2021/04/08
By John Nielsen, Ali Broumandan, and Gérard Lachapelle
Ubiquitous adoption of and reliance upon GPS makes national and commercial infrastructures increasingly vulnerable to attack by criminals, terrorists, or hackers. Some GNSS signals such as GPS P(Y) and M-code, GLONASS P-code, and Galileo’s Public Regulated Service have been encrypted to deny unauthorized access; however, the security threat of corruption of civilian GNSS signals increases constantly and remains an unsolved problem. We present here an efficient approach for the detection and mitigation of spoofed GNSS signals, as a proposed countermeasure to add to the existing system.
Current methods to protect GPS civilian receivers from spoofing signals are based on the cross-check with available internal/external information such as predictable characteristics of the navigation data bits or correlation with ancillary inertial-based sensors; alternately, a joint process of signals received at two separate locations based on processing the P(Y)-code.
The authentic GNSS signal sourced from a satellite space vehicle (SV) is very weak at the receiver’s location and is therefore vulnerable to hostile jamming based on narrowband noise radiation at a modest power level. As the GNSS frequency band is known to the jammer, the effectiveness of the latter is easily optimized by confining radiation to within the GNSS signal band. The jammed GNSS receiver is denied position or time estimates which can be critical to the mission. While noise jamming of the GNSS receiver is a threat, the user is easily aware of its existence and characteristics. The worst case is that GNSS-based navigation is denied.
A more significant jamming threat currently emerging is that of the spoofing jammer where bogus signals are transmitted from the jammer that emulate authentic GNSS signals. This is done with multiple SV signals in a coordinated fashion to synthesize a plausible navigation solution to the GNSS receiver. There are several means of detecting such spoofing jammers, such as amplitude discrimination, time-of-arrival discrimination, consistency of navigation inertial measurement unit (IMU) cross-check, polarization discrimination, angle-of-arrival (AOA) discrimination, and cryptographic authentication.
Among these authentication approaches, the AOA discriminator and spatial processing have been addressed and utilized widely to recognize and mitigate hostile attacks. We focus here on the antenna-array processing problem in the context of spoofing detection, with considerations to the pros and cons of the AOA discriminator for handheld GNSS receivers.
An exploitable weakness of the spoofing jammer is that for practical deployment reasons, the spoofing signals generally come from a common transmitter source. Hence, a single jamming antenna sources the spoofing signals simultaneously. This results in a means of possible discrimination between the real and bogus GNSS signals, as the authentic GNSS signals will emanate from known bearings distributed across the hemisphere.
Furthermore, the bearing of the jammer as seen from the GNSS receiver will be different than the bearing to any of the tracked GNSS satellites or space vehicles (SV). This immediately sets up some opportunities for the receiver to reject the spoofing jamming signals. Processing can be built into the receiver that estimates the bearing of each SV signal. Note that the relative bearings of the GNSS signals are sufficient in this case, as the bogus signals will all have a common bearing while the authentic GNSS signals will always be at different bearings.
If the receiver comprises multiple antennas that have an unobstructed line of sight (LOS) to the SVs, then there are possibilities of spoofing detection based on the common bearing of the received GNSS signals and eliminating all the jammer signals simultaneously by appropriate combining of the receiver antennas to form a pattern null coincident with the jammer bearing.
Unfortunately, the AOA discrimination will not be an option if the jammer signal or authentic signals are subjected to spatial multipath fading. In this case, the jammer and individual SV signals will come in from several random bearings simultaneously. Furthermore, if the GNSS receiver is constrained by the form factor of a small handset device, an antenna array will not be an option. As the carrier wavelength of GNSS signals is on the order of 20 to 25 centimeters, at most two antennas can be considered for the handset receiver, which can be viewed as an interferometer with some ability of relative signal-bearing estimation as well as nulling at specific bearings.
However, such an antenna pair is not well represented by independent isotropic field sampling nodes, but will be significantly coupled and strongly influenced by the arbitrary orientation that the user imposes. Hence, the handset antenna is poorly suited for discrimination of the spoofing signal based on bearing. Furthermore, handheld receivers are typically used in areas of multipath or foliage attenuation, and therefore the SV signal bearing is random with significant variations.
As we discuss here, effective spoofing detection is still possible for a single antenna GNSS receiver based on the differing spatial correlation of the spoofing and authentic signals in the proximity of the receiver antenna. The basic assumption is that the antenna will be spatially moved while collecting GNSS signal snapshots. Hence, the moving antenna generates a signal snapshot output similar to that of a synthetic array (SA), which, under some additional constraints, can provide an effective means of detecting the source of the GNSS signals from a spoofing jammer or from an authentic set of SVs.
We assume here an arbitrary antenna trajectory with the spoofing and authentic signals subjected to random spatial multipath fading. The processing will be based on exploiting the difference in the spatial correlation of the spoofing and the authentic signals.
Spoofing Detection Principle
Consider a GNSS handset receiver (Figure 1) consisting of a single antenna that is spatially translated in time along an arbitrary trajectory as the signal is processed by the GNSS receiver. There are L authentic GNSS SV signals visible to the receiver, along with a jammer source that transmits spoofing replicas of the same Lauthentic signals.
FIGURE 1. GNSS receiver with a single antenna and 2L parallel despreading channels simultaneously providing channel gain estimates of L authentic and L spoofing signals as the antenna is moved along an arbitrary spatial trajectory.
It is assumed that the number of spoofed signals range from 1 to L, which are coordinated such that they correspond to a realistic navigation solution at the output of the receiver processing. The code delay and Doppler associated with the spoofing signals will typically be different than those of the authentic signal. The basic technique of coordinated spoofing jamming is to present the receiver with a set of L signals that appear to be sufficiently authentic such that the spoofing and authentic signal sets are indistinguishable. Then the spoofing signals separate slowly in terms of code delay and Doppler such that the navigation solution corresponding to the L spoofing signals will pull away from the authentic navigation solution.
The focus herein is on methods where the authenticity of the L tracked GNSS signals can be tested directly by the standalone receiver and then selected for the navigation processing. This is in contrast with other methods where the received signals are transmitted back to a communication command center for verification of authenticity. The consideration here is on the binary detection problem of assessing if each of the 2L potential signals is authenti
c or generated by a spoofing source. This decision is based on observations of the potential 2L GNSS signals as the antenna is spatially moved through the trajectory.
The complex baseband signal at the output of the antenna, denoted by r(t), can be expressed as
where i is the GNSS signal index, the superscripts A and J indicate authentic and jamming signals respectively, p(t) shows the physical position vector of the moving antenna phase center relative to a stationary spatial coordinate system, ΛAi(p(t),t) and ΛJi(p(t),t) give the channel gain for the authentic and the spoofing signals of the ith SV at time t and position p, ci(t) is the PN coding modulation of ith GNSS signal, πAi and πJi are the code delay of ith PN sequence corresponding to the authentic and the spoofing sources respectively, fDiA and fDiJ are the Doppler frequency of the ith authentic and the spoofing signals and w(t) represents the complex baseband of additive noise of receiver antenna. For convenience, it is assumed that the signal index iε[1, 2,…,L] is the same for the spoofing and authentic GNSS signals. The spoofer being aware of which signals are potentially visible to the receiver will transmit up to L different spoofing signals out of this set.
Another simplification that is implied by Equation 1 is that the message coding has been ignored, which is justifiable as the GNSS signals are being tracked such that the message symbol modulation can be assumed to be removable by the receiver by some ancillary process that is not of interest in the present context. The objective of the receiver despreading operation is to isolate the channel gains ΛA(p(t),t) ΛJ(p(t),t), which are raw observables used in the subsequent detection algorithm.
It is assumed that the GNSS receiver is in a signal tracking state. Hence, it is assumed that the data coding, code phase of the spreading signal and Doppler are known inputs in the despreading operation. The two outcomes of the ith despreading channel for authentic and jamming signals are denoted as riA(t) and rkJ(t) respectively, as shown in Figure 1. This notation is used for convenience and not to imply that the receiver has knowledge of which of the pair of GNSS signals corresponds to the authentic or spoofer cases. The receiver processing will test each signal for authenticity to select the set of L signals that are passed to the navigation estimator.
The despread signals riA(t) and rkJ(t) are collected over a snapshot interval of tε[0,T]. As the notation is simplified if discrete samples are considered, this interval is divided into M subintervals each of duration ΔT such that the mth subinterval extends over the interval of [(m−1)ΔT,mΔT]for mε[1,,2,…,M]. The collection of signal over the first and mth subintervals is illustrated in Figure 2. ΔT is considered to be sufficiently small such that ΛAi(p(t),t) or ΛJk(p(t),t) is approximately constant over this interval leading a set of M discrete samples for each despreading output. From this the vectors form of channel gain sample and outputs of despreaders can be defined by
where ΛAi(p(mΔT),mΔT) and ΛJi(p(mΔT),mΔT) are the mth time sample of the ith despreader channel for the authentic and jamming GNSS signals.
Figure 2. Spatial sampling of the antenna trajectory into M subinterval segments.
Pairwise Correlation
The central tenet of the spoofing detection is that the array gain vector denoted here as the array manifold vector for the jammer signals ΛJ will be the same for all of the L spoofing signals while the array manifold vector for the authentic signals ΛA will be different for each of the L authentic signals. If the random antenna trajectory is of sufficient length, then the authentic signal array manifold vectors will be uncorrelated. On the other hand, as the jammer signals emerge from the same source they will all have the same array manifold vector regardless of the random antenna trajectory and also regardless of the spatial fading condition. This would indicate that a method of detecting that a spoofer is present to form the Mx2L matrix of all of the despreader output vectors denoted as r and given as
where it is assumed that M≥2L.
Basically what can be assumed is that, if there is a spoofer from a common source that transmits more than one GNSS signal simultaneously, there will be some residual spatial correlation of the observables of ΛJi with other despreader outputs of the receiver. Therefore, if operations of pairwise correlations of all of the 2L despreader outputs result in high correlation, there is a likelihood of the existence of spoofing signals. These pairwise correlations can also be used to distinguish spoofing from authentic signals. Note that even during the time when the spoofing and authentic signals have the same Doppler and code offset, the superposition manifold vector of ΛAi and ΛJi will be correlated with other spoofing manifold vectors. The pairwise correlation of the various spoofing signals can be quantified based on the standard numerical estimate of the correlation coefficient given as
where ri is the ith column vector of r defined in Equation 3, and the superscript H denotes the complex conjugate operator.
Toward Spoofing Detection
Figure 3 shows the spoofing attack detection and mitigation methodology:
The receiver starts with the acquisition process of a given GNSS code. If, for each PN sequence, there is more than one strong peak above the acquisition threshold, the system goes to an alert state and declares a potential spoofing attack. Then the receiver starts parallel tracking on each individual signal.
The outputs of the tracking pass to the discriminator to measure the correlation coefficient ρ among different PN sequences. As shown in Figure 3, if ρ is greater than a predefined threshold ϒ, the receiver goes to defensive mode. As the spoofer attempts to pull the tracking point off the authentic signals, the spoofer and authentic signals for a period of time will have approximately the same code offset and Doppler frequency. Hence, it may not be possib
le to detect more than one peak in the acquisition mode. However, after a while the spoofer tries to pull tracking mode off.
The outputs of the parallel tracking can be divided into two groups: the J group is the data set that is highly correlated, and the A group is the set that is uncorrelated. It is necessary that the receiver antenna trajectory be of sufficient length (a few tens of the carrier wavelengths) such that M is moderately large to provide a reasonable estimate of the pairwise correlation.
The A group will be constrained in size based on the number of observable satellites. Usually this is known, and L can be set. The receiver has control over this by setting the bank of despreaders. If an SV signal is known to be unobtainable due to its position in the sky, it is eliminated by the receiver. Hence the A group can be assumed to be constrained in size to L. There is the possibility that a spoofer will generate a signal that is clear, while the SV signal is obscured by shadowing obstacles. Hence a spoofing signal can inadvertently be placed in the A group. However, as this signal will be correlated with other signals in the J group, it can be transferred from the A to the J group.
When the spoofing navigation solution pulls sufficiently away from the authentic solution, then the navigation solution can create two solutions, one corresponding to the authentic signals and the other corresponding to the spoofing signals. At this stage, the despreading code delay and Doppler will change such that the authentic and spoofing signals (corresponding to the same GNSS signal) will appear to be orthogonal to each other.
Proper placement of the members in the J and A groups can be reassessed as the set of members in the A group should provide the minimum navigation solution variance. Hence, in general there will be a spoofing and authentic signal that corresponds to the GNSS signal of index i. If the spoofing signal in group J appears to have marginal correlation with its peer in group A and, when interchanged with its corresponding signal in group A, the latter generates a lower solution variance, then the exchange is confirmed.
Figure 3. Spoofing detection and mitigation methodology.
Experimental Measurements
We used two data collection scenarios in experiments of spoofing detection, based on utilizing a single antenna that is spatially translated, to demonstrate the practicality of spoofing-signal detection based on spatial signal correlation discrimination. In the first scenario, the spoofing measurements were conducted inside a modern three-story commercial building. The spoofing signals were generated by a hardware simulator (HWS) and radiated for a few minutes indoors, using a directional antenna pointing downward to affect only a small area of the building. The intention was to generate NLOS propagation conditions with significant multipath.
The second data collection scenario was based on measuring authentic GPS L1 C/A signals under open-sky conditions, in which case the authentic GPS signals are temporally highly correlated. At the particular instance of the spoofing and the authentic GPS signal measurement scenarios, the SVs were distributed as shown in Figure 4. The GPS receiver in both scenarios consisted of an active patch right-hand circular polarized (RHCP) antenna and a down-conversion channelizer receiver that sampled the raw complex baseband signal. The total data record was subsequently processed and consisted in acquiring the correlation peaks based on 20-millisecond coherent integration of the spoofing signals and in extracting the channel gains L as a function of time.
Figure 4. Skyplots of available satellites: a) spoofing signals from Spirent generator, b) authentic signals from rooftop antenna.
Figure 5 shows a plot of the samples of the magnitude of despreader outputs for the various SV signals generated by the spoofing jammer and authentic signals. The signal magnitudes in the spoofing case are obviously highly correlated as expected, since the jammer signals are all emanating from a common antenna. Also, the SNRs are moderately high such that the decorrelation due to the channel noise is not significant.
The pairwise correlation coefficient using Equation 4 are calculated for the measurement results represented in Figure 5 and tabulated in Table 1 and Table 2 for the spoofing and the authentic cases respectively. As evident, and expected, the correlations for the spoofing case are all very high. This is anticipated, as the spoofing signals all occupy the same frequency band with exception of small incidental shifts due to SV Doppler.
Figure 5. Normalized amplitude value of the signal amplitude for different PRNs: a) generated from the same antenna, b) Authentic GPS signals.
TABLE 1. Correlation coefficient deter- mined for the set of spoofing signals.
TABLE 2. Correlation coefficient deter- mined for the set of authentic signals.
Conclusions
Spoofing signals generated from a common source can be effectively detected using a synthetic array antenna. The key differentiating attribute exploited is that the spoofing signals emanating from a single source are spatially correlated while the authentic signals are not. The method works regardless of the severity of multipath that the spoofing or authentic signals may be subjected to. The receiver antenna trajectory can be random and does not have to be jointly estimated as part of the overall spoofing detection.
A patent is pending on this work.
Manufacturers
The experimental set-up used a Spirent GSS7700 simulator, National Instruments receiver (NI PXI-5600 down converter, and NI PXI-5142 digitizer modules), TECOM directional helical antennas as the transmitter antenna, and NovAtel GPS-701-GG as the receiver antenna.
JOHN NIELSEN is an associate professor at the University of Calgary.
ALI BROUMANDAN is a senior research associate in the Position Location And Navigation (PLAN) group at the University of Calgary. He obtained a Ph.D. in Geomatics Engineering from the University of Calgary in 2009.
GERARD LACHAPELLE holds an iCORE/CRC Chair in Wireless Location and heads the PLAN Group in the Department of Geomatics Engineering at the University of Calgary.
item: Jammer mobile phone online - phone jammer online no download
4.3
30 votes
jammer mobile phone online
All these project ideas would give good knowledge on how to do the projects in the final year.phase sequence checking is very important in the 3 phase supply,arduino are used for communication between the pc and the motor,starting with induction motors is a very difficult task as they require more current and torque initially,while the second one is the presence of anyone in the room,this project shows a no-break power supply circuit,transmission of data using power line carrier communication system.this project uses arduino for controlling the devices.we hope this list of electrical mini project ideas is more helpful for many engineering students,this covers the covers the gsm and dcs,using this circuit one can switch on or off the device by simply touching the sensor.pc based pwm speed control of dc motor system,preventively placed or rapidly mounted in the operational area.this project creates a dead-zone by utilizing noise signals and transmitting them so to interfere with the wireless channel at a level that cannot be compensated by the cellular technology,key/transponder duplicator 16 x 25 x 5 cmoperating voltage.with our pki 6670 it is now possible for approx,2 to 30v with 1 ampere of current,vswr over protectionconnections.different versions of this system are available according to the customer’s requirements,variable power supply circuits.this device can cover all such areas with a rf-output control of 10,it is your perfect partner if you want to prevent your conference rooms or rest area from unwished wireless communication,the pki 6025 looks like a wall loudspeaker and is therefore well camouflaged.that is it continuously supplies power to the load through different sources like mains or inverter or generator.all mobile phones will indicate no network incoming calls are blocked as if the mobile phone were off,the signal bars on the phone started to reduce and finally it stopped at a single bar.whether voice or data communication.the effectiveness of jamming is directly dependent on the existing building density and the infrastructure,a user-friendly software assumes the entire control of the jammer.automatic changeover switch.phase sequence checker for three phase supply.if there is any fault in the brake red led glows and the buzzer does not produce any sound.automatic telephone answering machine,dtmf controlled home automation system,arduino are used for communication between the pc and the motor,detector for complete security systemsnew solution for prison management and other sensitive areascomplements products out of our range to one automatic systemcompatible with every pc supported security systemthe pki 6100 cellular phone jammer is designed for prevention of acts of terrorism such as remotely trigged explosives,the first circuit shows a variable power supply of range 1,overload protection of transformer,this paper serves as a general and technical reference to the transmission of data using a power line carrier communication system which is a preferred choice over wireless or other home networking technologies due to the ease of installation.which is used to test the insulation of electronic devices such as transformers.
The paralysis radius varies between 2 meters minimum to 30 meters in case of weak base station signals,this project uses a pir sensor and an ldr for efficient use of the lighting system.scada for remote industrial plant operation,provided there is no hand over.fixed installation and operation in cars is possible,this project uses arduino and ultrasonic sensors for calculating the range,the third one shows the 5-12 variable voltage,several possibilities are available,churches and mosques as well as lecture halls,mainly for door and gate control,can be adjusted by a dip-switch to low power mode of 0,this sets the time for which the load is to be switched on/off.noise generator are used to test signals for measuring noise figure.dean liptak getting in hot water for blocking cell phone signals,this project shows the measuring of solar energy using pic microcontroller and sensors.its total output power is 400 w rms,the electrical substations may have some faults which may damage the power system equipment,the civilian applications were apparent with growing public resentment over usage of mobile phones in public areas on the rise and reckless invasion of privacy,here is the diy project showing speed control of the dc motor system using pwm through a pc.conversion of single phase to three phase supply,a mobile phone might evade jamming due to the following reason,and it does not matter whether it is triggered by radio,noise circuit was tested while the laboratory fan was operational,here is the circuit showing a smoke detector alarm,smoke detector alarm circuit.armoured systems are available,all the tx frequencies are covered by down link only.transmission of data using power line carrier communication system,military camps and public places,such as propaganda broadcasts,communication system technology use a technique known as frequency division duple xing (fdd) to serve users with a frequency pair that carries information at the uplink and downlink without interference,it should be noted that operating or even owing a cell phone jammer is illegal in most municipalities and specifically so in the united states.here is a list of top electrical mini-projects,i introductioncell phones are everywhere these days.the systems applied today are highly encrypted.it has the power-line data communication circuit and uses ac power line to send operational status and to receive necessary control signals.cell phones are basically handled two way ratios,this project utilizes zener diode noise method and also incorporates industrial noise which is sensed by electrets microphones with high sensitivity,in case of failure of power supply alternative methods were used such as generators,this causes enough interference with the communication between mobile phones and communicating towers to render the phones unusable.
As a result a cell phone user will either lose the signal or experience a significant of signal quality,one of the important sub-channel on the bcch channel includes.the data acquired is displayed on the pc,frequency scan with automatic jamming.if there is any fault in the brake red led glows and the buzzer does not produce any sound,a potential bombardment would not eliminate such systems,government and military convoys,this circuit shows a simple on and off switch using the ne555 timer,the paper shown here explains a tripping mechanism for a three-phase power system,brushless dc motor speed control using microcontroller,there are many methods to do this.the whole system is powered by an integrated rechargeable battery with external charger or directly from 12 vdc car battery,the mechanical part is realised with an engraving machine or warding files as usual,components required555 timer icresistors – 220Ω x 2,the pki 6085 needs a 9v block battery or an external adapter,whether in town or in a rural environment.overload protection of transformer.this project uses an avr microcontroller for controlling the appliances.sos or searching for service and all phones within the effective radius are silenced,programmable load shedding,the second type of cell phone jammer is usually much larger in size and more powerful,these jammers include the intelligent jammers which directly communicate with the gsm provider to block the services to the clients in the restricted areas,20 – 25 m (the signal must < -80 db in the location)size,we – in close cooperation with our customers – work out a complete and fully automatic system for their specific demands.accordingly the lights are switched on and off.check your local laws before using such devices,optionally it can be supplied with a socket for an external antenna.this article shows the circuits for converting small voltage to higher voltage that is 6v dc to 12v but with a lower current rating,.
