GPS spoofer countermeasure effectiveness based on signal strength, noise power, and C/N0 measurements

INTERNATIONAL JOURNAL OF SATELLITE COMMUNICATIONS AND NETWORKING
Int. J. Satell. Commun. Network. 22; 3:8 9
Published online in Wiley Online Library (wileyonlinelibrary.com)

Ali Jafarnia Jahromi*, Ali Broumandan, John Nielsen² and Gérard Lachapelle

University of Calgary, Geomatics Engineering, Calgary, Alberta, Canada
² University of Calgary, Electrical and Computer Engineering, Calgary, Alberta, Canada

SUMMARY

Spoofing sources can effectively disrupt a GPS receiver during the acquisition phase by generating multiple false correlation peaks and increasing the noise floor. Such deceptive correlation peaks can mislead the GPS receiver into acquiring the spoofer-generated signals rather than the authentic signals. Also, the spoofer can increase the receiver noise floor to bury the authentic signals in the noise and at the same time generate correlation peaks with amplitudes commensurate with reasonable C/N0 expectations. The main focus of this paper is on assessment of the reduced effectiveness of the GPS spoofer countermeasure during acquisition where the GPS receiver utilizes C/N0 discrimination. As shown, whereas C/N0 discrimination is of limited effectiveness, with a modest circuit modification the receiver can measure the absolute power of the correlation peaks, which is an effective means of detecting and discriminating spoofer sources. It will be shown that employing the absolute power monitoring technique considerably reduces the vulnerability region of the receiver compared with the C/N0 monitoring techniques.

Copyright 22 John Wiley & Sons, Ltd.

Received 22 July 2; Accepted May 22

KEY WORDS: GPS, anti-spoofing, C/N0 analysis, noise power analysis, absolute power analysis

1. INTRODUCTION

The GPS signal is vulnerable to in-band interference because it is an extremely weak signal.
Therefore, even low-power interference can easily jam or spoof consumer handheld GPS receivers within a radius of several kilometers []. Spoofing is a deliberate interference that aims to coerce global navigation satellite system receivers into generating false position/navigation solutions [2]. The spoofing attack is potentially significantly more menacing than jamming because the target receiver is not aware of this threat. Because the GPS signal structure is in the public domain, the implementation of a spoofer of disruptive capability is not prohibitively complex. Spoofing and related countermeasures are emerging issues for GPS and are consequently attracting significant interest [3–5]. In recent years, several spoofing detection and mitigation techniques have been proposed in the literature [6 ].

*Correspondence to: Ali Jafarnia Jahromi, University of Calgary, Geomatics Engineering, Calgary, Alberta, Canada. E-mail: ajafarni@ucalgary.ca

During the acquisition procedure, a generic GPS receiver correlates the received signal with a locally generated one to provide a rough estimate of the code delay and the Doppler frequency. Herein, it is assumed that the receiver searches over all in-range Doppler and code cells and estimates the signal parameters corresponding to the maximum peak of the correlation function that is above a predetermined detection threshold.

The spoofing threat can affect the acquisition process of a GPS receiver from two different perspectives. First, the spoofer can generate one or more fake correlation peaks whose amplitude is larger than that of the authentic signals and, as such, present the acquisition processing of the receiver with seemingly legitimate correlation peaks from which a false navigation solution is generated. Second, the spoofer can generate a component of uncorrelated noise in the GPS band that can arbitrarily manipulate the noise floor observed by the receiver. Additionally, as the pseudorandom noise (PRN) codes are not orthogonal relative to the dwell time interval used by the GPS acquisition, there is a mutual nonzero cross-correlation of the PRN codes that further increases the noise floor.

To be effective, the spoofer should generate a correlation peak that has more power than the authentic signal peak to mislead the target receiver. Hence, it would initially seem desirable to generate a powerful spoofing signal whose power is significantly larger than the corresponding authentic signal. However, as the maximum GPS signal strength at the receiver antenna is known approximately, the receiver can detect the spoofing source if it is too large. Therefore, the receiver has effective means of detecting a spoofing source and hence can take the appropriate action. This may be that the receiver merely informs the user of a potential spoofing attack such that less reliability is placed on the eventual navigation solution. A more sophisticated response would be for the receiver to attempt to discriminate and sort the spoofer and authentic correlation peaks.

By monitoring the power levels of the noise and correlation peaks, it becomes much more difficult for the spoofer to be effective. Hence, to be effective, the spoofer must present the receiver with an accurate signal power level within this window. This is significantly further exacerbated by multipath, as the spoofing signal level is then essentially random. Also, the distance between the spoofer and the receiver is not known to the spoofer.
As will be shown in this paper, application of these simple power thresholds virtually assures the receiver that if the spoofer signal is strong enough to be effective, then it is also detectable with reasonable probability.

Some recent articles have heuristically discussed amplitude discrimination techniques to detect the spoofing threat [2,]; however, no considerable analytical discussion has been provided in this regard in the open literature. This paper takes an analytical approach to investigating the effect of the spoofing signals on the receiver noise floor. It is shown that the distribution of spoofing interference can be approximated by a circularly symmetric Gaussian distribution that is added to the ambient additive white Gaussian noise. After that, the receiver acquisition process is analyzed on the basis of the received signal-to-interference-and-noise ratio (SINR). It is shown that the spoofing interference can decrease the SINR of the authentic signal and cause it to fall under the detection threshold, which results in deterioration of receiver acquisition performance. In addition, an increase in spoofing power increases the SINR of the spoofing PRNs, which can mislead the receiver toward acquiring the spoofer-sourced correlation peaks.

The rest of this paper is organized as follows: In Section 2, the received signal model and the acquisition technique are discussed. Section 3 discusses the effect of spoofing on increasing the noise floor estimate. The effect of the spoofing threat on the receiver SINR, and consequently on deteriorating its acquisition performance, is discussed in Section 4. Section 5 presents spoofing discrimination based on absolute power monitoring, and finally, the concluding notes are given in Section 6.

2. SYSTEM MODEL

Herein, it is assumed that the spoofing signal is transmitted from a single source located on the earth surface and is received at the receiver antenna as shown in Figure 1.
The spoofing signal is a terrestrial signal that is subject to multipath fading en route to the GPS receiver. It is assumed that the structure of the spoofing signal is similar to that of the authentic GPS signals; however, the spoofer is not limited to generating signals at the same power level, code delay, Doppler frequency, and PRN set as the authentic signals present. The GPS receiver is assumed to operate in the acquisition stage and to aim at correctly detecting the presence of the authentic signal and providing a rough estimate of the code delay and Doppler frequency. Therefore, if the spoofer has totally aligned its signal with the authentic signal in terms of Doppler frequency and code delay, it does not mislead the acquisition procedure.

[Figure 1. Spoofing scenario illustration.]

The baseband section of a generic GPS receiver consists of a complex correlator whose structure is shown in Figure 2. This procedure includes Doppler removal, signal despreading, and low-pass filtering. In Figure 2, $c_l$ is the $l$th locally generated spreading sequence, $\omega_l$ and $\tau_l$ are the Doppler and code delay of the locally generated signal, respectively, and $T_s$ is the sampling interval.

[Figure 2. The correlator structure in the baseband section of the GPS receiver.]

During the acquisition process, the receiver correlates the received signal with the locally generated PRN codes with different delays that are modulated by different Doppler frequencies. Then the resulting signal is integrated over $N$ consecutive samples. When the Doppler frequency and the code delay of the locally generated signal match the received signal parameters, a correlation peak will be observed at the output of the integrator. Here, it is assumed that the phase of the locally generated carrier is not necessarily synchronized to the target PRN, but its Doppler frequency as well as the spreading code delay perfectly match the desired signal's parameters. Also, the integration time is considered to be much shorter than the data bit duration; therefore, it can be assumed that there is no data bit transition during the acquisition process. Therefore, the output signal from the integrate and dump block can be written as follows [2]:

$$
y_l[\omega_l,\tau_l,K] = \underbrace{\sqrt{P_l}\,\exp(j\phi_l)}_{\text{I: Desired signal}}
+ \underbrace{\sum_{i=1,\ i\neq l}^{N_{\text{Auth SV}}} \sqrt{P_i}\,F_{il}[\omega_l,\tau_l,K]}_{\text{II: Interference caused by other authentic PRNs}}
+ \underbrace{\sum_{k} \sqrt{P_k}\,F_{kl}[\omega_l,\tau_l,K]}_{\text{III: Interference caused by spoofer generated PRNs}}
+ \underbrace{[K]}_{\text{IV: Gaussian noise}} \tag{1}
$$

where

$$
F_{il}[\omega_l,\tau_l,K] = \frac{1}{N}\sum_{n=(K-1)N+1}^{KN} c_i(n-\tau_{ilk})\,c_l(n)\,\exp\left(j\Delta\omega_{ilk}\,n + j\Delta\phi_{ilk}\right) \tag{2}
$$

where $P_i$ and $c_i$ are respectively the received power and the spreading code of the $i$th satellite. $\Delta\omega_{ilk}$, $\Delta\phi_{ilk}$, and $\tau_{ilk}$ are respectively the Doppler difference, the carrier phase difference, and the code delay difference between the $i$th received PRN code and the $l$th locally generated PRN code at the $K$th integration interval. $y_l[\omega_l,\tau_l,K]$ is the integrator output at the $K$th interval and is composed of four terms. The first term is the desired signal, which is the term of interest during the acquisition process. The second term is the interference caused by other authentic PRN codes; the third term is the interference caused by the spoofing PRN codes. These two terms arise because of the cross-correlation between different Gold sequences. [K] is the circularly symmetric complex Gaussian noise process with variance $\tilde{\sigma}^2/N$, where $\tilde{\sigma}^2$ is the variance of the input ambient white Gaussian noise. Conventional GPS receivers consider all of the last three terms as the noise term and perform the acquisition and tracking operations on the first term only.

3. EFFECT OF SPOOFING SIGNAL ON RECEIVER NOISE FLOOR ESTIMATE

Consider the case where the spoofing signal received at the GPS receiver antenna is stronger than the authentic GPS signals. The interference caused by the spoofer can elevate the noise floor of the receiver processing. The receiver noise floor can be estimated by correlating the received signal with a fictitious PRN code that is not present in the current GPS constellation. The noise floor is the variance of $y_f[\omega_f,\tau_f,K]$, which is the complex correlator output at time interval $K$:
$$
\sigma^2_{Y_f}[K] = \mathrm{var}\Bigg[
\underbrace{\sum_{i=1}^{N_{\text{Auth SV}}} \sqrt{P_i^a}\,F_{if}[\omega_f,\tau_f,K]}_{\text{II: Interference induced by authentic PRNs}}
+ \underbrace{\sum_{k} \sqrt{P_k^s}\,F_{kf}[\omega_f,\tau_f,K]}_{\text{III: Interference induced by spoofer generated PRNs}}
+ \underbrace{[K]}_{\text{IV: Gaussian noise}}
\Bigg] \tag{3}
$$

where it is assumed that the $f$th PRN code is a fictitious code that is present in neither the authentic nor the spoofing PRN set. Therefore, the correlator output is made up of three major terms, namely the interference terms induced by authentic PRN codes, the interference terms induced by the spoofing PRN codes, and finally the Gaussian channel noise. It is assumed that the delay and Doppler frequency of authentic and spoofing PRN codes are independent of each other and randomly distributed. Therefore, (3) can be rewritten as follows:

$$
\sigma^2_{Y_f}[K] = \sum_{i=1}^{N_{\text{Auth SV}}} P_i^a\,\mathrm{var}\big[F_{if}[\omega_f,\tau_f,K]\big] + \sum_{k} P_k^s\,\mathrm{var}\big[F_{kf}[\omega_f,\tau_f,K]\big] + \mathrm{var}\big[[K]\big] \tag{4}
$$

The first and second terms in (4) consist of $\mathrm{var}[F_{if}[\omega_f,\tau_f,K]]$. This term is the cross-correlation of the $i$th and $f$th PRN codes modulated by the random Doppler shift and phase difference between these two signals. The distribution of $F_{if}[\omega_f,\tau_f,K]$ has been calculated numerically and can be well approximated by a zero-mean Gaussian distribution in each of the I and Q branches. The simulations have been performed for normalized-power spreading Gold codes, and the cross-correlation variance in each of the in-phase and quadrature branches has been extracted to be $\sigma^2_{I,F_{if}} = \sigma^2_{Q,F_{if}} =$ :33. On the basis of the simulation results, the covariance between the I and Q branches is negligible. Therefore, it can be written as

$$
F_{if}[\omega_f,\tau_f,K] \sim \mathcal{N}_c\left(\mathbf{0},\ \begin{bmatrix} \sigma^2_{I,F_{if}} & 0 \\ 0 & \sigma^2_{Q,F_{if}} \end{bmatrix}\right) \tag{5}
$$

where $\mathcal{N}_c(a,b)$ is the circularly symmetric complex Gaussian distribution with mean vector $a$ and covariance matrix $b$. In consequence, the correlator output $y_f[\omega_f,\tau_f,K]$ is the summation of circularly symmetric Gaussian random variables, which in turn is a complex Gaussian random variable with the following distribution:

$$
y_f[\omega_f,\tau_f,K] \sim \mathcal{N}_c\left(\mathbf{0},\ \frac{N_0}{2NT_s}\,I_2 + \left(\sum_{i=1}^{N_{\text{Auth SV}}} P_i^a + \sum_{k} P_k^s\right)\begin{bmatrix} \sigma^2_{I,F_{if}} & 0 \\ 0 & \sigma^2_{Q,F_{if}} \end{bmatrix}\right) \tag{6}
$$

Equation (6) shows that the variance of the interference term is directly affected by the transmitted power of the authentic and spoofing PRN codes. The GPS system has been designed such that the interference level of authentic PRN codes does not exceed the ambient noise floor [3]. However, spoofing signals can be much more powerful than the authentic GPS signals. Therefore, their corresponding interference level can overtake the ambient Gaussian noise floor and therefore decrease the authentic SINR at the correlator output of conventional single-user GPS receivers. To investigate the effect of spoofing interference on the noise floor variance of the GPS receiver, the total received spoofing power (TSP) is considered and is defined as follows:

$$
[\mathrm{TSP}]_{\mathrm{dBW}} = 10\log\left(\sum_{k} P_k^s\right) \tag{7}
$$

In Figure 3, the estimated noise floor is depicted versus the TSP for the integration time of ms. It is observed that when the TSP is very low, the ambient Gaussian noise is the dominant term that determines the noise floor of the receiver. However, increasing the TSP increases the noise floor and causes it to overtake the received signal power of the authentic satellites.

4. VULNERABILITY OF GPS ACQUISITION IN THE PRESENCE OF SPOOFING ATTACK

The acquisition process of the GPS receiver aims to detect the authentic signal correlation peak and estimate the Doppler frequency and code delay. However, the interference caused by a spoofing signal can considerably increase the observed noise floor of a GPS receiver.
On the basis of the discussions in the previous sections, the correlator output can be written under the $H_0$ (signal absent), $H_a$ (authentic signal present), and $H_s$ (spoofing signal present) hypotheses as follows:

$$
\begin{aligned}
H_0\ (\text{signal absent}) &: \quad y_l[\omega_l,\tau_l,K] \sim \mathcal{N}_c\left(0,\ \sigma^2 I_2\right) \\
H_a\ (\text{authentic signal present}) &: \quad y_l[\omega_l,\tau_l,K] \sim \mathcal{N}_c\left(\mu_a,\ \sigma_a^2 I_2\right) \\
H_s\ (\text{spoofing signal present}) &: \quad y_l[\omega_l,\tau_l,K] \sim \mathcal{N}_c\left(\mu_s,\ \sigma_s^2 I_2\right)
\end{aligned} \tag{8}
$$

[Figure 3. Noise floor estimate versus total spoofing power. Axes: total spoofing power (TSP) [dBW] versus noise floor estimate [dBW].]

where

$$
\begin{aligned}
\mu_{a|s} &= \exp(j\phi_l)\,\sqrt{P_l^{a|s}} \\
\sigma^2 &= \frac{N_0}{2NT_s} + \sigma^2_{I,F_{if}}\left(\sum_{i=1}^{N_{\text{Auth SV}}} P_i^a + \sum_{k} P_k^s\right) \\
\sigma_a^2 &= \frac{N_0}{2NT_s} + \sigma^2_{I,F_{if}}\left(\sum_{i=1,\ i\neq l}^{N_{\text{Auth SV}}} P_i^a + \sum_{k} P_k^s\right) \\
\sigma_s^2 &= \frac{N_0}{2NT_s} + \sigma^2_{I,F_{if}}\left(\sum_{i=1}^{N_{\text{Auth SV}}} P_i^a + \sum_{k\neq l} P_k^s\right)
\end{aligned} \tag{9}
$$

where the superscript $a|s$ is a compact reference to either the authentic or the spoofing hypothesis. As discussed before, the interference level of an authentic signal is very small compared with the level of the Gaussian noise process. Therefore, it can be considered that $\sigma^2 \approx \sigma_a^2$. Also, if the number of spoofing signals is large enough (around or more), it can be assumed that a single spoofing PRN signal does not considerably change the noise floor. Hence, all three variance terms are very close to each other ($\sigma^2 \approx \sigma_a^2 \approx \sigma_s^2$).

For most GPS receivers, it is more convenient to work with the squared value of the correlator output amplitude. Therefore, the distribution of $D = |y_l[\omega_l,\tau_l,K]|^2$ under $H_0$ and $H_{a|s}$ can be written as central and noncentral chi-squared distributions with two degrees of freedom, respectively:

$$
\begin{aligned}
p(D \mid H_0) &= \frac{1}{2\sigma^2}\exp\left(-\frac{D}{2\sigma^2}\right) \\
p(D \mid H_{a|s}) &= \frac{1}{2\sigma^2_{a|s}}\exp\left(-\frac{D + P_l^{a|s}}{2\sigma^2_{a|s}}\right) I_0\left(\frac{\sqrt{D\,P_l^{a|s}}}{\sigma^2_{a|s}}\right)
\end{aligned} \tag{10}
$$

where $H_{a|s}$ refers to either the authentic or the spoofing hypothesis. If the detection threshold is defined as $D_{th}$, then the probability of detection ($P_D$) and the probability of false alarm ($P_{FA}$) can be defined as follows:

$$
\begin{aligned}
P_D^{a|s} &= \int_{D_{th}}^{\infty} p(D \mid H_{a|s})\,dD = \int_{D_{th}}^{\infty} \frac{1}{2\sigma^2_{a|s}}\exp\left(-\frac{D + P_l^{a|s}}{2\sigma^2_{a|s}}\right) I_0\left(\frac{\sqrt{D\,P_l^{a|s}}}{\sigma^2_{a|s}}\right) dD \\
P_{FA} &= \int_{D_{th}}^{\infty} p(D \mid H_0)\,dD = \int_{D_{th}}^{\infty} \frac{1}{2\sigma^2}\exp\left(-\frac{D}{2\sigma^2}\right) dD
\end{aligned} \tag{11}
$$

where $I_0(x)$ is the modified zero-order Bessel function of the first kind. The generalized likelihood ratio test (GLRT) [4] suggests that the GPS receiver evaluates the correlator output for the whole possible range of Doppler and code delay and picks the cell with the highest squared amplitude.
If the amplitude is above the threshold, the signal presence is flagged and the Doppler and code delay of the corresponding cell are reported as the rough estimate of the detected signal parameters. Therefore, for correct detection, only one of the cross ambiguity function (CAF) cells should be above the detection threshold, and for a given noise floor estimate and probability of false alarm, the detection threshold can be determined as follows (the proof is provided in Appendix A):

$$
D_{th} = -2\sigma^2 \ln\left[1 - \left(1 - P_{FA}\right)^{1/N_c}\right] \tag{12}
$$

where $N_c$ is the number of cells in the search space. Under the $H_a$ or $H_s$ hypotheses, the SINR of the $i$th PRN can be calculated using the following equation:

$$
\mathrm{SINR}_i^{a|s} = \frac{P_i^{a|s}}{2\sigma^2_{a|s}} \tag{13}
$$

Also, an SINR threshold can be defined by modifying (12) as follows:

$$
(\mathrm{SINR})_{th} = \frac{D_{th}}{2\sigma^2} = -\ln\left[1 - \left(1 - P_{FA}\right)^{1/N_c}\right] \tag{14}
$$

On the basis of (14), it can be deduced that for a given probability of false alarm, the acquisition procedure is able to detect those signals whose SINR is above the detection SINR threshold. Figure 4 shows the authentic and spoofing SINR values versus the TSP for the case of equal power authentic PRNs and of, 2, 3, and 4 equal power spoofing PRNs. The power of each authentic PRN is 58 dBW, and the integration time is $T_c$ = ms. The threshold SINR has been calculated for $P_{FA}$ = 3 as a typical probability of false alarm. The search space consists of 5 Doppler bins and 246 code delay bins; therefore, the size of the search space is defined as $N_c$ = 5 246 = 3,69.

It is observed that the SINR of authentic signals decreases as the TSP increases, whereas the SINR of spoofing PRNs increases up to a certain level as the TSP increases. The maximum spoofing SINR level depends on the number of transmitted spoofing PRNs and the distribution of TSP among them. The receiver noise floor estimate at ms integration time is also depicted on the right-hand Y-axis. This curve is useful for analyzing the noise floor increase at a certain TSP level. The spoofer can add some additive white Gaussian noise to the transmitted signal to shift down the SINR curves and equivalently shift up the receiver noise floor estimate. However, this noise does not move the junction point of the authentic/spoofing SINR curves. The analysis of Figure 4 is based on the following assumptions:

(i) The power of spoofing PRN signals should be higher than the authentic PRN signal's power to mislead the previously discussed GLRT detector. However, this power should not be considerably higher than the maximum authentic signal power level anticipated by the receiver, as it can be easily detected.
(ii) The spoofing interference should not considerably increase the receiver noise floor because it might be detected as an unwanted interference by a spoofing-aware GPS receiver.
(iii) The number of spoofing PRNs should be selected from a plausible list of visible space vehicles. Furthermore, the C/N0 of spoofing PRNs should not exceed the typical C/N0 level of authentic signals because unusual C/N0 levels might be detected by the GPS receiver.
(iv) If the spoofer knows the detection threshold of the receiver, it is better to choose a TSP bias point such that the authentic SINR falls under the detection threshold. In this case, only the spoofing peak can be found above the detection threshold.

On the basis of the aforementioned discussion, a possible TSP bias point can be TSP = 43 dBW for equal power spoofing PRNs. In this case, all of the first three conditions mentioned previously are met while the absolute power of each spoofing PRN is around 53 dBW, which is equal to the maximum possible power level of the L1 C/A GPS signals [5]. Also, the noise floor increase is around 2 dB.

[Figure 4. Received signal-to-interference-and-noise ratio (SINR) versus TSP for authentic and spoofing correlation peaks. Axes: total spoofing power (TSP) [dBW] versus SINR [dB] (left) and noise floor estimate [dBW] (right). Curves: authentic signal SINR, spoofing signal SINR for several numbers of spoofing PRNs, SINR threshold for detection, noise floor estimate. Marked regions: (I) only authentic peak above detection threshold; (II) only spoofing peak above detection threshold; (III) two correlation peaks above detection threshold.]

The following two subsections investigate the effect of the spoofing attack on the basis of the curves in Figure 4. This analysis shows that the acquisition process of GPS receivers is vulnerable to the spoofing attack even if the spoofing signal is not much more powerful than the authentic signals.

4.1. Acquisition vulnerability analysis for uncommon authentic/spoofing PRN signals

In this case, it is assumed that the receiver is trying to acquire an authentic PRN signal that is not common between the authentic and spoofing PRN sets. Therefore, as shown by the green plot in Figure 4, the spoofing signal decreases the SINR of the authentic signal and finally makes it fall under the detection SINR threshold. In this scenario, the spoofer acts more like a wideband interference that deteriorates the detection performance of the receiver by decreasing the received SINR (increasing the noise plus interference floor). Figure 5 shows the receiver operating characteristic (ROC) for different values of TSP. It is observed that the detection performance of the receiver decreases substantially as the TSP increases. $P_D^a$ has been defined in (11).

Another case can also be defined where the receiver is acquiring a PRN signal that is only transmitted by the spoofer. In this case, as shown by the red curves in Figure 4, the receiver mistakenly acquires the spoofing correlation peak if the spoofing power is enough to exceed the detection SINR threshold.

4.2. Acquisition vulnerability analysis for common authentic/spoofing PRN signal

In this case, it is supposed that the receiver is acquiring a PRN signal that is common between the authentic and spoofing signals. Therefore, both the green and red curves in Figure 4 should be considered in the receiver detection performance analysis. Three different zones can be observed in Figure 4 for the case of authentic and spoofing PRN signals.
The first area occurs when the TSP is less than 5 dBW; the spoofing SINR is then under the detection threshold. Here, the only harmful effect of the spoofer is a slight reduction in the authentic signal SINR, and the authentic correlation peak is still acquired by the receiver.

The second area occurs for TSPs greater than 39 dBW, where the authentic SINR falls under the detection SINR threshold and only the spoofing-generated correlation peak can be detected by the acquisition procedure. In this case, the spoofing interference makes a major contribution to the receiver noise floor.

The third area occurs when the TSP is higher than 5 dBW and lower than 39 dBW. In this case, the SINRs of both the authentic and spoofing signals are above the detection threshold, which implies the presence of two correlation peaks above the detection threshold. Hence, the receiver might mistakenly acquire the spoofing correlation peak when its SINR is higher than the authentic signal's SINR. In this area, especially for the region where the noise floor increase is less than 2 dB, the receiver might not be able to detect the spoofing interference on the basis of noise floor increment analysis. It seems that in this TSP window, the GPS receiver has the maximum vulnerability to the spoofing attack.

[Figure 5. Receiver operating characteristic for different spoofing powers. Axes: P D a versus P FA; curves for no spoofing and for increasing spoofing power (TSP).]

In Figure 4, it is also observed that if the number of PRN signals among which the spoofer divides its transmit power increases, each individual PRN receives a smaller portion of the spoofing power, which leads to a lower SINR at the same TSP value. For instance, for the case of 3 equal power spoofing PRN signals, it is observed that the maximum SINR is less than 9 dB, which is not unusually high enough to be detected by C/N0 monitoring techniques. In addition, in this case, for the region where both authentic and spoofing correlation peaks are above the threshold, their SINR difference is much smaller than in the case of spoofing PRNs, and this makes it more difficult for the receiver to discriminate the spoofing attack.

5. SPOOFING DISCRIMINATION BASED ON ABSOLUTE POWER MONITORING

As mentioned in the previous section, the C/N0 (equivalently SINR) measurements are vulnerable to the spoofing attack. This is because the spoofer can set up its TSP such that the C/N0 does not change considerably at the receiver side. However, if the receiver is able to analyze the absolute received power within a certain accuracy level, the receiver vulnerability to the spoofing attack can be reduced significantly. A spoofing-aware receiver should be able to monitor the noise floor to detect any unusual noise level increase due to the spoofing interference. In addition, the ability of the receiver to monitor the absolute received power of each individual PRN signal increases its resistance against spoofing signals whose power is considerably higher than the typical power level of the authentic GPS signals. The incremental receiver hardware required to facilitate an absolute power measurement within an uncertainty of about 2 dB is trivial, especially in the context of monolithic application-specific integrated circuit (ASIC) integration. However, an additional factory calibration step will be required.
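The contrast between C/N0-only monitoring and absolute power monitoring can be seen in a short sketch; this is an added example, not code from the paper. It assumes the receiver reports C/N0 in dB-Hz and a calibrated noise density N0 in dBW/Hz, so that absolute power is C = C/N0 + N0; every name, limit and measurement in it is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Limits:
    """Receiver calibration limits. All numbers used below are constructed."""
    max_cn0_dbhz: float       # highest C/N0 an authentic signal can reach
    max_power_dbw: float      # highest authentic received power per PRN
    nominal_n0_dbw_hz: float  # factory-calibrated noise density
    accuracy_db: float        # absolute measurement uncertainty

def cn0_alerts(cn0_by_prn, lim):
    """C/N0-only monitoring: a ratio, so it is blind to a raised noise floor."""
    return sorted(p for p, cn0 in cn0_by_prn.items() if cn0 > lim.max_cn0_dbhz)

def absolute_alerts(cn0_by_prn, n0_dbw_hz, lim):
    """Absolute monitoring: check the noise floor and each PRN's power."""
    alerts = []
    if n0_dbw_hz - lim.nominal_n0_dbw_hz >= lim.accuracy_db:
        alerts.append("noise-floor")
    for prn, cn0 in sorted(cn0_by_prn.items()):
        power_dbw = cn0 + n0_dbw_hz  # dB-Hz + dBW/Hz = dBW
        if power_dbw - lim.max_power_dbw >= lim.accuracy_db:
            alerts.append(f"power:PRN{prn}")
    return alerts

LIMITS = Limits(max_cn0_dbhz=50.0, max_power_dbw=-153.0,
                nominal_n0_dbw_hz=-203.0, accuracy_db=2.0)

# Constructed epochs: (label, measured N0 [dBW/Hz], {PRN: C/N0 [dB-Hz]})
EPOCHS = [
    ("clean", -203.0, {3: 45.0, 11: 47.0, 19: 42.0}),
    ("raised floor, normal C/N0", -198.0, {3: 48.0, 11: 46.0, 19: 44.0}),
    ("inside residual window", -202.0, {3: 46.0, 11: 45.0, 19: 43.0}),
    ("overt high C/N0", -203.0, {3: 55.0, 11: 47.0, 19: 42.0}),
]

def evaluate(epochs=EPOCHS, lim=LIMITS):
    """Return {label: (C/N0 monitor alerts, absolute monitor alerts)}."""
    return {label: (cn0_alerts(cn0, lim), absolute_alerts(cn0, n0, lim))
            for label, n0, cn0 in epochs}

if __name__ == "__main__":
    for label, (ratio, absolute) in evaluate().items():
        print(f"{label:28s} C/N0: {ratio}  absolute: {absolute}")
```

The second epoch passes the C/N0 check but trips both absolute checks, while the third passes both monitors, which is the residual window that remains when the floor rise and per-PRN power stay inside the measurement accuracy.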
Given the small hardware cost, it is very reasonable to consider absolute power measurements as a readily available spoofer countermeasure. Figure 6 compares the spoofing vulnerability region for a C/N0 monitoring receiver with that of an absolute power monitoring receiver. It has been assumed that the absolute power monitoring receiver is able to discriminate the elevated noise floor as well as higher power PRN signals within a 2 dB accuracy range. In other words, this receiver is able to discriminate those signals whose absolute power is 2 dB or more higher than the maximum possible received power of the GPS L1 C/A signal, which is 53 dBW [5]. This receiver is also able to detect a 2 dB increase in the noise floor from its desired value. However, the C/N0 monitoring receiver is only able to discriminate signals whose SINR is higher than the maximum possible SINR of the GPS L1 C/A signal (this value is assumed to be 2.8 dB for T_c = ms and temperature = 3 K). Therefore, the C/N0 monitoring receiver is vulnerable to those signals whose SINR is higher than the detection SINR threshold and lower than the maximum SINR level of authentic GPS signals. This vulnerability region is depicted in Figure 6. It is shown that for a spoofer whose TSP is equally divided among 6 PRNs, the C/N0 monitoring receiver is vulnerable to TSPs higher than 45 dBW. However, the vulnerability region of the absolute power monitoring receiver is limited to those signals whose SINR is above the detection threshold and whose absolute power is below the maximum allowable GPS L1 power level. In this case, the vulnerability region is limited to the TSP value above which the receiver noise floor increases by more than 2 dB. Hence, as depicted in Figure 6, the vulnerability region of the absolute power monitoring receiver is much smaller than the vulnerability region of the C/N0 monitoring receiver. Furthermore, if the receiver is able to measure the absolute received power more accurately, it can considerably reduce the size of its vulnerability window in the presence of a spoofing attack.

[Figure 6. Vulnerability region comparison of C/N0 versus absolute power monitoring techniques. Axes: SINR [dB] (left) and noise floor estimate [dBW] (right) versus total spoofing power (TSP) [dBW]. Marked regions: vulnerability region for spoofing detection based on absolute power analysis; vulnerability region for spoofing detection based on C/N0.]

6. CONCLUSION

An analysis of the vulnerability of GPS receivers to spoofing signals during the acquisition phase has been given. It has been shown that the C/N0 measurement alone is not an effective means of spoofing discrimination. As shown, a spoofer is able to transmit higher power signals and/or additional noise to elevate the noise floor estimate in the receiver processing. In this case, because of the noise floor increase, the C/N0 of the authentic signals is reduced, which leads to the deterioration of the receiver detection performance. It was shown that absolute power monitoring techniques enable the receiver to analyze the absolute noise floor as well as the absolute power of the correlation peaks. It has been shown that observations of the absolute power can be used to considerably reduce the effectiveness of the spoofing attack. This effectiveness comes about from the spoofer having to operate in a very small range of received power at the GPS receiver.

APPENDIX A: DETECTION THRESHOLD CALCULATION BASED ON PROBABILITY OF FALSE ALARM

On the basis of (), the false alarm probability for a given Doppler and code phase can be calculated using the following equation:

$$P_{FA}^{cell} = \int_{D_{th}}^{\infty} p(D \mid H_0)\, dD = \int_{D_{th}}^{\infty} \frac{1}{2\sigma^2} \exp\left(-\frac{D}{2\sigma^2}\right) dD = \exp\left(-\frac{D_{th}}{2\sigma^2}\right) \qquad \text{(A1)}$$

For correct detection, the false alarm should not occur in any of the CAF cells.
Therefore, considering the independent CAF cells, the false alarm probability of the total CAF can be defined as follows:

$$P_{FA}^{system} = 1 - \left(1 - P_{FA}^{cell}\right)^{N_c} \qquad \text{(A2)}$$

and therefore,

$$P_{FA}^{cell} = 1 - \left(1 - P_{FA}^{system}\right)^{1/N_c} \qquad \text{(A3)}$$

On the basis of the aforementioned calculations, the detection threshold can be defined as follows:

$$D_{th} = -2\sigma^2 \ln\left[P_{FA}^{cell}\right] = -2\sigma^2 \ln\left[1 - \left(1 - P_{FA}^{system}\right)^{1/N_c}\right] \qquad \text{(A4)}$$

REFERENCES

1. Hwang S, Shynk JJ. A null despreader for interference suppression in GPS. International Journal of Satellite Communications and Networking 2; 29(4):35 332, John Wiley Publications.
2. Montgomery PY, Humphreys TE, Ledvina BM. Receiver-autonomous spoofing detection: experimental results of a multiantenna receiver defense against a portable civil GPS spoofer. ION 29 International Technical Meeting, Anaheim, CA, 26 28 January 29.
3. Forssell B. The dangers of GPS/GNSS. Coordinates magazine 29; V(2):6 8.
4. Humphreys TE, Ledvina BM, Psiaki ML, O'Hanlon BW, Kintner PM. Assessing the spoofing threat: development of a portable GPS civilian spoofer. ION GNSS 2st International Technical Meeting of the Satellite Division, Savannah, GA, 6 9 September 28.
5. Shepard D, Humphreys T. Characterization of Receiver Response to a Spoofing Attack. Proceedings of ION GNSS 2, Portland, OR, September 2; 268.
6. Ledvina BM, Bencze WJ, Galusha B, Miller I. An In-line Anti-spoofing Device for Legacy Civil GPS Receivers. Institute of Navigation ITM: San Diego, CA, 2.
7. Nielsen J, Broumandan A, Lachapelle G. GNSS Spoofing Detection for Single Antenna Handheld Receivers. Journal of the Institute of Navigation 2; 58(4):335 344.
8. Scott L. Anti-spoofing & authenticated signal architecture for civil navigation systems. 6th International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GPS/GNSS 23), Portland, OR, 9 2 September 23.
9. McDowell CE. GPS Spoofer and Repeater Mitigation System using Digital Spatial Nulling. US Patent 72593 B, 27.
10. Wen H, Huang PY, Dyer J, Archinal A, Fagan J. Countermeasures for GPS signal spoofing. ION GNSS 8th International Technical Meeting of the Satellite Division, Long Beach, CA, 3 6 September 25.
11. Jafarnia-Jahromi A, Lin T, Broumandan A, Nielsen J, Lachapelle G. Detection and Mitigation of Spoofing Attack on a Vector Based Tracking GPS Receiver. In The International Technical Meeting ITM 22, Institute of Navigation: Newport Beach, CA, 3 Jan Feb; 79 8.
12. Van Dierendonck AJ. Determination of C/A code self-interference using cross-correlation simulations and receiver bench tests. ION GPS 22, Portland, OR, 24 27 September 22.
13. O'Driscoll C. Performance analysis of the parallel acquisition of weak GPS signals. Ph.D. Thesis, Department of Electrical and Electronic Engineering, National University of Ireland, Cork, 27.
14. Kay SM. Fundamentals of Statistical Signal Processing, Volume II: Detection Theory. Prentice Hall Signal Processing Series, Upper Saddle River, New Jersey 7458, 998; 87 89.
15. Kaplan ED, Hegarty CJ. Understanding GPS Principles and Applications (2nd edn). Artech House: Boston, London, 26; 3 53.

AUTHORS' BIOGRAPHIES

Ali Jafarnia Jahromi is a Ph.D. student in the Position, Location and Navigation (PLAN) group of the Geomatics Engineering Department of the University of Calgary. He received his B.Sc. and M.Sc. degrees in Telecommunications Engineering from Amirkabir University of Technology, in 26 and 29 respectively. His research interests include signal processing in GNSS applications, statistical signal processing, array processing and GNSS software receiver design.

Dr. Ali Broumandan received his Ph.D. from the Department of Geomatics Engineering, the University of Calgary (29). He holds an M.Sc. degree from the Department of Electrical and Computer Engineering, University of Tehran (26). His current research focuses on GNSS software receivers, array processing, and detection and estimation theory.

Dr. John Nielsen is an Associate Professor in the Department of Electrical and Computer Engineering of the University of Calgary. Two main areas of his research are Ultra-Wideband technology that is applicable for high rate data communications and short-range imaging radar. The other area is mobile positioning based on TOA/AOA using CDMA and GPS signals.

Professor Gérard Lachapelle is a Professor and Canada Research Chair in Wireless Location in the PLAN Group. He has been involved with GPS developments and applications since 98. His research ranges from precise positioning to GNSS signal processing.
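The threshold calculation of Appendix A (equations A2 to A4) can be checked numerically; the following is an added example, not code from the paper. It uses the appendix's symbols (P_FA system, P_FA cell, N_c, sigma^2, D_th), while the function names and the numerical values are constructed, and it assumes noise-only cells whose statistic D is exponential with mean 2*sigma^2, as in (A1).

```python
import math
import random

def cell_pfa(pfa_system, n_cells):
    """(A3): per-cell false alarm probability for n_cells independent cells."""
    # expm1/log1p keep precision when pfa_system is very small.
    return -math.expm1(math.log1p(-pfa_system) / n_cells)

def system_pfa(pfa_cell, n_cells):
    """(A2): probability that at least one of n_cells cells false-alarms."""
    return -math.expm1(n_cells * math.log1p(-pfa_cell))

def detection_threshold(pfa_system, n_cells, sigma2):
    """(A4): D_th = -2*sigma^2 * ln(P_FA cell)."""
    return -2.0 * sigma2 * math.log(cell_pfa(pfa_system, n_cells))

def empirical_system_pfa(threshold, n_cells, sigma2, trials, seed=1):
    """Noise-only Monte Carlo: share of searches with any cell above threshold."""
    rng = random.Random(seed)
    rate = 1.0 / (2.0 * sigma2)  # exponential cell statistic, mean 2*sigma^2
    hits = 0
    for _ in range(trials):
        if any(rng.expovariate(rate) > threshold for _ in range(n_cells)):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    # Constructed values: target system P_FA, search-space size, noise variance.
    target, n_cells, sigma2 = 0.05, 200, 1.0
    d_th = detection_threshold(target, n_cells, sigma2)
    print(f"D_th = {d_th:.3f}")
    print(f"simulated system P_FA = "
          f"{empirical_system_pfa(d_th, n_cells, sigma2, 5000):.3f}")
    # Failure mode: applying the system target to each cell directly.
    print(f"system P_FA if the per-cell P_FA were {target}: "
          f"{system_pfa(target, n_cells):.5f}")
```

The last line shows why the per-cell probability must be derived through (A3): using the system target as the per-cell value makes a false alarm somewhere in the search space almost certain.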