels v, t, a]

How Aggressively can Receivers be Manipulated? (cont.)
- These are some potential shapes for the acceleration-velocity curves
  - Green: represents the region where a spoofer can operate without being detected
  - Red: represents the region where a spoofer might be unsuccessful

Tested Receivers
1. Science receiver: CASES receiver developed by UT Radionavigation Lab in collaboration with Cornell University and ASTRA.
2. High-quality time reference receiver: HP 58503B, commonly used in cell phone base stations. Has a high-quality Ovenized Crystal Oscillator (OCXO) steered by the GPS time solution.

Tested Receivers (cont.)
3. Low-quality time reference receiver: SEL-2401, provides time signal for power grid Synchrophasor Measurement Units (SMUs). Has a low-quality Temperature Controlled Oscillator (TCXO) slaved to the GPS time solution.
4. Name-brand receiver: Trimble Juno SB.

Test Setup
- A National Instruments Radio Frequency Signal Generator (RFSG) was used to produce 6 GPS signals at a constant power level
- The spoofed signals were summed with the RFSG signals
- This combination of RFSG signals and spoofed signals was fed to the target receiver and to a National Instruments Radio Frequency Signal Analyzer (RFSA), which was used for visualization
[Block diagram: RFSG, RFSA, Spoofer, Target Receiver, splitters, Control / Feedback Computer]

Procedure
- Power Ratio
  1. Power Adv. = x dB
  2. Attempt carry-off
  3. Check for success (remove authentic signal)
  4. Measure the power
- Spoofed Velocity and Acceleration
  1. Acceleration = a m/s²
  2. Velocity = v m/s
  3. Check for success (watch for alarms)
  4. Iterate until a maximum velocity is found
[Figure: flowchart with decision "v max found?" (no / yes); plot labels: 1 m/s, SV1512, C/N, v, t, a]

Anatomy of a Spoofing Attack
- Now for a short video of a spoofing attack using a plot similar to the one to the right for visualization
[Figure legend]
- White: In-Phase Component (Real)
- Red: Quadrature Component (Imaginary)
- Blue: Authentic Signal Phasor
- Green: Spoofed Signal Phasor
- Yellow: Composite Phasor

Results: Power Ratio
- These tests showed that a power ratio of about 1.1 is all that is needed to capture a target receiver with at least 95% confidence
- This increase in absolute power received by the target receiver's front-end is well below the natural variations due to solar activity

Implications:
1. A spoofing attack would easily evade detection by a J/N sensor at the RF signal conditioning stage: J/N sensors are necessary, but not sufficient
2. Downstream signal processing is crucial for reliable spoofing detection

Results: Spoofed Velocity and Acceleration
- The data points collected for each receiver were fit to an exponential curve of the form:
- This curve fit defines the upper bound of a region of the acceleration-velocity plane where a sophisticated spoofer can successfully spoof that particular receiver
- These curves can be used to assess the security implications of a spoofing attack

Results: Spoofed Velocity and Acceleration of Science Receiver
- Notice the asymptote at 5 m/s² acceleration
- The maximum speed is only limited by the Doppler range of the correlators to around 1000 m/s (3.3 μs/s)

Implications:
1. Acceleration limited to 2 m/s² due to phase trauma
2. No limitation on velocity up until the receiver is unable to track the signal

Results: Spoofed Velocity and Acceleration for High-Quality Time Reference Receiver
- Due to this receiver placing trust in the frequency stability of its oscillator, it cannot be moved very quickly
- Maximum achievable speed in time is 2 m/s

Implications:
1. Can still be carried 10 μs off in time in around 35 min, which would cause cell network throughput to degrade

Results: Spoofed Velocity and Acceleration for Low-Quality Time Reference Receiver
- Can be easily manipulated by the spoofer
- Corresponding induced phase angle rate is shown for a 60 Hz phasor

Implications:
1. Can reach a maximum speed of 400 m/s resulting in a phase angle rate of 1.73°/min
2. Oscillations of even 0.1 Hz are not possible due to the low accelerations
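
The acceleration and velocity limits reported for each receiver determine how long an application's timing tolerance would hold, which is what a defender needs when choosing a receiver or setting a holdover alarm. The Python below is an added example, not code from the presentation; it assumes the induced drift ramps at constant acceleration up to the velocity cap, and the function names and the sample acceleration value are hypothetical.

```python
import math

C = 299_792_458.0  # speed of light, m/s (range <-> time conversion)


def time_rate_us_per_s(velocity_mps):
    """Clock drift in microseconds per second for a range rate in m/s."""
    return velocity_mps / C * 1e6


def phase_rate_deg_per_min(velocity_mps, grid_hz=60.0):
    """Phase-angle drift of a grid_hz phasor stamped by the drifting clock."""
    return 360.0 * grid_hz * (velocity_mps / C) * 60.0


def seconds_to_bias(bias_us, accel_mps2, v_max_mps):
    """Seconds until the induced clock bias reaches bias_us.

    Assumed model: drift starts at rest, ramps at accel_mps2, holds v_max_mps.
    """
    if accel_mps2 <= 0 or v_max_mps <= 0:
        raise ValueError("acceleration and velocity limits must be positive")
    distance = bias_us * 1e-6 * C              # bias as equivalent range, m
    ramp_time = v_max_mps / accel_mps2
    ramp_distance = 0.5 * accel_mps2 * ramp_time ** 2
    if distance <= ramp_distance:              # reached while still ramping
        return math.sqrt(2.0 * distance / accel_mps2)
    return ramp_time + (distance - ramp_distance) / v_max_mps


def exposure_report(name, tolerance_us, accel_mps2, v_max_mps):
    """Summarise how long a timing tolerance holds for one receiver."""
    t = seconds_to_bias(tolerance_us, accel_mps2, v_max_mps)
    return {
        "receiver": name,
        "minutes_to_tolerance": round(t / 60.0, 1),
        "max_drift_us_per_s": round(time_rate_us_per_s(v_max_mps), 3),
        "max_phase_deg_per_min": round(phase_rate_deg_per_min(v_max_mps), 2),
    }


if __name__ == "__main__":
    # Velocity caps (2 and 400 m/s) and the 10 us tolerance come from the
    # slides; the 0.01 m/s^2 acceleration is a constructed placeholder, so
    # the minutes printed are illustrative, not the measured figures.
    for name, v_max in [("high-quality time ref", 2.0),
                        ("low-quality time ref", 400.0)]:
        print(exposure_report(name, 10.0, 0.01, v_max))
```

The two conversion functions reproduce the slide figures (1000 m/s is about 3.3 μs/s; 400 m/s gives about 1.73°/min on a 60 Hz phasor), while the time-to-tolerance output depends on the acceleration supplied.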

Summary of Findings to Date
- We've never met a civil receiver we couldn't spoof
- J/N-type jamming detector won't catch a spoofer
- Large, quick changes in position and timing seem to be impossible, but smooth, slow changes can be quite effective and slowly accelerate to a large velocity in some receivers
- It is difficult to cause oscillations in position and timing due to low acceleration capability of the spoofer

Follow-on Work We Hope to Pursue
- Power Grid
  - How could a spoofer alter the power flow estimates?
  - Would altering the power flow estimate require a network of spoofers? How many?
- Communications Networks
  - How much could a spoofer degrade network throughput by spoofing a single node (e.g. cell phone tower)?
  - Could a network of spoofers cause nodes to interfere with one another?
  - How would this interference affect the network?
- Financial Sector
  - Could a malefactor spoof a receiver in charge of time stamping online stock exchanges?
  - Could a stock trading computer program be created to take advantage of this?
- Vestigial Signal Defense
  - Could the hallmarks left by a spoofing attack due to the vestige of the authentic signal be used to reliably detect spoofing?
  - Can these hallmarks be distinguished from those of multipath?