@ericsg1999
Last active November 7, 2022 06:02
GSoC 22 - Implementation of anti-spoofing techniques in Borre’s software

Introduction

The number of applications whose services rely on the Global Positioning System (GPS) is growing substantially, and many of them involve safety functions that require high integrity and availability. A few examples are civil and military positioning and navigation, personnel tracking, emergency rescue, atmospheric analysis, mining and exploration, and power grids.

This versatility has led to a system designed without any authentication and with a published signal structure (data structure, modulation schemes, PRN spreading codes, etc.). This transparency and accessibility has a significant drawback: it leaves receivers exposed to spoofing attacks. The vulnerability is aggravated by the low power at which legitimate GPS signals reach the receivers, which makes it easier for an attacker to overpower or even jam them.

Therefore, this project aims to address this issue by implementing several anti-spoofing techniques in the Borre software receiver described in [1].

This first required a state-of-the-art review of the anti-spoofing techniques studied, and an analysis of the spoofing signals that would be used to test the developed algorithms.

State of the art

  • Spoofing attacks: Although there are different ways to drive a receiver away from the correct PVT solution, at both the physical and the logical layer, every attack must take over the receiver’s tracking module (which is initially locked to a legitimate GPS signal).

    · The most sophisticated way to take over a receiver’s tracking module is the so-called seamless take-over or synchronous non-coherent attack, which consists of transmitting a GPS signal perfectly synchronized (in carrier frequency and code phase) with the legitimate one, gradually increasing its power and then driving the receiver’s tracking module away by modifying the code phase. The following picture shows this process:

Figure 1: Synchronous non-coherent attack (seamless take-over attack) correlation temporal evolution, extracted from [2]

    · However, the less sophisticated version of the previous attack, the so-called non-synchronous non-coherent attack, is also considered. In it, the spoofing signal is not initially synchronized with the legitimate signal; the spoofer achieves synchronization only after some time, which exposes it in the acquisition grid of the victim receiver. The following picture represents this attack:

Figure 2: Non-synchronous attack correlation temporal evolution, extracted from [3]

  • Anti-spoofing techniques:

    I) Auxiliary Peak Tracking (APT)

This technique, proposed in [2], aims to detect non-synchronous non-coherent attacks by leveraging the fact that the initial mismatch in the code-phase axis reveals a secondary, malicious signal in the correlation grid.

In typical GPS receivers each satellite is acquired, tracked and decoded by a single channel, which follows the highest correlation peak between the replica of that satellite’s code and the received signal. This technique instead dedicates more than one channel per satellite. The extra channel monitors the acquisition grid in order to detect the appearance of spoofing signals. The spoofing detection flag is triggered if the code-phase difference between peaks exceeds a configurable τmax. As a result, auxiliary peak tracking can protect the GPS receiver from non-synchronized attacks.

    II) NAVI

The second anti-spoofing technique aims to protect the receiver at the logical layer rather than at the physical layer addressed by APT.

Logical-layer detection techniques are based on inspecting and monitoring the decoded navigation message in order to detect inconsistencies or abnormalities among the receiver’s observables and PVT solutions, since some attackers alter the navigation message contents to deceive the receiver.

In particular, NAVI considers the navigation message structure. Each of the five subframes, broadcast with a period of 6 seconds by each satellite, contains a shortened version of its own transmission time, so the implemented solution stores the time of week (TOW) of the previous subframe and checks whether the time has increased by exactly 6 seconds. If it has not, it raises a flag reporting the inconsistency, which is probably due to a spoofing attack.

Spoofing signals analysis

The studied anti-spoofing techniques are tested against the Texas Spoofing Test Battery (TEXBAT), a public database produced by the University of Texas radionavigation laboratory which contains GPS L1 C/A signal recordings affected by several types of spoofing attacks. As stated in [4], TEXBAT is considered adequate to certify civil GPS receivers as spoof resistant; consequently, many papers analysing anti-spoofing techniques have based their evaluation on the TEXBAT signal repository.

The first TEXBAT release contained a set of six spoofed signals named ds1 to ds6. They were based on two un-spoofed or spoof-free (also referred to as clean) signals, one recorded with a static receiver and the other with the receiver’s antenna mounted on a vehicle. These clean signals are also included in the database. Later, two more signals (ds7 and ds8) representing different attacks were added.

The recorded spoofed signals contain the contribution of both the authentic and the spoofed GPS signals. The authentic GPS signals are not captured directly from the receiver antenna but come from the initially recorded clean signals: the clean static signal was replayed through a National Instruments vector signal generator to serve as the authentic signal stream for TEXBAT scenarios 1-4, whereas the clean dynamic signal was used in the same way for scenarios 5 and 6.

All eight TEXBAT spoofing scenario signals contain baseband complex samples at a rate of 25 MSPS, which, with the high-quality front-end filtering employed, gives a frequency response over a 20 MHz bandwidth around the L1 band. Each signal is approximately 7 minutes (420 seconds) long. During the first 100 seconds no spoofing signals are present, which allows receivers to acquire the authentic signals and thus obtain genuine navigation and timing solutions.

Although there are several candidate signals to examine with the developed anti-spoofing techniques, the implemented APT technique is intended to be tested against the following spoofing attacks:

  • Non-synchronous non-coherent attack

    This kind of attack was evaluated with TEXBAT scenario 3. Monitoring the correlation grid for PRN 13 identified this type of attack. The following pictures present this analysis:

Figure 3: Acquisition grid code-phase axis perspective: Scenario ds3, PRN 13, second 135 (Own source)

Figure 4: Acquisition grid code-phase axis perspective: Scenario ds3, PRN 13, second 165 (Own source)

Figure 5: Acquisition grid code-phase axis perspective: Scenario ds3, PRN 13, second 168 (Own source)

Figure 6: Acquisition grid code-phase axis perspective: Scenario ds3, PRN 13, second 171 (Own source)

Figure 7: Acquisition grid code-phase axis perspective: Scenario ds3, PRN 13, second 175 (Own source)

Figure 3 shows the correlation grid before the attack is detected. As in normal conditions, only the peak corresponding to the legitimate GPS signal appears.

In figure 4, however, a suspicious second peak with lower amplitude can be detected. Moreover, the noise floor has risen remarkably.

The following two figures (5 and 6) show how the secondary peak caused by the spoofing signal approaches the legitimate correlation peak and tries to synchronize with it in the code-phase axis.

Finally, figure 7 shows that the spoofing signal has synchronized with the legitimate signal and increased its power in order to perform the take-over.

  • Synchronous non-coherent attack

This kind of attack has been identified in several scenarios, which are presented and detailed in this section. It groups the attacks in which the take-over is seamless, meaning that the spoofing signal is synchronized with the legitimate signal from the beginning. Therefore, in these attacks both peaks can only be distinguished once the malicious peak has locked into the victim receiver’s tracking module and driven it away from the legitimate signal. At that point both peaks can be spotted, the one coming from the spoofing signal and the one coming from the legitimate signal.

    - Coarse seamless take-over

Surprisingly, in the same TEXBAT scenario 3, another kind of attack was identified in the signal from another satellite, PRN 23. The following pictures depict the most relevant events of this attack:

Figure 8: Acquisition grid code-phase axis perspective: Scenario ds3, PRN 23, second 154 (Own source)

Figure 9: Acquisition grid code-phase axis perspective: Scenario ds3, PRN 23, second 184 (Own source)

Figure 10: Acquisition grid code-phase axis perspective: Scenario ds3, PRN 23, second 186 (Own source)

Figure 11: Acquisition grid code-phase axis perspective: Scenario ds3, PRN 23, second 189 (Own source)

The first figure (figure 8) shows the initial state before any secondary peak is acquired.

Figure 9 shows the appearance of the secondary peak almost synchronized with the legitimate signal, which is why it is considered a synchronous attack.

The following two figures (10 and 11) show the desynchronization process once the malicious signal has locked into the victim receiver’s tracking module. This process raises the noise floor, and the malicious signal performs it without remarkably increasing its power, and therefore its peak amplitude. Consequently, once it has separated slightly from the legitimate signal, the legitimate correlation peak is of the same order of magnitude. Ideally, the spoofer would prefer not to leave this trace, since it allows the spoofing attack to be detected.

    - Fine seamless take-over

TEXBAT spoofing scenario number 7 (ds7) presents the most sophisticated, and therefore the most challenging to detect, spoofing attack. It is characterized by a perfectly synchronized non-coherent attack that, once it has locked the victim receiver, drives it away from the legitimate signal and, in addition, remarkably masks the legitimate signal into the noise floor. The following figures depict the most relevant events of this attack:

Figure 12: Acquisition grid code-phase axis perspective: Scenario ds7, PRN 23, second 172 (Own source)

Figure 13: Acquisition grid code-phase axis perspective: Scenario ds3, PRN 23, second 199 (Own source)

Figure 14: Acquisition grid code-phase axis perspective: Scenario ds3, PRN 23, second 209 (Own source)

Figure 15: Acquisition grid code-phase axis perspective: Scenario ds3, PRN 23, second 230 (Own source)

Figure 16: Acquisition grid code-phase axis perspective: Scenario ds3, PRN 23, second 248 (Own source)

Following the same strategy as for the previous attacks, the first figure (12) shows the acquisition grid at an instant free from spoofing.

In figure 13 a slight distortion of the correlation pattern can be noticed, mainly on its right side; this distortion could be caused by the auxiliary peak or by natural fading or multipath. At this point it is not possible to warn of a spoofing attack.

In figure 14 a secondary peak can be noticed starting to form to the right of the main peak. Nonetheless, at first sight it cannot be identified as a spoofing attack.

After some seconds (figures 15 and 16) a secondary peak can definitely be spotted, which is actually the legitimate peak. The malicious peak has already taken over and increased its power, becoming the main peak in the acquisition grid. However, as this seamless take-over attack is so sophisticated, it can only be detected in the acquisition grid once it has driven the receiver’s tracking module some chips away from the legitimate signal.

Anti-spoofing techniques implementations:

  • APT implementation:

    New settings parameters were added to define the APT configuration. All of them are grouped together and their names start with the Apt prefix. The following table summarizes them:

Table 1: init structure new parameters regarding the APT feature (Own source)

The following modifications were made to the acquisition function in order to incorporate the APT feature.

  1. Acquisition function

• acqMode parameter: The acquisition function was modified to accept a new input parameter, called acqMode, which defines the set of satellites among which the function performs the acquisition. It can take two values:

– Normal

Acquisition in normal mode looks for the presence of all possible satellites in the received signal. This mode is used in the initial acquisition, when the receiver has not yet acquired any satellite and therefore does not know which satellites are present. Its objective is to determine the visible satellites and provide an estimate of the Doppler frequency and code phase of each.

– APT

Acquisition in APT mode only performs the acquisition of the previously acquired satellites; it does not look for satellites declared not visible in the initial acquisition. Restricting the number of satellites reduces the computational load remarkably, under the assumption that the spoofer will only attack the satellites visible to the victim receiver.

• Statistic test: This new feature uses a statistic test defined as the ratio of the highest peak to the third highest peak in the acquisition search grid.

The following flowcharts show how the new acquisition.m function works.

Figure 17: Acquisition with APT feature flowchart part 1 (Own source)


Figure 18: Acquisition with APT feature flowchart part 2 (Own source)

  2. Channel initialization

This part, implemented in the preRun.m function, realizes the idea of allocating more than one channel per satellite. The primary channel is responsible for the traditional tracking process, whereas the second, third, etc. channels, referred to as auxiliary channels, attempt to detect a spoofing signal by launching the acquisition module. Therefore, apart from the channels that track the signals with the values estimated in the acquisition, the channel initialization also contains the channels dedicated to detecting a spoofing signal in the form of a secondary peak in the acquisition search grid. To do so, depending on the settings parameter AptNumberChannelsPerSat, more than one channel is allocated for each acquired signal. These auxiliary channels are given the tracking status ’APT’. An example of the modified channel structure is the following:


Figure 19: channel structure with the APT feature example (Own source)

  3. Tracking function

The tracking function was also modified because, in the original software, it is where the code goes through the whole incoming signal and processes it. The APT detection process has the same nature, as it also goes through the whole signal. However, whereas tracking processes the incoming signal millisecond by millisecond, APT detection processes fragments of 42 milliseconds spaced AptPeriod milliseconds apart.

As in the original code, the tracking function still examines all the channels it receives as input. Now, however, it checks the channel status and, depending on it, performs either the original tracking process or the new APT detection process. The latter reads 42 milliseconds of the incoming signal located AptPeriod milliseconds after the previous APT check and performs an acquisition in ’APT’ mode. The acquisition function itself is responsible for looking for a spoofing peak in the acquisition search grid and triggering an alarm if it exceeds the established APT threshold.

The following flowchart summarizes the receiver’s workflow including the new APT feature.


Figure 20: Tracking with APT feature flowchart (Own source)
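The APT detection rule from the technique description (a secondary peak more than τmax chips away from the main one), the acqMode restriction, the highest/third-highest peak statistic and the 42 ms every AptPeriod ms schedule, put together in an added Python example. This is not the gist’s MATLAB code nor Borre’s receiver: the function and parameter names, the default threshold and τmax values, the toy correlation profile, and the rule that a secondary peak only counts when it exceeds the third peak by the same threshold are all assumptions. The third constructed profile illustrates the caveat from the synchronous-attack section: a spoofing peak still inside the main correlation lobe cannot be separated in the grid.

```python
# Added example, not code from the gist or from Borre's MATLAB receiver: a toy
# Auxiliary Peak Tracking (APT) check over one code-phase row of an acquisition
# grid. Parameter names mirror the report's Apt* settings but are assumptions, as
# are their default values and the rule used to call a secondary peak significant.
import random

CODE_LENGTH_CHIPS = 1023      # GPS L1 C/A code length in chips
SAMPLES_PER_CHIP = 4          # constructed sampling density of the toy grid
GRID_SAMPLES = CODE_LENGTH_CHIPS * SAMPLES_PER_CHIP


def prns_to_search(acq_mode, acquired_prns):
    """acqMode 'normal' searches every PRN; 'apt' re-acquires only the PRNs the
    initial acquisition declared visible (the report's two acquisition modes)."""
    if acq_mode == "normal":
        return list(range(1, 33))
    if acq_mode == "apt":
        return sorted(set(acquired_prns))
    raise ValueError("unknown acqMode: %r" % acq_mode)


def code_phase_distance(a, b):
    """Circular distance in chips between two code phases."""
    d = abs(a - b) % CODE_LENGTH_CHIPS
    return min(d, CODE_LENGTH_CHIPS - d)


def make_profile(peaks, noise_level=1.0, seed=1):
    """Construct a code-phase correlation profile: triangular peaks (+-1 chip
    wide) of the given amplitudes on a noise floor with a small random ripple.
    `peaks` is a list of (code_phase_chips, amplitude). Constructed data."""
    rng = random.Random(seed)
    profile = [noise_level * (1.0 + 0.1 * rng.random()) for _ in range(GRID_SAMPLES)]
    for phase, amplitude in peaks:
        for i in range(GRID_SAMPLES):
            d = code_phase_distance(i / SAMPLES_PER_CHIP, phase)
            if d < 1.0:
                profile[i] += amplitude * (1.0 - d)
    return profile


def pick_peaks(profile, count=3, exclusion_chips=1.0):
    """Return up to `count` (code_phase_chips, value) pairs: the global maximum,
    then the maximum outside +-exclusion_chips of every peak already taken, and
    so on, so the shoulders of one correlation triangle are not counted again."""
    excluded = [False] * len(profile)
    half = int(exclusion_chips * SAMPLES_PER_CHIP)
    found = []
    for _ in range(count):
        candidates = [(v, i) for i, v in enumerate(profile) if not excluded[i]]
        if not candidates:
            break
        value, index = max(candidates)
        found.append((index / SAMPLES_PER_CHIP, value))
        for k in range(-half, half + 1):
            excluded[(index + k) % len(profile)] = True
    return found


def apt_check(profile, apt_threshold=2.5, apt_tau_max=1.5):
    """One APT acquisition over a profile: computes the report's statistic
    (highest peak / third highest peak) and raises the spoofing flag when a
    secondary peak is itself well above the noise reference given by the third
    peak (assumed rule: second / third > apt_threshold) and lies more than
    apt_tau_max chips from the main peak."""
    peaks = pick_peaks(profile, count=3)
    if len(peaks) < 3:
        return {"ratio": None, "flag": False, "separation_chips": None, "peaks": peaks}
    (tau1, p1), (tau2, p2), (_, p3) = peaks
    separation = code_phase_distance(tau1, tau2)
    flag = (p2 / p3) > apt_threshold and separation > apt_tau_max
    return {"ratio": p1 / p3, "flag": flag, "separation_chips": separation, "peaks": peaks}


def apt_fragment_starts(total_ms, apt_period_ms, fragment_ms=42, first_ms=0):
    """Start times (ms) of the fragments an APT channel reads: fragment_ms of
    signal every apt_period_ms, never running past the end of the recording."""
    return list(range(first_ms, total_ms - fragment_ms + 1, apt_period_ms))


# Constructed profiles mirroring the report's TEXBAT observations.
CLEAN = make_profile([(300.0, 6.0)])                    # legitimate peak only
NON_SYNC = make_profile([(300.0, 6.0), (303.0, 4.0)])   # second peak 3 chips away
SEAMLESS = make_profile([(300.0, 6.0), (300.5, 4.0)])   # second peak inside the main lobe

if __name__ == "__main__":
    for name, profile in (("clean", CLEAN), ("non-sync", NON_SYNC), ("seamless", SEAMLESS)):
        r = apt_check(profile)
        print("%-9s ratio=%.2f separation=%s flag=%s"
              % (name, r["ratio"], r["separation_chips"], r["flag"]))
    print("APT mode PRNs:", prns_to_search("apt", [23, 13, 13]))
    print("APT fragment starts (ms):", apt_fragment_starts(5000, 1000))
```

Only the non-synchronous profile raises the flag: in the clean profile the second and third peaks are both noise, and in the seamless profile the spoofing peak falls inside the exclusion zone of the main lobe, so, as the report observes for ds7, it only becomes visible once the two peaks have drifted more than a chip apart.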

  • NAVI implementation: The first necessary change was to widen the scope of the navigation message processing. Initially, the code only decoded the ephemeris of one frame (five subframes), i.e. 1500 bits or 30 seconds of signal. Therefore, in order to monitor the TOW parameter properly, the code had to be made able to decode all the frames contained in the entire navigation message.

    Consequently, the initial ephemeris structure, whose attributes contained the ephemeris of one frame, had to be converted into a list of ephemeris structures.

    Once the list of ephemeris structures was obtained, the naviTowSpoofingDetection.m function was written. It receives a list of ephemeris as input and checks the consistency of the TOW parameter among the different frames: for each pair of consecutive subframes it performs the TOW consistency check and displays its status in the command window.
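The TOW consistency check described here and in the NAVI section of the state of the art, as an added Python example; it is not the gist’s naviTowSpoofingDetection.m. The subframe record layout, function names and sample TOW values are constructed, the TOW is assumed to be already converted to seconds, and the example also wraps the TOW at the end of the GPS week (604800 s), a case the report does not mention.

```python
# Added example, not the gist's naviTowSpoofingDetection.m: TOW consistency check
# across consecutive GPS L1 C/A subframes. Each subframe lasts 6 s, so the decoded
# TOW must advance by exactly 6 s from one subframe to the next (the report's rule).
# Handling the end-of-week rollover is an addition on top of that rule.
GPS_WEEK_SECONDS = 604800
SUBFRAME_PERIOD_S = 6


def expected_next_tow(tow_s):
    """TOW (seconds) the next subframe must carry, wrapping at the end of the week."""
    return (tow_s + SUBFRAME_PERIOD_S) % GPS_WEEK_SECONDS


def navi_tow_check(subframes):
    """Check TOW consistency over decoded subframes of one PRN in reception order.
    Each subframe is a dict with 'prn', 'subframe_id' and 'tow_s' (assumed already
    in seconds). Returns one report per consecutive pair with the expected and
    observed TOW and a status of 'ok' or 'inconsistent', so a caller can display
    it the way the original prints to the command window."""
    reports = []
    for prev, cur in zip(subframes, subframes[1:]):
        if prev["prn"] != cur["prn"]:
            raise ValueError("subframes of different PRNs cannot be compared")
        expected = expected_next_tow(prev["tow_s"])
        reports.append({
            "prn": cur["prn"],
            "subframe_id": cur["subframe_id"],
            "expected_tow_s": expected,
            "observed_tow_s": cur["tow_s"],
            "status": "ok" if cur["tow_s"] == expected else "inconsistent",
        })
    return reports


def navi_flag(subframes):
    """True when any consecutive pair is inconsistent: the report's spoofing alarm."""
    return any(r["status"] == "inconsistent" for r in navi_tow_check(subframes))


def subframe_stream(prn, tows, first_id=1):
    """Build constructed subframe records for `prn` with the given TOW sequence,
    cycling the subframe id through 1..5."""
    return [{"prn": prn, "subframe_id": (first_id - 1 + k) % 5 + 1, "tow_s": t}
            for k, t in enumerate(tows)]


# Constructed streams: a clean sequence, one whose TOW jumps by 12 s between two
# consecutive subframes, and one crossing the end-of-week rollover.
CLEAN = subframe_stream(13, [259200, 259206, 259212, 259218, 259224])
JUMPED = subframe_stream(13, [259200, 259206, 259218, 259224])
ROLLOVER = subframe_stream(23, [604788, 604794, 0, 6])

if __name__ == "__main__":
    for name, stream in (("clean", CLEAN), ("jumped", JUMPED), ("rollover", ROLLOVER)):
        for r in navi_tow_check(stream):
            print(name, "PRN", r["prn"], "subframe", r["subframe_id"],
                  "expected", r["expected_tow_s"], "observed", r["observed_tow_s"], r["status"])
        print(name, "NAVI flag:", navi_flag(stream))
```

Without the modulo in expected_next_tow the last legitimate subframe of every week would be reported as inconsistent, which is the kind of false alarm a detector that is only tested on a few minutes of TEXBAT data would never reveal.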

Results

The APT spoofing detection technique was evaluated with the Receiver Operating Characteristic (ROC), a graph containing the probability of detection as a function of the false alarm probability for the several APT thresholds.

For instance, for the scenario 7 PRN23:

Figure: ROC curve for scenario 7, PRN 23

The NAVI spoofing detection technique could not be tested as we could not find any spoofed signal with this particular spoofing.

Code repository

https://github.com/ericsg1999/TFG_AntiSpoofingNew.git

References

[1] Borre, Kai, et al. A software-defined GPS and Galileo receiver: a single-frequency approach. Springer Science & Business Media, 2007.

[2] Ranganathan, A., Ólafsdóttir, H. and Capkun, S. "SPREE: A Spoofing Resistant GPS Receiver". Proceedings of the 22nd Annual International Conference on Mobile Computing and Networking, 348–360 (2016).

[3] Wang, Wenyi, Na Li, Renbiao Wu and Pau Closas. "Detection of induced GNSS spoofing using S-curve-bias." Sensors 19.4 (2019): 922.

[4] Humphreys, Todd. "Statement on the vulnerability of civil unmanned aerial vehicles and other systems to civil GPS spoofing." University of Texas at Austin (July 18, 2012): 1-16.
