SG188069A1 - Method and system for detecting mobile device position information fraud - Google Patents

Abstract

METHOD AND SYSTEM FOR DETECTING MOBILE DEVICE POSITION INFORMATION FRAUDMethod for authenticating the position Pi(t) of amobile element (10), a mobile element comprising at least one GNSS receiver, k, having a function for estimating the position P1 (t) of this mobile element (10), from said signals "authentic" of the GNSS constellation, the aforementioned receiver being potentially allocated by falsified signals, this method being characterized in that it comprises, in combination, at least the following steps:determining at least one datum (21) associatedwith the position P1 of a GNSS receiver, i, Transmitting and storing said data (21), aggregating a number of data (22) associated with the position of a number of GNSS receivers belonging to a set Ech(Pi), on a size of sampleand a period of time superior to given thresholds, to obtain a significant statistical data (25) characteristic of the authentic signal,determining at least one consistency indicatorIc(Pi), (26), by comparing the first datum associated with said receiver i and the aggregated data (25) obtained from the set Ech of receivers k, on an interval of time including at least a position Pi (t),authenticating (27) the position Pi of saidmobile element (10) by using one or more of said consistency indicators Ic(Pi) in an authenticity decision function or to raise a suspicion of fraud on behalf of the user of this receiver i,as regards the position Pi.Figure 1 to be published

Description

(PTE —_ _ *|8Q180x__ . METHOD AND SYSTEM FOR DETECTING MOBILE DEVICE POSITION

INFORMATION FRAUD

The subject of the present invention relates to a 5 method and a system for authenticating the GNSS position, GNSS being an acronym deriving from the expression "Global Navigation Satellite Systems", of a mobile element or device. It aims to detect, not jamming, but spoofing (the usurpation of a sender's identity), and applies, for example, to the field of road, motorway, urban remote toll systems and to any other geolocated monitoring or payment system.

A mobile element corresponds, for example, to a person or an animal, a vehicle or even any object.

The mobile electronic terminals that implement applications requiring information concerning their geographical position comprise means for estimating their position as accurately as possible. For this, satellite geolocation systems are commonly used, these : systems being designated by the acronym GNSS. An example of a GNSS system 1s the GPS system, GPS standing for Global Positioning System.

The integrity of positions is a strong requirement in a positioning application that is critical from a legal point of view (pay-per-use system: insurance, parking and road network notably), or a judicial application (electronic bracelet or tag) just as in an application that is critical from the viewpoint of security of goods (tracking of containers), user safety (driving assistance).

The equipment used in systems that implement this type of application are usually inviolable and use secure communication means. However, the radio link with the satellites is an open and vulnerable signal, unless

MAA

CL *GO0002*

v ' - - 2 - : to these markets because of the broadcasting and the management of the access keys.

It is consequently possible for a non-cooperative user or an ill-intentioned person to induce false positions in a receiver, even without interfering in the onboard unit (OBU), and to do so with inexpensive equipment of receiver-regenerator type,covering the antenna of the receiver, that is also easy to set up surreptitiously.

Contrary to the equipment of jamming or of spoofing emitting on a zone, attacking the service to the users in this zone, such devices affect only a receiver, that : of the non-cooperative user. More or less complex strategies can be implemented in a receiver-regenerator to inject a GNSS signal corresponding to the desired trajectory to bypass the application: for example, to avoid the generation of an alert in monitoring : equipment, such as the electronic bracelet or the charging events triggered by the passage through virtual doors, in pay-per-use applications, and do so while minimizing the risk of discovery. The systems envisaged for these applications do not currently make it possible to avoid such frauds.

The typical charging solution is based on passage through a virtual gate or positioning in a paying area (parking, town centre). The checking of the operation of the vehicle equipment is done statistically on fixed or mobile control points, where the consistency of the charging events is checked a posteriori with the registration details of the observed vehicles. Fraud equipment can also be designed to be silent in these checks, its position being published to such equipment by a centralized service (official information for the points that are fixed or shared by the users, for the mobile points).

B - 3 - : Different methods for checking the consistency of the position estimations do exist. This consistency can be checked by monitoring the absolute or relative strength of the GNSS signals or by comparison with secondary sources such as motion sensors, or the measurement of other radio signals.

The consistency of the measurements can also be checked by using digital tattooing techniques notably enabling the terminals to locate the transmitters of a network.

This technique is often referred to as "watermarking".

An example of the implementation of digital tattooing is disclosed in the patent application WO 2009/037133.

Moreover, the securing of the location applications presupposes known anti-tampering protection measures, on the securing of the exchanges, on the protection of the data originating from other sensors in the vehicle.

Such methods are not these days implemented in the available commercial receivers. For some, they assume a significant cost resulting from redesign work at the chip level and/or at the driver software level. In particular, redesigning the chip for receivers on the consumer market represents a significant cost and leadtime. Other methods presuppose the addition of sensors in the mobile equipment:inertial units such as described in the application FR 1000588, measurement of radiofrequency signals or information of the cellular network, for example, as described in the application

FR 0807400. They are not guaranteed and sophisticated attacks can at least partially circumvent them.

The idea implemented by the present invention, unlike the existing approaches which generally require the addition of secondary position information, or more sophisticated signal processing in the GNSS reception, is notably to use the information supplied by the receivers, of existing type, without requiring the use

1 3 - - 4 - - of other sensors, in the case of normal operation of the device. This method is based on collaboration between receivers via a centralized infrastructure for example.

No hypothesis is made on the preliminary functioning of a receiver in normal mode without attack, but we shall suppose that proportion of receivers subject to cheating is enough weak so that statistical data can be built, which are little affected by the possible devices of spoofing.

The receiver installed on a mobile vehicle collects the

GNSS position information and transmits it to an authentication module which combines and consolidates this information in a current and historical base, and computes confidence indicators on the measured trajectories from which a probability of fraud can be - estimated, indicators which are based on: ee the quality of the signal received from a satellite, in a given area: the signal/noise density ratio, or

C/NO (carrier-to-noise density ratio), the user differential range error, better known by the acronym

UDRE, or the global position quality: position uncertainty, e the signal quality compared to the history in this place, oe the azimuth, the elevation of the satellites seen compared to the historical map, and/or ee the associated cell in which a receiver may be located in a communication network.

The invention relates to a method for authenticating the position P;(t) of a mobile element, a mobile element comprising at least one GNSS receiver, i, having a function for estimating the position P;(t) of this mobile element, from said signals "authentic" of the constellation GNSS, the aforementioned receiver being

- potentially impacted by falsified signals, this method being characterized in that it comprises, in combination, at least the following steps: e determining at least one datum associated with the position P; of a GNSS receiver, i, e¢ Transmitting and storing said data, e aggregating a number of data associated with the position of a number of GNSS receivers belonging to a set Ech(Pi), on a size of sample and a period of time superior to given thresholds, to obtain a significant statistical data that is characteristic of the authentic signal, e determining at least one consistency indicator

Ic(Pi), by comparing the first data associated with said receiver i and the aggregated data obtained from the set Ech of receivers k, on an interval of time including at least a position P; (t), e authenticating the position P; of said mobile element by using one or more of said consistency indicators Ic(P;) in an authenticity decision function or to raise a suspicion of fraud on behalf of the user of this receiver 1, as regards the position Pi.

The aggregation and indicator computation steps are performed, for example, in a centralized device linked by a communication network to said mobile elements.

According to a variant the aggregation and indicator computation steps are performed within said mobile elements linked together and forming a network, following the principles of distributed computation.

To authenticate the position P;(t) of a mobile element the consistency indicator Ic(P;) 1s, for instance, computed on the basis of the strength Sx(n, t) of signal received by the receiver Kk, by considering the

! b .- - 6 - : - receivers k in the vicinity of the receiver 1, arranged at a range less than &, at the instant (tix), with tx - t < At, and At, & being parameters of said consistency indicator, in which n is the pseudo range number (PRN) of a satellite in sight of the receivers.

According to a variant to authenticate the position

P,(t) of a mobile element, according to a measurement associated with a satellite n, the method uses a set of samples obtained from a historical positions base, in which the position Px of a sample at the instant t' and the orientation of the satellite n indicated by the azimuth, elevation pair ab(t',k) is sufficiently close to P(t) and ab(t,1).

According to a variant to authenticate the position

P.(t) of a mobile element, according to a global measure relating to all the satellites seen, the method uses a set of samples from a historical positions base, for which the position Px at the instant t' is sufficiently close to Pi (t).

The data aggregation step, for example, comprises, combining at least the following steps: ethe construction of a map of visibility of a satellite based on reports of positions of the receivers k stored in a database, eanalysis of the cloud of points in order to determine the density and the border, ethe computation of the probability estimate of : finding a satellite n at a position P; as a function of the azimuth direction a, elevation 0, for an assumption as to the uncertainty of the direction §, and ethe probability p(P;, {n}), as a consistency indicator is deduced from these probability estimates for each satellite PRN n, with Ng: =

.- - 7 = - card({n}), in which {n} is the set of the visible satellite numbers reported by the receiver i.

According to a variant the method constructs a table of network cells based on the reports of the historical positions Xh stored in the database and of contingent information supplied by the communication network such as the cell identity Cell-Id in a mobile cellular network and in that it determines, as indicator of consistency between the database and the candidate position Py, a range metric between Py and the aggregated positions Xh and in that it uses, as authenticity function, the value of the probability that the cell reported for the target receiver corresponds to the position P;) and the sample E(P4) which serves as reference is the set of the positions stored for this cell.

Method uses, for example, the measure and the decision of authenticity in feedback on the selection of the sample.

According to a variant said method uses a data filtering mechanism excluding any past and future datum concerning the terminal of a user for which at least a suspicion of fraud is raised.

Method uses, for example, an obsolescence mechanism in which the data for which the exactitude and utility are diminished by age are deleted from the base, by establishing obsolescence criteria adapted to the datum, said criteria being chosen from the following list: e the code quality, strength, UDRE data are deleted when the satellite n is the subject of a notification by the control authority,

t . o- - 8 - - e the global quality, uncertainty and availability data are deleted when the constellation has been modified, e¢ the satellite visibility data are deleted when the positive spoofing indicator frequency on the same place to within ¢ is above an observed likelihood threshold, e the cell data are deleted when the positive spoofing indicator frequency on the same cell is above an observed likelihood threshold, e any datum is deleted when an age limit is reached, e or any other «criterion characterizing the possible obsolescence of the datum. :

Method uses, for example, a data filtering mechanism excluding any past and future data relating to a place on which the false alarm rate exceeds a defined threshold.

The invention also relates to a system for authenticating the position P;(t) of a mobile element, a mobile element comprising at least one GNSS receiver, k, having a function for estimating the position P; (t) of this mobile element, characterized in that it comprises at least the following elements: e¢ a location and broadcasting device suitable for determining the position and/or the speed of a mobile element and for transmitting this location information to a position server responsible for storing and/or using said information, e a receiver of GNSS navigation signals transmitted by a constellation of satellites and a mobile communication transceiver, ee a database containing reference data originating from these receivers, e a processing module executing a data aggregation process,

- e a module for determining consistency indicators which receives data, the GNSS position values and from the base, e¢ a module for detecting suspect data or positions of a mobile element.

Other features and advantages of the present invention will become more apparent on reading the description of an illustrative and nonlimiting example with appended figures which represent: e Figure 1, an example of a system for locating a mobile device, such as a vehicle, by satellite, e Figure 2, a diagram of the various elements involved in the method and the system according to the invention, e Figure 3, an illustration of the space-time vicinity of a point P,, e Figure 4, an illustration of the satellite orientation and of the definition masking, ee Figure 5, a map according to azimuth and elevation of visibility at a point, e Figure 6, the measurement of range to the cloud observed, e Figure 7, an illustration of the spatial vicinity and orientation for a satellite observation at a point P, and e Figure 8, a representation of a cell reconstruction topology.

To sum up, denerically, the method according to the invention for authenticating the GNSS position of a mobile device without having recourse to a second position source, and by using the architecture of the receivers currently used, consists notably in evaluating the temporal consistency and/or the spatial consistency of the positioning information transferred between a number of users.

Bp - 10 - - Figure 1 represents an example of location of a mobile element 10 by satellite, the mobile element being able to be a vehicle. The location system comprises, onboard the vehicle 10, a location and broadcasting device 2, called "mobile device", intended to determine the position and/or the speed of a vehicle and to transmit this location information to a position server 3 responsible for storing it and/or using it. The location and broadcasting device comprises a receiver 4 of GNSS (Global Navigation Satellite System) signals, such as a GPS (Global Positioning System) receiver, transmitted by a constellation of satellites 5a, 5b and a mobile communication transceiver 6.

The position information is computed by the GNSS receiver 4 through the use of signals 13a and 13b transmitted by the satellites 5a, 5b according to methods known to those skilled in the art.

Figure 2 schematically represents, in a simplified manner, the architecture of the system for : authenticating the position of a mobile device according to the invention.

The trajectory of the GNSS receiver installed on a mobile device consists of a series 21 of GNSS positions

P,(t), estimated at instants t which have associated with them a position uncertainty AP and a time uncertainty At. The mobile device is said to be "true" and the positions are “authentic” if they are computed from "authentic" signals, that 1s to say signals transmitted by the GNSS constellation. The mobile device is said to be "fraudulent" and the positions "not authentic" in the contrary case.

The data 21 relative to a position P; of a receiver

GNSS, k, will be transmitted and memorized in a centralized device, not represented on the figure for

B - 11 - - reasons of simplification, within a database 24, the centralized device will be connected by a communication network to the mobile elements 10. Another way of process is to memorize these data within the mobile elements 10, the aforementionned elements being interconnected and forming a network to exchange such data, according to the principles of the distributed calculus.

One of the objectives of the system is, notably, to determine the authenticity of the position of a GNSS receiver by using the collaboration between receivers k via a centralized infrastructure, for example the position server 3 (Figure 1) which allows for the comparison of recent or historical positioning data supplied by the various user receivers, without identification, in order to guarantee respect for privacy. It is also possible to use a decentralized infrastructure by equipping each of the receivers Kk with means suitable for executing the steps of the method according to the invention.

The sample E. of the reference data associated with the receivers which are taken into account to determine the authenticity is, for example, obtained from a statistical base 24 which combines and consolidates data such as: e the position, the speed, the direction, of a mobile device equipped with a GNSS receiver, ee the signal number from the satellite or PRN (Pseudo-

Random Number), the value of the user differential range error (UDRE) and the ratio C/NO (carrier-to- noise density ratio) of the visible satellites.

The process according to the invention is going to select a relevant sample Ech of data, from positions of the other receivers, for example, on criteria as the nearness or proximity in the space and according to

~- indicator type, nearness in orientation or of nearness in the time.

An optional almanac of the constellation of satellites, 23, supplies the (elevation, azimuth) pairs of the satellites theoretically visible by a receiver k. The values (elevation, azimuth) are either computed as and when needed, or stored with the other position data to speed up the computation of the indicator as will be described below. The almanac 23 is used to determine the indicators of historical quality and visibility type.

The function of a processing module 22 is notably to execute a data aggregation process according to methods known to those skilled in the art, by optimizing the statistical computations which are presented hereinbelow for each of the indicators described below. ~ The statistical operation on this sample extracts an average (the sum of measures on Ech divided by card (Ech)) or the border of a cloud of point (type of indicators " map of visibility " and " map of networks "). The result of this aggregation is a statistical data 25 little affected by equipments spoofing or swindler, the number of these equipments being weak in the sample Ech. This characteristic measure of the authentic signal, relevant for a position Pq, is considered as an autonomous reference for the position

P,.

As described in the following equations, the calculation of indicators, without contribution of technology of secondary positioning, and without period devoid of attacks, bases itself on no predetermined data, but the reference emerges from stored data. The capacity of authentification appears after the initiation of the database, the quality of this reference being increasing with time since the

.- initialization of the device and the number of concerned receivers.

The module processing 22 contains, for example, at least one mechanism of filtering receiving the results, which modifies the conposition of samples, and has the effect of decreasing the frequency of erroneous results.

The feedback in the device between decision of authenticity and selection of sample, realizes a learning process within the system formed by the receivers and the proposed device. This feedback on the selection of the sample is known to improve the reliability of the device.

The function of the aggregation of data in a statistical base 24 is notably to retain, in an optimum manner, consistent data obtained from the authentic signals received by the GNSS receivers. The use of this base 24 can be done with data obtained from terminals known to be true, or a large majority of true terminals is assumed from the outset. Three mechanisms are, for example, provided for aggregating data, aiming to increase the robustness of the system to the errors present in the collected data, and therefore the detection efficiency.

A module 26 makes it possible to determine consistency indicators. This module 26 notably receives the data from the almanac 23, the GNSS position values and from the base 24.

The function of a module 27 is notably to detect the suspect data or positions.

The system comprises a filtering mechanism by which the doubtful data are excluded from the base 24, on the

- basis of the available detection mechanisms, notably the data of a doubtful user (for whom there has been proven or assumed fraud). This filter excludes from the base any past and future datum concerning the terminal of a user for whom at least a suspicion of fraud is raised by the spoofing detection, or by any other checking means. This filtering targets the quality of the base used as reference, in order not to depend on the proportion of honest users. The filtering mechanism is, for example, implemented in the module 22.

A filtering mechanism excludes from the base 24, the places on which the detection is not reliable, in order to prevent the false alarms due to the highly variable multiple paths and local environments. This filter excludes from the base any past and future datum concerning a place on which the false alarm rate exceeds a defined threshold.

An obsolescence mechanism is used to delete from the base 24 the data for which the exactitude and the utility are diminished by age, and does so by establishing obsolescence criteria suited to a datum.

Examples of criteria are given below for several types of data.

This method involves a set of mobile and connected terminals. Two implementations of the method are described: centralized and distributed.

The use is made, for example, of a database centralized in one or more servers that can be accessed from each receiver, which receive the positioning data. The service area of a server and of the database is determined in an implementation by a trade-off between cost and performance. In a typical implementation, a base will cover a country or a region.

- An alternative implementation of the method according to the invention is to use a database that is distributed between a number of servers in the communication network, or even the sharing of this information between mobile equipment. The direct collaboration between receivers may be based on ad-hoc dynamic groups (a group being defined by a radius or a number of terminals).

The modules 26 and 27 may be implemented either in a

GNSS terminal or in a central server 3. In the case of a totally decentralized implementation, each of the receivers reconstructs the data needed to compute the indicator by interacting with the receivers belonging to the sample and itself evaluates the spoofing criteria.

These variations relate to the implementation and not the principle of the method, explained in the centralized implementation. In this case, the techniques "known to those skilled in the art" in distributed computing, services qualified as "peer-to- peer", as well as the cognitive science field of collaborative problem solving, are applied in order to perform the aggregation function and the indicator computation within the mobile device.

The algorithms used allow for the aggregation of data on a relevant scale according to the consolidated datum. The aggregation of a sufficient number of positions, or the sample Ec illustrated in Figure 3, as a vicinity of the point P;, increases the confidence in the average measurements, as long as the temporal and spatial deviation (limited by At and & respectively) of these positions does not result in the dispersion of these measurements. It will be noted that the data aggregation step uses statistical techniques "known to those skilled in the art", to optimize the search in

. the base and the computations. In the formulae presented below, the sum of measurements on Es divided by card(Eg) has been chosen for the aggregation means or aggregator. To optimize the detection, this value may, in certain cases, be pre-computed, and stored in the base.

The module 27 for detecting suspect data or positions, may be identical to the one described in its general principle by patent No. FR11/00961, for example, which estimates one or more statistical indicators, module 26, denoted Ic(P;) or Ic(n, P;) in which n corresponds to a satellite number, and P; to the position of a receiver 1 at a given instant, from which it is possible to construct a decision function concerning the position authenticity of a mobile device or of a receiver i mounted on the device. To this end, it is possible to use, typically, a true/false logic value, a fraud probability estimator p (Pi) or possibility/necessity values according to the fuzzy logic of Lofti Zadeh (Zadeh, L.A. (1965). "Fuzzy sets",

Information and Control 8 (3): 338-353, Novak, V. "Are fuzzy sets a reasonable tool for modeling vague phenomena?", Fuzzy Sets and Systems 156 (2005) 341 - 348), this value being a digital representation of a degree of confidence in the position Px of the receiver k: eo logic flag L(P;) = Ic(n, Pi) > T, e€ {0;1}, in which T is a chosen threshold, or ee probability estimator p(P;i) = £(Ic(n, P;)) in which f: [0; ow — [0; 1] is an increasing function which standardizes the indicator on [0;1]. This function is chosen from a model or experimentation to be a valid estimator of the probability of fraud, adjusted using parameters.

For example: p(P:) = 2/n*arctan(f Ic") ee [0;1] is continuous and satisfies these bounds.

The parameterizing values are, for example, the threshold value T > 0, or the factors f > 0 and m > 0.

They allow for the adjustment of the decision according to the observed distribution of the indicator used on samples representative of real trajectories and of falsified trajectories for a given mobile device. B is defined as the inverse of the value Ic corresponding to a probability of confidence of %. m can be used to set the "ramp" of the function.

Since p(P;) 1s the probability of spoofing, the complement 1-p(P;) to this value is a probability of authenticity. This probability p(P1) confidence indicator Ic(n, Pi) is obtained from one of the consistency indicators or statistical indicators 26 or a combination of some of these indicators by applying the methods known to those skilled in the art, those described in the patent FR11/00961, and at least one of the four original types of indicator: real time quality, historical quality, visibility, network, described below, using the collaboration between receivers.

Signal quality in real time

One possibility of implementing the invention consists in detecting the spoofing by using a signal quality index, when an apparatus transmits to a GNSS receiver

GNSS signals generated or transformed from authentic signals (receiver-regenerators). In practice, such a device transmits a set of signals with propagation delays an alleged location. However, this "spoofing" cannot imitate the quality of the signal which is received at a given location. In practice, the spoofing device is not exactly at the alleged position; as a matter of fact it cannot, without a collaboration of

. other receivers, be capable of reproducing the quality of the signal at this place.

The signal quality data computed for a receiver are compared to the signal quality data reported by the receivers that are closest, signal strength, uncertainty as to the user position, absence of position.

A real-time collaboration is possible by taking into account a significant population of receivers, which is the case of road toll. One alternative is to perform a historical comparison with data originating from the cooperative devices.

These characteristics of GNSS signals (received by the central server in the example of a centralized service) are managed, for example, in real-time collaboration: e the satellite numbers being tracked by the receiver (Tracked PRN) depend on the location, on the instant, on the obstacles, on the multiple paths, e signal-noise ratio (C/NO) for each satellite (PRN) received, relative to the total signal, depends on the interference, reflections and maskings (notably by foliage).

Signal/frequency noise ratio (C/NO) of the signal

The idea implemented by the method according to the invention is, in this exemplary embodiment, to construct an indicator comparing the C/NO, either absolute or relative (the instantaneous value divided by a chosen reference value, as the average over a given interval) of a signal received by a mobile device to the average of C/NO of a signal associated with other receivers in a given temporal sample.

.- = 19 - - Let S;(n, t) be the ratio C/NO of the signal received on a first receiver 1, for a location or an alleged position P;(t). Since this value S:(n, t) depends on the receiver, on the antenna and on the installation thereof on the mobile element, the recommended method is to use a relative measurement in order to dispense with the differences between terminals k. S:;(n, t) is subjected to random variations. In order to minimize the false alarm rate, the indicator Ics is expressed by integrating over the duration of this interval [tO0; tl], containing a sufficient number of measurements, this relative C/NO, divided by a chosen reference value, and this ratio being compared to the values of the relative C/NO of the received signals Sx(n, t), on a specific sample E.(P;) of receivers k. The position Py of each of the receivers k is stored in the database 24 and the method will consider the receivers k in the vicinity of the receiver 1 arranged at a range less than &, at the instant (tx), |tkx - t| < At.

Let Ex, = {k such that (Px, P1)<e and [tx - t|<At} (0) in which d(Pg,P:) is the range between two transmitter positions or locations, and At, & are parameters for the vicinity in time and space of the measurement P(t) to be checked.

The indicator Icg of the C/NO of the signal received by a receiver k over a time interval [tO;tl] is expressed as follows: 5 S, (nt) (1) with Ex (P;) defined in ley B)= [| 20 ZS 0) wl 8, card(E,(P)) in which the notation §, (dot over 8x) signifies a reference value of Sy as the average over a larger time

BR sample than the interval [to;ti], pp being chosen according to statistical criteria (p=1 combines the deviations as absolute value, and p=1 as quadratic) and n is the number of a satellite in view of the receivers. The formula for the absolute C/NO is (1) with 5, = S,=1.

User error

According to another way of proceeding, it is possible to determine an indicator based on statistics from measurements of quality of these signals received by the receiver k, such as user differential range error (UDRE) by satellite PRN, inherent in the transmitted signal. The position uncertainty also depends on these range errors between satellite and user, on the number of satellites used, on the indicator concerning the position of satellites, better known by the acronym DOP (Dilution of Precision), on the propagation delay in the ionosphere, and on the strengths (C/NO) . A consistency indicator is then constructed on the basis of the UDREs: 3 Unt) f & | @ w| U ~~ card(E,(P)) in which Ug(n,tx) is the UDRE value computed by the receiver k at the time t, and the formula is similar to the formula (1), since the definition of Uj, p and n in which the notation Uy (dot over Ux) signifies a reference value of Uy.

The absence of GNSS position, if the cases of startup of the receiver, or of failure of the receiver itself

E are excluded, is due notably to interference, reflection and masking. Typically, in a road path, such interruptions appear when passing under a bridge or through a tunnel.

The absence of GNSS position is reflected by a logic value 0, (tt), which can be compared to the unavailabilities undergone by another user by using a "global" indicator determined as follows: p

Ie,(R) = [fo ®) Zn] (3) 0 card(E (Pp )

It will be noted in the formulae (1), (2), (3) that the data are compared over times t, tx which are very close and the sample E. is defined at (0) by the instantaneous range of the receivers.

To combine these indicators Icg(n, Pi) or Icy(n, P;) of "code" quality (by satellite) into a single "global" indicator, an average is then applied to all the visible satellites according to the formula:

Ieg(P) =D _Ics(n,P) [eard(VIS)

VIS or Ie, (P) =D Ic, (n,P,) [eard(VIS) :

VIS

) 2) Signal quality history

According to another implementation, it is possible to determine indicators by using historical data resulting from a storage of positions for a number of users or receivers over time. These data have already been accumulated in proximity to the position Px of a receiver to be checked. This method makes it possible to base the computation on a sufficient sample, when the instantaneous sample E. 1s too small. However, it oc - 22 - ~ does require filtering on azimuth and elevation, which conditions the measurements of the signal from a satellite, as illustrated in Figure 4. A distinction will be drawn for global measurements (relating to all the satellites seen, see formulae 5 and 6) or measurements for a satellite at the same elevation and azimuth relative to Py (formulae 8 and 9).

The measurements of global signal quality, user and unavailability (Ics, Icy and Ico) may be associated with a single position, with no relation to time; thus, the global indicators use the definition of the sample

E, =tid(B.R)<e}.

Thus, the historical user uncertainty indicator and the set of samples considered are p with eld @) L(t) "

Ie,(R)= |! PF B42 card(E,,(P))| . (5)

E. (P) defined above.

Since the absence of GNSS reception is specified to a total masking situation, it 1s also possible to directly define the global indicator without reference to the orientation:

Yo,

Ieo(R) =" 0,() - LREalt) | (5) fo card(E,, (P ) with defined abawve.

E, (P)

The global quality data (uncertainty and availability) are deleted when the constellation has been modified (satellite removed or added).

However, the measurements on a satellite PRN (UDRE,

C/NO) are mandatorily associated with the user position and with the orientation of the satellite. From this orientation of the satellite devolve the range to the

Er satellite, the maskings, the reflections at this point, which because of this determine the attenuation and the multiple-path, and ultimately the measured strength, and the pseudo-range error.

The C/No, UDRE data are initially associated in the base 24 with a receiver k and with an instant t, and, by derivation, with the satellite orientation, given by the two angles (azimuth, elevation) at the reported point P(k), by computing, from the almanac 23, the position of the satellite n at the instant t.

The code quality data (strength, UDRE) are deleted when the satellite n is the subject of a notification by the control authority (called NANU).

On a given satellite, the set Eun(P1) of the samples taken into account for the computation of the indicators (Ics, Icy, Ico) on a measurement of strength

W, is defined in addition by a limit value § with a range function (as maximum, Euclidian) between the pair of angles (a,0) representing the satellite orientations of the receiver k and the angles for the target receiver 1:

E,(R)=k.EdBE)RO) <e et d(@dE)),@00k)<E) (7) in which o is the azimuth and 0 the elevation of the satellite n for the user at Px, at the instant t', or the pair af(t',k), and similarly a,0(t',k) for the checked position P; at the instant t. This is illustrated in Figure 7 where each axis in fact represents two dimensions.

By modifying the formulae (1), (2), (3) to use the history, the data are compared for the instants t', and the sample E'n(P;) is defined in position and time, in addition to the range of the receivers by an angular orientation range of the satellite received. The

- formulae (4), (5), (6) are thus obtained respectively for the indicators (Ics, Icy, Ice), in which the data are compared on one and the same time t.

The consistency indicator based on the signal strength, and the "pseudo range" error become, respectively: 5 S, (n,t") p with 4S, (n,t k).€E' S,

Jes(n,B) = [| 2A) _nfult) Se , (8) E'en(P1) defined ofS card(E',(R) above. with t' a variable time over which the measurements are performed, 5 U, (nt) p with

JU, nt ' k).eE' U \

Jey (n,B) = [|UD _wosFut) Ze , (9) E'c, (P1) defined fo U, card(E ch (R ) above.

These indicators can be consolidated for each observed satellite, as given by the formulae (4). 3) The visibility history map (azimuth, elevation)

Another consistency indicator 26 1s based on the visibility of satellites. For this, the aggregation step 22 involves constructing a map of visibility of satellites based on the historical position reports, in any place defined typically by an interval of coordinates in a given reference, bearing in mind that the visibility is determined mainly by fixed obstacles such as assemblages, buildings and a density of leaves or forests. Thus, the possible orientation of the visible satellites is an envelope of all the iE - 25 - - occurrences received by any receiver in a given position, illustrated in Figure 6.

This observed visibility being very variable in urban, forested or mountainous zone, is a discriminating measure with regard to the real position. On the other hand, the visibility following the almanac can be identical on hundreds of km. The statistical method of construction of such a map of visibility thus presents a decisive advantage of relevance as criterion of detection of spoofing with regard to the use of almanac, and on the other hand an economic advantage compared with other methods of forecast of the visibility. : A consistency indicator is defined between the visibility map and each satellite reported as being visible or not accordance to the position of a candidate or of a receiver. The reference procedure for this principle is to compute the probability estimate

E(n,Px) of seeing the satellite n at a point Py, at the orientation (a, 6), from the negative form of Figure 6, extracted from the cloud of the satellites of orientation (a, 6) seen at this point Px, to within eg, the observations being stored in the historical base H.

The inclusion of an observation at a point Y, under the orientation (B,p), in this cloud, is defined according to a measure of distance in a system of coordinates chosen (for Example maxi (xi-yi) <e or xi, resp yi being coordinates (latitude, longitude, height) in the

WGS84 (World Geodetic System - on 1984) for the positions P; and Y), and in a similar way a distance between (a, 6) and (3, p).

The probability estimateof a satellite visibility is computed as a function of the range inside or outside

E of this cloud, and of the density of the cloud. The more dense the cloud is inside, and empty outside, the more "rigid" the function may be because the knowledge of the visibility is unambiguous. However, the appearance of dispersed orientations would be a sign of local conditions (partial or temporary maskings, or multiple-paths), which render the indicator less certain. In order to increase the detection robustness to these conditions, the satellite visibility data are deleted when the positive indicator (or spoofing) frequency at the same place (to within eg) is above an observed likelihood threshold (environmental filter as described above).

The probability estimateof finding a satellite n at a position P; as a function of the direction ay, On, (azimuth, elevation) given by the almanac, for an assumption concerning the uncertainty of the direction §¢, is obtained by the following formula:

E(n,X) Ela, 6, } . x)=1- Minid(a.8.4,.6,). Xh.a.61¢ H. dX. Xh) ££) da.dé in which (a, 0) are observations of satellites associated with a historical position Xh and (da, 80) the acceptable deviations defined by the cloud of the observations.

The statistical indicator deduced from these probability estimatesis therefore the probability P(P: , {n}) combining the probability for each satellite PRN n, which aggregates the probability with Ng: = card({n}), in which {n} is the set of the numbers of visible satellites reported by the target receiver, done by a known method. 4) The network history map (Position, Cell)

- Figure 8 schematically represents another way of proceeding consisting in constructing a table of network cells from the reports of the historical positions Xh of a receiver 1i=1 in a cell, and contingent information supplied by the communication network, upon the reporting of the positions by the mobile device, then using said table of cells to check the positions reported by the target receiver. The principle is illustrated with the cell identity Cell-Id in a mobile cellular network obtained by the communication network according to a method known to those skilled in the art.

The collaborative building of this cross-reference table cells and positions presents an economic advantage with regard to the network use of data existing as criterion of authentification.

The indicator of consistency between the database and the candidate position X is a metric of range d(P., Xh) between P; and the aggregated positions Xh in the database H.

The probability that the cell Cig reported for the target receiver 1=1 «corresponds to the reported position P; is computed on the basis of the near positions stored in the base, or: P(cell=Ci4, knowing P; — 3 —_ Lig JE p(cellule= C,,, knowing P,) = Sd, Xb) (11) (Xh.C;y')eH in which this denominator is calculated only once for the complete base (or for all the C;q'), and the sample

Ec.n(P;) which serves as reference is the set of the positions of a receiver k stored for this cell. The learning of the field of each cell by the base 24 is illustrated in Figure 8.

- It will be noted that the method uses the Cell-Id as a tag associated with the GNSS positions during the aggregation, and does not require any secondary position by a method of "network" type. In that, it differs from the comparison of the GNSS position with the true network position, already described in the patent FR0807400.

The deletion of obsolete data can be triggered when a number of alarms reflecting a possibility of fraud in the value of the position transmitted are raised on the same cell within a short time (above a likelihood threshold), which implicate the validity of these data, or simply after a fixed age. Since the data are stored permanently, sufficient valid data remain for the check.

The aggregation of the data for statistical purposes comprises techniques “known to those skilled in the art”, in order to optimize the storage space and the search in the base and the statistical computations in the indicators. For example, the sums of measurements divided by card(E) are aggregators of the data (k,t) on a subset of the base, which can in certain cases be precomputed. Very close data can be replaced in the base by an average datum, without substantially modifying the principle explained.

It should be noted that it is essential to manage, in this base, the obsolescence of the data, the relevance of the measurements observed being able to be challenged by modifications to the environment. For example, the coverage of a cell is modified with any change to the topology of the network.

The method and the system according to the invention make it possible to avoid subtle fraud mechanisms which would try to avoid the events triggering road charging

E (areas or virtual gate) or attacks aimed at the security of goods or of people.

The solution ought to allow for a high fraud detection percentage, even subtle fraud, from inexpensive hardware equipment. No addition or modification is needed on the existing GPS receiver. It supplies incriminating information that may possibly serve as proof.

Finally, the use of these criteria outside of a pay- per-use context also makes it possible to improve the integrity in urban areas.

The collaboration of the users, most of them "non defrauders" (true terminals with authentic navigation signal) makes it possible to detect the "defrauding" users who report information inconsistent with this signal, and with no additional sensor in the mobile equipment, and also with no change to the GPS receiver.

Claims (12)

i. - 30 - . CLAIMS

1. Method for authenticating the position P;(t) of a mobile element (10), a mobile element comprising at least one GNSS receiver, k, having a function for estimating the position P; (t) of this mobile element (10), from said signals "authentic" of the GNSS constellation, the aforementioned receiver being potentially allocated by falsified signals, this method being characterized in that it : comprises, in combination, at least the following steps: e determining at least one datum (21) associated with the position P; of a GNSS receiver, i, e¢ Transmitting and storing said data (21), e aggregating a number of data (22) associated with the position of a number of GNSS receivers belonging to a set Ech(Pi), on a size of sample and a period of time superior to given thresholds, to obtain a significant statistical data (25) characteristic of the authentic signal, e determining at least one consistency indicator Ic(Pi}, (26), by comparing the first datum associated with said receiver i and the aggregated data (25) obtained from the set Ech of receivers k, on an interval of time including at least a position P; (t), e authenticating (27) the position P; of said mobile element (10) by using one or more of said consistency indicators Ic(P;) in an authenticity decision function or to raise a suspicion of fraud on behalf of the user of this receiver i, as regards the position Pi.

2. Method according to Claim 1, characterized in that the aggregation and indicator computation steps are performed in a centralized device linked by a

E communication network to said mobile elements (10).

3. Method according to Claim 1, characterized in that the aggregation and indicator computation steps are performed within said mobile elements (10) linked together and forming a network, following the principles of distributed computation.

4, Method according to Claim 1, 2 or 3, characterized in that, to authenticate the position P;(t) of a mobile element (10), the consistency indicator Ic(P;) is computed on the basis of the strength Sx(n, t) of signal received by the receiver k, by considering the receivers k in the vicinity of the receiver 1, arranged at a range less than g, at the instant (tk), with tx - t < At, and At, & being parameters of said consistency indicator, in which n 1s the satellite number in sight of the receivers.

5. Method according to Claim 1, 2 or 3, characterized in that, to authenticate the position P;(t) of a mobile element, according to a measurement associated with a satellite n, the method uses a set of samples obtained from a historical positions base, in which the position Px of a sample at the instant t' and the orientation of the satellite n indicated by the azimuth, elevation pair af(t',k) is sufficiently close to P,(t) and af(t,1).

6. Method according to Claim 1, 2 or 3, characterized in that, to authenticate the position P;(t) of a mobile element, according to a global measurement relating to all the satellites seen, the method uses a set of samples from a historical positions

ST - 32 - E base, for which the position Px at the instant t' is sufficiently close to Py (t).

7. Method according to Claim 1, 2 or 3, characterized in that the data aggregation step comprises in combining at least the following steps: oe the construction of a map of visibility of a satellite based on reports of positions of the receivers k stored in a database (24), e¢ analysis of the cloud of point in order to determine the density and the border, e the computation of the probability estimate of finding a satellite n at a position X as a function of the azimuth direction a, elevation 0, for an assumption as to the uncertainty of the direction §, and in that the probability p(P., {n}) is deduced from these probability estimates, as consistency indicator for each satellite PRN n, with Ngat = card({n}), in which {n} is the set of the visible satellite numbers reported by the receiver k.

8. Method according to Claim 1, 2 or 3, characterized in that said method constructs a table of network cells based on the reports of the historical positions Xh stored in the database (24) and of contingent information supplied by the communication network such as the cell identity Cell-Id in a mobile cellular network and in that it determines, as indicator of consistency between the database and the candidate position X, a range metric between X and the aggregated positions Xh and in that it uses, as authenticity function, the value of the probability that the cell reported for the target receiver corresponds to the position X and the sample Eu which serves as

E reference is the set of the positions stored for this cell.

9. Method according to Claim 1, 2 or 3, characterized in that it uses, uses the measure and the decision of authenticity in feedback on the selection of the sample.

10. Method according to Claim 9, characterized in that it uses a data filtering mechanism excluding any past and future datum concerning the terminal of a user for which at least a suspicion of fraud is raised.

11. Method according to Claim 1, 2 or 3, characterized in that it uses an obsolescence mechanism in which the data for which the exactitude and utility are diminished by age are deleted from the base (24), by establishing obsolescence criteria adapted to the datum, said criteria being chosen from the following list: e the code quality, strength, UDRE data are deleted when the satellite n is the subject of a notification by the control authority, e the global quality, uncertainty and availability data are deleted when the constellation has been modified, e the satellite visibility data are deleted when the positive spoofing indicator frequency on the same place to within & is above an observed likelihood threshold, eo the cell data are deleted when the positive spoofing indicator frequency on the same cell is above an observed likelihood threshold, e any datum is deleted when an age limit is reached, e or any other «criterion characterizing the possible obsolescence of the datum.

12. Method according to one of Claims 9, characterized in that it uses a data filtering mechanism excluding any past and future data relating to a place on which the false alarm rate exceeds a defined threshold.