GNSS Spoofing Detection using Two-Antenna Differential Carrier Phase
Mark L. Psiaki
Sibley School of Mech. & Aero. Engr., Cornell Univ.
Brady W. O'Hanlon & Steven P. Powell
School of Electrical & Computer Engr., Cornell Univ.
Jahshan A. Bhatti, Kyle D. Wesson, & Todd E. Humphreys
Aero. Engr. & Engr. Mechanics, UT/Austin
Andrew Schofield
Sea ID, Master of the White Rose of Drachs
ION/GNSS+ 2014, 12 Sept. 2014

Acknowledgements
- The owner of the White Rose of Drachs lent his yacht to support the testing reported here
- The White Rose crew aided this project in many ways
ION/GNSS+ Sept. ‘14 2 of 22
Motivation: Detect attack by Humphreys-class spoofer on civilian GPS receiver or meaconing attack on a military receiver
Strategy:
- Exploit differences of signal arrival geometry between non-spoofed case & spoofing from a single transmitter using CDGPS/attitude-determination principles
- Develop detection statistic based on difference of fits to spoofed & non-spoofed models of single-differenced carrier-phase between 2 antennas
- Implement real-time version
- Test detection system against live-signal spoofing attacks on a superyacht during a cruise around Italy

Outline
I. Spoofing detection system architecture
II. Non-spoofed & spoofed carrier phase models
III. Detection tests with maximum likelihood optimal estimation of unknown attitude parameters
IV. Live-signal spoofing attack experiments aboard a yacht
V. Results, analyses, & discussion
VI. Summary & conclusions
VII. Future plans

Two Configurations of a 2-Antenna GNSS Spoofing Detection System
- RF-switched-signal/single-receiver configuration
- Two-receiver configuration

Geometry of Non-Spoofed Case

Geometry of Single-Transmitter Spoofed Case

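Carrier Phase Models
Non-spoofed case:
$$\Delta\phi_{BA}^j = \phi_B^j - \phi_A^j = -\frac{2\pi}{\lambda}(\hat{r}^j)^T A^T b_{BA} + \beta_{BA} + 2\pi\Delta N_{BA}^j + n_{mpBA}^j + n_{rcvrBA}^j$$
$$= -\frac{2\pi\rho_{BA}}{\lambda}(\hat{r}^j)^T \hat{r}_{BA} + \beta_{BA} + 2\pi\Delta N_{BA}^j + n_{mpBA}^j + n_{rcvrBA}^j$$
Spoofed case:
$$\Delta\phi_{BA}^j = -\frac{2\pi\rho_{BA}}{\lambda}(\hat{r}^{sp})^T \hat{r}_{BA} + \beta_{BA} + 2\pi\Delta N_{BA}^j + n_{mpBA}^{sp} + n_{rcvrBA}^j$$
$$= \beta_{sp} + 2\pi\Delta N_{BA}^j + n_{rcvrBA}^j$$
with
$$\beta_{sp} = -\frac{2\pi\rho_{BA}}{\lambda}(\hat{r}^{sp})^T \hat{r}_{BA} + \beta_{BA} + n_{mpBA}^{sp}$$
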
Single-Differenced Carrier Phase Responses to Spoofing Attack
[Figure: fractional part of ΔφBA (cycles) vs. receiver clock time (sec), 0 to 1200 sec, for PRN02, PRN12, PRN14, PRN21, PRN25, PRN29, PRN31, with the Initial Attack and Code Drag-Off marked]

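Hypothesis Test Statistic
Non-spoofed case antenna baseline estimation
find: $\hat{r}_{BA}, \beta_{BA}, \Delta N_{BA}^1, \ldots, \Delta N_{BA}^L$
to minimize:
$$J_{nonsp}(\hat{r}_{BA}, \beta_{BA}, \Delta N_{BA}^1, \ldots, \Delta N_{BA}^L) = \frac{1}{2}\sum_{j=1}^{L} \frac{\left[\Delta\phi_{BA}^j + \frac{2\pi\rho_{BA}}{\lambda}(\hat{r}^j)^T \hat{r}_{BA} - \beta_{BA} - 2\pi\Delta N_{BA}^j\right]^2}{(\sigma_{rcvr}^j)^2 + \sigma_{mp}^2}$$
subject to: $(\hat{r}_{BA})^T \hat{r}_{BA} = 1$, $\Delta N_{BA}^1 = 0$, $\Delta N_{BA}^j$ integer-valued for $j = 2, \ldots, L$
Spoofed case bias/ambiguity estimation
find: $\beta_{sp}, \Delta N_{BA}^1, \ldots, \Delta N_{BA}^L$
to minimize:
$$J_{sp}(\beta_{sp}, \Delta N_{BA}^1, \ldots, \Delta N_{BA}^L) = \frac{1}{2}\sum_{j=1}^{L} \frac{\left[\Delta\phi_{BA}^j - \beta_{sp} - 2\pi\Delta N_{BA}^j\right]^2}{(\sigma_{rcvr}^j)^2}$$
subject to: $\Delta N_{BA}^1 = 0$, $\Delta N_{BA}^j$ integer-valued for $j = 2, \ldots, L$
Difference-of-fits spoofing detection test statistic
$$\gamma = J_{sp}(\beta_{spopt}, \Delta N_{BAspopt}^1, \ldots, \Delta N_{BAspopt}^L) - J_{nonsp}(\hat{r}_{BAopt}, \beta_{BAopt}, \Delta N_{BAnsopt}^1, \ldots, \Delta N_{BAnsopt}^L)$$
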
Monte-Carlo Simulation of Spoofed & Non-Spoofed Probability Densities of Detection Statistic
[Figure: probability density vs. γ, negative log likelihood cost differential, for spoofed cases and non-spoofed cases, with a candidate γth detection threshold with low PFA & low PMD]
Antenna Separation = 14 cm, 7 satellites, GDOP: 2.4, C/N0: 34.12 to 49.7 dB-Hz

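The difference-of-fits statistic γ from the Hypothesis Test Statistic slide, computed for one constructed epoch with the 14 cm, 7-satellite setup of the simulation slide. This is an added example, not the authors' Matlab/C code; the satellite directions, baseline heading, noise level (one σ for every satellite, no multipath term) and the brute-force grid search over the baseline direction are assumptions, and phases are in cycles rather than radians.

```python
import math
import random

LAMBDA = 0.1903   # GPS L1 carrier wavelength, m
RHO = 0.14        # antenna separation from the simulation slide, m
SIGMA = 0.01      # assumed 1-sigma phase noise (cycles), equal for all satellites

def unit(az_deg, el_deg):  # east-north-up unit vector for azimuth/elevation
    az, el = math.radians(az_deg), math.radians(el_deg)
    return (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))

# Constructed 7-satellite geometry (azimuth, elevation in degrees); not from the slides.
SATS = [unit(a, e) for a, e in [(20, 65), (75, 30), (130, 50), (190, 20),
                                (250, 40), (300, 70), (345, 25)]]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def bias_fit_cost(d):
    """Minimum over the bias and integer ambiguities of 0.5*sum(e^2)/SIGMA^2."""
    f = sorted(x % 1.0 for x in d)
    best = float("inf")
    for k in range(len(f)):  # each cut of the phase circle is one integer assignment
        g = f[k:] + [x + 1.0 for x in f[:k]]
        mean = sum(g) / len(g)  # least-squares bias for this assignment
        best = min(best, 0.5 * sum((x - mean) ** 2 for x in g) / SIGMA ** 2)
    return best

def sphere_grid(n):
    """Near-uniform candidate directions for the baseline (Fibonacci lattice)."""
    return [unit(137.50776 * i, math.degrees(math.asin(1 - 2 * (i + 0.5) / n)))
            for i in range(n)]

def gamma_stat(dphi, sats, grid):
    """gamma = J_sp(optimum) - J_nonsp(optimum) for phases dphi in cycles."""
    j_sp = bias_fit_cost(dphi)
    j_nonsp = min(bias_fit_cost([p + RHO / LAMBDA * dot(s, r) for p, s in zip(dphi, sats)])
                  for r in grid)
    return j_sp - j_nonsp

def simulate(spoofed, rng, r_true=unit(40, 0), beta=0.3):
    """Constructed fractional single-differenced phases (cycles) for one epoch."""
    return [(beta - (0.0 if spoofed else RHO / LAMBDA * dot(s, r_true))
             + rng.gauss(0.0, SIGMA)) % 1.0 for s in SATS]

if __name__ == "__main__":
    rng, grid = random.Random(1), sphere_grid(5000)
    for label, spoofed in (("authentic", False), ("spoofed", True)):
        print(label, round(gamma_stat(simulate(spoofed, rng), SATS, grid)))
```

With this geometry γ comes out strongly positive for the authentic epoch and strongly negative for the spoofed one, so a threshold γth placed between the two separates them.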
The Texas Lying Machine, Would-be Hijacker of the White Rose

Prototype Lie Detector, White Rose Defender
Receiver:
- 2 USRPs
- 1 laptop running 2 parallel UTAustin/Cornell real-time software receivers on 2 live USRP data streams
Spoofing detector:
- Matlab-based detection & graphical output function
- Called by real-time C receiver code & fed $\Delta\phi_{BA}^j$ values

Movies: Initiation of Libya Spoofing Attack & Detection
- Download a 305MByte .zip-file of videos (http://gps.mae.cornell.edu/libyaspoofingattack_reenactmentvideos.zip)
- Unzip in order to view two short movies
  - prelibyaspoof_markleadsdiscuss_00011.mp4: Brief explanation of what was tested during Libya spoofing attack
  - libyaspoofattack_closeupoflaptop_markbradyextendeddiscuss_00013_00015.mp4: Techie's eye view of how spoofing detection system picked up Libya attack at its outset. Gives a "taste" of being there during the experiments

Highlights of Spoofed Trip to Libya

Detection of Attack During Libya Trip
[Figure, top panel: ΔφBA (cycles) vs. receiver time (sec), 0 to 1000 sec, for PRN16, PRN18, PRN21, PRN22, PRN27, PRN29, PRN31, with Initial Attack and Drag Off marked]
[Figure, bottom panel: Spoofing Det Plot (authentic >= blue dash-dot), γ vs. receiver time (sec), showing Non-Spoofed Value, Spoofed Value, and Detection Threshold]

Detection of More Subtle Attack
[Figure, top panel: ΔφBA (cycles) vs. receiver time (sec), 0 to 1200 sec, for PRN02, PRN12, PRN14, PRN21, PRN25, PRN29, PRN31, with Initial Attack and Drag Off marked]
[Figure, bottom panel: Spoofing Det Plot (authentic >= blue dash-dot), γ vs. receiver time (sec), showing Non-Spoofed Value, Spoofed Value, and Detection Threshold; annotation: Ambiguous Detection Prior to Code Drag-Off]

Failed Detection of Failed Attack
[Figure, top panel: ΔφBA (cycles) vs. receiver time (sec), 0 to 1400 sec, for PRN02, PRN06, PRN12, PRN14, PRN24, PRN25, PRN29; annotation: Spoofing at power slightly below authentic signal?]
[Figure, bottom panel: Spoofing Det Plot (authentic >= blue dash-dot), γ vs. receiver time (sec), showing Non-Spoofed Value, Spoofed Value, and Detection Threshold; annotation: False alarm due to few Sats & poor geometry?]

Comparative Histograms of RF Samples
[Figure: three histograms of RAW USRP I & Q Samples (x 10^4)]
- Authentic: σ = 7100
- Successful Attack: σ = 12500, Spoofer Advantage ~ 7 dB
- Failed Attack: σ = 8200, Spoofer Advantage <= 0.9 dB

Lessons Learned, Expected & Unexpected
- Initial capture & pre-drag-off is a challenge
  - Incomplete transition of differential phases (expected)
  - Difficulty of tracking thru alternating constructive & destructive interference between true & spoofed signals if spoofer power advantage not large (unexpected)
- Successful attacks not easy
  - Inexperienced spoofer operator needed to overwhelm true signals in victim receivers
  - Simple absolute power tests could have detected spoofing in these "sledgehammer" spoofing cases

Summary & Conclusions
- Developed real-time prototype of two-antenna spoofing detection
  - Exploits differing reception geometry between non-spoofed & spoofed cases: spoofing removes the natural differences between single-differenced carrier phases
  - Optimization-based data fitting leads to powerful detection tests
- Demonstrated real-time detection of live-signal spoofing attacks
  - Detections possible in 0.2 sec, depending on PLL bandwidth.
  - Tests less certain during initial capture period before code drag-off if spoofer power not much greater than authentic signal.

Future Plans
- Improve receiver tracking robustness during initial attack
- Implement real-time switched antenna version w/new PLL
- Develop additional spoofing tests for layered defense
  - Simple in-band power monitor
  - Advanced RAIM at discriminator/tracking-loop level
  - Compass continuity for 2-antenna system estimated attitude
- Improve & test methods for case of spoofing subset of signals
- Develop methods to recover true signals
  - True signals have been acquired during times of strong spoofing attack in recorded White Rose wideband data sets
- Test improvements with recorded White Rose data
- Test improvements in new live-signal tests against a subtle spoofer (requires another cruise!)