GNSS SPOOFING DETECTION IN COVERED SPOOFING ATTACK USING ANTENNA ARRAY Ali Broumandan and James T. Curran PLAN group Schulich School of Engineering, University of Calgary PLAN.geomatics.ucalgary.ca International Technical Symposium on Navigation and Timing (ITSNT) 14-17 Nov 2017 ENAC, Toulouse, France
Outline Introduction Spoofing detection metrics Single antenna spoofing detection Antenna array for spoofing detection Detection performance Experimental results 2/16
Spoofing Scenarios Not Covered Overlapped and non overlapped scenarios Spoofer knows the target receiver signal parameters Authentic and spoofing signals coexist The correlation peak is aligned with the authentic peak Covered Authentic signals are blocked Easy to spoof and difficult to detect Spoofer 3/16
Standalone Spoofing Detection RF Down- Converter Detecting multiple correlation peaks in CAF Detecting high received power level Synthetic array processing Antenna Combining (Beam- Forming) Acquisition Tracking Move the GNSS receiver and detect abnormal variations in the clock bias PVT Authentication for a Moving Receiver Structural signals power analysis Noise floor analysis Detecting rapid fluctuations in tracked signal amplitude Doppler and code rate consistency check Synthetic array processing Possible spoofing detection metrics in different operating layers of a GNSS receiver 4/16
Spoofing Detection Spoofing detection can be performed at Receiver level where a stand-alone receiver detects a spoofing attack AGC level monitoring SNR monitoring Number of PRNs Pre-correlation based structural power analysis Network level where a CAV unit detects the spoofing occurrence based on observations from different receivers Position estimates Measurements 5/16
Antenna Array Based Spoofing Detection Spoofing-free Digital baseband Acquisition Ch N Ch 2 Ch 1 RF Down- Converter/ Digitizer Nullsteering Tracking Beamforming M S R P V T RF Front-end Precorrelation spoofing mitigation Single channel receiver Pre-despreading and post-despreading approaches can be employed 6/16
Covered Spoofing Scenario Two Maxtena helical antenna with 8 cm spacing as the receiver antenna array Spoofer antennas Spoofing Signals Receiver antennas 7/16
Data Collection Scenario Phase-coherent multi-channel TeleOrbit Frontend 10 Mega samples/s, 8 bit quantization and disabled automatic gain control (AGC) 8/16
Signal Quality in Covered Spoofing Ch1 cable connection Ch2 and Ch3 propagation Signals processed with a software receiver Counterfeit signals are propagated inside the case Received signals are not subject to attenuation and multipath propagation 9/16
Pre-despreading spoofing detection metrics Structural Power Content Analysis (SPCA) IF samples variance with disabled AGC is considered Pre-despreading methods cannot be used to detect SPCA and IF Variance 10/16
SQM and PLI Monitoring Metrics Post-despreading spoofing detection There is no distortion on correction peak Phase lock indicator (PLI) was used to monitor quality of PLL 0.05 0-0.05-0.1 1 0.95 0.9 0.85 a) SQM Authentic, std=0.01 Covered spoofing, std=0.01 0 20 40 60 Time (s) b) PLI Authentic Covered spoofing 0.8 0 20 40 60 Time (s) 11/16
RTK Solutions in Covered Spoofing Horizontal and vertical solutions Code and carrier measurements quality in the covered spoofing attack Antenna quality in covered spoofing scenario Carrier phase multipath propagation 12/16
Antenna Array Eigen Analysis 2-element antenna array was used Correlation matrix of IF samples was used for Eigen analysis Highest-to-lowest ratio of eigenvalues ( ) in spoofing and authentic cases 13/16
Relative Phase in Authentic Case Relative phase of Ch1-Ch2 in tracking stage Relative phase is a function of Direction of arrival PRN signals Relative path delay of the RF chain Relative phase in authentic case for various PRNs are not the same 14/16
Relative Phase in Spoofing Case Relative phase of Ch1-Ch2 at correlator outputs Ch1 parameters were used to wipe of Ch2 Relative phase in spoofing case for various PRNs are the same All PRNs are transmitted from a single source 15/16
Conclusions Covered spoofing scenario was investigated where the reception of the authentic signals was blocked The covered spoofing attack is relatively easy to implement while the signal quality was preserved Multipath due to signal propagation inside the spoofing case was not a concern Single antenna based spoofing detection metrics are not sensitive for the covered spoofing attack Two-element antenna array was utilized to implement spatial processing in pre-despreading and post-despreading stages of the receiver the covered spoofing attack could be successfully detected using such an antenna array 16/16