Embed Size (px)
Citation preview
7/22/2019 GPS Spoofing
http://slidepdf.com/reader/full/gps-spoofing 1/5
GPS Spoofing Attack on Time Synchronization inWireless Networks and Detection Scheme Design
Qi Zeng, Husheng Li and Lijun Qian
bstract In this paper, we introduce a GPS spoofing attackon the time synchronization in wireless networks. As a case study,the frequency hopping code division multiple access (FH-CDMA)based ad hoc network relying on the GPS signal is invest igated.The GPS spoofing attack, which is more malicious than otherattacks such as jamming, could lead to the loss of network-widesynchroniza tion as well as the loss of synchronizat ion in FHcode. The performance degradat ion in terms of symbol errorrate (SER) of the FH-CDMA based ad hoc network under
such an attack is evaluated. Then, to detect the spoofing attack~ f f i i e n t l y we propose to employ a quick detection technique,i.e., CUSUM test algorithm, by observing the dynamic range ofthe successful detection rate. Simulation results show that GPSspoofing attack on network performance is a long-term impactand more pernicious threat compared to the jamming; moreover,our proposed CUSUM scheme is an effective method to detectthe GPS spoofing attack.
INTRODUCTION
Globa l posi tion sys tem (GPS) has been wide ly employed
in a variety of wireless applications, e.g., mobile ad hoc
network, cellular phone network, smart grid and so forth, since
it could provide many desired features, including localization,
navigation and time synchronization. However, GPS signals
are susceptible to jamming and spoofing attack. Comparedwith jamming, the spoofing attack is a more pernicious attackbecause it makes the GPS receivers in the attack range to
bel ieve the fake GPS signals sent by the spoofer, without any
alert to suggest that an attack is underway.
GPS spoofing attack is becoming a hot topic in recent years.In [1] and [2], the authors demonstrated a experiment and
a practical GPS spoofer to test how easily a civilian GPS
receiver could be spoofed, respectively. In [3], a low cost GPS
spoofer is des igned and the performance effect on the carrier
and code level is analyzed. Besides civilian GPS receiver,
spoofing attack is also a critical problem for the militaryGPS receiver. In [6], an a ttacker can manipula te the arrival
times of mil itary GPS signals by pulse-delaying or replaying
individual navigation signals with a delay, although advanced
cryptography and new keying architecture are employed in the
modernized military GPS design known as M code [16].
Recently in [4], the requirements for successful GPS spoofing
attacks on the military GPS receiver are investigated. From the
Q. Zeng and H. Li are with the Department of Electrical Eng ineeringand Computer Science, the University of Tennessee, Knoxville, TN 37996(email: [email protected]; [email protected]). L. Qian is with theDepartment of Electrical and Computer Engineering, Prairie View A MUniversity, Prairie View, TX 77446 (email: [email protected]).This workwas supported in part by the National Science Foundation under grants CCF0830451 and ECCS-0901425, and y the US rmy Research Office undergrant W911NF-12-1-0054.
©2013 IEEE
Fig. 1. The model of FH-CDMA based ad hoc network relying on the GPSsystem.
view of countermeasures to the spoofing attack, the approacheswhich range from the cryptographic authentication to modifications of the GPS signal or the infrastructure are proposed in
[5], [6]. However, such approaches are unlikely implemented
in the near future due to the high cos t and the long deployment
cycles, and spoofing military GPS is nonetheless a concern in
addition to civilian GPS spoofing.
In this paper, we investigate the impact of the GPS spoofingattack on wireless communication networks. As a case s tudy
for mili tary communications, we focus on FH CDMA based
ad hoc networks [7], [8], where all nodes usually need to
synchronize to an external clock, such as GPS signal. The
network infrastructure is shown in Fig. 1. In this network,
we propose to employ a novel general o rthogona l FH code ,i.e., no-hit -zone code [13], to the neighboring nodes in order
to mitigate the interference, which is similar to the idea of
[8]. The impact of GPS-based synchronization degradation on
other cellular networks (i.e., CDMA, GSM and UMTS) could
be found in [17].
The network-wide time synchronization is extremely crucial
for succes sful transmis sion in FH-based ad hoc netowrks,
because it renders the transmis sion pai r to simult aneously
switch to the next f requency channel. In order to achieve the
accurate network-wide time synchronization, we assume that
each node is equipped with a GPS receiver and is synchronized
to the GPS signal, Due to the GPS spoofing attack, the FH
7/22/2019 GPS Spoofing
http://slidepdf.com/reader/full/gps-spoofing 2/5
code s of v ic ti m no de s will be out of syn chronization, w hi ch
leads to the serious collision of hopping frequency. Therefore,
one of the is sues in this p ap er is to evaluate the pe rf orma nce
degradation in terms of symbol error rate SER) due to the
GPS spoofing attack.It sh oul d be noted that jamming or poor channel quality)
c ou ld r es ul t in p er fo rm an ce d eg ra da ti on s as well as the GPS
spoofing attack does, although there exist some critical diff er ences. J amming only impacts a s mall por tion of s pectrums
due to the random h op pi ng , w hi ch will lead to the s ho rt -t er m
impact on the performance. As to the GPS spoofing attack,the t ra ns cei ver s c an no t d et ec t such an a tt ac k and still fa ls el y
trust each other. The re fore, the spoofing attack is usua lly al on g- te rm and more p er ni ci ou s thre at. T hu s, the o th er i ss ue
in this p ap er is to find an efficient method to detect the GPS
spoofing attack and to distinguish from the jamming, To theauthors best knowl edge , t he re ha ve not b ee n any studies on
the GPS spoofing in communication networks.Based on the idea similar to the quickest detection for
the abrupt changes, we adopt the well-known cumulative
sum CUSUM) testing a lgorithm to detect the GPS spoofing
attack by observing the fluctuation range of the succ essfuld et ec ti on r at e [9]. The CUSUM detection method has been
extensively studied in a variety of applications, e.g., detecting
selfish occupancy of wireless resource [10], detecting the datainjection attack on s mart grid [11] and so forth.
The r em ai nd er of this p ap er is orga niz ed as follows. The
s ys te m m od el and s ign al a na ly sis are p ro vi de d in S ec ti on II.
The CUSUM test for detecting the GPS spoofing is discussed
in Section III. N ume ri cal s imulati ons and con clu si ons are
provided in Sections IV and V, r es pectively.
II. SYSTEM MODEL AND SIGNAL ANALYSIS
In this section, we focus on FH CDMA based ad hoc
wireless networks, where the network-wide time synchroniza
tion is achieved by relying on the GPS system. Firstly, we
introduce the basic infrastructure of FH CDMA b as ed ad hoc
network and analyze the impact of GPS spoofing attack on FH
code s ynchronization. T hen, we inves tigate the per formance
de gra dation in terms of SER due to the GPS spoofing attackon the time synchronization.
A. The System Model under the GPS Spoofing Attack
The structure of FH CDMA b as ed ad hoc n et wo rk is s ho wnin Fig. 1 In this network, the nodes are dis tr ibuted in the plane
accor ding to a Poiss on point process . Each node synchronizes
to an accur ate clock which is provided by GPS. We only focus
on the next neighbor trans miss ion to inves tigate the impact of
the spoofing attack on the system performance.In the p hy si ca l layer, all the c o- lo ca te d n od es in the n ei gh
bor ing area are ass umed to have been pre-ass igned unique sig
natur e FH codes which they use to modulate their inf or mation
symbols. The signature FH code of node k is denoted by CCk
To mitigate the multiple acces s inter ference M Al) r es ulting
f rom the neighborhood nodes , a novel gener al orthogonal FH
code, i.e., no-hit-zone NHZ) code, is proposed for FH CDMA
Fig. 2. The model of FH-CDMA transc eive r.
bas ed ad hoc networks in this paper. The r eason for using such
an FH code is t ha t NH Z c od e c ou ld i mp ro ve the i mm un it y to
the slight time impe rfec t sync hroniza tion due to its specific
Hamming c or re la ti on p ro pe rt ie s, c om pa re d w it h o th er FH
codes. Some des ign algor ithms of gener al orthogonal codes
and their Hamming c or re la ti on p ro pe rt ie s c ou ld be f ou nd in
[13].
For the ad hoc network inves tigated in this paper , a s poofer,
whi ch is pl ac ed near the target nodes, receives the ge nui ne
GPS s ignal and forges the fake one. The vi cti m nodes c ou ldfalsely track to the forged GPS signal via the spoofing attack
method s tated in [2]. We ass ume that the time s ynchronization
of nodes within a cer tain area near the s poof er , which is s hown
as the da she d circle in Fig.l is a ff ec te d by this spoofer. The
size of such a re a dep ends on the power of the s poof er. The
area of n ei gh bo r t ra ns mi ss ion , w hi ch is d en ot ed by the s ol id
cir cle in Fig.l c on ta in s the n od es s uffe ri ng or not s uf fe ri ng
from the spoofing attack. Each paired source-destination nodeemploys the unique NH Z c ode to r ed uc e the MAL
The paired transceiver structure for source-destination nodes
in the p hys ic al l aye r is s hown in Fig.2. The wire less c ha nne l
b et we en two a rb it ra ry n ode s is a ss ume d to be a slow R ay le ig h
fading. the transmitter, the information bits are firstlymodulated by l v1-ary FSK and the central frequency of MFSK
s ymb ol then h op s to the d es ig na te d fr equ en cy slot a cc or di ng
to the pre-assigned FH code. In the receiver, the received
signal is orderly processed through the dehopper, non-coherent
demodulator and decoder . The non-coher ent demodulator for
the MFSK signal is specified in detail in [14].
B. Signal Analysis r SER performance
In this subsection, the expressions of SER analysis are
derived for the FH CDMA bas ed ad hoc network with l v1-ary
FSK modulation. By using these express ions , s emi- analytic
Monte C ar lo s im ul at io ns are then p er fo rm ed to e st im at e theimpact on e rror probabili ty due to the GPS spoofing attack.
B efore we analyze the signal model, some definitions of thenotations are firstly listed as follows.
• K: the total number of s ource nodes in the neighboring
area, i nc lu di ng the n od es w hi ch are s yn ch ro ni ze d to the
genuine GPS signal and the victim nodes which are
s ynchronized to the fake one.
• dCk n : one l v1-arysymbol transmitted by the k th node
during the n th symbol interval.
• c ~ ~ : one f requency hopping slot used by the k-th node
dur ing the n th s ym bo l int erv al , w hi ch d ep en ds on the
assigned NH Z FH code set.
7/22/2019 GPS Spoofing
http://slidepdf.com/reader/full/gps-spoofing 3/5
• 1]: the complex additional white Gaussian noise AWGN)
with the two-sided power spectral density of N o/2.• J2S k : the received signal amplitude of the k-th node
under the independent Rayleigh fading channel with the
mean square value 20.• Tk: the t ime off se t of the k-th node caused by the GPS
spoofing attack. Actually, Ti is restricted by the maximum
value D which depends on the resolut ion of the crystal
oscillator of the local clock [2].
For the simplicity of ana lysi s, it is assumed that one AI
ary FSK symbol is sent per hop in this paper. In order
to mitigate the inter-symbol interference, the frequency of
signals maintains the orthogonality by setting the minimum FH
f requency spacing to AIITs, where T; denotes the duration of
one AI-ary symbol. Then, the complex received signal during
the n-th symbol interval can be written as
r t) = V2SCk FT s t-Tk -nT, exp[j 21T de ;;n t
+271 t c > ~ ] + ,. 1
A non-coherent demodulator is adopted in the paper. Then,
in the receiver of the destination node, the decision variable in
the l-th branch of the AI matched filters l == 0, 1, . . . ,A I 1
observed during the n-th interval is computed as follows [15].
f r C S ) \ 7 ~ ~ ) + ~ ~ 1 ; l q S I 1 C k ) n ) + V 1 1 , dCk l
IWl n)I==) K k I k) , 2l Lk:=l;k;fS I l r i +V l , d l l
where re fol lows i .i .d. Rayleigh dis tr ibut ion with PDFfrCk :£ == 2:£ exp _:£2 for k == 1,2, , K. \7 \S ==8 , Pk+8 ~ ~ L 1 - Pk), which r e p r e s e ~ t s the
impact of GPS att ack on the de sired signal. The maximum
time offset D caused by GPS spoofing attack is equal toNkT+PkTs, where Ni. is an integer and Pk follows a uniform
distribution within [0,1]. For the special case when there does
not exist any GPS attack and all nodes are well synchronized to
genuine GPS signals, \ 7 ~ ~ is constantly equal to 1. l k == rt+Nk
is the symbol interval index of the k-th interfering node after
suffering from the spoofing attack, which depends on themaximum time offset D. The function z ,y) == 1 for a: == y;
otherwise, :£, y) == O. Vl is a complex AWGN with mean zero
and var iance NolE s and the average energy of one symbol
E; == Tn. The total MAl Il k) due to the k-th interfering node
could be rewri tten as
3
where
k} k) k) . . .Il_\n == t1h r sznc Pk }l-)Pk exp J 7rPk }l_+cp k))), 4)
I l ~ ) n = = L l ~ ; l l r k sinc }l+ 1 Pk)) l-Pk
X exp j 1r }l+ Pk+1)+cp k)))_ 5
Fig. 3. The impact onSER performance due to the jamming and theGPS
spoofing attack.
I 4 d 5 A k)_ S _ k)n an h uC h ,C n , }l-==ri nk - land
}l+== ri k) nk + 1 - l . The function sinc :£) == sin 7 X I 7rxif a: =I=- 0 and sinc :£) == 1 if a: == O. The detailed derivations
of 3 - 5 are s imilar to the work in [12], which is omitted in
this paper due to the l im ited space .
In order to demonstrate the performance difference between
the GPS spoofing attack and the jamming, the SERs of FHbased ad hoc network with AI-ary FSK modulation for AI == 4
and 8 are shown in Fig. 3. We assume that the GPS spoofing
attack occurs at the t ime ins tant t==
100 and the jammingoccurs at t == 50. Besides, the number of victim nodes is equal
to 5 and the maximum time offset D due to GPS spoofinga tt ack is assumed to be 3 chip-slots. From the simulation
results, it is obtained that the system performance under
jamming is temporarily degraded, then will likely get better in
the next t ime slot due to the fact that f requency is hopped from
the jammed channel into the good one. However, under the
GPS spoofing attack, the system consistently remains at thepoor performance level. The symbol detection rate obtained
f rom the simula tion is u ti li zed as the observa tion in CUSUM
testing algorithm in the next section.
III. DETECTION OF GPS SPOOFINGThe CUSUM al gori thm is a promising method to quickly
find abrupt changes in a process when there is an unknownparameter in the post-change distribution and this parameter
may be varying duri ng the de tecti on process. Due to the
abrupt GPS spoofing attack, the time when the GPS spoofingattack occurs, which is denoted by to, is unknown. The other
parameter, i.e., the probability of frequency collisions hit-rate
) after spoofing, is unknown as well. The nodes which sufferf rom the attack are out of the FH code synchronization. It will
r esul t in the increase for MAl and the abrupt degradation for
performance.
For the simplicity of analysis in detection scheme, it is
7/22/2019 GPS Spoofing
http://slidepdf.com/reader/full/gps-spoofing 4/5
The standard statistical approach is to use the maximum
likelihood estimates of these two parameters , which leads to
the decis ion funct ion given by
By using the proposed CUSUM testing algorithm, the net
work will raise the alarm at the to- th time instant to inform that
the network is a tt acked by GPS spoofer. Also, the estimated
value of another parameter ) after change is denoted by {}
which can be obtained from 10 .
IV. SIMULATION RESULTS
In this section, we present the simulation results to demon-
strate the performance of the proposed detection scheme. In
the F H CDMA based ad hoc network, the NHZ FH code
set, which is designed via the algorithm in [13], is preassigned to the neighboring nodes and binary FS K modulation
is considered. In all the fol lowing results, it is assumed that
the GPS spoofing attack occurs at the l th observation i.e.,to 100) and the time offset due to the spoofing attack couldgo beyond the no hit zone. The performance for the proposed
detection scheme is considered in terms of the false alarm rate
and detection delay.
Fig. 4 shows the false alarm rate versus the CUSUM
decision threshold h) for the var ious s ignal- to-noise rat ios
S Rs . As observed from the figure, with the fixed S R in
each curve, the false alarm rate deceases when h increases. It
is also found that, as the false alarm rate is fixed, the detection
scheme for the system with large SN R needs a lager thresholdh t han that for the small S R system. It is due to the fact
that the sys tem with large SN R resul ts in the increase of gk
in 10 , thus increases the threshold h as well.
F ig . 5 shows the relat ion between the threshold hand S R
for some given false alarm rates 0.01 and 0.001 . From this
figure, we could obtain the optimal threshold for the CUSUMscheme corresponding to the S Rs so that the false al arm
rate reaches the expected level. For the given S R, the false
al arm rate wil l become a sma ll er va lue with increase of h;
however, it will result in the degradation of another detection
performance i.e., average detection delay, of which results will
be specified in Fig.6.
Fig. 4. The false alarm rate versus the CUSUM decision threshold h for thevarious S N Rs.
9)
7)
12
10
unknown O , 8)
to n1in{k: h}.
Ho
reasonable to assume tha t the detec tion for a packet is fai led if
the frequency hit occurs during the packet interval; otherwise,
the det ection is successful. Wit h this assumption, we can
obtain the acceptable level of detection performance. Denote
byY i E {
I} i
1,2, ...,N) theindependent
observationof
detection for packet at the i th time slots in the FH CDMA
based ad hoc network , where
{I , successful detection
Y i 0, failed detection 6)
The probability of Y i, which is denoted by PO Y i), belongs
to an unknown h it -r ate ) with a space 8. The space 8
is determined by both the pre assigned FH code and the
maximum time offset D.
N HZ FH code has the capabil ity to combat the slight time
offset, which l eads to hit -free ) 0); however , as the GPS
spoofing attack occurs, it will result in the severe hit-rate dueto fact that the time offset exceeds the no-hi t zone . When
spoofing attack occurs, the hit-rate is denoted by )I. As stated
above, the probabi li ty densi ties PO Y i) for these two cases
could be written as, respectively,
{Poo l PT
o 0 ,POo O 1 - PT
{PO 1 1 - OI PT
POI 0) 1 - 1 - OI PT
where PT denotes as the rate of correct detection when there
is hit -f ree 00 0), which depends on the fading channel
and noise . Actually, the value of PT depends on the channel
condition, the characteristic of the spoofer and so forth, which
is obtained by observing the symbol detection rate in thereal tes ting or the exper iment. From the above equat ions , we
assume the distribution of Y i is changed from 00 to }I at the
unknown time instant to, where }I is unknown as wel l but lies
in the space 8. We propose to adopt the CUSUM algorithm to
estimate the unknown parameters to and }I. Correspondingly,
we compute the log-likelihood ratio with the CUSUM method
for the observation i f rom time j up to time k, which is given
by
gk max sup S] OI)I::;j::;k 81
Then the decision rule is wri tt en as
{Ho chosen; gk < h 11HI IS chosen; If h
where h is a pre determined threshold. The alarm time for
the GPS spoofing attack is obtained by the following stoppingrule:
7/22/2019 GPS Spoofing
http://slidepdf.com/reader/full/gps-spoofing 5/5
Fig. 5. The relation between the threshold hand R for some false alarmrates (0.01 and 0.001).
Fig. 6. The The average detection delay of our proposed scheme underdifferent threshold hs.
The average detection delays of our scheme under different
thresholds are shown in Fig. 6 for the various SNR== 10 15
and 20dB. In the simulations, the average delay is defined asE{lio-tol}. It is observed that, for the small SN <15dB
the detection delay increases with the threshold; however, fora larger SNR 15dB), the average de tection delay is only
marginally dependent on the threshold. It should be noted that
the above phenomenon should exclude the range of smal l h
h< 1
v CONCLUSIONS
In this paper, we have studied the impact of GPS spoofingattack on the performance of FH-CDMA ad hoc ne twork.
This network relies on the GPS signal to realize the network
wide synchronization. The GPS spoofing attack is a type ofmalicious threat, which leads to the loss of the network
wide synchronization. Under such an attack, our investigated
network suffers f rom more severe performance degradation
than the jamming does. Then, we have proposed the CUSUM
detection s cheme for determining the occurrence of GPS
spoofing attack as quickly as possible. Finally, we presentedsimula tion results that demons tra te the performance of the
CUSUM based detection scheme. It should be noted that the
proposed CUSUM scheme and framework of analysis are still
available for other wireless communication systems which are
vulnerable to the GPS spoofing attack, not limited to FHCDMA based ad hoc network. Based on the resul ts obtained
in this paper, the countermeasure to the GPS spoofing attackwill be s tudied in our future works.
REFERENCES
[1] J. S. Warner and R. G. Johnston, A simple demonstration that the globalpositioning system (GPS) is vulnerable to spoofing , Journal of SecurityAdministration, pp.1-9, 2002.
[2] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki and et al. , Assessing thespoofing threat: development of a portable GPS , in Proc. of the ION
GNSS Conference, The Institute of Navigation, Savanna, Georgia, Sept.2008.
[3] B. Motella, M. Pini, M. Fantino and et al., Per formance assessment oflow cost GPS receivers under civilian spoofing attacks , in Proc. of ESAWorkshop on Satellite Navigation Technologies and European Workshopon GNSS Signals and Signal Processing, Noordwijk, Dec. 2010.
[4] N. O. Tippenhauer, C. Popper, K. B. Rasmussen and et al., On therequirements for successful GPS spoofing attacks , in Proc. of the ACM
Conference on Computer and Communications Security, Chicago, IL, Oct.2011.
[5] B. M. Ledvina, W. J. Bencze, B. Galusha and et al., An in-line antispoofing device for legacy civil GPS receivers , in Proc. of the IONinternational Technical Meeting, San Diego, CA, 2010.
[6] M. G. Kuhn, An asymmetric security mechanism for navigation signals ,in Proc. of the International Information Hiding Workshop, Toronto,Canada, 2004.
[7] T. Vanninen, M. Raust ia, H. Saarnissaari and et al. , Frequency hopping
mobile Ad hoc and sensor network synchronization , in Proc. of IEEEMilitary Communications Conference Milcom 2008 , San Diego, CA ,Nov. 2008.
[8] J. Elsner, R. Tanbourgi and F. K. Jondral, Multiple access interferencemitigation through multi-level locally orthogonal FH-CDMA , in Proc.of IEEE Military Communications Conference Milcom 2011 , Baltimore,MD, Nov. 2011.
[9] M. Basseville, I V. Nikiforov, Detection of Abrupt Changes: Theory andApplication, Prentice Hall, New Jersey, 1993.
[10] C. Liu, O. W.W.Yang, Y.Shu and et al., Sliding window non-parametric
cumulative sum: a quick algorithm to detect selfish behavior in wirelessnetworks , lET Commun., Vol.5, no.15, pp.230-2140, 2010.
[11] Y. Huang, H. Li, K. A. Campbell and et al., Defending false datainjection attack on smart grid network using adaptive CUSUM test , inProc.of Conferece on Information Sciences and Systems CISS 2011 ,Baltimore, ML, Mar. 2011.
[12] Q. Zeng, D. Peng and X. Wang, Performance of a novel MFSKfFHMA
system employing no-hit zone sequence set over Rayleigh fading channel, IEICE Trans. Commun., vol . E94-B, no.2, pp. 526- 532, Feb. 2011.
[13] W.X. Ye, P.Z. Fan and E. M. Gabidulin, Construction of non-repeatingfrequency-hopping sequences with no-hit zone, Electronics Lett., vol. 42,no. 12, pp. 681-682, Jan. 2006.
[14] M. K. Simon, J.K. Omura and R. A. Scholtz and et al. Spread SpectrumCommunications Handbook, McGraw-Hill, New York, 2001.
[15] K. Choi and K. Cheun, Performance of asynchronous slow frequencyhop multiple-access networks with MFSK modulat ion, IEEE Trans.Commun., vol. 48,no. 2 pp.298-307, Feb. 2000.
[16] B. Barker, J. Betz and et al. Overview of the GPS M code signal,Proceedings of the 2000 National Technical Meeting of The Institute ofNavigation, pp.542-549, Anaheim, CA, Jan. 2000.
[17] F. A. Khan and A. G. Dempster, Impact of GPS-based synchronizationdegradation on cellular networks, Symposium of the 7 InternationalGlobal Navigat ion Satel li te Systems IGNSS 2007 , pp.1-11, Sydney,Austrilia, Dec. 2007.
