Effectiveness of GNSS Spoofing Countermeasure Based on Receiver CNR Measurements

Hindawi Publishing Corporation, International Journal of Navigation and Observation, Volume 2012, Article ID 501679, 9 pages, doi:10.1155/2012/501679

Research Article

J. Nielsen, V. Dehghanian, and G. Lachapelle

Position Location and Navigation Group, University of Calgary, Calgary, AB, Canada T2N 1N4

Correspondence should be addressed to V. Dehghanian, vdehghan@ucalgary.ca

Received 2 January 2012; Revised 4 May 2012; Accepted 30 May 2012

Academic Editor: Dennis M. Akos

Copyright © 2012 J. Nielsen et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

A perceived emerging threat to GNSS receivers is posed by a spoofing transmitter that emulates authentic signals but with randomized code phase and Doppler over a small range. Such spoofing signals can result in large navigational solution errors that are passed onto the unsuspecting user with potentially dire consequences. In this paper, a simple and readily implementable processing rule based on CNR estimates of the correlation peaks of the despread GNSS signals is developed expressly for reducing the effectiveness of such a spoofer threat. Consequently, a comprehensive statistical analysis is given to evaluate the effectiveness of the proposed technique in various LOS and NLOS environments. It is demonstrated that the proposed receiver processing is highly effective in both line-of-sight and multipath propagation conditions.

1. Introduction

GNSS satellites are approximately 20,000 km away and transmit several watts of signal power such that at the ground level, the power output of a 3-dB gain linearly polarized antenna is nominally −130 dBm [1]. As such, a modest jammer can easily disrupt GNSS signals by increasing the noise floor, making the acquisition of GNSS signals rather difficult. A high processing gain based on a long integration time is one of the possible countermeasures to overcome a noise jammer. Nevertheless, if the GNSS receiver undergoes random motion and is subjected to multipath fading as in a typical urban environment, then the channel decorrelates quickly such that attaining such large processing gains to overcome the jamming is not feasible. However, the noise jammer is at least detectable as the spectral power in the affected GNSS receiver band will be abnormally high. Hence, the jammer can deny service but the user is aware of being jammed, limiting the damage potential of the jammer. Also the jammer is relatively easy to locate with radio direction finding and to potentially disable as its spectrum is significantly larger than the ambient noise [2, 3].

A more insidious threat is the standoff spoofer which broadcasts a set of replicas of the authentic SV signals currently visible to the mobile GNSS receiver [2]. The unaware receiver computes the navigation solution based on these counterfeit signals which are passed on to the user as being reliable with potentially damaging consequences. GNSS-based location estimates that are inaccurate but assumed to be accurate are potentially more damaging to the user than in the jamming case where at least the user knows that the service is temporarily unavailable. As the receiver processing gain used for suppressing the jammer is not applicable in the case of the spoofer signal, the spoofer transmit power can be orders of magnitude less than that of the noise jammer. This makes the spoofer signal much more difficult to locate and disable.

There are essentially two categories of spoofer threats envisioned. The first is the self-intentional spoofer that provides the user a means of compromising its GNSS position. An example is a fishing vessel wishing to enter prohibited areas undetected by a GNSS-based monitoring system. A collocated spoofer could provide counterfeit signals to fabricate navigation solution that falls outside the prohibited area [4, 5]. Another example is that of an offender required to wear a mandatory GNSS tracker to ensure compliance with travel restrictions [2].

The second type of spoofers is the standoff spoofer (SS) that could be used in urban areas for malicious purposes ranging from sporadic disruptive hacking to sophisticated organized terrorist activities. The SS is illustrated in Figure 1 which covers a target area as a sector of an annulus ring. Multiple SS devices could potentially be used to collectively cover a given area such as an urban downtown core. Based on this, the perceived spoofer threat is a network of terrestrial SSs that can cause widespread disruption of GNSS-based location services in dense urban areas.

Figure 1: Standoff Spoofer (SS) illuminating a target area which is a sector of an annulus extending from $R_1$ to $R_2$.

The SS is of interest in this paper specifically for the scenario of a terrestrial transmitter source that broadcasts replicas of the GNSS signals that are visible in the target area illustrated in Figure 1. Disruption of GNSS services in the target area is achieved by randomly modulating the code phase over a small region of the overall Code-Delay Space (CDS) that is commensurate with the target area. Therefore, at least two correlation peaks will be observed in the CDS. An unsuspecting receiver detects the larger of the correlation peaks which can belong to the spoofer signal. The code phase and the Doppler associated with the spoofer signal are then passed onto the tracking segment and consequently a false navigation solution is generated.
Note that, while the target area depicted in Figure 1 has hard boundaries, such boundaries are generally blurry and not well defined. The effectiveness of the SS is considered to drop off outside the depicted annulus sector region with vague boundaries between radii $R_1$ and $R_2$. In a typical scenario, $R_1$ and $R_2$ are envisioned to be of the order of about 500 m and 2 km such that each SS covers an area of several square kilometres. A modest network of SS devices can then adequately cover a downtown core area. However, for sake of simplicity, only a single isolated SS will be considered in this paper.

The SS is assumed to remain synchronized with currently visible GNSS signals and then synthesize a set of GNSS signals corresponding to the target area. The objective of the SS is not to synthesize a specific counterfeit location for a specific GNSS receiver within the target area. This is not possible as the location of the GNSS receiver is not known to the SS. Furthermore, the objective of the SS is disruption over the general target area rather than affecting specific receivers. As such, the SS transmission signal synthesis does not have to be overly sophisticated. It matches the Doppler offset of the replicated SV signals and adjusts the code phase such that it is commensurate with the intended target region. Note that an urban area is a primarily non-line-of-sight (NLOS) multipath channel. Therefore, the Doppler spectrum as perceived by the GNSS receiver will be spread by an amount commensurating with the magnitude of the receiver velocity but will not be sensitive to direction. Hence, other than the deterministic Doppler offset of the SV to stationary ground-based receiver, no further modulation of the Doppler is required by the SS to ensure a plausible counterfeit signal. The typical handheld consumer GNSS receiver coherently integrates the signal for about 10 to 20 ms. Based on this, the correlation peak in the CDS will have a spread in Doppler of about 100 Hz which is commensurate with the Doppler spread of typical urban traffic (<50 km/hr) [6]. Even if the GNSS receiver is equipped with other inertial means such that the receiver velocity vector is known, this cannot be used to discriminate the SS signal as multipath Doppler spreading occurs for both the SS and the authentic signals.

The code phase of the SS transmissions matches the nominal code phase of the authentic GNSS signals in the target area. Note that the target area is limited to one or two kilometres and hence, the code phase only differs by several chips from one extreme of the target area to the other. For example, in a 90-degree sector with $R_1 = 500$ m and $R_2 = 1500$ m, the average spread is only about four chips. The SS generated code phase will correspond to a random location within the target area generated by slowly and randomly modulating the code phase over a small domain commensurating with the dimensions of the target area. Note that a sophisticated GNSS receiver can potentially discriminate against the SS signal based on the code phase corresponding to an outlier navigation solution. However, as the target region is not very large, the counterfeit SS navigation solutions will be plausible and cannot be easily dismissed as outliers. Furthermore, the typical consumer grade GNSS unit does not possess processing to track multiple candidate navigation solutions let alone discriminate plausible outliers. Also, receiver autonomous integrity monitoring (RAIM) and fault detection and exclusion (FDE) are not effective in detecting such navigationally consistent spoofing signals [4]. Finally, it should also be mentioned that typically GNSS receivers tethered to a wireless data service provider will typically provide the user with an aided GNSS (AGNSS) service, significantly reducing the CDS corresponding to a physical area of several square kilometres [7]. Hence, there is a diminishing gain for the spoofer attempting to affect an area larger than this.

As stated earlier, current consumer-grade receivers are equipped with RAIM and FDE which are not effective in mitigating the navigationally consistent spoofing attacks. A more sophisticated countermeasure to the SS with a random code delay modulation is to carefully track all combinations of possible navigation solutions and then dismiss solutions that are less likely based on tracking records spanning several tens of seconds up to the current time. This solution likelihood can be augmented with the use of ancillary sensors and other prior knowledge or belief maps [8]. However, the consumer-grade GNSS receivers considered herein are assumed not to possess this level of sophistication. Rather, the objective is to address a computationally efficient processing method that can be added to relatively unsophisticated consumer grade GNSS receivers and that will be effective in discriminating against the SS. Such processing is based on the received carrier-to-noise ratio (CNR) measurements of the received GNSS signals. CNR measurement is an integrated part of all GNSS receivers as the navigation algorithm heavily relies on determining the weight of the observables based on measuring the instantaneous CNR. A simple discriminant is that if the CNR is implausibly high then an SS is suspected. Such processing is easily implemented with essentially minor firmware changes to the receiver or an in-line filter component [2]. However, there is the question of how to optimally set the threshold used for CNR comparison. The optimum threshold is easily determined and justified for LOS propagation with a known antenna gain and orientation. However, for a handheld unit operating in an urban canyon with a compromised multiband antenna that is randomly oriented and potentially shadowed, setting the optimum threshold is no longer deterministic nor trivial. Optimization is necessarily based on a statistical analysis, which is the focus of this paper.

The rest of the paper is organized as follows. In Section 2, the system definition and simplifying assumptions are given. A difficulty encountered with the statistical assessment of the SS effectiveness is the plethora of disparate parameters and plausible scenarios encountered. For this paper, a constrained set of idealized parameters and assumptions is necessary to obtain fundamental insights. In Section 3, the effectiveness of the SS and the receiver countermeasures is considered for a variety of LOS and NLOS scenarios. Section 3.5 relates these findings to the plausible physical coverage range of the SS. Finally, Section 4 states the major conclusions.

2. System Description and Assumptions

The performance of spoofer detection based on a threshold applied to the CNR in conjunction with a simple decision rule is analyzed for various propagation conditions. To do this in a comprehensive manner that is not obscured by details, it is necessary to use simplifying assumptions and constraints. While these may erode generality, the benefit is a set of insights gained that are applicable to less idealized and more realistic scenarios.

It is assumed that the GNSS receiver performs a reduced search over the CDS based on traditional despreading correlation processing for each candidate GNSS signal that is potentially visible to the receiver. Assuming that both the authentic and SS signals are present at the receiver for a given despread GNSS signal, the outcome is a set of two correlation peaks corresponding to the spoofer and the authentic signal. The complex amplitude of the authentic and spoofer correlation peaks is represented as

$$x_a = \sqrt{\rho_{a0}}\, h_a + w_a, \qquad x_s = \sqrt{\rho_{s0}}\, h_s + w_s, \tag{1}$$

where $\rho_{a0}$ and $\rho_{s0}$ are the average CNRs of the authentic and SS signals, respectively. The complex channel gains are denoted by $h_a$ and $h_s$ with $E[|h_a|^2] = E[|h_s|^2] = 1$ where $E$ denotes the expected value operation. Also $w_a$ and $w_s$ represent the normalized white Gaussian noise samples distributed according to $CN(0, 1)$ with $CN(\mu, \sigma^2)$ denoting a circularly normal multivariate distribution with a mean of $\mu$ and a variance of $\sigma^2$. Note that the noise variance is normalized to simplify the expressions to follow.

It is assumed that there are nominally two correlation peaks in the CDS hypothesis space that correspond to the spoofer and the authentic signal for a specific GNSS signal with sample-based CNRs denoted as $\rho_s$ and $\rho_a$, respectively, namely,

$$\rho_a \equiv |x_a|^2 - 1, \qquad \rho_s \equiv |x_s|^2 - 1. \tag{2}$$

There are many variations as to how the receiver implements the correlation search over the CDS; however, this assumption of the correlator structure simplifies the system description and subsequent analysis. Furthermore, the possibility of the authentic signal resulting in two distinct correlation peaks due to resolvable multipath or poor receiver design is not considered. The GNSS receiver cannot determine which correlation peak corresponds to the desired authentic signal. However, recognizing that there are two possible choices from which it suspects spoofer activity, it can impose the following simple heuristic rule for selecting the authentic signal:

Choose the larger of the two peaks as the authentic peak if $(\rho_s < \rho_T) \cap (\rho_a < \rho_T)$, otherwise choose the smaller peak.

Here $\rho_T$ is a threshold CNR that $\rho_s$ and $\rho_a$ will be compared to, which is the subject of some adaptive optimization process. Based on this formulation, the probability of a selection error can be evaluated. An error occurs every time the spoofer correlation peak is selected instead of the authentic peak with the Doppler and code delay coordinates passed on to the navigation solution processor. As such there are two types of errors described as

$$\begin{aligned} \text{type I error:}\quad & (\rho_s < \rho_T) \cap (\rho_a < \rho_T) \cap (\rho_a < \rho_s), \\ \text{type II error:}\quad & \big((\rho_s > \rho_T) \cup (\rho_a > \rho_T)\big) \cap (\rho_s < \rho_a). \end{aligned} \tag{3}$$

A graphical aid is introduced in Figure 2 which provides a method of calculating the probability of receiver error as the sum of the probabilities of the two types of errors. This probability will be denoted as $P_e$ and is a measure of the effectiveness of the spoofer; that is, the higher $P_e$ is over a given target area of the spoofer, the more effective it is, and is therefore a suitable metric for quantifying the effectiveness of the SS. $P_e$ depends on the probability density function (PDF) of the CNRs of the authentic and spoofing correlation peaks.

Figure 2: Graphical integration regions for the two error types.

To proceed further, the following definitions are made:

$f_a(\rho_a; \rho_{a0})$: PDF of $\rho_a$ with the parameter $\rho_{a0}$;

$f_s(\rho_s; \rho_{s0})$: PDF of $\rho_s$ with the parameter $\rho_{s0}$;

$F_a(\rho_a; \rho_{a0}) = \int_0^{\rho_a} f_a(\lambda; \rho_{a0})\, d\lambda$: cumulative distribution of the authentic signal;

$F_s(\rho_s; \rho_{s0}) = \int_0^{\rho_s} f_s(\lambda; \rho_{s0})\, d\lambda$: cumulative distribution of the spoofer signal.

Assuming that the authentic and the spoofer CNR samples, $\{\rho_a, \rho_s\}$, are statistically independent random variables, then the joint PDF can be expressed as the product

$$f_{a,s}(\rho_a, \rho_s; \rho_{a0}, \rho_{s0}) \approx f_a(\rho_a; \rho_{a0})\, f_s(\rho_s; \rho_{s0}). \tag{4}$$

This assumption is based on the authentic SV original signal and the terrestrial source SS signal coming from different bearings and hence, in a dense urban area, the fast fading and nominal path-loss is independent.
As the bearings are sufficiently different, the longer-term fading or shadowing is not correlated [6]. Hence, the assumption of independence implied by (4) is made herein. However, there are instances where shadowing does become correlated especially if the bearings of the authentic and SS signals are similar. Based on the graphic shown in Figure 2, $P_e$ is given by

$$\begin{aligned} P_e &= \int_0^{\rho_T}\!\!\int_0^{\rho_s} f_s(\rho_s)\, f_a(\rho_a)\, d\rho_a\, d\rho_s + \int_{\rho_T}^{\infty}\!\!\int_0^{\rho_a} f_a(\rho_a)\, f_s(\rho_s)\, d\rho_s\, d\rho_a \\ &= \int_0^{\rho_T} f_s(\rho_s)\big[F_a(\rho_s) - F_a(0)\big]\, d\rho_s + \int_{\rho_T}^{\infty} f_a(\rho_a)\big[F_s(\rho_a) - F_s(0)\big]\, d\rho_a, \end{aligned} \tag{5}$$

where the simplified notation omits the parameters $\rho_{a0}$ and $\rho_{s0}$ which are initially assumed to be known parameters. Using $F_a(0) = F_s(0) = 0$, (5) becomes

$$P_e = \int_0^{\rho_T} f_s(\rho_s)\, F_a(\rho_s)\, d\rho_s + \int_{\rho_T}^{\infty} f_a(\rho_a)\, F_s(\rho_a)\, d\rho_a. \tag{6}$$

The minimum value of $P_e$ can be determined by setting $(\partial/\partial\rho_T) P_e = 0$ such that the condition

$$\frac{\partial}{\partial \rho_T}\int_0^{\rho_T} f_s(\rho_s)\, F_a(\rho_s)\, d\rho_s + \frac{\partial}{\partial \rho_T}\int_{\rho_T}^{\infty} f_a(\rho_a)\, F_s(\rho_a)\, d\rho_a = 0 \tag{7}$$

emerges and reduces to

$$\frac{f_s(\rho_T)}{F_s(\rho_T)} = \frac{f_a(\rho_T)}{F_a(\rho_T)}, \tag{8}$$

which is then solved for the optimum value of $\rho_T$. Equation (8) is mathematically equivalent to

$$f_s(\rho_T)\, F_a(\rho_T) - f_a(\rho_T)\, F_s(\rho_T) \equiv \frac{\partial}{\partial \rho_T}\left(\frac{F_s(\rho_T)}{F_a(\rho_T)}\right) = 0. \tag{9}$$

A useful observation is that if the PDFs of the authentic and the spoofer signals are scaled versions of each other, that is, $F_a(\rho_T) = F_s(\rho_T/c)$; then (9) holds only if $\rho_T = 0$ and $\rho_T = \infty$, since a cumulative distribution function (CDF) is a monotonically increasing function. This means that a finite threshold other than $\rho_T = 0$ and $\rho_T = \infty$ does not exist. In other words, for the common case when $f_a(\rho_a)$ is a monomodal function then it is easily shown that $f_a(\rho_a)/F_a(\rho_a)$ is a monotonically decreasing function. Hence, if $f_a(\rho)$ is approximately a translation of the function $f_s(\rho)$, then the intersection points of $f_s(\rho_T)/F_s(\rho_T)$ and $f_a(\rho_T)/F_a(\rho_T)$ can only be at $\rho_T = 0$ and $\rho_T = \infty$. This observation will be used in the next section. Note that a threshold of $\rho_T = \infty$ is equivalent to having no threshold rather than applying a nonrealistically large threshold.

3. Performance of Antispoofing for LOS and NLOS Conditions

In this section, $P_e$ is determined for LOS and NLOS scenarios. This is generally done by first solving for the optimum threshold $\rho_T$ and then determining $P_e$.

3.1. LOS with Additive Noise. As defined in (1), the in-phase and quadrature components of the demodulated signal are normalized such that the additive noise is of unit variance for the in-phase and quadrature Gaussian components. With this, the LOS signal from the authentic signal will have a mean square magnitude of $2\rho_{a0}$. Likewise the LOS from the SS will have a mean square magnitude of $2\rho_{s0}$. Hence, the PDF of the square magnitudes of the correlation peaks corresponding to the authentic and spoofer signals will then be given as

$$f_a(\rho_a; \rho_{a0}) = \chi^2_2(\rho_a; 2\rho_{a0}, 1), \qquad f_s(\rho_s; \rho_{s0}) = \chi^2_2(\rho_s; 2\rho_{s0}, 1), \tag{10}$$

where $\chi^2_N(x; \mu, \sigma^2)$ is the noncentral chi-square PDF of variable $x$ with $N$ degrees of freedom (DOF), the noncentrality parameter $\mu$, and the corresponding variance of the Gaussian parameter $\sigma^2$ [9].

Figure 3: $P_e$ as a function of $\rho_T$. Curves: $\rho_{a0} = 10$ (dB) and $\rho_{s0} = 8$ (dB); $\rho_{a0} = 10$ (dB) and $\rho_{s0} = 12$ (dB).

Figure 4: $P_e$ as a function of $\rho_{s0}$ for a conventional receiver (Rx) and a spoofer mitigated receiver (SMRx).

$P_e$ is plotted in Figure 3 as a function of $\rho_T$ for specific cases where $\rho_{a0} > \rho_{s0}$ and $\rho_{a0} < \rho_{s0}$. As stated earlier, when $\rho_{a0} > \rho_{s0}$ the optimum threshold is $\rho_T = \infty$, while for $\rho_{a0} < \rho_{s0}$ the optimum threshold is $\rho_T = 0$.
This is tant- a s T 0 0 amount to selecting the larger of the two peaks if the average 0.6 power of the authentic signal is larger than the average power 0.5 of the spoofer. Otherwise, choose the smaller of the two peaks if the average power of the spoofer is larger than the average 0.4 power of the authentic signal. This trivial conclusion is a 0.3 manifestation of the assumption that ρ and ρ are known, a s 0 0 which is not generally the case. 0.2 Note that as f (ρ) is approximately a translation of the 0.1 function f (ρ) then the intersection points of f (ρ )/F (ρ ) s s T s T and f (ρ )/F (ρ ) can only be at ρ = 0and ρ =∞ as a T a T T T 0 2 4 6 8 10 12 14 16 18 20 observed before. ρ (dB) Figure 4 shows a plot of P for a receiver with no spoofer e 0 mitigation, herein denoted by Rx, compared to the P for a SMRx, ρ = 10 (dB) receiver with spoofer mitigation, herein denoted by SMRx, Rx, ρ = 10 (dB) with ρ =∞ for ρ >ρ and ρ = 0for ρ <ρ .The GNSS T a s T a s 0 0 0 0 receiver with no spoofer mitigation is equivalent to setting Figure 5: Comparison of the conventional and the spoofer miti- ρ =∞. As such there is no difference in the performance gation receiver based on 2 DOF in a NLOS Rayleigh fading channel. of the GNSS receivers with and without spoofer mitigation when ρ >ρ . However, for the case of ρ <ρ , the a0 s0 a0 s0 effectiveness of the spoofer mitigation is clearly evident in where χ (x; σ ) is the central chi-square PDF of variable x the reduction of P . 2 with 2 DOF, with a variance of each DOF of ρ + 1 for the authentic signal and ρ + 1 for the spoofing signal. 3.2. NLOS with Additive Noise. In this section, it is assumed Figure 5 shows a plot of P for a receiver with no spoofer that ρ and ρ are again deterministic and known to the a s 0 0 mitigation (Rx) compared to the P for a receiver with receiver. 
The PDFs of the magnitude of the correlation peaks spoofer mitigation (SMRx) with ρ =∞ for ρ >ρ and T a s 0 0 corresponding to the authentic and spoofer signals are then ρ = 0for ρ <ρ . Comparing Figure 5 with Figure 4,it T a0 s0 be given as is evident that the spoofer mitigation is more effective when a LOS rather than a NLOS scenario is encountered. Hence, when the spoofer and authentic signals are more random as f ρ ; ρ = χ ρ ; ρ , a a a a a 0 2 0 in the NLOS case, distinguishing them based on the sample (11) CNR is more difficult and hence, subject to higher P . f ρ ; ρ = χ ρ ; ρ , e s s s s s 0 2 0 e P e 6 International Journal of Navigation and Observation 0.8 0.8 0.6 0.6 0.4 0.4 0.2 0.2 20 0 20 20 15 15 ρ (dB) ρ (dB) ρ (dB) ρ (dB) 5 s T 5 0 T Figure 6: P as a function of ρ and ρ ,for ρ = 10 and NLOS e T s a 0 0 Figure 7: P as a function of ρ and ρ ,for ρ = 10 and NLOS e T s a Rayleigh conditions based on 2DOF. 0 0 conditions based on M = 3 (6DOF). Figure 6 shows P as a function of ρ and for various e T from the receiver. However, it will be assumed that ρ is ρ . The effectiveness of the spoofer countermeasure is again known approximately to the receiver. This is reasonable as evident in the region where ρ <ρ . The same behavior a s 0 0 the average power of a GNSS SV signal is approximately as before occurs, namely, that the optimum ρ for spoofer known in a multipath environment with the exception of power less than authentic power is ρ =∞ while for spoofer factors such as shadowing and building penetration losses. power greater than authentic power is ρ = 0, which is again Antenna orientation is typically not a factor as the multipath a manifestation of the assumed known average powers. is distributed across a large angular sector. As ρ is unknown, it is reasonable to assume a uniform PDF for ρ such that f (ρ ) = c where c is a constant. 3.3. Diversity NLOS with Additive Noise. 
Assuming a ring or s s s s s Consequently, P can be found from (6)as a sphere of scatterers to model a typical urban environment, the signals arriving at antennas with an approximate sepa- ρ 1/c T s ration of half a carrier wavelength, are statistically uncorre- P = c F ρ dρ + c af ρ dρ . (12) e s a a a s a a a lated. Consequently, M statistically independent samples of 0 ρ the receiver correlator output can be made available through Now the optimum ρ can be found from ∂P (ρ )/∂ρ = 0 T e T T accumulating M successive samples of the correlator outputs which simplifies to as the receiver is moving. The CNR of each correlation sample is ρ and ρ for the authentic and spoofing signals, a s 0 0 F ρ − ρ f ρ = 0. (13) a T T a T respectively, which are again assumed to be deterministic and known to the receiver. Equation (13) can be solved to find the optimum ρ . Figure 8 A plot of P based on M = 3 independent samples is shows F (ρ )−ρ f (ρ )for M = 1,... , 4 basedonaRayleigh a T T a T shown in Figure 7. Similar to the no diversity case with M = fading channel and ρ = 10 (dB). As can be seen from this 1, the optimum ρ for spoofer power less than the authentic T figure, ρ =∞ is optimum for M = 1. This means that a power is ρ =∞, while for spoofer power greater than the finite threshold does not exist for M = 1 and as such the pro- authentic power, the maximum is ρ = 0. Again, this is T posed spoofing countermeasure does not reduce the spoofer reasonable as the spoofer and authentic signal is identically effectiveness as ρ =∞ is equivalent to a receiver with no distributed except for the deterministic and known average spoofing countermeasure. However, as the diversity order powers. Clearly, if it is known that ρ >ρ then the larger a s increases, an optimum ρ other than 0 or ∞ can be found 0 0 peak would correspond to the authentic signal more often from (13). As will be shown in the next section, the optimum than the lower peak. 
value of ρ reduces P and as such reduces the spoofer T e effective range. 3.4. Measurement Uncertainty and Unknown Spoofer Average Power. In the previous sections, the outcome was a trivial 3.5. Relating Observations of Spoofer Effectiveness to Physical optimization of ρ as ρ = 0if ρ <ρ and ρ =∞ if Range. Having evaluated P for various scenarios, it is of T T a0 s0 T e ρ >ρ , which resulted from the assumption that {ρ , ρ } interest to determine the spoofer effectiveness as a function a s s a 0 0 o o was known to the receiver. In this section, the more realistic of the physical range. The potential target area of the spoofer multipath propagation case is considered where the average as illustrated in Figure 1 is conceptually the physical region in spoofer CNR is completely unknown. This is reasonable as which P is large enough to impact the navigation solution. the spoofer could be of arbitrary transmit power and range In this section, an approximation of the physical range of e International Journal of Navigation and Observation 7 1 1 0.9 0.8 0.8 0.6 0.7 0.4 0.6 0.2 0.5 0.4 0.3 −0.2 0.2 −0.4 0.1 0 5 10 15 20 25 30 100 200 300 400 500 600 700 800 900 1000 M = 3 M = 1 Spoofer-Rx separation (m) M = 2 M = 4 Rx, M = 4 SMRx, M = 2 Figure 8: F (ρ )− ρ f (ρ ) as a function of ρ for various number Rx, M = 2 a T T a T T Rx, M = 6 of diversity branches based on a NLOS Rayleigh fading channel and SMRx, M = 4 SMRx, M = 6 ρ = 10 (dB). Figure 10: P as a function of spoofer-Rx separation in a Rayleigh channel and based on ρ = 10 (dB), ρ (R ) = 30 dB, and a path- a0 s0 1 loss exponent of n = 3. 
spoofer effectiveness is determined based on the empirical path-loss model of order $n$ as

$$\rho_{s_0} = \rho_{s_0}^{(R_1)} - 10\,n \log_{10}\!\left(\frac{d}{R_1}\right), \tag{14}$$

where $R_1$ is a reference range, $d$ is the spoofer-receiver range, $n$ is the path-loss exponent, and $\rho_{s_0}^{(R_1)}$ is the average received spoofer CNR at $d = R_1$.

For a LOS scenario with measurement errors, the PDFs of the SS CNR and SV CNR estimates are noncentral chi-square with $2M$ DOF, with $M$ denoting the number of independent diversity branches used to estimate the CNR. $P_e$ can therefore be found by computing $\rho_T$ using (13) and substituting it in (6). Figure 9 shows $P_e$ for the spoofer mitigated receiver (SMRx) as well as a conventional Rx for various spoofer-receiver separations and $M$. As can be seen from this figure, an SMRx significantly reduces the effectiveness of the spoofer through reducing $P_e$. Also observed is that the higher the diversity order $M$ is, the more effective the spoofer mitigation is.

Figure 9: $P_e$ as a function of spoofer-Rx separation in a LOS channel with measurement errors and based on $\rho_{a_0} = 10$ dB, $\rho_{s_0}(R_1) = 30$ dB, and a path-loss exponent of $n = 3$. [Plot: $P_e$ versus spoofer-Rx separation (m); curves for Rx and SMRx with M = 1, 2, 5.]

For a Rayleigh fading channel, the PDFs of the spoofer and the authentic CNRs are central chi-square with $2M$ DOF. $P_e$ can be found by numerically computing $\rho_T$ from (13) and setting it in (6). Figure 10 shows $P_e$ for an SMRx as well as a conventional Rx with no spoofing countermeasures. Note that the performance of the SMRx is significantly better than that of a conventional Rx, with higher diversity branches resulting in better performance. In addition, Figures 11 and 12 compare the $P_e$ of SMRx and Rx under a generalized Rician channel with various K-factors such that [10]

K 1 2 2 f ρ ; ρ = χ ρ , ρ +1 , a a a a 0 2M a 0 K +1 K +1 a a
K 1 2 2 f ρ ; ρ = χ ρ , ρ +1 , s s s0 2M s s0 K +1 K +1 s s (15)

where $K_a$ and $K_s$ are the Rician K-factors associated with the SV and the SS channels, respectively. Similar to the LOS and the Rayleigh channels, a noticeable improvement in spoofer mitigation is realizable.

Figure 11: $P_e$ as a function of spoofer-Rx separation in a Rician channel with $K_a = K_s = 1$ and based on $\rho_{a_0} = 10$ dB, $\rho_{s_0}(R_1) = 30$ dB, and a path-loss exponent of $n = 3$. [Plot: $P_e$ versus spoofer-Rx separation (m); curves for Rx and SMRx with M = 1, 2, 5.]

Figure 12: $P_e$ as a function of spoofer-Rx separation in a Rician channel based on $\rho_{a_0} = 10$ dB, $\rho_{s_0}(R_1) = 30$ dB, and a path-loss exponent of $n = 3$. [Plot: $P_e$ versus spoofer-Rx separation (m); curves for Rx and SMRx with M = 2, for $K_a = 10$, $K_s = 1$ and for $K_a = 1$, $K_s = 10$.]

In order to quantify the reduction in spoofer effective range, a heuristic metric is introduced here as

$$\mathrm{SRRF} = \left( \frac{\int_{R_1}^{R_2} P_e^{\mathrm{Rx}}\, dR - \int_{R_1}^{R_2} P_e^{\mathrm{SMRx}}\, dR}{\int_{R_1}^{R_2} P_e^{\mathrm{Rx}}\, dR} \right) \times 100, \tag{16}$$

where SRRF denotes the spoofer range reduction factor. The SRRF is computed for various channel scenarios and diversity branches and the results are summarized in Table 1.

Table 1: Spoofer range reduction factor (SRRF) computed for various channel scenarios based on $\rho_{a_0} = 10$ dB, $\rho_{s_0}(R_1) = 30$ dB.

| Channel | No. of diversity branches | Path-loss exponent (n) | $K_a$ | $K_s$ | SRRF (%) |
|---|---|---|---|---|---|
| Rician Ch. | M = 1 | 3 | 1 | 1 | 60 |
| Rician Ch. | M = 2 | 3 | 1 | 1 | 70 |
| Rician Ch. | M = 5 | 3 | 1 | 10 | 75 |
| Rician Ch. | M = 5 | 3 | 10 | 1 | 70 |
| Rayleigh Ch. | M = 2 | 3 | 0 | 0 | 45 |
| Rayleigh Ch. | M = 5 | 3 | 0 | 0 | 60 |
| LOS | M = 1 | 3 | NA | NA | 74 |
| LOS | M = 5 | 3 | NA | NA | 75 |

4. Conclusions

It was shown that a relatively unsophisticated standoff spoofer can effectively disrupt a large physical area. However, processing based on estimating the CNR of the spoofer and the authentic received signals and applying a straightforward threshold rule can significantly reduce the effectiveness of the standoff spoofer. This was shown for LOS, NLOS, and Rician multipath conditions. If the average spoofer and authentic signal power is known then the setting of $\rho_T$ is trivial. However, if $\rho_{s_0}$ is completely unknown then $\rho_T$ has a finite optimum that is a function of $\rho_{a_0}$ and the type of propagation environment detected by the receiver. An expression for computing the optimum $\rho_T$ was deduced and applied to various channels. The results demonstrated the effectiveness of the proposed spoofer mitigation technique. A heuristic metric of spoofer effectiveness (SRRF) was proposed. It was shown that SRRF is reduced by up to 75% for LOS, 45% for NLOS Rayleigh $M = 2$, and 60% for NLOS Rayleigh $M = 5$ and 70% based on a Rician channel with $K_a = K_s = 1$ for $M = 2$, hence aptly demonstrating the effectiveness of the proposed countermeasure approach.

References

[1] E. D. Kaplan and C. J. Hegarty, Understanding GPS: Principles and Applications, Artech House, Norwood, Mass, USA, 2006.
[2] B. M. Ledvina, W. J. Bencze, B. Galusha, and I. Miller, “An in-line anti-spoofing device for legacy civil GPS receivers,” in Institute of Navigation—International Technical Meeting (ITM ’10), pp. 868–882, San Diego, Calif, USA, January 2010.
[3] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O’Hanlon, and P. M. Kintner, “Assessing the spoofing threat: development of a portable GPS civilian spoofer,” in Proceedings of the 21st International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS ’08), pp. 1198–1209, Savanna, Calif, USA, September 2008.
[4] L. Scott, “Location assurance,” GPS World, vol. 18, no. 7, pp. 14–18, 2007.
[5] L. Scott, “Anti-spoofing and authenticated signal architectures for civil navigation systems,” in Proceedings of the ION GPS/GNSS, Portland, Ore, USA, September 2003.
[6] W. C. Jakes, Microwave Mobile Communications, IEEE Press, New York, NY, USA, 1974.
[7] F. S. T. V. Diggele, A-GPS: Assisted GPS, GNSS, and SBAS, Artech House, 2009.
[8] S. Thrun, W. Burgard, and D. Fox, Probabilistic Robotics, MIT Press, 2006.
[9] S. Kay, Fundamentals of Statistical Signal Processing: Detection Theory, vol. 2, Prentice-Hall, Upper Saddle River, NJ, USA.
[10] J. G. Proakis, Digital Communications, McGraw-Hill, New York, NY, USA, 2001.
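The Section 3.5 procedure for a Rayleigh channel, as an added example that is not code from the paper: it evaluates the path-loss model (14), solves (13) for the threshold, integrates (6) for the error probability of the conventional Rx and the SMRx, and forms the SRRF of (16). The Erlang model of the M-branch CNR estimate (mean equal to the average CNR plus one), the 100 m to 1000 m range read off the figure axes, and all function names are assumptions, so the output is not expected to reproduce Table 1.

```python
import math

def spoofer_cnr_db(d, r1, cnr_r1_db, n):
    """Eq. (14): average spoofer CNR in dB at separation d, given its value at r1."""
    return cnr_r1_db - 10.0 * n * math.log10(d / r1)

def erlang_pdf(x, m, mean):
    """PDF of the M-branch CNR estimate (assumed Erlang model, see lead-in)."""
    theta = mean / m
    return x ** (m - 1) * math.exp(-x / theta) / (math.factorial(m - 1) * theta ** m)

def erlang_cdf(x, m, mean):
    """CDF matching erlang_pdf (closed form for integer M)."""
    u = x * m / mean
    return 1.0 - math.exp(-u) * sum(u ** k / math.factorial(k) for k in range(m))

def optimum_threshold(m, mean_a):
    """Solve eq. (13), F_a(t) - t * f_a(t) = 0, for the threshold rho_T (linear)."""
    def g(t):
        return erlang_cdf(t, m, mean_a) - t * erlang_pdf(t, m, mean_a)
    lo = (m - 1) * mean_a / m      # mode of the PDF, where g is most negative
    if g(lo) >= 0.0:               # M = 1: g never changes sign, no finite root
        return math.inf
    hi = 2.0 * mean_a
    while g(hi) <= 0.0:
        hi *= 2.0
    for _ in range(60):            # bisection on the single sign change
        mid = 0.5 * (lo + hi)
        if g(mid) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

def _integrate(func, lo, hi, steps=600):
    """Trapezoid rule on a log-spaced grid (the two means can differ by 30 dB)."""
    if hi <= lo:
        return 0.0
    h = math.log(hi / lo) / steps
    total = 0.0
    for i in range(steps + 1):
        x = lo * math.exp(i * h)
        weight = 0.5 if i in (0, steps) else 1.0
        total += weight * func(x) * x
    return total * h

def error_probability(threshold, m, mean_a, mean_s):
    """Eq. (6): P_e for threshold rho_T; threshold = inf is the conventional Rx."""
    lo = 1e-6 * min(mean_a, mean_s)
    hi = 50.0 * max(mean_a, mean_s)
    t = min(threshold, hi)
    # Type I: both peaks below rho_T and the spoofer peak is the larger one.
    type1 = _integrate(
        lambda x: erlang_pdf(x, m, mean_s) * erlang_cdf(x, m, mean_a), lo, t)
    # Type II: authentic peak above rho_T and the spoofer peak is the smaller one.
    type2 = _integrate(
        lambda x: erlang_pdf(x, m, mean_a) * erlang_cdf(x, m, mean_s), t, hi)
    return type1 + type2

def srrf(m, cnr_a_db, cnr_s_r1_db, n, r1, r2, points=46):
    """Eq. (16): spoofer range reduction factor (%) over separations r1..r2."""
    mean_a = 10.0 ** (cnr_a_db / 10.0) + 1.0   # assumed: signal plus unit noise
    rho_t = optimum_threshold(m, mean_a)
    step = (r2 - r1) / (points - 1)
    area_rx = area_smrx = 0.0
    for i in range(points):
        d = r1 + i * step
        mean_s = 10.0 ** (spoofer_cnr_db(d, r1, cnr_s_r1_db, n) / 10.0) + 1.0
        weight = 0.5 if i in (0, points - 1) else 1.0
        area_rx += weight * step * error_probability(math.inf, m, mean_a, mean_s)
        area_smrx += weight * step * error_probability(rho_t, m, mean_a, mean_s)
    return 100.0 * (area_rx - area_smrx) / area_rx

if __name__ == "__main__":
    # Constructed scenario: 10 dB authentic CNR, 30 dB spoofer CNR at 100 m, n = 3.
    for m in (1, 2, 5):
        rho_t = optimum_threshold(m, 11.0)
        print(m, rho_t, round(srrf(m, 10.0, 30.0, 3.0, 100.0, 1000.0), 1))
```

Under these assumptions the M = 1 threshold is infinite, so the SMRx and the conventional Rx coincide, which matches the paper's remark that no finite threshold exists for M = 1 in Rayleigh fading.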

Publisher
Hindawi Publishing Corporation
Copyright
Copyright © 2012 J. Nielsen et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
ISSN
1687-5990
DOI
10.1155/2012/501679
K 1 2 2 f ρ ; ρ = χ ρ , ρ +1 , a a a a 0 2M a 0 K +1 K +1 a a References (15) K 1 2 2 f ρ ; ρ = χ ρ , ρ +1 , [1] E. D. Kaplan and C. J. Hegarty, Understanding GPS: Principles s s s0 2M s s0 K +1 K +1 s s and Applications, Artech House, Norwood, Mass, USA, 2006. [2] B. M. Ledvina, W. J. Bencze, B. Galusha, and I. Miller, “An where K and K are the Rician K-factors associated with a s in-line anti-spoofing device for legacy civil GPS receivers,” in the SV and the SS channels, respectively. Similar to the LOS Institute of Navigation—International Technical Meeting (ITM and the Rayleigh channels, a noticable improvement spoofer ’10), pp. 868–882, San Diego, Calif, USA, January 2010. mitigation is realizable. In order to quantify the reduction in [3] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O’Hanlon, spoofer effective range, a heuristic metric is introduced here and P. M. Kintner, “Assessing the spoofing threat: development as of a portable gps civilian spoofer,” in Proceedings of the 21st ⎛ ⎞ R R 2 2 Rx SMRx International Technical Meeting of the Satellite Division of P dR − P dR R e R e 1 1 ⎝ ⎠ SRRF = × 100, (16) the Institute of Navigation (ION GNSS ’08), pp. 1198–1209, Rx P dR Savanna, Calif, USA, September 2008. R e [4] L. Scott, “Location assurance,” GPS World,vol. 18, no.7,pp. where SRRF denotes the spoofer range reduction factor. The 14–18, 2007. SRRF is computed for various channel scenarios and diver- [5] L. Scott, “Anti-spoofing and authenticated signal architetures sity branches and the results are summarized in Table 1. for civil navigation systems,” in Proceedings of the ION GPS/ GNSS, Portland, Ore, USA, September 2003. [6] W. C. Jakes, Microwave Mobile Communications, IEEE Press, 4. Conclusions New York, NY, USA, 1974. It was shown that a relatively unsophisticated standoff [7] F.S.T.V.Diggele, A-GPS: Assisted GPS, GNSS, and SBAS, spoofer can effectively disrupt a large physical area. However, Artech House, 2009. 
e International Journal of Navigation and Observation 9 [8] S. Thurun, W. Burgard, and D. Fox, Probabilistic Robotics,MIT Press, 2006. [9] S. Kay, Fundamentals of Statistical Signal Processing: Detection Theory, vol. 2, Printice-Hall, Upper Saddle River, NJ, USA, [10] J. G. Proakis, Digital Communications, McGraw-Hill, New York, NY, USA, 2001. International Journal of Rotating Machinery International Journal of Journal of The Scientific Journal of Distributed Engineering World Journal Sensors Sensor Networks Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 Volume 2014 Journal of Control Science and Engineering Advances in Civil Engineering Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 Submit your manuscripts at http://www.hindawi.com Journal of Journal of Electrical and Computer Robotics Engineering Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 VLSI Design Advances in OptoElectronics International Journal of Modelling & Aerospace International Journal of Simulation Navigation and in Engineering Engineering Observation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2010 Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com http://www.hindawi.com Volume 2014 International Journal of Active and Passive International Journal of Antennas and Advances in Chemical Engineering Propagation Electronic Components Shock and Vibration Acoustics and Vibration 
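The threshold condition (13) of Section 3.4 for the Rayleigh case, solved numerically for several diversity orders. This is an added example, not code from the paper: it assumes the CNR estimate is the average of $M$ exponentially distributed samples of mean $\rho_{a_0}$ (a Gamma variate with shape $M$ and scale $\rho_{a_0}/M$), does not reproduce the paper's own normalisation or noise term, and all function names are illustrative.

```python
import math

def erlang_pdf(x, m, scale):
    # Central chi-square with 2m DOF, written as Gamma(shape=m, scale).
    u = x / scale
    return u ** (m - 1) * math.exp(-u) / (scale * math.factorial(m - 1))

def erlang_cdf(x, m, scale):
    # Closed-form CDF for integer shape m.
    u = x / scale
    return 1.0 - math.exp(-u) * sum(u ** k / math.factorial(k) for k in range(m))

def g13(rho_t, m, scale):
    # Left-hand side of (13): F_a(rho_T) - rho_T * f_a(rho_T).
    return erlang_cdf(rho_t, m, scale) - rho_t * erlang_pdf(rho_t, m, scale)

def optimum_threshold(m, rho_a0_db=10.0):
    """Finite positive root of (13) in linear CNR units, or inf if there is none."""
    # Assumption: the CNR estimate averages m exponential samples of mean rho_a0.
    scale = 10 ** (rho_a0_db / 10) / m
    # With u = rho_T/scale, d(g13)/du is proportional to u^(m-1) * (u - (m-1)),
    # so g13 starts at 0, bottoms out at u = m-1 and then rises towards 1.
    lo = (m - 1) * scale
    if g13(lo, m, scale) >= 0.0:
        return math.inf          # m = 1: g13 never goes negative, no finite threshold
    hi = 2 * lo
    while g13(hi, m, scale) < 0.0:
        hi *= 2
    for _ in range(200):         # bisection on the sign change
        mid = 0.5 * (lo + hi)
        if g13(mid, m, scale) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

if __name__ == "__main__":
    for m in range(1, 5):
        rho_t = optimum_threshold(m)
        label = "inf" if math.isinf(rho_t) else f"{10 * math.log10(rho_t):.2f} dB"
        print(f"M = {m}: optimum rho_T = {label}")
```

Under this model the left-hand side of (13) never changes sign for $M = 1$, so the solver returns infinity, while for $M \geq 2$ it crosses from negative to positive at a single finite threshold.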

Journal

International Journal of Navigation and Observation, Hindawi Publishing Corporation

Published: Jul 17, 2012

References