Post on 28-Sep-2020
GNSS Vulnerability to Spoofing Threats and
a Review of Anti-Spoofing Techniques
Ali Broumandan, Ali Jafarnia Jahromi,
Saeed Daneshmand, Gérard Lachapelle
Position, Location And Navigation (PLAN) Group
Department of Geomatics Engineering
University of Calgary
ION Alberta Meeting
Friday January 24th, 2014
Outline
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques2
• Motivation and Background
• Spoofing and Anti-Spoofing Techniques
• Pre-Despreading Spoofing Detection
• Acquisition Level Analysis
• Tracking Level Analysis
• Position Level Authenticity Verification
• Synthetic Array Spoofing Detection
• Antenna Array Spoofing Mitigation
• Summary
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques3
Spoofing Concept
Spoofing
Transmitter
Authentic
SV1
Authentic
SV2
Authentic
SV3
Actual
Trajectory
Authentic
SV4
GNSS antenna
Spoofer
TX antenna
Spoofing: A Different Type of Interference
• Spoofing signals: similar temporal
and spectral characteristics to the
authentic GNSS signals
• GNSS receivers are vulnerable
• Known GNSS signal structure
• Lack of authentication mechanism
• Spoofing is a serious threat
• Not prohibitively costly
• Significant motivations for spoofing
due to wide-spread GNSS applications
• Receiver is not aware of being spoofed
(it is providing a PVT solution)
Spoofing a deliberate interference that aims to mislead
GNSS receivers into generating false PVT solution
?
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques4
GPS Spoofing Headlight
• Mainstream make
announcement on the
vulnerability of GNSS to
spoofing attack
• $80 million yacht hijacked
• Spoofing drone and UAS
• Vulnerability of timing systems
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques5
Vulnerability of Unmanned Vehicles
to GPS Spoofing Attack
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques6
• Unmanned Aircraft Systems
(UAS) and drones
• US congress has mandated
the Security of
Transportation to accelerate
safety of civil unmanned
aircraft systems
• Amazon is working on a new
delivery system to get
packages into customers’
hands within 30 min using
UAS
Vulnerability of Timing Systems to
Spoofing Attack
• The Power Grid’s
Vulnerability to GPS
Spoofing Attack
• Telecommunication links
are using GPS time
synchronization
• Stock Market time
synchronization is mostly
depend on civilian GPS
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques7
http://gpsworld.com/wirelessinfrastructuregoing-against-
time-13278/
Vulnerability of RTK Application to
Spoofing Attack (I/II) RTK base stations are highly vulnerable
to the spoofing attack
What does to a rover position solution if
the base station is spoofed?
A two-channel hardware simulator and
two NovAtel receivers in reference-rover
scenario have been used to asses the
spoofing vulnerability
A spoofing attack is simulated for a RTK
application where the spoofed horizontal
trajectory of the base station is spoofed
by 10 m
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques8
Vulnerability of RTK Application to
Spoofing Attack (II/II)
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques9
Authentic
Spoofing
RTK
processing
engine
Rover measurements
in RINEX
Spirent HW
simulator
Ambiguity fixed horizontal error in
the absence of spoofing
Spoofed
Reference
Ambiguity fixed horizontal error in
the presence of spoofing
Some Research Groups
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques10
Spoofing Generation Categories
• GPS signal generator
• Simplest spoofing technique but still very effective
• Receiver based spoofer
• Spoofer is coupled to a GPS receiver
• Hard to detect compared to GPS signal generator
• Self jamming avoidance is an important issue
• Advanced receiver based spoofer
• A receiver-spoofer with multiple antennas
• Very hard to detect even for AOA estimator receivers
• Very expensive and complex
• Many practical implementation issues
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques11
Spoofing Countermeasure Methods
12
Po
sit
ion
ing Receiver Autonomous Integrity
Monitoring (RAIM)
Integrity Check among Different
Pseudorange Measurements
Consistency Cross Check with
Other Navigation Systems
Cross check with IMU solutions,
Cross check with cellular and Wi-Fi
positioning solutions
Data
bit Time of Arrival (TOA) Methods
Monitoring the bit transition
boundaries
Navigation Message AnalysisConsistency check among satellites
navigation messages
Sig
na
l P
rocessin
g Correlation Peak Monitoring
Signal Quality Monitoring (SQM),
Monitoring the distribution of
correlation peak.
Spatial Discrimination of
Spoofing Signals
Antenna Array Processing,
Synthetic Antenna Arrays
Power Based Methods
C/N0 Monitoring, Absolute Power
Monitoring, L1/L2 Power level
Comparison, …
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques
Pre-Despreading Analysis
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques13
RF Down-
ConverterADC
Acquisition
Tracking PVT Solution
AGC
• Jafarnia-Jahromi, A., A. Broumandan, J. Nielsen and G. Lachapelle (2014) Pre-Despreading Authenticity Verification
for GPS L1 C/A Signals. Navigation, Journal of The Institute of Navigation, in press.
Pre-Despreading Spoofing Detection
• Looking for abnormal
power content of cyclo-
stationary signals
• GPS L1 C/A
• Line spectrum 1KHz
spacing
• Delay and Multiply (DAM)
• Processing method
• Differential Doppler removal
• Noise comb filtering
• Signal comb filtering
• Signal normalization
• Spoofing detection
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques14
TEXBAT Data Processing
• Spoofing datasets
provided by RNL at Texas
University at Austin
• Static spoofing scenarios
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques15
0 50 100 150 200 250 3000
2
4
6
8
10
12
14
Time (s)
Te
st S
tatistic T
(x)
S0: Clean Data
S1: Switched Spoofing
S2: Overpowered (10 dB)
S3: Matched-Power (1.3 dB)
S4: Matched-Power (0.4 dB)
Thr for PFA
= 0.1
Thr for PFA
= 0.01
Thr for PFA
= 0.001
Thr for PFA
= 0.0001
• S1: Switched attack
• S2: Overpowered
(10 dB advantage)
• S3: Matched Power
(1.3 dB advantage)
• S4: Matched Power
(0.4 dB advantage)
• Spoofing starts
after 100 s
Acquisition Level Analysis
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques16
RF Down-
ConverterADC
Acquisition
Tracking PVT Solution
AGC
• Jafarnia-Jahromi, A., A. Broumandan, J. Nielsen and G. Lachapelle (2012) GPS Spoofer Countermeasure
Effectiveness based on Using Signal Strength, Noise Power and C/No Observables. International Journal of Satellite
Communications and Networking, 30:181–191, DOI: 10.1002/sat.1012.
• Nielsen, J., V. Dehghanian and G. Lachapelle (2012) Effectiveness of GNSS Spoofing Countermeasure based on
Receiver CNR Measurements. International Journal of Navigation and Observations, vol. 2012, Article ID 501679, 9
pages, 2012. doi:10.1155/2012/501679.
• Dehghanian, V., J. Nielsen and G. Lachapelle (2012) GNSS Spoofing Detection Based on Receiver C/No Estimates.
Proceedings of GNSS12 (Nashville, TN, 18-21 Sep), The Institute of Navigation, 10 pages.
Acquisition Vulnerability to Spoofing
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques17
• Additional fake correlation peaks
• Potentially misdirects the acquired PRN set, code
delay and Doppler estimate
• Receiver noise floor
increase
• Generated by the cross
correlation between
spoofing PRNs and
local replicas
• Spoofing acts as a
wide-band interference
• Affects all the PRNs-165 -160 -155 -150 -145 -140 -135 -130 -125 -120
-185
-180
-175
-170
-165
-160
-155
-150
-145
Total Spoofing Power (TSP) [dBW]
No
ise
flo
or
estim
ate
[d
BW
]
Tc = 1 ms
Tc = 2 ms
Tc = 4 ms
Tc = 8 ms
Typical Received Power of Authentic GPS signals
Authentic SNR @ Tc=1 ms,
TSP = -135 dBW
Multiple Thresholds in CAF
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques18
Spoofing Peak
Authentic Peak
The threshold for
maximum GPS power
SNR vs. Absolute Power Monitoring
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques19
• Absolute power monitoring • Signal level monitoring, Noise level monitoring
• Signal to Noise Ratio (SNR) monitoring
-160 -155 -150 -145 -140 -135 -130 -1250
10
20
30
Total Spoofing Power (TSP) [dBW]
SN
R [d
B]
-160 -155 -150 -145 -140 -135 -130 -125
-170
-160
No
ise
Flo
or
Estim
ate
[d
BW
] (@
Tc=
1m
s)
data1
data2
data3
data4
Maximum SNR of GPS signal at Tc=1ms
Spoofing Signal SNR (N-spoof=16)
Boundary for Maximum Absolute Power (-151 dBW)
SNR Threshold for Detection (PFa
=10-3
)
Authentic Signal SNR (Nauth
=10)
Noise Floor Estimate (right side Y axis)
2 dB Noise Floor Increase
Vulnerability Region for Spoofing Detection based on C/N0
Vulnerability Region for Spoofing Detection based on
Absolute Power Analysis
Tracking Level Analysis
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques20
RF Down-
ConverterADC
Acquisition
Tracking PVT Solution
AGC
• Jafarnia-Jahromi, A., T. Lin, A. Broumandan, J. Nielsen and G. Lachapelle (2012) Detection and Mitigation of Spoofing
Attacks on a Vector Based Tracking GPS Receiver. International Technical Meeting, Institute of Navigation, 30Jan-
1Feb, Newport Beach, CA, 11 pages.
• Jafarnia-Jahromi, A. (2013) GNSS Signal Authenticity Verification in the Presence of Structural Interference. PhD
Thesis, Report No. 20385, Department of Geomatics Engineering, University of Calgary
Spoofing Attack on Tracking Receivers
• Tracking receiver
• Focused on tracking authentic correlation peaks
• Less vulnerable to non-aligned spoofing peaks
, ,0 , 0a s a s
l lf k k
, ,a s a s
l RF lf k f k
• Spoofer lifts-off
the tracking point
of the receiver
• Two categories:
• Consistent Doppler
• Locked Doppler
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques21
, , ,
,00a s a s a s
l l lf k k
, ,a s a s
l RF lf k f k
Spoofing Countermeasure during
Tracking• Consistent Doppler:
• Amplitude fluctuations
due to the interaction
between spoofing and
authentic signals
0 50 100 150 200 250 300 350 4000
2
4
6
8
10x 10
6
Time (s)(a)
Co
rre
lato
r O
utp
ut
132 133 134 135 136 137 138 139 140 141 1420
2
4
6
8
x 106
Time (s)(b)
Co
rre
lato
r O
utp
ut
Prompt Correlator (PRN-19)
Prompt Correlator (PRN-10)
Theoretical Prompt (PRN-19)
Theoretical Prompt (PRN-10)
Spoofing Attack Starts
Spoofing peak starts to move away from the authentic one
50 100 150 200 250 300 350 4000
10
20
30
40
50
60
70
80
90
100
Time (s)
De
tectio
n T
est S
tatistic
S0: Authentic Signal
S1: Switched Spoofing Attack
S2: Consistent Doppler Spoofing
S3: Locked Doppler Spoofing
S4: Locked Doppler Spoofing
Detection Threshold (PFA
=10-2
)
Detection Threshold (PFA
=10-3
)
Detection Threshold (PFA
=10-4
)
• Locked Doppler:
• Consistency check
between PLL and DLL
loop filter outputs
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques22
Position Level Analysis
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques23
RF Down-
ConverterADC
Acquisition
Tracking PVT Solution
AGC
• Jafarnia-Jahromi, A., S. Daneshmand, A. Broumandan, J. Nielsen and G. Lachapelle (2013) PVT Solution
Authentication Based on Monitoring the Clock State for a Moving GNSS Receiver, Proceedings of the European
Navigation Conference (ENC2013), April 23-25, Vienna, Austria, 11 pages.
Position Level Authenticity Verification
• Authentic pseudorange
• Spoofed pseudorange
• Spoofing Detection (the idea)
• Receiver motion causes pseudorange variation
• All spoofing PRNs coming from the same source
• Common spoofer-user range (ρsu) variation
• Clock state will be affected for a spoofed PVT solution
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques24
( ):i
i i i u i
Specific to PRN x t Common among all PRNs
PR t t cdt t c dT t t
ˆ( ):
ˆ ˆˆ ˆ.
i
i i i u su s i
Specific to PRN x t Common among all PRNs
PR t t cdt t cdT t t c dT t t
Handheld Circular Motion
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques25
Synthetic Array Processing
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques26
RF Down-
ConverterADC
Acquisition
Tracking PVT Solution
AGC
• Broumandan, A., A. Jafarnia-Jahromi, V. Dehgahanian, J. Nielsen and G. Lachapelle (2012) GNSS Spoofing
Detection in Handheld Receivers based on Signal Spatial Correlation. Proceedings of IEEE/ION PLANS 2012,
Session B3, Myrtle Beach, SC, 24-26 April, 9 pages.
• Nielsen, J., A. Broumandan and G. Lachapelle (2011) GNSS Spoofing Detection for Single Antenna Handheld
Receivers. NAVIGATION, 58, 4, 335-344.
Synthetic Array Processing• Spatial correlation
coefficient is a metric to
discriminate spoofing
• The processing interval
is divided into M
subintervals
• and are
assumed constant during
each subinterval
• The detection problem
can be developed as
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques27
( ( ), )A
iA t tp ( ( ), )S
iA t tp
1
0
S S S S S
i i i i i
i A A A A A
i i i i i
H
H
a α η Λ ηx
a α η Λ η
.
H
i j
ijH H
i i j j
E
E E
x x
x x x x
0 0.5 1 1.5 2 2.5 3
x 104
-10
-5
0
5
10a) Authentic
Time (ms)
Dop
ple
r (H
z)
0 0.5 1 1.5 2 2.5 3
x 104
-10
-5
0
5
10
Time (ms)
Dop
ple
r (H
z)b) Spoofing
PRN 16
PRN 21
PRN 15
PRN 18
PRN 24
PRN 16
PRN 21
PRN 18
PRN 15
PRN 24
Spoofing Discrimination based on
Doppler Pairwise Correlation
• Measured Doppler
due to the antenna
motion for the
authentic and
spoofing signals
• Authentic Doppler
values are
uncorrelated while
the spoofed ones
are correlated
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques28
29
Acquisition
Tracking
PVT
Authentication
for a Moving
Receiver
RF Down-
Converter
Antenna
Combining
(Beam-
Forming)
Antenna Array Processing
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques
• Daneshmand, S., A. Jafarnia Jahromi, A. Broumandan, J. Nielsen and G. Lachapelle (2013) GNSS Spoofing
Mitigation in Multipath Environments Using Space-Time Processing, Proceedings of the European Navigation
Conference (ENC2013), April 23-25, Vienna, Austria 12 pages.
• Daneshmand, S., A. Jafarnia-Jahromi, A. Broumandan and G. Lachapelle (2012) A Low-Complexity GPS Anti-
Spoofing Method Using a Multi-Antenna Array. Proceedings of GNSS12 (Nashville, TN, 18-21 Sep), The Institute of
Navigation, 11 pages.
• Daneshmand, S, A. Jafarnia-Jahromi, A. Broumandan and G. Lachapelle (2011) A Low Complexity GNSS Spoofing
Mitigation Technique Using a Double Antenna Array. GPS World, 22, 12, 44-46.
Antenna Array Processing
• Each Signal has Specific
Spatial Signature Vector
(SSV)
• Spoofer spatial detection
• Authentic signals
Different SSVs
• Spoofing signals
All PRNs coming from the same
source
The same SSV
• Spoofing mitigation
• Spatial filtering (Null Steering)
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques30
(a)
(b)
Authentic Peak
Nullifying Spoofing Signals
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques31
• Real-time operation
• Low computational
complexity
• Pre-despreading operation
• Applicable for both civilian
and military signals
• Array antenna
considerations
• No need for array calibration
• Small antenna separation
Summary
• A possible structure of a stand-alone anti-
spoofing GNSS receiver
• Increased resistance against spoofing signals
Acquisition
Tracking
PVT
Authentication
for a Moving
Receiver
• Structural signals's power analysis
• Noise floor analysis
• Detecting multiple correlation peaks in CAF
• Detecting high received power level
• Synthetic array processing
• Detecting rapid fluctuations in
tracked signal amplitude
• Doppler and code rate
consistency check
• Synthetic array processing
• Move the GNSS
receiver and detect
abnormal variations in
the clock bias
RF Down-
Converter
Antenna
Combining
(Beam-
Forming)
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques32
References (1/2) • http://plan.geomatics.ucalgary.ca/project_info.php?pid=26
• Jafarnia-Jahromi, A., A. Broumandan, J. Nielsen and G. Lachapelle (2014) Pre-Despreading
Authenticity Verification for GPS L1 C/A Signals. Navigation, Journal of The Institute of Navigation,
in press.
• Jafarnia-Jahromi, A. (2013) GNSS Signal Authenticity Verification in the Presence of Structural
Interference. PhD Thesis, Report No. 20385, Department of Geomatics Engineering, University of
Calgary
• Jafarnia-Jahromi, A., S. Daneshmand and G. Lachapelle (2013) Spoofing Countermeasures for
GNSS Receivers – A Review of Current and Future Research Trends. Proceedings of Fourth
Internantional Colloquium on Scientific and Fundamental Aspects of the Galileo Programme,
Prague, 4-6 Dec 2013, 8 pages.
• Jafarnia-Jahromi, A., S. Daneshmand, A. Broumandan, J. Nielsen and G. Lachapelle (2013) PVT
Solution Authentication Based on Monitoring the Clock State for a Moving GNSS Receiver,
Proceedings of the European Navigation Conference (ENC2013), April 23-25, Vienna, Austria, 11
pages.
• Daneshmand, S., A. Jafarnia Jahromi, A. Broumandan, J. Nielsen and G. Lachapelle (2013)
GNSS Spoofing Mitigation in Multipath Environments Using Space-Time Processing, Proceedings
of the European Navigation Conference (ENC2013), April 23-25, Vienna.
• Jafarnia-Jahromi, A., A. Broumandan, J. Nielsen and G. Lachapelle (2012) GPS Vulnerability to
Spoofing Threats and a Review of Anti-Spoofing Techniques. International Journal of Navigation
and Observations, vol. 2012, Article ID 127072, 16 pages, 2012.
• Broumandan, A., A. Jafarnia-Jahromi, V. Dehgahanian, J. Nielsen and G. Lachapelle (2012)
GNSS Spoofing Detection in Handheld Receivers based on Signal Spatial Correlation.
Proceedings of IEEE/ION PLANS 2012, Myrtle Beach, SC, 24-26 April, 9 pages.
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques33
References (2/2) • Jafarnia-Jahromi, A., A. Broumandan, J. Nielsen and G. Lachapelle (2012) GPS Spoofer
Countermeasure Effectiveness based on Using Signal Strength, Noise Power and C/No
Observables. International Journal of Satellite Communications and Networking.
• Nielsen, J., V. Dehghanian and G. Lachapelle (2012) Effectiveness of GNSS Spoofing
Countermeasure based on Receiver CNR Measurements. International Journal of Navigation and
Observations, vol. 2012, Article ID 501679, 9 pages, 2012.
• Dehghanian, V., J. Nielsen and G. Lachapelle (2012) GNSS Spoofing Detection Based on
Receiver C/No Estimates. Proceedings of GNSS12 (Nashville, TN, 18-21 Sep), The Institute of
Navigation, 10 pages.
• Jafarnia-Jahromi, A., T. Lin, A. Broumandan, J. Nielsen and G. Lachapelle (2012) Detection and
Mitigation of Spoofing Attacks on a Vector Based Tracking GPS Receiver. International Technical
Meeting, ION, 30Jan-1Feb, Newport Beach, CA, 11 pages.
• Nielsen, J., A. Broumandan and G. Lachapelle (2011) GNSS Spoofing Detection for Single
Antenna Handheld Receivers. NAVIGATION, 58, 4, 335-344.
• Daneshmand, S., A. Jafarnia-Jahromi, A. Broumandan and G. Lachapelle (2012) A Low-
Complexity GPS Anti-Spoofing Method Using a Multi-Antenna Array. Proceedings of GNSS12
(Nashville, TN, 18-21 Sep), The Institute of Navigation, 11 pages.
• Daneshmand, S, A. Jafarnia, A. Broumandan and G. Lachapelle (2011) A Low Complexity GNSS
Spoofing Mitigation Technique Using a Double Antenna Array. GPS World, 22, 12, 44-46.
• Nielsen, J., A. Broumandan and G. Lachapelle (2010) Spoofing Detection and Mitigation. GPS
World, 21, 9 (September), 27-33.
GNSS Vulnerability to Spoofing Threats and a Review of Anti-Spoofing Techniques34