Kalman Filter Aided Tracking Loop in GPS Signal Spoofing Detection

Transcription

1

2 Kalman Filter Aided Tracking Loop in GPS Signal Spoofing Detection Submitted in partial fulfillment of the requirement for the degree of Master of Science in the Department of Electrical and Computer Engineering University of Cincinnati By Hao Chen BS Electronic Information Science and Technology, Nanjing Agricultural University November 2014 Committee Chair: Dr. H. Howard Fan I

3 Abstract The Global Positioning System (GPS) is widely used in our daily lives. But GPS is vulnerable with spoofing attack. And there is no effective way to deal with GPS spoofing attack. In this thesis a new method of GPS spoofing attack detection is proposed. Since the tracking carrier frequency loop will react to a spoofing attack to produce a jitter, which has its own characteristics, a Kalman filter aided tracking loop in the GPS receiver is used to monitor the behavior of the tracked carrier frequency. Then a function called Test Function is proposed, which is used to decide if the spoofing attack happens or not. Statistical simulation tests have been performed which show that this new method is effective and relatively reliable. Key words: GPS spoofing, Kalman filter, Test function II

4 III

5 Contents 1 INTRODUCTION GLOBAL POSITIONING SYSTEM OVERVIEW GPS RECEIVER STRUCTURE GPS SPOOFING THREATS GPS SIGNAL STRUCTURE C/A PSEUDO RANDOM SPREADING CODE C/A Code Generation C/A Code Correlation NAVIGATION MESSAGE Telemetry and Hand Over Word Parity Check Navigation Data From Sub-frames 2 & Navigation Data From Sub-frames 4 & KALMAN FILTER AND ITS APPLICATION KALMAN FILTER MODEL KALMAN FILTER PRINCIPLES TRACKING LOOP IN SOFTWARE RECEIVER CODE TRACKING CARRIER TRACKING LOOP IF SPOOFING SIGNAL GENERATION CURRENT SPOOFING DETECTION METHOD AND RESULTS KF AIDED TRACKING LOOP & SPOOFING DETECTION KF AIDED TRACKING LOOP MODEL CARRIER TRACKING UNDER SPOOFING ATTACK Doppler Frequency Prediction PLL and Kalman Filter Output Comparison TEST FUNCTION TIME ACCURACY OF SPOOFING DETECTION USING TEST FUNCTION STATISTICAL ANALYSIS CONCLUSIONS AND RECOMMENDATIONS REFERENCE IV

6 List of Tables Table 1 C/A Code for Each Satellite... 8 Table 2 Sub-frame ID Table 3 URA Index& Range Table 4 Code for Health of SV Signal Components Table 5 Ephemeris Data from Sub-frame 2& Table 6 Data Contained in Sub-frames 4 & Table 7 Data IDs and SV IDs in Sub-frames 4 & Table 8 Almanac Parameters Table 9 Ionospheric and UTC parameters Table 10 Configuration Code Table 11 Navigation Data Health Indications Table 12 Kalman filter model variable definition V

7 List of Figures Figure 1 GPS Three Segments Overview... 1 Figure 2 Twenty Four GPS Satellites in Six Tracks... 2 Figure 3 GPS Receiver Structure... 3 Figure 4 GPS Spoofing Instance... 5 Figure 5 Generation of GPS L1 Frequency Signal... 7 Figure 6 C/A Code Generation... 8 Figure 7 The Autocorrelation of Satellite Figure 8 The Cross Correlation of Satellites 1&2 without Phase Shift Figure 9 Sub-frame 1 Structure Figure 10 Sub-frame 2 Structure Figure 11 Sub-frame 3 Stucture Figure 12 Kalman Filter Model Figure 13 Kalman Filter Estimation Algorithm Figure 14 Kalman Filter Prediction Algorithm Figure 15 Code Phase Tracking Loop Structure Figure 16 Carrier Tracking Loop Structure Figure 17 Costas Phase-Locked Loop in Time Domain Figure 18 A Simple Carrier Loop Filter Structure in Z Domain Figure 19 Kalman Filter Aided Tracking Loop Model Figure 20 Kalman filter s Low-pass Effect on Frequency Estimation Figure 21 PLL And Kalman Filter Output Comparison 1 with PLL Output in Blue and Kalman Filter Output in Red VI

8 Figure 22 Figure 23 Figure 24 PLL and Kalman filter output comparison 2 with PLL Output in Blue and Kalman Filter Output in Red PLL and Kalman filter output comparison 3 with PLL Output in Blue and Kalman Filter Output in Red PLL and Kalman filter output comparison 4 with PLL Output in Blue and Kalman Filter Output in Red Figure 25 The Test Function Output Relative Peak Trend Figure 26 The Test Function Output Relative Peak Trend Figure 27 Test Function Performance. Top: Test Function Output Figure 28 Kalman Filter Jitter Peak is Behind the PLL Jitter Peak Figure 29 Test Function Samples at Different Time Batches Figure 30 Statistical Results of Spoofing Detection, detection/false alarm rate vs. SNR VII

9 1 Introduction 1.1 Global Positioning System Overview Global Positioning System is known as GPS, which was developed in the year of The first ten GPS satellites named Block I is the mark of a new method of navigation. Up until now, GPS has been widely used in civilian and military for navigation and positioning. From the overall point of view, there are three segments in the GPS system: the space segment, the control segment and the user segment. Figure 1 GPS Three Segments Overview The space segment mainly refers to the space vehicles. There are 24 satellites evenly separated on 6 orbits. Orbital inclination is 55 degrees with radius of kilometers. It means almost all users are able to have a view of more than 4 satellites wherever they have a clear view of the sky. All these satellites are equipped with atomic clocks broadcasting navigation messages with time accuracy in nanoseconds. Also all these satellites are supervised and controlled by the control segment. 1

10 Figure 2 Twenty Four GPS Satellites in Six Tracks The center of the control segment is the Master Control Station (MCS) located in Colorado. There are 5 main functions for the MCS, including monitoring satellite orbits, maintaining satellite health, maintaining GPS time, predicting ephemerides and clock parameters, and updating satellite navigation messages. The center of the control segment is supported by five unmanned monitor stations equipped with high degree of accuracy cesium atomic clocks. All of the monitor stations check the exact altitude, position, speed, and the overall health of the orbiting satellites. Navigation messages broadcast by the space segment are uploaded at least once a day no matter there are errors or not. The user segment is comprised of receivers acquiring broadcast GPS signals to calculate the receiver locations. In the recent twenty years, GPS receivers for civilian use have been developed very fast. In the past, the GPS receiver was very expensive and very large in size. Nowadays GPS receivers have been integrated into cellphones, it becomes much easier to carry and to use. And thanks to the IC technology development, GPS receivers have also improved significantly in their calculation speed. 2

11 1.2 GPS Receiver Structure Antenna Frequency Downconversion (Rf to IF) Analog-todigital converter Software Based Acquisition & Tracking Navigation Solution Calculation Hardware-based Software-based Figure 3 GPS Receiver Structure A conventional GPS receiver contains two parts: hardware-based part and software-based part. The hardware-based part consists of the antenna, frequency down-conversion and analogdigital conversion (ADC). The software based part consists of signal acquisition, signal tracking and navigation solution calculation. The GPS antenna can receive multiple carrier frequencies. Typical carriers are known as L1 with the frequency of MHz, and L2 with the frequency of MHz. Then the received signal will be down-converted to IF (an intermediate frequency, which is a frequency to which a carrier frequency is shifted as an intermediate step in transmission or reception), for example, to be around 4MHz in a common conventional receiver. After down-converting, the signal is then fed through an ADC. The ADC digitizes the signal with a sampling frequency, which is then processed by digital means. Once the signal is digitized, either a software approach can be considered or independent hardware can be implemented [1]. To avoid aliasing, to achieve good calculation speed and to get a good and accurate result, we choose 16MHz as the sampling frequency in the simulation of this thesis. 3

12 In the software-based part, the first step is the signal acquisition. The GPS signal is a kind of pseudorandom noise, which has a low signal level with unique correlation characteristics. So the signal acquisition can be interpreted as a process of picking up the special signal sequence from a lot of noise. Then the acquisition will pass along the acquired carrier frequency and code phase to the signal tracking part. The signal tracking part consists of two loops, carrier phase tracking loop and code phase tracking loop. In these tracking loops, carrier frequency and phase detection and reconstruction, and code phase detection and reconstruction will be operated. And the correlation result (code phase) will be recorded and passed along to the next step, which is called navigation solution calculation. In this step, the pseudo-range derived from the code phase will be used, along with navigation messages decoded from the GPS signals, to calculation the receiver position. The reader can refer to [1] for more information about pseudo-range and navigation messages. Also in the navigation calculation step, much signal structure information is exposed to the receiver, including sub-frames and their numbers, which is important to a GPS spoofer. In this thesis, we focus on the software based part, especially on GPS signal tracking. The GPS signal structure will be discussed in detail in order to propose a method to detect spoofing in the GPS signal tracking part. 1.3 GPS Spoofing Threats GPS Spoofing is a form of malicious attacks on the GPS system. A GPS spoofer would broadcast a counterfeit GPS signal which is stronger than the actual GPS signals so that a GPS receiver would track the counterfeit signal instead of the real GPS signals. It would lead the GPS user to an unexpected location. Unlike GPS signal jamming, GPS signal spoofing is attacking 4

13 with a low profile, deceiving the given receiver silently. It is much more difficult to detect than jamming. Figure 4 GPS Spoofing Instance There are several levels of GPS spoofing attacks, including simplistic spoofing attack, intermediate attack and sophisticated attack [2]. For the simplistic spoofing attack, it is just a high power GPS signal generator regardless of the true GPS signals. Because it broadcasts artificial GPS signals with a higher level of power, the GPS receiver can easily detect and follow the fake GPS signal. This kind of spoofing can also be upgraded as a moving spoofing transmitter following a certain GPS receiver. For an intermediate spoofing attack, the spoofer will use a GPS receiver to estimate the signal power, to decode navigation information and to analyze the signal parameters before it plans to send out the artificial spoofing GPS signal. So for the intermediate level of spoofing, the spoofer would like to choose a more specific target. At the same time, analyzing, estimation and calculation are important for this level of spoofer. For this level of spoofing attacks, a spoofer has a specific target, with more realistic GPS signals that are more difficult to distinguish from genuine GPS signals, therefore are more difficult to detect than 5

14 the simplistic spoofing. Also, compared with the sophisticated spoofing, it has lower risks and lower complexity. For the sophisticated spoofing attacks, the spoofer may manipulate the antenna transmitting the spoofing signals to make them more authentic to the GPS receiver from the signal angle aspect. Nevertheless, this kind of spoofing also inherits all the characteristics of other spoofing attacks. In this thesis, we mainly focus on detection of the intermediate spoofing attacks by finding a way to detect the spoofing overtaking process in a GPS receiver s tracking loop. Simulation of spoofing signal generation and tracking loop overtaking are presented later in Chapters 4 and 5. 2 GPS Signal Structure GPS signals are transmitted in the Ultra-high frequency (UHF) band between 300MHz and 3000MHz. There are several different frequencies, the common ones are called L1 for civil utilization with the carrier frequency of MHz, and L2 for military applications with the carrier frequency of MHz. At the same time, the GPS signal is a phase-modulated signal with bi-phase shift keying (BPSK). It is also a code division multiple access (CDMA) signal which is a kind of spread-spectrum signal. The GPS signal contains several kinds of information, including the navigation message, coarse/acquisition code (C/A Code), and precision code (P code). In addition, the P code is encrypted with Y code, which makes P code also to be called P(Y) code. All signal components are derived from the output of a highly stable atomic clock which generates a pure sinusoidal wave with a frequency at 10.23MHz. Our research focuses on the L1 frequency for the C/A code, but is equally applicable to the L2 frequency and the P(Y) code. The Generation of GPS L1 frequency signal can be described in the figure below. 6

15 Figure 5 Generation of GPS L1 Frequency Signal 2.1 C/A Pseudo Random Spreading Code C/A Code Generation The C/A code is a sequence of 1023 chips that repeat itself each millisecond. The spreading sequences used as C/A code are referred to as Gold Code [4]. Each C/A code is generated using a tapped linear feedback shift register (LFSR). It generates a maximal-length sequence of length N = 2 n 1 elements, where n=10 is used in GPS C/A code. There are and in the sequence, appeared to be distributed at random. Here, random is actually pseudo-random because a specific satellite is identified by a unique, fixed C/A code. The C/A code generator contains two shift registers, G1 and G2. Each of them has 10 cells (n=10) generating sequences of length 1023, modulo-2 adds each other to generate a 1023 chip-long C/A code, and repeat every 1023 counts. The polynomials that describes the shift register architectures are G 1 = 1 + x 3 + x 10 and G 2 = 1 + x 2 + x 3 + x 6 + x 8 + x 9 + x 10. To generate different C/A code for different satellites, 7

16 G2 will be selectively delayed by 5 to 950 chips by choosing two of its states to a modulo-2 adder and modulo-2 added to G1 s output. Below it shows an example of a C/A code generator. In this example, I selected taps 2 and 7, which means it is the C/A code for Satellite number 30 which is also known as PRN 30 as shown in Table 11. Figure 6 C/A Code Generation Table 1 C/A Code for Each Satellite Satellite Number ID GPS PRN Signal Number Code Phase Selection Code Chips Delay First 10 Chips C/A Octal 8

17 C/A Code Correlation Gold code is chosen as C/A code for GPS because of its correlation properties. C/A code can produce a very high autocorrelation peak and low cross-correlation peaks. Since GPS signals are below noise level, it is important to find a way to detect the presence of the weak GPS signal. 9

18 And C/A provide a solution by performing correlation. It is desirable that the C/A code have the orthogonal property. However, the practical and easily implementable Gold code is nearly orthogonal instead of completely orthogonal. So the C/A code s cross-correlations have very low peaks rather than zeroes. The autocorrelation function of the C/A code can be expressed as R ii (τ) = CA i (t)ca i (t + τ)dt In the equation above, CA i is the C/A code from the satellite i. τ is the phase difference of the C/A code. For a GPS software receiver, the autocorrelation repeats for every code period. The autocorrelation peaks are used to determine C/A code phase shift and hence the time delay it experiences during the electromagnetic wave propagation, i.e., the pseudorange. The figure below shows without phase shift, how the autocorrelation of satellite 1 looks like. Figure 7 The Autocorrelation of Satellite 1 10

19 The maximum autocorrelation value is 1023, which corresponds to the number of chips in one set of the C/A code. The peak is at the very beginning of the plot. The autocorrelation reaches its maximum when τ = 0. The cross-correlation function of C/A code can be expressed as R ij (τ) = CA i (t)ca j (t + τ)dt Where CA i is the C/A code for the i th satellite and CA i is the C/A code for the j-th satellite and i j. The software GPS receiver keeps on searching for satellite signals by doing correlation. With each receiver generated C/A code corresponding to one satellite, the receiver cannot get a correlation peak unless the frequency (Doppler shift) and the satellite number match with what is received. Figure 8 The Cross Correlation of Satellites 1&2 without Phase Shift Unlike the autocorrelation, the maximum cross-correlation value is 63. There is also no peak at the magnitude of the autocorrelation peak in the plot. So according to Figure 7 and 11

20 Figure 8, it is easy to tell which satellite and the beginning of the satellite signal when correlation has been used. Therefore these two figures gives us an intuitive idea of how autocorrelation and cross-correlation work in GPS signal acquisition. 2.2 Navigation Message The navigation message is transmitted at 50 bit/s while the C/A code is at a rate of ^6 chips/s. Therefore one bit navigation message data lasts 20ms, and should be modulo-2 added to chips of the C/A code. A frame of navigation message is divided into five subframes. Each sub-frame consists of ten words. And a word has 30 bits, which means an entire frame has 1500 bits of data and takes 30 seconds. A frame contains all data structures, and this structure repeats in every frame. But the information each frame carries may differ, which is then called a page. A page is a frame, 30 seconds long and containing 5 sub-frames, but carrying certain (and unique) information. Twenty-five pages make a complete data set. Sub-frames 4 and 5 have 25 pages each, which means that a complete data message requires transmission of 25 frames. At a transmission rate of 50 bps, it needs 12.5 minutes to transmit all the satellite information, which will then repeat. As shown below, each sub-frame has its own data format. Those figures are from the GPS Standard IS-GPS-200F [3]. It is important to know the navigation message format, because a spoofer will take advantage of the navigation structure to make spoofing happen Telemetry and Hand Over Word Every sub-frame contains telemetry (TLM) and hand over words (HOW) as the first two words. TLM is the first word of each sub-frame. It begins with binary (hex: 8B), followed by 14 TLM message bits, one integrity status flag bit, one reserved bit, and six parity 12

21 bits. The TLM message contains information needed by the precise positioning service (PPS) user (authorized user) and by the control segment. The integrity status flag bit being 0 indicates that the conveying signal is provided with the legacy level of integrity assurance, and 1 means that the conveying signal is provided with an enhanced level of integrity assurance. The hand over word starts right after TLM word as the second word of each sub-frame. It contains 4 parts, truncated time of week, two flag bits, sub-frame ID and parity check bits. The HOW begins with the 17 most significant bits (MSBs) of the time-of-week (TOW) count. The next bit is the alert flag, for which 1 means that the signal user range accuracy (URA) may be worse than indicated in sub-frame 1 and that an unauthorized user shall use that satellite at his own risk. The 19th bit is a flag that will be 1 if the A-S mode is on. Bit 20 through 22 provide the ID of the sub-frame, shown below: Table 2 Sub-frame ID Sub-frame number ID code Bit 23 and bit 24 are used for parity check which will be discussed in the next section Parity Check At the end of each word of each sub-frame, there are at least 6 bits used for parity check, which are made to correct the polarity of the navigation bits following a specific rule. If the parity check fails, the navigation message should not be used. The rule is indicated below, where di is the original data bit, i=1, 2, 24, and Di is the navigation message bit the satellite send out, i=1,

22 Di = di D30*, i=1, 2 24 D25 = D29* d1 d2 d3 d5 d6 d10 d11 d12 d13 d14 d17 d18 d20 d23 D26 = D30* d2 d3 d4 d6 d7 d11 d12 d13 d14 d15 d18 d19 d21 d24 D27 = D29* d1 d3 d4 d5 d7 d8 d12 d13 d14 d15 d16 d19 d20 d22 D28 = D30* d2 d4 d5 d6 d8 d9 d13 d14 d15 d16 d17 d20 d21 d23 D29 = D30* d1 d3 d5 d6 d7 d9 d10 d14 d15 d16 d17 d18 d21 d22 d24 D30 = D29* d3 d5 d6 d8 d9 d10 d11 d13 d15 d19 d22 d23 d24 D25, D26, D27, D28, D29, D30 are the six parity bits which are appended to the end of each 24 bits of data, making up the full 30 bit Word. The mark * means previous value in time sequence. So D29* and D30* are the last two bits of parity of the previous 30 bit word. means module-2 addition, or XOR. Also, bit 23 and bit 24 of HOW and the last word of each sub-frame should be decoded in order to verify that both D29 and D30 of this word be 0. Except TLM, parity checking and HOW, each sub-frame has its own parameters and characters to carry out satellite messages. As we mentioned before, sub-frames 1 to 3 carry the identical information format. But for sub-frames 4 and 5, they carry different information with different format on different pages Navigation Data From Sub-frame 1 Sub-frame 1 contains the GPS date (week number) and information to rectify the satellite's time to GPS time, plus satellite status and health. The structure of sub-frame 1 is shown below. 14

23 Figure 9 Sub-frame 1 Structure In this figure, *** means reserved bits. P is 6-bit parity check bits. t is two noninformation bearing bits used for parity computation. C is TLM bits 23 and 24, where bit 23 is the integrity status flag and bit 24 is reserved. Other parameters in sub-frame 1 include 10 bits for GPS week number, 2 bits as a symbol of existence of any signals on L2, 4 bits for URA index, 6 bits for space vehicle (SV) health data, 2 bits as the most significant bits (MSBs) of the 10-bit issue of the clock (IODC) data, 1 bit for navigation data on P(Y) code flag, 8 bits for L1-L2 correction term, and 62 bits for satellite clock correction terms, time of clock (t oc ), SV clock bias (a f0 ), SV clock drift (a f1 ) and SV clock drift rate (a f2 ). In word 3, the 10 WN bits are the MSBs calculated by the week number modulo 1024, which increases at each end/start of week epoch. Bits 11 and 12 of word 3 indicate which code(s) 15

24 is (are) turned ON for the L2 channel: 00 = Reserved, 01 = P code ON and 10 = C/A code ON. Bits 13 through 16 of word 3 give the URA index (N) of the SV for the standard positioning service user, which is an integer in the range of 0 through 15. We can calculate the nominal URA (X) by the following functions: N 6: X = 2 1+N 2 6 N < 15: X = 2 N 2 N = 15 shall indicate the absence of an accurate prediction and shall advise the standard positioning service user to use that SV at his own risk. Table 3 URA Index & Range URA INDEX URA(m) URA INDEX URA(m) <URA <URA <URA <URA <URA <URA <URA <URA <URA <URA <URA< <URA <URA <URA <URA URA> (or no accuracy prediction is available) In word 3, bit 23 and bit 24 are the 2 MSBs of the 10-bit issue of clock (IODC) data, the eight LSBs of IODC is in bits 1 through 8 of word 8. The MSB of word 4 is 1 if the navigation data stream was OFF on the P(Y) code of L2 channel. The MSB is 1 only when some or all navigation data are bad. Bit 17 through 22 of are for satellite health. The 5 LSB is the satellite health status, shown in Table 3. 16

25 Table 4 Code for Health of SV Signal Components 5LSB Definition All Signals OK All Signals Weak* All Signals Dead All Signals Have No Data Modulation L1 P Signal Weak L1 P Signal Dead L1 P Signal Has No Data Modulation L2 P Signal Weak L2 P Signal Dead L2 P Signal Has No Data Modulation L1 C Signal Weak L1 C Signal Dead L1 C Signal Has No Data Modulation L2 C Signal Weak L2 C Signal Dead L2 C Signal Has No Data Modulation L1 & L2 P Signal Weak L1 & L2 P Signal Dead L1 & L2 P Signal Has No Data Modulation L1 & L2 C Signal Weak L1 & L2 C Signal Dead L1 & L2 C Signal Has No Data Modulation L1 Signal Weak* L1 Signal Dead L1 Signal Has No Data Modulation L2 Signal Weak* L2 Signal Dead L2 Signal Has No Data Modulation SV Is Temporarily Out (Do not use this SV during current 17

26 pass)** SV Will Be Temporarily Out (Use with caution)** One Or More Signals Are Deformed, However The Relevant URA Parameters Are Valid More Than One Combination Would Be Required To Describe Anomalies (Not including those marked with ** ) In this table, * indicates 3 to 6 db below specified power level due to reduced power output, excess phase noise, SV attitude, etc., and for ** one needs to refer to the definition above for Health Code In word 7, bits 17 through 24 contain the L1-L2 correction term T GD. Bits 9 through 24 of word 8, bits 1 through 24 of word 9, and bits 1 through 22 of word 10 are the parameters for time of clock t oc, SV clock bias a f0, SV clock drift a f1 and SV clock drift rate a f2, which are needed for an apparent satellite clock correction. For thorough details of these parameters and satellite clock correction, please refer to section of IS-GPS-200F Navigation Data From Sub-frames 2 &3 For sub-frames 2 & 3, they are focusing on ephemeris data transmission, the only time information and basic sub-frame information are carried by TLM and HOW. So even if without sub-frame 4 and sub-frame 5, the GPS user can still get receiver position from the information acquired from sub-frames 1, 2 and 3. 18

27 Figure 10 Sub-frame 2 Structure In this figure, *** means reserved bits. P is 6-bit parity check bits. t is two noninformation bearing bits used for parity computation. C is TLM bits 23 and 24, where bit 23 is the integrity status flag and bit 24 is reserved. Sub-frame 2 contains part of ephemeris parameters including: issue of data (Ephemeris) (IODE), amplitude of the sine harmonic correction term to the orbit radius (C rs ), mean motion difference from computed value (Δn), mean anomaly at reference time (M 0 ), amplitude of the cosine harmonic correction term to the argument of latitude (C uc ), eccentricity (e), amplitude of the sine harmonic correction term to the argument of latitude (C us ), square root of the semi-major axis ( A), and reference time ephemeris (t oe ). There are other 1 bit "fit interval" flag and 5 bits age of data offset (AODO). 19

28 Figure 11 Sub-frame 3 Stucture In this figure, *** means reserved bits. P is 6-bit parity check bits. t is two noninformation bearing bits used for parity computation. C is TLM bits 23 and 24, where bit 23 is the integrity status flag and bit 24 is reserved. Sub-frame 3 contains the rest of the ephemeris parameters including: amplitude of the cosine harmonic correction term to the angle of inclination (C ic ), longitude of ascending node of orbit plane at weekly epoch (Ω 0 ), amplitude of the sine harmonic correction term to the angle of inclination (C is ), inclination angle at reference time (i 0 ), amplitude of the cosine harmonic correction term to the orbit radius (C rc ), argument of perigee (ω), rate of right ascension (Ω ), 8 least significant bits (LSBs) of a 10-bit issue of data ephemeris (IODE), and rate of inclination angle (IDOT). 20

29 Ephemeris data and receiving time are the most important two components of calculating receiver position. With the ephemeris data and time delays of at least 4 satellites, a receiver can obtain all the parameters sent from each of the satellite, and calculate the pseudo-range from each satellite and the receiver, then locate the receiver. Table 5 has listed all the ephemeris data collected from sub-frames 2 and 3. Table 5 Ephemeris Data from Sub-frame 2& 3 Parameter Definitions Number of bits units M0 Mean Anomaly at Reference Time 32 semi-circles Δn Mean Motion Difference from Computed Value 16 semi-circles/sec e Eccentricity 32 dimensionless A Square Root of the Semi Major Axis 32 meters Ω0 Longitude of Ascending Node of 32 semi-circles Orbit Plane at Weekly Epoch i0 Inclination Angle at Reference Time 32 semi-circles ω Argument of Perigee 32 semi-circles Ω Rate of Right Ascension 24 semi-circles/sec IDOT Rate of Inclination Angle 14 semi-circles/sec Amplitude of the Cosine Harmonic Cuc Cus Crc Crs Cic Correction Term to the Argument of latitude 16 radians Amplitude of the Sine Harmonic Correction Term to the Argument of 16 radians Latitude Amplitude of the Cosine Harmonic Correction Term to the Orbit Radius 16 radians Amplitude of the Sine Harmonic Correction Term to the Orbit Radius 16 radians Amplitude of the Cosine Harmonic Correction Term to the Angle of Inclination 16 radians 21

30 Cis Amplitude of the Sine Harmonic 16 radians Correction Term to the Angle of Inclination toe Reference Time Ephemeris 16 seconds IODE Issue of Data Navigation Data From Sub-frames 4 & 5 Both sub-frames 4 and 5 have 25 versions, referred to as pages 1 through 25. Except the reserved for system use pages, sub-frame 4 has 7 different format pages while sub-frame 5 has 2. Table 6 Data Contained in Sub-frames 4 & 5 Sub-frame Page(s) Data 1, 6, 11, 16 and 21 Reserved 2, 3, 4, 5, 7, 8, 9 and 10 almanac data for SV 25 through 32 respectively 12, 19, 20, 22, 23 and 24 Reserved Navigation Message Correction Table 13 (NMCT) 4 14 and 15 Reserved for system use 17 Special messages 18 Ionospheric and coordinated universal time (UTC) data 25 A-S flags/sv configurations for 32 SVs, plus SV health for SV 25 through 32 1 through 24 almanac data for SV 1 through 24 5 SV health data for SV 1 through 24, the 25 almanac reference time, the almanac reference week number 22

31 Bits 1 and 2 of word 3 in each page are the data ID, denoting the navigation data structure. At the present time, it is 01 in binary. Bits 3 through 8 following the data ID are the SV ID [3]. Table 7 Data IDs and SV IDs in Sub-frames 4 & 5 Page Sub-frame 4 Sub-frame 5 Data ID SV ID* Data ID SV ID* 1 Note(2) 57 Note(1) 1 2 Note(1) 25 Note(1) 2 3 Note(1) 26 Note(1) 3 4 Note(1) 27 Note(1) 4 5 Note(1) 28 Note(1) 5 6 Note(2) 57 Note(1) 6 7 Note(1) 29 Note(1) 7 8 Note(1) 30 Note(1) 8 9 Note(1) 31 Note(1) 9 10 Note(1) 32 Note(1) Note(2) 57 Note(1) Note(2) 62 Note(1) Note(2) 52 Note(1) Note(2) 53 Note(1) Note(2) 54 Note(1) Note(2) 57 Note(1) Note(2) 55 Note(1) Note(2) 56 Note(1) Note(2) 58 Note(3) Note(1) Note(2) 59 Note(3) Note(1) Note(2) 57 Note(1) Note(2) 60 Note(3) Note(1) Note(2) 61 Note(3) Note(1) Note(2) 62 Note(1) Note(2) 63 Note(2) 51 23

32 The notations in Table 6 are as follows. *: Use 0 to indicate dummy SV. When using 0 to indicate dummy SV, use the data ID of the transmitting SV. Note(1): Data ID of that SV whose SV ID appears in that page. Note(2): Data ID of transmitting SV. Note(3): SV ID may vary (except for IIR/IIR-M/IIF SVs). The GPS almanac is a set of data containing information on the state of the entire GPS satellite constellation, and coarse data on every satellite s orbit. With almanac data, a receiver can make a list of visible satellites and acquire them much easier. For more information about satellite acquisition using almanac data, please refer to the related literature [3]. Table 8 Almanac Parameters Parameter Definitions No. Bits of Scale Factor(LSB) Effective Range** Units e Eccentricity dimensionless t oa Time of Almanac ,112 seconds δ i *** Inclination Offset 16* 2 19 semi-circles Ω A Rate of Right Ascension Square Root of Semi-Major Axis 16* 2 38 semi-circles/sec meters Ω 0 Longitude Orbital Plane of 24* 2 23 semi-circles ω Argument Perigee of 24* 2 23 semi-circles M 0 Mean Anomaly 24* 2 23 semi-circles a f0 Zeroth-Order Clock Correction 11* 2 20 seconds a f1 First-Order Correction Clock 11* 2 38 sec/sec 24

33 In this table, *: parameters so indicated shall be two s complement with the sign bit (+ or -) occupying the MSB; **: Unless otherwise indicated in this column, effective range is the maximum range attainable with indicated bit allocation and scale facto; ***: relative to i 0 = 0.30 semi-circles. Navigation Message Correction Table (NMCT) data are on page 13 of sub-frame 4. Bits 9 and 10 of word 3 on this page contain availability indicator (AI), followed by 30 six-bit estimated range deviation (ERD) values. For each SV, the ERD value in the NMCT is an estimated pseudo-range error. For AI, 00 means the correction table is unencrypted and is available to both precise positioning service users and standard positioning service users. 01 means the correction table is encrypted and is available only to authorized users (normal mode). 10 means no correction table available for either precise positioning service users or standard positioning service users. And 11 is reserved. Page 18 of sub-frame 4 contains ionospheric parameters and UTC parameters. Ionospheric parameters allow L1 or L2 only users to utilize the ionospheric model for computation of the ionospheric delay. The UTC parameters are for correlating UTC time with GPS time. GPS time is the atomic time scale implemented by the atomic clocks in the GPS ground control stations and the GPS satellites themselves. It was zero at 0h 6-Jan-1980 and is now ahead of UTC by 16 seconds because it is not perturbed by leap seconds [7]. Ionospheric and UTC parameters shall be refreshed at least once every six days. Table 9 Ionospheric and UTC parameters Parameter No. of Bits Scale Factor (LSB) Effective Range** Units 25

34 α 0 8* 2 30 seconds α 1 8* 2 27 sec/semi-circle α 2 8* 2 24 sec (semi ci rcle) 2 α 3 8* 2 24 sec (semi ci rcle) 3 β 0 8* 2 11 seconds β 1 8* 2 14 sec/semi-circle β 2 8* 2 16 sec (semi ci rcle) 2 β 3 8* 2 16 sec (semi ci rcle) 3 A 0 32* 2 30 seconds A 1 24* 2 50 sec/sec t LS 8* 1 seconds t ot ,112 seconds WN t 8 1 weeks WN LSF 8 1 weeks DN 8*** 1 7 days t LSF 8* 1 seconds In Table 8, *: parameters so indicated shall be two s complement with the sign bit (+ or -) occupying the MSB; **: Unless otherwise indicated in this column, effective range is the maximum range attainable with the indicated bit allocation and scale factor; ***: Right justified. Details about ionospheric and UTC parameters can be referred to sections and of IS-GPS-200F [3]. Page 25 of sub-frame 4 provides the A-S status and the configuration code up to 31 satellites. For each satellite, there is a 4-bit term. The MSB is 1 if A-S mode is ON. The other 3 LSBs indicate the configuration code of that satellite as shown below: Table 10 Configuration Code 26

35 Code SV Configuration 000 Reserved 001 A-S capability, plus flags for A-S and alert in HOW (e.g. Block II/IIA/IIR SV) A-S capability, plus flags for A-S and alert in HOW; M-Code signal capability, L2C signal capability (e.g., Block IIR-M SV). A-S capability, plus flags for A-S and alert in HOW; M-Code capability, L2C signal capability, L5 signal capability (e.g., Block IIF SV) A-S capability, plus flags for A-S and alert in HOW; M-Code capability, L1C signal capability, L2C signal capability, L5 signal capability, no SA capability (e.g., GPS III SV). There are two types of satellite health data that sub-frames 4 and 5 provide: an 8-bit satellite health status word in the almanac data, and a 6-bit satellite health status word for up to 31 satellites in page 25 of both sub-frames 4 and 5. The 6-bit data and the 6 LSBs of the 8-bit data are the same as the health data in subframe 1. The 3 MSBs of the 8-bit data are as shown below: Table 11 Navigation Data Health Indications Bits Indication 000 ALL DATA OK 001 PARITY FAILURE some or all parity bad 010 TLM/HOW FORMAT PROBLEM any departure from standard format (e.g., preamble misplaced and/or incorrect, etc.), except for incorrect Z-count, as reported in HOW Z-COUNT IN HOW BAD any problem with Z-count value not reflecting actual code phase SUBFRAMES 1, 2, 3 one or more elements in words three through ten of one or more sub-frames are bad SUBFRAMES 4, 5 one or more elements in words three through ten of one or more sub-frames are bad 27

36 ALL UPLOADED DATA BAD one or more elements in words three through ten of any one (or more) sub-frames are bad ALL DATA BAD TLM word and/or HOW and one or more elements in any one (or more) sub-frames are bad 3 Kalman Filter and Its Application Kalman filter which was developed by Rudolph E. Kalman is a kind of recursive filter used in time-varying linear systems. The Kalman filter is able to model a linear, discrete-time, finite-dimensional system. Endowed with a recursive structure, it makes a digital computer well suited for its implementation [6]. The Kalman filter can estimate or even predict certain quantities of the system that may or may not be directly measured. It uses noisy measurement in the past and present to predict certain parameters in the future by a minimum mean-square criterion to optimize the result. One typical example for Kalman filter is to predict the coordinates of location and speed of an object from a limited set of noisy observations of the object position. It can be found in many engineering applications, such as radar, computer vision. At the same time, Kalman filter is also an important tool in control theory and control system engineering. Besides the traditional Kalman Filter for linear estimation, there is also Extended Kalman Filter to work with non-linear systems. 3.1 Kalman Filter Model 28

37 Figure 12 Kalman Filter Model In the figure above, it shows the general idea of how Kalman filter model works. Only if the model is satisfied, Kalman Filter could be applied. First, to build up a Kalman filter, the states denoted as X and the transition model are the core. The states are the object behavior that we want to estimate at a certain time. In the linear case, the transition model is expressed as a transition matrix, typically named F. The transition model determines how the states as a vector transition from one time instant to the next. All the state values are true values which mean they are unknown to us. Second, measurement is needed. Through a measurement matrix which is a measurement model, we can get observation Y. For the measurement matrix C, it is a model or a pattern typically expressed as a matrix to describe how to observe quantities that are related to the states. Third, the noise part, which should be independent of each other. The covariance 29

38 matrix of the noise are important parameters for the prediction of states. In addition, the Kalman filter needs initial values which are important to the speed of convergence. For the control components U and B, they are not required in this thesis, so the control component part is absent. The Kalman filter model can be expressed as x(n + 1) = F(n + 1, n)x(n) + B(n)U(n) + v 1 (n) (3.1) y(n) = C(n)x(n) + v 2 (n) (3.2) For Eq.(3.1) and (3.2), all n indicates time instant n. All variables are vectors. Table 12 lists all the variables and their definition.[5] Table 12 Kalman filter model variable definition Variables Definition x(n) State vector at time n y(n) Observation (measurement) vector at time n U(n) Control vector at time n B(n) Control-input matrix at time n F(n + 1, n) Transition matrix from time n to time n+1 C(n) Measurement matrix at time n Q 1 (n) Correlation matrix of process noise v 1 (n) Q 2 (n) Correlation matrix of measurement noise v 2 (n) x (n y n 1 ) Predicted estimation of the state at time n, given the observation y(1), y(2),, y(n 1) x (n y n ) Filtered estimation of the state at time n, given the observation y(1), y(2),, y(n) G(n) Kalman gain matrix at time n α(n) Innovation vector at time n R(n) Correlation matrix of the innovation vector α(n) K(n, n 1) Correlation matrix of the error in x (n y n 1 ) K(n) Correlation matrix of the error in x (n y n ) 30

39 3.2 Kalman Filter Principles In section 3.1, it explained the Kalman Filter model. When the study object corresponds to the Kalman filter model, the Kalman filter principles can be applied. Kalman filter formulas consist of two parts: time updates and state updates [5]. For the Kalman filter time updates, it shows as follows x (n y n 1 ) = F(n, n 1)x (n 1 y n 1 ) + B(n)U(n) (3.3) Since here we do not use the control part, Eq. (3.3) can be written as x(n y n 1 ) = F(n, n 1)x(n 1 y n 1 ) (3.4) K(n, n 1) = F(n, n 1)K(n 1)F H (n, n 1) + Q 1 (n) (3.5) For the Kalman filter state updates, it shows as follows α(n) = y(n) C(n)x (n y n 1 ) (3.6) G(n) = F(n, n 1)C H (n 1)[C(n)K(n, n 1)C H (n) + Q 2 (n)] 1 (3.7) x (n y n ) = x (n y n 1 ) + G(n)α(n) (3.8) K(n) = K(n, n 1) F(n 1, n)g(n)c(n)k(n, n 1) (3.9) Here, C H (n)is the Hermitian matrix of C(n). [C(n)K(n, n 1)C H (n) + Q 2 (n)] 1 is the inverse of matrix C(n)K(n, n 1)C H (n) + Q 2 (n). In this set of formulas, the estimated state at time n is based on all the observation until time n. Figure 21 shows how the Kalman filter iteration is computed. The best estimation is based on all the measurement at time n and the previous prediction. 31

40 Figure 13 Kalman Filter Estimation Algorithm On the other hand, the Kalman filter theory also provided another set of formulas to estimate the state for time n+1 based on all the observations up to time n, i.e., Kalman prediction. According to [6], since here we do not use the control part, all the updates can be written as K(n + 1, n) = F(n + 1, n)k(n)f H (n + 1, n) + Q 1 (n) (3.10) α(n) = y(n) C(n)x (n y n 1 ) (3.11) x (n + 1 y n ) = F(n + 1, n)x (n y n 1 ) + G(n)α(n) (3.12) G(n) = F(n + 1, n)k(n, n 1)C H (n)[c(n)k(n, n 1)C H (n) + Q 2 (n)] 1 (3.13) K(n) = K(n, n 1) F(n, n + 1)G(n)C(n)K(n, n 1) (3.14) 32

41 This set of formulas shows how the iteration of Kalman filter works when the observation is one time step behind the prediction. The prediction is for time n+1, while the observation is only at time n. In this relationship, the estimation is ahead of the current observation time. In our simulation, we take this kind of prediction to help with PLL tracking loop. The core of these formulas above can be expressed by the following Figure 14. Figure 14 Kalman Filter Prediction Algorithm 33

42 4 Tracking Loop in Software Receiver Tracking in a software receiver is comprised of two loops, the code phase tracking loop and the carrier tracking loop. 4.1 Code Tracking The below Figure 15 shows how the code tracking loop works. Since the arrival times of GPS signals vary with distance and possibly time if the receiver moves, the code tracking process is supposed to remove the C/A code by finding out the appropriate arrival time, or code phase shift. It is called a Delay locked-loop (DLL). The main algorithm is to correlate the acquired satellite signals with a locally generated C/A code to identify which satellite each signal belongs to and where a correlation peak is. Based on the peak position, the corresponding shift of the local C/A code indicates the signal arrival time, and hence the pseudorange. Figure 15 Code Phase Tracking Loop Structure 34

43 Theoretically, from the properties of an orthogonal C/A code, there should be no correlation peak if two signals are misaligned by more than one chip. Also only auto-correlation can produce a peak when two signals are perfectly aligned. Therefore, lacking any significant peak, the crosscorrelation results can be treated as noise. To more precisely find out the arrival time, there is a scheme called early/prompt/late correlation. By shifting the locally generated C/A code by 0.5 chip forward and backward, we get the early and late C/A code. Take both of the early and late code, as well as the un-shifted (prompt) code to correlate with the received satellite signal, we get three correlation results. By judging the peak s position of the three correlator outputs, the signal arrival time can be more accurately estimated. This process can be expressed as I = LP{received data cos(2π f c t)} Q = LP{received data sin(2π f c t)} I e = early signal I Q e = early signal Q I l = late signal Q Q l = late signal Q ε = I e 2 2 +Q e I l 2 +Q l 2 (4.1) ε = 1, the prompt code is aligned with the incoming C/A coded signal, no shift is necessary, ε <1, a code phase shift to the left has occurred, shift the code phase forward, ε>1, a code phase shift to the right has occurred, shift the code phase backward. The above shifting is executed in the C/A code generator. Only when ε = 1 is achieved, the prompt correlator output gives the correct timing. 35

44 4.2 Carrier Tracking Loop Figure 16 Carrier Tracking Loop Structure Since the satellites (and possibly the receiver) are moving, all carrier frequencies of GPS signals experience Doppler shifts of varying amount. Therefore, the local carrier frequency generator should follow the trend and produce local carrier correspondently. This kind of scheme can be achieved by the algorithm which is called a phase locked loop (PLL). The fundamental use of this loop is in comparing frequencies of two waveforms, one being the input and the other being locally generated, and then adjusting the frequency of the locally generated waveform in the loop to equal the input waveform frequency. The figure above shows how the carrier tracking loop looks like. It is similar to the code phase tracking loop but it only uses the prompt code correlation results instead of the early and the late code correlation results. The carrier numerically controlled oscillator (NCO), the loop filter and the I-Q branches comprise the Costas PLL [9]. 36

45 Figure 17 Costas Phase-Locked Loop in Time Domain Within the Costas phase-locked loop, there is a loop filter, which significantly affects the behavior of the PLL. A simple loop filter can be a first order filter, and can be described by Eq. (4.2) in the s domain F(s) = sτ 2+1 sτ 1 (4.2) It can also be implemented by digital means, such as shown in the following figure Figure 18 A Simple Carrier Loop Filter Structure in Z Domain 37

46 In the z-transform domain, the loop filter transfer function can be expressed as F(z) = A 1 + A 2 (4.3) 1 z 1 A 1 = 2τ 2 t s τ 1 A 2 = t s τ 1 A1 and A2 are the loop filter coefficients. t s is the sampling interval. τ 1 and τ 2 are the loop filter coefficients, which determine the loop filter behavior. In a common software GPS receiver, a second order loop filter is used in the Costas PLL [1]. The transfer function of the second order PLL (not just the loop filter) in the z-domain can be written as H(z) = In Eq. (4.4) the coefficients are calculated as k 0 k 1 (C 1 +C 2 )z 1 k 0 k 1 C 1 z 2 1+[k 0 k 1 (C 1 +C 2 ) 2]z 1 +(1 k 0 k 1 C 1 )z C 1 = 1 8ζω n t s k 0 k ζω n t s + (ω n t s ) 2 C 2 = 1 k 0 k 1 4(ω n t s ) ζω n t s + (ω n t s ) 2 2 (4.4) ω n = k 0k 1 τ 1 ζ is the damping factor. ω n is called the natural frequency, k 0 k 1 is called the loop gain. The parameter values of the damping factor, natural frequency and loop gain are chosen based on experimental results in reference [8]. The damping factor is usually chosen as 0.707, which is considered to be optimum. 4.3 IF Spoofing Signal Generation 38

47 A spoofing signal is supposed to transmit through an antenna in radio frequency. Here in this thesis, we generate the IF spoofing signal by simulation in MATLAB. There are several requirements for the spoofing signal generation, appropriate for an intermediate level spoofing attack. First, an authentic GPS signal is required for a spoofer to receive. Second, the GPS signal information should be decoded by the spoofer properly, which entails that the format of the GPS signal should be clearly mastered by the spoofer. Finally, manipulation of the navigation message for the purpose of spoofing should be performed accordingly. For the intermediate level spoofing [2], the spoofer will clearly need to decide on a target that it is going to attack. Because the spoofer finds a specific target, it will need to know where the target is because a fake GPS signal needs to be generated for that specific location. The spoofer could even spoof the target receiver in close proximity. If the spoofer gets to a proper position, i.e., close to the target, it can observe the same satellites as the target receiver. This is very important. If the spoofer and the victim get close enough so they receive the same satellites, it makes the spoofer s spoofing signal generation much easier, since it only needs to alter the received GPS signal slightly, instead of computing which satellites the target will see and generating GPS signals from scratch for such satellites that the spoofer cannot see [4]. Decoding the GPS signal accurately is also very important to a GPS spoofer. For the intermediate spoofing, the spoofer needs to decode its received authentic GPS information very quickly, so that the generated fake GPS signal can suffer less delay [2]. And the navigation message itself is important, whether decoded or regenerated, because a wrong navigation message may cause location calculation to produce an obviously erroneous result that is either not usable or easy to catch an unsuspecting receiver s attention, such as a negative altitude with thousands of meters. Clearly, decoding the navigation information accurately will help a spoofer 39

48 to make adjustments in generating a fake GPS signal easily. In summary, to generate a fake GPS signal, the power level, the carrier frequency, the code phase, and the navigation message as well as timing are all important parameters. If any of them goes wrong with a target receiver, delay, jitter or even errors may occur which may cause the target receiver to be aware of possible spoofing. It is likely that an intermediate spoofer may want to mislead a target receiver to a certain location by spoofing, instead of re-generating standard GPS signals. So after the authentic GPS signal has been decoded, an intermediate spoofer will work out the mathematics to generate fraudulent GPS signals and its corresponding navigation messages according to the position and route it desires for the target receiver to deviate gradually from its original path. In our simulation, we focused on the regenerating the GPS signals and changed their parameters slightly to make a target receiver to perform a line motion. Most of the data structure information of our simulation is from reference [3]. The first step is to download the ephemeris and almanac data from the government GPS websites [15][16]. The second step is to change the downloaded ephemeris into a binary file. As we discussed in Chapter 2, there are 25 pages of a whole set of GPS information. They are all used in specific numbers and positions to carry the satellite information. And in this step the spoofer will modify the navigation message accordingly. The third step is to modulate the navigation message with the C/A code. In the first three sub-frames most of the important navigation messages for location calculation are presented. It also means that even if there is no information in sub-frame 4 or sub-frame 5, the receiver s location can still be calculated correctly. Although there are only several simulation results shown in this thesis in Chapter 5, we performed more than hundreds of simulations to test the result. Thanks to the actual GPS data 40

49 captured by AFRL(Air Force Research Laboratory) in Dayton, our spoofing signal generation has actual data to imitate. Although the GPS data format can be easily found in reference [3], every bit should be processed very carefully. Because of parity check, all sub-frames are connected together. And since some bits are in the unit of radians, some are with their own special definition, to generate an exact IF GPS signal needs quite a lot of detailed work. In addition, spoofing a target receiver onto a linear trajectory is not as easy as it seems to be. Since all satellites are moving, to make the target receiver move according to the spoofing signal involves much complex calculations There are theoretically two kinds of overtaking of the tracking loop by a spoofing signal. One is sudden overtaking, and the other one is gradual, i.e., ramping-up type. For the sudden type of overtaking, the spoofing signal debuts with an overwhelming power to the authentic GPS signal. While for the ramping-up type, the spoofing signal shows up with a lower signal power than the authentic GPS signal. As time goes on, the power of the spoofing signal will increase gradually. And at a certain point, the spoofing signal power is above the authentic GPS signal power. For both kinds of overtaking, they all can cause inconsistency of the carrier and code phases, since even for gradual increasing in spoofing power, the overtaking still happens all of a sudden. Once the spoofing signal takes over the tracking loop, it will stay on controlling the GPS tracking loop. In our simulation, we chose sudden type of overtaking and it stayed on the GPS tracking loop once the spoofing signal takes over the tracking loop. 4.4 Current Spoofing Detection Methods and Results The spoofing detection method nowadays can be grouped in 5 categories. Direction of arrival comparison, Time of arrival discrimination, Signal quality and Consistency check, Cryptographic authentication, and Power level monitoring. 41

50 Direction of arrival comparison is focusing on the direction difference of spoofing signal and the authentic GPS signals [25]. Since there must be a different source direction, spoofing signal detection is possible. This however requires a receive antenna array. Time of arrival discrimination, also known as TOA discrimination, is aided with a GPS/TOA network. A fraudulent GPS spoofing signal always lags authentic GPS signals due the spoofer s need to decode and replicate authentic GPS signals [24]. With the aid of such a GPS/TOA network, the GPS receiver could detect the time difference of spoofing signal and authentic signal much easier and more accurate than before, which makes the spoofing detection possible. The cost of such an approach is obviously high due to the need for such a network infrastructure. Cryptographic authentication and Power level monitoring are performed in straightforward ways. When GPS signals are encoded, it is difficult for the spoofer to generate an artificial signal with matching cryptographic code, so that spoofing attack could be eliminated. Cryptographic authentication is indeed implemented in the military GPS P(Y) code. By monitoring the received signal power level, it is also possible to observe the incoming signal power level difference if the spoofing attack is happening, because the spoofing signal is always coming with a higher level of power especially when it takes over the tracking loop. However, power level monitoring is not always reliable, since the received GPS signal power levels change with many uncontrollable parameters such as location, time, weather, etc. Signal quality and Consistency check includes code and carrier quality monitoring, code phase consistency check, carrier phase consistency check and GPS clock consistency check. Cross Ambiguity function, also known as CAF, can be used in GPS code and carrier quality monitoring to detect spoofing attack [26]. Code phase consistency check and carrier phase consistency check are used to detect spoofing attack by monitoring the behavior of code phase or 42

51 carrier phase. If the code phase or carrier phase is detected corresponding to a certain form, spoofing attack will be uncovered. And our research in this thesis is one of these consistency checks, but it is innovative and unique. By monitoring the carrier frequency behavior through a Kalman filter, which was not done before, the monitored result will be evaluated by a proposed test function. Spoofing detection is performed by the test function based on the Kalman filter output.. 5 KF aided Tracking Loop & Spoofing Detection As we discussed before, the GPS receiver is very vulnerable to spoofing attacks. In this chapter we propose a way to detect a spoofing attack. Since GPS spoofing signal is not a perfect imitation of the received authentic GPS signal, there are always some flaws so that the spoofing signal is different from the original signal. One of the flaws is that the GPS spoofing signal can hardly make its carrier frequency/phase and its code phase to match the original GPS signal when the spoofing signal is taking over the tracking loop of a target receiver. In this thesis we are only interested in the carrier frequency/phase mismatch when a spoofing signal is over-taking a target receiver. By using a Kalman filter aided tracking loop, we show in this Chapter that we can monitor the tracking loop behavior to detect unusual behaviors that indicate a spoofing event. 43

52 5.1 KF aided Tracking Loop Model Figure 19 Kalman Filter Aided Tracking Loop Model Figure 19 gives a block diagram of the proposed Kalman filter aided tracking loop. This scheme is based on reference [7]. In the reference [7], there is no Test Function and the Kalman filter output feeds back into the carrier tracking loop. So the Kalman filter in [7] is a part of the carrier tracking loop to help refine the carrier NCO output. But in our model, the scheme of [7] has been modified in that we changed the direction of Kalman filter output and added a new formula to deal with spoofing detection called Test Function. The Kalman filter and Test Function are functioning as a spoofing monitor, added to the traditional tracking loop without disturbing it. In this configuration, the Kalman filter s output is not used in the PLL but to be used to monitor spoofing together with the Test Function. In this way the operation of the practically proven traditional GPS software receiver is not disturbed. If desired, on the other hand, one can of course insert the Kalman filter into the tracking loop by directing its output into 44

53 the tracking loop as in [7]. In that case the test function will still tap into the Kalman filter output, and the spoofing detection will be the same as discussed in this Chapter. According to [7], for the Kalman filter aided PLL model, the state transition equation can be expressed as p n+1 1 T T2 p n T [ f n+1 ] = [ 0 1 T ] [ f n ] + [ 0 ] ω n + T 2 a n+1 a n 0 2 [ 1 0 0] 45 T2 ν1 n (5.1) Here it shows a more detailed Kalman filter model than the one described in Chapter 3. 1 T T2 2 The matrix [ 0 1 T ]is the transition matrix. ν1 n is the noise part, presenting the process noise, with the covariance at [ 1.85 ]. ω n is the nominal Doppler shift of the locally generated carrier for the phase correction. The three states are as follows. p n is the carrier phase difference between the actual signal and the software receiver s reconstructed signal, f n is the actual carrier signal s Doppler shift, and the drift rate of the Doppler shift is denoted as a n, all at the time n. Note that the PLL and the Kalman filter have the same update frequency, i.e., every 1ms (millisecond). Therefore the unit for n is millisecond. The observation function is described as p n+1 p n+1 = [1 0 0] [ f n+1 ] + ν2 n+1 (5.2) a n+1 Here the matrix[1 0 0] is the observation matrix. p_ob n+1 is the observation value, of carrier phase difference between the actual signal and the software receiver s reconstructed signal, i.e., the Kalman filter input from the NCO. ν2 n is the measurement noise.

54 The author of paper [7] used the first model of Kalman filter mentioned with a control vector in Chapter 3. As discussed in [7], ω n is the nominal Doppler shift of the locally generated carrier. Therefore ω n can be replaced by the fixed value of the initial Doppler shift estimate during the acquisition. This helps to eliminate the ω n term by redefining f n as the Dopplerremoved residual carrier frequency. Hence the above state equation simplifies to T2 p n+1 1 T T2 p n [ f n+1 ] = [ 0 1 T ] [ f n ] + T 2 ν1 a n+1 a 0 0 n (5.3) n 2 [ 1 0 0] p n p n [ f n ] = [ 0 1 0] [ f n ] + [ a n v2 n1 v2 n2 0 ] (5.4) Because the phase model has been changed, the observation method of the phase part is slightly changed as well. The only difference is that now the measured phase needs to be deducted the initially acquired Doppler frequency shift multiplied by time and 2π as p_ob n. The covariance 4π matrices of the process noise and measurement noise are given as [ ] and [ ], based on the simulation results The predicted estimates of the state at time n+1 is 1 T T2 p n 2 ] = [ 0 1 T ] [ f n a n a n p n+1 [ f n+1 G 11 G 12 G 13 ] + [ G 21 G 22 G 23 ] ([ G 31 G 32 G 33 p n p n f n ] [ 0 1 0] [ f n ]) (5.5) a n Here this predicted estimate of the state vector is the same as equation (9) of Chapter 3 in detail. G 11 G 12 G 13 [ G 21 G 31 G 22 G 32 G 23 ] is the gain matrix G(n). [ G 33 p n+1 f n+1 ] is the state prediction at time n+1. a n+1 46

55 The PLL part in our model remains the same as the traditional tracking loop. The carrier frequency output is F n = F 0 + NCO n + noise (5.6) n 1 NCO n = (λ 1 + λ 2 )t n + λ 2 k=1 t k (5.7) Here F n is also the frequency input (observation) to the Kalman Filter. F 0 is the carrier Doppler frequency acquired in the acquisition part. λ 1 is 1 explained in Chapter 4, and λ 2 is π τ 1 2π τ 2 τ 1, τ 1 and τ 2 are the PLL parameters. t n is arctan Q n, where Q I n and I n are the carrier- n removed and digitized GPS signal for the Q branch and the I branch at time n. 5.2 Carrier Tracking Under Spoofing Attack Doppler Frequency Prediction Because we are only interested in f n, we can get the following scalar equation from the state prediction vector equation, i.e. Eq. (5.5): f n+1 = (1 G 22 )f n + G 22 f n + G 21 (p n p n) + Ta n (5.8) In equation (17.1), f n is the predicted Doppler frequency, between -15KHz to 15KHz [5.8], f nis the observation from the output of PLL. G 21 and G 22 are part of the gain vector, which are calculated by (3.13). In our simulation, when the Kalman filter is stable G 21 = , therefore it is generally very small. At the same time, (p n p n) < 2π, T is the time interval which is 0.001s, and a n is just at the noise level, as shown in Eq. (5.8). Therefore, we can rewrite f n+1 as the following expression, where F n = f n, C is a small constant number. 47

56 f n+1 = (1 G 22 )f n + G 22 F n + C (5.9) From the above equation, we can also iterate to get the Kalman filter frequency prediction as or n f n+1 = s=1 (G 22 F s + C)(1 G 22 ) n s + F 0 (1 G 22 ) n (5.10) f n+1 = n s=1 (G 22 (NCO s + F 0 ) + C)(1 G 22 ) n s + F 0 (1 G 22 ) n (5.11) We can conclude from the recurrence formula Eq. (5.9) that the value of f n+1 is a low-pass filtered version of the input F n,with G 22 as the gain of the input, which decides where the single pole is. When G 22 is small, the single pole is close to the unit circle. As we know the pole of a low pass filter getting closer to the unit circle, the low pass filter frequency response will have a sharper roll off. It also means even if F n is large, f n+1 will not increase all of a sudden. That is, the output of the Kalman filter can smooth out random peaky jitters, which is shown in Figure 20 below. The blue line is a plot of F n, the output of PLL; and the red line is the plot of f n the output of Kalman filter. The smaller G 22 is, the more low-pass effect will take place. 48

57 Figure 20 Kalman Filter s Low-pass Effect on Frequency Estimation If a spoofing signal takes over the tracking loop, it has to satisfy two criteria. The first one is that the spoofing signal should have a higher power level than the authentic GPS signal. Because it has higher power, the correlation value in the tracking loop is larger, which means the peak is higher. The GPS receiver will then switch to the artificial spoofing signal by searching for a high peak. The second criterion is that the spoofing signal should have a close enough frequency to the authentic GPS signal carrier frequency. For an intermediate level spoofer, it will definitely decode the real GPS signal information first to get the carrier frequency. But there must be a delay between spoofing signal generation and the real GPS signal. Because there is always error in measurement, the spoofer can only produce a spoofing signal with error. There also must be a delay between the spoofer receiving the GPS signal and the spoofer transmitting the artificial signal. Because of error in the measurement and the delay, when spoofing signal takes over the receiver s tracking loop, there is a discontinuity of the carrier phase and code phase. So when the spoofing signal taking-over happens, PLL and DLL will lose their continuity. 49

58 DLL will keep on searching the peak until finding it. PLL jumps from the authentic carrier frequency to the spoofing signal frequency. And PLL cooperates with DLL, both began to trend back down to matching the spoofing signal in code phase and carrier phase. It also means that if a spoofing signal takes over the tracking loop at time n, NCO n is the one responding to the overtaking and to produce a jitter. Second, although Kalman filter can perform a smoothing function on F n, as shown in the figure above. There still can be jitters in the Kalman filter output f n+1. That is caused by spoofing signal overtaking the authentic signal. Because of the taking over, the PLL and DLL lost continuity, which could produce a jitter with a large magnitude. It takes a while for the PLL and DLL to settle, which means DLL to lock the correlation peak and PLL to lock the Doppler shift. That means it takes a while for the jitter in PLL from the peak trending back down to the normal level PLL and Kalman Filter Output Comparison As discussed above, because there must be some difference in carrier frequency between the spoofing signal carrier frequency and the true GPS carrier frequency when the spoofing signal is taking over, the output of the Kalman filter and the PLL responded differently. On the other hand, because of the noise, even if there is no spoofing attack, there still could be high spikes in the PLL output. The Kalman filter responds to this kind of jitters differently from the PLL output as well. Here we will show several simulations when the spoofing signal is taking over the tracking loop. 50

59 Figure 21 PLL And Kalman Filter Output Comparison 1 with PLL Output in Blue and Kalman Filter Output in Red Figure 22 PLL and Kalman filter output comparison 2 with PLL Output in Blue and Kalman Filter Output in Red 51

60 Figure 23 PLL and Kalman filter output comparison 3 with PLL Output in Blue and Kalman Filter Output in Red Figure 24 PLL and Kalman filter output comparison 4 with PLL Output in Blue and Kalman Filter Output in Red 52

61 There are four figures, i.e. Figures 21~24, picked out to show the conclusion. For all these figures, the red curve is the output of the prediction of Doppler shift from the Kalman filter. The blue curve is the output of Doppler shift from the PLL. All plots are the signal magnitude versus time. All these simulations are from different satellites with spoofing taking over at different times. For Figures 21 and 22, which are from satellite number 25 and number 14, we show that the output of the spoofing carrier frequency is 5Hz or more different from the authentic carrier frequency. For Figures 23 and 24, which are from satellite number 12 and number 22, they show the situation with Kalman filter output of the spoofing carrier differences within 5 Hz of the actual satellite signal carrier frequencies. In Figure 21, the spoofing takes over at time 9000ms, and it shows a big spike in both blue and red curve. For the PLL output, the blue curve, there are several big spikes caused by noise after 9000ms, which are very competitive to the spoofing spike. However, for the Kalman filter output, the red curve, the noise pikes are not so high. Only the spoofing spike is the most obvious. In Figure 22, the spoofing taking over happened at time 19000ms. There are no obvious high jitter shown by the PLL output, but there is an obvious jump in the Kalman filter output, when tracking loop is spoofed. In Figure 23 and Figure 24, the output of the carrier frequencies of the Kalman filter before and after spoofing do not differ much. In Figure 23, spoofing happened at 19000ms. It shows a huge jitter both in PLL output and Kalman filter output at the moment of spoofer taking over. In Figure 24, the spoofing taking over happened at time 15000ms. Figure 24 shows, before spoofing happened, there are large jitters in the PLL output, but not large in the Kalman filter output. It shows accordantly with other simulation results as well. 53

62 From the above simulations, we see that the traditional PLL is often not able to distinguish a spoofing jitter from noise jitter. And sometimes the noise jitter can be very competitive and even bigger than the spoofing jitter. However, the Kalman filter responds to spoofing jitter every time and makes it obvious. Because of the error and delay discussed in Section 5.2.1, when a spoofing signal takes over the tracking loop, the spoofing carrier frequency can hardly be the same as the authentic signal. Even if the spoofing carrier frequency is the same as the authentic one, the inevitable time delay may still cause a jitter at the time of taking over, as seen in Figures 23 and 24. In addition, there should be at least 4 satellites in 4 receiver channels. The spoofing signal should take over all available satellite channels. Due to different satellite locations in the sky, the Doppler shifts of all visible satellites observed by a receiver are necessarily different. It is extremely unlikely that a spoofer can imitate carrier frequencies of all channels perfectly. Here we need to mention that the Kalman filter here is mainly used to smooth out jitters in NCO output, as seen in the above figures. The reason that the Kalman filter output can distinguish jitters due to noise from those due to spoofing is because of the fundamental difference of NCO output jitters due to noise and due to spoofing. The noise jitters in the NCO output are very random, normally will not last more than 3 Milliseconds, whereas the spoofing jitters in the NCO output last much longer, normally from 7 Milliseconds to even more than 10 Milliseconds. This is due to the fact that the NCO needs to slowly catch up the frequency/phase mismatch due to taking over of the imperfect spoofing signal. Therefore the noise jitters are usually smoothed out by the Kalman filter, but the spoofing jitter will manifest itself at the Kalman filter output due to its longer duration. 54

63 In conclusion, a spoofer taking over the carrier frequency tracking loop will cause the Kalman filter frequency output a jitter spike of various heights. This has been observed in all of our simulations. In order to enhance this effect and make detection more reliable, we need to set a criterion for Kalman filter output to determine if the jitter is due to spoofing or not. 5.3 Test Function The proposed criterion is called a Test Function. The Test Function is expressed as following n+1 n+1- k=n α- +2 TF n = 1 ( α m=n-α+2 f m f k ) > ρ (21) In Equation (21), variable n means time n, in milliseconds. For the test function the time unit is the same as the Kalman filter, i.e., milliseconds. When n=100, it means time at 100ms. ρ, α and are constants. ρ is a threshold for the test function to determine if there is a spoofing signal taking over the tracking loop. α is an integer representing how many samples are used to do the time average. is the group delay, which is the time difference between two groups of the time averages. f n and TF n are functions of time, which are computed for every Kalman filter output sample and monitored as n increases. Clearly the Test Function is a difference of time averages of the Kalman filter output at two different blocks of time. As discussed before, if the NCO output F n experiences a jitter due to spoofing, i.e. a large spike, then due to the lowpass nature of the Kalman filter (17.2) several values after the value of f n, like f n+1, f n+2, will gradually get large. That is why time average is important, which can enhance such a persistent trend and suppress spikes due to random noise. We must choose the time span α properly. If α is too large, it means averaging over a long time, so that it may include many samples not due to the spoofing jitter, which may make the Test Function output not sharp enough to threshold. If α is chosen too small, on the other hand, the 55

64 average does not contain enough samples to cover the entire length of the spoofing jitter, it makes the Test Function vulnerable to noise jitter. α is typically chosen as 10, where 10 means 10 samples or 10 ms. The reason we choose 10 samples for the time average is because the jitter in f n due to spoofing will generally not last much longer than 10 ms which is determined by the Kalman gain G 22. The time gap must also be chosen with care. It cannot be too small since f n is stable over a short period of time due to its low pass nature. If it is chosen too small, the difference in values between the first sum and the second sum in TF n will not be significant enough for a robust spoofing detection. It cannot be too large either in order to maintain a steady baseline for the two sums, because the carrier frequency may drift over a long period of time. Typically, we choose as 60ms. The above argument for the choices of α and can be clearly seen in the next two figures. Figure 25 & Figure 26 show the trend of a measure of the peaks of all the outputs of test function when spoofing signal takes over the tracking loop, with different α and combinations in channel 4 with PRN 22. In Figure 25 and Figure 26, the x axis means the value of α, the y axis is the value of, and the height z axis is the ratio of the value of peak magnitude over the average of non-spoofing jitters. Note that Figure 26 is not an enlarged view of Figure 25. In Figure 26, the range of α is only 1/3 of that of Figure 25, but the range of is about 7 times that of Figure 25, i.e., is plotted from 1 to 1001 for every 20, in order to show the effect of large values of. I.e., the marks of axis in Figure 26 should be multiplied by 20 for the values of. When α is small, it shows that the peak values are not at their maximum, and are not stable. When α is too large, the peak values obviously decrease to a point where detection is not possible, as shown in Figure 25. This effect for large is shown in Figure 26. It is also seen from 56

65 Figure 25 that even though a small (from about 7 to 15 when α is about 15) may also give a peak, such peaks are not stable, as shown by a valley in Figure 25 for from about 15 to 40 when α is about 15). In other channels such peaks may completely disappear. Our general choice, = 60 and α = 10, is indeed very near the more stable peak as marked in Figure 25 for this particular channel. We can also see from Figure 25 that when is very small the peaks come up again as α increases. It is because when α is too large and is too small, n+1 m=n-α+2 f m and n+1- k=n α- +2 f k are overlapped, which is not desirable and will be further discussed in section 5.4. Figure 25 The Test Function Output Relative Peak Trend-1 57

66 Figure 26 The Test Function Output Relative Peak Trend-2 The choice of the threshold ρ directly affects the performance of the spoofing detection. If ρ is too small, the test function is too sensitive so it may cause false alarm. If ρ is too large, on the other hand, the test function may result in missed detection. Based on our simulation results, ρ is set at 3.5. For most of noise spikes, the test function produces values around 1 to 2. Only some rare noise spikes can make Test Function to reach up to 3. But for most spoofing jitters, the Test Function can easily go up to 4 or 5. Figure 27 shows the performance of the Test Function with parameters properly chosen. There are two plots in Figure 27. The upper plot is the output of the Test function, and the lower plot is the output of the Kalman fitler (red) and of the PLL (blue). All curves are plotted with magnitude verses time. And these curves show explicitly that when the spoofing signal produced a jitter, the output of the Test Function produced a high spike accordingly, without interference from noise. 58

67 Figure 27 Test Function Performance. Top: Test Function Output Bottom: Output of PLL (blue) and Kalman Filter (red) 59

68 5.4 Time Accuracy of Spoofing Detection Using Test Function In the previous part, we discussed the test function taking samples from time n+1 to n- α+2 and from n+1- to n+α- +2 when spoofing happens at the specific time n. In this section, the time accuracy of the Test Function in spoofing detection will be studied. First, we show that the Test Function is not able to tell spoofing happening right away when the spoofing signal takes over the tracking loop. Figure 28 Kalman Filter Jitter Peak is Behind the PLL Jitter Peak In Figure 28, the red curve is the output of Kalman filter f n and the blue curve is the output of PLL F n, the green curve is the output of the Test Function. Here the output of Test Fucntion has been rescaled in its magnitude to fit into this plot but still with the same time scale. We can tell the jitter peak of f n occurs later than the jitter peak of F n in time. This was explained by Eq.(5.9) due to its low pass mature. f n+1 being the lowpass filter output lags in variation to the lowpass filter output F n. But because of this kind of delay, the test function lags behind when spoofing happens, which is shown by the green curve. 60