GPS and Solar Radio Burst Forensics Brady O'Hanlon, Paul Kintner

GPS Spoofing Detection System
Mark Psiaki & Brady O’Hanlon, Cornell Univ., Todd Humphreys & Jahshan Bhatti, Univ. of Texas at Austin
Abstract:
A real-time method for detecting GPS spoofing in a narrow-bandwidth civilian GPS receiver is being developed. It is needed to detect malicious spoofed signals that seek to deceive a C/A-code civilian GPS receiver regarding its position or time. The ability to detect a spoofing attack is important to the reliability of systems such as cell-phone towers, the power grid, and commercial fishing monitors. The spoofing detector mixes and accumulates base-band quadrature channel samples from two receivers, one a secure reference receiver and the other the defended User Equipment (UE) receiver. The resulting statistic detects the presence or absence of the encrypted P(Y) code that should be present in both signals in the absence of spoofing.

[Receiver block diagram labels: Trusted Receiver; UE Receiver Needing Spoofing Detection; L1 RF front end; carrier replica generator; feedback; π/2; additional C/A code processing; Internet link; P(Y) code crosscorrelation]

Challenges
• Encrypted military P(Y) signal necessitates squaring operations and SNR loss
• Wide bandwidth of P(Y) code causes 75-80% power loss, further degrading SNR, and significant waveform distortions in narrow-band civilian receiver
• Bandwidth of communications link from trusted reference receiver to defended UE receiver
• Constrained real-time signal processing capabilities in low-power UE receiver

Solutions
• Use known, tracked civilian C/A code and known relationships between C/A and P(Y) code to guide correlation times and expected signal levels
• Analyze narrow-band filter power losses and distortion
• Develop signal detection statistical analysis to design reasonable accumulation intervals
• Use semi-codeless detection techniques by estimating W anti-spoofing bits in reference receiver and transmitting only those to UE
• Broadcast spoofing detection data over internet in real-time

Codeless Detection Statistical Analysis
• Normalized detection statistic:
• Detection threshold and probability of detection:
• Predicted mean and variance absent spoofing:
[Equation fragments as extracted, with symbols missing: M; RFA RFB; Tcorr Δt (C/N0)A (C/N0)B; 2; 1 2 Δt (C/N0)A; 1 2 Δt (C/N0)A (C/N0)B; 1 2 Δt (C/N0)A; th; Pdetect p( | H1)d N( ;0,1)d; th; p( | H0)d N( ; , )d; M 1 2 Δt (C/N0)A; i 1; y rawAi y rawBi; 2]

[Figure 1. Spoofing detection receiver architecture. Block labels: additional C/A code processing; sampled, quantized data at IF; carrier replica generator; feedback.]
[Figure 2. Hardware & profile of a spoofing attack.]
[Figure 3. Codeless verification of no spoofing.]
[Figure 4. Codeless detection of a spoofing attack.]
[Plot labels for Figures 3 and 4, gamma (Normalized Spoofing Detection Stat) against Time (sec): Predicted Mean Value based on C/A code; Spoofing Detection Threshold, PFA = 0.01%, Pdetect = 99.9999999999972%; PRN 12 predicted mean value based on C/A code; Onset of spoofing attack; PRN 02 (unspoofed) detection statistic; Successful Verification of lack of Spoofing for PRN 02; Successful Spoofing Detection for PRN 12; PRN 02 Spoofing Detection Threshold, PFA = 0.01%, Pdetect = 99.99999999972%; PRN 12 Spoofing Detection Threshold, PFA = 0.01%; Pdetect = 96.6673%; before spoofing event; Pdetect = 99.99999999953%; before spoofing event; Pdetect = 99.9939% after event; PRN 12 (spoofed) Detection Statistic after event; PRN02 predicted mean value based on C/A code.]
[Figure 5. Comparison of 2 semi-codeless detection statistics, case of no spoofing. Labels: Sure +1/-1 W Chips; Expected W Chips in range -1 to +1; Normalized UE Receiver Correlation; Time (microsec).]

Results & Conclusions
• Narrow-band-filtered P(Y) code useful for spoofing detection
• 20-25% of P(Y) power suffices to detect spoofing
• Spoofing detection threshold analysis requires characterization of power loss
• W-bits semi-codeless detection requires distortion model
• Codeless & semi-codeless techniques both work
• Successful codeless detection of real spoofing attack (first ever demonstration) with 1.2 sec detection interval
• Semi-codeless detection intervals as short as 0.1 sec possible.
• Needed Efforts
• Modest UE receiver modifications for after-the-fact detection
• Significant modifications for real-time detection
• Establishment of reference station network or intermittent after-the-fact W-bits declassification
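
The codeless dual-receiver check described in the abstract and statistical analysis, as an added simulation that is not from the poster or its authors. The signal model (unknown ±1 chips common to both receivers, unit-variance Gaussian noise, no narrow-band filter loss), the amplitudes and all function names are assumptions made for this example.

```python
import math
import random
from statistics import NormalDist

# Assumed toy model (not the poster's): each quadrature sample is
# amp * w + unit-variance Gaussian noise, where w is the unknown +/-1
# encrypted chip common to both receivers. Filter losses are ignored.

def simulate(m, amp_a, amp_b, spoofed, rng):
    """Return constructed sample lists for reference (A) and UE (B)."""
    y_a, y_b = [], []
    for _ in range(m):
        w = rng.choice((-1.0, 1.0))
        y_a.append(amp_a * w + rng.gauss(0.0, 1.0))
        # A spoofer cannot reproduce the encrypted chips: B holds noise only.
        y_b.append((0.0 if spoofed else amp_b * w) + rng.gauss(0.0, 1.0))
    return y_a, y_b

def gamma_stat(y_a, y_b, amp_a):
    """Sum of sample products, scaled to unit variance under spoofing."""
    scale = math.sqrt(len(y_a) * (1.0 + amp_a ** 2))
    return sum(a * b for a, b in zip(y_a, y_b)) / scale

def threshold(m, amp_a, amp_b, p_fa=1e-4):
    """Return (gamma_th, p_detect) for a false-alarm probability p_fa."""
    norm = 1.0 + amp_a ** 2
    mean_h0 = math.sqrt(m) * amp_a * amp_b / math.sqrt(norm)
    sigma_h0 = math.sqrt((1.0 + amp_a ** 2 + amp_b ** 2) / norm)
    gamma_th = mean_h0 + sigma_h0 * NormalDist().inv_cdf(p_fa)
    return gamma_th, NormalDist().cdf(gamma_th)  # spoofed: gamma ~ N(0, 1)

def is_spoofed(y_a, y_b, amp_a, amp_b, p_fa=1e-4):
    """Flag spoofing when the statistic falls below the threshold."""
    gamma_th, _ = threshold(len(y_a), amp_a, amp_b, p_fa)
    return gamma_stat(y_a, y_b, amp_a) < gamma_th

if __name__ == "__main__":
    rng = random.Random(1)
    for spoofed in (False, True):
        y_a, y_b = simulate(100_000, 0.2, 0.2, spoofed, rng)
        print(spoofed, round(gamma_stat(y_a, y_b, 0.2), 2),
              is_spoofed(y_a, y_b, 0.2, 0.2))
```

Shortening the accumulation length m or lowering the amplitudes pulls the no-spoofing mean toward the threshold and reduces the detection probability, which is the trade-off behind the accumulation-interval design mentioned under Solutions.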