Developing Defenses Against
Jamming & Spoofing of Civilian
GNSS Receivers
Mark L. Psiaki
Sibley School of Mechanical & Aerospace Engr.,
Cornell University
ION/GNSS 2011, 23 Sept. 2011
Approach of an Estimation Theorist:
Reductionist Problem Solving
Problem Givens:




Spoofers & jammers will be deployed against civilian GNSS
receivers (mostly GPS at present)
GNSS signal structures will not be modified to aid defenses
Likely jammers can be bought & studied
Likely spoofers can be designed/imagined/modeled
Strategies for Developing Defenses:

Jamming:



Acquire, examine, test, & characterize jammers
Design detection, localization, & mitigation systems for known jammers
(like computer anti-virus software)
Spoofing:

Exploit encrypted military signals & known timing/phasing relative to
defended civilian signals
ION/GNSS Sept. ‘11
2 of 11
Jamming Mitigation Strategies

Detection & localization

Deploy networked array of advanced GNSS receivers in defended region



Detection & localization strategies








Simultaneous frequency/time excision
Pose as Kalman-filter-based estimation problem & near/far signal reception problem
Requisite information:


Solve layered sequence of problems
1st detect
2nd rough-locate based on power at several nodes, simple algorithms
3rd fine-locate based on multi-node carrier-phase interferometry or TDOA to within meters –
exploit fine-scale correlations between multiple nodes & precise inter-receiver timing from GPS
4th interdict
Develop scalable algorithms with potential to deal with 100 or more jammers simultaneously
Receiver-based mitigation


Each node is small phased-array; beam steering allows GPS tracking under jamming
Example: on every New Jersey State police car near Newark Airport
Jammer time/frequency models enable efficient/accurate detection & localization
Generalized model-independent detection, localization, & mitigation for
new/unknown jammer types

Like computer anti-virus software that looks for unknown viruses based on suspicious
characteristics/behavior
ION/GNSS Sept. ‘11
3 of 11
Power & Spectral Time Evolution of a CigaretteLighter-Type Jammer *
*
from Mitch et al. “Signal Characteristics of Civil GPS Jammers”, ION/GNSS 2011
ION/GNSS Sept. ‘11
4 of 11
Jammer Effective Ranges from Attenuation Tests *
Faraday
Box
Signal
Combiner
*
GPS
Signal
Simulator
Victim
Receiver
from Mitch et al. “Signal Characteristics of Civil GPS Jammers”, ION/GNSS 2011
ION/GNSS Sept. ‘11
5 of 11
Future Issues in Jammer Detection &
Localization

How can one exploit frequency-sawtooth
structure of many known low-budget jammers
… in detection?
… in fine localization?
… in receiver mitigation? (Kalman-filter-based
coupled time/frequency excision?)
… in an environment with many such jammers?
ION/GNSS Sept. ‘11
6 of 11
Spoofing Detection via P(Y) Correlation *
GPS Satellite
Broadcast segments
of delayed, digitallysigned P(Y) features
Secure uplink of
delayed, digitallysigned P(Y) features
Transmitter of delayed,
digitally-signed P(Y)
features
UE with
- receiver for delayed,
digitally-signed P(Y)
features
- delayed processing
to detect spoofing
via P(Y) feature
correlation
*
GEO “bent-pipe”
transceiver
Secure antenna/receiver
w/processing to estimate
P(Y) features (or a single
antenna or a distributed
set of single-antennas)
from Psiaki et al. “Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals”, ION/GNSS 2011
ION/GNSS Sept. ‘11
7 of 11
Block Diagram of Generalized P(Y)
Correlation Spoofing Detector
UE receiver with
P(Y)fea extraction
processing
Correlation
registers
Spoofing
Detector
P(Y)fea
Digital signature verifier
User
Equipment
GPS
transmitter
P(Y)fea/est
UE receiver (or internet
link) for P(Y)fea
L1 C/A
& P(Y)
Secure
ground- P(Y)
Digital
Secure link to
fea
based
signer
broadcaster
antenna/
receiver
New Infrastructure
ION/GNSS Sept. ‘11
Wireless
(or internet)
broadcaster
8 of 11
Early Codeless Spoofing Attack Detection *
14
12
Successful determination that PRN
23 remains reliable because solid
turquoise detection statistic never
crosses below dashed brown threshold
Onset of spoofing attack
10
gamma
s
8
6
4
2
0
Successful detection of PRN 13
spoofing when solid blue detection
statistic cross below dashed green threshold
PRN 13 gamma detection statistic
PRN 13 predicted gamma mean
PRN 13 spoofing detection threshold
-2
PRN 23 gamma detection statistic
PRN 23 predicted gamma mean
-4
0
*
Build-up of significant spoofed
C/A code-phase error
PRN 23 spoofing detection threshold
50
100
150
Ithaca Receiver Time (sec)
200
250
from Psiaki et al. “Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals”, ION/GNSS 2011
ION/GNSS Sept. ‘11
9 of 11
Early Semi-Codeless Spoofing Attack Detection *
400
gamma detection statistic
Onset of spoofing attack
predicted gamma mean
350
spoofing detection threshold
a priori predicted gamma mean
a priori spoofing detection threshold
300
gamma
s
250
200
150
100
50
0
Successful detection of spoofing
when dashed green threshold crosses
above solid blue detection statistic
Build-up of significant spoofed
C/A code-phase error
-50
0
*
50
100
150
Receiver A Time (sec)
200
250
from Psiaki et al. “Civilian GPS Spoofing Detection based on Dual-Receiver Correlation of Military Signals”, ION/GNSS 2011
ION/GNSS Sept. ‘11
10 of 11
Future Issues in Defense Against Spoofing
Attack

Real-time implementation



Infrastructure





Sophisticated attack may seek to use pseudo- or estimated P(Y) code
Gaming analysis may guide designs that detect new attack types
Other signals



Capable & secure reference receivers
Help from military (declassify segments of P(Y) shortly after broadcast?)
Comm. infrastructure to transmit P(Y) data between receivers
Defense against alternate attack scenarios


Codeless possible in 6-12 months w/internet transmission
Semi-codeless needs improved algorithmic efficiency for real-time ops
M-code to defend GPS civilian codes
Encrypted Galileo signals to defend open-source Galileo codes
Post-detection receiver actions
ION/GNSS Sept. ‘11
11 of 11