Crowd-GPS-Sec: Leveraging Crowdsourcing to Detect and Localize GPS Spoofing Attacks

Jansen K, Schäfer M, Moser D, et al. Crowd-GPS-Sec: Leveraging Crowdsourcing to Detect and Localize GPS Spoofing Attacks[C] IEEE Symposium on Security and> Privacy (S&P). 2018.

Introduction

GPS

A. GPS Usage in avaition

非常广泛

B. GPS Spoofing Attacks

依赖GPS的航空工具都是攻击者倾向的目标

1） Threat Model

Spoffer is emulating a moving track such as a straight line or a curve with some potential acceleation

2) Validation of assumptions

• first,position advertisements contain the spoofed GPS positions
• Second,spoofed signals will affect neighboring aircraft and UAVs

GPS Spoofing Expriments

The gole of these expriments is to demonstrate that existing transponders do not perform any checks on the derived GPS position and that spoffers can precisely control the positino and speed of victim receivers 实验表明欺骗很容易实现

GPS Spoofing Coverage Estimation

根据假设作出自由空间路径损失 $$L_{fs} = 32.45 + 20log_{10}(d_{km}) + 20 log_{10}(f_{MHz}) \tag{1}$$ $L_{$fs}$自由空间路径损耗，$d_{km}$信号源与接收器距离，$f_{MHz}$信号频率 根据（1）得 $$Power -L_{fs}d - Attenuation \geq -160[dBW]$$ 由该公式知所有离被攻击目标内34km的UAVs都会收到至少-160dBW的信号

CROWD-GPS-SEC

所调查，传感器主要分布在美欧，我们的系统由三个模型组成

• multilateration(MLAT) module estimates the location of airrcraft based on the time defference of Arrival(TDoA) between different sensors
• spoofing detection module check inconsistencies between multilaterated positions and GPS-derived positions in consistencies between position advertisements from different aircraft
• spoofer localization module has tetected a GPS spoofer estimates the position fo the spoffer.

A. Multilateration(MLAT)

每个被收到的信息可被表示成元组 $$ADS-B/Flarm Report :(\hat a_i,t_s) \tag{2}$$ 传播距离和TDoA的关系： $$dist(s_i,A) - dist(s_j,A) = \Delta t_{i,j} \tag{3} \cdot c$$ $s_i$是i传感器的位置，A是发射信号的UAVs，$\Delta t_{i,j}$为i,j的时间差,c光速。传感器距离交点即为UAVs的位置。

B. GPS Spoofing Detection

1) Time Alignment of Transmissions: 算出传递时间 $$t_{TX} = t_s - \frac{dist(s,a)}{c} \tag{4}$$ 利用相对时间计算UAVs的相对位置 $$ a_{REF} = \left{ \begin{aligned} \frac{a_{TX} \cdot(t_{TX+1} - t_{REF})+a_{TX+1} \cdot (t_{REF} - t{TX})}{t_{TX+1} - t_{TX}}&&&& t_{TX} < t_{REF} & \ a_{TX} &&&& t_{TX} = t_{REF}\ \frac{a_{TX} \cdot (t_{REF} - t_{TX-1}) + a_{TX-1} \cdot (t_{TX} -t_{REF})}{t_{TX} - t_{TX-1}} &&&& t_{TX} > t_{REF} \end{aligned} \right. $$

(2) test1 (Cross-checks with MLAT) 测试位置差是否大于阈值 $$dist(a_i,\hat a_i) \overset{?}{<} \tau_i \tag{5}$$ $a_i$是real position determined by MLAT,$\hat a$ position reported by UAVs i using ADS-B/Flarm $\tau$太大检测的成功率会减小，太小会提高出错率 复杂度：O(n)

(3) test2 (Multiple Aircraft Comparison) UAVs间的距离比较是否小于阈值 $$dist(\hat a_i,\hat a_j) = d_{i,j} \overset{?}{>} \tau _2 \tag{6}$$ 复杂度：两两比较为$O(n^2)$，但通过最近邻算法可降到$n \cdot Olog(n)$前面的n代表有n个UAVs。 （4）检测的时候两个test一起用 ##C. GPS Spoofer Localization

1) localization Model

每个被欺骗的UAVs报告相同的位置，反射追踪这些位置找到欺骗者的位置。检测模块找到被 欺骗的UAVs，定位模块进行定位 ，将得到的变量代入公式。 $$dist(a_i,SP) - dist(a_j,SP) = d_{i,j} \cdot \frac{c}{v_{track}} \tag{7}$$

• 几何断点：三个双曲面有两个点，4个或更多就只有一个交叉点
• 要求：两个被欺骗的UAVs在不同位置即可得到4组乖式，进而得到解。 $$\begin{equation} \left ( \begin{array}{ccc} m\ 2 \end{array} \right ) \end{equation} \cdot t_s \ge 4 \tag{8}$$

Comparison with MLAT. 我们的方法更好，MLAT不行

2） Error Minimization:

用双曲面交叉来标记一个点而不是一个区域，错误函数为： $$E_t(SP,i,j) = dist(a_i,SP) - dist(a_j,SP) - d_{i,j} \cdot \frac{c}{v_{track}} \tag{9}$$ root mean square error(RMSE)是 : $$\begin{equation} \mathop{\arg\min}{SP} \sqrt{\frac{\sum{t = 1}^{\infty}\sum_{i = 1}^{m}\sum_{j = 1}^{i - 1}E_t(SP,i,j)^2}{t \cdot (\frac{m^2}{2} - m)}} \end{equation} \tag{10}$$ 最小化损失函数即可最大准确率，被欺骗的UAVs越多结果越准确，

3） improved Filtering

对得到的位置进行正交化过滤 $$\hat a_i - \hat a_{j}^{’} \bot tarck \tag{11}$$