CN108931789B - Attack detection method, attack detector, computer-readable storage medium, and terminal - Google Patents

Attack detection method, attack detector, computer-readable storage medium, and terminal Download PDF

Info

Publication number
CN108931789B
CN108931789B CN201810173885.3A CN201810173885A CN108931789B CN 108931789 B CN108931789 B CN 108931789B CN 201810173885 A CN201810173885 A CN 201810173885A CN 108931789 B CN108931789 B CN 108931789B
Authority
CN
China
Prior art keywords
detection threshold
attack
satellite
log
sum
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810173885.3A
Other languages
Chinese (zh)
Other versions
CN108931789A (en
Inventor
刘柏池
贾志科
虞婧
鹿智萃
姜天宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Core and material (Shanghai) Technology Co.,Ltd.
Hexin Xingtong Technology (Beijing) Co., Ltd
Original Assignee
Hexin Xingtong Technology Beijing Co ltd
Unicorecomm Shanghai Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hexin Xingtong Technology Beijing Co ltd, Unicorecomm Shanghai Technology Co ltd filed Critical Hexin Xingtong Technology Beijing Co ltd
Priority to CN201810173885.3A priority Critical patent/CN108931789B/en
Publication of CN108931789A publication Critical patent/CN108931789A/en
Application granted granted Critical
Publication of CN108931789B publication Critical patent/CN108931789B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G01MEASURING; TESTING
    • G01SRADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
    • G01S19/00Satellite radio beacon positioning systems; Determining position, velocity or attitude using signals transmitted by such systems
    • G01S19/01Satellite radio beacon positioning systems transmitting time-stamped messages, e.g. GPS [Global Positioning System], GLONASS [Global Orbiting Navigation Satellite System] or GALILEO
    • G01S19/015Arrangements for jamming, spoofing or other methods of denial of service of such systems

Abstract

The invention discloses an attack detection method, an attack detector, a computer readable storage medium and a terminal, wherein the method comprises the following steps: determining an upper layer detection threshold corresponding to the existence of the spoofing attack hypothesis and a lower layer detection threshold corresponding to the nonexistence of the spoofing attack hypothesis; acquiring a first satellite position determined by satellite signals and a second satellite position determined by a prediction ephemeris, defining statistic as an absolute value of a difference between the first satellite position and the second satellite position, and calculating a log-likelihood ratio cumulative sum of the statistic at the current moment; the log-likelihood ratio cumulative sum is compared to the magnitude of the upper detection threshold and the magnitude of the lower detection threshold to determine whether a spoofing attack is present. The invention can efficiently and robustly detect the spoofing attack by comparing the log-likelihood ratio cumulative sum of the absolute value of the difference between the first satellite position determined by the satellite signal and the second satellite position determined by the prediction ephemeris with the preset binary detection threshold value.

Description

Attack detection method, attack detector, computer-readable storage medium, and terminal
Technical Field
The present invention relates to the field of satellite navigation technologies, and in particular, to an attack detection method, an attack detector, a computer-readable storage medium, and a terminal.
Background
Currently, due to good performance and low access cost, our lives increasingly rely on Global Navigation Satellite Systems (GNSS), and therefore, security of GNSS is receiving more and more public attention. GNSS signal spoofing is a key threat to all navigation applications. Spoofing attacks occur when a spoofed signal is intentionally broadcast to a target user, resulting in an erroneous location determination. Therefore, the GNSS receiver needs a function capable of detecting the spoofed signal. Due to the importance of global navigation satellite system security, many attack detection techniques have been developed, for example, based on multiple antennas and absolute power measurements. However, this technique requires additional hardware or changes to the interface specifications, and therefore, their application is limited.
There is also provided in the prior art a method of detecting spoofed attacks, i.e., detecting the location of a spoofed source of signals (i.e., satellite orbital location), including both methods using terrestrial communication signals or using inertial navigation systems. When using terrestrial communication signals, the determined navigation satellite receiver positions are compared by using the terrestrial communication signals. In general, terrestrial communication systems not only serve communication purposes, but also provide location signals, which are more difficult and less prone to spoofing than GNSS signals. When using an inertial navigation system, the inertial solution is compared to a GNSS-derived position solution.
Disclosure of Invention
In order to solve the above technical problems, the present invention provides an attack detection method, an attack detector, a computer-readable storage medium, and a terminal, which can efficiently and robustly detect a spoofing attack.
In order to achieve the purpose of the invention, the technical scheme of the embodiment of the invention is realized as follows:
the embodiment of the invention provides an attack detection method, which comprises the following steps:
determining an upper layer detection threshold corresponding to the existence of the spoofing attack hypothesis and a lower layer detection threshold corresponding to the nonexistence of the spoofing attack hypothesis;
acquiring a first satellite position determined by satellite signals and a second satellite position determined by a prediction ephemeris, defining statistic as an absolute value of a difference between the first satellite position and the second satellite position, and calculating a log-likelihood ratio cumulative sum of the statistic at the current moment;
comparing the log-likelihood ratio cumulative sum to the magnitude of the upper detection threshold and the magnitude of the cumulative sum to the lower detection threshold to determine whether a spoofing attack is present.
Further, the comparing the log-likelihood ratio running sum to the upper detection threshold and the running sum to the lower detection threshold to determine whether a spoofing attack is present includes:
determining that a spoofing attack exists if the running sum is greater than or equal to the upper detection threshold;
determining that a spoofing attack is not present if the running sum is less than or equal to the lower detection threshold;
if the running sum is between the lower detection threshold and the upper detection threshold, obtaining a value of a statistic at a next time, recalculating the running sum, and performing the comparison.
Further, the formula for calculating the cumulative sum of log-likelihood ratios of the statistics at the current time is as follows:
Figure BDA0001586683560000021
wherein the content of the first and second substances,
Figure BDA0001586683560000022
is the statistical quantity that is to be measured,
Figure BDA0001586683560000023
is the cumulative sum of the log-likelihood ratios for the jth satellite at time instant i,
Figure BDA0001586683560000024
is the cumulative sum of log-likelihood ratios for the jth satellite at time (i-1), H0Indicates that there is no spoofing attack hypothesis, and H0Obeying a Gaussian distribution, H, with an expected 0, standard deviation of σ1Indicates the existence of a spoofing attack hypothesis, and H1Subject to a gaussian distribution with a standard deviation a desired,
Figure BDA0001586683560000025
is that
Figure BDA0001586683560000026
Assuming the probability of H1 for the case,
Figure BDA0001586683560000027
is that
Figure BDA0001586683560000028
The probability of H0 is assumed.
Further, the determining an upper detection threshold corresponding to the existence of the spoof attack hypothesis and a lower detection threshold corresponding to the absence of the spoof attack hypothesis includes:
determining an acceptable false alarm probability alpha and an acceptable false drop probability beta;
calculating the upper detection threshold lambda according to the determined false alarm probability alpha and the undetected probability betauAnd the lower detection threshold lambdal
Figure BDA0001586683560000031
Figure BDA0001586683560000032
Embodiments of the present invention also provide a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the steps of the attack detection method according to any one of the above.
The embodiment of the invention also provides an attack detector, which comprises a determining module, a calculating module and a comparing module, wherein:
a determining module, configured to determine an upper detection threshold corresponding to the existence of the spoofing attack hypothesis, and a lower detection threshold corresponding to the absence of the spoofing attack hypothesis;
the computing module is used for acquiring a first satellite position determined by satellite signals and a second satellite position determined by prediction ephemeris, defining statistic as an absolute value of the difference between the first satellite position and the second satellite position, and computing the cumulative sum of log-likelihood ratios of the statistic at the current moment;
and the comparison module is used for comparing the log-likelihood ratio accumulated sum with the size of the upper detection threshold value and the accumulated sum with the size of the lower detection threshold value so as to determine whether the spoofing attack exists.
Further, the method for determining whether a spoofing attack exists by the comparison module comprises the following steps:
determining that a spoofing attack exists if the running sum is greater than or equal to the upper detection threshold;
determining that a spoofing attack is not present if the running sum is less than or equal to the lower detection threshold;
if the running sum is between the lower detection threshold and the upper detection threshold, obtaining a value of the statistic at the next moment, recalculating the running sum, and comparing.
Further, the calculation formula of the calculation module for calculating the cumulative sum of log likelihood ratios of the statistics at the current time is as follows:
Figure BDA0001586683560000033
wherein the content of the first and second substances,
Figure BDA0001586683560000034
is the statistical quantity that is to be measured,
Figure BDA0001586683560000035
is the cumulative sum of the log-likelihood ratios for the jth satellite at time instant i,
Figure BDA0001586683560000036
is the cumulative sum of log-likelihood ratios for the jth satellite at time (i-1), H0Indicates that there is no spoofing attack hypothesis, and H0Obeying a Gaussian distribution, H, with an expected 0, standard deviation of σ1Indicates the existence of a spoofing attack hypothesis, and H1Subject to a gaussian distribution with a standard deviation a desired,
Figure BDA0001586683560000041
is that
Figure BDA0001586683560000042
Assuming the probability of H1 for the case,
Figure BDA0001586683560000043
is that
Figure BDA0001586683560000044
The probability of H0 is assumed.
Further, the determining module is specifically configured to:
determining an acceptable false alarm probability alpha and an acceptable false drop probability beta;
calculating the upper detection threshold lambda according to the determined false alarm probability alpha and the undetected probability betauAnd the lower detection threshold lambdal
Figure BDA0001586683560000045
Figure BDA0001586683560000046
Embodiments of the present invention also provide a terminal comprising a satellite receiver, an ephemeris predictor and an attack detector as described in any of the above, wherein,
the satellite receiver is used for receiving satellite signals and determining the first satellite position according to the satellite signals;
and the ephemeris predictor is used for receiving seed data from the server and determining the position of the second satellite according to the seed data.
The technical scheme of the invention has the following beneficial effects:
the attack detection method, the attack detector, the computer readable storage medium and the terminal provided by the invention realize a new attack detection method by comparing the log likelihood ratio sum of the absolute value of the difference between the first satellite position determined by the satellite signal and the second satellite position determined by the prediction ephemeris with the magnitude of the preset binary detection threshold, detect the position of a counterfeit signal source by using a new signal source (namely, the prediction ephemeris) and can efficiently and robustly detect the spoofing attack.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a schematic flow chart of an attack detection method according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of an attack detector according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a terminal according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an attack detection system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
Referring to fig. 1, an embodiment of the present invention provides an attack detection method, including the following steps:
step 101: determining an upper layer detection threshold corresponding to the existence of the spoofing attack hypothesis and a lower layer detection threshold corresponding to the nonexistence of the spoofing attack hypothesis;
it should be noted that the present invention implements attack detection by binary hypothesis testing. Binary detection is a simple hypothesis test with the output being one of two possible hypotheses, H0 and H1, and referring to H0 as the null hypothesis (indicating the absence of a spoofing attack) and H1 as the alternative hypothesis (indicating the presence of a spoofing attack).
Preferably, the binary hypothesis Test of the present invention implements attack detection based on the optimal Sequence Probability Ratio Test (SPRT). SPRT is a detection technique that provides the minimum detection delay for a given error rate. It is optimal because it uses the least amount of information to make a reliable decision. SPRT requires minimal content and time to provide reliable detection and optimal delay, guaranteeing bounded false alarm and missed detection probability with low complexity and low memory requirements. SPRT sets two detection thresholds: lower detection threshold lambdalAnd an upper detection threshold lambdauWherein the lower layer detects the threshold lambdalRepresenting the absence of a spoofing attack, the upper detection threshold λuRepresenting the presence of a spoofing attack. When the calculated test statistic exceeds these detection thresholds, a conclusion can be drawn and data collection can be stopped.
Further, the step 101 of determining an upper detection threshold corresponding to the existence of the spoofing attack hypothesis and a lower detection threshold corresponding to the absence of the spoofing attack hypothesis includes:
determining an acceptable false alarm probability alpha and an acceptable false drop probability beta;
calculating the upper detection threshold lambda according to the determined false alarm probability alpha and the undetected probability betauAnd the lower detection threshold lambdal
Figure BDA0001586683560000051
Figure BDA0001586683560000061
It should be noted that the detection threshold values are selected to respectively reflect the probability P of an acceptable false alarm eventFAAnd probability P of missing a detection eventMD. Acceptable P according to Neemann-Pearson criterionFAAnd PMDShould be set to PFA=P(D1|H0)=α;PMD=P(D0|H1) β, D1 represents an area where a spoof attack is detected, and D0 represents an area where a spoof attack is not detected; alpha and beta are respectively acceptable false alarm probability and acceptable false detection probability. By a given PFAAnd PMDTwo log-likelihood ratio thresholds lambda can be obtainedlAnd λu
Assuming the detection moves to sample k, then the likelihood ratio of k is
Figure BDA0001586683560000062
Wherein the content of the first and second substances,
Figure BDA0001586683560000063
f is a probability density function; pi is a product symbol; l is a likelihood ratio.
According to PFAAnd PMDTo obtain:
Figure BDA0001586683560000064
by taking the area D0And D1The upper and lower thresholds of the likelihood ratio can be obtained by integration of (2).
Given as
Figure BDA0001586683560000065
And
Figure BDA0001586683560000066
for ease of calculation, we instead use log-likelihood ratios:
Figure BDA0001586683560000067
step 102: acquiring a first satellite position determined by satellite signals and a second satellite position determined by a prediction ephemeris, defining statistic as an absolute value of a difference between the first satellite position and the second satellite position, and calculating a log-likelihood ratio cumulative sum of the statistic at the current moment;
in particular, assume that
Figure BDA0001586683560000068
Is the first satellite position of the jth satellite determined from the satellite signals at time i,
Figure BDA0001586683560000069
is the second satellite position of the jth satellite determined by the predicted ephemeris at time i, then the statistics
Figure BDA00015866835600000610
The purpose of the predicted ephemeris (or extended ephemeris) is to provide consistent assistance data to assist the satellite receiver in fast position fixes. The assistance data may include predictions of satellite orbits and clocks, and in general, predicted ephemeris is more difficult and less vulnerable to spoofing than broadcast ephemeris received at the satellite receiver. This method of detecting a spoofing attack is to compare the received satellite positions with predicted satellite positions. This comparison is performed by using a sequence probability ratio test method.
It should be noted that when the second satellite position determined by the ephemeris is valid, the difference between the first satellite position and the second satellite position contains only noise, i.e., H0iN, wherein N to N (0, σ)2) I.e. n obeys a gaussian distribution with the desired 0, standard deviation sigma. The standard deviation σ is the satellite position accuracy determined by the predicted ephemeris.
In one embodiment, the value of the standard deviation σ may be a fixed value, for example 20 meters or 25 meters.
When there is a spoofing attack on the satellite signals, the first satellite position determined from the satellite signals will contain a large error, H1iA + n, wherein H1~N(A,σ2) I.e. H1Obeying a gaussian distribution with the expectation of a, the standard deviation σ, which is an error estimate of the minimum value of the spoof signal contribution.
In one embodiment, the value of the desired a may be a fixed value, for example 200 or 250 meters.
Under both assumptions, the final statistic
Figure BDA0001586683560000071
Also obey a gaussian distribution. However, the distribution parameters under the two hypotheses are different, which provides a basis for determining whether spoofed GNSS signals are present.
Further, the formula for calculating the cumulative sum of log-likelihood ratios of the statistics at the current time is as follows:
Figure BDA0001586683560000072
wherein the content of the first and second substances,
Figure BDA0001586683560000073
is the statistical quantity that is to be measured,
Figure BDA0001586683560000074
is the cumulative sum of the log-likelihood ratios for the jth satellite at time instant i,
Figure BDA0001586683560000075
is the cumulative sum of log-likelihood ratios for the jth satellite at time (i-1), H0Indicates that there is no spoofing attack hypothesis, and H0Obeying a Gaussian distribution, H, with an expected 0, standard deviation of σ1Indicates the existence of a spoofing attack hypothesis, and H1Subject to a gaussian distribution with a standard deviation a desired,
Figure BDA0001586683560000076
is that
Figure BDA0001586683560000077
Assuming the probability of H1 for the case,
Figure BDA0001586683560000078
is that
Figure BDA0001586683560000079
The probability of H0 is assumed.
Step 103: comparing the log-likelihood ratio cumulative sum to the magnitude of the upper detection threshold and the magnitude of the cumulative sum to the lower detection threshold to determine whether a spoofing attack is present.
Further, the comparing the log-likelihood ratio running sum to the upper detection threshold and the running sum to the lower detection threshold to determine whether a spoofing attack is present includes:
determining that a spoofing attack exists if the running sum is greater than or equal to the upper detection threshold;
determining that a spoofing attack is not present if the running sum is less than or equal to the lower detection threshold;
if the running sum is between the lower detection threshold and the upper detection threshold, obtaining a value of the statistic at the next moment, recalculating the running sum, and comparing.
In addition, when the next time comes, the cumulative sum of the log likelihood ratios at the current time is obtained
Figure BDA0001586683560000081
Quilt
Figure BDA0001586683560000082
And replacing, respectively obtaining a new first satellite position and a new second satellite position, recalculating the accumulated sum and comparing, wherein the specific calculation and comparison process is consistent with the principle of the current moment, and the details are not repeated here.
An embodiment of the present invention further provides a computer-readable storage medium, where one or more programs are stored in the computer-readable storage medium, and the one or more programs are executable by one or more processors to implement the steps of the attack detection method according to any one of the above.
As shown in fig. 2, an embodiment of the present invention further provides an attack detector, which includes a determining module 201, a calculating module 202, and a comparing module 203, where:
a determining module 201, configured to determine an upper detection threshold corresponding to the existence of the spoofing attack hypothesis, and a lower detection threshold corresponding to the absence of the spoofing attack hypothesis;
a calculation module 202, configured to obtain a first satellite position determined by a satellite signal and a second satellite position determined by a predicted ephemeris, define a statistic as an absolute value of a difference between the first satellite position and the second satellite position, and calculate a cumulative sum of log-likelihood ratios of the statistic at the current time;
a comparing module 203, configured to compare the log-likelihood ratio cumulative sum with the size of the upper detection threshold and the size of the cumulative sum with the size of the lower detection threshold to determine whether a spoofing attack exists.
Further, the determining module 201 is specifically configured to:
determining an acceptable false alarm probability alpha and an acceptable false drop probability beta;
calculating the upper detection threshold lambda according to the determined false alarm probability alpha and the undetected probability betauAnd the lower detection threshold lambdal
Figure BDA0001586683560000083
Figure BDA0001586683560000084
Further, the calculation formula of the calculation module 202 for calculating the cumulative sum of log likelihood ratios of the statistics at the current time is as follows:
Figure BDA0001586683560000091
wherein the content of the first and second substances,
Figure BDA0001586683560000092
is the statistical quantity that is to be measured,
Figure BDA0001586683560000093
is the cumulative sum of the log-likelihood ratios for the jth satellite at time instant i,
Figure BDA0001586683560000094
is the cumulative sum of log-likelihood ratios for the jth satellite at time (i-1), H0Indicates that there is no spoofing attack hypothesis, and H0Obeying a Gaussian distribution, H, with an expected 0, standard deviation of σ1Indicates the existence of a spoofing attack hypothesis, and H1Subject to a gaussian distribution with a standard deviation a desired,
Figure BDA0001586683560000095
is that
Figure BDA0001586683560000096
Assuming the probability of H1 for the case,
Figure BDA0001586683560000097
is that
Figure BDA0001586683560000098
The probability of H0 is assumed.
Further, the comparing module 203 determines whether there is a spoofing attack, comprising:
determining that a spoofing attack exists if the running sum is greater than or equal to the upper detection threshold;
determining that a spoofing attack is not present if the running sum is less than or equal to the lower detection threshold;
and if the accumulated sum is between the lower detection threshold and the upper detection threshold, acquiring the value of the statistic at the next moment, recalculating the accumulated sum, and comparing.
In addition, when the next time comes, the cumulative sum of the log likelihood ratios at the current time is obtained
Figure BDA0001586683560000099
Quilt
Figure BDA00015866835600000910
Alternatively, the calculating module 202 then obtains the new first satellite position and the new second satellite position, recalculates the cumulative sum, and compares the cumulative sum with the comparing module 203, where the specific calculating and comparing processes are consistent with the principle of the current time, and are not described herein again.
As shown in fig. 3, the embodiment of the present invention further provides a terminal, which includes a satellite receiver 301, an ephemeris predictor 302 and an attack detector 303 as described in any of the above, wherein,
the satellite receiver 301 is configured to receive a satellite signal, and determine the first satellite position according to the satellite signal;
the ephemeris predictor 302 is configured to receive seed data from a server, and determine the second satellite position according to the seed data.
It should be noted that the terminal according to the present invention may be any type of device, such as a laptop, a tablet, a smart phone, a wearable electronic device, and so on. The terminal may include, but is not limited to, a processor and memory for executing and storing instructions, and the software may include one or more application programs and an operating system. The terminal may have multiple processors and multiple shared or separate memory components.
Fig. 4 is a system for attack detection according to the present invention. As shown in fig. 4, satellite signals 420a, 420b, and 420c are transmitted from one or more satellites 410a, 410b, and 410 c. Satellite signals 420 a-420 c transmitted from one or more satellites 410 a-410 c may be received by a terminal 450, the terminal 450 configured to communicate with the satellites 410 a-410 c using the satellite signals 420 a-420 c.
The end user determines the location of the terminal using GNSS technology included in the terminal 450. As shown in fig. 4, a spoof or spoof signal 460 may be generated by a simulator (e.g., a GNSS simulator) and transmitted by a transmitter 470 to a limited area. The transmitter 470 may transmit at a higher signal power and possibly in combination with a signal blocking environment or active jammer to reduce the likelihood that the terminal 450 will detect the actual GNSS signal.
Referring to fig. 4, the terminal 450 may include a satellite receiver 451, an ephemeris predictor 452, and an attack detector 453. At any given time, the satellite receiver 451 is able to distinguish which satellites 410 a-410 c transmitted the satellite signals 420 a-420 c and their respective locations in space. Ephemeris predictor 452 uses the seed data received from server 430 to generate future ephemeris. Such seed data may provide a complete GNSS constellation compared to the actual observations at the satellite receiver 451. In some implementations, the ephemeris is predicted to be valid for 14 or 28 days, depending on the capabilities of the ephemeris predictor 452. The predicted ephemeris for each satellite includes satellite orbit data and clock states. The ephemeris predictor 452 may provide predicted or extended ephemeris to assist the satellite receiver 451 in determining the position of the terminal 450, thereby reducing the Time To First Fix (TTFF). In accordance with one presently disclosed embodiment, ephemeris predictor 452 stores a software program for predicting orbits and clocks from which predictions of orbits and clocks can be calculated.
As shown in fig. 4, the seed data is transmitted from the server 430 through the wireless communication network 440. In one embodiment, the wireless communication network 440 may be a cellular communication network. The terminal 450 communicates with the cell stations (not shown) using radio frequency signals according to various cellular technologies, such as Global System for Mobile Communication (GSM), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), and so on. In another embodiment, wireless communication Network 402 may be a wireless Local Area Network (LAN). The terminal 450 communicates with an access point (not shown) using radio frequency signals according to various communication protocols, such as Institute of Electrical and Electronics Engineers (IEEE) based 802.11 protocols (e.g., WiFi networks).
The attack detector 453 is capable of receiving one or more navigation readings from the satellite receiver 451 and the ephemeris predictor 452, respectively. The one or more navigation readings of the satellite receiver 451 are one or more satellite positions received by the satellite receiver 451. The one or more navigation readings of ephemeris predictor 452 are the one or more satellite positions predicted by ephemeris prediction 452. Attack detector 453 monitors one or more navigation readings in satellite receiver 451 to detect malicious navigation information. Malicious navigation information, which may include one or more spoofed signals 460 transmitted from one or more transmitters 470. One or more transmitted or spoofed signals 460 from one or more transmitters 470 may be received by the terminal 450.
Attack detector 453 compares the received satellite positions to the predicted satellite positions. This comparison is accomplished using a binary hypothesis test, which may be performed by a software program stored in attack detector 453. When the navigation readings are collected from the satellite receiver 451 and ephemeris predictions 452, respectively, the attack detector 453 performs a running statistical analysis, which is repeated. The navigational readings are evaluated repeatedly after each observation or collection interval until a decision is made.
It will be understood by those skilled in the art that all or part of the steps of the above methods may be implemented by instructing the relevant hardware through a program, and the program may be stored in a computer readable storage medium, such as a read-only memory, a magnetic or optical disk, and the like. Alternatively, all or part of the steps of the foregoing embodiments may also be implemented by using one or more integrated circuits, and accordingly, each module/unit in the foregoing embodiments may be implemented in the form of hardware, and may also be implemented in the form of a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An attack detection method applied to a satellite navigation system, the method comprising:
determining an upper layer detection threshold corresponding to the existence of the spoofing attack hypothesis and a lower layer detection threshold corresponding to the nonexistence of the spoofing attack hypothesis;
acquiring a first satellite position determined by satellite signals and a second satellite position determined by a prediction ephemeris, defining statistic as an absolute value of a difference between the first satellite position and the second satellite position, and calculating a log-likelihood ratio cumulative sum of the statistic at the current moment;
and comparing the magnitude of the log-likelihood ratio accumulated sum with the upper detection threshold value and the magnitude of the accumulated sum with the lower detection threshold value to determine whether the global navigation satellite system GNSS signals have the spoofing attack.
2. The attack detection method according to claim 1 wherein the comparing the log-likelihood ratio running sum to the magnitude of the upper detection threshold and the running sum to the magnitude of the lower detection threshold to determine whether a spoofing attack is present comprises:
determining that a spoofing attack exists if the running sum is greater than or equal to the upper detection threshold;
determining that a spoofing attack is not present if the running sum is less than or equal to the lower detection threshold;
if the running sum is between the lower detection threshold and the upper detection threshold, obtaining a value of a statistic at a next time, recalculating the running sum, and performing the comparison.
3. The attack detection method according to claim 1, wherein the calculation formula for calculating the cumulative sum of log likelihood ratios of the statistics at the present time is:
Figure FDA0002720627970000011
wherein the content of the first and second substances,
Figure FDA0002720627970000012
is the statistical quantity that is to be measured,
Figure FDA0002720627970000013
is the cumulative sum of the log-likelihood ratios for the jth satellite at time instant i,
Figure FDA0002720627970000014
is the cumulative sum of log-likelihood ratios for the jth satellite at time (i-1), H0Indicates that there is no spoofing attack hypothesis, and H0Obeying a Gaussian distribution, H, with an expected 0, standard deviation of σ1Indicates the existence of a spoofing attack hypothesis, and H1Subject to a gaussian distribution with a standard deviation a desired,
Figure FDA0002720627970000015
is that
Figure FDA0002720627970000016
Assuming the probability of H1 for the case,
Figure FDA0002720627970000021
is that
Figure FDA0002720627970000022
The probability of H0 is assumed.
4. The attack detection method according to claim 1, wherein the determining an upper detection threshold corresponding to the presence of a spoofed attack hypothesis and a lower detection threshold corresponding to the absence of a spoofed attack hypothesis comprises:
determining an acceptable false alarm probability alpha and an acceptable false drop probability beta;
calculating the upper detection threshold lambda according to the determined false alarm probability alpha and the undetected probability betauAnd the lower detection threshold lambdal
Figure FDA0002720627970000023
Figure FDA0002720627970000024
5. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs which are executable by one or more processors to implement the steps of the attack detection method according to any one of claims 1 to 4.
6. An attack detector, for use in a satellite navigation system, the attack detector comprising a determination module, a calculation module and a comparison module, wherein:
a determining module, configured to determine an upper detection threshold corresponding to the existence of the spoofing attack hypothesis, and a lower detection threshold corresponding to the absence of the spoofing attack hypothesis;
the computing module is used for acquiring a first satellite position determined by satellite signals and a second satellite position determined by prediction ephemeris, defining statistic as an absolute value of the difference between the first satellite position and the second satellite position, and computing the cumulative sum of log-likelihood ratios of the statistic at the current moment;
and the comparison module is used for comparing the log-likelihood ratio accumulated sum with the upper detection threshold value and the accumulated sum with the lower detection threshold value so as to determine whether the global navigation satellite system GNSS signals have the spoofing attack.
7. The attack detector of claim 6 wherein the comparison module determines whether a spoofing attack is present, comprising:
determining that a spoofing attack exists if the running sum is greater than or equal to the upper detection threshold;
determining that a spoofing attack is not present if the running sum is less than or equal to the lower detection threshold;
if the running sum is between the lower detection threshold and the upper detection threshold, obtaining a value of the statistic at the next moment, recalculating the running sum, and comparing.
8. The attack detector of claim 6 wherein the calculation module calculates the cumulative sum of log-likelihood ratios of the statistics at the current time by the formula:
Figure FDA0002720627970000031
wherein the content of the first and second substances,
Figure FDA0002720627970000032
is the statistical quantity that is to be measured,
Figure FDA0002720627970000033
is the cumulative sum of the log-likelihood ratios for the jth satellite at time instant i,
Figure FDA0002720627970000034
is the cumulative sum of log-likelihood ratios for the jth satellite at time (i-1), H0Indicates that there is no spoofing attack hypothesis, and H0Obeying a Gaussian distribution, H, with an expected 0, standard deviation of σ1Indicates the existence of a spoofing attack hypothesis, and H1Subject to a gaussian distribution with a standard deviation a desired,
Figure FDA0002720627970000035
is that
Figure FDA0002720627970000036
Assuming the probability of H1 for the case,
Figure FDA0002720627970000037
is that
Figure FDA0002720627970000038
The probability of H0 is assumed.
9. The attack detector of claim 6, wherein the determination module is specifically configured to:
determining an acceptable false alarm probability alpha and an acceptable false drop probability beta;
calculating the upper detection threshold lambda according to the determined false alarm probability alpha and the undetected probability betauAnd the lower detection threshold lambdal
Figure FDA0002720627970000039
Figure FDA00027206279700000310
10. A terminal for application in a satellite navigation system, the terminal comprising a satellite receiver, an ephemeris predictor and an attack detector according to any one of claims 6 to 9, wherein,
the satellite receiver is used for receiving satellite signals and determining the first satellite position according to the satellite signals;
and the ephemeris predictor is used for receiving seed data from the server and determining the position of the second satellite according to the seed data.
CN201810173885.3A 2018-03-02 2018-03-02 Attack detection method, attack detector, computer-readable storage medium, and terminal Active CN108931789B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810173885.3A CN108931789B (en) 2018-03-02 2018-03-02 Attack detection method, attack detector, computer-readable storage medium, and terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810173885.3A CN108931789B (en) 2018-03-02 2018-03-02 Attack detection method, attack detector, computer-readable storage medium, and terminal

Publications (2)

Publication Number Publication Date
CN108931789A CN108931789A (en) 2018-12-04
CN108931789B true CN108931789B (en) 2021-02-05

Family

ID=64449247

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810173885.3A Active CN108931789B (en) 2018-03-02 2018-03-02 Attack detection method, attack detector, computer-readable storage medium, and terminal

Country Status (1)

Country Link
CN (1) CN108931789B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110568456B (en) * 2019-09-11 2022-01-14 北京交通大学 Train satellite positioning deception jamming detection method based on ultra wide band assistance
EP3805801A1 (en) * 2019-10-10 2021-04-14 HERE Global B.V. Identifying gnss navigation data as potentially manipulated or as trustworthy at least partially based on an estimated deviation of a second estimate of a satellite state from a first estimate of the satellite state
CN111143843B (en) * 2019-12-12 2022-04-12 绿盟科技集团股份有限公司 Malicious application detection method and device
CN112987037B (en) * 2021-02-10 2023-02-28 北京敏视达雷达有限公司 Detection method and related device for spoofing attack

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012031940A1 (en) * 2010-09-08 2012-03-15 Sagem Defense Securite Method and device for detecting and excluding multiple satellite failures in a gnss system
CN104504247A (en) * 2014-12-09 2015-04-08 沈阳航空航天大学 RAIM method for double satellite faults ofGPS
CN104536015A (en) * 2014-12-09 2015-04-22 沈阳航空航天大学 FPGA realizing method for particle filter RAIM method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012031940A1 (en) * 2010-09-08 2012-03-15 Sagem Defense Securite Method and device for detecting and excluding multiple satellite failures in a gnss system
CN104504247A (en) * 2014-12-09 2015-04-08 沈阳航空航天大学 RAIM method for double satellite faults ofGPS
CN104536015A (en) * 2014-12-09 2015-04-22 沈阳航空航天大学 FPGA realizing method for particle filter RAIM method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
GNSS用户端自主完好性监测研究综述;徐肖豪 等;《航空学报》;20130325;第34卷(第3期);全文 *
GPS Spoofing Attack Characterization and Detection in Smart Grids;Pradhan, Parth 等;《IEEE Conference on Communications and Network Security (CNS) 》;20161019;全文 *
基于信噪比测量的欺骗干扰检测方法;曹可劲 等;《计算机测量与控制》;20160430;第24卷(第4期);全文 *

Also Published As

Publication number Publication date
CN108931789A (en) 2018-12-04

Similar Documents

Publication Publication Date Title
CN108931789B (en) Attack detection method, attack detector, computer-readable storage medium, and terminal
EP3327458B1 (en) Method and apparatus for marking inconsistent position location data
EP2746813B1 (en) Detection of spoofing of GNSS navigation signals
US10830897B2 (en) System and method for identifying global navigation satellite system spoofing attacks on a protected vehicle
EP2908454A2 (en) GPS spoofing detection techniques
US8325086B2 (en) Methods and systems to diminish false-alarm rates in multi-hypothesis signal detection through combinatoric navigation
CN108933772B (en) Attack detection method and device, computer readable storage medium and terminal
EP2652522B1 (en) Recovery from position and time outliers in positioning
WO2011112439A2 (en) Efficient channel search with energy detection
JP2013518260A (en) Navigation data bit synchronization system, method and computer program for GNSS receiver
WO2015063607A2 (en) Method and apparatus for frame synchronization in a positioning system
Stenberg et al. Results on GNSS spoofing mitigation using multiple receivers
CN113985451A (en) Navigation deception detection method and device based on Kalman filtering tracking loop
CN113507334A (en) Parameter testing method, device and equipment based on channel sniffing and storage medium
Liu et al. Robust time-hopping pseudolite signal acquisition method based on dynamic Bayesian network
Zhang et al. Signal quality monitoring‐based spoofing detection method for Global Navigation Satellite System vector tracking structure
US9755790B2 (en) Detecting presence/absence of an information signal
Arribas et al. Joint acquisition strategy of GNSS satellites for computational cost reduction
Chen et al. Satprobe: Low-energy and fast indoor/outdoor detection via satellite existence sensing
US8886221B1 (en) Mobile device location estimation using local location data
WO2011056885A1 (en) Methods and apparatuses for reducing time to estimate a position using a satellite positioning system
EP3544248A1 (en) Adaptive detection function based on statistical propagation channel estimation for gnss receivers
CN111510852B (en) Method and device for capturing positioning signal in common frequency band positioning system
CN117215172B (en) Satellite time service method and device, satellite time service system and storage medium
CN115267852B (en) Anti-interference GNSS signal processing chip, receiver and processing method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address

Address after: 201210 whole floor, 8th floor, No. 1, Lane 500, shengxia Road, China (Shanghai) pilot Free Trade Zone, Pudong New Area, Shanghai

Patentee after: Core and material (Shanghai) Technology Co.,Ltd.

Patentee after: Hexin Xingtong Technology (Beijing) Co., Ltd

Address before: 200122 3rd floor, building 8, Lane 912, Bibo Road, Pudong New Area, Shanghai

Patentee before: UNICORECOMM (SHANGHAI) TECHNOLOGY CO.,LTD.

Patentee before: Hexin Xingtong Technology (Beijing) Co., Ltd

CP03 Change of name, title or address