Shinan Liu,Xiang Cheng,Hanchao Yang,Yuanchao Shu,Xiaoran Weng,Ping Guo,Kexiong (Curtis) Zeng,Gang Wang,Yaling Yang

2021-01-01

Abstract:The GPS has empowered billions of users and various critical infrastructures with its positioning and time services. However, GPS spoofing attacks also become a growing threat to GPS-dependent systems. Existing detection methods either require expensive hardware modifications to current GPS devices or lack the basic robustness against sophisticated attacks, hurting their adoption and usage in practice. In this paper, we propose a novel GPS spoofing detection framework that works with off-the-shelf GPS chipsets. Our basic idea is to rotate a one-side-blocked GPS receiver to derive the angle-of-arrival (AoAs) of received signals and compare them with the GPS constellation (consists of tens of GPS satellites). We first demonstrate the effectiveness of this idea by implementing a smartphone prototype and evaluating it against a real spoofer in various field experiments (in both open air and urban canyon environments). Our method achieves a high accuracy (95%-100%) in 5 seconds. Then we implement an adaptive attack, assuming the attacker becomes aware of our defense method and actively modulates the spoofing signals accordingly. We study this adaptive attack and propose enhancement methods (using the rotation speed as the "secret key") to fortify the defense. Further experiments are conducted to validate the effectiveness of the enhanced defense.

Zhou Meng,Liu Ying,Xie Lin,Li Hong,Lu Mingquan,Liu Peng

DOI: https://doi.org/10.33012/2017.14956

2017-01-01

Abstract:Global Navigation Satellite System (GNSS) is able to provide real-time, all-weather, continuous, global coverage of high precision positioning and timing services. However, since navigation signals are very weak and the interfaces of GNSS to users are open, GNSS is vulnerability to spoofing attacks. As a spoofing attack, receiver-spoofer can complete attacking without interrupting the tracking loops of a receiver, and it is difficult to be detected. In this paper, the signal model of the receiver-spoofer is built and the process of the receiver-spoofer taking over the Delay Locked Loop (DLL) of the target receiver is carefully studied. It is found that the key of the spoofing is the alignment of the spoofing and authentic signals. If the receiver-spoofer is not able to accurately estimate the position of the target receiver and makes the spoofing and authentic signals align in code phase, it should increase the power of spoofing signal for a possible successful spoofing. In the paper the following situations are analyzed. (1) the carrier phases of spoofing and authentic signals are aligned; (2) the carrier frequencies of spoofing and authentic signals are the same, but the carrier phases of them are different; (3) both the carrier phases and carrier frequencies of them are different. Under the three cases, the lower threshold of the SSR, which is the ratio of the amplitudes of the spoofing and authentic signals, will be changed due to the imprecise alignment of the code phases. The performance curves of the SSR on the three cases are obtained. The mathematical derivation of the lower bound of the SSR in the first case is given, and the numerical solutions for the other two cases are provided as well. Finally, in order to evaluate the analysis above, a serial of experiments are performed in a simulation environment. The simulation results verify the above analysis results.

Chenxi Peng,Hong Li,Mingquan Lu

DOI: https://doi.org/10.33012/2019.16987

2019-01-01

Abstract:GNSS has become an indispensable information infrastructure in our daily life for its function in positioning and timing. But along with its wide application, the security of GNSS is receiving growing concern. Intermediate spoofing, which utilizes the working mechanism of GNSS tracking loop to covertly take over target receiver, poses the most serious near-term threat to GNSS receiver. In order to find corresponding defensive measures, it is essential to understand how GNSS tracking loop reacts to intermediate spoofing. In this paper, simulation framework that mimics actual attack scenario is developed. Through examination of simulation attack, the basic principle behind intermediate spoofing is reviewed. On the basis of above analysis, vulnerability of tracking loops with different loop parameters, such as loop bandwidth and phase discriminator to intermediate spoofing, is evaluated. Furthermore, innovative tracking loop which takes advantage of the redundancy of tracking are evaluated against intermediate spoofing.

Li He,Hong Li,Mingquan Lu

DOI: https://doi.org/10.1007/978-981-10-4588-2_76

2017-01-01

Abstract:Spoofing attack is growing into a great potential menace to future GNSS systems and related applications, featured by its stealth. Spoofing signal can deceive victim receivers by changing ranging observables covertly, leading to wrong positioning or timing solutions. It is reasonable to keep the power of spoofing signal similar to the power of authentic signal, in addition to its signal structure and navigational data. Therefore, there still are chances to track authentic signal along with received signal. Changing transmit time observables is essential to a successful spoofing attack. Based on this fact, we propose an acquisition and tracking framework in which transmit time plays a core role. This framework combines several algorithms, namely multi-peak acquisition algorithm, multiple tracking algorithm and repetitive signal cancelation regime. A receiver, equipped with the proposed framework, can continuously acquire all existing signals and then tracks them, regardless of their authenticity. Moreover, experiments on GPS simulator attack and meaconing spoofing signal are shown.

Xie Xiaogang,Lu Mingquan,Zeng Dazhi

DOI: https://doi.org/10.1049/cp.2015.0999

2015-01-01

Abstract:Through the analysis of satellite navigation spoofing jamming signal, a GNSS generating spoofing jamming simulation system is constructed based on the GNSS generating spoofing jamming model. According to the receiver trajectory detected, the system can simulate the high precision and real-time GNSS spoofing jamming signals by receiving and analyzing the data information of the real navigation signal. The key algorithm and approach are put forward through analysis. Meanwhile, the key technology of GNSS generating spoofing jamming simulation system is designed and its implementation was presented. The spoofing jamming signal generated by the simulation system has a high fidelity and is not easy to be detected. It can provide effective means for jamming and guiding the receiver.

Meng Zhou,Hong Li,Mingquan Lu

DOI: https://doi.org/10.1186/s13638-018-1048-y

2018-01-01

EURASIP Journal on Wireless Communications and Networking

Abstract:A receiver-spoofer is one of the most covert global navigation satellite system (GNSS) spoofing attacks and can only be effectively detected by the combination of multiple anti-spoofing technologies. In this paper, an analysis of influencing parameters for receiver-spoofers indicates that the ratio of the spoofing signal amplitude versus the authentic signal amplitude (spoofing-signal ratio) is a key parameter for spoofing results. For a spoofer to ensure covertness, the goal is to maintain a low spoofing-signal ratio. The carrier phase difference and code phase difference between authentic signals and spoofing signals resulted in errors in the position estimation of the target receiver increase the lower limit of the spoofing-signal ratio required for successful spoofing. A spoofing signal alters the phase of local replicate code based on the original balance of a receiver phase discriminator to seize control. Based on this principle, the lower limit of the spoofing-signal ratio that corresponds to various phase discriminator spacings, carrier phase differences, and code phase differences is deduced in this paper. Two tests are designed for the simulation source and authentic navigation signals to verify the deduced formula. The lower limit of the spoofing-signal ratio obtained from these tests matches the calculated results, which proves the validity and effectiveness of the derived algorithm.

Meng Zhou,Hong Li,Mingquan Lu

DOI: https://doi.org/10.1007/978-3-642-37398-5_58

2013-01-01

Abstract:As various application of navigation technology penetrating people's life and national security, spoofing and anti-spoofing techniques have become hot research topics. Since more and more complicated spoofers have emerged, from repeater to creator, then to receiver-spoofer, the research of anti-spoofing is very urgent. Moreover, research and assessment on spoofing are prerequisite and foundation for anti-spoofing research. Considering various aspects of spoofing technology, including spoofing efficiency, blanket factor, influence area, destructiveness, and the risk of being determined, this paper explores the factors needed in comprehensive evaluation of GNSS spoofing technology. Through modeling the spoofing signals, this paper builds up an evaluation computing model for various metrics. And it analyzes the evaluation results of common spoofing technologies by utilizing various models. This paper also builds up a reference score model for these various metrics through expert scoring method. Finally, the paper also introduces the plan for future research work.

Ziheng Zhou,Hong Li,Zhiyuan Chen,Minghan Zhong,Mingquan Lu

DOI: https://doi.org/10.33012/2022.18251

2022-01-01

Abstract:Aiming at fabricating a false positioning solution towards the victim user, spoofing attacks are nowadays challenging the security of Global Navigation Satellite Systems (GNSS). Due to the relative motion between the spoofer and victim user, the potential inconsistency involved in the measurement of Doppler shift could be an efficient basis to reveal the attacks. Although several researches on anti-spoofing techniques via measured Doppler have been developed, weaknesses in terms of implementation complexity and strict assumptions such as single-antenna spoofing still remain. To this end, Doppler Residual Monitoring (DRM) is proposed and investigated in this paper as a novel anti-spoofing scheme. Firstly, caused by the presence of the spoofing attacks, abnormal bias within the measured Doppler shifts is demonstrated based on the modeling of GNSS spoofing. Due to the difficulty in directly observing the Doppler bias concealed in the counterfeit signal, Doppler positioning technique is exploited to reveal this part of the variation in an indirect way. In particular, Doppler residual provided by Doppler positioning equations is proposed and the relationship between Doppler bias and Doppler residual is illustrated. More specifically, Sum of Squares of Errors (SSE), which denotes the sum of squares of Doppler residual, is utilized as the test statistics for spoofing detection. To further distinguish all the counterfeit signals, a random traversal technique is investigated in this paper. Moreover, Doppler Shift Difference (DSD) is proposed to match the spoofing signals with its transmitting antenna based on the discrimination results, which could be an essential basis for the anti-spoofing techniques towards multi-antenna spoofing scenario. Also provided is the analysis of the theoretical performance along with the simulation results. Finally, the validity of our method is demonstrated through field tests with two spoofing scenarios, where the spoofing attacks are respectively achieved by one antenna and two antennas. Without external facilities assistance, our DRM-based scheme could be a significant complement to the GNSS anti-spoofing techniques as a novel spoofing discrimination method.

Jian Wen,Hong Li,Fei Wang,Weiyu Gao,Jianfeng Li,Mingquan Lu

DOI: https://doi.org/10.33012/2018.15588

2018-01-01

Abstract:Global Navigation Satellite System (GNSS) suffers from the threat of spoofing attacks. To protect low-cost commercial off the shelf (COTS) receivers when spoofing attack occurs, an effective countermeasure is to locate the spoofer and somehow deactivate the spoofer. To this end, in this paper, a prototype system for spoofer localization is developed, in which the time of arrival (TOA) based localization technique is used. The system consists of four stand-alone GNSS receivers, which are connected via wireless communication modules for data collection. In order to demonstrate the feasibility of this system, a spoofing attack is considered where the spoofing signal can be detected and identified by receiver autonomous integrity monitoring (RAIM). Then, the spoofer is located by measuring the TOAs of the spoofing signal upon arriving at the four receivers. A series of field tests are carried out and demonstrate the feasibility of the system. Moreover, the factors that influence the performance of the system are also analyzed and validated by the field tests.

Minghan Zhong,Xiaoming Zhang,Weiyu Gao,Mingquan Lu,Hong Li

DOI: https://doi.org/10.33012/2022.18454

2022-01-01

Abstract:Spoofing attacks on the Global Navigation Satellite System (GNSS) have attracted great attention in recent years due to their severe harm to position, velocity, and timing (PVT) service users. Conventional spoofing techniques focus on disabling the victim by directly broadcasting fake GNSS signals and thus could cause obvious alarms. Meanwhile, covert spoofing techniques require precise information or physical access of the victim to carry out spoofing attacks without triggering alarms, but these conditions are not satisfied in numerous real-world scenarios, especially in remote and temporary cases. In this paper, we design a spoofer framework that is suitable for committing remote GNSS spoofing attacks temporarily and covertly. We describe in detail the control strategy to adjust the key parameters of the spoofing signals including the code phase, Doppler frequency shift, signal strength, and navigation message data bit. The observation module that consists of a light detection and ranging (LiDAR) unit and an attitude and heading reference system (AHRS) unit is utilized to provide supplementary information to ensure the validation of the spoofing attacks. A brief error analysis is provided to represent the performance of the proposed spoofer framework. Finally, we develop a prototype based on the spoofer framework and carry out actual spoofing experiments toward a widely used commercial GNSS receiver. The results show that such temporary and covert spoofing attacks are indeed a practical threat.

Yang Gao,Hong Li,Mingquan Lu,Zhenming Feng

DOI: https://doi.org/10.1109/tst.2013.6678905

2013-01-01

Abstract:Intermediate spoofing can impact most off-the-shelf Global Navigation Satellite Systems (GNSS) receivers, therefore low cost detection of such spoofing is very important to protect the reliability of the GNSS receivers used in critical safety and financial applications. This paper presents two strategies to analyze attacks by intermediate spoofing attackers to identify the weaknesses of such attacks. The analyses lead to a code and carrier phase consistency detection method with simulation results showing that this method can indicate the receiver when spoofing has occurred. The method can be used by most receivers, is inexpensive, and requires only a small software upgrade.

Xinran Zhang,Hong Li,Li He,Mingquan Lu,Chun Yang

DOI: https://doi.org/10.1007/978-981-13-0029-5_35

2018-01-01

Abstract:Anti-spoofing technology is currently a hot spot in the field of navigation. In comparison with the traditional GNSS receiver, vector receiver takes the advantage of the coupling of satellite signals in a combining way regarding the state of receiver. Limited to attack conditions and implementation complexity, spoofing signals are generally not coupled with authentic satellite signals. This means that vector receiver is likely to have anti-spoofing capability. To validate this conception, we develop a real-time GNSS vector receiver on FPGA platform and test its response to spoofing signals. The experimental results show that the vector receiver is insensitive to the spoofing attacks when the number of satellites is four. While if the number is five, some loops of the vector receiver will lose lock on the condition that spoofing signals delays are greater than 2 similar to 15 mu s. It demonstrates preliminarily that the vector receiver can detect spoofing attack to a certain extent. Moreover, we also investigate the influence of satellite geometrical distribution, spoofing signal delay and other factors on the anti-spoofing capability of vector receiver.

Yichen Yang,Hong Li,Mingquan Lu

DOI: https://doi.org/10.33012/2016.13417

2016-01-01

Abstract:GNSS signals are vulnerable to jamming and spoofing attacks. Compared with jamming, spoofing may mislead a GNSS receiver to a preplanned wrong positioning and time result without noticing, which would result in dangerous consequences and serious losses.In the paper, a GNSS replay spoofing detection method based on multi-user cooperation is proposed. The effects of replay delays on receivers caused by replay spoofers are discussed at first. The analyses show that the receivers' position differences between the cheated positions and the correct ones are proportional to the replay delays. In fact, the spoofing delays added in spoofers and the relative positions between satellites, spoofers and receivers are various, which make each receiver suffers different replay delay. So replay spoofing for different receivers will have different deception effects generally, and the distances between receivers will change unusually. By comparing the distances of position results and the real ones known in advance with multi-user collaborative approaches, contradictions can be detected and warnings of spoofing attack would be raised. The performance of the proposed method is analyzed and evaluated, which demonstrates the validity of the method.

Jianfeng Li,Hong Li,Fei Wang,Hang Ruan,ZhongXiao Wang,Mingquan Lu

DOI: https://doi.org/10.33012/2018.15587

2018-01-01

Abstract:Global Navigation Satellite System (GNSS) is widely applied to our daily life with its stable service. The GNSS control segment routinely generates navigation message based on a prediction model and the measurements from global monitor stations. Navigation message includes each satellite's clock correction, ephemeris, and almanac which are stable and change by certain rules. The paper analyzes these parameters of Global Positioning System (GPS) and BeiDou System (BDS). Based on different changing rules of parameters, the paper divides all parameters into four categories and briefly discusses their applications in anomaly detection and anti-spoofing. Further, the computed satellite position deviations by ephemerides and almanacs of different time are researched and relevant mathematical model is established. Also, the computed clock deviations are discussed. With the increasing use of GNSS, its vulnerability has caused much concern. In general, there are many spoofing methods. In order to deceive a victim receiver to a predetermined position or time, some spoofers may change navigation message. The above analysis results can be applied to check such spoofing attacks. So two threshold models are established and their advantages and disadvantages are discussed. Combining two threshold models, the paper proposes a method to effectively utilize navigation message for anti-spoofing. Finally, the method is implemented on GPS/BDS receivers and the relevant experimental results show that it is feasible and effective in different deception scenarios where navigation message is tampered.

jian wang,meng zhou,hong li,xiaowei cui,mingquan lu

DOI: https://doi.org/10.1007/978-3-642-54737-9_47

2014-01-01

Abstract:Intermediate spoofing can control the target receiver successfully without interrupting tracking loop, so it is strongly secret, while it needs to know the accurate antenna position and channel condition of victim. In practical condition, position of victim is often fuzzy, which will influence the performance of spoofing. For a successful spoofing in actual scene with a lower detected probability, it is necessary to research the requirements of GNSS Intermediate spoofing. In this paper, according to the principle of intermediate spoofing, we establish the signal model of intermediate spoofing, and then we analyze the related influence factors based on a fix successful probability, including signals' interval, carrier-frequency difference, carrier-phase difference and code rate difference between authentic signal and spoofing signal. Monte Carlo simulations present the relationship between spoofing-to-noise ratio (SSR) and factors, which verify the reasonable of models and theoretical analysis. Thus, minimum SSR for successful spoofing is obtained in the case of fuzzy position of victim, which reduces the risk of being detected. Finally, requirements of successful intermediate spoofing are summarized. The research is based on actual scene, which extends the application range of intermediate spoofing, so it has a guiding significance for designing of GNSS spoofer.

Fengkui Chu,Hong Li,Mingquan Lu

DOI: https://doi.org/10.33012/2017.15107

2017-01-01

Abstract:Global Navigation Satellite System (GNSS) based positioning, navigation, and time synchronization services have a profound influence on human society. However, the fundamental system is vulnerable due to the low power and the public structure of GNSS signals. The traditional menace for GNSS is jamming which disables the positioning function of receivers. Unlike jamming, spoofing attacks could deviate a victim receiver's reported position away from the authentic one. It is more precarious since the victim is unware of this threat. To detect such spoofing, a consistency check approach of measured and calculated carrier Dopplers is proposed. The measured Dopplers are extracted from carrier tracking loops; the calculated Dopplers are formulated by motion information of the receiver and satellites. The feasibility of the proposed method lies in the fact that the calculated Dopplers would be abnormal compared with the measured Dopplers when a position fix is spoofed away from the authentic one. To put the proposed method into practice and illustrate its performance, a generalized likelihood ratio test (GLRT) based statistical detection model is established in this paper. The simulation results demonstrate the theoretical performance. Moreover, the effectiveness of the developed detection method is validated by a replay spoofing test on a GNSS software-defined receiver. Besides, the spoofing detection performance is improved by a smoothing technique.

Wentao Bai,Hong Li,Yichen Yang,Mingquan Lu

DOI: https://doi.org/10.33012/2016.13456

2016-01-01

Abstract:The GNSS repeater spoofing scenarios can be classified into two categories, namely all-channel and part-channel attacks. Due to the different navigation environments of the repeater and the victim receiver, it is quite difficult to guarantee that all the authentic signals would be copied by the repeater. Therefore part-channel repeater spoofing is ordinary for most repeater spoofing scenarios.Under part-channel repeater spoofing, we find that the positioning result of the victim receiver not only takes a sudden jump but also appears an approximately linear variation for a period. Based on the properties, a motion state monitoring based detection method is proposed in the paper. The method is more intuitionistic and easier to be implemented than many other detection methods for detecting the part-channel repeater spoofing attack. The proposed method keeps an eye on the change of the motion state depicted by the PVT result of the receiver, comparing the actual motion state of the target receiver with the one depicted by the positioning result. If they are inconsistent, it means there may be a repeater spoofing attack. The method is suitable for many situations, such as for the cellphone towers of 3G, 4G, and future 5G, handheld equipment and other users which roughly know some prior information of themselves. To investigate the performance of the method, many simulations and experiments of GPS signals are conducted. In the simulations, the signals are generated by a GPS signal simulator and a part of them are delayed. In the livesignal experiment, the real GPS signals from the spoofing receiving antenna are delayed by a repeater spoofer and transmitted to the antenna of the receiver. All the signals are processed by a software defined receiver. The results demonstrate the validity of proposed method.

Zhongxiao Wang,Hong Li,Jian Wen,Mingquan Lu

DOI: https://doi.org/10.33012/2021.17825

2021-01-01

Abstract:Spoofing attacks are severe threat to Global navigation satellite system (GNSS). Using the propagation characteristic of spoofing signals, a lot of methods have been put forward to detect and discriminate spoofing. In this paper, we propose a double difference method using Doppler shift measurements of independent receivers, which does not require time synchronization and can be easily integrated on commercial off-the-shelf (COTS) receivers. We derive the theoretical model of Doppler frequency double difference (DFDD) in detail, and analyse the detection performance. Numerical simulations and field experiments are conducted to verify the feasibility of the proposed method.

Junzhi Li,Xiangwei Zhu,Mingjun Ouyang,Dan Shen,Zhengkun Chen,Zhiqiang Dai,ZHiqiang Dai

DOI: https://doi.org/10.1088/1361-6501/ac672a

IF: 2.398

2022-04-13

Measurement Science and Technology

Abstract:Abstract Global Navigation Satellite System (GNSS) spoofing interference poses a great threat to the security of end users. Based on the same propagation path characteristics of the spoofing signals transmitted by a single antenna spoofing device, this paper proposes a method against single antenna spoofing jamming utilizing the Fréchet distance of Doppler frequency difference. When the receiver moves, the Doppler data in a window are fitted via the leastsquares method, and the Fréchet distance between the two satellite signals is calculated to obtain the similarity evaluation value between them. The detection of spoofing signal is carried out based on the evaluation value. We use real data to verify the detection performance of the method, and the experimental results show that the method can effectively distinguish the spoofing signal from the authentic signal. In addition, the method has low computational complexity and requires less additional information, which makes it possible to apply it in the anti-spoofing module of a GNSS receiver.

engineering, multidisciplinary,instruments & instrumentation

Jian Wang,Hong Li,Xiaowei Cui,Mingquan Lu

DOI: https://doi.org/10.1109/mec.2013.6885528

2013-01-01

Abstract:Spoofing is a huge threat to navigation system. Anti-spoofing in acquisition can firstly find spoofing signal. In this paper, a new method is proposed to alarm receiver whether there is a spoofing signal: in acquisition stage, if receiver finds two correlation peaks above a threshold for two times continuously, it indicates a spoofing signal; while if one peak, only if the rough signal-to-noise ratio is lower than a power threshold and the width of correlation function is lower than a width threshold, it has no spoofing signal. The theoretical calculation methods of thresholds above are all presented there. Also, the influence factors and performance analysis is presented. Results show that we give a quantitative power threshold; and by introducing the width of correlation function, it can deal with the condition that the authentic and spoofing signals are overlap, while methods existed can't. Our work is significant for designing anti-spoofing receiver.