212 research outputs found
A Testbed for Developing and Evaluating GNSS Signal Authentication Techniques
An experimental testbed has been created for developing
and evaluating Global Navigation Satellite System (GNSS)
signal authentication techniques. The testbed advances the state
of the art in GNSS signal authentication by subjecting candidate
techniques to the strongest publicly-acknowledged GNSS spoofing
attacks. The testbed consists of a real-time phase-coherent GNSS
signal simulator that acts as spoofer, a real-time software-defined
GNSS receiver that plays the role of defender, and
post-processing versions of both the spoofer and defender. Two
recently-proposed authentication techniques are analytically and
experimentally evaluated: (1) a defense based on anomalous
received power in a GNSS band, and (2) a cryptographic
defense against estimation-and-replay-type spoofing attacks. The
evaluation reveals weaknesses in both techniques; nonetheless,
both significantly complicate a successful GNSS spoofing attack.
Aerospace Engineering and Engineering Mechanic
GNSS Spoofing Detection via Opportunistic IRIDIUM Signals
In this paper, we study the privately owned IRIDIUM satellite constellation, to
provide a location service that is independent of the GNSS. In particular, we
apply our findings to propose a new GNSS spoofing detection solution,
exploiting unencrypted IRIDIUM Ring Alert (IRA) messages that are broadcast by
IRIDIUM satellites. We first reverse-engineer many parameters of the IRIDIUM
satellite constellation, such as the satellite speed, packet interarrival
times, maximum satellite coverage, satellite pass duration, and the satellite
beam constellation, to name a few. Later, we adopt the aforementioned
statistics to create a detailed model of the satellite network. Subsequently,
we propose a solution to detect unintended deviations of a target user from his
path, due to GNSS spoofing attacks. We show that our solution can be used
efficiently and effectively to verify the position estimated from standard GNSS
satellite constellation, and we provide constraints and parameters to fit
several application scenarios. All the results reported in this paper, while
showing the quality and viability of our proposal, are supported by real data.
In particular, we have collected and analyzed hundreds of thousands of IRA
messages, thanks to a measurement campaign lasting several days. All the
collected data ( hours) have been made available to the research
community. Our solution is particularly suitable for unattended scenarios such
as deserts, rural areas, or open seas, where standard spoofing detection
techniques resorting to crowd-sourcing cannot be used due to deployment
limitations. Moreover, contrary to competing solutions, our approach does not
resort to physical-layer information, dedicated hardware, or multiple receiving
stations, while exploiting only a single receiving antenna and
publicly-available IRIDIUM transmissions. Finally, novel research directions
are also highlighted.
Comment: Accepted for the 13th Conference on Security and Privacy in Wireless
and Mobile Networks (WISEC), 202
Signal processing techniques for GNSS anti-spoofing algorithms
The Global Navigation Satellite Systems (GNSS) usage is growing at a very high
rate, and more applications are relying on GNSS for correct functioning. With the
introduction of new GNSSs, like the European Galileo and the Chinese Beidou, in
addition to the existing ones, the United States Global Positioning System (GPS)
and the Russian GLONASS, the applications, accuracy of the position and usage of
the signals are increasing by the day.
Given that GNSS signals are received with very low power, they are prone to
interference events that may reduce the usage or decrease the accuracy. Among these
interference events, the spoofing attack is the one that has drawn major concerns in the
GNSS community. A spoofing attack consists of the transmission of GNSS-like
signals, with the goal of taking control of the receiver and making it compute an
erroneous position and time solution.
In the thesis, we focus on the design and validation of different signal processing
techniques, that aim at detection and mitigation of the spoofing attack effects. These
are standalone techniques, working at the receiver’s level and providing discrimination
of spoofing events without the need of external hardware or communication
links. Four different techniques are explored, each of them with its unique sets of
advantages and disadvantages, and a unique approach to spoofing detection. For
these techniques, a spoofing detection algorithm is designed and implemented, and
its capabilities are validated by means of a set of datasets containing spoofing signals.
The thesis focuses on two different aspects of the techniques, divided as per detection
and mitigation capabilities. Both detection techniques are complementary; their joint
use is explored and experimental results are shown that demonstrate the advantages.
In addition, each mitigation technique is analyzed separately as they require
specialized receiver architecture in order to achieve spoofing detection and mitigation.
These techniques are able to decrease the effects of the spoofing attacks, to the point
of removing the spoofing signal from the receiver and compute navigation solutions
that are not controlled by the spoofer and lead to more accurate end results.
The main contributions of this thesis are: the description of a multidimensional
ratio metric test for distinction between spoofing and multipath effects; the introduction
of a cross-check between automatic gain control measurements and the
carrier to noise density ratio, for distinction between spoofing attacks and other
interference events; the description of a novel signal processing method for detection
and mitigation of spoofing effects, based on the use of linear regression algorithms;
and the description of a spoofing detection algorithm based on a feedback tracking
architecture
Joint Antenna Array Attitude Tracking and Spoofing Detection Based on Phase Difference Measurements
Spoofing attacks are a serious problem for civil GNSS applications with safety content, such as airplane landing or maritime navigation in harbors. Also many strategically important infrastructures, such as electric power grids or mobile communications networks, are becoming increasingly dependent on GNSS services. Military GNSS users solve that problem by signal encryption at chip level. This reduces the threat to meaconing only, i.e. retransmitting the GNSS signals from a certain location, since the exact waveform is unpredictable. Civil users cannot rely on encryption at the moment, nor most likely in the near future. They must be protected by additional techniques, which are able to detect and mitigate spoofing attacks.
A number of receiver-autonomous solutions for the spoofing problem have been proposed in the last decade. For single antenna receivers the detection of spoofing attacks can rely on the observation of the time evolution of different signal parameters such as power and Doppler frequency shift, the PRN code delay and its rates, the correlation function shape as well as the cross-correlation of the signal components at different carrier frequencies. However, the most advanced protection against the sophisticated spoofing attacks can be provided by utilizing the spatial domain for signal processing available by using antenna arrays ([1], [2], [3], [4], [5]). A GNSS receiver with an antenna array is able to estimate the directions of arrival of the impinging waveforms and so to discriminate between the authentic and counterfeit signals. Moreover the malicious signals can be mitigated by generating a spatial zero into the array antenna reception pattern in the direction of the spoofing source(s).
The use of the array-aided joint estimation of the array attitude and spoofing detection was investigated by the authors in [1], [3], [5]. A post-correlation estimation of the signal direction of arrival (DOA) was utilized as the first step of the corresponding signal processing chain. This approach however still suffers from the effects of short-term distortions in the receiver tracking loops and the resulting unavailability of the DOA estimations during the spoofing attack. Two approaches have been identified to overcome this effect. On the one hand, a more accurate direction of arrival detection and antenna calibration can be used. On the other hand, the attitude estimation can be made more robust by skipping the DOA estimation step and using instead directly the post-correlation array outputs in the underlying measurement model, similar to method 2 in [6]. The latter possibility will be exploited throughout the current paper. One of the main challenges here is to design robust and computationally effective attitude estimation when the post-correlation array outputs consist of the superposition of the authentic and counterfeit signals. This problem, for example, is not adequately handled in [6] and [7].
In the aforementioned approaches, the estimation of the actual direction of arrival in terms of (antenna local) azimuth and elevation was done explicitly before the attitude was estimated. The approach presented in the paper will avoid this (computationally expensive) step, by introducing an adequate measurement model. This model connects the measured relative phases between the antenna elements (spatial signature) to the ones expected from the almanac. This interconnection involves the receiver attitude, which is the state to be estimated.
In a second step, the model fit (i.e. residuals of least square fit) is used to detect anomalies. Further processing is done by comparing the spatial signature for different satellites. Contrary to using the cyclic nature of PRN codes to detect the direction in the pre-correlation domain as described in [2], the spatial signature in the post-correlation domain is used. If one dominant direction is present, the likelihood of spoofing or meaconing is considered high. If detected, a second processing stage is triggered, capable of spatially filtering out the spoofer's signature (post-correlation nulling). Finally a second run of the aforementioned procedure is done to estimate the antenna's attitude using a spatially filtered signal. Theoretical results as well as hardware simulations ([8]) show that if a GPS/CA or Galileo receiver already tracks a certain PRN, the likelihood of success is very low for an unsynchronized spoofer. In this context (un)synchronized is related to the PRN's current frequency shift (caused by the Doppler Effect), as well as code delay. The code delay error should not be larger than one chip in general. The tolerable frequency mismatch however, highly depends on the receiver's implementation (i.e. FLL and PLL parameters and stages), but should not be bigger than a few multiples of 50 Hz. A synchronized spoofer or meaconing signal which is turned on when the receiver already tracks the corresponding PRN will be considered in the context of the paper. The described methods will be evaluated using software simulations. Scenarios without spoofing or meaconing are used to demonstrate the attitude estimation. Scenarios with repeaters will be used to demonstrate the two-stage approach with spatial filtering.
[1] M. Meurer, A. Konovaltsev, M. Cuntz, and C. Hättich, “Robust Joint Multi-Antenna Spoofing Detection and Attitude Estimation using Direction Assisted Multiple Hypotheses RAIM,” in Proceedings of the 25th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2012), September 2012, Nashville, TN, USA., 2012.
[2] S. Daneshmand, A. Jafarnia-Jahromi, A. Broumandan, and G. Lachapelle, “A low-complexity GPS anti-spoofing method using a multi-antenna array,” in Proc. ION GNSS 2012, 2012, pp. 1233–1243.
[3] A. Konovaltsev, M. Cuntz, C. Haettich, and M. Meurer, “Autonomous Spoofing Detection and Mitigation in a GNSS Receiver with an Adaptive Antenna Array,” in Proc. ION GNSS+ 2013, 2013, p. 12.
[4] M. Appel, A. Konovaltsev, and M. Meurer, “Robust Spoofing Detection and Mitigation based on Direction of Arrival Estimation,” in Proc. ION GNSS+ 2015, 2015, pp. 3335–3344.
[5] M. Meurer, A. Konovaltsev, M. Appel, and M. Cuntz, “Direction-of-Arrival Assisted Sequential Spoofing Detection and Mitigation,” in ION ITM 2016, 2016.
[6] M. Markel, E. Sutton, and H. Zmuda, “An antenna array-based approach to attitude determination in a jammed environment,” in Proceedings of the 14th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GPS 2001), 2001, pp. 2914–2926.
[7] S. Daneshmand, N. Sokhandan, and G. Lachapelle, “Precise GNSS Attitude Determination Based on Antenna Array Processing,” in Proceedings of the 27th International Technical Meeting of the Satellite Division of The Institute of Navigation, ION GNSS+ 2014, Tampa, Florida, September 8-12, 2014, 2014.
[8] M. Appel, A. Hornbostel, and C. Haettich, “Impact of meaconing and spoofing on Galileo receiver performance,” 7th ESA Workshop on Satellite Navigation Technologies NAVITEC, 2014.
GNSS Vulnerabilities and Existing Solutions: A Review of the Literature
This literature review paper focuses on existing vulnerabilities associated with global navigation satellite systems (GNSSs). With respect to the civilian/non-encrypted GNSSs, they are employed for providing positioning, navigation and timing (PNT) solutions across a wide range of industries. Some of these include electric power grids, stock exchange systems, cellular communications, agriculture, unmanned aerial systems and intelligent transportation systems. In this survey paper, physical degradations, existing threats and solutions adopted in academia and industry are presented. In regard to GNSS threats, jamming and spoofing attacks as well as detection techniques adopted in the literature are surveyed and summarized. Also discussed are multipath propagation in GNSS and non-line-of-sight (NLoS) detection techniques. The review also identifies and discusses open research areas and techniques which can be investigated for the purpose of enhancing the robustness of GNSS.
Security of GPS/INS based On-road Location Tracking Systems
Location information is critical to a wide-variety of navigation and tracking
applications. Today, GPS is the de-facto outdoor localization system but has
been shown to be vulnerable to signal spoofing attacks. Inertial Navigation
Systems (INS) are emerging as a popular complementary system, especially in
road transportation systems as they enable improved navigation and tracking as
well as offer resilience to wireless signal spoofing and jamming attacks. In
this paper, we evaluate the security guarantees of INS-aided GPS tracking and
navigation for road transportation systems. We consider an adversary required
to travel from a source location to a destination, and monitored by an INS-aided
GPS system. The goal of the adversary is to travel to alternate locations
without being detected. We developed and evaluated algorithms that achieve such
goal, providing the adversary significant latitude. Our algorithms build a
graph model for a given road network and enable us to derive potential
destinations an attacker can reach without raising alarms even with the
INS-aided GPS tracking and navigation system. The algorithms render the
gyroscope and accelerometer sensors useless as they generate road trajectories
indistinguishable from plausible paths (both in terms of turn angles and road
curvature). We also designed, built, and demonstrated that the magnetometer can
be actively spoofed using a combination of carefully controlled coils. We
implemented and evaluated the impact of the attack using both real-world and
simulated driving traces in more than 10 cities located around the world. Our
evaluations show that it is possible for an attacker to reach destinations that
are as far as 30 km away from the true destination without being detected. We
also show that it is possible for the adversary to reach almost 60-80% of
possible points within the target region in some cities