Technical Article • September/October 2017
Consumer Mass Market Accelerometers for GNSS Anti-Spoofing

This article presents a novel GNSS spoofing detection method based on direct comparison of acceleration using commercial inertial sensors. The developed concept allows the two sensors to be compared without coupling GNSS with an inertial measurement unit (IMU). The design provides a robust, steady-state spoof detection capability that can be developed as an add-on to existing receivers. Collected flight test data is used to show that executive monitors (EMs) successfully yielded spoof detection capabilities as well as the ability to limit false alerts. While many more flights will be needed to validate performance results, fast detection (<10 seconds) is achieved under high-amplitude, high-frequency accelerations.
Spoofing of Global Navigation Satellite System (GNSS) signals can have deleterious effects on society given the widespread use of, and dependence of critical infrastructure on, GNSS. However, few commercial receivers have significant anti-spoofing (A/S) mechanisms. Even simple interference events such as jamming and meaconing have resulted in erroneous position outputs from shipboard and airborne receivers (see W. Dunkel et alia; S. Pullen and G. Gao; A. Grant et alia; and A. J. Van Dierendonck in Additional Resources). Spoofing tests have shown that deliberate GNSS spoofing could have significant impact on the GNSS receiver and hence on GNSS-dependent systems (J. S. Warner and R. G. Johnson; D. P. Shepard et alia). While the extent of the impact is still debated, it is clear that a spoofing event would significantly harm some users. So the debate over the utility of A/S comes down to the likelihood of spoofing events.

It is clear that GNSS spoofing, outside a laboratory or military setting, has occurred. Recently, GNSS spoofing was observed outside the Kremlin (C. Sebastian) and in the Black Sea (see Goward, Additional Resources). Furthermore, the popularity of location-based games such as Pokémon Go has induced hackers to build and use GNSS spoofers (I. Birnbaum). While the spoofer in Birnbaum uses an expensive GNSS signal generator, other professional security groups have put together GNSS spoofers using low-cost software defined radios (SDRs), open-source software, and some basic GNSS know-how (see L. Huang and Q. Yang). GNSS spoofing capabilities are no longer solely the realm of navigation experts. As time goes by, spoofing capabilities will improve and costs will only decrease.

There are many motivations to spoof. Ordinary citizens may spoof to aid their gaming, to protect their privacy, or to subvert location-based charges (e.g., road tolling) or restrictions.
A quick search on the Google Play store shows multiple pages of “Fake GPS” applications. The first application, “Fake GPS Location Spoofer Free,” alone has more than 60,000 reviews as of May 2017. This indicates that many people took the time not only to download and use the app but also to comment on its benefits! There is substantial and growing public interest in spoofing location. Coupling these two factors (the availability of GNSS spoofing equipment and know-how, and public interest in spoofing) means we should expect more spoofing incidents in the future. And while critical infrastructure may not be the target for most spoofers, it may fall victim as collateral damage.

We developed and examined a GNSS spoofing detection method based on direct comparison of acceleration using commercial inertial sensors. The concept allows the two sensors to be compared without coupling GNSS with an inertial measurement unit (IMU), providing a robust, steady-state spoof detection capability that can be developed as an add-on to existing receivers. This article focuses on our preliminary development and demonstration of the concept for aviation.
Background: Prior Art & Developed Technique

While there are many A/S techniques, there is no panacea for spoofing: no single technique ideally satisfies all needs. There will likely need to be different solutions for different users, applications, and requirements. As each technique is likely effective against only a subset of threats, the overall solution may employ several complementary techniques to cover all desired threats. Regardless, the techniques employed should have certain characteristics. First, they need to be robust, meaning that they catch the threats they were designed for while having very low false alert rates. Second, they need to be reasonable to implement: they should not significantly change existing receiver designs or add to their cost. A/S needs to be effective but also transparent to the user. It cannot inconvenience users through false alerts or additional, costly complexity. This motivates our investigation of simple inertial-based techniques.

Use of inertial sensors to complement and cross-check GNSS is not new. Traditional aviation GNSS/inertial cross-checking algorithms for fault detection have previously been adapted to spoof detection (Y. Liu et alia). Tanil et alia investigated the use of inertial sensors with Kalman filtering to perform spoofing detection in the position domain. These techniques, which require comparisons in the pseudorange or position domain, essentially require GNSS to regularly calibrate IMU results. The deep intertwining of GNSS information needed to transform IMU results to the position domain limits the trustworthiness of the comparison over time. A spoofer may induce a small GNSS error that causes a bias error in the calibration of the acceleration, which can then be slowly exploited.
Hence, these spoofing detection methods are considered transient detectors, as they have only a limited detection window in which the IMU-derived positions can be considered uncontaminated by GNSS spoof-induced errors.
Developed Technique

Any spoofing attack without a good estimate of the vehicle acceleration should be detectable. Even a spoofer that can measure the acceleration remotely, or relay a measurement of acceleration from an onboard device, may be detectable. This is because the spoofer will incur errors and delays that may be detected provided there are high-frequency dynamics. However, there are threats the technique cannot catch. An attacker with accurate and near real-time knowledge of acceleration can slowly drift the measured position from truth as long as it keeps the acceleration error within the allowable detection tolerance. Physical security or complementary detection techniques may handle these threats.

To be effective, the technique requires a high-frequency component of acceleration and predictable attitude. The former represents, in cryptographic terms, a one-time pad that a spoofer cannot guess a priori. In flight, there can be many sources of unpredictable acceleration: wind, pilot input to thrust, lowering of the landing gear, etc. Others have considered these items for their ability to provide motion that is difficult for a spoofer to predict (C. Tanil et alia (2015a, 2015b)). Because GNSS alone is used to derive attitude, stable or predictable attitude is desired. Single-antenna GNSS measurements cannot estimate some attitude parameters, such as roll angle, without additional information. Without a reasonable sense of the true attitude, the reference frames of the IMU and GNSS may not be well aligned, and a comparison between IMU and GNSS accelerations cannot be made. While the requirement seems demanding, commercial flights desire stable attitude, especially on approach. This makes sense, as the aircraft should be reasonably steady for landing: it should not have much roll, and the pitch angle should be small as the aircraft tries to maintain a small, constant glide slope (approximately three degrees).
Another time when aircraft attitude is reasonably stable is during cruise, i.e., the majority of any flight. Having established a generally stable attitude over the course of a given flight, we now focus on final approach, as it is the most critical phase of flight. Two key questions are critical to the utility of the methodology. First, are there adequate motions available for spoof detection using a low-cost INS? The motion must be semi-random and significant relative to the capability of the sensors and their errors; it must rise above the errors and biases induced by our methodology. This will be examined using flight test data. The second question is whether we can develop a robust, steady-state test metric for spoof detection given that information.
Data Collection & Testing
Data collection equipment
Flight Test
Comparison of Flight Acceleration Data

Equation (1) (see inset photo, above right)

Figure 3 shows the comparison of the accelerometer and GNSS PPP-derived acceleration on each axis, adjusting for heading only. The comparison is conducted with GNSS and IMU acceleration data that has undergone five seconds of exponential averaging. There are periods where the accelerations are well matched and other periods where they are not. Generally, they match well during level flight and final approach. They do not match well during the turn section or in climb. This is not surprising, as these are periods where the small pitch and roll assumptions are not valid. Estimating and accounting for pitch and roll angles results in better alignment and agreement between the accelerations on all axes. Figure 4 shows the acceleration applying roll estimates. Since most turns were reasonably coordinated, the roll estimates are good and their application results in good alignment.
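The five-second exponential averaging applied above can be sketched as a simple first-order filter. This is a minimal illustration, not the authors' implementation; the article only states "five seconds of exponential averaging," so the particular smoothing-weight formula below is an assumption.

```python
import numpy as np

def exp_average(x, dt, tau=5.0):
    """First-order exponential average of series x sampled every dt
    seconds, with time constant tau in seconds (assumed form; the
    article only specifies a five-second exponential average)."""
    alpha = dt / (tau + dt)              # per-sample smoothing weight
    y = np.empty(len(x), dtype=float)
    y[0] = x[0]
    for k in range(1, len(x)):
        y[k] = alpha * x[k] + (1.0 - alpha) * y[k - 1]
    return y
```

Applied to both the IMU and GNSS acceleration series, such a filter suppresses high-frequency sensor noise before the two are differenced.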
Comparison of Acceleration Data

Figure 7 shows the normalized autocorrelation of the IMU acceleration for the first two approaches, again with five-second exponential averaging. The figure shows the (1/e) decorrelation times, which range from 2.5 to 3.2 seconds for the approaches. Figure 8 shows the cross-correlation of the second approach with the first and third approaches, normalized by the maximum autocorrelation of the second approach. The maximum normalized cross-correlation value over all approaches is about 0.55. The results indicate a fast decorrelation period and no significant cross-correlation between approaches. These results affirmatively answer the first question: aircraft acceleration measured by a low-cost accelerometer can provide a meaningful comparison with GNSS.

We measured the noise on the accelerometer and GNSS acceleration using static measurements of vertical acceleration. Without averaging, the accelerometer showed a mean (μ) and standard deviation (σ) of 0.03 and 0.027 m/s^{2}, respectively, and the PPP GNSS acceleration was zero mean with a standard deviation of 1.198 m/s^{2}. These statistics are used as the basis of our model bounding variance for the statistical spoof detection tests. With five-second exponential averaging, the z-axis accelerometer has a mean of –0.03 m/s^{2} and a standard deviation of 0.003 m/s^{2}. Similarly, PPP up acceleration was zero mean with a 0.028 m/s^{2} standard deviation.
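The (1/e) decorrelation time reported in Figure 7 can be estimated from an acceleration series as sketched below. This is an illustrative reconstruction, not the authors' code; the function name and implementation details are ours.

```python
import numpy as np

def decorrelation_time(a, dt):
    """Return the first lag (in seconds) at which the normalized
    autocorrelation of the zero-mean series drops below 1/e."""
    a = np.asarray(a, dtype=float)
    a = a - a.mean()
    acf = np.correlate(a, a, mode="full")[len(a) - 1:]  # lags >= 0
    acf = acf / acf[0]                                  # normalize to 1 at lag 0
    below = np.nonzero(acf < 1.0 / np.e)[0]
    return below[0] * dt if below.size else np.inf
```

A short decorrelation time, as observed in the flight data, means successive averaged samples quickly become independent, which is what makes the acceleration hard for a spoofer to anticipate.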
Analysis of Detection and False Alerts

Two test statistics are examined, and standard hypothesis tests are used to develop monitors based on each test statistic. The first statistic uses the difference in acceleration as measured by GNSS and the accelerometer: a spoofed GNSS should experience different accelerations than those measured by the accelerometer. The second statistic examines the standard deviation of the acceleration difference (σ_{Δa}). The σ_{Δa} should be larger than the nominal value when the accelerations from the two sensors are not well matched. The second test is less sensitive to a relatively constant bias, such as those resulting from axis misalignment.

The first test statistic, z (mean difference), is shown in Equation (2). It examines the mean difference of acceleration (ȳ) normalized by the model standard deviation, σ. It also accounts for the effect of the maximum nominal bias b. The max function is used to incorporate the bias since its sign is not known. The statistic should be bounded by a standard normal distribution provided the model standard deviation and bias are representative. Hence, our threshold test is to flag if z > z_{thres}. For a 10^{-9} probability of false alert (P_{fa}), z_{thres} is 6.1. The second test statistic, χ^{2}, is shown in Equation (3), with n being the number of samples examined, and s^{2} and σ^{2} being the sample and model variances, respectively. For the initial analysis, n = 8 samples are used to generate the sample variance. The statistic is (central) χ^{2} distributed with (n-1) degrees of freedom (dof). Similarly, our threshold test is to flag when χ^{2} > χ^{2}_{thres}, with χ^{2}_{thres} being 55.87 for P_{fa} = 10^{-9} and dof equal to 7 (since n = 8).

Both statistical tests depend on the model standard deviation, σ, of the acceleration difference. As such, incorrect modeling affects the monitor performance. If σ is too large, then there will be a larger missed detection rate than modeled.
Given the steady-state nature of the developed spoof detector, this may be acceptable, as there are many chances to catch the spoofer. If σ is too small, the false alert rate will be higher than expected. This is the worse outcome of the two, as it may lead users to distrust the system. So it is better to err on the side of a σ that is slightly too large. For our testing, the exponentially averaged values are used for the test statistics. The model standard deviation, σ, used is 0.06 m/s^{2}, which is twice the root sum square (rss) of the standard deviations of the accelerometer and GNSS acceleration found in the static tests. As the exponential average is used, the static exponential-average standard deviations are used. This is shown in Equation (4). A test bias, b, of 0.03 m/s^{2} and n = 8 samples are used.

Equations (2), (3) & (4) (see inset photo, above right)

The statistical tests provide the basic building blocks for the spoof detection monitor. There are several considerations that the monitor must address. One important consideration is minimizing false alerts. Each test may flag in non-spoofing situations if our assumptions are not well met. For example, unmodeled attitude can cause large differences between the z-axis accelerometer and up GNSS acceleration. Another consideration is that the tests will not flag during every instant of spoofing. For example, the first test will not flag if the spoofed acceleration happens to be within the allowable error tolerance of the true acceleration. This can happen purely by chance, or if the acceleration does not vary much and so is easy to anticipate. The monitor should be designed to be robust to these issues. A moving observation window is used primarily to reduce false alerts. Initially a five-second window is chosen, since this is larger than the decorrelation time. Within the window, each test must flag a specified number of times before the monitor issues an alert.
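Equations (2)-(4) appear only as an inset image in the original article, so the sketch below is our reading of them from the surrounding text, not the authors' exact formulation: a mean-difference statistic debiased by b and normalized by σ, the standard (n-1)s²/σ² chi-square statistic, and a model σ of twice the root sum square of the static standard deviations.

```python
import math

Z_THRES = 6.1        # article value for P_fa = 1e-9 (standard normal)
CHI2_THRES = 55.87   # article value, 7 dof (n = 8), P_fa = 1e-9

def model_sigma(sigma_imu, sigma_gnss):
    # Eq. (4) as we read it: twice the root sum square of the static
    # (exponentially averaged) accelerometer and GNSS standard deviations.
    return 2.0 * math.sqrt(sigma_imu**2 + sigma_gnss**2)

def mean_diff_stat(delta_a, sigma, b=0.03):
    # Eq. (2) as we read it: mean acceleration difference, debiased by
    # the maximum nominal bias b (sign unknown, hence the max with
    # zero) and normalized by the model sigma.
    ybar = sum(delta_a) / len(delta_a)
    return max(abs(ybar) - b, 0.0) / sigma

def chi2_stat(delta_a, sigma):
    # Eq. (3): (n - 1) * s^2 / sigma^2, chi-square with n - 1 dof.
    n = len(delta_a)
    ybar = sum(delta_a) / n
    s2 = sum((d - ybar) ** 2 for d in delta_a) / (n - 1)
    return (n - 1) * s2 / sigma**2
```

With the static exponential-average values from the flight test (0.003 and 0.028 m/s^{2}), `model_sigma` gives about 0.056 m/s^{2}, consistent with the 0.06 m/s^{2} used in the article.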
The thresholds may differ for different tests and conditions. Figure 9 shows a general architecture for the spoof detection. Two overall detection monitors based on these tests are implemented. The simple executive monitor (EM) indicates spoofing if both detectors indicate spoofing by having their moving sums, Σ_{1} and Σ_{2}, respectively, each exceed a threshold value, Σ_{thres}. A more nuanced EM leverages the strengths of each test and may alert on any of several different conditions. We developed a multi-condition EM that alerts if the simple EM conditions are met, or if the χ^{2} test alone triggered at a higher threshold, Σ_{thres,2}. This allows us to leverage the power of the χ^{2} monitor to detect spoofing even when the mean difference test is oblivious to it: the mean difference test will not flag for acceleration differences that vary by a small shift in time, whereas the χ^{2} test can flag changes in variation. These example executive monitors are shown in Figure 10.

To test the spoof detection monitor, both no-spoofing (nominal) and simulated spoofing cases are examined. The nominal case tests the probability of false alert. Testing the nominal case is straightforward and is done with the collected data without modification. To test the spoof detection, we do not need to simulate the spoofing signal; we only need to model the effect of the spoofer on the statistical tests, that is, the acceleration resulting from the spoofing signal. The ability to defeat the monitor is determined by the acceleration that the spoofer can predict. An unsophisticated spoofer may have no knowledge of acceleration, in which case its best guess is to assume zero acceleration in the vertical. A sophisticated, worst-case spoofer would accurately know the true GNSS acceleration with a small delay and could generate a spoofed GNSS signal exhibiting any acceleration profile.
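The executive-monitor logic described above (Figure 10) might be sketched as follows. This is an illustrative reconstruction using the window and thresholds given later in the article (a 50-sample window, Σ_{thres} of 3 flags, Σ_{thres,2} of 6 flags); the class and method names are ours.

```python
from collections import deque

class MultiConditionEM:
    """Moving-window executive monitor: alert if both tests flag often
    enough within the window (simple EM condition), or if the
    chi-square test alone flags at a higher threshold."""

    def __init__(self, window=50, thres=3, thres2=6):
        self.flags1 = deque(maxlen=window)  # mean-difference test flags
        self.flags2 = deque(maxlen=window)  # chi-square test flags
        self.thres = thres
        self.thres2 = thres2

    def update(self, flag1, flag2):
        """Record one epoch's test flags; return True to alert."""
        self.flags1.append(int(flag1))
        self.flags2.append(int(flag2))
        s1, s2 = sum(self.flags1), sum(self.flags2)
        simple_em = s1 >= self.thres and s2 >= self.thres
        chi2_only = s2 >= self.thres2
        return simple_em or chi2_only
```

The `deque` with `maxlen` implements the moving observation window: old flags fall out automatically, so an isolated false flag cannot trip the monitor on its own.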
While the spoofer can produce many different acceleration profiles with delayed knowledge of the true acceleration, repeating back the true acceleration was found to be a good strategy. This is an extreme spoofing scenario, as the spoofer only cares to spoof the acceleration profile without regard to the actual spoofed position. An actual attack would be constrained by the need to generate its spoofed positions. Figure 11 illustrates an example of the accelerations used for evaluation. The figure shows the acceleration as indicated by the accelerometer, nominal PPP GNSS, and the worst-case spoofed GNSS, as previously discussed, for the first approach. The spoofed case shown assumes that the nominal PPP acceleration is known with a two-second delay and a spoofed signal is generated with that acceleration (repeat-back).

Figure 12 and Figure 13 show the acceleration difference (IMU minus GNSS or spoofed GNSS, top) and the performance of each monitor (bottom) for the nominal and spoofed cases, respectively. The bottom of those plots shows when each test, the mean difference test (black) and the standard deviation difference test (red), was triggered over the course of the approach. A zero value indicates no spoofing, while a nonzero value (1.5 and 1 for acceleration difference and standard deviation, respectively) indicates a flag by the specified test. In the nominal case, the standard deviation test flags only once, while the mean difference test did not flag. In the spoofing case, each test flags many times on the approach, though there are some quiet periods where neither test flags. Figure 14 shows the number of times each test, the mean difference test (black), the standard deviation difference test (red), and the sum of both tests (blue), flags over a moving five-second (50-sample) window. The top shows the nominal case while the bottom shows the spoofed case. As desired, there is not much happening in the nominal case.
Examining the spoofing case, there are many intervals where the tests flag 20 to 40 times each, or 40 to 80% of the window. However, there are other intervals with no flags. Comparing the time periods where there are spoofing flags to the accelerations shown in Figure 11 suggests that the tests are effective during periods with rapid changes in acceleration. No flags occur during reasonably calm acceleration periods. This is not surprising, as the spoofer can easily approximate the actual acceleration in these periods.

Table 1 shows a summary of the results for the simple and multi-condition EMs from Figure 10 with a threshold, Σ_{thres}, of 6%, or 3 total test flags in a 50-sample window. For the multi-condition EM, the Σ_{thres,2} used is 12%, or 6 flagged instances. The table shows the percentage of time spoofing is alerted by each EM and the time from start to first detection, presented for all four approaches and for different cases: nominal, a spoofer with no knowledge (assuming zero acceleration), and the repeat-back spoofing cases. The repeat-back spoofing cases are conducted with one-half- and two-second information delays. In the table, any nonzero detection percentage indicates that the EM generated a spoofing alert during the approach. Hence, the multi-condition EM catches all simulated spoofing cases shown. Additionally, the monitor alerts within about 13 seconds of the start of the approach and spoofing, with the exception of Approach 1. This time to first detection (TFD) is a function not just of the monitor but also of the dynamics of the aircraft. With little variation in motion, it is easy for an attacker to predict the acceleration profile and hence remain concealed from the monitor. As seen in Figure 11, Approach 1 does not have much vertical acceleration variation initially; hence it has a high TFD. The simple EM can catch the longer-delay (two-second) spoofing attack, but with a larger TFD.
With a shorter delay, the simple EM may not alert throughout the entire approach, as the acceleration difference monitor never flags. This is because the acceleration is continuous and does not change rapidly over a short period of time. Thus, with very small delays, the difference between the actual and spoofed acceleration can be small and always remain within the tolerances specified by the low probability of false alert. Similarly, the percentage of time the monitor detects spoofing also depends on the dynamics of the flight. For example, the multi-condition EM detects the repeat-back spoofer with half-second delay between 14.2% and 50.3% of the time. Another important result is that there are no false alerts in any case, with the exception of Approach 4 with the multi-condition EM. The cause of that false alert was found to be dropouts in the GNSS measurements, which caused outlier GNSS accelerations for a few seconds. The result of the dropout, which was exponentially averaged with other measurements, can be seen in Figure 15, which shows the accelerations from the accelerometer, GNSS, and spoofer. The standard deviation monitor flagged the resulting jump. Hence, the false alert was due to a data issue rather than the monitor itself. The detection architecture should be designed to manage data handling errors.
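The repeat-back threat model evaluated above reduces to a pure information delay, which can be sketched as below. This is illustrative only; the function name and the hold-first-sample startup behavior are our assumptions.

```python
import numpy as np

def repeat_back(true_accel, delay_s, dt):
    """Worst-case repeat-back spoofer: replay the true acceleration
    with a fixed information delay (0.5 s or 2 s in the article)."""
    k = int(round(delay_s / dt))          # delay in samples
    spoofed = np.empty(len(true_accel), dtype=float)
    spoofed[:k] = true_accel[0]           # startup assumption: hold first sample
    spoofed[k:] = true_accel[:len(true_accel) - k]
    return spoofed
```

Feeding such a delayed profile in place of the nominal GNSS acceleration is all that is needed to evaluate the monitors, since only the acceleration effect of the spoofer matters to the test statistics.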
Conclusions

The analysis conducted provides only a preliminary feasibility demonstration, and there is still much to be done. One area for future work is fault-tolerant design: the detection architecture needs to determine when it is suitable for use, i.e., when the attitude assumptions are valid. While the analysis conducted leverages some special characteristics of flight, other test measurements have shown that this technique may be suitable for other transportation modes such as railways and automobiles. Both automobile and rail have additional characteristics that can be leveraged.
Acknowledgements
Disclaimer
Additional Resources

Manufacturers

Flight test equipment included the following. A Samsung Galaxy Note 3 was used to provide accelerometer data. It contains a consumer-grade IMU, the Invensense MP65M. This represents a worst-case level of IMU performance, as implementations for transportation applications would likely use automotive-grade MEMS or better. The sensor data was collected at roughly 8 hertz. For the flight test, a Trimble BX935-INS GNSS receiver was used. The receiver and the flight test vehicle, a Federal Aviation Administration (FAA) Technical Center Global 5000 business jet, are shown in Figure 1.

Copyright © 2017 Gibbons Media & Research LLC, all rights reserved.
