CN117353985A - A GNSS generative spoofing attack detection method based on CNN-LSTM - Google Patents

Abstract

A GNSS generation type deception attack detection method based on CNN-LSTM includes: 1) Performing a generative spoofing attack on the GNSS, i.e. misleading the GNSS receiver by forging a spoofing signal; 2) The acquired GNSS data is collected and pre-processed, including normalization and the like, to prepare the data sets for training and testing the model. 3) Constructing a CNN-LSTM network model: constructing a network model by using a method of combining a Convolutional Neural Network (CNN) and a long-term and short-term memory neural network, optimizing parameters of the model by using a self-adaptive moment estimation method, and applying the parameters to the network model; 4) Training a model and evaluating detection effects: training the constructed CNN-LSTM network model by using the mean square error and the accuracy as evaluation indexes, and evaluating the effect of the CNN-LSTM network model in the aspects of detecting and classifying abnormal signals; 5) Attack detection: the trained model is selected to be applied to the detection of GNSS generated spoofing attacks in the actual scene. The method combines the convolution network with the LSTM for detecting the deception signal, and improves the detection accuracy by using the CNN for feature extraction and the LSTM for sequence modeling.

Description

GNSS generation type spoofing attack detection method based on CNN-LSTM

Technical Field

The invention relates to the technical field of signal security, in particular to a GNSS generation type spoofing attack detection method based on CNN-LSTM.

Background

Today, global positioning system (GNSS) services have been widely used in a variety of fields, including smartphones, wearable devices, and almost all traffic systems. These applications all rely on GNSS-provided location-based services such as navigation, vehicle monitoring, and self-positioning and rescue in emergency situations. Although GNSS is widely used today, it is also vulnerable to spoofing attacks that can lead to catastrophic results.

In view of the potential hazards of GNSS spoofing attacks, many effective countermeasures have been investigated. These countermeasures can be divided into three categories: cryptography-based methods, signal processing methods and external mobility characteristics. Cryptography-based methods utilize encryption techniques to encrypt GPS signals and require keys to decrypt. Signal processing methods extract spatial and geometric features from legitimate GPS signals, or extract physical layer features such as angle of arrival, signal strength, signal phase, and discontinuities. Whereas methods based on external mobility characteristics measure the speed and acceleration of the mobility device by means of sensors of the control system, such as barometers, inertial measurement units and compasses. However, these GPS spoofing detection methods have some drawbacks that limit their application. For example, encryption methods are not suitable for residential applications because these applications require acquisition of unencrypted GPS signals. While methods based on signal processing or external mobility characteristics may require additional hardware (sensors or antennas) or auxiliary equipment, may require changing interface specifications or increasing the overhead of signal processing, thereby adversely affecting the performance of the real-time system or adding additional communication overhead.

Therefore, the prior art does not achieve an obvious and accurate prediction effect in the aspect of abnormality detection. Some studies based on conventional machine learning techniques have been proposed to classify and detect GPS spoofing attacks against drones. These models provide an effective solution to the problem in GPS spoofing detection. In order to solve these problems, in the current complex attack environment, it is highly desirable to provide an effective fraud detection method.

Disclosure of Invention

In order to overcome the defects of the existing detection method, the invention provides a GNSS generated type spoofing attack detection method based on CNN-LSTM.

The technical scheme adopted for solving the technical problems is as follows:

a CNN-LSTM based GNSS generated spoofing attack detection method, the method comprising the steps of:

1) Global positioning System GNSS generated spoofing attack: generating GNSS deception signals in real time by using an online map through a signal transmitter to attack;

2) Data acquisition and preprocessing: collecting GNSS clean signal samples and deception signal samples respectively, and extracting key observables of the signal sample files to obtain feature vectors serving as input quantities of the neural network model; then preprocessing the data, including normalization and first-order differential processing;

3) Constructing a CNN-LSTM network model: constructing a neural network model combined by a convolutional neural network CNN and a long-short-term memory neural network LSTM based on unsupervised learning; training and verifying by using clean signal sample data, and testing by using deceptive signal sample data;

4) Model test: selecting a proper deception data set to test the model, and using a Mean Square Error (MSE) and an Accuracy (Accuracy) as evaluation indexes to evaluate the prediction and deception detection effects of the model;

5) Attack detection: the trained model is selected to be applied to the detection of GNSS generated spoofing attacks in the actual scene.

Further, in the step 1), the GNSS-generated spoofing attack includes the following procedures:

and step 101, acquiring fake GPS coordinate data through programming of a Web server based on PyWeb, and modifying the spoofed target position in real time by utilizing an online map to generate a spoofed signal file.

Step 102, sending the deception signal file to a specific input port of a signal generation transmitting terminal through a socket to realize real-time GNSS deception attack.

Still further, in the step 2), the data acquisition and preprocessing includes the following processes;

step 201, collecting clean signal samples and spoofed signal samples by using USRP, GNU Radio and UHD respectively, and performing observably data extraction on the signal sample file.

Step 202, screening out critical observable variables by comparing significant differences of amplitudes of observable variables of signal processing blocks (acquisition, tracking, observable and PVT) in the clean signal samples and the spoofed signal samples in different modes, and obtaining feature vectors input as a neural network model. The eigenvectors include doppler shift, signal-to-noise ratio, values of the hinting correlation factor in the in-phase component, and values of the hinting correlation factor in the quadrature component.

Step 203, preprocessing the screened observable variable data, including Z-Score normalization and first order difference processing, and calculating the following formula:

wherein μ, σ are the mean and variance of the original dataset, respectively.

A(n)＝A(n)-A(n-1) (2)

Where A (n) is the value of the current data point and A (n-1) represents the value of the previous data point.

In the step 3), constructing the CNN-LSTM network model comprises the following steps:

step 301, constructing a neural network model formed by combining a convolutional neural network CNN based on unsupervised learning and a long-term and short-term memory neural network LSTM. The model includes an input layer, an encoder, a hidden layer, a decoder, and an output layer.

The encoder and decoder consist of two convolutional layers and two transposed convolutional layers, respectively, with the hidden layer being the LSTM used to extract meaningful feature representations to reconstruct the data. The number of nodes of the input layer and the output layer is 4, the number of nodes of the hidden layer is 8, and the numbers of nodes of the encoder and the decoder are 16 and 8 respectively.

The loss function uses a mean square error. The optimization method selects the self-adaptive moment estimation to realize the fastest convergence of model training and the optimization of model parameters, and the calculation formula is as follows:

wherein m is the first moment of the gradient, beta1 is the first moment attenuation coefficient, dx is the original gradient, v is the second moment of the gradient, bata2 is the second moment attenuation coefficient, x is the updated parameter, learning_rate is the learning rate, eps is the steady state value, in order to ensure that the square root term in the denominator does not become too small, prevent the divide by 0 error, and thereby avoid numerical instability.

The activation function is selected from elu function and linear function, and the calculation formula is as follows:

where α is a constant used to control the curve shape of the elu function in the negative region.

f(x)＝mx+b (5)

Where m is the slope and m+.0, b is the intercept of f (x) on the y-axis.

The filling mode adopts the same method.

Step 302, clean signal sample data is used for training and verification, and spoof signal sample data is used for testing.

Further, eps is a very small number defaulting to 1e-8; typically α takes a small positive number, such as 1.0.

In the step 4), the model test comprises the following steps:

step 401, model test is performed using a real acquisition spoof dataset TEXBAT published by the university of texas, which contains eight scene datasets. Wherein, the data is set to instantaneous switch in ds1 scene. ds2 allows the GNSS receiver to track the spoofed signal with greater power advantage. The power of the spoofing signal in ds3, ds4 gradually increases from low to high, and finally remains substantially the same as the true satellite signal power. ds5, ds6 are both dynamic data collected by in-vehicle experiments. Because the dynamic data is greatly influenced by environmental factors such as multipath, the invention only considers the influence of the deception signal on the GNSS receiver in the static environment, and therefore, the invention does not test on ds5 and ds 6. ds7 is similar to ds3, but the carrier phase of the spoofed signal in ds7 is perfectly matched to the true signal. ds8 is substantially the same as ds7 but contains zero delay security code estimates. In the test phase, predictions and detections are made on spoof data samples using models that have been trained on clean signal sample data.

In step 402, in order to quantitatively evaluate the prediction and detection performance of the CNN-LSTM model, a Mean Square Error (MSE) and an Accuracy (Accuracy) are used as evaluation indexes, and the calculation formula is as follows:

wherein, right_prediction is the number of correctly detected labels, and test_total_num is the total number of test labels.

The attack detection in step 5) specifically includes:

in step 501, the trained attack detection model is integrated into the unmanned GNSS receiver module. Once the unmanned aerial vehicle starts, the receiver will constantly monitor unmanned aerial vehicle's GNSS signal, and the embedded model can monitor whether there is abnormal signal to interfere normal satellite signal simultaneously.

In step 502, the receiver integrated with the attack detection model performs real-time GNSS signal data analysis to identify whether a rogue signal exists. When a spoofing signal is detected, the receiver module of the drone may sound an alarm.

The technical concept of the invention is that the invention provides a method for combining LSTM with convolutional neural network, carrying out data preprocessing by using spoofing signal data acquired by USRP and other systems, and then adopting CNN-LSTM method to detect the data.

The beneficial effects of the invention are mainly shown in the following steps: the two network structures are combined together, so that detection is successfully performed, and compared with the traditional machine learning method, a better detection effect is achieved.

Drawings

Fig. 1 is a flow chart of the method of the present invention.

Fig. 2 is a block diagram of a CNN-LSTM network model.

Detailed Description

The invention will be further described with reference to the accompanying drawings,

referring to fig. 1, a GNSS-generated spoofing attack detecting method based on CNN-LSTM includes the steps of:

1) Global positioning System GNSS generated spoofing attack: generating GNSS deception signals in real time by using an online map through a signal transmitter to attack;

2) Data acquisition and preprocessing: collecting GNSS clean signal samples and deception signal samples respectively, and extracting key observables of the signal sample files to obtain feature vectors serving as input quantities of the neural network model; then preprocessing the data, including normalization and first-order differential processing;

3) Constructing a CNN-LSTM network model: constructing a neural network model combined by a convolutional neural network CNN and a long-short-term memory neural network LSTM based on unsupervised learning; training and verifying by using clean signal sample data, and testing by using deceptive signal sample data;

4) Model test: selecting a proper deception data set to test the model, and using a Mean Square Error (MSE) and an Accuracy (Accuracy) as evaluation indexes to evaluate the prediction and deception detection effects of the model;

5) Attack detection: the trained model is selected to be applied to the detection of GNSS generated spoofing attacks in the actual scene.

Further, in the step 1), the GNSS-generated spoofing attack includes the following procedures:

and step 101, acquiring fake GPS coordinate data through programming of a Web server based on PyWeb, and modifying the spoofed target position in real time by utilizing an online map to generate a spoofed signal file.

Step 102, sending the deception signal file to a specific input port of a signal generation transmitting terminal through a socket to realize real-time GNSS deception attack.

Still further, in step 2), the data acquisition and preprocessing includes the following steps;

step 201, collecting clean signal samples and spoofed signal samples by using USRP, GNU Radio and UHD respectively, and performing observably data extraction on the signal sample file.

Step 202, screening out critical observable variables by comparing significant differences of amplitudes of observable variables of signal processing blocks (acquisition, tracking, observable and PVT) in the clean signal samples and the spoofed signal samples in different modes, and obtaining feature vectors input as a neural network model. The eigenvectors include doppler shift, signal-to-noise ratio, values of the hinting correlation factor in the in-phase component, and values of the hinting correlation factor in the quadrature component.

Step 203, preprocessing the screened observable variable data, including Z-Score normalization and first order difference processing, and calculating the following formula:

wherein μ, σ are the mean and variance of the original dataset, respectively.

A(n)＝A(n)-A(n-1) (2)

Where A (n) is the value of the current data point and A (n-1) represents the value of the previous data point.

In the step 3), constructing the CNN-LSTM network model comprises the following steps:

step 301, a neural network model formed by combining a convolutional neural network CNN based on unsupervised learning and a long-short-term memory neural network LSTM is constructed, referring to fig. 2. The model includes an input layer, an encoder, a hidden layer, a decoder, and an output layer.

The encoder and decoder consist of two convolutional layers and two transposed convolutional layers, respectively, with the hidden layer being the LSTM used to extract meaningful feature representations to reconstruct the data. The number of nodes of the input layer and the output layer is 4, the number of nodes of the hidden layer is 8, and the numbers of nodes of the encoder and the decoder are 16 and 8 respectively.

The loss function uses a mean square error. The optimization method selects the self-adaptive moment estimation to realize the fastest convergence of model training and the optimization of model parameters, and the calculation formula is as follows:

wherein m is the first moment of the gradient, beta1 is the first moment attenuation coefficient, dx is the original gradient, v is the second moment of the gradient, bata2 is the second moment attenuation coefficient, x is the updated parameter, learning_rate is the learning rate, eps is the steady state value, in order to ensure that the square root term in the denominator does not become too small, prevent the divide by 0 error, and thereby avoid numerical instability.

The activation function is selected from elu function and linear function, and the calculation formula is as follows:

where α is a constant used to control the curve shape of the elu function in the negative region.

f(x)＝mx+b (5)

Where m is the slope and m+.0, b is the intercept of f (x) on the y-axis.

The filling mode adopts the same method.

Step 302, clean signal sample data is used for training and verification, and spoof signal sample data is used for testing.

eps is a very small number defaulting to 1e-8; typically α takes a small positive number, such as 1.0.

In the step 4), the model test comprises the following steps:

step 401, model test is performed using a real acquisition spoof dataset TEXBAT published by the university of texas, which contains eight scene datasets. Wherein, the data is set to instantaneous switch in ds1 scene. ds2 allows the GNSS receiver to track the spoofed signal with greater power advantage. The power of the spoofing signal in ds3, ds4 gradually increases from low to high, and finally remains substantially the same as the true satellite signal power. ds5, ds6 are both dynamic data collected by in-vehicle experiments. Because the dynamic data is greatly influenced by environmental factors such as multipath, the invention only considers the influence of the deception signal on the GNSS receiver in the static environment, and therefore, the invention does not test on ds5 and ds 6. ds7 is similar to ds3, but the carrier phase of the spoofed signal in ds7 is perfectly matched to the true signal. ds8 is substantially the same as ds7 but contains zero delay security code estimates. In the test phase, predictions and detections are made on spoof data samples using models that have been trained on clean signal sample data.

In step 402, in order to quantitatively evaluate the prediction and detection performance of the CNN-LSTM model, a Mean Square Error (MSE) and an Accuracy (Accuracy) are used as evaluation indexes, and the calculation formula is as follows:

wherein, right_prediction is the number of correctly detected labels, and test_total_num is the total number of test labels.

The attack detection in step 5) specifically includes:

in step 501, the trained attack detection model is integrated into the unmanned GNSS receiver module. Once the unmanned aerial vehicle starts, the receiver will constantly monitor unmanned aerial vehicle's GNSS signal, and the embedded model can monitor whether there is abnormal signal to interfere normal satellite signal simultaneously.

In step 502, the receiver integrated with the attack detection model performs real-time GNSS signal data analysis to identify whether a rogue signal exists. When a spoofing signal is detected, the receiver module of the drone may sound an alarm.

The present invention combines a convolutional network with an LSTM for spoofing signal detection. By using CNN for feature extraction and LSTM for sequence modeling, the method aims to improve detection accuracy. The method belongs to the technical field of anomaly detection, and successfully realizes accurate detection of the deception signal.

The embodiments described in the present specification are merely examples of implementation forms of the inventive concept, and the scope of protection of the present invention should not be construed as being limited to the specific forms set forth in the embodiments, and the scope of protection of the present invention and equivalent technical means that can be conceived by those skilled in the art based on the inventive concept.

Claims (7)

1. A GNSS generation type deception attack detection method based on CNN-LSTM is characterized in that: the method comprises the following steps:

1) Global positioning System GNSS generated spoofing attack: generating GNSS deception signals in real time by using an online map through a signal transmitter to attack;

2) Data acquisition and preprocessing: collecting GNSS clean signal samples and deception signal samples respectively, and extracting key observables of the signal sample files to obtain feature vectors serving as input quantities of the neural network model; then preprocessing the data, including normalization and first-order differential processing;

3) Constructing a CNN-LSTM network model: constructing a neural network model combined by a convolutional neural network CNN and a long-short-term memory neural network LSTM based on unsupervised learning; training and verifying by using clean signal sample data, and testing by using deceptive signal sample data;

4) Model test: selecting a proper deception data set to test the model, and using a Mean Square Error (MSE) and an Accuracy (Accuracy) as evaluation indexes to evaluate the prediction and deception detection effects of the model;

5) Attack detection: the trained model is selected to be applied to the detection of GNSS generated spoofing attacks in the actual scene.

2. The method for detecting GNSS-generated spoofing attack of claim 1 wherein the method is based on CNN-LSTM, wherein: the GNSS-generated spoofing attack described in step 1) specifically includes:

step 101, acquiring fake GPS coordinate data through programming of a Web server based on PyWeb, and modifying a spoofing target position in real time by utilizing an online map to generate a spoofing signal file;

step 102, sending the deception signal file to a specific input port of a signal generation transmitting terminal through a socket to realize real-time GNSS deception attack.

3. The method for detecting GNSS-generated spoofing attack of claim 1 wherein the method is based on CNN-LSTM, wherein: the data acquisition and preprocessing in the step 2) specifically comprises the following steps:

step 201, respectively collecting a clean signal sample and a deception signal sample by using USRP, GNU Radio and UHD, and performing observably data extraction on a signal sample file;

step 202, screening out key observable variables by comparing significant differences of amplitudes of observable variables of signal processing blocks in clean signal samples and spoofed signal samples in different modes, and obtaining feature vectors input as a neural network model; the feature vector comprises Doppler frequency shift, signal to noise ratio, and value of prompt correlation factor in-phase component, and value of prompt correlation factor in quadrature component;

step 203, preprocessing the screened observable variable data, including Z-Score normalization and first order difference processing, and calculating the following formula:

wherein μ and σ are the mean and variance of the original dataset, respectively;

A(n)＝A(n)-A(n-1) (2)

where A (n) is the value of the current data point and A (n-1) represents the value of the previous data point.

4. The method for detecting GNSS-generated spoofing attack of claim 1 wherein the method is based on CNN-LSTM, wherein: the constructing the CNN-LSTM network model in the step 3) specifically comprises the following steps:

step 301, constructing a neural network model formed by combining a convolutional neural network CNN based on unsupervised learning and a long-term and short-term memory neural network LSTM; the model comprises an input layer, an encoder, a hidden layer, a decoder and an output layer;

the encoder and decoder are respectively composed of two convolution layers and two transposed convolution layers, the hidden layer being an LSTM for extracting meaningful feature representations to reconstruct the data; the number of nodes of the input layer and the output layer is 4, the number of nodes of the hidden layer is 8, and the numbers of nodes of the encoder and the decoder are 16 and 8 respectively;

the loss function selects mean square error; the optimization method selects the self-adaptive moment estimation to realize the fastest convergence of model training and the optimization of model parameters, and the calculation formula is as follows:

wherein m is the first moment of the gradient, beta1 is the first moment attenuation coefficient, dx is the original gradient, v is the second moment of the gradient, bata2 is the second moment attenuation coefficient, x is the updated parameter, learning_rate is the learning rate, eps is the steady state value, in order to ensure that the square root term in the denominator does not become too small, prevent 0 removal error, and avoid numerical instability;

the activation function is selected from elu function and linear function, and the calculation formula is as follows:

where α is a constant for controlling the curve shape of the elu function in the negative region;

f(x)＝mx+b (5)

wherein m is the slope and m is not equal to 0, b is the intercept of f (x) on the y axis;

the filling mode adopts the same method;

step 302, clean signal sample data is used for training and verification.

5. The method for detecting GNSS-generated fraud based on CNN-LSTM according to claim 4, wherein: eps is a very small number defaulting to 1e-8; α takes a small positive number, such as 1.0.

6. The method for detecting GNSS-generated fraud based on CNN-LSTM according to claim 1, wherein:

the model test in the step 4) specifically comprises the following steps:

step 401, performing model testing using a real acquisition spoof dataset TEXBAT published by university of texas, which dataset contains eight scene datasets; wherein, the data under ds1 scene is set as instantaneous switching; ds2 allows the GNSS receiver to track the spoofing signal with greater power advantage; the power of the deception signals in ds3 and ds4 is gradually changed from low to high, and finally, the power is basically consistent with the power of the real satellite signals; ds5, ds6 are both dynamic data collected by in-vehicle experiments; because the dynamic data is greatly influenced by environmental factors such as multipath and the like, only the influence of the deception signal on the GNSS receiver in the static environment is considered, so that the testing is not performed on ds5 and ds 6; ds7 is similar to ds3, but the carrier phase of the spoofed signal in ds7 is perfectly matched to the true signal; ds8 is substantially the same as ds7, but contains zero delay security code estimates; in the test stage, predicting and detecting on the deception data samples using a model trained on clean signal sample data;

in step 402, in order to quantitatively evaluate the prediction and detection performance of the CNN-LSTM model, a Mean Square Error (MSE) and an Accuracy (Accuracy) are used as evaluation indexes, and the calculation formula is as follows:

where a smaller value of MSE represents a higher accuracy of the predictive model because it measures the square of the average error between the model's predictions and the actual observations. The right_prediction is the number of correctly detected labels, and the test_total_num is the total number of test labels.

7. The method for detecting GNSS-generated fraud based on CNN-LSTM according to claim 1, wherein: the attack detection in step 5) specifically includes:

in step 501, the trained attack detection model is integrated into the unmanned GNSS receiver module. Once the unmanned aerial vehicle starts, the receiver will constantly monitor unmanned aerial vehicle's GNSS signal, and the embedded model can monitor whether there is abnormal signal to interfere normal satellite signal simultaneously.

In step 502, the receiver integrated with the attack detection model performs real-time GNSS signal data analysis to identify whether a rogue signal exists. When a spoofing signal is detected, the receiver module of the drone may sound an alarm.