Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals
Mark L. Psiaki
Sibley School of Mechanical & Aerospace Engr., Cornell University
WNCG, UT Austin, 1 April 2011

Collaborator Acknowledgements
Steve Powell, Cornell ECE staff
Brady O’Hanlon, Cornell ECE Ph.D. student
Jahshan Bhatti, UT Austin Aero. Engr. & Engr. Mechanics Ph.D. student
Todd Humphreys, UT Austin Aero. Engr. & Engr. Mechanics faculty

Motivation: Defend civilian GPS receivers from Humphreys-et-al.-type spoofing attack
RAIM methods not useful
Strategy: Exploit encrypted P(Y) code
Cross-correlate P(Y) code in defended receiver with P(Y) code on secure receiver
P(Y) found in quadrature with tracked C/A
Codeless technique is simple
Semi-codeless yields increased processing gain
Narrow-band P(Y) experiences ~75% power loss & distortion
Initially use MATLAB in an offline mode for analysis & testing

Outline
I. Related research
II. Spoofing detection concept
III. Signal model
IV. Using narrow-band receivers
  Narrow-band-filtered P(Y) code characteristics
  System ID of envelope filter impulse response to enable spoofing detection in a narrow-band receiver
V. Codeless spoofing detection
VI. Semi-codeless spoofing detection
VII. Summary & conclusions
VIII. Future plans

Related Research
Substantial literature on RAIM detection of navigationally inconsistent spoofing
Warner & Johnston (2003): Hardware-simulator-based spoofer detectable via RAIM only at start-up
Humphreys et al. (2008, 2009): Receiver/spoofer not detectable via RAIM
Lo et al. (2009): Codeless military P(Y) code dual-receiver cross-correlation spoofing detection proposed & tested under non-spoofing conditions
O’Hanlon et al. (2010): Attempted real-time implementation of Lo et al. spoofing detector & test under Humphreys et al. spoofing attack

A Spoofing Attack not Detectable by RAIM

Anti-Spoofing via P(Y) Correlation
Diagram labels:
UE with
  -receiver for delayed, digitally-signed P(Y) features
  -delayed processing to detect spoofing via P(Y) feature correlation
Secure antenna/receiver w/processing to estimate P(Y) features
GPS Satellite
Transmitter of delayed, digitally-signed P(Y) features
GEO “bent-pipe” transceiver
Broadcast segments of delayed, digitally-signed P(Y) features
Secure uplink of delayed, digitally-signed P(Y) features

Block Diagram of Generalized P(Y) Correlation Spoofing Detector
Diagram labels:
GPS transmitter
UE receiver with P(Y) fea extraction processing
Secure ground-based antenna/receiver
Digital signer
Secure link to broadcaster
Wireless (or internet) broadcaster
UE receiver (or internet link) for P(Y) fea
Correlation registers
Digital signature verifier
Spoofing Detector
Signal paths: L1 C/A & P(Y); P(Y) fea; P(Y) fea/est
Groupings: User Equipment; New Infrastructure

Signal Model at RF Front-End Output
Signal with C/A & P(Y) code at RF front-end output
Sample interval t
C/A code C(t) & P code P(t) known (+1/-1 values)
P(Y) +1/-1 encryption chips w(t) not known
w(t) average chipping at 480 KHz w/known timing relative to C/A & P codes
Wide-band carrier-to-noise ratios:

Carrier Phase & Timing Relationships of C/A & P(Y) Codes

Original & Filtered P(Y) Spectra

Original & Filtered P(Y) Time Histories

Complex Envelope Filter Impulse Response & Filtered PRN Code Correlation
Envelope (finite) impulse response of Z code:
Correlation between filtered code & unfiltered replica:
Derived cross-correlation relationship for system ID:

Filter Impulse System ID Calculations
Track C/A code using DLL & PLL
Compute prompt, early, late, double early, double late, etc. C/A accumulations, c_CFC(i), for many i cross-correlation delay values
Guess reasonable, conservative t_max & D values
Parameterize h(t; p) as the 1st derivative of a quintic spline envelope step response function with spline node parameters p
Use known c_CC( ) C/A autocorrelation, measured c_CFC(i) cross correlations, & analytic spline integrals to formulate over-determined system of linear equations in p & (1/A) based on final equation of previous chart
Solve least-squares estimation problem subject to the constraint & penalizing
Or set up & solve simultaneously for multiple C/A PRN codes in same receiver, solving for differential D values between PRN codes in outer nonlinear optimization

Theoretical & Measured C/A Correlations, PRN 08

Estimation Fit for PRN 08

Estimated Impulse & Frequency Responses for 2 Narrow-Band RF Filters

Codeless Spoofing Detection Calculations (1 of 2)
1. Track C/A code, compute & record base-band-mixed quadrature samples y_rawAi & y_rawBi, & do noise & C/A & P(Y) power calculations on both receivers
2. Compute normalized cross-correlation spoofing detection statistic

Codeless Spoofing Detection Calculations (2 of 2)
3. Compute conditional means & variances of detection statistic under non-spoofed null hypothesis, H0, & under spoofed hypothesis, H1
4. Develop spoofing detection threshold th based on conditional probability density functions & desired false alarm probability
5. Compare computed statistic to threshold

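Added example, not part of the original slides: a simplified Python model of codeless steps 1-5, showing how the threshold follows from the H0 moments and the desired false-alarm probability, and how the H1 moments give the detection probability. Assumptions: one quadrature sample per w chip, white Gaussian noise, known and equal P(Y) amplitudes, a statistic normalized only by the sample count, and a spoofed receiver A modeled as carrying no authentic P(Y); all function names and parameter values are hypothetical.

```python
import math
import random
from statistics import NormalDist

def quadrature_samples(chips, amp, sigma, rng):
    """One base-band quadrature sample per chip: amp*w_j + Gaussian noise."""
    return [amp * w + rng.gauss(0.0, sigma) for w in chips]

def detection_statistic(y_a, y_b):
    """Cross-correlation of the two receivers' quadrature samples."""
    return sum(a * b for a, b in zip(y_a, y_b)) / len(y_a)

def h0_moments(amp_a, amp_b, sig_a, sig_b, n):
    """Mean, variance of the statistic when both receivers see the same w chips."""
    var = (amp_a**2 * sig_b**2 + amp_b**2 * sig_a**2 + sig_a**2 * sig_b**2) / n
    return amp_a * amp_b, var

def h1_moments(amp_b, sig_a, sig_b, n):
    """Mean, variance when receiver A carries no authentic P(Y) (spoofed)."""
    return 0.0, (amp_b**2 * sig_a**2 + sig_a**2 * sig_b**2) / n

def threshold(mean_h0, var_h0, p_fa):
    """Spoofing is declared below this value; p_fa is the H0 false-alarm rate."""
    return mean_h0 + NormalDist().inv_cdf(p_fa) * math.sqrt(var_h0)

def run_demo(seed=1, n=100_000, amp=0.2, sigma=1.0, p_fa=1e-4):
    rng = random.Random(seed)                          # constructed sample data
    w = [rng.choice((-1.0, 1.0)) for _ in range(n)]    # unknown encryption chips
    y_b = quadrature_samples(w, amp, sigma, rng)       # secure reference receiver B
    y_a_clean = quadrature_samples(w, amp, sigma, rng)          # A, not spoofed
    y_a_spoof = quadrature_samples([0.0] * n, amp, sigma, rng)  # A, no true P(Y)
    mean0, var0 = h0_moments(amp, amp, sigma, sigma, n)
    mean1, var1 = h1_moments(amp, sigma, sigma, n)
    th = threshold(mean0, var0, p_fa)
    p_detect = NormalDist(mean1, math.sqrt(var1)).cdf(th)  # P(stat < th | H1)
    return {"th": th, "p_detect": p_detect,
            "gamma_clean": detection_statistic(y_a_clean, y_b),
            "gamma_spoof": detection_statistic(y_a_spoof, y_b)}

if __name__ == "__main__":
    r = run_demo()
    for name, gamma in (("clean", r["gamma_clean"]), ("spoofed", r["gamma_spoof"])):
        print(name, round(gamma, 4), "SPOOFED" if gamma < r["th"] else "ok")
```

Shortening n or lowering amp in run_demo shrinks the gap between the H0 and H1 distributions, which lowers p_detect at a fixed false-alarm probability.
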
Verification of No-Spoofing Case
Figure 3. Codeless verification of no spoofing.

First Successful Spoofing Attack Detection

Base-Band Quadrature Semi-Codeless Signal Model

Semi-Codeless Spoofing Detection Calcs. (1 of 3)
1. Track C/A code, compute & record base-band-mixed quadrature samples y_rawAi & y_rawBi, do noise & C/A & P(Y) power calculations on both receivers (as in codeless tracking), & estimate P(Y) amplitude A_py
2. Form hard +1/-1 estimates of w_j encryption chips by approximately optimizing the following cost function using integer techniques
3. Compute probability that w_j = +1 & compute soft w_j-chip estimates for j = 1, …, N

Semi-Codeless Spoofing Detection Calcs. (2 of 3)
4. Compute spoofing detection statistic equal to cross-correlation of soft w-chip estimates between receivers A & B
5. Compute conditional means & variances of detection statistic under non-spoofed null hypothesis, H0, & under spoofed hypothesis, H1

Semi-Codeless Spoofing Detection Calcs. (3 of 3)
6. Develop spoofing detection threshold th based on conditional probability density functions & desired false alarm probability
7. Compare computed statistic to threshold

A Priori Semi-Codeless Spoofing Detection Analysis
1. Compute conditional means & variances of detection statistic under non-spoofed hypothesis & spoofed hypothesis without receiver A data
2. Develop spoofing detection threshold th based on conditional probability density functions & desired false alarm probability

Semi-Codeless Verification of No Spoofing

First Semi-Codeless Spoofing Attack Detection

Codeless & Semi-Codeless Detection Power
FA = 0.01 %
(C/N0)_pyA = 35 dB-Hz
(C/N0)_pyB = 35 dB-Hz

Test of C/A Timing as a Proxy for P(Y) Timing, Codeless Correlation

Summary & Conclusions
Developed dual-receiver spoofing detection methods
Codeless & semi-codeless cross-correlation of quadrature P(Y) code
Thresholds designed based on full statistical analyses
Implemented in narrow-band C/A receiver
Did system ID of narrow-band RF filters
Employed resulting models of P(Y) power loss & of time-domain distortion
Demonstrated first successful detection of RAIM-proof spoofing attack
Detection achieved after-the-fact in MATLAB
Works well with semi-codeless detection interval of 0.2 sec for reasonable C/N0 levels & can work well with shorter intervals

Future Plans/Hopes
Evaluate narrow-band filter effects of w-chip timing relative to C/A DLL prompt code & modify w-chips timing if indicated
Evaluate potential improvements from
  Higher-gain reference station antenna
  Higher-bandwidth reference station receiver
Tailor calculations for efficient real-time calculation
Implement in CASES real-time software radio
Also implement for L2C spoofing detection
Try narrow-band processing for L2 tracking based on traditional L1 P(Y) semi-codeless correlation