MINISTRY OF EDUCATION AND TRAINING
HANOI UNIVERSITY OF SCIENCE AND TECHNOLOGY
NGUYEN VAN HIEN
DETECT AND LOCALIZE INTERFERENCE SOURCES FOR
GLOBAL NAVIGATION SATELLITE SYSTEMS
Major: Computer Engineering
Code No: 9480106
COMPUTER ENGINEERING DISSERTATION
SUPERVISORS:
1. Assoc. Prof. La The Vinh
2. Assoc. Prof. Fabio Dovis
Hanoi - 2022
STATEMENT OF ORIGINALITY AND AUTHENTICITY
I hereby declare that all the content and organization of the thesis is the product of my own research and does not compromise in any way the rights of third parties, and all citations are explicitly specified from credible sources. I further confirm that all the data and results in the thesis are performed on actual devices, completely true, and have never been published by anyone else.
ACKNOWLEDGEMENTS
First of all, I would like to sincerely thank my supervisor Assoc. Prof. La The Vinh for his guiding, supporting and motivating me throughout the whole of my PhD student time.
I would also like to express my gratitude to the members of the Navigation, Signal Analysis and Simulation (NavSAS) and Navis Centre. In many ways, they have contributed to all the research activities presented in the thesis. Mainly, I want to express my gratitude to Dr. Gianluca Falco and Dr. Nguyen Dinh Thuan; their endless support and huge knowledge have greatly contributed to my work. And I would like to express my gratitude to Dr. Emanuela Falletti, who offered scientific guidance and suggestions to help me develop and finish my research during my period at NavSAS. Thanks to Assoc. Prof. Fabio Dovis, who gave me important ideas and guided me to do my research, especially during my period at Politecnico di Torino.
I sincerely thank VINIF. With the great financial support of VINIF, my research conditions have greatly improved, and I am fully committed to the work with all of my creative energy.
This work was funded by Vingroup Joint Stock Company and supported by the Domestic Master/PhD Scholarship Programme of Vingroup Innovation Foundation (VINIF), Vingroup Big Data Institute (VINBIGDATA), code VINIF.2020.TS.129.
I would also like to thank the members of the dissertation committee for their insightful suggestions, which have helped me develop and finish this dissertation.
Last but not least, I am grateful to my parents and my wife for their unconditional love, encouragement, support and motivation, as well as for inspiring me to overcome all challenges and difficulties in order to finish this thesis.
2 RELATED WORK
2.1 Civil GNSS vulnerabilities to intentional interference
2.2 Radio Frequency Interference
2.4 Spoofing detection techniques
2.4.2 Spoofing detection algorithms 27
3.2 Detection of a subset of counterfeit GNSS signals based on the Dispersion
3.2.1 Differential Carrier-Phase Model and SoS Detector 38
3.2.2 Sum of Squares Detector Based on Double Differences 40
3.2.4 Detection of a Subset of Counterfeit Signals Based on the Dispersion of the Double Differences (D³) 44
3.2.5 Determination of the Decision Threshold
3.2.6 Cycle slip monitoring: the Doppler shift monitor
3.2.7 Reducing the probability of incorrect decision by time averaging 48
3.3 Performance Analysis of the Dispersion of Double Differences Algorithm to
3.3.1 Theoretical analysis of performance and decision threshold 54
3.3.2 Performance evaluation of robust D³ implementations 65
3.3.4 Performance assessment
3.4 A Linear Regression Model of the Phase Double Differences to Improve the
3.4.1 Limitations of the D³ algorithm
3.4.3 The proposed LR-D³ detector 83
3.4.4 Performance assessment with in-lab GNSS signals 87
3.5 Conclusions 92
4.1.3 Maximum likelihood for the Gaussian 100
4.1.4 The expectation maximization algorithm for GMM (source [67]) 101
4.2 A Gaussian Mixture Model Based GNSS Spoofing Detector using Double Difference of Carrier Phase in simple spoofing scenario 108
4.3 A novel approach to classify authentic and fake GNSS signals in
ADC Analog to Digital Converters
C/N0 Carrier-to-Noise density
CDMA Code Division Multiple Access
D³ Dispersion of the Double Differences
DVBT Digital Video Broadcasting Terrestrial
FDMA Frequency Division Multiple Access
GLRT General Likelihood Ratio Test
GNSS Global Navigation Satellite Systems
GPS Global Positioning System
GSM Global System for Mobile Communications
IMU Inertial Measurement Units
OEM Original Equipment Manufacturer
PVT Position, Velocity and Time
RFI Radio Frequency Interference
TNR True Negative Rate
TPR True Positive Rate
UMTS Universal Mobile Telecommunications System
VSD Vestigial Signal Defense
LIST OF TABLES
Table 2.1 Techniques of GNSS spoofing detector based on signal features 29
Table 3.1 Percentage of correct decisions for SoS and D³ in the three scenarios under
Table 3.2 Statistical performance of the D³ algorithm with two baselines 67
Table 3.3 Static tests: estimation of the probability of missed detection on the counterfeit signals (%). The ‘overall’ case is the probability of missed detection of
Table 3.4 Static tests: Estimation of the probability of false alarms on the authentic
Table 3.5 Dynamic tests: aircraft trajectories description 73
Table 3.6 Dynamic test TRJ1: Estimation of the probability of missed detection on the counterfeit signals (%). The ‘overall’ case is the probability of missed detection
Table 3.7 Dynamic test TRJ1: Estimation of the probability of false alarm on the
Table 3.8 Dynamic test TRJ2: Estimation of the probability of missed detection on
Table 3.9 Dynamic test TRJ2: Estimation of the probability of false alarm on the
Table 3.10 Static test with Real Measurements: Detection Results for Test #1 77
Table 3.11 Dynamic tests with Real Measurements: Tests trajectories description 77
Table 3.12 Dynamic tests with Real Measurements: Detection Results for Test #4 78
Table 3.13 Comparison of detection performance for 2 hours of signal simulation
Table 3.14 Detection performance as a function of C/N0
Table 4.1 The result of cross validation testing 120
Table 4.2 The result of Fractional DDs in case of Intermediate spoofing attack, where the DDs of authentic satellites cross the ones related to the spoofed satellites 122
Table 4.3 Normalized confusion matrix of Fractional DDs in case of Intermediate
LIST OF FIGURES
Figure 2.1 The environment for transmitting signals from satellites to receivers
Figure 2.6 Cheap jammers are widely sold online (source: [38]) 24
Figure 2.7 Techniques for Detecting GNSS Interference 25
Figure 2.8 Three continuum of spoofing threat: simplistic, intermediate, and
Figure 2.9 A summary of the various spoofing detection methods available in the literature (source: [13])
Figure 2.10 Angle of arrival of GNSS satellite 30
Figure 2.11 Angle of arrival defense spoofing
Figure 3.2 A fundamental GNSS receiver architecture (source: [46]) 35
Figure 3.5 Block diagram of SoS Detector 38
Figure 3.7 Reference geometry for the dual-antenna system 40
Figure 3.10 Fractional DD measurements and SoS detection metric in mixed tracking conditions under spoofing attack. Only three signals out of nine are counterfeit. The
Figure 3.11 Example of cycle slips effect on the SoS metric in the presence of single sources. The detector is not able to reveal a spoofing attack when cycle slips occur 43
Figure 3.12 Zero baseline fractional DD measurements for various values of input C/N0 ratio. In this setup the ratio was equal for all the simulated signals 46
Figure 3.13 Empirical mapping of the relationship between the threshold and input
Figure 3.14 Fractional DD measurements and SoS metric in the presence of single
Figure 3.15 Authentic signals scenario 49
Figure 3.16 Simplistic spoofing attack scenario 50
Figure 3.17 Intermediate spoofing attack scenario 50
Figure 3.18 Fractional DD measurements and SoS metric in the Authentic signals scenario. When cycle slips occur, the DDs are not computed 52
Figure 3.19 D³ detector results in the Authentic signals scenario
Figure 3.20 Fractional DDs in case of Intermediate spoofing attack, where the DDs of authentic satellites (PRN 23) cross the ones related to the spoofed satellites 54
Figure 3.21 Fractional DD measurements in mixed tracking conditions under spoofing attack. Five signals of eight are counterfeit. The reference signal is
Figure 3.22 Normalized distribution under the H1 condition: comparison between
Figure 3.23 Normalized distribution under the H1 condition: comparison between theoretical and sample distribution 58
Figure 3.24 Relationship between the non-centrality parameter λ and pairwise Pfa under the H0 condition (logarithmic scale on the Y axis) 58
Figure 3.25 Comparison between the theoretical Pmd and the computed missed-detection rate Rmd for various values of the detection threshold 59
Figure 3.26 Theoretical values of PD (3.24) as a function of the threshold and for several non-
Figure 3.27 Evaluation of the feasible range of values for the non-centrality parameter λ as a function of the difference |mi - mk| and of the standard deviation of the measurement noise σ 61
Figure 3.28 Measured values of Rmd as a function of the threshold for a two-hour simulation in which |mi - mk| varies along time and so does the non-centrality parameter λ 61
Figure 3.29 Pairwise operating curves (i.e., pairwise PD as a function of the pairwise Pfa) for the D³ detection rule, for several non-centrality parameters λ 62
Figure 3.30 Estimated Pfa for the D³ algorithm under the H0 condition 64
Figure 3.31 ROC curves for the D³ spoofing detection algorithm, for several non-
Figure 3.32 Estimated Pfa for the D³ algorithm with averaged fractional DDs, under the H0 condition and for different averaging window lengths 66
Figure 3.33 Comparison of ROC curves for the D³ spoofing detection algorithm with 1 and 2 baselines, for several non-centrality parameters λ 68
Figure 3.38 Sequences of decisions, with false alarms, in the standard D³ spoofing detector algorithm for PRNs 25 and 16 80
Figure 3.39 Example of fractional DD approximated by piecewise straight lines 80
Figure 3.40 Example of estimated value of line slope and intercept 82
Figure 3.41 Measured pairwise missed-detection rate for the detection events A and B evaluated on three data collections at different SNR 86
Figure 3.42 Overall probability of missed-detection (Pmd) estimated for the LR-D³
Figure 3.43 Measured pairwise false-alarm rate for the detection events A and B
Figure 3.47 Decisions produced by the LR-D³ algorithm
Figure 3.48 Examples of slope estimates (a) and intercept estimates (c), and associated pairwise false alarm rates for events A (b) and B (d). Here PRN 7
Figure 3.49 Measured missed-detection rate and false alarm rate, evaluated on three data collections at different C/N0 (dataset 1: 39 dBHz, dataset 2: 42 dBHz, dataset 3: 45 dBHz) as a function of the detection threshold
B evaluated on three data collections at different distances of the two antennas
Figure 4.1 Block diagram of sophisticated GNSS spoofing detector using GMM 94
Figure 4.2 The single variable Gaussian is plotted with μ = 0 and σ = 1 95
Figure 4.3 Example of a Gaussian mixture distribution in one dimension; green, blue, and yellow are shown as components, and their sum is shown in black 96
Figure 4.4 Illustration of a mixture of 3 Gaussian components in 2D. a) Constant density contour for the 3 components of the mixture; b) The contour of the boundary probability density p(x) of the mixed distribution; c) Show the distribution of p(x)
Figure 4.5 Graph showing a mixed model in which the combined distribution is
Figure 4.8 Illustration of EM algorithm, data distribution and evaluation of PDF by EM. a) After 1/100 iteration; b) After the 2/100 iteration; c) After the 5/100 iteration; d) After the 10/100 iteration; e) After the 15/100 iteration; f) After 20/100 iteration; g) After 30/100 iteration; h) After 38/100 iteration 106
Figure 4.9 Double carrier phase difference and GMM density functions of spoofed
Figure 4.10 Fractional DD measurements and SoS detection metric in mixed tracking conditions under spoofing attack with a fake satellite as the reference 110
Figure 4.11 Fractional DD measurements and SoS detection metric in mixed tracking conditions under spoofing attack with an authentic satellite as the reference 111
Figure 4.12 DD points distribution of all the 4-satellite combinations (spoofed 1a 2s: all the points corresponding to the combinations in which the reference is spoofed, the other three contain 1 authentic and 2 spoofed satellites)
Figure 4.13 DD of real data and fake data. To make the reasonability of the approach clear, we analyse the difficulty of spoofing identification in the below cases 112
Figure 4.14 DD of the data has only one fake satellite 113
Figure 4.15 GMM of DD of the data has only one fake satellite 113
Figure 4.16 The DD planes for the mixed data, including two spoofed satellites and
Figure 4.20 Test configuration of GNSS simulation system 118
Figure 4.21 Phase difference for real signal 118
Figure 4.22 Phase difference of conventional simulation signal 119
Figure 4.23 Phase difference of the multi-directional simulation signal 119
Figure 4.24 Fractional DDs in case of Intermediate spoofing attack, where the DDs of authentic satellites (PRN 25) cross the ones related to the spoofed satellites 121
Figure 4.25 False alarm in the D³ detector: a fractional DD from a genuine satellite crosses the DDs of the spoofed satellites 121
ABSTRACT
Global Navigation Satellite Systems (GNSS) spoofing is a pernicious type of intentional interference where a GNSS receiver is fooled into tracking counterfeit signals, with the purpose of inducing misleading information into the application it is used for.
This work presents the development of a dual-antenna GNSS spoofing detection technique based on the analysis of the dispersion of the double differences of carrier phase measurements produced by two GNSS receivers (D³ technique). No synchronization of the receivers is needed for the algorithm to properly work. The algorithm is derived from the idea of the Sum of Squares (SoS) detector, recently presented as a simple and efficient way to detect a common angle of arrival for all the GNSS signals arriving at a pair of antennas. The presence of such a common angle is recognized as an undisputed indication of spoofed GNSS signals. Nonetheless, some limitations can be identified in the SoS algorithm. First of all, the assumption that all the signals arrive from the same source: situations are possible in which the receiver tracks only a subset of counterfeit signals, out of the whole signal ensemble. The idea presented in this work intends to overcome such limitations, properly modifying the SoS detection metric to identify subsets of counterfeit signals. The analysis is supported by several simulation tests, in both nominal and spoofed signal conditions, to prove the effectiveness of the proposed method.
However, the D³ technique has not been analyzed in a rigorous theoretical way so far, and the detection threshold was, for instance, set only empirically. Aiming at filling these gaps, this work intends to revise the main concepts of the aforementioned technique in a clear mathematical way. Thus, the detection threshold will be given according to a target probability of missed detection. Moreover, the work provides a thorough analysis of expected performance in terms of probability of missed detection and probability of false alarm, addressing them first as pairwise probability, then as overall probability. The effect of the signal C/N0 ratio on these detection performances is analyzed. Methods to reduce the occurrence of events of false alarm are also discussed. Eventually, an assessment of the performance of the D³ algorithm is evaluated through a set of tests that emulate real working conditions.
Moreover, this work presents the development of a new metric to improve the performance of the D³ algorithm. The new metric is based on a linear regression applied to the fractional phase double differences. The original D³ algorithm is sometimes prone to false alarms and to missed detections. The idea presented in this work intends to overcome such limitations by leveraging the fact that the fractional double differences are characterized by having a piecewise linear trend, with different slopes and intercepts. By evaluating the dispersion of these two parameters instead of the double difference measurements directly, it is possible to design a more robust spoofing detector. The performance of this linear regression-based method is very promising, since no cases of false alarms or of missed detections have been observed in all the performed tests.
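The dispersion-of-double-differences idea in miniature, as an added Python example that is not the thesis's own code: it simulates carrier-phase single differences for a one-metre east-west antenna baseline, forms wrapped fractional double differences against a reference signal, and applies two simplified checks, a dispersion threshold for the single-source case and a pairwise grouping for the mixed-tracking case in which only a subset of signals is counterfeit. The satellite directions, baseline, noise level, thresholds and the variance-based metric are constructed assumptions, not the thesis's values or its exact detection statistic.

```python
import math
import random

L1_WAVELENGTH_M = 0.19029  # GPS L1 carrier wavelength in metres

# Constructed scenario (assumption, not the thesis's setup): six tracked signals
# with (azimuth, elevation) in degrees, a 1 m east-west antenna baseline, one
# spoofer direction, and carrier-phase noise in cycles.
DIRECTIONS = [(30, 45), (120, 20), (200, 60), (280, 35), (340, 70), (70, 50)]
SPOOF_DIRECTION = (150, 15)
BASELINE_M = (1.0, 0.0, 0.0)
NOISE_STD_CYCLES = 0.005
DISPERSION_THRESHOLD = 0.01  # cycles^2, chosen by hand for this scenario
PAIR_TOLERANCE = 0.1         # cycles, chosen by hand for this scenario


def unit_vector(az_deg, el_deg):
    """Unit line-of-sight vector (east, north, up) from azimuth and elevation."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    return (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))


def wrap_cycles(x):
    """Reduce a phase difference in cycles to [-0.5, 0.5): the fractional part
    that remains once the unknown integer ambiguities cancel."""
    return x - math.floor(x + 0.5)


def single_difference(baseline_m, los, noise_std, rng):
    """Carrier-phase single difference between the two antennas, in cycles.
    Simplified model: baseline projected onto the line of sight divided by the
    wavelength, plus an unknown integer ambiguity and Gaussian noise."""
    geometric = sum(b * u for b, u in zip(baseline_m, los)) / L1_WAVELENGTH_M
    return geometric + rng.randint(-50, 50) + rng.gauss(0.0, noise_std)


def simulate_epoch(spoofed, seed):
    """Single differences for one epoch; signals whose index is in `spoofed`
    all arrive from SPOOF_DIRECTION, i.e. from a single transmit antenna."""
    rng = random.Random(seed)
    sds = []
    for k, direction in enumerate(DIRECTIONS):
        los = unit_vector(*(SPOOF_DIRECTION if k in spoofed else direction))
        sds.append(single_difference(BASELINE_M, los, NOISE_STD_CYCLES, rng))
    return sds


def fractional_double_differences(single_diffs, ref_index):
    """Wrapped DDs of every other signal against the reference signal."""
    ref = single_diffs[ref_index]
    return [wrap_cycles(sd - ref) for k, sd in enumerate(single_diffs) if k != ref_index]


def dispersion(values):
    """Sample variance of the fractional DDs, in cycles^2."""
    mean = sum(values) / len(values)
    return sum((v - mean) ** 2 for v in values) / (len(values) - 1)


def single_source_spoofing(single_diffs, ref_index=0, threshold=DISPERSION_THRESHOLD):
    """Single-source check: when every signal shares the reference's angle of
    arrival, all fractional DDs collapse to noise around zero and the
    dispersion falls below the threshold."""
    return dispersion(fractional_double_differences(single_diffs, ref_index)) < threshold


def same_direction_groups(single_diffs, tol=PAIR_TOLERANCE):
    """Mixed-tracking check: a pairwise wrapped DD near zero marks two signals
    that share an angle of arrival. Returns index groups; a group of two or
    more signals is a candidate counterfeit subset. On a single epoch two
    authentic signals can coincide by chance, which is why a practical
    detector also averages decisions over time."""
    n = len(single_diffs)
    groups, assigned = [], [False] * n
    for i in range(n):
        if assigned[i]:
            continue
        group, assigned[i] = [i], True
        for j in range(i + 1, n):
            if not assigned[j] and abs(wrap_cycles(single_diffs[j] - single_diffs[i])) < tol:
                group.append(j)
                assigned[j] = True
        groups.append(group)
    return groups


if __name__ == "__main__":
    cases = [("authentic", set()), ("all spoofed", set(range(6))), ("mixed", {1, 2, 3})]
    for name, spoofed in cases:
        sds = simulate_epoch(spoofed, seed=1)
        print(name, "single-source alarm:", single_source_spoofing(sds),
              "groups:", same_direction_groups(sds))
```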
In the next contribution, we propose a novel method to effectively detect GNSS spoofing signals. Our approach utilizes mixtures of Gaussian distributions to model the Double Carrier Phase Difference (DD) produced by two separated receivers. DD values contain the angle of arrival (AoA) information and a small amount of Gaussian noise. The authentic GNSS signals come from different directions, therefore AoA values are different for each satellite. In contrast, spoofing signals from one broadcaster should always have the same direction. Therefore, DD values of authentic satellites contain mainly the double difference of AoA values, while DD of spoofing satellites contains only an insignificant amount of Gaussian noise. That rough observation is the theoretical basis for our proposal, in which we use a Gaussian Mixture Model (GMM) to learn the distribution of DD values calculated for both kinds of satellites. The pre-trained GMMs are then utilized for detecting spoofed signals coming from a spoofer.
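A two-component GMM fitted by Expectation-Maximization to constructed fractional DD samples, as an added Python example that is not the thesis's code or data: the narrow component models spoofed DDs (noise around zero), the broad one models authentic DDs, and a held-out set is scored as TPR/TNR. The sample distributions, sizes and seeds are constructed assumptions.

```python
import math
import random


def gaussian_pdf(x, mu, sigma):
    """Univariate normal density."""
    z = (x - mu) / sigma
    return math.exp(-0.5 * z * z) / (sigma * math.sqrt(2.0 * math.pi))


def make_dd_samples(n_spoofed, n_authentic, seed):
    """Constructed fractional DD samples in cycles with labels (True = spoofed).
    Assumption: spoofed DDs are pure measurement noise around zero; authentic
    DDs carry a geometry-dependent offset, modelled here as one broad Gaussian."""
    rng = random.Random(seed)
    xs = [rng.gauss(0.0, 0.01) for _ in range(n_spoofed)]
    xs += [rng.gauss(0.2, 0.15) for _ in range(n_authentic)]
    return xs, [True] * n_spoofed + [False] * n_authentic


def fit_gmm_1d(data, n_iter=200, min_sigma=1e-4):
    """EM for a two-component 1-D GMM. Component 0 starts narrow at zero
    (spoofed hypothesis), component 1 broad at the sample mean (authentic
    hypothesis). Returns (weights, means, sigmas)."""
    n = len(data)
    mean = sum(data) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in data) / n)
    w, mu = [0.5, 0.5], [0.0, mean]
    sg = [max(std / 10.0, min_sigma), max(std, min_sigma)]
    for _ in range(n_iter):
        # E-step: responsibility of each component for each sample
        resp = []
        for x in data:
            p = [w[k] * gaussian_pdf(x, mu[k], sg[k]) for k in range(2)]
            tot = p[0] + p[1]
            resp.append([p[0] / tot, p[1] / tot] if tot > 0.0 else [0.0, 1.0])
        # M-step: re-estimate weight, mean and standard deviation per component
        for k in range(2):
            nk = sum(r[k] for r in resp)
            if nk == 0.0:
                continue
            w[k] = nk / n
            mu[k] = sum(r[k] * x for r, x in zip(resp, data)) / nk
            var = sum(r[k] * (x - mu[k]) ** 2 for r, x in zip(resp, data)) / nk
            sg[k] = max(math.sqrt(var), min_sigma)
    return w, mu, sg


def is_spoofed(x, model):
    """Classify one DD value: spoofed if the narrow component is the more likely one."""
    w, mu, sg = model
    return w[0] * gaussian_pdf(x, mu[0], sg[0]) > w[1] * gaussian_pdf(x, mu[1], sg[1])


def evaluate(model, samples, labels):
    """True positive rate (spoofed flagged) and true negative rate (authentic passed)."""
    tp = sum(1 for x, s in zip(samples, labels) if s and is_spoofed(x, model))
    tn = sum(1 for x, s in zip(samples, labels) if not s and not is_spoofed(x, model))
    n_pos = sum(labels)
    return tp / n_pos, tn / (len(labels) - n_pos)


def train_and_test(seed_train=1, seed_test=2):
    """Fit on one constructed set, score on an independent one."""
    train, _ = make_dd_samples(300, 300, seed_train)
    model = fit_gmm_1d(train)
    test, labels = make_dd_samples(200, 200, seed_test)
    return model, evaluate(model, test, labels)


if __name__ == "__main__":
    model, (tpr, tnr) = train_and_test()
    print("means", model[1], "sigmas", model[2], "TPR", tpr, "TNR", tnr)
```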
1 INTRODUCTION
1.1 Overview
The Global Navigation Satellite Systems are used in many civil fields for positioning services that need accuracy and security (Figure 1.1), such as vehicle tracking, unmanned aircraft, precise agriculture, pay-as-you-drive, financial transactions, etc. All these services could potentially be attacked by hackers for economic or even terroristic interests [1], [2]. In fact, almost all services rely on GNSS civil signals, which are easily interfered with, unintentionally or intentionally. In reality, the threat of intentional Radio Frequency Interference (RFI), such as jamming or spoofing attacks, is growing in popularity. The major hazard in this situation is when the receiver is not aware of being fooled; therefore, it does not raise any alarm to the hosting system, which is induced to make wrong and possibly hazardous decisions based on spoofed position, velocity and time (PVT) information [3]-[7]. This attack is known by the name of ‘spoofing’ [1]-[11].
This perception has been motivated by technological progress and by the availability of advanced software-defined radio (SDR) platforms, making the development of GNSS spoofers not only feasible but also affordable [13], [14]. Furthermore, many public channels are active sources of information and awareness, as for example web sites, social platforms and online magazines [15]-[18].
Spoofing attacks can be defeated by exploiting specific features which are difficult to counterfeit at the signal, measurement, and position level [9], [10], [19]-[24]. A detailed survey of the most promising techniques for spoofing detection proposed in the last decade for civil signals can be found in [10], where several methods are described and compared in terms of complexity and effectiveness. Among all these families of approaches, spatial processing based on the AoA defense is probably the most robust and effective technique to detect and possibly mitigate the counterfeit signals [24], [25]. However, AoA-based methods in cost-constrained mass-market applications are still difficult for several reasons: cost of the equipment, complexity of the processing and size of the installation.
In [13], [26], the authors developed a method for spoofing detection based on differential carrier phase measurements from a pair of receivers and antennas; it neither requires dedicated hardware nor needs special constraints on the geometry of the system; only the knowledge of the baseline (of the relative position of the two receiving antennas) is needed. However, although these methods have been proved to be simple but efficient techniques to detect spoofing attacks, they still have some limitations that will be discussed in the following sections.
According to [10], [22], [27], spoofing attacks can be divided into three main categories: simple spoofing attack, intermediate spoofing attack, and sophisticated spoofing attack. The simple spoofing attack can be easily detected by the existing techniques [10]. However, these methods may not detect well the intermediate spoofing attack and the sophisticated spoofing attack [10]. Recently, those kinds of attacks have proved to be increasingly popular [2], [28]. Therefore, the thesis focuses on the study of spoofing detection in the intermediate and sophisticated cases to ensure the reliability and accuracy of services using GNSS.
1.2 Motivation
From the analysis above, it can be seen that ensuring the safety and reliability of GNSS applications is increasingly important and urgent. Currently, the proposed detection methods are not really practically effective [13], [27], [29]-[31]: they either require directly interfering with the system signal or using auxiliary equipment, leading to higher costs. Meanwhile, the affordable AoA approaches are however not really effective in complex attack situations. Therefore, the first motivation in this work is to propose a method to improve the performance of low-cost AoA-based methods to detect intermediate and complicated spoofings (spoofed signals coming from different directions).
Regarding the dataset for spoofing detection research, most of the GNSS simulators (IFEN, Spirent, SkyDel, Teleorbit, etc.) generate uni-direction signals or require a specific costly license for multi-direction signals. Therefore, the second motivation of the thesis is to propose a method to generate fake signals from different directions for the validation of complicated spoofing detection methods.
1.3 Problem statement
To the best of our knowledge, spoofing detection based on AoA is perhaps the most powerful and efficient technique for detecting and possibly minimizing false signals [24], [25]. However, its use in commercial applications is limited by a number of reasons: cost, processing complexity and size of the receiver.
The authors of [13], [26] develop a simple method for spoofing detection based on differential carrier phase measurements from a pair of receivers and antennas. It requires neither specialized hardware nor special geometrical constraints; the only technical requirements are the synchronization of the receivers and the distance between the two antennas. This method is known as the sum of squares (SoS) detector. Unlike other works [32], SoS models the integer ambiguity component of the carrier phase measurement as random variables having values in a set of integer ambiguities. These variables are deduced using the general likelihood ratio test (GLRT) approach
while the remaining ones are still authentic (so-called ‘mixed tracking’ in the rest of the work) [2], [19], [28].
In this work, we focus on proposing AoA-based spoofing detection methods which address the limitations pointed out in typical existing work (especially in the SoS approach). Furthermore, we are also interested in validating our method in complicated spoofing scenarios wherein spoofed signals may come from different directions. However, it is a fact that generating multi-direction spoofed signals requires special high-cost equipment installation; therefore, we propose to use a software-based receiver approach to modify the signal phase to simulate the signal's angle of arrival.
in the second method to detect spoofing signals coming from multiple directions. To attack spoofing from many different directions, we have to synchronize the spoofing signal generators. To implement this method, we have to use high-precision and expensive clocks. Therefore, we use the method of transmitting only one spoof satellite to fool the receiver.
1.5 Contribution
This work focuses on solving the spoofing detection problem based on the AoA approach. In addition, to overcome the limitation of the lack of datasets for testing spoofing detectors, we also propose a method for simulating unauthentic signals in two typical scenarios: spoof only and mixed signals from different directions. Our work has the below main contributions:
First, we propose AoA-based methods for spoof detection; in our proposal we utilize the D³ measurement to overcome the limitation of the existing SoS methods.
V. H. Nguyen, G. Falco, M. Nicola, and E. Falletti (2018), “A dual antenna GNSS spoofing detector based on the dispersion of double difference measurements”, in Proc. 9th ESA Workshop on Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), Noordwijk, Netherlands, Dec. 5-7, 2018, DOI: 10.1109/NAVITEC.2018.8642705
N. Van Hien, G. Falco, E. Falletti, M. Nicola and T. V. La (2020), “A Linear Regression Model of the Phase Double Differences to Improve the D3 Spoofing Detection Algorithm,” 2020 European Navigation Conference (ENC), 2020, pp. 1-14, doi: 10.23919/ENC48637.2020.9317320
E. Falletti, G. Falco, V. H. Nguyen and M. Nicola (2021), “Performance Analysis of the Dispersion of Double Differences Algorithm to Detect Single-Source GNSS Spoofing,” in IEEE Transactions on Aerospace and Electronic Systems, vol. 57, no. 5, pp. 2674-2688, Oct. 2021, doi: 10.1109/TAES.2021.3061822
Second, this thesis introduces a novel approach to classify authentic and fake GNSS signals using Gaussian Mixture Models (GMMs) and increase detection accuracy while eliminating the need for any parameter tuning process through automated learning (Expectation Maximization algorithm). This method can improve the performance of the algorithm to detect spoofed signals in the sophisticated case.
Nguyen Van Hien, Nguyen Dinh Thuan, Hoang Van Hiep, La The Vinh (2020), “A Gaussian Mixture Model Based GNSS Spoofing Detector using Double Difference of Carrier Phase”, Journal of Science and Technology of Technical Universities, pp. 012-047, Vol. 144 (6-2020)
Third, we develop a method to simulate signals coming from different directions which are used to validate the detection algorithm in multi-direction attack scenarios.
Nguyễn Văn Hiền, Cần Văn Toàn, Nguyễn Đình Thuận, Hoàng Văn Hiệp (2020), "Method for generating multi-directional GNSS simulation data using software-defined radio technology", pp. 178-185, Special issue of the Institute of Electronics, 9-2020, Journal of Military Science and Technology Research
1.6 Thesis outline
The dissertation is composed of five chapters as follows
Chapter 1 Introduction. This chapter briefly introduces the research area. The importance of the topic, the definitions and the existing approaches are clearly addressed. Then the contributions of the thesis are also presented clearly.
Chapter 2 Related Work. This chapter first summarizes the importance of services using GNSS. Then, a comprehensive survey of the previous algorithms and existing work relating to interference detectors is presented. The limitations of the previous algorithms are clearly analysed and resolved.
Chapter 3 Intermediate GNSS spoofing detector based on angle of arrival. The development of a dual-antenna GNSS spoofing detection technique based on the dispersion of the double differences of carrier phase measurements created by two GNSS receivers is presented in this chapter.
Chapter 4 Sophisticated GNSS spoofing detector based on angle of arrival. The chapter presents an algorithm using an automated learning process (Expectation Maximization algorithm); this approach can improve detection accuracy and detect GNSS spoofing in the sophisticated scenario while obviating the need for any parameter tuning procedures.
Chapter 5 Conclusion and future works. A conclusion is given in this chapter. Furthermore, some limitations of the work are presented, along with possible solutions, which may need additional study.
2 RELATED WORK
This chapter presents vulnerabilities of civil GNSS with more focus on different types
of spoofing techniques We also briefly introduce some state-of-the-art methods for
GNSS spoofing detection and analyse the advantages as well as disadvantages of the surveyed methods From the analysis, we propose our approach to improve the current limitations of the existing work
2.1 Civil GNSS vulnerabilities to intentional interference
Because of the low SIS (Signal in Space) signal strength [33] (Figure 2.2) (GPS L1 C/A code: -158.5 dBW, Galileo E1: -157 dBW) and the physical environment in which signals are transmitted from satellites to receivers (Figure 2.1), GNSS receivers are extremely vulnerable. An interfering signal that is just a few orders of magnitude stronger than the minimum received GNSS signal intensity will cause a receiver to lose lock on a satellite. Navigation receivers are vulnerable to strong interfering signals such as jamming, ionospheric and tropospheric effects and RF emitters
on L3-band), the GLONASS-M satellites (including CDMA signals on L3-band since 2014), and the GLONASS-K2 satellites, have begun to include additional CDMA signals (launched in 2018, transmitting CDMA signals also on L1- and L2-bands). In the presence of interfering signals, the receiver's despreading procedure spreads the power of the interfering signal over a large bandwidth, as shown in Figure 2.2. Other radio frequency signals can also cause problems, such as Digital Video Broadcasting - Terrestrial (DVBT), which is used as an incentive signal, has harmonics in the
Figure 2.2 The low SIS signal power of GNSS (source: [35])
2.2 Radio Frequency Interference
Figure 2.4 Radio frequency interference (intentional and unintentional interference, e.g. DVBT)
With its low signal power, GNSS can be attacked by RFI (Radio Frequency Interference), both unintentional and intentional, as shown in Figure 2.4.
(1) Unintentional interference
Radio frequency systems such as radar systems, DVBT, VHF (Very High Frequency) systems, mobile satellite services, and personal electronics with high power harmonics and intermodulation products [28] can inadvertently interfere with the GNSS signal. However, this kind of interference is somewhat resolved by proper radio frequency band management policies which are currently used by all governments.
(2) Intentional interference
The first type of intentional RFI is jamming A jamming attacker uses devices to
generate powerful signals in the GNSS band (Figure 2.6), resulting in various effects
(which may lead to failed operation of GNSS receivers) [37] With the existing handheld GNSS jammers, GNSS signals within a radius of a few tens of meters are
completely disrupted The operating principle of these devices is to use a chirp signal
to intervene in the GNSS signal's operating frequency range To the best of our knowledge, there are no effective methods for reducing the impact of this type of
attack
Spoofing is another form of intentional interference and is one of the most dangerous attacks (Figure 2.5), because this technique uses devices to broadcast fake GNSS signals to mislead the victim GNSS receiver's position or time information without completely disrupting its operations. The incorrect position, velocity and time information produced by the attacked receiver may result in even more serious problems if it is used in other important systems such as financial transaction synchronization, energy transmission, etc.
2.3 GNSS Interference detection techniques
In [12], [28], [33], [39], [40], the authors list several GNSS interference detection methods (as shown in Figure 2.7).
(2) C/N0 monitoring
All GNSS receivers support the C/N0 parameter. The interference can be modelled as an addition to the noise variance [28]. However, this technique may fail to work if the presence of the jammer is "masked" or "filtered" by an estimation algorithm.
(3) Time-domain statistical analysis
In [33], non-stationary interference is typically concentrated in a small region of the time-frequency (TF) plane. The general procedure is to compare the peak magnitude of the received signal's TF distribution with a predefined threshold. However, this method has a high computational complexity. Therefore, it is difficult to implement the algorithm on a commercial receiver with limited computation capability.
(4) Post-correlation statistical analysis
In this approach, the Chi-square Goodness of Fit (GoF) test, implemented in a software receiver, is applied against two live spoofing datasets [42]. The results obtained in two scenarios (static and dynamic) demonstrate the GoF's ability to detect the fake signal. However, similarly to the time-domain statistical analysis technique, this method also has a high computational complexity. In addition, this method is implemented on a software receiver, which makes it hard to make available on existing commercial receivers.
2.4 Spoofing detection techniques
Figure 2.8 The three levels on the continuum of spoofing threat: simplistic, intermediate and sophisticated attacks (source: [27])
2.4.1 Classification of spoofing threat
According to [10], [25], [27], spoofing attacks can be divided into three main
categories (see Figure 2.8):
(1) Simplistic attacks
The construction of this spoofer includes a GNSS signal simulator in combination with an RF terminal used to mimic real GNSS signals. These signals are basically not synchronized with the real GNSS signals. Thus, the spoofing signals look like noise to a receiver operating in monitor mode (even if the broadcast power is higher than that of the actual signal) [10]. However, this type of device can deceive commercial receivers, especially if the power of the spoofing signal is higher than that of the authentic signal. This signal simulator is easy to detect using various anti-spoofing techniques such as amplitude tracking, checking the consistency between different measurements and checking for consistency with inertial measurement units (IMU).
(2) Intermediate attacks
This is more advanced than the simple spoofer. It includes a GNSS receiver combined with a spoofing transmitter. The system first synchronizes with the GNSS signal by extracting the current satellite position, time and calendar from the GPS receiver, then it generates fake signals based on this information and transmits them toward the target receiving antenna. Some of the difficulties in building this system are referencing the spoofing signals to the intended target receiver with the correct delay and signal strength. Another downside is that the spoofing power must be higher than the authentic signal power to fool the GNSS receiver, and the carrier phase must be aligned with the authentic signals. This type of spoofer overcomes many of the spoofing detection techniques of conventional single receivers because it synchronizes with the authentic signal and can spoof the receiver in tracking mode. This type of spoofer uses an antenna that transmits all signals from the same direction, so it can be detected via the AoA [13], [26].
(3) Sophisticated attacks
According to [10], this is the most complicated and dangerous of all the spoofers. This type assumes knowledge of the centimeter-level position of the antenna phase center of the receiver under attack, in order to perfectly synchronize the spoofing signal code and carrier phase with the authentic signal. This type of spoofer can take advantage of a number of special antennas that can pass direction-based detection techniques. In this case, the spoofer needs to synthesize an array manifold matching that of the authentic signals to defeat a direction-based spoofing detection system. The complexity of this device is much higher than that of the two above, and at the same time it has a high cost and high operating complexity [10]. In addition, there are some physical limitations regarding the location of the transmitting antenna and the target receiver antenna. Detecting this type of spoofing is quite complex. This spoofing signal can be detected using integrated inertial measurement systems. Attacks of this type can be defended against by using data encryption.
2.4.2 Spoofing detection algorithms
Figure 2.9 depicts a high-level overview of various anti-spoofing approaches.
(1) Cryptographic
According to [13], the most effective defense is the cryptographic defense, but it necessitates that GNSS signals be designed to support cryptographic functions. Cryptographic defenses are further classified as encryption-based approaches, which require fully or partially encrypted GNSS signals, and authentication-based defenses, which require GNSS signals to have specific features that allow them to be authenticated. Signal encryptions include code and navigation message encryptions.
Figure 2.9 (diagram residue) Spoofing detector approaches: cryptographic approaches (navigation message and code encryption); approaches relying on inertial units, GSM/UMTS or any system providing PVT-related information; signal-feature approaches (vestigial signal, amplitude correlation, AGC gain, noise floor, clock bias)
wireless fidelity (Wi-Fi), and cellular-based location. A detailed survey of the most promising techniques for spoofing detection proposed in the last decade for civil signals can be found in [23], where several methods are described and compared in terms of complexity and effectiveness.
(3) Signal Features
Several spoofing detection techniques rely on signal characteristics that are difficult to fake, as shown in Table 2.1.
Vestigial signal defense: In [20], to detect spoofing attacks, this technique monitors distortions in the complex correlation domain. The 'vestigial signal defense' is based on the assumption that the original GNSS signals are also present during a spoofing attack [20] and that the presence of residual signal components can be verified by an ad-hoc receiver. The VSD is a stand-alone software-defined defense, which means it has a low implementation cost and adds no size or weight to the receiver. It cannot be implemented in a commercial receiver.
Table 2.1 Techniques of GNSS spoofing detector based on signal features (table residue: vestigial signal defense, which monitors distortions in the complex correlation domain [20]; amplitude correlation; AGC gain, which employs the automatic gain control mechanism [43]; with pros such as low computational complexity and cons such as being a stand-alone software-defined defence that cannot be implemented in a commercial receiver)
Amplitude correlation: In [41], the authors investigated a moving antenna to distinguish between the spatial signatures of authentic and spoofing signals by monitoring the amplitude and Doppler correlation of the visible satellite signals; it is not affected by the spatial multipath fading of the GNSS signals. This technique is complex to implement because of the moving receiver.
In [19], the authors developed two methods of spoofing detection, namely the Chi-square Goodness of Fit (GoF) test and a signature test applied to paired correlation differences, for each satellite tracked by the receiver. The algorithms show a certain effectiveness in detecting the spoofing attack. The GoF test also seems reliable under dynamic conditions and in the case of a large energy difference between spoofing and authentic signals. However, these two methods are developed on software receivers with complex algorithms, which are quite difficult to apply on commercial receivers.
AGC gain: In [43], a monitor in the Radio Frequency (RF) front end using the automatic gain control (AGC) mechanism is outlined. A GNSS simulator signal is broadcast and its power level is greater than that of the received true GNSS signal. This technique has low computational complexity, but it is implemented on a stand-alone software-defined defense and cannot be implemented in a commercial receiver. It can be difficult for this technique to distinguish between interference, environmental changes and noise.
Angle of Arrival: The angle-of-arrival (AoA) of a GNSS signal (Figure 2.10) is the direction from which the signal is received. These techniques are analysed in terms of complexity, cost and performance, as well as in terms of robustness against the type of spoofing attack [44]. Most of the techniques discussed in the literature are intended for single-antenna receivers, since this is the most common operative condition in which receivers operate. Nonetheless, spoofing transmitters are expected to broadcast all the counterfeit signals from one antenna, while the authentic signals are transmitted by the satellites in orbit from widely separated directions with respect to the receiver [10]. The AoA defense exploits the fact that genuine GNSS signals come from different directions, whereas counterfeit signals are likely transmitted from a single source [23]-[25].
Figure 2.10 Angle of arrival of GNSS satellite
Figure 2.11 Angle of arrival defense against spoofing. First approach: based on SDR platforms; the receivers share a common oscillator; the geometry of the system is known; the estimation of the baseline vector is required. Second approach: commercial off-the-shelf GNSS receivers; the two receivers operate independently; they do not share a common oscillator; no assumption is made on the geometry of the system; the estimation of the baseline vector is not required.
Among all these families of approaches, spatial processing based on the AoA defense is probably the most robust and effective technique to detect and possibly mitigate counterfeit signals [24], [25]. However, this method has two approaches, as shown in Figure 2.11. The first approach uses the estimation of direction-of-arrival characteristics. This technique uses a multi-antenna receiver with a common oscillator and is deployed on a software receiver [25], [45]; its use in cost-constrained mass-market applications is still difficult for several reasons: the cost of the equipment, the complexity of the processing and the size of the installation.
In [21], [26] the authors developed a simple method (based on the estimation of the difference of direction-of-arrival characteristics) for spoofing detection, based on differential carrier phase measurements (difference of direction-of-arrival) from a pair of receivers and antennas; it does not require dedicated hardware nor special constraints on the geometry of the system; only a basic synchronization of the receivers and the knowledge of the baseline, i.e., of the relative position of the two receiving antennas, is needed. This method is called the sum-of-squares (SoS) detector. Differently from other works [32], the SoS models carrier phase cycle ambiguities as random variables that take values on an arbitrary set of integers. Thus, they do not need to be estimated. This formulation, derived using the generalized likelihood ratio test (GLRT) approach, leads to the SoS detector, where the decision variable is expressed as the sum of squared carrier phase single differences corrected for a pseudo-mean and for their integer parts [21], [26].
Although this method has been proved to be a simple but efficient technique to detect spoofing attacks, it still has some limitations: the SoS approach considers just the condition of having the whole signal ensemble either counterfeit or authentic, while it does not consider possible scenarios where the victim's receiver is locked onto a subset of spoofed satellites only, while for the remaining ones the tracking stage continues on the authentic signals. This situation is indicated as 'mixed tracking'. Several in-lab tests have shown this 'mixed tracking' condition to be quite common, in particular at the beginning of an attack [13], [29].
The original SoS detector would fail in detecting the presence of the subset of spoofed signals. Therefore, in this work, we modify the SoS method in order to make it robust against such a situation. Since all the spoofing signals are spatially correlated due to their common direction of arrival, all the differential measurements related to such signals have a similar (correlated) magnitude, and this correlation remains over time. On the contrary, when we consider signals coming from the true satellites, the differential measurements have independent magnitudes, because the signals are not spatially correlated. Such a correlation is another indicator of a common transmitting source and will be used in this work as another degree of robustness added to the SoS to detect likely counterfeit signals. In this way we identify a robust modification of the original SoS detector, based on a test metric built on the dispersion of the double difference measurements from a pair of antennas.
2.5 Conclusions
In this chapter 2, we have presented an overview of techniques for detecting interference signals on GNSS. The first part of this chapter shows the vulnerability of GNSS, which is the low signal power and the harsh environment for signal transmission from satellites to receivers. Because of this vulnerability, GNSS is very vulnerable to intentional and unintentional interference, which is described in the second part. The most serious of the interferences is the spoofing attack. In this chapter, the existing algorithms for detecting spoofed signals are clearly analyzed. The methods that use AoA are the most effective among the GNSS spoofed signal detecting algorithms. The techniques for detecting spoofed signals based on AoA are the topic of this thesis.
3 INTERMEDIATED GNSS SPOOFING DETECTOR BASED ON
is based on a spherical positioning system in which all transmitters (satellites) are synchronized. The receiver calculates a signal parameter whose value is proportional to the distance from the sources: the Time of Arrival (ToA). The signals must be timestamped to correspond to the transmission time. The centres of the spheres are the satellites, and the distance is the radius. The intersection of at least three spheres must be used to determine the location, as shown in Figure 3.1. In this thesis we focus on the GPS system, although the approach can be extended to all satellite navigation signals and systems; all the algorithms presented in this thesis are based on the GPS signal.
Figure 3.1 Spherical positioning system of GNSS
In GNSS, the time measurement is done as follows: the receiver only receives the signal, in one direction; the satellites must be synchronized with high precision (within a few ns).
A pulse transmitted by a satellite at time t_0 is received at time t_0 + τ. Equation (3.1) is an approximation of the distance between TX and RX:
where c is the speed of light (~3·10^8 m/s). The measurement of t_0 + τ allows R to be determined if both synchronized oscillators are perfect. However, the clocks of receivers cannot be synchronized with the satellite time scale at low cost and
Then, signals received from the satellite have a bias due to the difference between GNSS time and the receiver's clock time. The receiver's measurements are known as pseudo-ranges. GNSS systems use four satellites to determine the location. Pseudo-ranges can be written as (3.2)
where ρ is the pseudo-range and δt_u is the user clock bias.
The user will calculate the four unknowns by measuring four pseudo-ranges as in (3.3), with respect to four satellites with known coordinates:
\rho_1 = \sqrt{(x_1 - x_u)^2 + (y_1 - y_u)^2 + (z_1 - z_u)^2} - b_{uc}
\rho_2 = \sqrt{(x_2 - x_u)^2 + (y_2 - y_u)^2 + (z_2 - z_u)^2} - b_{uc}
\rho_3 = \sqrt{(x_3 - x_u)^2 + (y_3 - y_u)^2 + (z_3 - z_u)^2} - b_{uc}
\rho_4 = \sqrt{(x_4 - x_u)^2 + (y_4 - y_u)^2 + (z_4 - z_u)^2} - b_{uc}
(3.3)
(x_i, y_i, z_i) is the satellite position (center of the pseudo-sphere);
\rho_i is the pseudo-range (radius of the pseudo-sphere);
b_{uc} = c \cdot \delta t_u is the clock bias.
Equation (3.3) can be solved by using a linearization process [16].
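Solving (3.3) by linearization, as an added worked example that is not the thesis's own code: Gauss-Newton iterations on the four pseudo-range equations with unknowns (x_u, y_u, z_u, b_uc), starting from the Earth's centre, with the sign convention of (3.3). The satellite positions, the user position and the clock bias are constructed values, not data from the thesis.

```python
import math

# Constructed scenario (not from the thesis): four satellite positions in metres,
# a true user position and a true receiver clock bias b_uc = c*dt_u.
SATS = [
    (15000e3, 5000e3, 20000e3),
    (-10000e3, 18000e3, 16000e3),
    (8000e3, -14000e3, 20000e3),
    (20000e3, 15000e3, 8000e3),
]
TRUE_USER = (1000e3, 5000e3, 3500e3)
TRUE_B = 300000.0  # about 1 ms of clock bias expressed in metres


def pseudorange(sat, user, b_uc):
    """One equation of (3.3): rho_i = sqrt(sum((sat - user)^2)) - b_uc (sign as in the thesis)."""
    return math.dist(sat, user) - b_uc


def example_pseudoranges():
    """The four measured pseudo-ranges of the constructed scenario."""
    return [pseudorange(s, TRUE_USER, TRUE_B) for s in SATS]


def solve_linear(a, b):
    """Solve the small square system a*x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        s = sum(m[r][k] * x[k] for k in range(r + 1, n))
        x[r] = (m[r][n] - s) / m[r][r]
    return x


def solve_position(rhos, sats=SATS, max_iter=20, tol=1e-6):
    """Linearize (3.3) around the current estimate and iterate (Gauss-Newton).

    Unknowns: x = [x_u, y_u, z_u, b_uc]. Each iteration solves J*delta = rho - g(x),
    where g_i(x) = |sat_i - user| - b_uc and J holds the partial derivatives of g_i.
    """
    x = [0.0, 0.0, 0.0, 0.0]  # initial guess: Earth centre, zero clock bias
    for _ in range(max_iter):
        user = x[:3]
        jac, res = [], []
        for sat, rho in zip(sats, rhos):
            r = math.dist(sat, user)
            # d|sat - user|/d user = -(sat - user)/r ; d(-b_uc)/d b_uc = -1
            jac.append([-(sat[k] - user[k]) / r for k in range(3)] + [-1.0])
            res.append(rho - (r - x[3]))  # measured minus predicted pseudo-range
        delta = solve_linear(jac, res)
        x = [xi + di for xi, di in zip(x, delta)]
        if max(abs(d) for d in delta) < tol:
            break
    return x


if __name__ == "__main__":
    est = solve_position(example_pseudoranges())
    print("estimated user position (m):", est[:3], "clock bias (m):", est[3])
```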
3.1.2 GPS signal
The GPS Signal in Space (SIS) received at the antenna can be described as [34], [46]:
s_k(t) = \sqrt{P_{R,k}}\, C_k(t - \tau_k)\, D_k(t - \tau_k)\, \exp\left(j\left[2\pi f_{d,k} t + \varphi_k\right]\right) \quad (3.4)
where:
P_{R,k} is the received signal power of the k-th satellite;
\tau_k is the propagation delay of the k-th satellite;
f_{d,k} is the Doppler frequency of the k-th satellite;
\varphi_k is the initial carrier phase of the k-th satellite;
C_k is the Coarse/Acquisition (C/A) code of the k-th satellite;
D_k is the navigation data bits of the k-th satellite.
Figure 3.2 A fundamental GNSS receiver architecture (source: [46])
Figure 3.2 shows a basic GNSS receiver architecture. The antenna receives the signals sent by the GPS satellites. The input signal is amplified to the correct amplitude and the frequency is converted to the desired output frequency through the RF front-end chain. The RF front-end can be disturbed by thermal noise, random electrical fluctuations, electromagnetic noise and interference signals (random or deterministic). The output signal is digitized using the Automatic Gain Control (AGC), which optimizes the gain according to the Analog-to-Digital Converter (ADC) dynamic range. The receiver's hardware includes the antenna, the RF chain and the ADC.
The acquisition stage refers to the process of locating a satellite's signal. The tracking stage is used to locate the navigation data's phase transitions. Subframes and navigation data can be accessed from the navigation data phase transitions. The navigation data can be used to acquire ephemeris data and pseudo-ranges. The satellite positions are calculated using the ephemeris data. Finally, from the satellite positions and pseudo-ranges, the user location can be determined.
3.1.4 GNSS spoofing
As shown in Figure 3.3, in the forward direction the receiver receives information about the satellite number (the Coarse/Acquisition (C/A) code), the position of the satellites and the time at which the satellite transmitted the signal (the navigation data bits). From this information, the receiver estimates the distance to each satellite. When signals from at least 4 satellites have been received, the receiver solves (3.3) to determine the position (x_u, y_u, z_u).
In the opposite direction, to generate spurious signals for a given user position, the satellite orbit information is needed; the ephemeris is widely published on websites such as [47]. Then the navigation data bits can be simulated.
Figure 3.3 (residue): the four pseudo-range equations of (3.3), \rho_i = \sqrt{(x_i - x_u)^2 + (y_i - y_u)^2 + (z_i - z_u)^2} - b_{uc}, i = 1, \ldots, 4
Figure 3.4 Block scheme of GPS simulator (diagram residue lists an interference model, continuous-wave and narrowband interference, and quantizing)
Figure 3.4 shows how spoofing signals are generated. To generate a fake position or time, the following parameters are needed: the C/N0, to compute the output signal power; the Ephemeris and Almanac, published on the website of IGS [48], together with the user location, to define the satellite number and the pseudo-range. The clock bias and the ionospheric and tropospheric parameters are estimated to be similar to those of the authentic signal.
3.2 Detection of a subset of counterfeit GNSS signals based on the Dispersion of the Double Differences (D³)
The first block in Figure 3.6 shows the development of a dual-antenna GNSS spoofing detection technique based on the dispersion of the double differences of carrier phase measurements (D³) made by two GNSS receivers. The approach does not require receiver synchronization to function effectively. The approach is based on the Sum of Squares (SoS) detector (as shown in Figure 3.5), which was recently introduced as a simple and efficient method of detecting a common angle of arrival for all GNSS signals arriving at a pair of antennas. The presence of such a common angle is recognized as an undisputed indication of spoofed GNSS signals. Despite this, various flaws in the SoS algorithm can be found. To begin with, contrary to the assumption that all signals originate from the same source, it is feasible that the receiver only tracks a subset of counterfeit signals out of the entire signal ensemble. The concept provided in this section aims to address these issues by changing the SoS detection measure to identify subsets of counterfeit signals. The efficiency of the suggested strategy is demonstrated by many simulation experiments in both authentic and spoofed signal situations.
Figure 3.5 Block diagram of SoS Detector (diagram residue): carrier phase measurements of two receivers (geometric range, ionospheric error, tropospheric error, satellite clock bias, receiver clock bias, integer ambiguities, noise) -> single carrier phase difference (removes ionospheric error, tropospheric error, satellite clock bias) -> sum of squared double carrier phase differences (removes integer ambiguities)
Diagram residue following Figure 3.5: carrier phase measurements of two receivers (geometric range, ionospheric error, tropospheric error, satellite clock bias, receiver clock bias, integer ambiguities, noise) -> single carrier phase difference (removes ionospheric error, tropospheric error, satellite clock bias) -> double carrier phase difference (DD) (removes receiver clock bias)
\varphi_i is the carrier phase measurement for the i-th satellite (i = 1, 2, \ldots), expressed in meters;
r_i is the geometric range between the receiver and the i-th satellite;
N_i is the integer ambiguity;
\lambda is the signal wavelength;
c is the speed of light;
\delta t_i is the i-th satellite clock error;
\delta T is the receiver clock error;
\varepsilon_{I,i} is the ionospheric error;
\varepsilon_{T,i} is the tropospheric error;
\varepsilon_i is a noise term accounting for residual un-modeled errors, including thermal noise and multipath.
If we consider two receivers observing the same satellites at the same time, we can use their output data to build single carrier phase differences for each satellite in common view:
\Delta\varphi_i = \varphi_i^{(1)} - \varphi_i^{(2)} = \left(r_i^{(1)} - r_i^{(2)}\right) + \lambda\left(N_i^{(1)} - N_i^{(2)}\right) + c\left(\delta T^{(1)} - \delta T^{(2)}\right) + \Delta\varepsilon_i \quad (3.6)
where the superscripts (1) and (2) denote measurements from the two receivers. For short baselines, the ionospheric and tropospheric errors are cancelled out. Moreover, the range difference between the satellite and the receivers (r_i^{(1)} - r_i^{(2)}) can be expressed as in [26]:
where D is the distance between the two antennas and \alpha_i is the angle of arrival (AoA) of the i-th satellite signal, as depicted in Figure 3.7. The Double carrier phase Difference (DD) between the i-th satellite single difference and the reference satellite single difference, here indicated with the subscript 'r', removes the differential clock bias term (\delta T^{(1)} - \delta T^{(2)}) from (3.6):
\nabla\Delta\varphi_i = \frac{1}{\lambda}\left(\Delta\varphi_i - \Delta\varphi_r\right) = \frac{D}{\lambda}\left(\cos(\alpha_i) - \cos(\alpha_r)\right) + \left(\Delta N_i - \Delta N_r\right) + \frac{1}{\lambda}\left(\Delta\varepsilon_i - \Delta\varepsilon_r\right) \quad (3.7)
with \Delta N_i = N_i^{(1)} - N_i^{(2)}, expressed in units of cycles. Notice that the choice of using the double difference measurements \nabla\Delta\varphi_i in the construction of the detector is equivalent to the option expressed in [26], equation (10), and further discussed in [13], equation (39).
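The pairwise check implied by (3.6) and (3.7), as an added example that is not part of the thesis: when two tracked signals share an angle of arrival, the (D/λ)(cos α_i − cos α_r) term vanishes and their double difference reduces to an integer plus noise, so its wrapped value stays near zero over the whole window, while for two true satellites it drifts as the geometry changes. The scenario (six satellites, their AoA values and drift rates, the 1 m baseline, the 3 mm phase noise and the common clock term) is constructed, and the 0.1-cycle threshold is an assumption, not a value from the thesis.

```python
import math
import random
from itertools import combinations

LAMBDA_L1 = 0.1903   # GPS L1 carrier wavelength in metres
D = 1.0              # assumed baseline between the two antennas, metres
SIGMA_SD = 0.003     # assumed noise of a single difference, metres


def wrap_cycles(x):
    """Map a value in cycles to [-0.5, 0.5]: removes the integer ambiguity of (3.7)."""
    return x - round(x)


def simulate_single_differences(spoofed, epochs=300, seed=7):
    """Constructed scenario: single differences (3.6), in metres, for six satellites.

    Satellites in `spoofed` arrive from one common angle of arrival (one transmitter);
    the others have distinct, slowly drifting angles. The receiver clock term is common
    to all satellites and cancels in the double difference.
    """
    rng = random.Random(seed)
    alpha0 = [0.3, 1.4, 2.2, 0.9, 1.2, 2.6]                   # initial AoA, rad
    rate = [0.0035, -0.002, 0.001, -0.0015, 0.0015, -0.003]   # AoA drift, rad/epoch
    alpha_spoof = 1.0                                          # spoofer AoA, rad
    delta_n = [rng.randint(-50, 50) for _ in alpha0]           # integer ambiguities
    sd = {}
    for i in range(len(alpha0)):
        series = []
        for t in range(epochs):
            alpha = alpha_spoof if i in spoofed else alpha0[i] + rate[i] * t
            clock = 0.5 + 1e-4 * t                # c*(dT1 - dT2), drifting, common
            noise = rng.gauss(0.0, SIGMA_SD)
            # (3.6): D*cos(alpha) + lambda*dN + clock + noise (iono/tropo cancelled)
            series.append(D * math.cos(alpha) + LAMBDA_L1 * delta_n[i] + clock + noise)
        sd[i] = series
    return sd


def double_difference(sd_i, sd_r, lam=LAMBDA_L1):
    """(3.7) in cycles for satellite i against reference r, integer part removed."""
    return [wrap_cycles((a - b) / lam) for a, b in zip(sd_i, sd_r)]


def pairwise_dispersion(sd, lam=LAMBDA_L1):
    """Mean |wrapped DD| over the observation window for every satellite pair."""
    return {(i, j): sum(abs(v) for v in double_difference(sd[i], sd[j], lam)) / len(sd[i])
            for i, j in combinations(sorted(sd), 2)}


def detect_common_source(sd, threshold=0.1):
    """Flag satellites whose DD with another satellite stays near an integer.

    A common AoA makes the (D/lambda)(cos a_i - cos a_j) term vanish, so the wrapped DD
    is noise only; true satellites have different, changing angles. The threshold
    (cycles) is an assumption for this constructed scenario.
    """
    flagged = set()
    for (i, j), dispersion in pairwise_dispersion(sd).items():
        if dispersion < threshold:
            flagged.update((i, j))
    return flagged


if __name__ == "__main__":
    print("mixed tracking:", sorted(detect_common_source(simulate_single_differences({0, 1, 2}))))
    print("all authentic :", sorted(detect_common_source(simulate_single_differences(set()))))
```

Two true satellites can by chance sit near the same wrapped value for a short window, so in practice the window length and threshold must be tuned against the expected phase noise and satellite motion.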