The Case for Recording IF Data for GNSS Signal Forensic Analysis Using a SDR
Professor Gérard Lachapelle & Dr. Ali Broumandan
PLAN Group, University of Calgary
PLAN.geomatics.ucalgary.ca
IGAW 2016 - GNSS Technology Advances in a Multi-Constellation Framework
Rome, 21-22 January 2016

Motivation
- GNSS signals increasingly subject to intentional interference (jamming and spoofing)
- Concern for safety of life applications and protection of the citizen
- Receiver manufacturers continuously implement countermeasures
- However, sophistication of jamming and spoofing increasing continuously as well
- What can be done if incidents & accidents occur?

Spoofing Scenario - Transportation
[Figure: spoofing scenario; labels: authentic SV1 to SV4, spoofing transmitter, GNSS antenna, actual trajectory]

GNSS Data Capture and Sampling
[Figure: receiver block diagram. Blocks: RF front-end (RF down-converter, ADC); signal processing (acquisition, tracking); measurement and PVT engine (measurements, PVT solution). Data rates labelled: digital baseband samples (5-50 Msps), tracking outputs (50-1000 Hz), measurements (up to 100 Hz), position outputs (up to 100 Hz)]

Processed Data Limitations
(1) Positions:
  (i) Useful to record locations and tracks
  (ii) Algorithm cannot be changed post-mission (PM)
  (iii) Information limited
  (iv) Low storage requirement
(2) Code, carrier phase and related data:
  (i) Signal processing techniques used at data collection; no reprocessing possible
  (ii) Reliability & accuracy analysis, some multipath detection and atmospheric studies possible
  (iii) Up to a few MB/h at 1 s data rate for 8 SVs
  (iv) Common in reference networks (e.g. IGS)

IF Sampling
1. Allows complete signal re-processing with post-mission method of choice using a SDR (Software Defined Receiver), hence independence from specific receiver
2. More detailed science (e.g. ionosphere, environment) and detailed forensic analysis in case of signal issues (e.g. jamming, spoofing)
3. Very high to extremely high storage requirements

Actual In-Lab Interference Test
- LOS authentic signals combined with interference signals generated with HWS
- Combined signal is passed to a three-way splitter
- Two commercial receivers acquired and tracked signals
- RF front-end samples and stores IF data
- Interference power increased by 5 dB almost every 30 s

Receiver Position Solution
[Figure: position solution errors as a function of time for Receiver 1, with the interval marked "Position solution denied"; sky plot of available satellites]
- The receivers initially track 10 PRNs
- Navigation solutions denied for 150 s
- What is the reason?

Receiver Quality Monitoring
[Figure: quality measures for Receiver 1 and Receiver 2]
- Receiver 1 & 2 quality measures also failed for about 150 s
- There is no way to understand what happened to the signal (e.g. jamming/spoofing, signal denied?)

Forensic SDR Structure
- Different analyses at different SDR stages
- Structure of hostile signals determined through IF sample access
- If antenna array used, signal direction and location can be determined

AGC Monitoring Investigation
- IF sample analysis shows that the standard deviation (STD) of IF samples (AGC gain) is increasing
- This reveals the presence of a strong signal source nearby
- The jammer might be moving since the IF sample power varies with time
- More analyses can be done to characterize the nature of the signal
[Figure: STD of IF samples]

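The STD check described on this slide, as an added example (not code from the presentation): block-wise standard deviation of IF samples compared against a quiet baseline. The capture is constructed (Gaussian noise plus a tone stepping up 5 dB per block, echoing the lab test), and the function names, block length and 2 dB threshold are assumptions.

```python
import math
import random
import statistics

def block_std(samples, block_len):
    """Standard deviation of each consecutive block of IF samples."""
    return [statistics.pstdev(samples[i:i + block_len])
            for i in range(0, len(samples) - block_len + 1, block_len)]

def flag_power_rise(stds, baseline_blocks=3, rise_db=2.0):
    """Blocks whose STD exceeds the quiet-baseline STD by rise_db or more."""
    base = statistics.mean(stds[:baseline_blocks])
    return [i for i, s in enumerate(stds)
            if 20 * math.log10(s / base) >= rise_db]

def constructed_capture(block_len=2000, blocks=8, seed=1):
    """Constructed data: unit-variance noise; from block 3 on, a tone whose
    power relative to the noise starts at -10 dB and rises 5 dB per block."""
    rng = random.Random(seed)
    out = []
    for b in range(blocks):
        jn_db = -10 + 5 * (b - 3)           # interference-to-noise ratio
        amp = 0.0 if b < 3 else math.sqrt(2 * 10 ** (jn_db / 10))
        for n in range(block_len):
            tone = amp * math.sin(2 * math.pi * 0.123 * n)
            out.append(rng.gauss(0, 1) + tone)
    return out

STDS = block_std(constructed_capture(), 2000)
FLAGGED = flag_power_rise(STDS)   # blocks where total power rose >= 2 dB
```

Blocks 3 and 4 carry interference that is still below the noise floor, so the STD alone does not flag them; the later blocks stand out clearly.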
Acquisition Level Detection
- Several tests can be performed to determine the nature of the interference source
  - Spectral and signal structure analyses
  - Spatial processing
- A normal test is to check for a possible spoofing attack
  - AGC level investigation
  - Number of detected PRNs
  - Correlation peak analyses
  - Signal quality monitoring test
[Figure: cross ambiguity function; correlator power versus delay (chips), with the spoofing peak, the authentic peak and the detection threshold marked]
- Analysis revealed the presence of a strong spoofing signal
Jafarnia, A., S. Daneshmand and G. Lachapelle (2013) Spoofing Countermeasures for GNSS Receivers - A Review of Current and Future Research Trends. Proceedings of Fourth International Colloquium on Scientific and Fundamental Aspects of the Galileo Programme, Prague, 4-6 Dec 2013, 8 pages.

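The correlation peak analysis listed above, as an added example (not code from the presentation): correlate a stored IF block against each PRN code and count the peaks above the detection threshold. The codes are constructed random +/-1 sequences rather than real Gold codes, and the delays, amplitudes, threshold and function names are assumptions.

```python
import random

def prn_code(seed, n=1023):
    """Constructed +/-1 random code standing in for a real PRN code."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(n)]

def correlator_power(rx, code):
    """Normalized circular correlation power at every code delay (chips)."""
    n = len(code)
    return [(sum(rx[(k + d) % n] * code[k] for k in range(n)) / n) ** 2
            for d in range(n)]

def peaks_above(power, threshold):
    """Delays that are local maxima of the power and exceed the threshold."""
    n = len(power)
    return [d for d in range(n)
            if power[d] > threshold
            and power[d] >= power[d - 1] and power[d] >= power[(d + 1) % n]]

def constructed_if_block(codes, paths, noise_std=1.0, seed=7):
    """Noise plus delayed code replicas. paths: (prn, delay, amplitude)."""
    n = len(next(iter(codes.values())))
    rng = random.Random(seed)
    rx = [rng.gauss(0, noise_std) for _ in range(n)]
    for prn, delay, amp in paths:
        for m in range(n):
            rx[m] += amp * codes[prn][(m - delay) % n]
    return rx

def suspected_prns(rx, codes, threshold=0.25):
    """Peak delays per PRN; more than one peak for a PRN is suspicious."""
    peaks = {prn: peaks_above(correlator_power(rx, c), threshold)
             for prn, c in codes.items()}
    return peaks, sorted(p for p, d in peaks.items() if len(d) > 1)

# Constructed scenario: PRN 5 carries a second, stronger replica; PRN 12 is clean.
CODES = {5: prn_code(5), 12: prn_code(12)}
RX = constructed_if_block(CODES, [(5, 200, 1.0), (5, 640, 1.6), (12, 400, 1.0)])
PEAKS, SUSPECTS = suspected_prns(RX, CODES)
```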
Signal Classification and Spoofing Mitigation
- After spoofing detection, several approaches can be used to classify and remove the spoofing signals:
  - Spatial processing methods (e.g. antenna array or moving antenna) can be utilized to classify signals
  - Placing detected signals in spoofing and authentic signal groups, a successive spoofing cancellation method can be used to remove spoofing signals and recover authentic ones
[Figure: correlator power versus delay (chips), before mitigation and after mitigation]
Broumandan, A., A. Jafarnia and G. Lachapelle (2014) Spoofing Detection, Classification and Cancellation (SDCC) Receiver Architecture for a Moving GNSS Receiver. GPS Solutions, published online 23 September, DOI 10.1007/s10291-014-0407-3

Spoofing Detection and Mitigation
[Figure: two panels, each labelled "Position error wrt authentic position"]
- The SDR detects the attack type, its PRNs and finally provides authentic and spoofed position solutions which can be used to localize the spoofing source

Spoofing Source Localization
[Figure: authentic SV.1 to SV.4; receivers RX1 to RX5 with labels P1 to P5; a spoofer with ρ_su labels indexed 1 to 5; communication link to central authenticity verification]
- After detecting and characterizing the jamming signals and having several receivers affected, the spoofing source can be located
Broumandan, A., A. Jafarnia-Jahromi, S. Daneshmand, and G. Lachapelle (2015) A Network-based GNSS Structural Interference Detection, Classification and Source Localization, Proceedings of ION GNSS+ 2015 (Tampa, FL, 14-18 Sep), The Institute of Navigation, 12 pages

IF Storage Requirements per Antenna
- L1/E1 BW: 30.69 MHz
- L5/E5a BW: 20.42 MHz
- 16 bits per sample
Memory = 2 * Bandwidth * (bits / sample) / (8 x 10^12) [Tera Bytes (TB)]
[Figure: Memory/Day/Antenna (TB) by frequency band, L1/E1 and L5/E5a]
GPS ICD L1C (2013) Global Positioning Systems Directorate Systems Engineering & Integration Interface Specification, IS-GPS-800D, Navstar GPS Space Segment/User Segment L1C Interfaces, 24 Sep.
GPS ICD L5 (2013) Global Positioning Systems Directorate Systems Engineering & Integration Interface Specification, IS-GPS-705D, Navstar GPS Space Segment/User Segment L5 Interfaces, 24 Sep.

Conclusions
- Is there infrastructure worth protecting with this IF data recording approach?
- Are the advantages worth the benefits and costs?
- If yes, how long should the IF data be kept?
- If not, what would be the alternatives? Relying on evolving in-receiver solutions?
Note: Papers quoted in the presentation are on the PLAN Group website