CN112987037A - Detection method and related device for spoofing attack - Google Patents

Detection method and related device for spoofing attack Download PDF

Info

Publication number
CN112987037A
CN112987037A CN202110183353.XA CN202110183353A CN112987037A CN 112987037 A CN112987037 A CN 112987037A CN 202110183353 A CN202110183353 A CN 202110183353A CN 112987037 A CN112987037 A CN 112987037A
Authority
CN
China
Prior art keywords
data
satellite observation
satellite
observation data
binary tree
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110183353.XA
Other languages
Chinese (zh)
Other versions
CN112987037B (en
Inventor
左申正
刘依楠
王岩
张一凡
张冬梅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Metstar Radar Co ltd
Beijing University of Posts and Telecommunications
Original Assignee
Beijing Metstar Radar Co ltd
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Metstar Radar Co ltd, Beijing University of Posts and Telecommunications filed Critical Beijing Metstar Radar Co ltd
Priority to CN202110183353.XA priority Critical patent/CN112987037B/en
Publication of CN112987037A publication Critical patent/CN112987037A/en
Application granted granted Critical
Publication of CN112987037B publication Critical patent/CN112987037B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G01MEASURING; TESTING
    • G01SRADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
    • G01S19/00Satellite radio beacon positioning systems; Determining position, velocity or attitude using signals transmitted by such systems
    • G01S19/01Satellite radio beacon positioning systems transmitting time-stamped messages, e.g. GPS [Global Positioning System], GLONASS [Global Orbiting Navigation Satellite System] or GALILEO
    • G01S19/13Receivers
    • G01S19/23Testing, monitoring, correcting or calibrating of receiver elements
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01SRADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
    • G01S19/00Satellite radio beacon positioning systems; Determining position, velocity or attitude using signals transmitted by such systems
    • G01S19/01Satellite radio beacon positioning systems transmitting time-stamped messages, e.g. GPS [Global Positioning System], GLONASS [Global Orbiting Navigation Satellite System] or GALILEO
    • G01S19/015Arrangements for jamming, spoofing or other methods of denial of service of such systems
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01SRADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
    • G01S19/00Satellite radio beacon positioning systems; Determining position, velocity or attitude using signals transmitted by such systems
    • G01S19/01Satellite radio beacon positioning systems transmitting time-stamped messages, e.g. GPS [Global Positioning System], GLONASS [Global Orbiting Navigation Satellite System] or GALILEO
    • G01S19/13Receivers
    • G01S19/21Interference related issues ; Issues related to cross-correlation, spoofing or other methods of denial of service
    • G01S19/215Interference related issues ; Issues related to cross-correlation, spoofing or other methods of denial of service issues related to spoofing

Landscapes

  • Engineering & Computer Science (AREA)
  • Radar, Positioning & Navigation (AREA)
  • Remote Sensing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Position Fixing By Use Of Radio Waves (AREA)
  • Radio Relay Systems (AREA)

Abstract

The application discloses a detection method of deception attacks and a related device, the detection method establishes a binary tree for satellite observation data in a data set according to the dispersion degree of the satellite observation data with other satellite observation data after acquiring the data set, the closer the distance between a node where the satellite observation data with the greater dispersion degree is located in the binary tree and a root node is, the smaller the dispersion degree between normal data is, therefore, the satellite observation data can be scored according to the position of the satellite observation data in the data set in the binary tree, whether the satellite observation data is abnormal data is judged according to the score of the satellite observation data, whether a satellite signal corresponding to the data set is interfered by an attacker and the data is tampered is further judged according to the abnormal data in the data set, the detection of the deception attacks is realized, and the detection method of the deception attacks does not need to modify a receiver of the satellite, and the satellite observation data does not need to be marked, and the method has the advantages of simplicity, rapidness and high efficiency.

Description

Detection method and related device for spoofing attack
Technical Field
The present application relates to the field of satellite navigation technologies, and in particular, to a detection method for spoofing attacks and a related apparatus.
Background
Satellite navigation positioning technology has been widely used in various fields, and becomes an indispensable part of traffic, electric power and daily life.
However, in the international global navigation satellite system, non-encrypted signals are used for civil signals, and the signal frequency band and the data content are public standards, so that received satellite observation data are easy to be tampered due to spoofing attack, a navigation structure is made to be wrong, and the damage is very serious.
Disclosure of Invention
In order to solve the technical problem, the application provides a detection method and a related device for spoofing attack, so as to achieve the purpose of simply, quickly and efficiently detecting spoofing attack.
In order to achieve the technical purpose, the embodiment of the application provides the following technical scheme:
a detection method of a spoofing attack, comprising:
updating a satellite observation file at intervals of first preset time, wherein the satellite observation file comprises satellite observation data acquired by at least one satellite;
acquiring satellite observation data of a plurality of time nodes from a current satellite observation file every second preset time, wherein the second preset time is greater than the first preset time;
dividing the acquired satellite observation data into a plurality of data sets according to different satellite numbers, wherein each data set corresponds to one satellite number;
dividing each data set for multiple times, and establishing a binary tree corresponding to the data sets according to a division result, wherein in the binary tree, the dispersion of satellite observation data in a node and other satellite observation data is in negative correlation with the distance between the node and a root node;
scoring each satellite observation data according to the position of the satellite observation data in the data set in the node of the binary tree, judging whether the satellite observation data is abnormal data according to the scoring of the satellite observation data, and judging whether the satellite signal corresponding to the data set is interfered by an attacker and the data is tampered according to the abnormal data in the data set.
Optionally, the dividing each data set for multiple times, and the establishing a binary tree corresponding to the data set according to the division result includes:
determining a root node, and putting all satellite observation data in a data set into the root node;
randomly determining a segmentation characteristic value, and dividing satellite observation data in the root node to obtain two child nodes of the root node, wherein a left node of the root node comprises satellite observation data of which the characteristic value is greater than the segmentation characteristic value, and a right node of the root node comprises satellite observation data of which the characteristic value is less than the segmentation characteristic value;
dividing each subnode for multiple times until the binary tree or the currently divided subnode meets a division stopping condition, randomly determining a division characteristic value in each division process, and dividing satellite observation data in the subnode according to the determined division characteristic value to obtain two subnodes of the currently divided subnode, wherein the left node of the currently divided subnode comprises satellite observation data with the characteristic value larger than the division characteristic value, and the right node of the currently divided subnode comprises satellite observation data with the characteristic value smaller than the division characteristic value;
the stop division condition includes: the binary tree reaches a preset limit height or only one satellite observation data in the currently divided sub-nodes or all the satellite observation data in the currently divided sub-nodes have the same characteristic value.
Optionally, the scoring the satellite observation data according to the positions of the satellite observation data in the data set at the nodes in the binary tree includes:
and calculating the score of the satellite observation data according to the path length of the satellite observation data, wherein the path length of the satellite observation data is the distance from the node of the satellite observation data in the binary tree to the root node of the binary tree.
Optionally, the calculating, according to the distance from the node where the satellite observation data is located in the binary tree to the root node of the binary tree, the score of the satellite observation data includes:
defining the number of all edges passed by the node of the satellite observation data in the binary tree to the root node of the binary tree as the path length of the satellite observation data;
acquiring the average path length of the satellite observation data in all binary trees;
calculating the average path length of the binary tree according to a first preset formula;
substituting the average path length of the binary tree and the average path length of the satellite observation data in all binary trees into a second preset formula to calculate and obtain a score of the satellite observation data;
the first preset formula includes:
Figure BDA0002942703170000031
wherein (c) (n) represents the average path length when the total number of satellite observation data in the binary tree is n, (h) (i) represents the sum of the tones of i, i is n-1 or n, and h (i) is lni + 0.5772156649;
the second preset formula includes:
Figure BDA0002942703170000032
s (x, n) represents the score of the satellite observation x, and E (h (x)) represents the average path length of the satellite observation x in all binary trees.
Optionally, the determining whether the satellite observation data is abnormal data according to the score of the satellite observation data includes:
when the difference value between the score of the satellite observation data and 0.5 is smaller than a preset difference value, judging that the satellite observation data in the whole data set are normal data;
and when the difference value between the score of the satellite observation data and 1 is smaller than the preset difference value, judging that the satellite observation data is abnormal data.
Optionally, the determining, according to the abnormal data in the data set, whether the satellite signal corresponding to the data set is interfered by an attacker and data is tampered includes:
when the abnormal data in the data set is smaller than a first preset number and the abnormal data in the data set are all located in the satellite observation data with the first preset number which is the latest in history in the data set, judging that the satellite signals corresponding to the data set are interfered by an attacker and tampering the data;
the first preset number is the amount of satellite observation data updated in the satellite observation data of the plurality of time nodes obtained currently compared with the satellite observation data of the plurality of time nodes obtained last time in history.
Optionally, the updating the satellite observation file every other first preset time includes:
receiving all satellite observation data capable of receiving the satellite once every 30 seconds by using a receiver, and recording the received satellite observation data in a satellite observation file;
the acquiring the satellite observation data of a plurality of time nodes from the current satellite observation file every second preset time comprises the following steps:
and acquiring the latest satellite observation data of 120 time nodes from the current satellite observation file every 5 minutes.
A detection system for spoofing attacks, comprising:
the data updating module is used for updating a satellite observation file at intervals of first preset time, wherein the satellite observation file comprises satellite observation data acquired by at least one satellite;
the data acquisition module is used for acquiring satellite observation data of a plurality of time nodes from a current satellite observation file every second preset time, wherein the second preset time is longer than the first preset time;
the data set dividing module is used for dividing the acquired satellite observation data into a plurality of data sets according to different satellite numbers, wherein each data set corresponds to one satellite number;
the data segmentation module is used for segmenting each data set for multiple times, establishing a binary tree corresponding to the data set according to segmentation results, wherein in the binary tree, the dispersion of satellite observation data in a node and other satellite observation data is in negative correlation with the distance between the node and a root node;
and the attack detection module is used for scoring each satellite observation data according to the position of the satellite observation data in the data set in the node in the binary tree, judging whether the satellite observation data is abnormal data according to the scoring of the satellite observation data, and judging whether the satellite signal corresponding to the data set is interfered by an attacker and tampering the data according to the abnormal data in the data set.
A detection system for a spoofing attack, comprising a memory and a processor;
the memory is used for storing program codes, and the processor is used for calling the program codes, and the program codes are used for executing the detection method of the spoofing attack.
A storage medium having stored thereon program code which, when executed, implements the detection method of a spoofing attack of any of the above.
It can be seen from the foregoing technical solutions that, in the detection method for spoofing attacks, firstly, obtained satellite observation data are classified according to different satellite numbers to obtain a plurality of data sets corresponding to the satellite numbers one by one, then, a binary tree is established for the satellite observation data in the data sets according to the dispersion with other satellite observation data, the distance between a node where the satellite observation data with the greater dispersion is located in the binary tree and a root node is closer, and since the obtained satellite observation data are data continuous in time and the dispersion between normal data is small, it is possible to score each satellite observation data according to the position of the satellite observation data in the data set in the node in the binary tree, and determine whether the satellite observation data are abnormal data according to the score of the satellite observation data, and then whether the satellite signal corresponding to the data set is interfered by an attacker and the data is tampered or not is judged according to the abnormal data in the data set, so that the detection of the deception attack is realized, and the detection method of the deception attack does not need to modify a receiver of the satellite or label the satellite observation data, so that the method has the advantages of simplicity, quickness and high efficiency.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic flowchart of a detection method for a spoofing attack according to an embodiment of the present application;
FIG. 2 is a schematic flow chart illustrating a segmentation of a data set according to an embodiment of the present application;
FIG. 3 is a diagram illustrating the results of a segmentation of a data set according to an embodiment of the present application;
FIG. 4 provides a data set sample illustration for one embodiment of the present application;
fig. 5 is a schematic diagram of detection accuracy provided by an embodiment of the present application.
Detailed Description
As described in the background art, a spoofing attack is an attack mode for tampering satellite observation data, and as signal simulation technology is continuously developed, counterfeiting navigation signals becomes easier and easier to implement, and the cost is continuously reduced. Global navigation satellite system signals are vulnerable to in-band interference because they are weak broadband broadcast signals on the radio channel. Even low power interference can affect the global navigation satellite system, causing damage.
At present, a plurality of detection means are provided for the spoofing attack, and firstly, a detection scheme can be designed based on the signal power or the spatial position of the signal, so that the spoofing signal can be accurately detected and the source of the spoofing signal can be determined. However, corresponding functional modules need to be additionally added, which increases the cost of the device and the difficulty of the device design. Secondly, it is possible to detect signal transmission delays or time stamps, but since the navigation data is public, a fraudster can predict the data in advance or forge the time stamps, and forge the transmission delays or time stamps of the individual satellite signals to be able to defraud the receiver. Thirdly, other navigation positioning data can be used for contrast detection under a specific scene, but no other auxiliary positioning data is used for contrast on a pure satellite receiver. And finally, processing the satellite data by using a supervised machine learning algorithm, and detecting whether a spoofing attack exists. However, the supervised machine learning algorithm needs to label data, the data cannot be labeled in an actual scene, and the detection model trained in advance cannot be applied to all attack data.
In view of this, an embodiment of the present application provides a detection method of a spoofing attack, where the detection method of the spoofing attack first classifies acquired satellite observation data according to different satellite numbers to obtain a plurality of data sets corresponding to the satellite numbers one by one, then establishes a binary tree for the satellite observation data in the data sets according to a dispersion with other satellite observation data, where a node in the binary tree where the satellite observation data with a larger dispersion is located is closer to a root node, and since the acquired satellite observation data is continuous data in time and the dispersion between normal data is small, each satellite observation data can be scored according to a position of the satellite observation data in the data sets in the node in the binary tree, and whether the satellite observation data is abnormal data or not can be determined according to the score of the satellite observation data, and then whether the satellite signal corresponding to the data set is interfered by an attacker and the data is tampered or not is judged according to the abnormal data in the data set, so that the detection of the deception attack is realized, and the detection method of the deception attack does not need to modify a receiver of the satellite or label the satellite observation data, so that the method has the advantages of simplicity, quickness and high efficiency.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
An embodiment of the present application provides a detection method of a spoofing attack, as shown in fig. 1, including:
s101: and updating a satellite observation file at intervals of a first preset time, wherein the satellite observation file comprises satellite observation data acquired by at least one satellite.
Optionally, the first preset time may be 30 seconds, that is, the updating the satellite observation file every other first preset time includes: and receiving satellite observation data of all receivable satellites once every 30 seconds by using the receiver, and recording the received satellite observation data in a satellite observation file.
The data Format of the satellite observation data can be selected as a annex (Receiver Independent Exchange Format, data Exchange Independent of a Receiver) Format. The satellite observations include, but are not limited to, satellite numbers, pseudoranges, doppler shifts, carrier phase shifts, and signal-to-noise ratios. The data of the satellite observation files are directly selected for attack detection without any additional module or other system support. The satellite observation file stores satellite observation data in a Rinex format, and the data structure is detailed and clear, so that data extraction and data set production are facilitated.
S102: and acquiring satellite observation data of a plurality of time nodes from the current satellite observation file every a second preset time, wherein the second preset time is greater than the first preset time.
Optionally, the second preset time may be 5 minutes, and the plurality of time nodes may be 120 time nodes, each of which is 30 seconds. Namely, the acquiring the satellite observation data of the plurality of time nodes from the current satellite observation file every second preset time includes:
and acquiring the latest satellite observation data of 120 time nodes from the current satellite observation file every 5 minutes, namely the latest satellite observation data within one hour, and replacing the latest ten satellite observation data with the last acquired satellite observation data of 120 time nodes.
S103: and dividing the acquired satellite observation data into a plurality of data sets according to different satellite numbers, wherein each data set corresponds to one satellite number.
S104: and dividing each data set for multiple times, and establishing a binary tree corresponding to the data sets according to the division result, wherein in the binary tree, the dispersion of the satellite observation data in the node and other satellite observation data is in negative correlation with the distance between the node and the root node.
S105: scoring each satellite observation data according to the position of the satellite observation data in the data set in the node of the binary tree, judging whether the satellite observation data is abnormal data according to the scoring of the satellite observation data, and judging whether the satellite signal corresponding to the data set is interfered by an attacker and the data is tampered according to the abnormal data in the data set.
A practical implementation of a specific detection step of the detection method for spoofing attacks provided in the embodiment of the present application is described below.
Optionally, the dividing each data set for multiple times, and the establishing a binary tree corresponding to the data set according to the division result includes:
s1031: and determining a root node, and putting all satellite observation data in the data set into the root node.
S1032: randomly determining a segmentation characteristic value, and dividing satellite observation data in the root node to obtain two child nodes of the root node, wherein a left node of the root node comprises satellite observation data of which the characteristic value is greater than the segmentation characteristic value, and a right node of the root node comprises satellite observation data of which the characteristic value is less than the segmentation characteristic value.
S1033: and dividing each subnode for multiple times until the binary tree or the currently divided subnodes meet the condition of stopping division, randomly determining a division characteristic value in each division process, and dividing satellite observation data in the subnodes according to the determined division characteristic value to obtain two subnodes of the currently divided subnodes, wherein the left node of the currently divided subnodes comprises the satellite observation data of which the characteristic value is greater than the division characteristic value, and the right node of the currently divided subnodes comprises the satellite observation data of which the characteristic value is less than the division characteristic value.
The stop division condition includes: the binary tree reaches a preset limit height or only one satellite observation data in the currently divided sub-nodes or all the satellite observation data in the currently divided sub-nodes have the same characteristic value.
The preset limit height may be preset, or may be determined according to the number of satellite observation data in the data set, for example, the preset limit height may be set as: log (log)2(n), n is the number of satellite observations in the data set.
Referring to fig. 2, fig. 2 is a schematic diagram illustrating a process of segmenting a data set formed by four satellite observation data a, b, c, and d, where the root node includes four satellite observation data a, b, c, and d before segmentation, and after one segmentation, the left node of the root node includes three satellite observation data a, b, and c, and the right node includes d one satellite observation data.
In the secondary segmentation process, the child nodes including three satellite observation data of a, b and c are segmented into a left node including a and a right node including b and c, and likewise, the left node including only a is not segmented.
In the cubic segmentation process, the child nodes including the two satellite observation data of b, c are segmented into a left node including b and a right node including c.
As can be seen from fig. 2, the binary tree obtained finally is shown in fig. 3, and since the satellite observation data d is isolated at the earliest (the distance from the root node is the shortest), the satellite sensing data d is most likely to be abnormal data.
Based on the thought, after the binary tree is established, whether the satellite observation data is abnormal data or not can be judged according to the path length of the satellite observation data in each node from the root node.
Specifically, the scoring the satellite observation data according to the positions of the satellite observation data in the data set at the nodes in the binary tree includes:
s1051: and calculating the score of the satellite observation data according to the path length of the satellite observation data, wherein the path length of the satellite observation data is the distance from the node of the satellite observation data in the binary tree to the root node of the binary tree.
More specifically, the calculating the score of the satellite observation data according to the distance from the node where the satellite observation data is located in the binary tree to the root node of the binary tree includes:
s10511: defining the number of all edges passed by the node of the satellite observation data in the binary tree to the root node of the binary tree as the path length of the satellite observation data;
s10512: acquiring the average path length of the satellite observation data in all binary trees;
s10513: calculating the average path length of the binary tree according to a first preset formula;
s10514: substituting the average path length of the binary tree and the average path length of the satellite observation data in all binary trees into a second preset formula to calculate and obtain a score of the satellite observation data;
the first preset formula includes:
Figure BDA0002942703170000091
wherein (c) (n) represents the average path length when the total number of satellite observation data in the binary tree is n, (h) (i) represents the sum of the tones of i, i is n-1 or n, and h (i) is lni + 0.5772156649;
the second preset formula includes:
Figure BDA0002942703170000092
s (x, n) represents the score of the satellite observation x, and E (h (x)) represents the average path length of the satellite observation x in all binary trees.
Correspondingly, the judging whether the satellite observation data are abnormal data according to the scores of the satellite observation data comprises:
s1052: when the difference value between the score of the satellite observation data and 0.5 is smaller than a preset difference value, judging that the satellite observation data in the whole data set are normal data;
s1053: and when the difference value between the score of the satellite observation data and 1 is smaller than the preset difference value, judging that the satellite observation data is abnormal data.
The preset difference may be a preset value, for example, 0.01, 0.005, and the like, and when the difference between the score of the satellite observation data and 0.5 is smaller than the preset difference, it may also be stated that the score of the satellite observation data approaches 0.5, and correspondingly, when the difference between the score of the satellite observation data and 1 is smaller than the preset difference, it may also be stated that the score of the satellite observation data approaches 1.
In addition, in one embodiment of the present application, when the score of the satellite observation data approaches 0, the satellite observation data is likely to be normal satellite sensing data.
Optionally, the determining, according to the abnormal data in the data set, whether the satellite signal corresponding to the data set is interfered by an attacker and data is tampered includes:
when the abnormal data in the data set is smaller than a first preset number and the abnormal data in the data set are all located in the satellite observation data with the first preset number which is the latest in history in the data set, judging that the satellite signals corresponding to the data set are interfered by an attacker and tampering the data;
the first preset number is the amount of satellite observation data updated in the satellite observation data of the plurality of time nodes obtained currently compared with the satellite observation data of the plurality of time nodes obtained last time in history.
The detection method of the spoofing attack provided by the embodiment of the present application is verified by using a specific example.
A satellite observation file of JFNG satellite base stations of 2020, 4, 29 days is selected as experimental data, wherein the data in the file are correct data. The JFNG satellite base station is positioned in the nine-peak village in Wuhan city, Hubei province, coordinates of 114.2927 degrees at east longitude and 30.3056 degrees at north latitude. And randomly selecting 120 pieces of satellite observation data within one hour, and dividing the 120 pieces of satellite observation data into a plurality of data sets according to different satellite numbers. The data set is divided into six columns, data number (from 1), satellite number, pseudorange, doppler shift, carrier phase shift and signal-to-noise ratio. During actual detection, the algorithm only carries out detection scoring on the last four columns of data. The method comprises the steps of selecting five data sets to replace one piece of data respectively, wherein the five data sets are used as a group of experimental data sets of tampered one piece of data. And selecting five data sets to replace three pieces of data respectively, selecting five data sets to replace five pieces of data respectively, selecting five data sets to replace seven pieces of data respectively, selecting five data sets to replace nine pieces of data respectively, and thus obtaining five data sets of one, three, five, seven and nine pieces of data which are tampered. The twenty-five data sets are respectively used for abnormal data detection by the detection method of the spoofing attack provided by the embodiment of the application, the output abnormal data, the score and the distribution of the data in the data sets are recorded, the detection results of each data set are summarized, the detection results in each group are averaged, and the results are shown in fig. 4 and fig. 5.
As can be seen from fig. 4 and 5, the detection method for spoofing attacks provided in the embodiment of the present application can accurately detect spoofing attacks, and the detection accuracy can be maintained at 95% to 99%.
The detection system for spoofing attacks provided by the embodiment of the present application is described below, and the detection system for spoofing attacks described below and the detection method for spoofing attacks described above may be referred to in correspondence.
Correspondingly, an embodiment of the present application further provides a system for detecting a spoofing attack, including:
the data updating module is used for updating a satellite observation file at intervals of first preset time, wherein the satellite observation file comprises satellite observation data acquired by at least one satellite;
the data acquisition module is used for acquiring satellite observation data of a plurality of time nodes from a current satellite observation file every second preset time, wherein the second preset time is longer than the first preset time;
the data set dividing module is used for dividing the acquired satellite observation data into a plurality of data sets according to different satellite numbers, wherein each data set corresponds to one satellite number;
the data segmentation module is used for segmenting each data set for multiple times, establishing a binary tree corresponding to the data set according to segmentation results, wherein in the binary tree, the dispersion of satellite observation data in a node and other satellite observation data is in negative correlation with the distance between the node and a root node;
and the attack detection module is used for scoring each satellite observation data according to the position of the satellite observation data in the data set in the node in the binary tree, judging whether the satellite observation data is abnormal data according to the scoring of the satellite observation data, and judging whether the satellite signal corresponding to the data set is interfered by an attacker and tampering the data according to the abnormal data in the data set.
Correspondingly, the embodiment of the application also provides a detection system of the spoofing attack, which comprises a memory and a processor;
the memory is used for storing program codes, the processor is used for calling the program codes, and the program codes are used for executing the detection method of the spoofing attack in any embodiment.
Correspondingly, an embodiment of the present application further provides a storage medium, where the storage medium stores program codes, and the program codes, when executed, implement the detection method for spoofing attacks described in any of the above embodiments.
In summary, the embodiment of the present application provides a detection method of a spoofing attack and a related device, wherein the detection method of the spoofing attack first classifies acquired satellite observation data according to different satellite numbers to obtain a plurality of data sets corresponding to the satellite numbers one by one, then establishes a binary tree for the satellite observation data in the data sets according to the dispersion with other satellite observation data, the closer the distance between a node where the satellite observation data with the greater dispersion is located in the binary tree and a root node, and since the acquired satellite observation data is continuous data in time and the dispersion between normal data is small, the satellite observation data can be scored according to the position of the satellite observation data in the data sets in the node in the binary tree, and whether the satellite observation data is abnormal data or not can be judged according to the score of the satellite observation data, and then whether the satellite signal corresponding to the data set is interfered by an attacker and the data is tampered or not is judged according to the abnormal data in the data set, so that the detection of the deception attack is realized, and the detection method of the deception attack does not need to modify a receiver of the satellite or label the satellite observation data, so that the method has the advantages of simplicity, quickness and high efficiency.
Features described in the embodiments in the present specification may be replaced with or combined with each other, each embodiment is described with a focus on differences from other embodiments, and the same and similar portions among the embodiments may be referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A detection method of a spoofing attack, comprising:
updating a satellite observation file at intervals of first preset time, wherein the satellite observation file comprises satellite observation data acquired by at least one satellite;
acquiring satellite observation data of a plurality of time nodes from a current satellite observation file every second preset time, wherein the second preset time is greater than the first preset time;
dividing the acquired satellite observation data into a plurality of data sets according to different satellite numbers, wherein each data set corresponds to one satellite number;
dividing each data set for multiple times, and establishing a binary tree corresponding to the data sets according to a division result, wherein in the binary tree, the dispersion of satellite observation data in a node and other satellite observation data is in negative correlation with the distance between the node and a root node;
scoring each satellite observation data according to the position of the satellite observation data in the data set in the node of the binary tree, judging whether the satellite observation data is abnormal data according to the scoring of the satellite observation data, and judging whether the satellite signal corresponding to the data set is interfered by an attacker and the data is tampered according to the abnormal data in the data set.
2. The method of claim 1, wherein the partitioning each of the data sets a plurality of times, and the building a binary tree corresponding to the data set according to the partitioning result comprises:
determining a root node, and putting all satellite observation data in a data set into the root node;
randomly determining a segmentation characteristic value, and dividing satellite observation data in the root node to obtain two child nodes of the root node, wherein a left node of the root node comprises satellite observation data of which the characteristic value is greater than the segmentation characteristic value, and a right node of the root node comprises satellite observation data of which the characteristic value is less than the segmentation characteristic value;
dividing each subnode for multiple times until the binary tree or the currently divided subnode meets a division stopping condition, randomly determining a division characteristic value in each division process, and dividing satellite observation data in the subnode according to the determined division characteristic value to obtain two subnodes of the currently divided subnode, wherein the left node of the currently divided subnode comprises satellite observation data with the characteristic value larger than the division characteristic value, and the right node of the currently divided subnode comprises satellite observation data with the characteristic value smaller than the division characteristic value;
the stop division condition includes: the binary tree reaches a preset limit height or only one satellite observation data in the currently divided sub-nodes or all the satellite observation data in the currently divided sub-nodes have the same characteristic value.
3. The method of claim 1, wherein scoring each of the satellite observations in the data set based on their positions at nodes in the binary tree comprises:
and calculating the score of the satellite observation data according to the path length of the satellite observation data, wherein the path length of the satellite observation data is the distance from the node of the satellite observation data in the binary tree to the root node of the binary tree.
4. The method of claim 3, wherein the calculating the score for the satellite observation data based on the distance from the node in the binary tree where the satellite observation data is located to the root node of the binary tree comprises:
defining the number of all edges passed by the node of the satellite observation data in the binary tree to the root node of the binary tree as the path length of the satellite observation data;
acquiring the average path length of the satellite observation data in all binary trees;
calculating the average path length of the binary tree according to a first preset formula;
substituting the average path length of the binary tree and the average path length of the satellite observation data in all binary trees into a second preset formula to calculate and obtain a score of the satellite observation data;
the first preset formula includes:
Figure FDA0002942703160000021
wherein (c) (n) represents the average path length when the total number of satellite observation data in the binary tree is n, (h) (i) represents the sum of the tones of i, i is n-1 or n, and h (i) is lni + 0.5772156649;
the second preset formula includes:
Figure FDA0002942703160000022
s (x, n) represents the score of the satellite observation x, and E (h (x)) represents the average path length of the satellite observation x in all binary trees.
5. The method of claim 4, wherein determining whether the satellite observations are anomalous data based on the scores for the satellite observations comprises:
when the difference value between the score of the satellite observation data and 0.5 is smaller than a preset difference value, judging that the satellite observation data in the whole data set are normal data;
and when the difference value between the score of the satellite observation data and 1 is smaller than the preset difference value, judging that the satellite observation data is abnormal data.
6. The method of claim 1, wherein the determining whether the satellite signal corresponding to the data set is interfered by an attacker and tampering with the data according to the abnormal data in the data set comprises:
when the abnormal data in the data set is smaller than a first preset number and the abnormal data in the data set are all located in the satellite observation data with the first preset number which is the latest in history in the data set, judging that the satellite signals corresponding to the data set are interfered by an attacker and tampering the data;
the first preset number is the amount of satellite observation data updated in the satellite observation data of the plurality of time nodes obtained currently compared with the satellite observation data of the plurality of time nodes obtained last time in history.
7. The method of claim 1, wherein updating the satellite observation file every first predetermined time comprises:
receiving all satellite observation data capable of receiving the satellite once every 30 seconds by using a receiver, and recording the received satellite observation data in a satellite observation file;
the acquiring the satellite observation data of a plurality of time nodes from the current satellite observation file every second preset time comprises the following steps:
and acquiring the latest satellite observation data of 120 time nodes from the current satellite observation file every 5 minutes.
8. A detection system for spoofing attacks, comprising:
the data updating module is used for updating a satellite observation file at intervals of first preset time, wherein the satellite observation file comprises satellite observation data acquired by at least one satellite;
the data acquisition module is used for acquiring satellite observation data of a plurality of time nodes from a current satellite observation file every second preset time, wherein the second preset time is longer than the first preset time;
the data set dividing module is used for dividing the acquired satellite observation data into a plurality of data sets according to different satellite numbers, wherein each data set corresponds to one satellite number;
the data segmentation module is used for segmenting each data set for multiple times, establishing a binary tree corresponding to the data set according to segmentation results, wherein in the binary tree, the dispersion of satellite observation data in a node and other satellite observation data is in negative correlation with the distance between the node and a root node;
and the attack detection module is used for scoring each satellite observation data according to the position of the satellite observation data in the data set in the node in the binary tree, judging whether the satellite observation data is abnormal data according to the scoring of the satellite observation data, and judging whether the satellite signal corresponding to the data set is interfered by an attacker and tampering the data according to the abnormal data in the data set.
9. A detection system for spoofing attacks, comprising a memory and a processor;
the memory is configured to store program code, and the processor is configured to invoke the program code, the program code being configured to perform the detection method of a spoofing attack as set forth in any one of claims 1-7.
10. A storage medium having stored thereon program code which, when executed, implements the detection method of a spoofing attack as in any one of claims 1-7.
CN202110183353.XA 2021-02-10 2021-02-10 Detection method and related device for spoofing attack Active CN112987037B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110183353.XA CN112987037B (en) 2021-02-10 2021-02-10 Detection method and related device for spoofing attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110183353.XA CN112987037B (en) 2021-02-10 2021-02-10 Detection method and related device for spoofing attack

Publications (2)

Publication Number Publication Date
CN112987037A true CN112987037A (en) 2021-06-18
CN112987037B CN112987037B (en) 2023-02-28

Family

ID=76393283

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110183353.XA Active CN112987037B (en) 2021-02-10 2021-02-10 Detection method and related device for spoofing attack

Country Status (1)

Country Link
CN (1) CN112987037B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2746813A1 (en) * 2012-12-21 2014-06-25 Astrium GmbH Detection of spoofing of GNSS navigation signals
US20150123846A1 (en) * 2013-11-04 2015-05-07 Electronics And Telecommunications Research Institute Apparatus and method for detecting deception signal in global navigation satellite receiver
US20150226855A1 (en) * 2013-08-07 2015-08-13 Topcon Positioning Systems, Inc. Mitigation of Scintillations in Signals of Global Navigation Satellite Systems Caused by Ionospheric Irregularities
CA2933209A1 (en) * 2015-06-23 2016-12-23 Honeywell International Inc. Global navigation satellite system (gnss) spoofing detection with carrier phase and inertial sensors
CN108931789A (en) * 2018-03-02 2018-12-04 和芯星通(上海)科技有限公司 Attack detection method, attack detectors, computer readable storage medium and terminal
CN109884669A (en) * 2019-05-07 2019-06-14 湖南国科防务电子科技有限公司 Satellite navigation cheating interference detection method, system and equipment based on prior information
WO2019162839A1 (en) * 2018-02-26 2019-08-29 Magellan Systems Japan, Inc. Spoofing detection in real time kinematic positioning
CN111060935A (en) * 2020-01-17 2020-04-24 中山大学 GNSS deception jamming detection method
US20200341154A1 (en) * 2019-04-23 2020-10-29 Leica Geosystems Ag Providing atmospheric correction data for a gnss network-rtk system by encoding the data according to a quad-tree hierarchy
WO2020234885A1 (en) * 2019-05-21 2020-11-26 Regulus Cyber Ltd. Detection of spoofing attacks on satellite navigation systems

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2746813A1 (en) * 2012-12-21 2014-06-25 Astrium GmbH Detection of spoofing of GNSS navigation signals
US20150226855A1 (en) * 2013-08-07 2015-08-13 Topcon Positioning Systems, Inc. Mitigation of Scintillations in Signals of Global Navigation Satellite Systems Caused by Ionospheric Irregularities
US20150123846A1 (en) * 2013-11-04 2015-05-07 Electronics And Telecommunications Research Institute Apparatus and method for detecting deception signal in global navigation satellite receiver
CA2933209A1 (en) * 2015-06-23 2016-12-23 Honeywell International Inc. Global navigation satellite system (gnss) spoofing detection with carrier phase and inertial sensors
WO2019162839A1 (en) * 2018-02-26 2019-08-29 Magellan Systems Japan, Inc. Spoofing detection in real time kinematic positioning
CN108931789A (en) * 2018-03-02 2018-12-04 和芯星通(上海)科技有限公司 Attack detection method, attack detectors, computer readable storage medium and terminal
US20200341154A1 (en) * 2019-04-23 2020-10-29 Leica Geosystems Ag Providing atmospheric correction data for a gnss network-rtk system by encoding the data according to a quad-tree hierarchy
CN109884669A (en) * 2019-05-07 2019-06-14 湖南国科防务电子科技有限公司 Satellite navigation cheating interference detection method, system and equipment based on prior information
WO2020234885A1 (en) * 2019-05-21 2020-11-26 Regulus Cyber Ltd. Detection of spoofing attacks on satellite navigation systems
CN111060935A (en) * 2020-01-17 2020-04-24 中山大学 GNSS deception jamming detection method

Also Published As

Publication number Publication date
CN112987037B (en) 2023-02-28

Similar Documents

Publication Publication Date Title
CN112104495B (en) System fault root cause positioning method based on network topology
US9125067B2 (en) System and method for mobile location using ranked parameter labels
JP2000092556A (en) Method for identifying geographic position of pattern recognition base
CN105334522A (en) GPS attack detection method and device
CN106332271B (en) Interference source positioning method and device
CN111983655B (en) Method and device for determining urban canyon area, electronic equipment and storage medium
CN111538043B (en) Method and device for eliminating non-through-view satellite in complex environment and electronic equipment
CN112083447B (en) Method and device for positioning navigation spoofing source
CN110046179B (en) Mining method, device and equipment for alarm dimension
CN111988115B (en) ADS-B distributed processing system based on parallel computing on general platform
CN108770057B (en) Method for determining predetermined fingerprint database, method and device for positioning fingerprint, and storage medium
CN113970761A (en) Non-line-of-sight signal identification method, system, computer equipment and storage medium
CN112987037B (en) Detection method and related device for spoofing attack
CN111651681A (en) Message pushing method and device based on intelligent information recommendation in cloud network fusion environment
CN106446102B (en) Terminal positioning method and device based on map fence
CN108574927B (en) Mobile terminal positioning method and device
CN103095774B (en) Map constructing method and equipment and the method and apparatus that map structuring information is provided
CN101931866A (en) Node positioning method for mobile wireless sensor network
CN116151437A (en) Shallow collapse disaster early warning model establishment method, device, equipment and medium
CN114222307B (en) Method and device for determining sector overlapping coverage area and electronic equipment
CN116184445A (en) GNSS spoofing signal detection method, device and equipment based on multiple frequency points
Chitraranjan et al. Tracking vehicle trajectories by local dynamic time warping of mobile phone signal strengths and its potential in travel-time estimation
CN114025375A (en) 5G tracking area abnormity detection method and system based on honeycomb distribution identification technology
CN113960640A (en) Detection method and device of deception signal
CN112558113A (en) GNSS interference source positioning method based on grid probability traversal by using ADS-B

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Zuo Shenzheng

Inventor after: Liu Yinan

Inventor after: Xin Pengpeng

Inventor after: Wang Yan

Inventor after: Zhang Dongmei

Inventor before: Zuo Shenzheng

Inventor before: Liu Yinan

Inventor before: Wang Yan

Inventor before: Zhang Yifan

Inventor before: Zhang Dongmei

CB03 Change of inventor or designer information
GR01 Patent grant
GR01 Patent grant