MINISTRY OF EDUCATION AND TRAINING HANOI UNIVERSITY OF SCIENCE AND TECHNOLOGY NGUYEN VAN HIEN DETECT AND LOCALIZE INTERFERENCE SOURCES FOR GLOBAL NAVIGATION SATELLITE SYSTEMS Major: Computer Engineering Code No: 9480106 COMPUTER ENGINEERING DISSERTATION SUPERVISORS: 1. La The Vinh 2. Fabio Dovis Hanoi -2022 STATEMENT OF ORIGINALITY AND AUTHENTICITY I hereby declare that all the content and organization of the thesis is the product of my own research and does not compromise in any way the rights of third parties, and all citations are explicitly specified from credible sources. I further confirm that all the data and results in the thesis are performed on actual devices completely true and have never been published by anyone else.
Hanoi, August 2022 SUPERVISORS AUTHOR Assoc. Lã Thế Vinh Nguyễn Văn Hiên Prof. Fabio Dovis i ACKNOWLEDGEMENTS First of all, I would like to thanks my supervisor Assoc. La The Vinh sincerely, for his guiding, supporting and motivating me throughout the whole my PhD student time.
I would also like to express my gratitude to the members of the Navigation, Signal Analysis and Simulation (NavSAS) and Navis Centre. In many ways, they have contributed to all the research activities presented in the thesis. Mainly, I want to express my gratitude to Dr. Gianluca Falco and Dr.
Nguyen Dinh Thuan, their endless support and huge knowledge have greatly contributed to my work. And I would like to express my gratitude to Dr. Emanuela Falletti, who offered scientific guidance and suggestions to help me develope and finish my research during my period at NavSAS. Thanks to Assoc.
Fabio Dovis, who gave me important ideas and guided me to do my research especially during my period at Politecnico Di Torino. I sincerely thanks to VINIF. With the great financial support of the VINIF, my research conditions have greatly improved, and I am fully committed to the works with all of my creative energy. This work was funded by Vingroup Joint Stock Company and supported by the Domestic Master/ PhD Scholarship Programme of Vingroup Innovation Foundation (VINIF), Vingroup Big Data Institute (VINBIGDATA), code VINIF.
I would also like to thank the members of the dissertation committee for their insightful suggestions, which have helped me develop and finish this dissertation. Last but not least, I am grateful to my parents and my wife for their unconditional love, encouragement, support and motivation, as well as for inspiring me to overcome all challenges and difficulties in order to finish this thesis. ii TABLE OF CONTENTS STATEMENT OF ORIGINALITY AND AUTHENTICITY. ii TABLE OF CONTENTS.
iii LIST OF ACRONYMS. vi LIST OF TABLES. viii LIST OF FIGURES .4 Scope of Research.1 Civil GNSS vulnerabilities to intentional interference .2 Radio Frequency Interference.3 GNSS Interference detection techniques .4 Spoofing detection techniques .1 Classification of spoofing threat .2 Spoofing detection algorithms. INTERMEDIATED GNSS SPOOFING DETECTOR BASED ON ANGLE OF ARRIVAL .1 Fundamental background of GNSS and Spoofing .1 GNSS positioning theory .3 GNSS receiver architecture .2 Detection of a subset of counterfeit GNSS signals based on the Dispersion of the Double Differences (D3) .1 Differential Carrier-Phase Model and SoS Detector .2 Sum of Squares Detector Based on Double Differences .3 Some Limitations of the SoS Detector .4 Detection Of A Subset Of Counterfeit Signals Based On The Dispersion Of The Double Differences (D3) .5 Determination of the Decision Threshold .6 Cycle slip monitoring: the Doppler shift monitor .7 Reducing the probability of incorrect decision by time averaging .3 Performance Analysis of the Dispersion of Double Differences Algorithm to Detect Single-Source GNSS Spoofing .1 Theoretical analysis of performance and decision threshold .2 Performance evaluation of robust D3 implementations .3 Considerations on practical performance .4 A Linear Regression Model of the Phase Double Differences to Improve the D3 Spoofing Detection Algorithm .1 Limitations of D3 algorithm .2 The piecewise linear model .3 The proposed LR-D3 detector .4 Performance assessment with in-lab GNSS signals.
SOPHISTICATED GNSS SPOOFING DETECTOR BASED ON ANGLE OF ARRIVAL .1 Gaussian Mixture Models and Expectation-Maximization for GMM (source [67]) .3 Maximum likelihood for the Gaussian .4 The expectation maximization algorithm for GMM (source [67]) .2 A Gaussian Mixture Model Based GNSS Spoofing Detector using Double Difference of Carrier Phase in simple spoofing scenario .3 A novel approach to classify authentic and fake GNSS signals in sophisticated spoofing scenario using Gaussian Mixture Model .1 Grouping of Double Carrier Phase Difference .4 Multi-Directional GNSS Simulation Data Generation Method Use of Software Defined Radio Technology .1 Multidirectional GNSS signal simulation .2 Signal and system model .1 Multidirectional GNSS signals simulation .2 Sophisticated GNSS spoofing detector. CONCLUSIONS AND FUTURE WORKS. 128 v LIST OF ACRONYMS Acronym Meaning ADC Analog to Digital Converters AGC Automatic Gain Control AoA Angle of Arrival C/A Coarse/Acquisition C/N0 Carrier-to-Noise density CDMA Code Division Multiple Access D3 Dispersion of the Double Differences DVBT Digital Video Broadcasting – Terrestrial FDMA Frequency Division Multiple Access FNR False Negative Rate FPR False Positive Rate GLRT General Likelihood Ratio Test GMM Gaussian Mixture Model GNSS Global Navigation Satellite Systems GoF Goodness of Fit GPS Global Positioning System GSM Global System for Mobile Communications vi IMU Inertial Measurement Units OEM Original Equipment Manufacturer PVT Position, Velocity and Time RFI Radio Frequency Interference RX Receiver SDR Software-Defined Radio SIS Signal in Space SoS Sum of Squares TNR True Negative Rate ToA Time of Arrival TPR True Positive Rate TX Transmitter UTMS Universal Mobile Telecommunications System VHF Very High Frequency VSD Vestigial Signal Defense vii LIST OF TABLES Table 2.1 Techniques of GNSS spoofing detector based on signal features.1 Percentage of correct decisions for SoS and D3, in the three scenarios under test .2 Statistical performance of the D3 algorithm with two baselines .3 Static tests: estimation of the probability of missed detection on the counterfeit signals (%). the ‘overall’ case is the probability of missed detection of three counterfeit signals .4 Static tests: Estimation of the probability of false alarms on the authentic signals (%) .5 Dynamic tests: aircraft trajectories description .6 Dynamic test TRJ1: Estimation of the probability of missed detection on the counterfeit signals (%).
The ‘overall’ case is the probability of missed detection of three counterfeit signals .7 Dynamic test TRJ1: Estimation of the probability of false alarm on the authentic signals (%) .8 Dynamic test TRJ2: Estimation of the probability of missed detection on the counterfeit signals (%) .9 Dynamic test TRJ2: Estimation of the probability of false alarm on the authentic signals (%) .10 Static test with Real Measurements: Detection Results for Test #1 .11 Dynamic tests with Real Measurements: Tests trajectories description 77 Table 3.12 Dynamic tests with Real Measurements: Detection Results for Test #4 78 Table 3.13 Comparison of detection performance for 2 hours of signal simulation: LR-D3 and standard D3 algorithms .14 Detection performance as a function of C/N0 .1 The result of cross validation testing.2 The result of Fractional DDs in case of Intermediate spoofing attack, where the DDs of authentic satellites cross the ones related to the spoofed satellites .3 Normalized confusion matrix of Fractional DDs in case of Intermediate spoofing attack. 123 viii LIST OF FIGURES Figure 1.1 Applications of GNSS (source:[12]) .1 The enviroment for transmitting signals from satellites to receivers (source: [33]) .2 The low SIS signal power of GNSS (source: [35]).3 GNSS frequency bands (source: [36]) .4 Radio frequency interference .5 Intermediated Spoofing Scenario .6 Cheap jammers are widely sold online (source: [38]) .7 Techniques for Detecting GNSS Interference .8 Three continuum of spoofing threat: simplistic, intermediate, and sophisticated attacks (source: [27]) .9 A summary of the various spoofing detection methods available in the literature (source: [13]) .10 Angle of arrival of GNSS satellite .11 Angle of arrival defense Spoofing .1 Spherical positioning system of GNSS .2 A fundamental GNSS receiver architecture (source: [46]) .3 Principles of GPS simulator .4 Blocks scheme of GPS simulator .5 Block diagram of SoS Detector .7 Reference geometry for the dual-antenna system .8 Fractional DDs and SoS detector results under simulated spoofing attack (H0) .9 Fractional DDs and SoS detector results in normal conditions (H1) .10 Fractional DD measurements and SoS detection metric in mixed tracking conditions under spoofing attack. Only three signals out of nine are counterfeit. The reference signal is authentic .11 Example of cycle slips effect on the SoS metric in the presence of single source.
The detector is not able to reveal a spoofing attack when cycle slips occur 43 Figure 3.12 Zero baseline fractional DD measurements for various values of input C/N0 ratio. In this setup the ratio was equal for all the simulated signals .13 Empirical mapping of the relationship between threshold ξk and input C/N0 ratio .14 Fractional DD measurements and SoS metric in the presence of single source after removing cycle slips .15 Authentic signals scenario .16 Simplistic spoofing attack scenario .17 Intermediate spoofing attack scenario .18 Fractional DD measurements and SoS metric in the Authentic signals scenario. When cycle slips occur, the DDs are not computed .19 D3 detector results in the Authentic signals scenario .20 Fractional DDs in case of Intermediate spoofing attack, where the DDs of authentic satellites (PRN 23) cross the ones related to the spoofed satellites .21 Fractional DD measurements in mixed tracking conditions under spoofing attack. Five signals of eight are counterfeit.
The reference signal is counterfeit, so that Mcnt = 0 .22 Normalized distribution under the h1 condition: comparison between theoretical and sample distribution .23 Normalized distribution under the h0 condition: comparison between theoretical and sample distribution .24 Relationship between ξ2 and pairwise Pmd, under the h0 condition (logarithmic scale on the Y axis) .25 Comparison between the theoretical Pmd and the computed missed- detection rate Rmd for various values of detection threshold ξ2 .26 Theoretical values of Pfa (3.24) as a function of ξ2 and for several non- centrality parameters λ.27 Evaluation of the feasible range of values for the non-centrality parameter λ, as a function of the difference |mj-mk | and of the standard deviation of the measurement noise σ .28 Measured values of Rfa as a function of ξ2 for a two-hours simulation in which |mj-mk | varies along time and so does the non-centrality parameter λ|(h1) .29 Pairwise operating curves (i., pairwise Pfa (λ) as a function of the pairwise Pmd ) for the D3 detection rule, for several non-centrality parameters λ .30 Estimated PMD for the D3 algorithm under the H0 condition .31 ROC curves for the D3 spoofing detection algorithm, for several non- centrality parameters λ.32 Estimated PMD for the D3 algorithm with averaged fractional DDs, under the H0 condition and for different averaging window lengths η .33 Comparison of ROC curves for the D3 spoofing detection algorithm with 1 and 2 baselines, for several non-centrality parameters λ .34 Static test: Double carrier phase differences with respect to a counterfeit reference satellite .35 Double carrier phase differences of the 1st baseline (top) and 2nd baseline (bottom) in TRJ 1 .36 Block diagram of LR-D3 Detector .37 Fractional DD measurements in mixed tracking conditions under spoofing attack. Five signals of eight are counterfeit .38 Sequences of decisions, with false alarms, in the standard D3 spoofing detector algorithm for PRNs 25 and 16 .39 Example of fractional DD approximated by piecewise straight lines .40 Example of estimated value of line slope and intercept .41 Measured pairwise missed-detection rate for the detection events Aij and Bij evaluated on three data collections at different SNR .42 Overall probability of missed-detection (PMD) estimated for the LR-D3 and the standard D3 algorithms .43 Measured pairwise false-alarm rate for the detection events Aij and Bij evaluated on three data collections at different SNR .44 Overall probability of false-alarm (PFA) estimated for the LR- D3 and the standard D3 algorithms .45 Time series of the fractional DD measurements computed from a GNSS dataset, including both authentic and spoofed signals .46 Decisions produced by the standard D3 algorithm .47 Decisions produced by the LR-D3 algorithm .