Transcript Developing Defenses Against Jamming & Spoofing of Civilian
Developing Defenses Against Jamming & Spoofing of Civilian GNSS Receivers
Mark L. Psiaki
Sibley School of Mechanical & Aerospace Engr., Cornell University ION/GNSS 2011, 23 Sept. 2011
Approach of an Estimation Theorist: Reductionist Problem Solving
Problem Givens: Spoofers & jammers will be deployed against civilian GNSS receivers (mostly GPS at present) GNSS signal structures will not be modified to aid defenses Likely jammers can be bought & studied Likely spoofers can be designed/imagined/modeled Strategies for Developing Defenses: Jamming: Acquire, examine, test, & characterize jammers Design detection, localization, & mitigation systems for known jammers (like computer anti-virus software) Spoofing: Exploit encrypted military signals & known timing/phasing relative to defended civilian signals ION/GNSS Sept. ‘11 2 of 11
Jamming Mitigation Strategies
Detection & localization Deploy networked array of advanced GNSS receivers in defended region Each node is small phased-array; beam steering allows GPS tracking under jamming Example: on every New Jersey State police car near Newark Airport Detection & localization strategies Solve layered sequence of problems 1 st detect 2 nd rough-locate based on power at several nodes, simple algorithms 3 rd fine-locate based on multi-node carrier-phase interferometry or TDOA to within meters – exploit fine-scale correlations between multiple nodes & precise inter-receiver timing from GPS 4 th interdict Develop scalable algorithms with potential to deal with 100 or more jammers simultaneously Receiver-based mitigation Simultaneous frequency/time excision Pose as Kalman-filter-based estimation problem & near/far signal reception problem Requisite information: Jammer time/frequency models enable efficient/accurate detection & localization Generalized model-independent detection, localization, & mitigation for new/unknown jammer types Like computer anti-virus software that looks for unknown viruses based on suspicious characteristics/behavior ION/GNSS Sept. ‘11 3 of 11
Power & Spectral Time Evolution of a Cigarette Lighter-Type Jammer * * from Mitch et al. “Signal Characteristics of Civil GPS Jammers”, ION/GNSS 2011 ION/GNSS Sept. ‘11 4 of 11
Jammer Effective Ranges from Attenuation Tests
* Faraday Box Signal Combiner Victim Receiver * from Mitch et al. “Signal Characteristics of Civil GPS Jammers”, ION/GNSS 2011 ION/GNSS Sept. ‘11 GPS Signal Simulator 5 of 11
Future Issues in Jammer Detection & Localization
How can one exploit frequency-sawtooth structure of many known low-budget jammers … in detection?
… in fine localization?
… in receiver mitigation? (Kalman-filter-based coupled time/frequency excision?) … in an environment with many such jammers?
ION/GNSS Sept. ‘11 6 of 11
Spoofing Detection via P(Y) Correlation
* GPS Satellite UE with - receiver for delayed, digitally-signed P(Y) features - delayed processing to detect spoofing via P(Y) feature correlation Broadcast segments of delayed, digitally signed P(Y) features GEO “bent-pipe” transceiver Secure uplink of delayed, digitally signed P(Y) features Transmitter of delayed, digitally-signed P(Y) features Secure antenna/receiver w/processing to estimate P(Y) features (or a single antenna or a distributed set of single-antennas) * from Psiaki et al. “Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals”, ION/GNSS 2011 ION/GNSS Sept. ‘11 7 of 11
Block Diagram of Generalized P(Y) Correlation Spoofing Detector
UE receiver with P(Y) fea extraction processing User Equipment GPS transmitter P(Y) fea/est Correlation registers Spoofing Detector P(Y) fea Digital sig nature verifier UE receiver (or internet link) for P(Y) fea L1 C/A & P(Y) Secure ground based antenna/ receiver P(Y) fea Digital signer Secure link to broadcaster New Infrastructure Wireless (or internet) broadcaster ION/GNSS Sept. ‘11 8 of 11
Early Codeless Spoofing Attack Detection
* 14 12 10 8 6 Onset of spoofing attack Successful determination that PRN 23 remains reliable because solid turquoise detection statistic never crosses below dashed brown threshold 4 2 0 -2 -4 0 Successful detection of PRN 13 spoofing when solid blue detection statistic cross below dashed green threshold PRN 13 gamma detection statistic PRN 13 predicted gamma mean PRN 13 spoofing detection threshold PRN 23 gamma detection statistic PRN 23 predicted gamma mean PRN 23 spoofing detection threshold 50 Build-up of significant spoofed C/A code-phase error 100 150 Ithaca Receiver Time (sec) 200 * from Psiaki et al. “Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals”, ION/GNSS 2011 ION/GNSS Sept. ‘11 250 9 of 11
Early Semi-Codeless Spoofing Attack Detection
* 400 350 300 250 200 Onset of spoofing attack gamma detection statistic predicted gamma mean spoofing detection threshold a priori predicted gamma mean a priori spoofing detection threshold 150 100 50 0 -50 0 Successful detection of spoofing when dashed green threshold crosses above solid blue detection statistic 50 Build-up of significant spoofed C/A code-phase error 100 150 Receiver A Time (sec) 200 * from Psiaki et al. “Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals”, ION/GNSS 2011 ION/GNSS Sept. ‘11 250 10 of 11
Future Issues in Defense Against Spoofing Attack
Real-time implementation Codeless possible in 6-12 months w/internet transmission Semi-codeless needs improved algorithmic efficiency for real-time ops Infrastructure Capable & secure reference receivers Help from military (declassify segments of P(Y) shortly after broadcast?) Comm. infrastructure to transmit P(Y) data between receivers Defense against alternate attack scenarios Sophisticated attack may seek to use pseudo- or estimated P(Y) code Gaming analysis may guide designs that detect new attack types Other signals M-code to defend GPS civilian codes Encrypted Galileo signals to defend open-source Galileo codes Post-detection receiver actions ION/GNSS Sept. ‘11 11 of 11