WNCG, UT Austin, 1 April 2011
Mark L. Psiaki, Sibley School of Mechanical & Aerospace Engr., Cornell University
Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals
UT Austin April ‘11 2 of 32
Collaborator Acknowledgements
  Steve Powell, Cornell ECE staff
  Brady O’Hanlon, Cornell ECE Ph.D. student
  Jahshan Bhatti, UT Austin Aero. Engr. & Engr. Mechanics Ph.D. student
  Todd Humphreys, UT Austin Aero. Engr. & Engr. Mechanics faculty

Motivation: Defend civilian GPS receivers from Humphreys-et-al.-type spoofing attack
  RAIM methods not useful
Strategy: Exploit encrypted P(Y) code
  Cross-correlate P(Y) code in defended receiver with P(Y) code on secure receiver
  P(Y) found in quadrature with tracked C/A
  Codeless technique is simple
  Semi-codeless yields increased processing gain
  Narrow-band P(Y) experiences ~75% power loss & distortion
Initially use MATLAB in an offline mode for analysis & testing

Outline
I. Related research
II. Spoofing detection concept
III. Signal model
IV. Using narrow-band receivers
  Narrow-band-filtered P(Y) code characteristics
  System ID of envelope filter impulse response to enable spoofing detection in a narrow-band receiver
V. Codeless spoofing detection
VI. Semi-codeless spoofing detection
VII. Summary & conclusions
VIII. Future plans

Related Research
  Substantial literature on RAIM detection of navigationally inconsistent spoofing
  Warner & Johnston (2003): Hardware-simulator-based spoofer detectable via RAIM only at start-up
  Humphreys et al. (2008, 2009): Receiver/spoofer not detectable via RAIM
  Lo et al. (2009): Codeless military P(Y) code dual-receiver cross-correlation spoofing detection proposed & tested under non-spoofing conditions
  O’Hanlon et al. (2010): Attempted real-time implementation of Lo et al. spoofing detector & test under Humphreys et al. spoofing attack

A Spoofing Attack not Detectable by RAIM

Anti-Spoofing via P(Y) Correlation
Figure: system diagram with the following labels.
  GPS Satellite
  Secure antenna/receiver w/processing to estimate P(Y) features
  Secure uplink of delayed, digitally-signed P(Y) features
  GEO “bent-pipe” transceiver
  Transmitter of delayed, digitally-signed P(Y) features
  Broadcast segments of delayed, digitally-signed P(Y) features
  UE with
    - receiver for delayed, digitally-signed P(Y) features
    - delayed processing to detect spoofing via P(Y) feature correlation

Block Diagram of Generalized P(Y) Correlation Spoofing Detector
Figure: block diagram with two regions, "User Equipment" and "New Infrastructure".
  Blocks:
    GPS transmitter
    UE receiver with P(Y)fea extraction processing
    Secure ground-based antenna/receiver
    Digital signer
    Secure link to broadcaster
    Wireless (or internet) broadcaster
    UE receiver (or internet link) for P(Y)fea
    Correlation registers
    Digital signature verifier
    Spoofing Detector
  Signal labels: L1 C/A & P(Y); P(Y)fea; P(Y)fea/est

Signal Model at RF Front-End Output
  Signal with C/A & P(Y) code at RF front-end output
  Sample interval Δt
  C/A code C(t) & P code P(t) known (+1/-1 values)
  P(Y) +1/-1 encryption chips w(t) not known
  w(t) average chipping at 480 KHz w/known timing relative to C/A & P codes
  Wide-band carrier-to-noise ratios:
)cos()()( iifiiaci ttDtCAy
iiifiiipy nttDtwtPA )sin()()()(
Δt
ANC
n
caac 2
2
0 4)/(
Δt
ANC
n
pypy 2
2
0 4)/(

Carrier Phase & Timing Relationships of C/A & P(Y) Codes
Figure: two panels, "Reference Signal" and "Defended Signal", each with axes Time (chips), C/A Signal and P(Y) Signal. Annotations:
  Known in-phase C/A code used for tracking in both receivers
  Unknown encrypted quadrature P(Y) code used for cross-correlation spoofing detection
  Correlated portions of P(Y) code based on C/A code to match timing between receivers

Original & Filtered P(Y) Spectra
Figure: normalized power vs. frequency offset from carrier (MHz), -10 to 10 MHz. Curves: full P(Y) code; P(Y) code as filtered in narrow-band C/A-code receiver (24.96% of original power).

Original & Filtered P(Y) Time Histories
Figure: P(Y) code vs. chip count. Curves: full P(Y) code; P(Y) code filtered in narrow-band C/A-code receiver (delay removed).

Complex Envelope Filter Impulse Response & Filtered PRN Code Correlation
  Envelope (finite) impulse response of Z code:
  Correlation between filtered code & unfiltered replica:
  Derived cross-correlation relationship for system ID:
dZthdZthtZ
t
ttF
max
)()()()()(
dttZtAZT
limc D
T
TF
TZFZ )()(
2
1)(
dchdttcthc
A ZZt
DDZZ
t
ZFZD
maxD
max)()()()()(
1
0

Filter Impulse System ID Calculations
  Track C/A code using DLL & PLL
  Compute prompt, early, late, double early, double late, etc. C/A accumulations, cCFC(i) for many i cross-correlation delay values
  Guess reasonable, conservative tmax & D values
  Parameterize h(t;p) as the 1st derivative of a quintic spline envelope step response function with spline node parameters p
  Use known cCC() C/A autocorrelation, measured cCFC(i) cross correlations, & analytic spline integrals to formulate over-determined system of linear equations in p & (1/A) based on final equation of previous chart
  Solve least-squares estimation problem subject to the constraint & penalizing
  Or set up & solve simultaneously for multiple C/A PRN codes in same receiver, solving for differential D values between PRN codes in outer nonlinear optimization
1);(0
maxt
dth p
splinetdt
hd
tdt
hd Njmidjmidj
1,...,for &
2
);(
2
);(4
4
3
3
pp

Theoretical & Measured C/A Correlations, PRN 08
Figure: correlation vs. chip offset, -5 to 5 chips (wide-band earlier to the left, wide-band later to the right). Curves: theoretical wide-band autocorrelation; measured narrow-band in-phase correlation; measured narrow-band quadrature correlation.

Estimation Fit for PRN 08
Figure: correlation vs. chip offset, -5 to 5 chips (wide-band earlier to the left, wide-band later to the right). Curves: measured in-phase correlation; measured quadrature correlation; estimated in-phase correlation; estimated quadrature correlation; estimation error absolute value.

Estimated Impulse & Frequency Responses for 2 Narrow-Band RF Filters
Figure: four panels.
  Filter A Impulse Response and Filter B Impulse Response: envelope impulse response (real and imaginary parts) vs. time (microsec)
  Filter A Frequency Response and Filter B Frequency Response: gain (dB) vs. frequency offset from carrier (MHz)

Codeless Spoofing Detection Calculations (1 of 2)
1. Track C/A code, compute & record base-band-mixed quadrature samples yrawAi & yrawBi, & do noise & C/A & P(Y) power calculations on both receivers
2. Compute normalized cross-correlation spoofing detection statistic
accumIQFca
IQca
TL
ANC
2
2
02
)/(
}{ 22caca
QIEzca 22222 }]{[ cazca zQIEcaca
222zcacaIQ zA )(5.0 222
zcacacaIQ zz 22 2IQ
accumRF T
Δt
Fpycapy LNCNC 3.000 10)/()/(
pyARFBRFA
M
irawBirawAi
NCΔtM
yy
)/(214 0
1

Codeless Spoofing Detection Calculations (2 of 2)
3. Compute conditional means & variances of detection statistic under non-spoofed null hypothesis, H0, & under spoofed hypothesis, H1
4. Develop spoofing detection threshold th based on conditional probability density functions & desired false alarm probability
5. Compare computed statistic to threshold
1}|{ 12 HE
0}|{ 1 HE
attack spoofingunder channel
detected spoofing no
th
th
pyA
pyBpyA
NCΔt
NCNCMΔtHE
)/(21
)/()/(2}|{
0
000
pyA
pyBpyA
NCΔt
NCNCΔtHE
)/(21
])/()/[(21)(}|{
0
0020
2
ththddHpFA
}
2
)(exp{
2
1)|(
2
2
0
detectmisdet PrddHpPrthth
1}5.0exp{2
1)|( 2
1
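
The five codeless steps above, reduced to a toy simulation as an added Python example (it is not code from the original slides, which used MATLAB). It assumes unit-variance noise, known relative P(Y) amplitudes, and a statistic normalized to zero mean and unit variance under the spoofed hypothesis; all function names and sample values are constructed for illustration.

```python
import math
import random
from statistics import NormalDist

def simulate(M, a_def, a_ref, spoofed, rng):
    """Constructed quadrature samples for the defended (A) and reference (B)
    receivers: amplitude * (+1/-1 chip) + unit-variance Gaussian noise."""
    y_a, y_b = [], []
    for _ in range(M):
        chip = rng.choice((-1.0, 1.0))   # unknown encrypted P(Y) chip value
        # Assumption: a spoofer cannot reproduce the encrypted chips, so under
        # attack receiver A's quadrature channel is independent of the truth.
        chip_a = rng.choice((-1.0, 1.0)) if spoofed else chip
        y_a.append(a_def * chip_a + rng.gauss(0.0, 1.0))
        y_b.append(a_ref * chip + rng.gauss(0.0, 1.0))
    return y_a, y_b

def detection_statistic(y_a, y_b):
    """Cross-correlation scaled to zero mean, unit variance when spoofed (H1)."""
    M = len(y_a)
    p_a = sum(v * v for v in y_a) / M    # measured signal-plus-noise power
    p_b = sum(v * v for v in y_b) / M
    return sum(a * b for a, b in zip(y_a, y_b)) / math.sqrt(M * p_a * p_b)

def threshold(M, a_def, a_ref, alpha_fa):
    """Threshold with false-alarm probability alpha_fa under H0 (no spoofing),
    plus the resulting detection probability under H1."""
    rho = a_def * a_ref / math.sqrt((a_def**2 + 1.0) * (a_ref**2 + 1.0))
    mean_h0 = math.sqrt(M) * rho         # predicted mean without spoofing
    sigma_h0 = math.sqrt(1.0 - rho * rho)
    gamma_th = mean_h0 + sigma_h0 * NormalDist().inv_cdf(alpha_fa)
    return gamma_th, NormalDist().cdf(gamma_th)

def is_spoofed(M, a_def, a_ref, spoofed, alpha_fa=1e-4, seed=1):
    """Run one accumulation interval and compare the statistic to the threshold."""
    rng = random.Random(seed)
    y_a, y_b = simulate(M, a_def, a_ref, spoofed, rng)
    gamma_th, _ = threshold(M, a_def, a_ref, alpha_fa)
    return detection_statistic(y_a, y_b) < gamma_th
```

The default alpha_fa of 1e-4 corresponds to the 0.01% false alarm setting quoted on the result slides; lengthening M raises the no-spoofing mean and with it the detection probability.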

Verification of No-Spoofing Case
Figure: gamma (normalized spoofing detection statistic) vs. time (sec), 0 to 180 sec. Annotations:
  Predicted mean value based on C/A code & 3.04 dB power decrement to yield transmitted P(Y) power (i.e., before filtering in RF front-end)
  Spoofing detection threshold, alpha_FA = 0.01%, Pr_detect = 1 - 1.11e-16

First Successful Spoofing Attack Detection
Figure: gamma (normalized spoofing detection statistic) vs. time (sec), 0 to 180 sec. Curves and annotations:
  PRN 02 (unspoofed) detection statistic
  PRN 12 (spoofed) detection statistic
  PRN 12 predicted mean value based on C/A code & 3.04 dB decr
  PRN 02 predicted mean value based on C/A code & 3.47 dB decr
  PRN 02 spoofing detection threshold, alpha_FA = 0.01%, Pr_detect = 99.99999999774% before spoofing event, Pr_detect = 99.9857% after event
  PRN 12 spoofing detection threshold, alpha_FA = 0.01%, Pr_detect = 98.7274% before spoofing event, Pr_detect = 99.9999999999982% after event
  Onset of spoofing attack
  Successful spoofing detection for PRN 12
  Successful verification of lack of spoofing for PRN 02

Base-Band Quadrature Semi-Codeless Signal Model
$$y_{raw}(t_i) = A_{py} \sum_{j=1}^{N} w_j P_{Fj}(t_i) + n_i$$
with $w_j$ unknown ±1-valued encryption chips
Figure: two panels vs. t (P-code chips), 0 to 100: Pj(t) (curves P1 to P5) and PFj(t) (curves PF1 to PF5), with the spans of chips w1 to w5 each marked "P & PF time histories".

Semi-Codeless Spoofing Detection Calcs. (1 of 3)
1. Track C/A code, compute & record base-band-mixed quadrature samples yrawAi & yrawBi, do noise & C/A & P(Y) power calculations on both receivers (as in codeless tracking), & estimate P(Y) amplitude Apy
2. Form hard +1/-1 estimates of wj encryption chips by approximately optimizing the following cost function using integer techniques
3. Compute probability that wj = +1 & compute soft wj-chip estimates for j = 1, …, N
]}{[}1{21
21 joptjoptjj wPrwwPrPr
211 /)],...,,...,(),...,,...,([
1
1}{
nNoptjoptoptNoptjoptopt wwwJwwwJjopt
e
wPr
])()([),...,(1
2
121
1
M
i
N
jiFjjpyirawN tPwAtywwJ
MwwJ Noptoptn /),...,(2 1
12ˆ jj Prw

Semi-Codeless Spoofing Detection Calcs. (2 of 3)
4. Compute spoofing detection statistic equal to cross-correlation of soft w-chip estimates between receivers A & B
5. Compute conditional means & variances of detection statistic under non-spoofed null hypothesis, H0, & under spoofed hypothesis, H1
N
jBjAjrwHE
1
21
21 )(ˆ}|{ 0}|{ 11 HE
N
jBjAjww
1ˆˆ
N
jBjAjqwHE
1
200 )(ˆ}|{
N
jBjAjBjAj qwqwHE
1
2220
20 )](ˆ1)[(ˆ)(}|{
dr }5.0exp{)(tanh2
1)( 22
dq }5.0exp{)](tanh[2
1)( 2
)]([)(
)( 2
jmax
jmin
i
iiiFj
Bn
BpyBj tP
A

Semi-Codeless Spoofing Detection Calcs. (3 of 3)
6. Develop spoofing detection threshold th based on conditional probability density functions & desired false alarm probability
7. Compare computed statistic to threshold
attack spoofingunder channel
detected spoofing no
th
th
ththddHpFA
}
2
)(exp{
2
1)|(
20
20
00
detectmisdet PrddHpPrthth
1}2
exp{2
1)|(
21
2
1
1

A Priori Semi-Codeless Spoofing Detection Analysis
1. Compute conditional means & variances of detection statistic under non-spoofed hypothesis & spoofed hypothesis without receiver A data
2. Develop spoofing detection threshold th based on conditional probability density functions & desired false alarm probability
)()(}|{ 12
1 BAwchipcorr rqfTHE 0}|{ 11 HE
)()(}|{ 00 BAwchipcorr qqfTHE
)]()(1)[()()(}|{ 20
20 BABAwchipcorr qqqqfTHE
wchip
pyBB f
NC )/(2 0 )/(2 0
wchip
pyAA f
NC
ththddHpFA
}
2
)(exp{
2
1)|(
20
20
00
detectmisdet PrddHpPrthth
1}2
exp{2
1)|(
21
2
1
1

Semi-Codeless Verification of No Spoofing
Figure: gamma spoofing detection statistic vs. time (sec), 0 to 180 sec. Curves: correlation statistic; 0.01% false alarm threshold; expected mean; a priori expected mean; a priori 0.01% false alarm threshold.

First Semi-Codeless Spoofing Attack Detection
Figure: gamma spoofing detection statistic vs. time (sec), 0 to 180 sec. Curves: correlation statistic; 0.01% false alarm threshold; expected mean; a priori 0.01% false alarm threshold; a priori expected mean; correlation stat, amp. effects removed 1; correlation stat, amp. effects removed 2.

Codeless & Semi-Codeless Detection Power
Figure: probability of spoofing detection vs. correlation accumulation interval (sec), 10^-2 to 10^1 sec. Curves: codeless; semi-codeless. Conditions: FA = 0.01 %, (C/N0)pyA = 35 dB-Hz, (C/N0)pyB = 35 dB-Hz.

Test of C/A Timing as a Proxy for P(Y) Timing, Codeless Correlation
Figure: normalized correlation of quadrature baseband signals vs. delay of receiver B signal relative to receiver A signal compared to nominal C/A-code alignment (microsec), -1 to 1 microsec.

Summary & Conclusions
  Developed dual-receiver spoofing detection methods
    Codeless & semi-codeless cross-correlation of quadrature P(Y) code
    Thresholds designed based on full statistical analyses
  Implemented in narrow-band C/A receiver
    Did system ID of narrow-band RF filters
    Employed resulting models of P(Y) power loss & of time-domain distortion
  Demonstrated first successful detection of RAIM-proof spoofing attack
    Detection achieved after-the-fact in MATLAB
    Works well with semi-codeless detection interval of 0.2 sec for reasonable C/N0 levels & can work well with shorter intervals

Future Plans/Hopes
  Evaluate narrow-band filter effects of w-chip timing relative to C/A DLL prompt code & modify w-chips timing if indicated
  Evaluate potential improvements from
    Higher-gain reference station antenna
    Higher-bandwidth reference station receiver
  Tailor calculations for efficient real-time calculation
  Implement in CASES real-time software radio
  Also implement for L2C spoofing detection
  Try narrow-band processing for L2 tracking based on traditional L1 P(Y) semi-codeless correlation