Cooperative GPS Signal Authentication from Unreliable Peers

Transcription

1 Cooperative GPS Signal Authentication from Unreliable Peers Liang Heng, Daniel Chou, and Grace Xingxin Gao University of Illinois at Urbana-Champaign BIOGRAPHY Liang Heng is a postdoctoral research associate in the Department of Aerospace Engineering, University of Illinois at Urbana-Champaign. He received the B.S. and M.S. degrees from singhua University, China in 2006 and 2008, and the Ph.D. degree from Stanford University in 2012, each in Electrical Engineering. His research interests are cooperative navigation and satellite navigation. He is a member of the Institute of Electrical and Electronics Engineer (IEEE) and the Institute of Navigation (ION). Daniel Chou is a graduate student in the Department of Electrical and Computer Engineering, University of Illinois at Urbana-Champaign. He received his B.S. in Electrical Engineering from Arizona State University in His current research projects includes designing and implementing countermeasures against malicious attacks on civilian grade GPS receivers utilized in phasor measurement units. Grace Xingxin Gao is an assistant professor in the Aerospace Engineering Department at University of Illinois at Urbana-Champaign. She received her B.S. degree in Mechanical Engineering in 2001 and her M.S. degree in Electrical Engineering in 2003, both at singhua University, China. She obtained her Ph.D. degree in Electrical Engineering at Stanford University in Before joining Illinois at Urbana-Champaign as an assistant professor in 2012, Prof. Gao was a research associate at Stanford University. Prof. Gao has won a number of awards, including RCA William E. Jackson Award, Institute of Navigation Early Achievement Award, 50 GNSS Leaders to Watch by GPS World Magazine, and multiple best presentation awards at ION GNSS conferences. ABSRAC Secure, reliable position and time information is indispensable for many civil GPS applications such as guiding aircraft, tracking freight, synchronizing power grids and cellular networks, and time-stamping financial transactions. his paper introduces a signal authentication architecture based on a network of cooperative receivers. A receiver in the network correlates its received military P(Y) signal with those received by other receivers (hereinafter referred to as crosscheck receivers) so as to detect spoofing attacks. his paper describes a candidate structures to implement this architecture. Our theoretical analysis shows that the signal-to-noiseratio significantly affects pair-wise check performance, and the final authentication performance improves exponentially with increasing number of cross-check receivers. We have conducted two field experiments to evaluate pair-wise check performance in different spatial conditions (urban canyon and open space) and different transport modes (static and moving). he experiments shows that pair-wise check performance is sensitive to spatial conditions, but insensitive to transport modes. INRODUCION During the past two decades, the Global Positioning System (GPS) has become an essential element of the global information infrastructure, with myriad applications in almost every facet of modern businesses and lifestyles, including communication, energy distribution, finance, and transportation. Ever-growing dependence on GPS creates strong incentives to attack civil GPS receivers, for either an illegitimate advantage or a terrorism purpose. Unfortunately, the civil GPS signal was not designed for security-critical applications. Unlike its military counterpart, the civil signal is not encrypted or authenticated. he signal specification is publicly available [1]. An attacker can synthesize and broadcast spoofing signals that are structured to resemble a set of authentic GPS signals. A victim receiver fed with the spoofing signals will report position and time solutions that are manipulated by the spoofer [2, 3]. Spoofing poses a great security risk because it is surreptitious and usually undetected by most commercial-off-the-shelf receivers [2 4].

2 Previous work on spoofing countermeasures A variety of methods have been proposed to harden civil GPS receivers against spoofing attacks. hese methods can be generally categorized into three groups: external assistance, signal statistics, and cryptographic authentication. he first group performs consistency checks against metrics external to the GPS subsystem, such as the information from inertial sensors, odometers, cellular networks, and highstability clocks [5, 6]. he second group performs statistical tests on features inherent in GPS signals, including angle of arrival [7, 8], signal quality [9], signal power [, 11], and multipath [12]. he third group relies on cryptographic, unpredictable information carried by GPS signals [13 16]. Unlike the first group of methods, cryptographic methods do not require any additional hardware, which can be a hurdle to mass-market GPS applications that are sensitive to cost, weight, or volume. In comparison to the second group, cryptographic methods enable users to differentiate authentic signals from counterfeit signals with higher confidence and robustness, especially in a harsh environment where the statistics of authentic signals can be highly unstable. hree types of cryptographic spoofing countermeasures have been explored in recent literature. he first option, known as navigation message authentication (NMA), inserts public-key digital signature into the navigation message [13, 16 18]. Another strategy is to interleave spread spectrum security codes (SSSC) with normal civil GPS spreading codes so that parts of spreading sequences are periodically unpredictable [13, 19]. Both NMA and SSSC require significant modifications to the legacy GPS signal structure. hey are unlikely to be implemented in the coming decade due to the static nature of GPS interface specification (IS) and long deployment cycles. he third approach relies on codeless cross-correlation of unpredictable encrypted military P(Y) code between two civil GPS receivers [14, 15, 20]. Without any modification to the GPS IS, this approach is practical today. Figure 1 illustrates how cross-correlation spoofing detection works. It correlates a snippet of L1 signal from the receivers to be authenticated (hereafter referred to as user receivers ) with a snippet from the reference receiver. Both snippets are known to contain the same part of the military P(Y) codes broadcast by a GPS satellite visible to both receivers. Although the P(Y) code is encrypted and thus unknown, and although its received versions are noisy and may be distorted by a narrow-band radio frequency (RF) front-end [15], when conducting cross-correlation, the P(Y) code components in the two snippets are similar enough to create a high correlation peak if neither the user receiver nor the reference receiver is spoofed. However, if the reference receiver is spoofed, especially by the same spoofer to the Figure 1. Principle of cross-correlation spoofing detection (adapted from Fig. 1 in [15]). he publicly-known C/A signal and encrypted P(Y) signal are modulated on to the L1 carrier in-phase and quadrature, respectively. Each receiver tracks the C/A code, and uses its phase and timing relationships to the P(Y) code to take a snippet of the same part of the P(Y) code. A high correlation will appear if the two snippets contain the same P(Y) code. user receiver, the authentication result will be incorrect. Previous papers [14, 15] have analyzed the performance of the cross-correlation spoofing detection method using one reference receiver. In addition, they proposed employing a few dedicated reference stations to provide GPS signal authentication service for a wide area. Despite the strong merits, such a client-server authentication service has some weakness. First and foremost, it requires considerable investment into the setup of reference stations, not to mention the maintenance cost. Second, since fixed reference stations can be located, they are vulnerable to organized, targeted jamming and spoofing attacks, and loss of a majority of the reference stations may paralyze the authentication service. Authentication based on a network of ad-hoc receivers In this paper, we extend the dual-receiver P(Y)-code correlation method to a network of receivers, and present a GPS signal authentication architecture in an ad hoc, cooperative manner. he fundamental difference from the client-server manner mentioned above is that our architecture relies on multiple receivers (hereinafter referred to as ad-hoc crosscheck receivers or simply cross-check receivers ) as references. he cross-check receivers can be mobile, low-quality, unreliable, and even spoofed. he authentication process consists of two steps: pair-wise check and decision aggregation. In pair-wise check, the P(Y) signal received by a user receiver is correlated with that received by each cross-check receiver. Each such correlation provides a decision as to the authenticity of the signal received by the user receiver. In

3 decision aggregation, the pair-wise decisions are aggregated to determine if the user receiver is spoofed. he cooperative manner is superior to the client-server manner in terms of cost, user capacity, and robustness, thanks to unlimited geographically-dispersed low-cost ad-hoc crosscheck receivers. However, one should be aware that an ad-hoc cross-check receiver is less reliable than a dedicated reference receiver. First, a mass-market GPS receiver, especially one embedded in a smartphone, may not be as good as a dedicated geodetic-grade receiver in terms of the antenna and the signal conditioning circuit. Second, a cross-check receiver may intentionally be malicious so that it provides no or even negative contribution to the final authentication result. hird, a cross-check receiver can also be spoofed, and sometimes a user receiver and a cross-check receiver may be spoofed by the same spoofer if they are not sufficiently far apart. We shall further show in this paper that our proposed architecture is actually robust against these potential issues because 1) low-cost receivers can still provide satisfactory pair-wise check performance, and 2) the final authentication performance improves exponentially with increasing number of cross-check receivers. Content of this paper Pair-wise check and decision aggregation are two stages in our proposed authentication system. We have theoretically proven that in the second stage, decision aggregation achieves authentication performance that improves exponentially with increasing number of cross-check receivers [21, 22]. In this paper, we focus on the performance of pair-wise check and conduct field experiments to evaluate authentication performance in different spatial conditions (urban canyon and open space) and different transport modes (static and moving). For the remainder of this paper, we start with a description of a candidate structure to implement our proposed cooperative authentication architecture. In section Performance Analysis, we theoretically analyze the spoofing detection performance of pair-wise check and briefly revisit the final authentication of decision aggregation. Section Experiments presents experiment results on the pair-wise check performance using low-cost receivers. SYSEM SRUCURE here are several approaches to implementing our proposed cooperative authentication system. hese approaches differ from one another mainly in where correlations are computed. One approach is to distribute correlation computation to either cross-check receivers or a cloud service. Another option is to compute all the correlations in a centralized User receiver (aggregating decisions) snippet decision 1 snippet decision 2 snippet decision N Cross-check receiver 1 (computing correlation) Cross-check receiver 2 (computing correlation). Cross-check receiver N (computing correlation) Figure 2. A candidate structure of authentication system. Each cross-check receiver computes the correlation between its own snippet and the one from the user receiver, and decides whether the signal received by the user receiver is authentic or not. he user receiver collects the decisions from all cross-check receivers, and finally determines the authenticity of its received signal by an appropriate statistical measure. way, either by the user receiver itself or by a third party which wants to ensure the validity of the position and clock reported by the user receiver. In this paper, we focus on a candidate structure in which cross-check receivers compute the correlations. Figure 2 illustrates this structure, in which correlation computation is distributed to cross-check receivers. he whole procedure is explained in detail in able 1. In the beginning, a user receiver wants to know whether its received signal is authentic or not, and it finds N peers as cross-check references. he user receiver and all cross-check receivers agree to collect a snippet of quadrature-phase baseband signal for a GPS satellite at a time in the immediate future. he user receiver sends its snippet to the reference receivers via secure channels. hen each reference receiver correlates its own snippet with the one from the user receiver, and decides if the signal received by the user receiver is authentic or not. Finally, the user receiver aggregates the decisions from the N reference receivers, and determines the authenticity of its received signal by an appropriate statistical measure. Since snippets of GPS signals have to be transported over a communication network, a security protocol, such as LS and IPsec [23], should be used to avoid man-in-the-middle

4 Steps Actions 1 User receiver sends out authentication requests with its rough location. 2 Available receivers within an appropriate area * respond to requests. 3 User receiver chooses N cross-check receivers, chooses a common-view GPS satellite, and sends them a GPS time in the immediate future. 4 User receiver and cross-check receivers collect snippets of quadrature-phase baseband signal from the GPS satellite at the GPS time. 5 User receiver sends its snippet to the N crosscheck receivers. 6 Each cross-check receiver correlates its snippet with user receiver s, and replies to the user receiver with a decision authentic or unauthentic. 7 User receiver determines the authenticity of its received signal by aggregating all these decisions. * Cross-check receivers should be at least several kilometers away from the user receiver. here should be at least one GPS satellite visible to the user receiver and all the cross-check receivers. attacks. able 1. Procedure of the authentication process. he authentication process can be performed in near realtime, and the time delay mainly depends on data collection, communication, and computation. According to Psiaki et al. [15], a snippet of approximate 1 second is generally needed for reliable spoofing detection. A narrow-band GPS front-end usually has a bandwidth of 2.4 MHz, and 1-second 1-bit quadrature-phase samples yield 2.4 M bits of data. For current 3G/4G cellular networks, it typically takes 1 second or less to transfer one snippet. he time of computation depends, but a rule of thumb is that a receiver must have the capability of processing 1-second data within 1 second. Since the time for sending and responding requests and aggregating decisions is usually negligible, the authentication process can take as short as 2 + N seconds: 1 second for collecting snippets, N seconds for transferring the user receiver s snippet to N cross-check receivers, and 1 second for computing the correlations. It is worth nothing that our cooperative authentication does not require highly reliable spoofing detection for each cross-check receiver, and thus allows a much shorter snippet to be collected. herefore, a delay of 2 + N seconds is a conservative estimate. Besides, if the user receiver can upload its snippet to a cloud service for file-sharing, from which the cross-check receivers can download the snippet simultaneously, then the authentication delay can be shortened to 4 seconds: 1 second for collecting snippets, 1 second for uploading, 1 second for downloading, and 1 second for computing the correlations. An issue with cooperative authentication is that there may exist some spam receivers being deliberately malicious (or playfully mischievous). In this structure, a malicious crosscheck receiver may reply to the user receiver with a random decision independent of the correlation, or even worse, a decision always opposite to the correct decision based on the correlation. In Section Performance Analysis, we shall show that the performance deterioration due to malicious cross-check receivers can be compensated by more crosscheck receivers. PERFORMANCE ANALYSIS Authentication is essentially a statistical hypothesis test, so it has a probability of making two types of errors: false alarm and missed detection. his section analyzes the probability of the two types of errors in pair-wise check and in decision aggregation. Assumptions and notations In order to simplify the analysis, we assume that all adhoc cross-check receivers have the same spoofing detection performance, namely, the same probability of false alarm and the same probability of missed detection. A crosscheck receiver can be malicious with certain probability. Additionally, a cross-check receiver can be spoofed with a certain probability, and the spoofer can be the same as or different from the spoofer to the user receiver. he list below summaries the notations used throughout this article. N C H 0 H 1 Number of cross-check receivers. Snippet length, i.e., number of samples in a snippet. Normalized cross-correlation, used as the pair-wise check test statistic. Null hypothesis that a user receiver s snippet and a cross-check receiver s snippet contain the same P(Y) code. Alternative hypothesis that a user receiver s snippet and a cross-check receiver s snippet contain different P(Y) codes. N (µ,σ 2 ) Normal distribution with mean µ and variance σ 2.

5 S A i Actual status of user receiver: S = 0 authentic, and S = 1 spoofed. Pair-wise check decision using the ith cross-check receiver, i = 1,..., N: A i = 0 authentic, and A i = 1 spoofed. A Final authentication result from aggregating all A i, i = 1,..., N. α Equal to Prob(A i = 1 S = 0), for all i = 1,..., N, probability of false alarm using an unspoofed, nonmalicious cross-check receiver. β Equal to Prob(A i = 0 S = 1), for all i = 1,..., N, probability of missed detection using an unspoofed, nonmalicious cross-check receiver. P F A P M D P D P SS P SD Equal to Prob(A = 1 S = 0), probability of false alarm of the final authentication result. Equal to Prob(A = 0 S = 1), probability of missed detection of the final authentication result. Equal to 1 P M D, probability of detection, also referred to as detection power. Probability of (a) a cross-check receiver being spoofed by the same spoofer to the user receiver and (b) a cross-check receiver being malicious such that its pair-wise check decision is always opposite to the correct decision based on the correlation. Probability of (a) a cross-check receiver being spoofed by a different spoofer to the user receiver and (b) a cross-check receiver being malicious such that its pair-wise check decision is based on the correlation involving a random, irrelevant snippet. Signal model and performance of pair-wise check In this subsection, let Receiver 1 be a user receiver, and Receiver 2 be a cross-check receiver. Suppose that both receivers track the L1 signal with perfect carrier and symbol timing recovery. he quadrature-phase baseband signals that contain the L1 P(Y) code are given by s 1 [t] = Λ 1 p 1 [t] + n 1 [t], (1) s 2 [t] = Λ 2 p 2 [t] + n 2 [t], (2) where t {1,2,...,} is the index of a total of samples, Λ 1 and Λ 2 are the received P(Y) code amplitudes (after distortion and attenuation) for the two receivers, p 1 [t] and p 2 [t] = ±1 denote the unknown P(Y) code sequences, and n 1 [t] N (0,σ1 2) and n 2[t] N (0,σ2 2 ) account for receiver noises and other irrelevant GPS signals. he spoofing detection is based on the test statistic C = 1 s 1 [t]s 2 [t]. (3) t=1 Define c[t] = s 1 [t]s 2 [t] for all t {1,2,...,}. Under the hypothesis H 0 that both receivers receive the same P(Y) code, i.e., p 1 [t] = p 2 [t] for all t, the expectation and variance of c[t] are given by E(c[t]) = E ( (Λ 1 p 1 [t] + n 1 [t])(λ 2 p 2 [t] + n 2 [t]) ) (4) = Λ 1 Λ 2 ; Var(c[t]) = E ( (Λ 1 p 1 [t] + n 1 [t]) 2 (Λ 2 p 2 [t] + n 2 [t]) 2) ( E(c[t]) )2, (5) = Λ 2 1 σ2 2 + Λ2 2 σ2 1 + σ2 1 σ2 2. By the central limit theorem (CL), for a very large, we have ( C H0 N (µ H0,σ 2 H 0 ) = N Λ 1 Λ 2, Λ2 1 σ2 2 + Λ2 2 σ2 1 + σ2 1 σ2 ) 2. (6) Under the hypothesis H 1 that the two receivers receive different P(Y) codes, let us assume that p 1 [t] is independent from p 2 [t] for all t. hen, the expectation and variance of c[t] are given by E(c[t]) = E ( (Λ 1 p 1 [t] + n 1 [t])(λ 2 p 2 [t] + n 2 [t]) ) (7) = 0; Var(c[t]) = E ( (Λ 1 p 1 [t] + n 1 [t]) 2 (Λ 2 p 2 [t] + n 2 [t]) 2) ( E(c[t]) )2, (8) = (Λ σ2 1 )(Λ2 2 + σ2 2 ). By CL, for a very large, we have C H1 N (µ H1,σ 2 H 1 ) = N (0, (Λ2 1 + σ2 1 )(Λ2 2 + σ2 2 ) ). (9) he signal-to-noise ratio (SNR) for the received signals are given by γ 1 = Λ 2 1 /σ2 1 and γ 2 = Λ 2 2 /σ2 2. Normalizing (1) by σ 1 and (2) by σ 2, and considering the fact that γ 1 1 and γ 2 1, we can finally simplify (6) and (9) into ( γ1 C H0 N γ 2, γ 1 + γ ) N ( γ 1 γ 2,1/), () ( C H1 N 0, (1 + γ 1)(1 + γ 2 ) ) N (0,1/). (11) Given a spoofing detection threshold ζ, if C ζ then the null hypothesis H 0 will be accepted, otherwise the alternative hypothesis H 1 will be accepted. hus, the probability of false alarm α and the probability of missed detection β are given by α = Q ( ( γ 1 γ 2 ζ) ), (12) β = Q(ζ ), (13) where the Q-function Q(x) = (2π) 1/2 x exp( u2 /2) du is the tail probability of the standard normal distribution. he Chernoff bound of Q-function is Q(x) 1 2 exp( x2 /2) for all x > 0. When the threshold ζ is chosen properly, i.e., 0 < ζ < γ 1 γ 2, increasing decreases both α and β

6 exponentially, as shown by α 1 2 exp( ( γ 1 γ 2 ζ) 2 ), (14) β 1 2 exp( ζ 2 ). (15) If we choose ζ = 1 2 γ1 γ 2, both α and β will decreases at the same rate, on the order of exp( γ 1 γ 2 /4)/2. herefore, for low-cost receivers which typically have low SNR, in order to achieve certain authentication performance, we must increase and/or use multiple receivers. Final authentication performance after aggregating decisions Let X = N i=1 A i and ξ be a preset threshold, where ξ is an integer such that 0 ξ N. he user receiver is determined to be authentic if X < ξ and to be spoofed if X ξ. Our previous work [21, 22] has proven P F A = Prob(A = 1 S = 0) = Prob(X ξ S = 0) N ( ) N = α m (1 α) N m, m where m=ξ P D = Prob(A = 1 S = 1) = Prob(X ξ S = 1) N ( ) N = (1 β) m β N m. m m=ξ (16) (17) α = (1 P SS P SD )α + (P SS + P SD )(1 β), (18) β = (1 P SS ) β + (P SS )(1 α) (19) account for the performance degradation due to unreliability of cross-check receivers. Consider a threshold selection strategy ξ = κn such that N α ξ = κn N (1 β). (20) In [22], we have proven the following upper bounds using Hoeffding s inequality [24]: P F A exp ( (ξ αn)2 ) 2 N = exp ( 2N (κ α) 2) (21), P M D F(ξ; N,1 β) exp ( 2 (N (1 β) ξ) 2 ) N = exp ( 2N (1 β κ) 2). (22) It can be seen that both P F A and P M D decrease exponentially with increase of N. he parameter κ determines how fast P F A and P M D shrink. A larger κ hastens exponential decay of P F A, while a smaller κ hastens exponential decay of P M D. In (21) and (22), if we choose κ = 1 2 (1 + α β), both P F A and P M D decrease at the same rate, on the order of exp ( N (1 α β) 2). herefore, the parameter λ = 1 α β is a figure of merit characterizing how fast the final authentication performance improves with an increasing N. By (18) and (19), we have λ = 1 α β = (1 α β)(1 2P SS P SD ), (23) which indicates that the factor 1 2P SS P SD is the penalty for the unreliability of cross-check receivers. In addition, (23) implies a fundamental requirement on pairwise check: α + β < 1. (24) Unless the requirement was met, increasing N would not improve authentication performance. EXPERIMENS In this section, we conduct field experiments to evaluate authentication performance in real environments. In the experiments, we employ multiple SiGe GN3S samplers and portable antennas to collect raw intermediate frequency (IF) samples of GPS signals. he data are post-processed using our developed software receiver. Snippets of P(Y) codes are extracted from the tracking loops, and then used to compute correlations. SNR loss in low-cost receivers Most commercial-off-the-shelf low-cost GPS receivers do not have the capability of streaming out raw IF samples. We use SiGe GN3S samplers as a substitute. he SiGe frontend is a thumb-sized USB device designed for low-cost software-defined GPS and Galileo receivers. It has a sampling frequency from 4 MHz to 16 MHz and a quantization resolution of 2 bits (4 levels). he price of one SiGe device is around $450. We use a series Agilent Vector Signal Analyzer (VSA) as a representative of high-cost GPS receivers. he VSA has a sampling frequency up to 40 MHz and a quantization resolution of 16 bits. he price of one device is around $50,000. We collected multiple concurrent data sets with the SiGe and VSA using the same antenna and RF splitter. Our software receiver shows that relative to the VSA, the average SNR lost by using the SiGe front-end is in the range of db. In addition to the RF front-ends, we compared the portable patch antenna (around $) used with the SiGe to a fixed choke ring antenna (around $1,000) commonly used with a geodetic-grade GPS receiver. he low-cost patch antenna loses 3 4 db in SNR relative to the high-cost antenna.

7 0 1 Prob. of missed detection β = 4 = 4 5 Figure 3. Experiment 1: One SiGe receiver was in a urban canyon in San Francisco, CA. he receiver was able to acquire only three satellites. Fortunately, the three satellites were visible to the other SiGe receiver in Urbana, IL. o sum up, the low-cost front-end and antenna combination has SNRs 4.5 6dB lower than its high-cost counterpart. = 7 5 = 6 4 We performed cross-correlation of the P(Y) snippets generated from the data set. he snippets are normalized, i.e., Λ21 + σ12 = Λ22 + σ22 = 1. he correlation shows that the estimate of Λ1 Λ2 is , with a 95% confidence interval ( , ). Fig. 4 shows the pair-wise check performance curves calculated by (12) and (13) for snippet length = 5, 4 5, 7 5, and 6. Due to the relatively low SNR, even when = 6, probability of spoofing detection errors α + β are on the order of 2. his experiment shows that it is possible, although not preferable, to use receivers in urban canyons for cooperative authentication. his experiment also shows that low-cost receivers can be used as cross-check receivers even though their SNRs may be several dbs lower than high-cost reference receivers. Experiment 2: 22 kilometers apart, one moving receiver he second data set was collected on 3 April One SiGe receiver was on a car moving at roughly 45 miles per hour in Rantoul, IL. he other receiver was in Urbana, IL. wo receivers were approximately 22 kilometers apart. Both receivers had a clear view of the sky. en satellites were 2 1 Prob. of false alarm α 0 Figure 4. Experiment 1 (3000 kilometers apart, one receiver in urban canyon): Pair-wise check performance curves for number of snippet samples = 5, 4 5, 7 5, and 6. Experiment 1: 3000 kilometers apart, one receiver in urban canyon 0 Prob. of missed detection β he first data set was collected on 27 March As shown in Fig. 3, one SiGe receiver was in a urban canyon in San Francisco, CA with open sky to the south east. he other receiver was in Urbana, IL with a clear view of the sky. wo receivers were approximately 3000 kilometers apart. Both receivers were static. he San Francisco receiver was able to track three satellites, although the SNRs were low. Fortunately, the Urbana receiver was able to see all the three satellites tracked by the San Francisco receiver. 3 5 = 5 = 4 5 = 7 5 = Prob. of false alarm α 0 Figure 5. Experiment 2 (22 kilometers apart, one moving receiver): Pair-wise check performance curves for number of snippet samples = 5, 4 5, 7 5, and 6. visible to both receivers, and 8 of them were tracked by both receivers. We performed similar cross-correlation as done in Experiment 1. he correlation shows that the estimate of Λ1 Λ2 is , with a 95% confidence interval ( , ). Fig. 5 shows the pair-wise check performance curves calculated by (12) and (13) for snippet length = 5, 4 5, 7 5, and 6. Due to the relatively high SNR, when = 4 5, probability of spoofing detection errors α + β are on the order of 5. In comparison to Experiment 1, this experiment shows that pair-wise check performance is sensitive to spatial conditions (e.g., urban canyon or open space), and insensitive to transport modes (e.g., static or

8 moving). his observation agrees with (12) and (13), which show that SNR significantly affects pair-wise check performance. CONCLUSION his paper has presented a GPS signal authentication architecture that relies on a network of cooperative, low-cost receivers. Given the availability of numerous mobile devices with GPS and communication capability today, it is practical to build a cooperative authentication system based on these existing mobile devices. In out architecture, the encrypted military GPS signals are sampled by a user receiver and several ad-hoc cross-check receivers at the same time. he samples from the user receiver and each cross-check receiver are cross-correlated in order to detect spoofing attacks. he spoofing detection results from all cross-check receivers are aggregated to reach the final decision of the authenticity of the signal received by the user receiver. his paper has described a candidate structure to implement this concept. Furthermore, this paper has validated the concept through a theoretical analysis. he analysis shows that SNR significantly affects pair-wise check performance, and the final authentication performance improves exponentially with increasing number of cross-check receivers. We have conducted two field experiments to evaluate pairwise check performance in different spatial conditions (urban canyon and open space) and different transport modes (static and moving). he experiments shows that pair-wise check performance is sensitive to spatial conditions, but insensitive to transport modes. REFERENCES [1] GPS Wing, Interface Specification IS-GPS-200E, Jun. 20. [2]. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O Hanlon, and J. Kintner, Paul M., Assessing the spoofing threat: Development of a portable GPS civilian spoofer, in Proceedings of the 21st International echnical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS 2008), Savannah, GA, Sep. 2008, pp [3] X. Jiang, J. Zhang, B. J. Harding, J. J. Makela, and A. D. Domínguez-García, Spoofing GPS receiver clock offset of phasor measurement units, IEEE ransactions on Power Systems, vol. 28, no. 3, pp , [4] J. S. Warner and R. G. Johnston, A simple demonstration that the Global Positioning System (GPS) is vulnerable to spoofing, Journal of Security Administration, vol. 25, no. 2, pp , [5] J. Krumm and K. Hinckley, he NearMe wireless proximity server, in UbiComp 2004: Ubiquitous Computing, ser. Lecture Notes in Computer Science, N. Davies, E. Mynatt, and I. Siio, Eds. Springer Berlin Heidelberg, 2004, vol. 3205, pp [6] Y. Bardout, Authentication of GNSS position: An assessment of spoofing detection methods, in Proceedings of the 24th International echnical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS 2011), Portland, OR, Sep. 2011, pp [7] S. Daneshmand, A. Jafarnia-Jahromi, A. Broumandon, and G. Lachapelle, A low-complexity GPS antispoofing method using a multi-antenna array, in Proceedings of the 25th International echnical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS 2012), Nashville, N, Sep. 2012, pp [8] D. Borio, Panova tests and their application to GNSS spoofing detection, IEEE ransactions on Aerospace and Electronic Systems, vol. 49, no. 1, pp , [9] M. Pini, M. Fantino, A. Cavaleri, S. Ugazio, and L. L. Presti, Signal quality monitoring applied to spoofing detection, in Proceedings of the 24th International echnical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS 2011), Portland, OR, Sep. 2011, pp [] D. M. Akos, Who s afraid of the spoofer? GPS/GNSS spoofing detection via automatic gain control (AGC), NAVIGAION, vol. 59, no. 4, pp , Winter [11] V. Dehghanian, J. Nielsen, and G. Lachapelle, GNSS spoofing detection based on receiver C/No estimates, in Proceedings of the 25th International echnical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS 2012), Nashville, N, Sep. 2012, pp [12] F. Dovis, X. Chen, A. Cavaleri, K. Ali, and M. Pini, Detection of spoofing threats by means of signal parameters estimation, in Proceedings of the 24th International echnical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS 2011), Portland, OR, Sep. 2011, pp

9 [13] L. Scott, Anti-spoofing & authenticated signal architectures for civil navigation systems, in Proceedings of the 16th International echnical Meeting of the Satellite Division of he Institute of Navigation (ION GPS/GNSS 2003), Portland, OR, Sep. 2003, pp [24] W. Hoeffding, Probability inequalities for sums of bounded random variables, Journal of the American Statistical Association, vol. 58, no. 301, pp , [14] S. Lo, D. D. Lorenzo, P. Enge, D. Akos, and P. Bradley, Signal authentication: A secure civil GNSS for today, Inside GNSS, Sep [15] M. L. Psiaki, B. W. O Hanlon, J. A. Bhatti, D. P. Shepard, and. E. Humphreys, GPS spoofing detection via dual-receiver correlation of military signals, IEEE ransactions on Aerospace and Electronic Systems, vol. 49, no. 4, pp , Oct [16] K. Wesson, M. Rothlisberger, and. E. Humphreys, Practical cryptographic civil GPS signal authentication, NAVIGAION, vol. 59, no. 3, pp , Fall [17] C. J. Wullems, A spoofing detection method for civilian L1 GPS and the E1-B Galileo safety of life service, IEEE ransactions on Aerospace and Electronic Systems, vol. 48, no. 4, pp , [18]. E. Humphreys, Detection strategy for cryptographic GNSS anti-spoofing, IEEE ransactions on Aerospace and Electronic Systems, vol. 49, no. 2, pp , [19] M. G. Kuhn, An asymmetric security mechanism for navigation signals, in Proceedings of the 6th international conference on Information Hiding (IH 04), oronto, Canada, 2004, pp [20] B. W. O Hanlon, M. L. Psiaki,. E. Humphreys, and J. A. Bhatti, Real-time spoofing detection using correlation between two civil GPS receiver, in Proceedings of the 25th International echnical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS 2012), Nashville, N, Sep [21] L. Heng, D. B. Work, and G. X. Gao, Cooperative GNSS authentication: Reliability from unreliable peers, Inside GNSS, vol. 8, no. 5, pp , Sep [22], GPS signal authentication from cooperative peers, IEEE ransactions on Intelligent ransportation Systems, Apr. 2014, submitted. [23] C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in a Public World. Prentice Hall PR, 2002.