ION/GNSS 2011, 23 Sept. 2011

Mark L. PsiakiSibley School of Mechanical & Aerospace Engr., Cornell University

Developing Defenses Against Jamming & Spoofing of Civilian GNSS Receivers

ION/GNSS Sept. ‘11 2 of 11

Approach of an Estimation Theorist:Reductionist Problem Solving Spoofers & jammers will be deployed against civilian GNSS

receivers (mostly GPS at present) GNSS signal structures will not be modified to aid defenses Likely jammers can be bought & studied Likely spoofers can be designed/imagined/modeled

Strategies for Developing Defenses:

Problem Givens:

Jamming: Acquire, examine, test, & characterize jammers Design detection, localization, & mitigation systems for known jammers

(like computer anti-virus software) Spoofing:

Exploit encrypted military signals & known timing/phasing relative to defended civilian signals

ION/GNSS Sept. ‘11 3 of 11

Jamming Mitigation Strategies Detection & localization

Deploy networked array of advanced GNSS receivers in defended region Each node is small phased-array; beam steering allows GPS tracking under jamming Example: on every New Jersey State police car near Newark Airport

Detection & localization strategies Solve layered sequence of problems 1st detect 2nd rough-locate based on power at several nodes, simple algorithms 3rd fine-locate based on multi-node carrier-phase interferometry or TDOA to within meters –

exploit fine-scale correlations between multiple nodes & precise inter-receiver timing from GPS 4th interdict Develop scalable algorithms with potential to deal with 100 or more jammers simultaneously

Receiver-based mitigation Simultaneous frequency/time excision Pose as Kalman-filter-based estimation problem & near/far signal reception problem

Requisite information: Jammer time/frequency models enable efficient/accurate detection & localization

Generalized model-independent detection, localization, & mitigation for new/unknown jammer types

Like computer anti-virus software that looks for unknown viruses based on suspicious characteristics/behavior

Power & Spectral Time Evolution of a Cigarette-Lighter-Type Jammer *

ION/GNSS Sept. ‘11 4 of 11

* from Mitch et al. “Signal Characteristics of Civil GPS Jammers”, ION/GNSS 2011

Jammer Effective Ranges from Attenuation Tests *

FaradayBox

VictimReceiver

GPSSignal

SimulatorSignalCombiner

ION/GNSS Sept. ‘11 5 of 11

* from Mitch et al. “Signal Characteristics of Civil GPS Jammers”, ION/GNSS 2011

Future Issues in Jammer Detection & Localization How can one exploit frequency-sawtooth

structure of many known low-budget jammers… in detection?

… in fine localization?

… in receiver mitigation? (Kalman-filter-based coupled time/frequency excision?)

… in an environment with many such jammers?

ION/GNSS Sept. ‘11 6 of 11

ION/GNSS Sept. ‘11 7 of 11

UE with - receiver for delayed,

digitally-signed P(Y) features

- delayed processing to detect spoofing via P(Y) feature correlation

Spoofing Detection via P(Y) Correlation *

Secure antenna/receiver w/processing to estimate P(Y) features (or a single antenna or a distributed set of single-antennas)

GPS Satellite

Transmitter of delayed, digitally-

signed P(Y) features

GEO “bent-pipe”transceiver

Broadcast segments of delayed, digitally-signed P(Y) features Secure uplink of

delayed, digitally-signed P(Y) features

* from Psiaki et al. “Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals”, ION/GNSS 2011

ION/GNSS Sept. ‘11 8 of 11

Block Diagram of Generalized P(Y) Correlation Spoofing Detector

GPStransmitter

UE receiver with P(Y)fea extraction

processing

Secure ground-based

antenna/ receiver

Digital signer

Secure link to broadcaster

Wireless(or internet) broadcaster

UE receiver (or internet link) for P(Y)fea

Correlation registers

Digital sig-nature verifier

Spoofing Detector

L1 C/A& P(Y)

P(Y)fea

P(Y)fea

P(Y)fea/est

User Equipme

nt

New Infrastructure

ION/GNSS Sept. ‘11 9 of 11

Early Codeless Spoofing Attack Detection *

0 50 100 150 200 250-4

-2

0

2

4

6

8

10

12

14

Ithaca Receiver Time (sec)

gam

ma s

PRN 13 gamma detection statisticPRN 13 predicted gamma meanPRN 13 spoofing detection thresholdPRN 23 gamma detection statisticPRN 23 predicted gamma meanPRN 23 spoofing detection threshold

Successful determination that PRN 23 remains reliable because solid turquoise detection statistic never

crosses below dashed brown threshold

Onset of spoofing attack

Successful detection of PRN 13spoofing when solid blue detection

statistic cross below dashed green threshold

Build-up of significant spoofedC/A code-phase error

* from Psiaki et al. “Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals”, ION/GNSS 2011

Early Semi-Codeless Spoofing Attack Detection *

ION/GNSS Sept. ‘11 10 of 11

0 50 100 150 200 250-50

0

50

100

150

200

250

300

350

400

Receiver A Time (sec)

gam

ma s

gamma detection statisticpredicted gamma meanspoofing detection thresholda priori predicted gamma meana priori spoofing detection threshold

Onset of spoofing attack

Successful detection of spoofingwhen dashed green threshold crossesabove solid blue detection statistic

Build-up of significant spoofedC/A code-phase error

* from Psiaki et al. “Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals”, ION/GNSS 2011

Future Issues in Defense Against Spoofing Attack

Real-time implementation Codeless possible in 6-12 months w/internet transmission Semi-codeless needs improved algorithmic efficiency for real-time ops

Infrastructure Capable & secure reference receivers Help from military (declassify segments of P(Y) shortly after broadcast?) Comm. infrastructure to transmit P(Y) data between receivers

Defense against alternate attack scenarios Sophisticated attack may seek to use pseudo- or estimated P(Y) code Gaming analysis may guide designs that detect new attack types

Other signals M-code to defend GPS civilian codes Encrypted Galileo signals to defend open-source Galileo codes

Post-detection receiver actions

ION/GNSS Sept. ‘11 11 of 11