GNSS Integrity Monitoring assisted by Signal Processing techniques in Harsh Environments

The Global Navigation Satellite Systems (GNSS) applications are growing and more pervasive in the modern society. The presence of multi-constellation GNSS receivers able to use signals coming from different systems like the american Global Positioning System (GPS), the european Galileo, the Chinese Beidou and the russian GLONASS, permits to have more accuracy in position solution. All the receivers provide always more reliable solution but it is important to monitor the possible presence of problems in the position computation. These problems could be caused by the presence of impairments given by unintentional sources like multipath generated by the environment or intentional sources like spoofing attacks. In this thesis we focus on design algorithms at signal processing level used to assist Integrity operations in terms of Fault Detection and Exclusion (FDE). These are standalone algorithms all implemented in a software receiver without using external information. The first step was the creation of a detector for correlation distortion due to the multipath with his limitations. Once the detection is performed a quality index for the signal is computed and a decision about the exclusion of a specific Satellite Vehicle (SV) is taken. The exclusion could be not feasible so an alternative approach could be the inflation of the variance of the error models used in the position computation. The quality signal can be even used for spoofinng applications and a novel mitigation technique is developed and presented. In addition, the mitigation of the multipath can be reached at pseudoranges level by using new method to compute the position solution. The main contributions of this thesis are: the development of a multipath, or more in general, impairments detector at signal processing level; the creation of an index to measure the quality of a signal based on the detector’s output; the description of a novel signal processing method for detection and mitigation of spoofing effects, based on the use of linear regression algorithms; An alternative method to compute the Position Velocity and Time (PVT) solution by using different well known algorithms in order to mitigate the effects of the multipath on the position domain

GNSS Anti-Spoofing Defense Based on Cooperative Positioning

Radio navigation is of utmost importance in several application fields. Nowadays, many civil and professional applications massively rely on the Global Navigation Satellite System (GNSS) and related technologies to accurately estimate position and time. Existing GNSS-based systems are threatened by malicious attacks among which spoofing and meaconing constitute severe challenges to the receiver. Several of such GNSS systems constitute mass market applications and devices, and a threat to the GNSS receiver could have cascading effects at application levels and for interconnected systems. Networked GNSS receivers are in general ubiquitous because any receiver embedded in a complex system such as a smart device or smart connected cars can exploit network connectivity. This novel generation of valuable-performance GNSS receivers are prone both to standard RF spoofing attacks and to cyber-attacks conceived to hijack complex network based services such as DGNSS-based cooperative positioning. By means of a set of experimental tests, this paper highlights possible metrics to be checked to identify malicious attacks to the positioning and navigation systems in mass market connected devices. The network-based exchange of GNSS data such as GNSS raw measurements recently disclosed in Android smart devices is conceived in this work to offer the possibility to compare or combine such metrics to better identifies spoofing and meaconing attacks

GNSS Spoof Detection Using Passive Ranging

Advances in electronics technology have enabled the creation of malicious RF interference of GNSS signals. For example jamming completely denies the GNSS user of position, navigation, and time (PNT) information. While a serious concern when we expect PNT at all times, current generation GNSS receivers often warn the user when PNT is unavailable. A second threat to GNSS integrity is spoofing, the creation of counterfeit GNSS signals with the potential to confuse the receiver into providing incorrect PNT information. This type of attack is considered more dangerous than a jamming attack since erroneous PNT is often worse than no solution at all. A variety of approaches have been proposed in the literature to recognize spoofing and can vary widely based upon the assumed capabilities and a priori knowledge of the spoofer. One method is to compare the GNSS result to data from a non-GNSS sensor. At the January 2016 ION ITM these authors developed and analyzed a spoof detection algorithm based upon measurements from an active ranging system (distances, but no heading). This paper expands the class of signals viable for this spoofing detection approach to passive ranging; equivalently, to range measurements which depend upon knowledge of precise time (effectively pseudoranges)

Implementation Considerations for ACAS and Simulation Results

The Assisted Commercial Authentication Service (ACAS) is a semi-assisted signal authentication concept currently being defined for Galileo, based on the E6-C encrypted signal. Leveraging the assumption that the true E6-C encrypted signal always arrives before any inauthentic signal, we define user concepts for signal detection, including vestigial signal search. We define three mitigation levels, each level defending against an increasing set of threats, incorporating the described concepts and additional checks. The concepts are analyzed and implemented in a simulation environment, and tested in both nominal conditions and under advanced spoofing attacks. The results suggest that even advanced attacks can be detected and mitigated by ACAS receivers

Intentional control of invasive mobile wireless systems

Within recent years, remotely operated or autonomous drones have been encroaching on the realm of consumer electronics and are beginning to crowd the airspace in populated areas. As such, the number of incidents involving drones has seen a sharp increase and concerns are being raised. In this sense, the current work aims to explore a method which enables spoofing of the Global Positioning System (GPS) many of these devices use to navigate, and thus provide a way to shift them off course and away from the intended areas. The proposed hypothesis is that, by altering the parameters by which GPS receivers correct for clock errors in the navigation systems, it is possible to shift the device’s perceived position in a measurable and easily replicable way. To test this hypothesis, a simulator was developed to test different offsets applied to the clock correction coefficients of a GPS navigation message. The positions resulting from calculations using these altered parameters were then plotted on a map of the surrounding area and analysed. As expected, the positions are effectively and predictably altered according to the offsets applied. In order to validate the results from the simulations, real world tests were conducted using a Software Defined Radio (SDR) platform and an open source GPS Signal Generator which was modified to generate a signal based on the altered data from the simulations. With these tests it was asserted that the spoofed signals were able to consistently cause receivers to miscalculate their positions analogously to the simulations.Recentemente, drones operados remotamente ou de funcionamento autónomo têm surgido no domínio dos produtos eletrónicos para consumidores e começam a popular o espaço aéreo das áreas populacionais. Como tal, o número de incidentes envolvendo estes dispositivos tem sofrido um aumento acentuado. Neste sentido, o presente trabalho visa explorar um método que permita a falsificação dos sinais Global Positioning System (GPS) utilizados por muitos destes dispositivos para navegar, com o intuito de desenvolver uma forma de alterar a sua rota para longe das áreas desejadas. A hipótese em estudo é a de que, alterando os parâmetros usados pelos recetores GPS para corrigir erros de relógio nos sistemas de navegação, é possível alterar a posição calculada pelo dispositivo de uma forma mensurável e facilmente replicável. Para testar esta hipótese, foi desenvolvido um simulador que permite testar diferentes desvios aplicados aos valores dos coeficientes de correção do relógio presentes nas mensagens de navegação GPS. As posições resultantes de cálculos dependentes destes parâmetros foram depois traçadas num mapa da área circundante e analisadas. Como esperado, as posições são eficaz e previsivelmente alteradas de acordo com os desvios aplicados. Por forma a validar os resultados das simulações, foram realizados testes físicos usando uma plataforma de Software Defined Radio (SDR) e um gerador de sinais GPS open source que foi modificado para gerar sinais com base nos dados alterados das simulações. Estes testes sustentam a hipótese de que os sinais falsificados são capazes de provocar, consistentemente, a deteção errónea de posições por parte dos recetores de forma análoga à das simulações

Assessing spoofing of GPS systems

Lately, plenty of self navigation vehicles have been developed, as drones, or in the future, self driving cars. However, it has become easier to forge radionavigation signals, which can be a problem. With the growing risk of this threat, there has to be way to solve it and this thesis goal is to study various ways to mitigate this problem. For this effect, an u-blox evk-m8t GNSS (Global Navigation Satellite System) receiver was used, which is capable of returning raw unprocessed data from radio navigation signals. A raspberry pi was also used to analyze the data. This is not a linear problem, since each spoofer is unique, it is necessary to pay attention to transitions, comparing old with new data. Since each scenario is a different scenario, the variations will be observed in order to try to find a variation pattern. These variations will be tested in a neural network in order to find if it is viable to detect forged signals this way. Spoofing as a whole also has specific variations that should not be there, the unstable clock variation is the most influenceable factor. This work managed to conclude that it is possible to implement a calibration algorithm that is able to detect patterns in forged signals and distinguish them from legitimate signals. Forged signals, normally, are more incoherent in variations of signal properties and its functioning as a whole, for example, the position that would be calculated by removing a satellite from the equation. These signals also present unpredicted variations in the clock delay.Ultimamente tem havido bastante desenvolvimento de viaturas que se deslocam automaticamente por sinais de radionavegação, como por exemplo drones ou, futuramente, carros autopilotados. No entanto, também é cada vez mais fácil forjar sinais de radionavegação, o que pode vir a ser um problema. Com o crescimento desta ameaça também tem de haver uma preocupação em preveni-la e o objetivo desta dissertação é estudar formas de mitigar este problema. Para tal, foi usado um receptor de GNSS (Global Navigation Satellite System), u-blox evk-m8t, capaz de devolver dados brutos retirados da leitura dos sinais sem qualquer tipo de processamento. De maneira a analisar os dados foi usado um raspberry pi. Este problema não é linear, visto que cada spoofer tem a sua especifidade, é necessário prestar atenção às transições comparando dados antigos com recentes. Como cada cenário é diferente, as variações vão ser observadas de modo a tentar encontrar um padrão de variações. Estas variações serão testadas numa rede neuronal de modo a encontrar sinais falsificados. Falsificação de sinais como um todo apresenta variações especificas que não deviam lá estar, a variação instável do relógio é o fator mais influenciável. Este trabalho conseguiu concluir que é possível implementar um algoritmo de calibração que consegue detetar padrões em sinais ilegítimos e distingui-los de sinais legítimos. Os sinais falsificados normalmente são mais incongruentes no que toca a variações de propriedades de sinal e no seu funcionamento como um todo, como por exemplo a posição que seria calculada retirando um satélite da equação. Estes sinais também apresentam variações não previstas no atraso de relógio

A Low Cost Mass-Market Deployable Security Approach Against GPS Spoofing Attacks

The Global Positioning System (GPS) is used ubiquitously for navigation and timing synchronization purposes. Many telecommunication, finance and aviation systems rely heavily on GPS information for routine operations. GPS functions by relying on satellites orbiting the earth in very accurately predictable orbits, which are used as references to identify the positions of objects (receivers). Receivers calculate their positions by receiving GPS signals and calculating their relative distances to each of the satellites. With enough relative distances, the receiver can resolve its position using the method known as trilateration [1]. In this thesis, we underline the vulnerability of this orbiting infrastructure to spoofing attacks, by easily procurable and affordable software defined radios. GPS Signal spoofing is a type of malicious attack, where an attacker generates fake GPS signal with valid GPS properties but false navigational and/or timing information to fool non-suspecting receivers. These signals appear authentic and receivers end up processing the false signal and extracting wrong information. There are two types of GPS services, civilian and military. The military service is encrypted and not vulnerable to such attacks because the pseudorandom codes are not disclosed to the public. However, this service is accessible to authorized military personnel alone. All other commercial and public GPS receivers which form the mass of the population are vulnerable to spoofing attacks. The civilian GPS broadcast band is not encrypted, and this makes it easy for an attacker to recreate the signal that appears valid to GPS receivers. In this thesis we implement a low cost, easy for mass-market application Doppler measurement based spoofing detection approach, utilizing non-specialized off the shelf commercial receivers

GNSS Vulnerabilities and Existing Solutions:A Review of the Literature

This literature review paper focuses on existing vulnerabilities associated with global navigation satellite systems (GNSSs). With respect to the civilian/non encrypted GNSSs, they are employed for proving positioning, navigation and timing (PNT) solutions across a wide range of industries. Some of these include electric power grids, stock exchange systems, cellular communications, agriculture, unmanned aerial systems and intelligent transportation systems. In this survey paper, physical degradations, existing threats and solutions adopted in academia and industry are presented. In regards to GNSS threats, jamming and spoofing attacks as well as detection techniques adopted in the literature are surveyed and summarized. Also discussed are multipath propagation in GNSS and non line-of-sight (NLoS) detection techniques. The review also identifies and discusses open research areas and techniques which can be investigated for the purpose of enhancing the robustness of GNSS

다양한 교란 시나리오를 이용한 GNSS 수신기 성능 분석에 대한 연구

학위논문(박사)--서울대학교 대학원 :공과대학 기계항공공학부,2020. 2. 기창돈.The security and safety aspects of global navigation satellite systems have been receiving significant attention from researchers and the general public, because the use of GNSS has been increasing in modern society. In this situation, the importance of GNSS safety and security is also increasing. The most dangerous type of interference is a spoofing because if the receiver captures a spoofing signal, the navigation solution can be controlled by the spoofer. In this paper, I analyzed the characteristics of the main spoofing parameters that determines the success or failure of spoofing process when the spoofing signal is injected into the receiver. I also proposed a CCEE. It determines the spoofing result according to the various spoofing parameter. Also the correlation between spoofing parameters could be explained by estimating the boundary value and line using CCEE. In addition, spoofing success and failure could be distinguished in the spoofing parameter space using CCEE results. When the covert capture is performed at the receiver, the two correlation peaks of authentic and covert capture signals are generated on the code domain. The relative velocity (Doppler difference value) of the two signal peaks determines the time of total spoofing process. In general, the timing at which the DLL tracking lock point is switched from the authentic signal to the spoofing signal is different according to the visible satellite. This raises the value of WSSE. In order to minimize this, the spoofing should be performed in a short time by determining the optimal sweep direction. In a 3D situation, triangles are defined using a particular visible satellites, and the circumcenter direction of the triangle on the victim becomes the optimal direction, and the relative speed of the authentic and the covert capture signal for the visible satellite be maximized on the optimal covert capture direction. To simulate the proposed methods, we defined the covet capture scenarios and generated the IF data to simulate the intended scenarios. Then, using the corresponding IF data, signal processing was performed through SDR. Through this, it was confirmed that the spoofing is successfully performed as intended scenarios through the optimal spoofing parameters generated through CCEE, and the covert capture process time is noticeably minimized through the optimal sweep direction.GNSS는 점점 활용범위가 확장되고 있고, 현재는 대체불가능한 시스템이 되었다. 이런 상황에서 GNSS의 안전 및 보안의 중요성 또한 크게 증가하고 있다. 본 논문에서는 GNSS의 보안에 가장 위협이 되는 기만에 대해서, 기만 신호가 수신기에 주입되었을 때 수신기의 ACF가 어떻게 변화되어 가며 기만 공격을 결정하는 주된 기만파라미터들의 특징에 대해서 분석을 진행하였다. 그리고 기만 신호에 따른 기만 결과를 결정하는 CCEE를 제안하고, 이를 통해서 기만파라미터들의 상관관계에 대해서 분석하였다. 기존에는 무수히 반복된 계산을 통해서 판단 가능한 기만 결과를 CCEE를 통해 한번의 계산으로 결과를 확인하도록 하였다. 또한 CCEE를 이용하여 경계 값과 경계 라인을 정의함으로써, 기만파라미터 공간에서 기만 성공과 실패를 구분할 수 있음이 확인되었다. 수신기에서 기만이 수행될 때, 코드도메인상에서 replica와 cross correlation에 의한 원신호와 기만신호 각각의 correlation peak가 생성된다. 두 신호 peak의 상대속도가 기만이 수행되는 시간을 결정한다. 일반적으로 기만이 수행되는 동안, 각 채널간 DLL tracking lock 지점이 원신호에서 기만신호로 전환되는 시점이 다르다. 이로 인해서 WSSE의 값이 상승하게 된다. 이를 최소화하기 위해서, 최적 기만 sweep 방향을 결정함으로써 빠른 시간에 기만을 수행할 수 있음을 확인하였다. 3D 상황에서 특정 가시위성를 이용하여 삼각형을 정의하고, 해당 삼각형의 외심 방향이 최적 방향이 되며, 해당 방향이 기만 수행이 가장 늦게 되는 가시위성에 대한 원신호와 기만신호의 상대속도가 최대가 되는 방향임을 확인하였다. 제안된 방법들을 모사하기 위해서, 기만시나리오를 정의하고, 해당 기만시나리오를 모사하는 IF data를 생성하였다. 그리고, 해당 IF data를 이용하여, SDR을 통해서 신호 처리를 진행하였다. 이를 통해, CCEE를 적용하여 생성한 최적 기만파라미터로 기만이 의도된 데로 수행이 되며, optimal 방향을 통해 기만수행시간이 최소화 됨을 확인하였다.Chapter 1. Introduction 1 1.1. Research Motivation １ 1.2. Related research ２ 1.3. Outline of the Dissertation ４ 1.4. Contributions 5 Chapter 2. Background ７ 2.1. GPS receiver fundamental ７ 2.1.1. GPS signal structure ７ 2.1.2. Signal processing structure of GPS receiver ９ 2.1.3. Signal acquisition １０ 2.1.4. Signal tracking １１ 2.1.5. Navigation Message Decoding １４ 2.1.6. Pseudorange model and range calculation １６ 2.2. GNSS interferences and attack strategies １９ 2.2.1. Types of GNSS interferences １９ 2.2.2. Interference attack strategies ２１ Chapter 3. Covert Capture Effectiveness Equation ２６ 3.1. Authentic and spoofing signal ACF model ２６ 3.2. Spoofing scenario simulation using ACF model ３０ 3.3. Development of spoofing process equation ３３ 3.3.1. conventional approach for tau calculation ３３ 3.3.2. proposed approach for τ calculation ３４ 3.3.3. Spoofing attack success or failure criteria ３７ 3.3.4. Derivation of SPE ４４ 3.4. Analysis of CCEE simulation results ４９ 3.4.1. CCEE performance analysis ４９ 3.4.2. Determination of boundary line and surface using SPE ５３ Chapter 4. Optimal sweep direction of covert capture signal ５８ 4.1. Maximum Doppler difference value ５８ 4.2. Optimal covert capture direction in 2D case ６２ 4.3. Optimal covert capture direction in 3D case ６８ 4.4. Optimal covert capture direction using optimization method ７１ Chapter 5. Covert capture simulation using software defined receiver ７３ 5.1. Implementation of GNSS measurement and IF data generation simulator ７３ 5.1.1. Pseudorange model ７３ 5.1.2. Simulator structure ７４ 5.1.3. Signal amplitude calculation in spoofing scenario ７５ 5.2. CCEE simulation in SDR ８１ 5.2.1. Compensation value calculation for covert capture ８４ 5.2.2. Compensation value calculation for covert capture ８５ 5.3. Optimal covert capture direction simulation in SDR ９２ Chapter 6. Changing the user's trajectory using covert capture signal ９５ Chapter 7. Conclusions and future works １０２ 7.1. Conclusions １０２ 7.2. Future works １０３ Capture 8. Reference １０４Docto