Signal Quality Indicators and Reliability Testing for Spoof-Resistant GNSS Receivers

Heidi Kuusniemi (1), Mohammad Zahidul H. Bhuiyan (1,2), Tuomo Kröger (1)

(1) Finnish Geodetic Institute, Department of Navigation and Positioning, Finland
(2) Visiting Researcher, Tampere University of Technology, Department of Pervasive Computing, Finland

Abstract – GNSSs (Global Navigation Satellite Systems) are particularly prone to unintended or deliberate interference due to the extremely low power level of the signal at the user receiver. Intentional GNSS interference sources include jamming and spoofing. Spoofing, i.e. fooling the receiver into using fake spoof signals for positioning calculations, can lead to acute danger due to the resulting misleading position solution. Civilian satellite navigation receivers are very vulnerable to spoofing attacks because they typically use a low-cost antenna and exploit only single-frequency, unauthenticated civilian signals. This paper discusses signal quality and reliability indicators in the tracking and navigation domains that are feasible for detecting spoofing incidents in consumer-level GNSS receivers. The performance of the indicators in two hardware simulation scenarios of spoofing is presented. The performance of a commercial receiver in the spoofing experiments is also assessed.

BIOGRAPHIES

Dr. Heidi Kuusniemi is an acting Head of Department and Professor at the Department of Navigation and Positioning at the Finnish Geodetic Institute (FGI). She is also a Lecturer in GNSS Technologies at the Department of Surveying Sciences at Aalto University, Finland. Her research interests cover various aspects of GNSS and sensor fusion for seamless outdoor/indoor positioning including quality control, software defined receivers as well as interference and error mitigation. She is the President of the Nordic Institute of Navigation.

Dr. Mohammad Zahidul H. Bhuiyan received his M.Sc. degree in 2006 and Ph.D. degree in 2011 from the Department of Communications Engineering, Tampere University of Technology, Finland. Dr. Bhuiyan joined the Department of Navigation and Positioning at FGI in October 2011 as a Senior Research Scientist with research interests covering various aspects of GNSS receiver design and sensor fusion algorithms for seamless outdoor/indoor positioning.

Tuomo Kröger received his M.Sc. degree in Electronics from the University of Kuopio. He is a Research Scientist at the Finnish Geodetic Institute, Department of Navigation and Positioning. His research interests include especially sensor based indoor/outdoor navigation and GNSS signal processing.

I. INTRODUCTION

Today, besides the apparent employment of GNSS (Global Navigation Satellite System) for positioning and navigation, more and more applications are also relying on a robust timing reference from GNSS. Thus, a range of highly critical applications depend on GNSS. Though providing accurate and global position, velocity and time, GNSS technology is highly vulnerable to a variety of threats. GNSS signals, as well as many other Radio Frequency (RF) signals, are susceptible to interference. GNSS is particularly prone to unintended or even deliberate interference due to the extremely low power level of the signal at the user receiver after travelling from the satellite transmitter to the user receiver antenna on the Earth. The interference sources threatening reliable GNSS operation are divided into unintentional and intentional. Unintentional interference includes natural phenomena such as increased levels of ionospheric disturbance and solar flares, as well as man-made phenomena including unwanted radio frequency. Intentional GNSS interference sources include mainly jamming and spoofing.

One of the major objectives of this paper is to analyze the vulnerability of the available civilian satellite navigation signals to spoofing attacks pertaining to the most commonly used consumer-grade single-frequency receivers. We also assess typical signal quality indicators in the tracking level and present a spoofing detection mechanism in the correlation level, in which a set of correlators is utilized at the code tracking stage to analyze a time-delay window of about ±1.5 chips with respect to the prompt correlator. The target is to calculate the deviation of the received correlation function from the ideal single path correlation function in terms of Root-Mean-Square Error (RMSE) for a time-delay window of ±1.5 chips, i.e. to provide a signal quality indication for each individual channel that is being tracked. The ideal reference correlation function is generated offline for a defined front-end configuration considering a single Line-of-Sight (LOS) signal. The higher the deviation from the ideal reference correlation function, i.e. the higher the RMSE, the greater the possibility of having a spoofed/multipath signal in the vicinity of the receiver and the lower the quality indication given to the signal.

After the detection of a spoofed/multipath signal via the specific tracking quality indicators, the next task would naturally be to apply a reliability enhancement scheme in terms of measurement selection based on the indicators and a positioning figure-of-merit in order to obtain a “spoofless” and trustworthy solution. The suggested spoofing indicators are implemented in a software receiver platform utilizing an off-the-shelf single-frequency GNSS radio front-end. Two hardware signal-simulation spoofing scenarios will be presented and the results of the spoof-indicators will be shown. The results illustrate the benefits of the implemented signal quality assessment and measurement monitoring for added spoof awareness.

Section II briefly presents satellite navigation systems and their intentional vulnerability risks. Section III presents the implemented signal tracking quality indicators for spoofing detection and section IV presents the positioning consistency test assessed. The analysed hardware signal simulations are presented in section V and experiment results in section VI. Section VII concludes the paper.

II. SATELLITE NAVIGATION AND VULNERABILITIES

A. GNSS and interference

Modern society is highly reliant on GNSS. Nowadays, in addition to the obvious usage in positioning and navigation, more and more applications are relying on a robust timing reference from GNSS. Though typically providing accurate and global position, velocity and time, GNSS technology is highly vulnerable to a range of threats. Serious consequences are faced if proper threat mitigating efforts are not taken. Satellite navigation signals are very weak after travelling from the satellite transmitter to the user receiver antenna on the Earth (minimum -160 dBW for GPS and -154 dBW for Galileo) and are extremely vulnerable to unintentional and intentional interference. The Volpe report by the Department of Transportation in the United States from 2001 [1] and the Royal Academy of Engineering report of 2011 from the United Kingdom [2] describe the wide variety of threats ranging from interruptions in satellite-based services in some regions due to solar storms to the intentional civil jamming risks from localized to more extensive denials in GNSS availability. Some basic signal checks (such as monitoring the signal's carrier-to-noise-density ratio, C/N0) and position solution consistency testing (such as monitoring the residuals of an over-determined navigation solution) can detect, diagnose, and characterize jamming and spoofing attacks.

1) Jamming

The objective of jamming is to interrupt the availability of the GNSS signal at the receiver. The intention of jamming is to cause the received signal to be corrupted so that no valid GNSS signal can be discovered by the receiver. Illegal jamming devices, which are increasing in occurrence, have gained a lot of attention recently on the civilian front due to the severe threat they pose to many applications fully relying on satellite positioning.

2) Spoofing

The goal of spoofing, on the other hand, is to provide the receiver with a misleading signal, fooling the receiver into using these fake spoof signals for positioning calculations, which ultimately results in a misleading position solution. While the GPS (Global Positioning System) P(Y)-code (Precise/encrYpted) is heavily encrypted and thus hard to spoof, the civilian GNSS signal, for example the GPS L1 C/A (coarse/acquisition) code, is easy to spoof because the signal structure, the Pseudo-Random Noise (PRN) codes, and the modulation types are open to the public. However, spoofing is more difficult to achieve than jamming, as it is necessary to simulate the signals in order to make the receiver lock on to the false signals to cause a functional deception scenario. Furthermore, the consequences of spoofing are far more serious than those of jamming: if the false signals cannot be differentiated from the real ones and give a position close enough to be plausible, then the user may not be aware of the deception, possibly leading into acute danger.

III. SIGNAL QUALITY PARAMETERS

This section describes the implemented tracking quality indicators to be assessed as candidates for spoofing detection.

A. Carrier-to-Noise density ratio

The Carrier-to-Noise density ratio (C/N0) is used to measure the quality of an obtained GNSS signal. The Carrier-to-Noise density ratio (C/N0) estimation is performed based on the ratio of the signal's wideband power to its narrowband power as mentioned in [3]:

$$ C/N_0 = 10 \log_{10}\left( \frac{1}{T} \cdot \frac{\hat{\mu}_{NP} - 1}{M - \hat{\mu}_{NP}} \right) \qquad (1) $$

where $T = 0.001$ seconds; $M$ is the number of $T$ blocks used for coherent integration, and $\hat{\mu}_{NP}$ is the mean normalized power, as expressed in the following equation:

$$ \hat{\mu}_{NP} = \frac{1}{K} \sum_{k=1}^{K} NP_k \qquad (2) $$

where $NP_k$ is the normalized power between narrow-band power and wide-band power:

$$ NP_k = \frac{NBP_k}{WBP_k} \qquad (3) $$

where NBP and WBP can be expressed as follows:

$$ NBP_k = \left( \sum_{i=1}^{M} I_{P_i} \right)_k^2 + \left( \sum_{i=1}^{M} Q_{P_i} \right)_k^2 \qquad (4) $$

$$ WBP_k = \left( \sum_{i=1}^{M} \left( I_{P_i}^2 + Q_{P_i}^2 \right) \right)_k \qquad (5) $$

where $I_{P_i}$ and $Q_{P_i}$ are the prompt correlation outputs at the tracking stage from the in-phase and quadrature arms, respectively. The used values for M and K in this implementation are 20 and 50, respectively. More details can be found in [3].
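An added example (not the authors' receiver code) of the C/N0 estimator in Eqns. (1)-(5) with the page's T, M and K, run over constructed prompt correlator outputs and followed by a simple drop alarm. The signal model (unit-variance noise, carrier on the in-phase arm, no data-bit transitions), the 45 to 39 dB-Hz profile and the 3 dB threshold are assumptions for illustration.

```python
import math
import random

T = 0.001   # duration of one prompt correlation sample, seconds
M = 20      # prompt samples per NBP/WBP block
K = 50      # blocks averaged into the mean normalized power


def cn0_estimate(i_p, q_p):
    """C/N0 in dB-Hz from M*K prompt correlator outputs, Eqns. (1)-(5)."""
    np_sum = 0.0
    for k in range(K):
        i_blk = i_p[k * M:(k + 1) * M]
        q_blk = q_p[k * M:(k + 1) * M]
        nbp = sum(i_blk) ** 2 + sum(q_blk) ** 2                  # Eqn. (4)
        wbp = sum(i * i + q * q for i, q in zip(i_blk, q_blk))   # Eqn. (5)
        np_sum += nbp / wbp                                      # Eqn. (3)
    mu = np_sum / K                                              # Eqn. (2)
    if not 1.0 < mu < M:
        return float("-inf")  # no usable carrier: Eqn. (1) is undefined
    return 10.0 * math.log10((mu - 1.0) / (T * (M - mu)))        # Eqn. (1)


def simulate_prompt(cn0_db_hz, n, rng):
    """Constructed samples: amplitude sqrt(2*C/N0*T) on I, N(0,1) noise on I and Q."""
    amp = math.sqrt(2.0 * 10.0 ** (cn0_db_hz / 10.0) * T)
    i_p = [amp + rng.gauss(0.0, 1.0) for _ in range(n)]
    q_p = [rng.gauss(0.0, 1.0) for _ in range(n)]
    return i_p, q_p


def cn0_trace(profile_db_hz, seed=1):
    """One estimate per second of data (M*K = 1000 samples of 1 ms)."""
    rng = random.Random(seed)
    return [cn0_estimate(*simulate_prompt(c, M * K, rng)) for c in profile_db_hz]


def first_drop(trace, baseline_len=10, drop_db=3.0):
    """Index of the first epoch more than drop_db below the baseline median."""
    base = sorted(trace[:baseline_len])[baseline_len // 2]
    for j in range(baseline_len, len(trace)):
        if base - trace[j] > drop_db:
            return j
    return None


# Constructed 90 s profile: 45 dB-Hz, then 39 dB-Hz from second 48 onward.
PROFILE = [45.0] * 48 + [39.0] * 42

if __name__ == "__main__":
    trace = cn0_trace(PROFILE)
    print("alarm at second", first_drop(trace))
```

A C/N0 drop on its own does not identify the cause of the degradation, so an alarm like this is one input to be combined with the other indicators in this section.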

B. Running DLL variance

A non-coherent Early-Minus-Late (EML) discriminator is used in this particular experiment as the Delay Lock Loop for code tracking. As mentioned in [4], the EML discriminator can be written as:

$$ DLL_i = \frac{I_{E_i}^2 + Q_{E_i}^2 - I_{L_i}^2 - Q_{L_i}^2}{I_{E_i}^2 + Q_{E_i}^2 + I_{L_i}^2 + Q_{L_i}^2} \qquad (6) $$

where $I_{E_i}$ and $Q_{E_i}$ are the in-phase and quadrature correlation outputs of the early correlators, respectively (i.e., 0.5 chips early from the prompt correlation), and $I_{L_i}$ and $Q_{L_i}$ are the in-phase and quadrature correlation outputs of the late correlators, respectively (i.e., 0.5 chips late from the prompt correlation). The DLL discriminator variance is then calculated from Eqn. (6) for a running window of $N = 1000$ points.

C. Running PLL variance

A two-quadrant 'ATAN' Costas discriminator is used in this implementation as a Phase Locked Loop in carrier tracking. According to [4], the ATAN Costas discriminator can be written as:

$$ PLL_i = \mathrm{ATAN}\left( \frac{Q_{P_i}}{I_{P_i}} \right) \qquad (7) $$

where $I_{P_i}$ and $Q_{P_i}$ are the prompt correlation outputs from the in-phase and quadrature arms, respectively. The Costas PLL discriminator variance is then computed from Eqn. (7) for a running window of $N = 1000$ points.

D. Running RMSE

For an additional signal tracking quality indicator, we calculate the deviation of the received correlation function from an ideal single path correlation function in terms of Root-Mean-Square Error (RMSE) for a time-delay window of ±1.5 chips with 30 correlator values, i.e. to provide a signal quality indication for each individual channel that is being tracked with 15 early and 15 late correlators. Assessing the RMSE of these multi-correlators consists of introducing and monitoring more correlators at the tracking stage. Correlators placed outside the normal width of early to late replicas of the incoming code support finding the genuine autocorrelation peak and enable revealing the presence of unexpected correlation peaks in the search space. The ideal non-coherent correlation functions are generated off-line and those are saved in a look-up table. A similar implementation for multipath mitigation was introduced in [5]. In tracking processing, the correlation values from the look-up table are read, the ideal reference correlation functions transferred at the middle delay index to the corresponding candidate delay index within the code delay window, and the RMSE then computed for that specific delay candidate with the 30 correlators. The running RMSE sums up the values over time as follows:

$$ \mathrm{RMSE}(j) = \frac{\sum_{k=j}^{j+N-1} \mathrm{RMSE}(k)}{N}; \quad j = 1, 2, \ldots \qquad (8) $$

where a running window of $N = 20$ is used in this experiment and $j$ is the time epoch.

IV. RELIABILITY TESTING

If sufficient redundancy exists, measurement residuals can be used for checking the consistency of the solution, also in certain limits for detecting spoofing. The range residuals are the differences between the expected measurements and the actual measurements [4], and they are here denoted as

$$ \hat{v}_k = H\hat{x}_k - z_k \qquad (9) $$

where $z_k$ is the observation vector of pseudorange measurements at time epoch k, $H$ is the design matrix, i.e. the satellite-to-user geometry matrix, and $\hat{x}_k$ is the estimated position, velocity and time solution. The residual vector $\hat{v}_k$ can be used as an efficient indicator of measurement quality and the reliability of the model being used. A simple consistency test can be performed by assessing the distribution of the residuals by comparing the weighted sum of the squared residuals to a $\chi^2$-distribution as follows

$$ H_a \text{ (reliability failure)}: \quad T = \hat{v}_k^T R^{-1} \hat{v}_k > \chi^2_{1-\alpha,\, n-p} \qquad (10) $$

where $R$ is the covariance matrix of the observations $z_k$, $\alpha$ is the false alarm rate, $n$ is the number of observations, i.e. elements in the observation vector, and $p$ is the number of unknowns. For detecting an erroneous and inconsistent position solution, a test can be performed whether or not the test statistic $T$ is centrally chi-squared distributed with a significance level of $\alpha$ and degrees of freedom of (n-p). Inconsistency is detected in the assessed observations if the hypothesis Ha in Eqn. (10) holds [6].

V. HARDWARE SIMULATION EXPERIMENTS

Hardware simulation tests to emulate spoofing attacks were conducted with a Spirent GPS signal simulator on L1 following the setup introduced in [7]. As a receiver, a Matlab-based GNSS software receiver, the FGI-GSRx, is used to process raw IF (intermediate frequency) data samples in post-processing. The FGI-GSRx software receiver for research purposes is developed further from the software-defined receiver introduced originally in [8]. A screenshot of the FGI-GSRx is shown in Figure 1. A USB front-end module from Sparkfun Electronics, named SiGe GN3S sampler v3 [9], is used to capture the raw GPS L1 C/A IF signal. The GNSS front-end is presented in Figure 2. All error sources other than spoofing, for example, ionospheric, tropospheric, etc. were not considered in the hardware simulation experiments.

Figure 1: Software-defined research receiver FGI-GSRx

Figure 2: SiGe GN3S sampler v3 for capturing the raw GPS L1 C/A signal in the test scenarios

A. Test scenario 1

Static receiver: spoofing from 48th second to the end of the test. The total experiment duration is 90 seconds. The spoofer will attack the receiver with a static position (signal simulation with all channels) with a constant time delay offset for spoofed signal being 50 nanoseconds and with the spoofed signal power being 3 dB higher than the authentic signal, applying to all channels.

B. Test scenario 2

Static receiver: spoofing from 51st second to the end of the test. The total experiment duration is 90 seconds. The spoofer will attack the receiver with a static position (signal simulation with all channels) with a constant time delay offset for spoofed signal being 30 nanoseconds and with the spoofed signal power being the same as the authentic signal, also applying to all channels.

VI. RESULTS

This section presents the results of the various signal quality indicators when spoofing exists.

A. Results for test scenario 1

Figures 3 to 6 present the C/N0, running DLL variance, running PLL variance, and the running multi-correlator RMSE signal indicators for the spoofing test scenario 1. The spoofing that starts at around 48 seconds from the beginning of the test can be observed from the figures with increased noise levels: the C/N0 decreases, the running DLL and PLL variances increase, and the multi-correlator RMSE decreases.

Figure 3: C/N0 values for test 1

Figure 4: Running DLL variances for test 1

The consistency testing result (i.e. the hypothesis Ha holding and revealing an error) is shown in the accuracy figure of Figure 7. Only the last navigation solution was deemed as erroneous by the error hypothesis Ha holding, with a false alarm rate  Thus, spoofing is much more efficiently detectable in the tracking domain, as can be seen from Figures 3-6.

Figure 5: Running PLL variance for test 1

Figure 6: Running multi-correlator RMSE for test 1

Figure 7: Consistency testing in the navigation domain for test 1

B. Results for test scenario 2

Figures 8 to 11 present the C/N0, running DLL variance, running PLL variance, and the running multi-correlator RMSE for the spoofing test scenario 2. The spoofing, which starts at around 51 seconds from the beginning of the test, can be observed from the figures with increased noise levels: the C/N0 and the multi-correlator RMSE decrease and the DLL and PLL variances increase significantly, revealing the fake signals present.

Figure 8: C/N0 values for test 2

Figure 9: Running DLL variance for test 2

Figure 10: Running PLL variance for test 2

Figure 11: Running multi-correlator compared RMSE for test 2

The consistency testing result (i.e. testing the hypothesis Ha) did not reveal an error for the spoofing test scenario 2 at all. The resulting horizontal position accuracy figure is shown in Figure 12. The false alarm rate used was  Thus, spoofing is easier to detect in the tracking domain, as can also be seen from Figures 8-11.
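The navigation-domain check of Eqns. (9)-(10), as an added example (not the authors' FGI-GSRx code). It assumes a linearized model z = Hx + noise with R = σ²I, σ = 1 m, α = 0.001, and a constructed eight-satellite geometry and noise vector; it shows from the algebra alone that a delay common to all channels is absorbed by the clock term and leaves T unchanged, while a fault on a single channel makes Ha hold.

```python
import math

C_LIGHT = 299_792_458.0  # m/s
# Constructed geometry: (azimuth, elevation) in degrees for 8 satellites.
SKY = [(0, 30), (45, 60), (90, 30), (135, 60), (180, 30), (225, 60), (270, 30), (315, 60)]
# Constructed measurement noise in metres (sigma = 1 m assumed).
NOISE = [0.4, -0.7, 0.2, 0.9, -0.5, -0.3, 0.6, -0.6]

def design_matrix(sky):
    """Rows [e_x, e_y, e_z, 1]: line-of-sight unit vector plus clock column."""
    rows = []
    for az, el in sky:
        a, e = math.radians(az), math.radians(el)
        rows.append([math.cos(e) * math.sin(a), math.cos(e) * math.cos(a), math.sin(e), 1.0])
    return rows

def solve(a, b):
    """Gaussian elimination with partial pivoting for the normal equations."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            m[r] = [mr - f * mc for mr, mc in zip(m[r], m[c])]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x

def chi2_sf(t, dof):
    """P(chi-square with dof degrees of freedom > t), incomplete gamma series."""
    a, x = dof / 2.0, t / 2.0
    if x <= 0.0:
        return 1.0
    term = total = 1.0 / a
    n = 0
    while term > total * 1e-16:
        n += 1
        term *= x / (a + n)
        total += term
    return max(0.0, 1.0 - total * math.exp(a * math.log(x) - x - math.lgamma(a)))

def consistency_test(h, z, sigma=1.0, alpha=0.001):
    """Eqns. (9)-(10) with R = sigma^2 * I; Ha is True on reliability failure."""
    n, p = len(h), len(h[0])
    hth = [[sum(row[r] * row[c] for row in h) for c in range(p)] for r in range(p)]
    htz = [sum(row[r] * zi for row, zi in zip(h, z)) for r in range(p)]
    x_hat = solve(hth, htz)  # equal weights cancel in the estimate
    v = [sum(hc * xc for hc, xc in zip(row, x_hat)) - zi for row, zi in zip(h, z)]
    t = sum(vi * vi for vi in v) / sigma ** 2
    # T > chi2_{1-alpha, n-p} is equivalent to survival probability < alpha
    return {"x_hat": x_hat, "T": t, "Ha": chi2_sf(t, n - p) < alpha}

def scenarios():
    h = design_matrix(SKY)
    common = C_LIGHT * 30e-9  # 30 ns on every channel, as in test scenario 2
    cases = {
        "clean": NOISE[:],
        "common_offset": [z + common for z in NOISE],
        "single_fault": [NOISE[0] + 30.0] + NOISE[1:],  # 30 m on one channel
    }
    return {name: consistency_test(h, z) for name, z in cases.items()}
```

In this idealized setting the 30 ns offset shifts the estimated clock term by about 9 m while the residuals stay the same, so a residual test needs to be paired with the tracking-domain indicators of section III.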

Figure 12: Consistency testing in the navigation domain for test 2 did not reveal an error

C. Results of the effect of spoofing simulations to a commercial receiver

Commercial receivers are also heavily affected, in terms of degraded accuracy, by the applied spoofing hardware simulator scenarios. Figure 13 presents the results in terms of horizontal accuracy of a uBlox 5T receiver in the experiments. The commercial receiver is strongly affected by the spoofing attack, with the positioning error increasing to about 400 meters in both of the short hardware simulation scenarios.

Figure 13: Horizontal positioning error of a commercial GPS L1 C/A receiver to the spoofing scenarios

VII. CONCLUSIONS

This paper presented potential spoofing detection indicators in the tracking and navigation domains for civilian GPS L1 C/A receivers. C/N0, running DLL variance, running PLL variance, and running multi-correlator RMSE indicators were implemented as well as a navigation consistency check in a software receiver platform utilizing an off-the-shelf single-frequency GNSS radio front-end. Two hardware signal-simulation spoofing scenarios were presented and the results of the potential spoof-detection indicators were shown. The results illustrate that the tracking signal quality indicators are capable of revealing the spoofer attack, whereas the simple navigation domain consistency checking did not reveal the spoofing incident efficiently enough. Commercial receivers were also heavily affected by the spoofing in terms of degraded accuracy. Future work will include implementing spoofing mitigation based on the presented tracking indicators to mitigate accuracy degradation and raising the necessary security alarms in a system.

ACKNOWLEDGMENT

This research has been conducted within the project DETERJAM (Detection, analysis, and risk management of satellite navigation jamming) funded by the Scientific Advisory Board for Defence of the Finnish Ministry of Defence and the Finnish Geodetic Institute, Finland. The authors would like to warmly thank Mr. Esa Airos from the Defence Forces Technical Research Centre in Finland for conducting the simulation experiments.

REFERENCES

[1] Volpe, J.A. (2001). Vulnerability Assessment of the Transportation Infrastructure Relying on the Global Positioning System. National Transportation Systems Center, U.S. Department of Transportation. Final report, August 2001, 113 p.
[2] Royal Academy of Engineering (2011). Global Navigation Space Systems: Reliance & Vulnerabilities. March 2011, 48 p. ISBN 1-903496-62-4.
[3] Parkinson B.W. and Spilker J.J. Jr. (1996). Global positioning system: theory and applications. American Institute of Aeronautics, Vol. 1, 370 L'Enfant Promenade, SW, Washington, DC, pp. 390–392.
[4] Kaplan E.D. and Hegarty C. (2006). Understanding GPS principles and applications. 2nd edition, chapter 5, Artech House Publishers, Boston.
[5] Bhuiyan M. Z. H., Zhang J., Lohan E. S., Wang W., and Sand S. (2012). Analysis of Multipath Mitigation Techniques with Land Mobile Satellite Channel Model. RADIOENGINEERING, vol. 21, no. 4, December 2012, pp. 1067-1077.
[6] Kuusniemi H. (2005). User-Level Reliability and Quality Monitoring in Satellite-Based Personal Navigation. Doctoral Dissertation, Tampere University of Technology, Sept. 2005, 180 p.
[7] Tippenhauer N.O., Pöpper C., Rasmussen K.P., Capkun S. (2011). On the Requirements for Successful GPS Spoofing Attacks. Proceedings of the 18th ACM conference on Computer and Communications Security, CCS 2011, pp. 75-86.
[8] Borre K., Akos D.M., Bertelsen N., Rinder P., Jensen S.H. (2006). A software-defined GPS and Galileo receiver: a single-frequency approach, first edition. Applied And Numerical Harmonic Analysis, Birkhäuser Verlag GmbH, Boston.
[9] Sparkfun Electronics (2012). SiGe GN3S sampler v3. http://www.sparkfun.com/products/10981, Accessed 08 April 2013.
