- On the use of low - cost inertial measurement units for autonomous spoofing detection in vehicular applications, James Curran, ESA (The Netherlands), Ali Broumandan, University of Calgary (Canada)
The use of wireless positioning systems, such as GNSS, for the purposes of the monitoring and regulation has risen sharply in recent years. Systems and services such as fleet-management, asset-tracking, pay-as-you-drive insurance have begun to use GNSS as a primary, and sometimes only, positioning sensor. For many of these applications, in particular where the end users are monitored, billed or penalized based on their location, there is a strong incentive to compromise the GNSS sensor. Unsurprisingly, when such monitoring devices are installed in vehicles, they are typically enclosed in tamper-proof housings, and secured to the vehicle in a tamper-evident manner. However, it is unavoidable that the GNSS antenna, and in most cases, the device power supply, is exposed to the outside world. In some cases, other vehicle bases sensors are also made available to the device via the CAN BUS, including, for example, wheel-tick counters, wheel angle. Because the CAN BUS currently offers no authenticity or security features, inputs delivered are equally vulnerable to spoofing as GNSS. To provide an effective means of spoofing detection, some sensor that can be protected by the tamper-proof enclosure is desirable, an inertial measurement unit (IMU) being a suitable candidate.
Ideally, measurements drawn from the IMU might be compared against GNSS-derives measurements, to provide some consistency check, that could be used to assert whether the GNSS was spoofed or not. One approach might be to project the GNSS measurements onto the same domain as the IMU. To perform this comparison, the initial orientation of the IMU would need to be known, and in practice, considering an imperfect IMU, further information is required. Low-cost inertial sensors typically exhibit high measurement noise, and a high uncertainty in measurement bias. For this reason, when used in GNSS-enabled positioning devices, device calibration is typically performed online, by combining GNSS measurements with those of the IMU. Although effective, for navigation purposes, this interaction negates some of the value of the IMU as an independent sensor. When the measurements gained from the IMU are influenced by the GNSS measurements, consistency checking between the IMU and GNSS measurements no longer represents a comparison of independent sensors.
To overcome this problem, some transformation must be found, under which the IMU measurements can be compared with GNSS measurements, such that the comparison is insensitive to both the initial IMU orientation and the IMU measurement biases. In this work, we examine consistency between GNSS and IMU through the norms of the acceleration vectors and rotation rate vectors. My computing the covariance of these norms a scalar indicator can be computed and compared to a threshold to support spoofing detection. The method is tested using a set of vehicular measurements collected in urban and motorway scenarios using mass-market GNSS receivers and cell-phone grade 6-asix MEMS inertial measurement units. Initial results show promise, indicating that a spoofing detection probability greater than 0.95, with a false-alarm probability below 1e-3 can be achieved with a time-to-alarm of 180 seconds.
- Comparison of low complexity C/No estimators for GNSS signals affected by ionospheric scintillation, José Marçal, University of Lisbon (Portugal), Fernando Sousa, ISEL (Portugal), Fernando Nunes, University of Lisbon (Portugal)
The estimation of the carrier-to-noise intensity is important in GNSS receivers as it is used to determine whether the receiver is operating normally or is in a region where it is prone to lose carrier lock. In receivers that monitor the activity of the ionosphere in environments affected by ionospheric scintillation, the instantaneous C/No estimation estimation is crucial to evaluate the scintillation index S4.
An analysis of low complexity carrier-to-noise ratio estimators in an environment of ionospheric scintillation, as the ones observed near the geomagnetic equator or in the polar regions is performed, using a Kalman Filter to optimaly track the amplitude variations and to smooth the noisy estimates provided by the different methods.
- Using of Collective Detection for GNSS Signals Authentication, Nicolas Bouny, M3 Systems (France), Thierry Robert, CNES (France), Thomas Junique, CNES (France), Frederic Faurie, M3 Systems (France)
In a context of growing development of critical GNSS applications and services, the ability of a GNSS receiver to guarantee the authentication of received signals, and to detect spoofing attempt, will become mandatory for a lot of use cases. The goals of every GNSS authentication algorithms are to ensure that, on the one hand, the received navigation message is the one emitted by each satellite and that, on the other hand, the computed pseudo-ranges are corrects. The contribution of this paper consists of an innovative GNSS signals authentication algorithm based on collective detection method. The collective detection is an acquisition method that allows to more efficiently use multiple GNSS signals in challenging environments. It follows a vectorial approach as strong signals are acquired collaboratively to assist the detection of weaker ones.The objective of the algorithm presented in this paper is to apply the collective approach to detect and identify one or several spoofer added on real GNSS signals. We propose a remote GNSS authentication solution, where the algorithm is implemented on a secure base station called “authentication center” that receives measured pseudoranges from the GNSS rover terminal. The detection is performed by evaluating the degradation and the dispersion of the PVT computed by the collective detection method. Different cases of spoofing have been considered: non coherent superposition, meaconing or corruption of the navigation message. However, all these cases can be simulated by a bias added on the pseudo-range. For every scenario, the algorithm has succeeded in detecting and identifying the spoofed satellite. Therefore, the algorithm have shown promising results. In future work, the detection and false alarm probabilities will be provided to prove the efficiency and the reliability of this method.
- Dual – constellation Vector Tracking Algorithm in lonosphere and Multipath Conditions, Enik Shytermeja, ENAC (France), Olivier Julien, ENAC (France), Axel Garcia-Pena, ENAC (France)
The urban environment presents several challenges to GNSS signal reception that are translated in the positioning domain in a decreased navigation solution accuracy up to the lack of an available position. A promising approach able to cope with the urban environment-induced effects including multipath, NLOS reception and signal outages is Vector Tracking (VT). Contrary to the conventional or scalar tracking (ST), where each visible satellite channel is being tracked individually and independently, in VT all the satellites channels are tracked jointly. The reason is that the tracking process of each satellite channel is driven by the common central navigation filter and is based on the navigation solution calculated by the filter. This paper presents a dual constellation GPS + Galileo single frequency L1/E1 VDFLL architecture for the automotive usage in urban environment. The objective of this work is to assess the performance of the proposed vector tracking architecture, seen as a combination of the vectorized DLL and FLL loops, referred to as VDLL and VFLL, in multipath and under ionosphere reception conditions. From the navigation point of view, VDFLL represents a concrete application of information fusion, since all the tracking channels NCOs are controlled by the common navigation solution filter. One important remaining issue, not entirely addressed in the vector tracking literature, is the mitigation of the ionosphere residual which increases the noise of the pseudo-range and Doppler measurements estimations: the use of single frequency L1 band signals does not allow the entire correction of the ionosphere delay. The originality of this work resides in the implementation of a dual-constellation VDFLL algorithm that is capable of estimating the ionosphere residual error along with its evolution in time. In order to be able to mitigate the ionosphere residual impact, the absolute position, velocity and time state vector is augmented with the ionosphere residual errors affecting the pseudo-range measurements from each tracked channel, as a reason of one extra state per tracked satellite. Each ionosphere residual state is modelled as a first order Gauss-Markov (GM) process, correlated in time and having an exponentially decaying autocorrelation function, as standartized in the civil aviation domain. The tests performed in this work use the motion of a real car trajectory in Toulouse urban area while the signal reception conditions are simulated. The performance analysis will be extended even to the multipath presence. For this purpose, the DLR Land Mobile Multipath Channel modelling (LMMC) will be used. From the conducted simulations, an important result that was observed is that the VDFLL superiority expressed in terms of tracking robustness w.r.t the scalar tracking receiver, which requires the initialization of a re-acquisition procedure after a loss-of-lock condition. Moreover, a certain observability of the ionosphere residual error is achieved from the proposed VDFLL technique due to the PVT-related code and carrier NCO feedback loops.
- Performance Evaluation of Signal Quality Monitoring Techniques for GNSS Multipath Detection, Ali Pirsiavash, University of Calgary (Canada), Gerard Lachapelle, University of Calgary (Canada), Ali Broumandan, University of Calgary (Canada)
This research investigates the performance evaluation of Signal Quality Monitoring (SQM) techniques under a broad range of multipath scenarios. After modelling the received GNSS signals in the output of tracking correlators, monitoring correlators are defined based on their code and Doppler distances from the reference tracking correlators. Different SQM metrics are then defined as the linear and non-linear combination of monitoring correlator outputs. Prior to setting an appropriate detection threshold, the statistical properties of the SQM metrics are investigated and calibrated based on practical observations. Afterwards, SQM metric variation profiles are proposed to evaluate the theoretical performance of each SQM metric defined for multipath detection. An analytical discussion is presented to justify different parts of these variation profiles in terms of graph models and critical points. SQM metrics sensitivity and effectiveness in multipath detection and mitigation are then defined and analyzed based on the proposed SQM variation profiles and the conventional tracking range error envelopes. Two different correlator strategies namely Narrow Correlator (NC) and Double Delta correlator, including the High Resolution Correlator (HRC) and the Strobe Correlator (SC), are considered. The analytical discussion includes BPSK(1) and BOC(1,1) signaling schemes. Based on the extracted SQM results, a weighting algorithm is proposed to de-weight degraded measurements and improve positioning performance. Real data analysis is also provided for static and dynamic test scenarios to validate the analytical discussion under practical multipath environments.
Results show that although SQM is sensitive to medium and long-delay multipath, its effectiveness in mitigating these ranges of multipath errors varies based on tracking strategy and signaling scheme. Under medium and long-delay multipath, when a compounded signal (direct + reflected signals) is processed by either a narrow or wide correlator receiver, the deviations of the SQM metrics from nominal values (SQM sensitivity) coincide with the non-zero tracking range error envelope. This means that the SQM detection output can be exploited effectively for multipath mitigation by de-weighting (or excluding) distorted measurements (SQM effectiveness). For receiver using double Delta correlator strategies (e.g. HRC technique), although SQM is sensitive to medium and long-delay multipath, its detection output will not be effective due to the mitigating effect of double Delta techniques on these range of multipath delays. In this scenario, relying on SQM detection to de-weight measurements may even increase positioning errors due to geometry degradation. For short-delay multipath, the SQM detection output can be used effectively for multipath mitigation when range error envelopes take non-zero values under both narrow and double Delta correlator strategies. In this area, however, due to the low sensitivity of SQM metrics, it is possible that the resulting metric values do not exceed the monitoring thresholds and thus remain undetected in the presence of receiver noise. In all cases, lower signal to multipath ratios (SMR) result in higher SQM sensitivity as expected. For a specific level of SMR, higher carrier-to-noise-density (C/N0) increases SQM sensitivity by reducing the nominal variance of SQM metrics and lowering detection threshold.
- GNSS Authenticity Verification in Covered Spoofing Attack Using Antenna Array, Ali Broumandan, University of Calgary (Canada), James CURRAN, European Space Agency (Netherlands)
Due to rapidly increasing applications of GNSS dependent systems, motivation has increased to spoof these signals for illegal or concealed transportation and to mislead receiver timing used by critical infrastructure. Detection and mitigation of spoofing attacks on GNSS receivers has become an important issue. Spoofing countermeasure methods analyze specific features of the counterfeit signals which may enable a receiver to distinguish them from authentic signals. These methods assume that both authentic and spoofing signals are present and the receiver is initially tracking authentic signals. Hence, in absence of authentic signals, when only counterfeit signals are received, these methods might not work. This may occur, for example, when the covered GNSS antenna is only exposed to counterfeit signals, or an overpower non-overlapped spoofing attack where the receiver is exposed to counterfeit signals during cold start.
An antenna array is another approach to detect and mitigate spoofing attacks. Under the assumption that all counterfeit signals are broadcast from a single spoofing source, this approach takes advantage of the similarity between the angle of arrival (AoA) of counterfeit signals. Algorithms applied to the signals received using an antenna array can classify signals according to their respective AoA and to steer a null in the directions from which the counterfeit signals arrive. At the pre-despreading level, an antenna array can be used to extract the spatial signature of counterfeit signals without acquiring and tracking the counterfeit and authentic signals. It is assumed that the antenna array is not calibrated. More specifically the relative phase and gain of the antenna elements and the orientation of the array are unknown. After tracking all spoofing and authentic signals, the spoofing detection module correlates the array responses (steering vector) of different signals. The counterfeit signals sourced from a single antenna have the same spatial signature, which means that all the signals experience the same channel parameter variation in the spatial domain. This can be used as a metric to detect a spoofing attack. The advantage of the antenna array processing over the single antenna spoofing detection methods is that it can detect spoofing attack in absence of authentic signals (in the covered antenna case) as long as spoofing signals are transmitted from a single antenna.
The contributions of this paper are twofold. Firstly, a covered spoofing scenario is defined to establish a foundation to analyze the sensitivity of different spoofing methods. In this case, the antenna array is covered to block reception of authentic signals where a small antenna connected to a hardware simulator transmits an ensemble of counterfeit signals which are received by the antenna array. Then detection and mitigation performance of the antenna array processing based on the near-filed signal propagation are analyzed. The performance of single antenna spoofing detection metrics including IF sample variance and SQM methods will be also investigated. The spoofing detection performance as a function of the number of antenna elements in an actual environment will be tested. Initial results demonstrate successful spoofing detection.
- Thales TopAlert solution for jammer detection and localisation, Audrey Guilloton, Thales Avionics (France), Daniel Millewood, Thales Avionics (France), Bruno Montagne, Thales Avionics (France)
Today, many applications such as aircraft operations, wireless telecommunications, energy distribution, financial trading, fleet tracking and personal navigation rely on Global Navigation Satellite Systems (GNSS). This technology has the advantage to provide accurate time and position, however it is vulnerable to jamming and spoofing.
Thales Avionics has been involved in several projects, to assess the impact of jammers and to develop counter measures to mitigate the risks. In the [GAMMA] project, GNSS threat scenarios were evaluated against the SESAR ATM Security Risk Assessment Methodology defined in [SECRAM]. This analysis has identified jamming and spoofing scenarios.
GNSS interference, whether intentional or not, has the ability to disrupt GNSS reception over wide areas. It is therefore necessary to provide early warning and protection against such events around critical infrastructures (airports, harbours, etc.). The Thales TopAlert solution presented in this paper is capable of detecting and localising interference sources in the GNSS frequency bands.
Thales TopAlert is based on a network of sensors that are located around the area to be protected and a secured server which elaborates the GNSS alerts. Currently two varieties of sensors may be deployed. A specialised GNSS receiver developed by a partner company is capable of evaluating the local GNSS reception conditions based on spectrum analysis, and signal to noise ratios. The Jambuster sensor is capable of providing a direction of arrival estimate for multiple jammers based on a high resolution direction finding algorithm. Jambuster is developed internally by Thales Avionics.
Thales TopAlert has acquired in-service experience in various environments. The solution based on GPS sensors was tested in the Bordeaux harbour. The Jambuster sensors have been thoroughly evaluated during a test campaign in anechoic chambers and were tested in real condition on the Vidsel test range in northern Sweden in 2015.
The first section of the paper recalls the GNSS threats and defines the scenarios used to simulate these threats.
In the second part, the architecture of the Thales TopAlert solution is described. The tests conducted to evaluate the Jambuster sensors in anechoic chamber and in real conditions will be introduced in this part.
The third section discusses the performance of the Thales TopAlert solution. Jammer detection success rates and localisation accuracy is evaluated according to the scenarios defined in the first section.
- Influence of GNSS spoofing on drone in automatic flight mode, Alexandre Vervisch Picois, Telecom Sud – Paris Institut Mines Telecom (France), Thierry Taillandier Loize, Telecom Sud – Paris Institut Mines Telecom (France), Nel Samama, Telecom Sud – Paris Institut Mines Telecom (France)
Recent years have seen the proliferation in our skies of flying drones otherwise called UAVs (Unmaned Aerial Vehicle). Their current and potential uses are many: from the military uses to leisure activities through business applications like photography, aerial imaging, spotting, pest extermination (like hornets nest), home delivery, etc.This was made possible and facilitated by the miniaturization and the reduction of the power consumption of Microelectromechanical Systems (Mems), but also by the dissemination of techniques making the navigation easier. We refer of course to satellites geolocation techniques such as the well-known Global Positioning System (GPS) and Global Navigation Satellites Systems (GNSS), which is its extension to all existing constellations. The growing interest in UAVs is obvious, however, this brings some questionings: are there any limits to what a drone can do ? One drone operating modes is to fly automatically, that is to say: set in advance a flight plan to be followed by the drone without any intervention of a pilot. Small sized UAVs (from less than 1 kg to 25 kg) are unlikely to embark complementary navigation systems to GNSS. Concretely, this means that, apart from a visual flight (where the drone is directly visible by the pilot), the only means by which the drone knows its position is a GNSS receiver. This is a great strength, since accuracy of GNSS is sufficient to perform a flight under excellent conditions. However, it could also be a great weakness because the dependency to GNSS is thus considerable. This article aims to put the problematic of the drone linked to the vulnerability of the GPS signal and its consequences. Indeed, one of the characteristics of civilian GNSS signals (therefore free to use) is their very low power. A GNSS receiver is therefore easy to decoy by means of a fake GNSS signal that reproduces the aspect of a real signal but contains false positioning information. Under these conditions, the GNSS receiver embarked by the drone calculates a position which is not the real position. Consequently, the trajectory of the drone is distorted. We will see, from a theoretical point of view, what happens when a receiver is submitted to a fake signal and the consequences that this induces to the navigation of the drone. Simulations will support our words and laboratory tests on existing UAV navigation systems will be presented.