ION/GNSS 2011, 23 Sept. 2011
Mark L. Psiaki
Sibley School of Mechanical & Aerospace Engr., Cornell University
Developing Defenses Against Jamming & Spoofing of Civilian GNSS Receivers
ION/GNSS Sept. ‘11 2 of 11
Approach of an Estimation Theorist: Reductionist Problem Solving
Problem Givens:
- Spoofers & jammers will be deployed against civilian GNSS receivers (mostly GPS at present)
- GNSS signal structures will not be modified to aid defenses
- Likely jammers can be bought & studied
- Likely spoofers can be designed/imagined/modeled
Strategies for Developing Defenses:
- Jamming:
  - Acquire, examine, test, & characterize jammers
  - Design detection, localization, & mitigation systems for known jammers (like computer anti-virus software)
- Spoofing:
  - Exploit encrypted military signals & known timing/phasing relative to defended civilian signals
Jamming Mitigation Strategies
Detection & localization
- Deploy networked array of advanced GNSS receivers in defended region
  - Each node is small phased-array; beam steering allows GPS tracking under jamming
  - Example: on every New Jersey State police car near Newark Airport
- Detection & localization strategies
  - Solve layered sequence of problems
    - 1st detect
    - 2nd rough-locate based on power at several nodes, simple algorithms
    - 3rd fine-locate based on multi-node carrier-phase interferometry or TDOA to within meters – exploit fine-scale correlations between multiple nodes & precise inter-receiver timing from GPS
    - 4th interdict
  - Develop scalable algorithms with potential to deal with 100 or more jammers simultaneously
Receiver-based mitigation
- Simultaneous frequency/time excision
- Pose as Kalman-filter-based estimation problem & near/far signal reception problem
Requisite information:
- Jammer time/frequency models enable efficient/accurate detection & localization
- Generalized model-independent detection, localization, & mitigation for new/unknown jammer types
  - Like computer anti-virus software that looks for unknown viruses based on suspicious characteristics/behavior
Power & Spectral Time Evolution of a Cigarette-Lighter-Type Jammer *
* from Mitch et al. “Signal Characteristics of Civil GPS Jammers”, ION/GNSS 2011
Jammer Effective Ranges from Attenuation Tests *
[Test setup diagram; labels: Faraday Box, Victim Receiver, GPS Signal Simulator, Signal Combiner]
* from Mitch et al. “Signal Characteristics of Civil GPS Jammers”, ION/GNSS 2011
Future Issues in Jammer Detection & Localization
How can one exploit frequency-sawtooth structure of many known low-budget jammers…
- … in detection?
- … in fine localization?
- … in receiver mitigation? (Kalman-filter-based coupled time/frequency excision?)
- … in an environment with many such jammers?
Spoofing Detection via P(Y) Correlation *
[System diagram; elements:]
- GPS Satellite
- Secure antenna/receiver w/processing to estimate P(Y) features (or a single antenna or a distributed set of single-antennas)
- Secure uplink of delayed, digitally-signed P(Y) features
- GEO "bent-pipe" transceiver
- Transmitter of delayed, digitally-signed P(Y) features
- Broadcast segments of delayed, digitally-signed P(Y) features
- UE with
  - receiver for delayed, digitally-signed P(Y) features
  - delayed processing to detect spoofing via P(Y) feature correlation
* from Psiaki et al. “Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals”, ION/GNSS 2011
Block Diagram of Generalized P(Y) Correlation Spoofing Detector
[Block diagram; labels:]
- GPS transmitter
- New Infrastructure:
  - Secure ground-based antenna/receiver
  - Digital signer
  - Secure link to broadcaster
  - Wireless (or internet) broadcaster
- User Equipment:
  - UE receiver with P(Y)fea extraction processing
  - UE receiver (or internet link) for P(Y)fea
  - Digital signature verifier
  - Correlation registers
  - Spoofing Detector
- Signal labels: L1 C/A & P(Y); P(Y)fea; P(Y)fea/est
Early Codeless Spoofing Attack Detection *
[Plot: gammas vs. Ithaca Receiver Time (sec), 0 to 250 sec. Legend: PRN 13 gamma detection statistic; PRN 13 predicted gamma mean; PRN 13 spoofing detection threshold; PRN 23 gamma detection statistic; PRN 23 predicted gamma mean; PRN 23 spoofing detection threshold]
Plot annotations:
- Onset of spoofing attack
- Build-up of significant spoofed C/A code-phase error
- Successful detection of PRN 13 spoofing when solid blue detection statistic crosses below dashed green threshold
- Successful determination that PRN 23 remains reliable because solid turquoise detection statistic never crosses below dashed brown threshold
* from Psiaki et al. “Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals”, ION/GNSS 2011
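A toy model of the threshold test annotated on this plot, added here as an illustration and not taken from Psiaki et al.: a reference receiver and the UE both sample the same encrypted P(Y) chips, their cross-correlation gamma is compared with a threshold set below its predicted no-spoofing mean, and gamma collapses once the spoofed signal (which lacks the true P(Y) component) takes over. The signal model (±1 chips, unit-variance Gaussian noise, amplitudes a_ref and a_ue, the k-sigma threshold rule) and all function names are assumptions, and the samples are constructed.

```python
import math
import random

def simulate_window(rng, n, a_ref, a_ue, spoofed):
    """Constructed samples for one window: (reference P(Y) features, UE quadrature samples)."""
    ref, ue = [], []
    for _ in range(n):
        chip = rng.choice((-1.0, 1.0))  # encrypted chip: unknown to receivers and spoofer
        ref.append(a_ref * chip + rng.gauss(0.0, 1.0))
        # A spoofed signal carries no true P(Y) component, so the UE sees noise only.
        ue.append((0.0 if spoofed else a_ue * chip) + rng.gauss(0.0, 1.0))
    return ref, ue

def gamma_statistic(ref, ue):
    """Cross-correlation of the two receivers' samples over one window."""
    return sum(r * u for r, u in zip(ref, ue))

def predicted_mean_and_threshold(n, a_ref, a_ue, k_sigma):
    """No-spoofing prediction for gamma and the detection threshold below it."""
    mean = n * a_ref * a_ue
    # Per-sample variance of the product with unit-variance noise in both receivers.
    sigma = math.sqrt(n * (a_ref ** 2 + a_ue ** 2 + 1.0))
    return mean, mean - k_sigma * sigma

def run_detector(windows=8, onset=4, n=20000, a_ref=0.5, a_ue=0.3, k_sigma=5.0, seed=2011):
    """Return one spoofing flag per window; the simulated attack starts at window `onset`."""
    rng = random.Random(seed)
    _, threshold = predicted_mean_and_threshold(n, a_ref, a_ue, k_sigma)
    flags = []
    for w in range(windows):
        ref, ue = simulate_window(rng, n, a_ref, a_ue, spoofed=(w >= onset))
        # Spoofing is declared when gamma drops below the threshold.
        flags.append(gamma_statistic(ref, ue) < threshold)
    return flags

if __name__ == "__main__":
    print(run_detector())
```

The amplitudes are far larger than a real P(Y) signal relative to noise, chosen so a short window separates the two cases cleanly.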
Early Semi-Codeless Spoofing Attack Detection *
[Plot: gammas vs. Receiver A Time (sec), 0 to 250 sec. Legend: gamma detection statistic; predicted gamma mean; spoofing detection threshold; a priori predicted gamma mean; a priori spoofing detection threshold]
Plot annotations:
- Onset of spoofing attack
- Build-up of significant spoofed C/A code-phase error
- Successful detection of spoofing when dashed green threshold crosses above solid blue detection statistic
* from Psiaki et al. “Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals”, ION/GNSS 2011
Future Issues in Defense Against Spoofing Attack
Real-time implementation
- Codeless possible in 6-12 months w/internet transmission
- Semi-codeless needs improved algorithmic efficiency for real-time ops
Infrastructure
- Capable & secure reference receivers
- Help from military (declassify segments of P(Y) shortly after broadcast?)
- Comm. infrastructure to transmit P(Y) data between receivers
Defense against alternate attack scenarios
- Sophisticated attack may seek to use pseudo- or estimated P(Y) code
- Gaming analysis may guide designs that detect new attack types
Other signals
- M-code to defend GPS civilian codes
- Encrypted Galileo signals to defend open-source Galileo codes
Post-detection receiver actions