WNCG, UT Austin, 1 April 2011 Mark L. Psiaki Sibley School of Mechanical & Aerospace Engr., Cornell University Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals


WNCG, UT Austin, 1 April 2011

Mark L. Psiaki
Sibley School of Mechanical & Aerospace Engr., Cornell University

Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals


UT Austin April ‘11 2 of 32

Collaborator Acknowledgements
  Steve Powell, Cornell ECE staff
  Brady O’Hanlon, Cornell ECE Ph.D. student
  Jahshan Bhatti, UT Austin Aero. Engr. & Engr. Mechanics Ph.D. student
  Todd Humphreys, UT Austin Aero. Engr. & Engr. Mechanics faculty


Motivation: Defend civilian GPS receivers from Humphreys-et-al.-type spoofing attack
  RAIM methods not useful

Strategy: Exploit encrypted P(Y) code
  Cross-correlate P(Y) code in defended receiver with P(Y) code on secure receiver
  P(Y) found in quadrature with tracked C/A
  Codeless technique is simple
  Semi-codeless yields increased processing gain
  Narrow-band P(Y) experiences ~75% power loss & distortion

Initially use MATLAB in an offline mode for analysis & testing


Outline
I. Related research
II. Spoofing detection concept
III. Signal model
IV. Using narrow-band receivers
  Narrow-band-filtered P(Y) code characteristics
  System ID of envelope filter impulse response to enable spoofing detection in a narrow-band receiver
V. Codeless spoofing detection
VI. Semi-codeless spoofing detection
VII. Summary & conclusions
VIII. Future plans


Related Research
  Substantial literature on RAIM detection of navigationally inconsistent spoofing
  Warner & Johnston (2003): Hardware-simulator-based spoofer detectable via RAIM only at start-up
  Humphreys et al. (2008, 2009): Receiver/spoofer not detectable via RAIM
  Lo et al. (2009): Codeless military P(Y) code dual-receiver cross-correlation spoofing detection proposed & tested under non-spoofing conditions
  O’Hanlon et al. (2010): Attempted real-time implementation of Lo et al. spoofing detector & test under Humphreys et al. spoofing attack


A Spoofing Attack not Detectable by RAIM


Anti-Spoofing via P(Y) Correlation

[Diagram components:]
  GPS Satellite
  Secure antenna/receiver w/processing to estimate P(Y) features
  Secure uplink of delayed, digitally-signed P(Y) features
  GEO “bent-pipe” transceiver
  Transmitter of delayed, digitally-signed P(Y) features
  Broadcast segments of delayed, digitally-signed P(Y) features
  UE with
    - receiver for delayed, digitally-signed P(Y) features
    - delayed processing to detect spoofing via P(Y) feature correlation


Block Diagram of Generalized P(Y) Correlation Spoofing Detector

[Diagram blocks:]
  GPS transmitter
  UE receiver with P(Y)fea extraction processing
  Secure ground-based antenna/receiver
  Digital signer
  Secure link to broadcaster
  Wireless (or internet) broadcaster
  UE receiver (or internet link) for P(Y)fea
  Correlation registers
  Digital signature verifier
  Spoofing Detector
[Signal labels: L1 C/A & P(Y); P(Y)fea; P(Y)fea/est]
[Region labels: User Equipment; New Infrastructure]


Signal Model at RF Front-End Output

Signal with C/A & P(Y) code at RF front-end output
  Sample interval Δt
  C/A code C(t) & P code P(t) known (+1/-1 values)
  P(Y) +1/-1 encryption chips w(t) not known
  w(t) average chipping at 480 kHz w/known timing relative to C/A & P codes
Wide-band carrier-to-noise ratios:

)cos()()( iifiiaci ttDtCAy

iiifiiipy nttDtwtPA )sin()()()(

Δt

ANC

n

caac 2

2

0 4)/(

Δt

ANC

n

pypy 2

2

0 4)/(


Carrier Phase & Timing Relationships of C/A & P(Y) Codes

[Figure: two panels, "Reference Signal" and "Defended Signal"; axes: Time (chips), C/A Signal, P(Y) Signal]
  Known in-phase C/A code used for tracking in both receivers
  Unknown encrypted quadrature P(Y) code used for cross-correlation spoofing detection
  Correlated portions of P(Y) code based on C/A code to match timing between receivers


Original & Filtered P(Y) Spectra

[Figure: Normalized Power vs. Frequency Offset from Carrier (MHz); curves: Full P(Y) code; P(Y) code as filtered in narrow-band C/A-code receiver (24.96% of original power)]


Original & Filtered P(Y) Time Histories

[Figure: P(Y) Code vs. Chip Count; curves: Full P(Y) code; P(Y) code filtered in narrow-band C/A-code receiver (delay removed)]


Complex Envelope Filter Impulse Response & Filtered PRN Code Correlation

Envelope (finite) impulse response of Z code:
Correlation between filtered code & unfiltered replica:
Derived cross-correlation relationship for system ID:

dZthdZthtZ

t

ttF

max

)()()()()(

dttZtAZT

limc D

T

TF

TZFZ )()(

2

1)(

dchdttcthc

A ZZt

DDZZ

t

ZFZD

maxD

max)()()()()(

1

0


Filter Impulse System ID Calculations

  Track C/A code using DLL & PLL
  Compute prompt, early, late, double early, double late, etc. C/A accumulations, cCFC(i) for many i cross-correlation delay values
  Guess reasonable, conservative tmax & D values
  Parameterize h(t;p) as the 1st derivative of a quintic spline envelope step response function with spline node parameters p
  Use known cCC() C/A autocorrelation, measured cCFC(i) cross correlations, & analytic spline integrals to formulate over-determined system of linear equations in p & (1/A) based on final equation of previous chart
  Solve least-squares estimation problem subject to the constraint
    $$ \int_0^{t_{max}} h(t;p)\,dt = 1 $$
  & penalizing
  Or set up & solve simultaneously for multiple C/A PRN codes in same receiver, solving for differential D values between PRN codes in outer nonlinear optimization

splinetdt

hd

tdt

hd Njmidjmidj

1,...,for &

2

);(

2

);(4

4

3

3

pp


Theoretical & Measured C/A Correlations, PRN 08

[Figure: Correlation vs. Chip Offset (<--- Wide-band earlier, Wide-band later --->); curves: Theoretical wide-band autocorrelation; Measured narrow-band in-phase correlation; Measured narrow-band quadrature correlation]


Estimation Fit for PRN 08

[Figure: Correlation vs. Chip Offset (<--- Wide-band earlier, Wide-band later --->); curves: Measured in-phase correlation; Measured quadrature correlation; Estimated in-phase correlation; Estimated quadrature correlation; Estimation Error Absolute Value]


Estimated Impulse & Frequency Responses for 2 Narrow-Band RF Filters

[Figure: four panels. "Filter A Impulse Response" and "Filter B Impulse Response": Envelope Impulse Response vs. Time (microsec), Real and Imaginary curves. "Filter A Frequency Response" and "Filter B Frequency Response": Gain (dB) vs. Frequency Offset from Carrier (MHz)]


Codeless Spoofing Detection Calculations (1 of 2)

1. Track C/A code, compute & record base-band-mixed quadrature samples yrawAi & yrawBi, & do noise & C/A & P(Y) power calculations on both receivers

2. Compute normalized cross-correlation spoofing detection statistic

accumIQFca

IQca

TL

ANC

2

2

02

)/(

}{ 22caca

QIEzca 22222 }]{[ cazca zQIEcaca

222zcacaIQ zA )(5.0 222

zcacacaIQ zz 22 2IQ

accumRF T

Δt

Fpycapy LNCNC 3.000 10)/()/(

pyARFBRFA

M

irawBirawAi

NCΔtM

yy

)/(214 0

1


Codeless Spoofing Detection Calculations (2 of 2)

3. Compute conditional means & variances of detection statistic under non-spoofed null hypothesis, H0, & under spoofed hypothesis, H1

4. Develop spoofing detection threshold γ_th based on conditional probability density functions & desired false alarm probability

5. Compare computed statistic to threshold

1}|{ 12 HE

0}|{ 1 HE

attack spoofingunder channel

detected spoofing no

th

th

pyA

pyBpyA

NCΔt

NCNCMΔtHE

)/(21

)/()/(2}|{

0

000

pyA

pyBpyA

NCΔt

NCNCΔtHE

)/(21

])/()/[(21)(}|{

0

0020

2

ththddHpFA

}

2

)(exp{

2

1)|(

2

2

0

detectmisdet PrddHpPrthth

1}5.0exp{2

1)|( 2

1
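
Added example (not from the slides): a Python simulation of codeless steps 1 to 5 above under a simplified, constructed model with one real quadrature sample per encryption chip, white Gaussian noise of known standard deviation SIGMA, and P(Y) amplitudes assumed known from the step-1 power calculations. The function names are this example's own, and the H0 mean and variance are derived for this simplified model, not taken from the slides' expressions.

```python
import math
import random
from statistics import NormalDist

SIGMA = 1.0  # assumed per-sample noise std dev in both receivers (constructed)

def simulate(m, amp_a, amp_b, spoofed, rng):
    """Constructed quadrature baseband samples, one per encryption chip."""
    ya, yb = [], []
    for _ in range(m):
        w = rng.choice((-1.0, 1.0))  # true encrypted chip, unknown to both receivers
        # A spoofer cannot predict w, so its quadrature chips are independent of it.
        w_a = rng.choice((-1.0, 1.0)) if spoofed else w
        ya.append(amp_a * w_a + rng.gauss(0.0, SIGMA))  # defended receiver A
        yb.append(amp_b * w + rng.gauss(0.0, SIGMA))    # secure reference receiver B
    return ya, yb

def detection_statistic(ya, yb):
    """Cross-correlation scaled to unit variance when the two streams are uncorrelated."""
    m = len(ya)
    power_a = sum(v * v for v in ya) / m
    power_b = sum(v * v for v in yb) / m
    return sum(a * b for a, b in zip(ya, yb)) / math.sqrt(m * power_a * power_b)

def threshold(m, amp_a, amp_b, alpha_fa):
    """Threshold from the Gaussian H0 density and the desired false-alarm probability."""
    rho = amp_a * amp_b / math.sqrt((amp_a**2 + SIGMA**2) * (amp_b**2 + SIGMA**2))
    mean_h0 = math.sqrt(m) * rho      # E{gamma | H0}: no spoofing
    std_h0 = math.sqrt(1.0 - rho**2)  # under H1 (spoofed) gamma is ~ N(0, 1)
    gamma_th = mean_h0 + std_h0 * NormalDist().inv_cdf(alpha_fa)
    pr_detect = NormalDist().cdf(gamma_th)  # Pr{gamma < gamma_th | H1}
    return gamma_th, mean_h0, pr_detect

def check_channel(ya, yb, amp_a, amp_b, alpha_fa=1e-4):
    """Return (spoofing_declared, gamma, gamma_th); alpha_fa = 0.01% as on the slides."""
    gamma = detection_statistic(ya, yb)
    gamma_th, _, _ = threshold(len(ya), amp_a, amp_b, alpha_fa)
    return gamma < gamma_th, gamma, gamma_th

if __name__ == "__main__":
    rng = random.Random(2011)
    for spoofed in (False, True):
        ya, yb = simulate(40000, 0.3, 0.3, spoofed, rng)
        print("spoofed input:", spoofed, "->", check_channel(ya, yb, 0.3, 0.3))
```

Lengthening the accumulation (larger m) raises the H0 mean as sqrt(m) while the H1 distribution stays N(0, 1), which is why detection probability grows with the correlation interval.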


Verification of No-Spoofing Case

[Figure: gamma (Normalized Spoofing Detection Stat) vs. Time (sec)]
  Predicted Mean Value based on C/A code & 3.04 dB power decrement to yield transmitted P(Y) power (i.e., before filtering in RF front-end)
  Spoofing Detection Threshold, alpha_FA = 0.01%, Pr_detect = 1 - 1.11e-16


First Successful Spoofing Attack Detection

[Figure: gamma (Normalized Spoofing Detection Stat) vs. Time (sec)]
  Onset of spoofing attack
  Successful Spoofing Detection for PRN 12
  Successful Verification of lack of Spoofing for PRN 02
  PRN 02 (unspoofed) detection statistic
  PRN 12 (spoofed) Detection Statistic
  PRN 12 predicted mean value based on C/A code & 3.04 dB decr
  PRN 02 predicted mean value based on C/A code & 3.47 dB decr
  PRN 02 Spoofing Detection Threshold, alpha_FA = 0.01%, Pr_detect = 99.99999999774% before spoofing event, Pr_detect = 99.9857% after event
  PRN 12 Spoofing Detection Threshold, alpha_FA = 0.01%, Pr_detect = 98.7274% before spoofing event, Pr_detect = 99.9999999999982% after event


Base-Band Quadrature Semi-Codeless Signal Model

$$ y_{raw}(t_i) = A_{py} \sum_{j=1}^{N} w_j P_{Fj}(t_i) + n_i $$
with unknown ±1-valued encryption chips w_j

[Figure: two panels vs. t (P-code chips): Pj(t) with segments P1 to P5, and PFj(t) with segments PF1 to PF5; the P & PF time histories are marked for chips w1 to w5]


Semi-Codeless Spoofing Detection Calcs. (1 of 3)

1. Track C/A code, compute & record base-band-mixed quadrature samples yrawAi & yrawBi, do noise & C/A & P(Y) power calculations on both receivers (as in codeless tracking), & estimate P(Y) amplitude Apy

2. Form hard +1/-1 estimates of wj encryption chips by approximately optimizing the following cost function using integer techniques

   $$ J(w_1,\ldots,w_N) = \frac{1}{2}\sum_{i=1}^{M}\Big[ y_{raw}(t_i) - A_{py}\sum_{j=1}^{N} w_j P_{Fj}(t_i) \Big]^2 $$

3. Compute probability that wj = +1 & compute soft wj-chip estimates for j = 1, …, N

   $$ \sigma_n = \sqrt{2 J(w_{opt1},\ldots,w_{optN})/M} $$

   $$ Pr\{w_{optj}\} = \frac{1}{1 + e^{-[J(w_{opt1},\ldots,-w_{optj},\ldots,w_{optN}) - J(w_{opt1},\ldots,w_{optj},\ldots,w_{optN})]/\sigma_n^2}} $$

   $$ Pr_j = Pr\{w_j = +1\} = \frac{1}{2} + w_{optj}\Big[ Pr\{w_{optj}\} - \frac{1}{2} \Big] $$

   $$ \hat{w}_j = 2 Pr_j - 1 $$


Semi-Codeless Spoofing Detection Calcs. (2 of 3)

4. Compute spoofing detection statistic equal to cross-correlation of soft w-chip estimates between receivers A & B

5. Compute conditional means & variances of detection statistic under non-spoofed null hypothesis, H0, & under spoofed hypothesis, H1

N

jBjAjrwHE

1

21

21 )(ˆ}|{ 0}|{ 11 HE

$$ \gamma = \sum_{j=1}^{N} \hat{w}_{Aj}\,\hat{w}_{Bj} $$

N

jBjAjqwHE

1

200 )(ˆ}|{

N

jBjAjBjAj qwqwHE

1

2220

20 )](ˆ1)[(ˆ)(}|{

dr }5.0exp{)(tanh2

1)( 22

dq }5.0exp{)](tanh[2

1)( 2

)]([)(

)( 2

jmax

jmin

i

iiiFj

Bn

BpyBj tP

A


Semi-Codeless Spoofing Detection Calcs. (3 of 3)

6. Develop spoofing detection threshold γ_th based on conditional probability density functions & desired false alarm probability

7. Compare computed statistic to threshold

attack spoofingunder channel

detected spoofing no

th

th

ththddHpFA

}

2

)(exp{

2

1)|(

20

20

00

detectmisdet PrddHpPrthth

1}2

exp{2

1)|(

21

2

1

1


A Priori Semi-Codeless Spoofing Detection Analysis

1. Compute conditional means & variances of detection statistic under non-spoofed hypothesis & spoofed hypothesis without receiver A data

2. Develop spoofing detection threshold γ_th based on conditional probability density functions & desired false alarm probability

)()(}|{ 12

1 BAwchipcorr rqfTHE 0}|{ 11 HE

)()(}|{ 00 BAwchipcorr qqfTHE

)]()(1)[()()(}|{ 20

20 BABAwchipcorr qqqqfTHE

wchip

pyBB f

NC )/(2 0 )/(2 0

wchip

pyAA f

NC

ththddHpFA

}

2

)(exp{

2

1)|(

20

20

00

detectmisdet PrddHpPrthth

1}2

exp{2

1)|(

21

2

1

1


Semi-Codeless Verification of No Spoofing

[Figure: gamma spoofing detection statistic vs. Time (sec); curves: Correlation statistic; 0.01% false alarm threshold; Expected mean; A priori expected mean; A priori 0.01% false alarm threshold]


First Semi-Codeless Spoofing Attack Detection

[Figure: gamma spoofing detection statistic vs. Time (sec); curves: Correlation statistic; 0.01% false alarm threshold; Expected mean; A priori 0.01% false alarm threshold; A priori expected mean; Correlation stat, amp. effects removed 1; Correlation stat, amp. effects removed 2]


Codeless & Semi-Codeless Detection Power

[Figure: Probability of Spoofing Detection vs. Correlation Accumulation Interval (sec); curves: Codeless; Semi-Codeless; conditions: alpha_FA = 0.01 %, (C/N0)pyA = 35 dB-Hz, (C/N0)pyB = 35 dB-Hz]


Test of C/A Timing as a Proxy for P(Y) Timing, Codeless Correlation

[Figure: Normalized Correlation of Quadrature Baseband Signals vs. Delay of Receiver B Signal Relative to Receiver A Signal Compared to Nominal C/A-Code Alignment (microsec)]


Summary & Conclusions

Developed dual-receiver spoofing detection methods
  Codeless & semi-codeless cross-correlation of quadrature P(Y) code
  Thresholds designed based on full statistical analyses

Implemented in narrow-band C/A receiver
  Did system ID of narrow-band RF filters
  Employed resulting models of P(Y) power loss & of time-domain distortion

Demonstrated first successful detection of RAIM-proof spoofing attack
  Detection achieved after-the-fact in MATLAB
  Works well with semi-codeless detection interval of 0.2 sec for reasonable C/N0 levels & can work well with shorter intervals


Future Plans/Hopes

Evaluate narrow-band filter effects of w-chip timing relative to C/A DLL prompt code & modify w-chips timing if indicated

Evaluate potential improvements from
  Higher-gain reference station antenna
  Higher-bandwidth reference station receiver

Tailor calculations for efficient real-time calculation
Implement in CASES real-time software radio
Also implement for L2C spoofing detection
Try narrow-band processing for L2 tracking based on traditional L1 P(Y) semi-codeless correlation
