WO2016003262A1 - A system and method for detecting global positioning system anomalies - Google Patents


Publication number
WO2016003262A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
analyser
location
local area
gps
Application number
PCT/MY2015/050064
Inventor
Chin Teong TAN
Horng Yih YAP
Kum Khoon ZEE
Original Assignee
Mimos Berhad
Application filed by Mimos Berhad

Classifications

    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01S RADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
    • G01S19/00 Satellite radio beacon positioning systems; Determining position, velocity or attitude using signals transmitted by such systems
    • G01S19/01 Satellite radio beacon positioning systems transmitting time-stamped messages, e.g. GPS [Global Positioning System], GLONASS [Global Orbiting Navigation Satellite System] or GALILEO
    • G01S19/13 Receivers
    • G01S19/21 Interference related issues; Issues related to cross-correlation, spoofing or other methods of denial of service
    • G01S19/215 Interference related issues; Issues related to cross-correlation, spoofing or other methods of denial of service issues related to spoofing
    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04K SECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K3/00 Jamming of communication; Counter-measures
    • H04K3/20 Countermeasures against jamming
    • H04K3/22 Countermeasures against jamming including jamming detection and monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04K SECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K3/00 Jamming of communication; Counter-measures
    • H04K3/60 Jamming involving special techniques
    • H04K3/65 Jamming involving special techniques using deceptive jamming or spoofing, e.g. transmission of false signals for premature triggering of RCIED, for forced connection or disconnection to/from a network or for generation of dummy target signal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04K SECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K3/00 Jamming of communication; Counter-measures
    • H04K3/80 Jamming or countermeasure characterized by its function
    • H04K3/90 Jamming or countermeasure characterized by its function related to allowing or preventing navigation or positioning, e.g. GPS
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04K SECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K2203/00 Jamming of communication; Countermeasures
    • H04K2203/10 Jamming or countermeasure used for a particular application
    • H04K2203/18 Jamming or countermeasure used for a particular application for wireless local area networks or WLAN

Definitions

  • the present invention relates to a Global Positioning System (GPS). More particularly, the present invention relates to a system and method for detecting anomalies of a GPS.
  • GPS Global Positioning System
  • an anti-spoofing detection system is disclosed in a United States Patent Publication No. 2013/0328719 A1 , wherein the anti-spoofing detecting system detects counterfeit position location data that are transmitted by a counterfeit signal source. This is done through a comparison with signals from higher reliability sources or by comparison against known transmitter information. The system then marks inconsistent data based on the comparison.
  • the present invention relates to a system (1000) and method for detecting anomalies of a Global Positioning System (GPS) in a mobile device.
  • the system (1000) comprises of a GPS receiver (200) to provide location information connected to a processor (100); a memory (300) and a storage (400) to store programs and data; a clock (500) to provide date and time data; a signal processor (600) to convert analogue signals to digital signals, wherein the signal processor (600) is connected to an antenna switch (650); and a Decision Display Module (700) to display a final result of any detected anomaly.
  • the system (1000) is characterized in that the processor (100) includes a Tracking Module (10) to track time, GPS data, telecommunication network signal data and wireless local area network signal data, wherein these data are stored in the storage (400); an Application Programming Interface (API) Module (20) to synchronise a centralised date and time data with the date and time data of the mobile device; and an Analysis Module (30) to obtain data snapshots of the mobile device's state, analyse the data and detect any potential anomaly of the GPS in the mobile device.
  • API Application Programming Interface
  • the Analysis Module (30) includes a High Frequency Data Acquisition component (31) to obtain data snapshots of the state of the mobile device; a Travel Motion Analyser (32) to calculate the speed between each stored GPS location data using the GPS coordinates and the centralised date and time data; a Wifi Displacement Model Analyser (33) used to detect anomaly by performing a rule-based correlation between wireless local area network signal strength and GPS location data; a GSM Location Analyser (34) to detect anomaly by performing a rule-based correlation between telecommunication network signal data and GPS location data; a Modal Analysis Logic component (35) to merge the output results from the Travel Motion Analyser (32), the Wifi Displacement Analyser (33) and the GSM Location Analyser (34); and an Interface component (36) to send a final result to the Decision Display Module (700).
  • the data snapshots obtained by the High Frequency Data Acquisition component (31) include GPS coordinates, telecommunication network signals, wireless local area network signals and date and time data.
  • a method for detecting anomalies of a Global Positioning System (GPS) in a mobile device is characterised by the steps of obtaining data snapshots of the mobile device's state at a default interval of 10 minutes; calculating the speed between each data snapshot by using GPS coordinates, centralised based date and time data and the mobile device's date and time data by a Travel Motion Analyser (32); testing the correlation of each data snapshot by using the GPS coordinates and the wireless local area network signal data by a Wifi Displacement Model Analyser (33); testing the correlation of each data snapshot using GPS coordinates and telecommunication network location by a GSM Location Analyser (34); merging output results from the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34) by a Modal Analysis Logic component (35); and sending the merged output results to a Decision Display Module (700) via an Interface component (36).
  • the step of calculating the speed between each data snapshot by the Travel Motion Analyser (32) includes computing distance travelled between two records in a log file; computing travelling speed by using the computed distance travelled and time obtained between the two records; determining a travel mode of the mobile device as a flight mode if the distance travelled is more than or equal to a predefined distance; determining the travel mode of the mobile device as a normal mode if the distance travelled is less than the predefined distance; comparing the computed travelling speed against a pre-set travelling speed limit; triggering a speed violation if the computed travelling speed limit exceeds the pre-set travelling speed limit; comparing the mobile device's date and time data against the centralised date and time data if the computed travelling speed does not exceed the pre-set travelling speed limit; triggering a date and time violation if the date and time data of the mobile device and the centralised date and time data are not the same; and sending the computed violation results to the Modal Analysis Logic component (35).
  • the step of testing the correlation of each data snapshot by using the GPS coordinates and the wireless local area network signal data by the Wifi Displacement Model Analyser (33) includes obtaining a list of wireless local area network and location information from previous data snapshots and current data snapshots; iterating the wireless local area network list; obtaining the distance between a previous and current location; determining the changes in the wireless local area network signal if the distance between the previous and current location is equal or more than a first predetermined distance; adding the data snapshot in an abnormal list if the location distance has a change of more than a second predetermined distance but the wireless local area network signal level has not changed; adding the data snapshot in a normal list if the location distance has a change of more than the second predetermined distance and the wireless local area network signal level has changed; computing the percentage of abnormal wireless local area network among the total wireless local area network; triggering a wireless local area network signal violation if the percentage of abnormal wireless local area network is more than 50%; determining if there is any unusual wireless local area network signal pattern
  • the steps include determining if a threshold quantity is exceeded; adding the data snapshot in the abnormal list if a threshold quantity is exceeded; adding the data snapshot in the normal list if the threshold quantity is not exceeded; computing the percentage of abnormal wireless local area network among the total wireless local area network; generating an alert signal if the percentage is more than 50%; determining if there is any unusual wireless local area network signal pattern if the percentage of abnormal wireless local area network is less than 50%; triggering a wireless local area network signal violation if any anomaly is detected; and sending the computed violation results to the Modal Analysis Logic component (35).
  • GPS coordinates and telecommunication network location by a GSM Location Analyser includes obtaining a current telecommunication network location and a current GPS discovered location from the data snapshots; obtaining a previous telecommunication network location and a previous GPS discovered location from the previous data snapshots; computing a telecommunication network location data; computing a GPS discovered location data; computing a violation result using a logic based on the computed values of the telecommunication network location data and the GPS discovered location data; and sending the computed violation results to the Modal Analysis Logic component (35).
  • the step of merging output results from the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34) by a Modal Analysis Logic component (35) includes obtaining individual binary results produced by the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34); multiplying each result with a weightage based on the type of analysis; computing a total score by summing up all the scores from the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34); comparing the total score to a predefined scoring threshold; merging output results as anomaly if the total score exceeds the predefined scoring threshold; and merging output results as normal if the total score is less than the predefined scoring threshold.
  • FIG. 1 illustrates a block diagram of a system (1000) for detecting anomalies of a Global Positioning System (GPS) according to an embodiment of the present invention.
  • FIG. 2 illustrates a detailed block diagram of a processor (100) of the system (1000) of FIG. 1.
  • FIG. 3 illustrates a flowchart of a method for detecting anomalies of a GPS according to an embodiment of the present invention.
  • FIG. 4 illustrates an example of a data snapshot of a mobile device.
  • FIG. 5 illustrates a flowchart of the substeps for validating the speed data and the date and time data of the mobile device by a Travel Motion Analyser (32).
  • FIG. 6 (a) illustrates an example of speed data anomaly detection by the Travel Motion Analyser (32)
  • FIG. 6 (b) illustrates an example of date and time data anomaly detection by the Travel Motion Analyser (32).
  • FIG. 7 illustrates a flowchart of the substeps for testing the correlation of data snapshots by a Wifi Displacement Model Analyser (33).
  • FIG. 8 (a) illustrates an example of a normal condition for a Wifi signal level unusual pattern checking.
  • FIG. 8 (b) illustrates an example of an abnormal condition for a Wifi signal level unusual pattern checking.
  • FIG. 9 illustrates a flowchart of the substeps for testing the correlation of data snapshots by a Global System for Mobile communication (GSM) Location Analyser (34).
  • GSM Global System for Mobile communication
  • FIG. 10 illustrates an example of a comparison between a normal scenario and an abnormal scenario of a correlation between GPS coordinates and GSM location data.
  • FIG. 11 illustrates a flowchart of the substeps for merging output results by a Modal Analysis Logic component (35).
  • FIG. 12 illustrates an example of merging the output results from all analysers for anomaly detection.
  • the system (1000) that is implemented in a mobile device, comprises of a processor (100) which is connected to a GPS receiver (200) to provide location information; a memory (300) and a storage (400) to store programs and data; a clock (500) to provide date and time data; a signal processor (600) to convert analogue signals to digital signals, wherein the signal processor (600) is connected to an antenna switch (650); and a Decision Display Module (700) to display a final result of any detected anomaly.
  • a detailed block diagram of the processor (100) is shown in FIG. 2, wherein the processor (100) comprises of three modules which are a Tracking Module (10); an Application Programming Interface (API) Module (20); and an Analysis Module (30).
  • the Tracking Module (10) is used to track time, GPS data, Global System for Mobile communication (GSM) signal data and Wifi signal data, wherein these data are stored in the storage (400).
  • the API Module (20) is used to synchronise a centralised date and time data with the date and time data of the mobile device, wherein the API Module (20) automatically synchronises the date and time data of the mobile device periodically using a network time protocol (NTP) server.
  • NTP network time protocol
  • the Analysis Module (30) is used to obtain data snapshots of the mobile device's state, analyse the data and detect any potential anomaly of the GPS in the mobile device.
  • the Analysis Module (30) further comprises of a High Frequency Data Acquisition component (31), a Travel Motion Analyser (32), a Wifi Displacement Model Analyser (33), a GSM Location Analyser (34), a Modal Analysis Logic component (35) and an Interface component (36).
  • the High Frequency Data Acquisition component (31) is also connected to the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34).
  • the Travel Motion Analyser (32) which is also connected to the Modal
  • Travel Motion Analyser (32) detects potential speed anomaly and date and time data anomaly based on a calculation result.
  • the Wifi Displacement Model Analyser (33) is used to detect anomaly by performing a rule-based correlation between Wifi signal strength and GPS location data.
  • the Wifi Displacement Model Analyser (33) is also connected to the Modal Analysis Logic component (35).
  • the GSM Location Analyser (34) detects anomaly by performing a rule-based correlation between GSM signal data and GPS location data.
  • the GSM Location Analyser (34) is also connected to the Modal Analysis Logic component (35).
  • the Modal Analysis Logic component (35) merges the output results from the
  • FIG. 3 illustrates a flowchart of a method for detecting anomalies of the GPS according to an embodiment of the present invention.
  • the High Frequency Data Acquisition component (31) obtains data snapshots of the state of the mobile device at a default interval of 10 minutes.
  • the data may include the GPS coordinates, Wifi signal data, GSM signal data, mobile device's date and time data and the centralised based date and time data as in step 2100.
  • the High Frequency Data Acquisition component (31) receives a centralised date and time data which is stored as a first record. Subsequent records are the calculated records which are added to the previous record with a default interval of 10 minutes.
  • an example of a data snapshot of the mobile device is shown in FIG. 4, wherein the data snapshot has records of the GPS location data; centralised date and time data; and the date and time data of the mobile device with an interval of 10 minutes.
  • the High Frequency Data Acquisition component (31) only reads the first record from the configured NTP server through the API Module (20), while the subsequent data is calculated by incrementing 10 minutes interval for each record.
  • the Travel Motion Analyser (32) calculates the speed between each data snapshot as in step 2200 by using GPS coordinate, centralised date and time data and the mobile device's date and time data.
  • the Travel Motion Analyser (32) also determines the travel mode of the mobile device which can either be a flight mode or a normal mode, besides checking the validity of the speed data and the validity of the date and time data of the mobile device.
  • the Wifi Displacement Model Analyser (33) then tests the correlation of each data snapshot by using the GPS coordinates and the Wifi signal data as in step 2300.
  • the GSM Location Analyser (34) tests the correlation of each data snapshot using GPS coordinates and GSM location data as in step 2400.
  • the output results from the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34) are merged by the Modal Analysis Logic component (35) before the Modal Analysis Logic component (35) sends the merged output results to the Decision Display Module (700) via the Interface component (36) as in step 2500.
  • FIG. 5 illustrates a flowchart of the substeps for the step 2200, wherein the Travel Motion Analyser (32) calculates the speed between each data snapshot.
  • the Travel Motion Analyser (32) reads the log file in the mobile device as in steps 2210 to 2220.
  • the record of the log file includes the current and subsequent records of the centralised and the mobile device's date and time data; and the GPS coordinates of the mobile device which is in longitude and latitude.
  • the Travel Motion Analyser (32) computes the distance travelled between two records from the log file as in step 2225. By using the computed distance travelled and time obtained between the two records, the travelling speed is determined as in step 2230. If the distance travelled is more than or equal to a predefined distance of x km as in decision 2235, a pre-set travelling speed limit of F km/H is used as in step 2240, wherein the Travel Motion Analyser (32) determines the travel mode of the mobile device as a flight mode.
  • the predefined distance is 50 km and preferably, the pre-set travelling speed limit is 920 km/H.
  • if the distance travelled is less than the predefined distance, x km, another pre-set travelling speed limit of L km/H is used as in step 2245, wherein the Travel Motion Analyser (32) determines the travel mode of the mobile device as a normal mode.
  • the predefined distance is 50 km and preferably, the pre-set travelling speed limit is 250 km/H.
  • the computed travelling speed is checked against the pre-set travelling speed limit as in decision 2250. If the computed travelling speed exceeds the pre-set travelling speed limit, a speed violation is triggered with an output result of a value of "1" as in step 2255. The speed violation output result is then used by the Modal Analysis Logic component (35) to be merged with other output results.
  • an example of speed data anomaly detection by the Travel Motion Analyser (32) is shown in FIG. 6 (a), wherein the Travel Motion Analyser (32) determines a travelling speed of a mobile device by using the distance of sibling records.
  • the Travel Motion Analyser (32) computes the distance travelled between the time data of 01:20 and 01:30, wherein the location of the mobile device at 01:20 is at Kulim HiTech Park (KHTP), and wherein the location of the mobile device at 01:30 is at Technology Park Malaysia (TPM).
  • KHTP Kulim HiTech Park
  • TPM Technology Park Malaysia
  • the Travel Motion Analyser (32) computes that the distance travelled is more than 290 km with a travelling speed of 1740 km/H, wherein the travel mode of the mobile device is determined as a flight mode. Since the travelling speed exceeds the pre-set travelling speed limit of 920 km/H, the speed violation is triggered.
  • the mobile device's date and time data is checked against the centralised date and time data as in step 2255 and decision 2265. If both date and time data are the same, the Travel Motion Analyser (32) continues reading and processing the next record until the last record as in decision 2275 and step 2280 before the process repeats from step 2215 which is to read the log file in the mobile device.
  • the date and time violation is triggered with an output result of a value of "1" as in step 2275.
  • the time violation output result is then used by the Modal Analysis component (35) to be merged with other output results.
  • an example of date and time data anomaly detection by the Travel Motion Analyser is shown in FIG. 6 (b), wherein the Travel Motion Analyser (32) detects the date and time data violation by comparing the date and time data of the mobile device against the centralised date and time data. Since the Travel Motion Analyser (32) detects the mobile device's time data which is 02:30 is not synchronised with the centralised time data which is 01:40, the date and time data violation is triggered.
  • the flowchart illustrates the substeps for step 2300 which is to test the correlation of each data snapshot by using the GPS coordinates and the Wifi signal data by the Wifi Displacement Model Analyser (33).
  • after the Travel Motion Analyser (32) checks the validity of the speed data and the validity of the mobile device's date and time data, the Wifi Displacement Model Analyser (33) reads the list of Wifi networks and location information from the previous data snapshots and the current data snapshots as in steps 2310 and 2315. Once all the data is obtained, the Wifi Displacement Model Analyser (33) starts iterating the Wifi network list as in step 2320. During the iteration, the Wifi Displacement Model Analyser (33) obtains the distance between a previous and a current location of the mobile device.
  • the Wifi Displacement Model Analyser (33) determines the changes in the Wifi signal as in decision 2325.
  • the first predetermined distance is 10 meters.
  • the Wifi signal level changes and actual location distance has a change of more than a second predetermined distance as in decision 2330, no anomaly is detected and the Wifi Displacement Model Analyser (33) adds the data snapshot in a normal list as in step 2345.
  • the second predetermined distance is 30 meters.
  • the Wifi Displacement Model Analyser (33) adds the data snapshot in an abnormal list as in step 2340.
  • the second predetermined distance is 30 meters.
  • the Wifi Displacement Model Analyser (33) determines if there is a new discovered Wifi network or if a threshold quantity is exceeded as in decision 2335.
  • the Wifi Displacement Model Analyser (33) adds the data snapshot in the normal list as in step 2345.
  • the Wifi Displacement Model Analyser (33) adds the data snapshot in the abnormal list as in step 2340. Once the iteration is completed as in decision 2350, the Wifi Displacement Model Analyser (33) computes the percentage of abnormal Wifi network among the total Wifi network which comprises of the normal and abnormal Wifi network. If the percentage is more than 50% as in decision 2355, a Wifi signal violation is triggered, wherein an alert signal is generated as in step 2365. The output result has a value of "1", wherein the violation result is then used by the Modal Analysis Logic component (35) to be merged with other output results.
  • the Wifi Displacement Model Analyser (33) determines if there is any unusual Wifi signal pattern as in decision 2360 called as Unusual Wifi Signal pattern checking. During the Unusual Wifi Signal pattern checking, anomaly is detected if the Wifi signal violates the signal pattern checking.
  • a normal signal is generated as in step 2370, wherein the output result has a value of "0".
  • a Wifi signal violation is triggered, wherein an alert signal is generated as in step 2365, and wherein the output result has a value of "1".
  • the violation result is then used by the Modal Analysis Logic component (35) to be merged with other output results.
  • an example of a normal condition for a Wifi signal level unusual pattern checking is shown in FIG. 8 (a), wherein when the distance is nearer to a Wifi antenna station, the signal is strong, whereas as the distance gets further, the signal gets weaker.
  • an example of an abnormal condition for a Wifi signal level unusual pattern checking is shown in FIG. 8 (b). Since the Wifi signal strength does not correlate to the distance relative to the Wifi antenna station, the alert signal is generated.
  • FIG. 9 illustrates a flowchart of the substeps for step 2400 which is to test the correlation of each data snapshot by using the GPS coordinates and GSM location data by the GSM Location Analyser (34).
  • besides using a location name that is identified by using a GSM location, A which is a GSM signal data, the GSM Location Analyser (34) also uses a GPS discovered location, B that is identified by using the GPS coordinates from the satellite signal as in step 2410 to provide the current location of the mobile device.
  • the GSM Location Analyser (34) obtains a current GSM location, A1 and a current GPS discovered location, B1 from the data snapshots as in step 2415. Thereon, the GSM Location Analyser (34) obtains a previous GSM location, A0 and a previous GPS discovered location, B0 from the previous data snapshots as in step 2420.
  • the GSM location data is computed based on the change in state between A1 and A0 as in step 2425.
  • the computed value, A' is in a state of true when there is any changes in the signal received from radio towers.
  • the computed value, A' is in a state of false when there is no change in the signal received from radio towers.
  • the GPS discovered location data is also computed based on the change in state between B1 and B0.
  • the computed value, B' is in a state of true when there is any change in the signal received from radio towers.
  • the computed value, B' is in a state of false when there is no change in the signal received from radio towers.
  • the GSM Location Analyser (34) computes a violation result as in decision 2430 using a logic.
  • the logic states that if A' is true and if B' is false, it is considered as an abnormal scenario of a correlation between GSM location data and GPS coordinates. Hence, a violation is triggered.
  • the final result has a value of "1" as in step 2440.
  • the GSM Location Analyser (34) then sends the computed violation results to be used later by the Modal Analysis Logic component (35) to merge the output results.
  • the logic states that if A' is true and if B' is true; or if A' is false and if B' is false; or if A' is false but if B' is true; it is considered as a normal scenario of a correlation between GSM location data and GPS coordinates. Hence, the violation is not triggered. When the violation is not triggered, the final result has a value of "0" as in step 2435.
  • the computed violation results are then sent to the Modal Analysis Logic component (35) by the GSM Location Analyser (34) to be merged with the other output results.
  • FIG. 10 shows an example of a comparison between a normal scenario and an abnormal scenario of a correlation between GSM location data and GPS coordinates; wherein 0 represents a normal scenario and 1 represents an abnormal scenario.
  • FIG. 11 illustrates the substeps of merging the output results by the Modal Analysis Logic component (35), wherein the output results are from the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34).
  • the Modal Analysis Logic component (35) obtains the individual binary results produced by the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34) as in step 2510.
  • the Modal Analysis Logic component (35) multiplies each result with a weightage based on the type of the analysis as in step 2515.
  • the Modal Analysis Logic component (35) then computes a total score by summing up all the scores from all the analysers as in step 2520.
  • the analysers include the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34). The total score is compared to a predefined scoring threshold as in step 2525.
  • FIG. 12 illustrates an example of computing a total score from all analysers for anomaly detection.
  • the Travel Motion Analyser (32) has the biggest percentage contribution in computing the total score for anomaly detection, wherein the Travel Motion Analyser (32) has a weight of 60% whereas the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34) contribute a weightage of 20% each to enhance a full system accuracy of detecting the anomalies of different behaviour. Since the readings for the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34) only change when the resolution of the location data is more than 30 meters, these two analysers have less accuracy compared to the Travel Motion Analyser (32).

Abstract

The present invention relates to a system (1000) and method for detecting anomalies of a Global Positioning System (GPS). The system (1000), which is implemented in a mobile device, comprises a processor (100) having three modules. The three modules are a Tracking Module (10) to track time, GPS data, Global System for Mobile communication (GSM) signal data and Wifi signal data; an Application Programming Interface (API) Module (20) to synchronise the centralised date and time data with the date and time data of the mobile device; and an Analysis Module (30) to obtain data snapshots of the mobile device's state, analyse the data and detect any potential anomaly of the GPS in the mobile device.

Description

A SYSTEM AND METHOD FOR DETECTING GLOBAL POSITIONING SYSTEM ANOMALIES
FIELD OF INVENTION
The present invention relates to a Global Positioning System (GPS). More particularly, the present invention relates to a system and method for detecting anomalies of a GPS.
BACKGROUND OF THE INVENTION
The Global Positioning System (GPS) is convenient and useful in everyday life as it provides the exact position anywhere on the Earth. With a GPS receiver in a mobile device, people can determine their current location, time and velocity. It is also used by civilians as a navigation system, wherein the GPS receiver provides a result in the form of a geographic position, namely longitude and latitude.
Recently, however, many GPS spoofing attacks or GPS hackings have been attempted by people with wrongful intentions. These include broadcasting false GPS signals, rebroadcasting real signals captured elsewhere or at a different time, and many others. The purpose of these malicious acts is to grant the hacker access to resources, whether for redeeming monetary value or for breaching security.
As a result, much research has been done to produce devices that can detect GPS anomalies. An example of an anti-spoofing detection system is disclosed in United States Patent Publication No. 2013/0328719 A1, wherein the anti-spoofing detection system detects counterfeit position location data that are transmitted by a counterfeit signal source. This is done through a comparison with signals from higher reliability sources or by comparison against known transmitter information. The system then marks inconsistent data based on the comparison.
Another United States Patent Publication, No. 2013/0002477 A1, discloses a method and system for detecting, identifying and mitigating GPS spoofing attacks. It provides a collaborative approach through corresponding software analysis for detecting and mitigating GPS spoofing attacks in an information network. The disclosed system utilises a combination of information acquired from GPS-based and inertial navigation system (INS) based devices to accurately detect the presence of GPS spoofing signals via a binary hypothesis testing process.
Although there are many systems that address the GPS spoofing and hacking issues, many mobile devices are not designed to be flexible enough to meet a wide range of end-user needs. Many mobile devices have limited hardware capability, such as volatile storage space and processing power. Due to the increasing demand for such a GPS anomaly detection system, there is a need for a GPS anomaly detection system that is efficient and deals with the above-mentioned constraint.
SUMMARY OF INVENTION
The present invention relates to a system (1000) and method for detecting anomalies of a Global Positioning System (GPS) in a mobile device. The system (1000) comprises a GPS receiver (200) to provide location information connected to a processor (100); a memory (300) and a storage (400) to store programs and data; a clock (500) to provide date and time data; a signal processor (600) to convert analogue signals to digital signals, wherein the signal processor (600) is connected to an antenna switch (650); and a Decision Display Module (700) to display a final result of any detected anomaly.
The system (1000) is characterized in that the processor (100) includes a Tracking Module (10) to track time, GPS data, telecommunication network signal data and wireless local area network signal data, wherein these data are stored in the storage (400); an Application Programming Interface (API) Module (20) to synchronise a centralised date and time data with the date and time data of the mobile device; and an Analysis Module (30) to obtain data snapshots of the mobile device's state, analyse the data and detect any potential anomaly of the GPS in the mobile device.
Preferably, the Analysis Module (30) includes a High Frequency Data Acquisition component (31) to obtain data snapshots of the state of the mobile device; a Travel Motion Analyser (32) to calculate the speed between each stored GPS location data using the GPS coordinates and the centralised date and time data; a Wifi Displacement Model Analyser (33) used to detect anomaly by performing a rule-based correlation between wireless local area network signal strength and GPS location data; a GSM Location Analyser (34) to detect anomaly by performing a rule-based correlation between telecommunication network signal data and GPS location data; a Modal Analysis Logic component (35) to merge the output results from the Travel Motion Analyser (32), the Wifi Displacement Analyser (33) and the GSM Location Analyser (34); and an Interface component (36) to send a final result to the Decision Display Module (700).
Preferably, the data snapshots obtained by the High Frequency Data Acquisition component (31) include GPS coordinates, telecommunication network signals, wireless local area network signals and date and time data.
A method for detecting anomalies of a Global Positioning System (GPS) in a mobile device is characterised by the steps of obtaining data snapshots of the mobile device's state at a default interval of 10 minutes; calculating the speed between each data snapshot by using GPS coordinates, centralised based date and time data and the mobile device's date and time data by a Travel Motion Analyser (32); testing the correlation of each data snapshot by using the GPS coordinates and the wireless local area network signal data by a Wifi Displacement Model Analyser (33); testing the correlation of each data snapshot using GPS coordinates and telecommunication network location by a GSM Location Analyser (34); merging output results from the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34) by a Modal Analysis Logic component (35); and sending the merged output results to a Decision Display Module (700) via an Interface component (36).
Preferably, the step of calculating the speed between each data snapshot by the Travel Motion Analyser (32) includes computing distance travelled between two records in a log file; computing travelling speed by using the computed distance travelled and time obtained between the two records; determining a travel mode of the mobile device as a flight mode if the distance travelled is more than or equal to a predefined distance; determining the travel mode of the mobile device as a normal mode if the distance travelled is less than the predefined distance; comparing the computed travelling speed against a pre-set travelling speed limit; triggering a speed violation if the computed travelling speed exceeds the pre-set travelling speed limit; comparing the mobile device's date and time data against the centralised date and time data if the computed travelling speed does not exceed the pre-set travelling speed limit; triggering a date and time violation if the date and time data of the mobile device and the centralised date and time data are not the same; and sending the computed violation results to the Modal Analysis Logic component (35).
Preferably, the step of testing the correlation of each data snapshot by using the GPS coordinates and the wireless local area network signal data by the Wifi Displacement Model Analyser (33) includes obtaining a list of wireless local area network and location information from previous data snapshots and current data snapshots; iterating the wireless local area network list; obtaining the distance between a previous and current location; determining the changes in the wireless local area network signal if the distance between the previous and current location is equal or more than a first predetermined distance; adding the data snapshot in an abnormal list if the location distance has a change of more than a second predetermined distance but the wireless local area network signal level has not changed; adding the data snapshot in a normal list if the location distance has a change of more than the second predetermined distance and the wireless local area network signal level has changed; computing the percentage of abnormal wireless local area network among the total wireless local area network; triggering a wireless local area network signal violation if the percentage of abnormal wireless local area network is more than 50%; determining if there is any unusual wireless local area network signal pattern if the percentage of abnormal wireless local area network is less than 50%; triggering a wireless local area network signal violation if any anomaly is detected; and sending the computed violation results to the Modal Analysis Logic component (35).
Preferably, if the distance between the previous and current location is less than the first predetermined distance, the steps include determining if a threshold quantity is exceeded; adding the data snapshot in the abnormal list if a threshold quantity is exceeded; adding the data snapshot in the normal list if the threshold quantity is not exceeded; computing the percentage of abnormal wireless local area network among the total wireless local area network; generating an alert signal if the percentage is more than 50%; determining if there is any unusual wireless local area network signal pattern if the percentage of abnormal wireless local area network is less than 50%; triggering a wireless local area network signal violation if any anomaly is detected; and sending the computed violation results to the Modal Analysis Logic component (35).
Preferably, the step of testing the correlation of each data snapshot using GPS coordinates and telecommunication network location by a GSM Location Analyser (34) includes obtaining a current telecommunication network location and a current GPS discovered location from the data snapshots; obtaining a previous telecommunication network location and a previous GPS discovered location from the previous data snapshots; computing a telecommunication network location data; computing a GPS discovered location data; computing a violation result using a logic based on the computed values of the telecommunication network location data and the GPS discovered location data; and sending the computed violation results to the Modal Analysis Logic component (35).
Preferably, the step of merging output results from the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34) by a Modal Analysis Logic component (35) includes obtaining individual binary results produced by the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34); multiplying each result with a weightage based on the type of analysis; computing a total score by summing up all the scores from the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34); comparing the total score to a predefined scoring threshold; merging output results as anomaly if the total score exceeds the predefined scoring threshold; and merging output results as normal if the total score is less than the predefined scoring threshold.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention.
FIG. 1 illustrates a block diagram of a system (1000) for detecting anomalies of a Global Positioning System (GPS) according to an embodiment of the present invention.
FIG. 2 illustrates a detailed block diagram of a processor (100) of the system (1000) of FIG. 1.
FIG. 3 illustrates a flowchart of a method for detecting anomalies of a GPS according to an embodiment of the present invention.
FIG. 4 illustrates an example of a data snapshot of a mobile device.
FIG. 5 illustrates a flowchart of the substeps for validating the speed data and the date and time data of the mobile device by a Travel Motion Analyser (32).
FIG. 6 (a) illustrates an example of speed data anomaly detection by the Travel Motion Analyser (32).
FIG. 6 (b) illustrates an example of date and time data anomaly detection by the Travel Motion Analyser (32).
FIG. 7 illustrates a flowchart of the substeps for testing the correlation of data snapshots by a Wifi Displacement Model Analyser (33).
FIG. 8 (a) illustrates an example of a normal condition for a Wifi signal level unusual pattern checking.
FIG. 8 (b) illustrates an example of an abnormal condition for a Wifi signal level unusual pattern checking.
FIG. 9 illustrates a flowchart of the substeps for testing the correlation of data snapshots by a Global System for Mobile communication (GSM) Location Analyser (34).
FIG. 10 illustrates an example of a comparison between a normal scenario and an abnormal scenario of a correlation between GPS coordinates and GSM location data.
FIG. 11 illustrates a flowchart of the substeps for merging output results by a Modal Analysis Logic component (35).
FIG. 12 illustrates an example of merging the output results from all analysers for anomaly detection.
DESCRIPTION OF THE PREFERRED EMBODIMENT
A preferred embodiment of the present invention will be described herein below with reference to the accompanying drawings. In the following description, well known functions or constructions are not described in detail since they would obscure the description with unnecessary detail.
Reference is made initially to FIG. 1, which illustrates a block diagram of a system (1000) for detecting anomalies of a Global Positioning System (GPS) according to an embodiment of the present invention. The system (1000), which is implemented in a mobile device, comprises a processor (100) which is connected to a GPS receiver (200) to provide location information; a memory (300) and a storage (400) to store programs and data; a clock (500) to provide date and time data; a signal processor (600) to convert analogue signals to digital signals, wherein the signal processor (600) is connected to an antenna switch (650); and a Decision Display Module (700) to display a final result of any detected anomaly.
A detailed block diagram of the processor (100) is shown in FIG. 2, wherein the processor (100) comprises three modules which are a Tracking Module (10); an Application Programming Interface (API) Module (20); and an Analysis Module (30). The Tracking Module (10) is used to track time, GPS data, Global System for Mobile communication (GSM) signal data and Wifi signal data, wherein these data are stored in the storage (400).
The API Module (20) is used to synchronise a centralised date and time data with the date and time data of the mobile device, wherein the API Module (20) automatically synchronises the date and time data of the mobile device periodically using a network time protocol (NTP) server. Finally, the Analysis Module (30) is used to obtain data snapshots of the mobile device's state, analyse the data and detect any potential anomaly of the GPS in the mobile device. The Analysis Module (30) further comprises a High Frequency Data Acquisition component (31), a Travel Motion Analyser (32), a Wifi Displacement Model Analyser (33), a GSM Location Analyser (34), a Modal Analysis Logic component (35) and an Interface component (36).
The High Frequency Data Acquisition component (31), which is connected to the Tracking Module (10), is used to obtain data snapshots of the state of the mobile device such as the GPS coordinates, GSM signals, Wifi signals and date and time data. The High Frequency Data Acquisition component (31) is also connected to the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34).
The Travel Motion Analyser (32), which is also connected to the Modal Analysis Logic component (35), is used to calculate the speed between each stored GPS location data using the GPS coordinates and the centralised date and time data. Furthermore, the Travel Motion Analyser (32) detects potential speed anomaly and date and time data anomaly based on a calculation result.
The Wifi Displacement Model Analyser (33) is used to detect anomaly by performing a rule-based correlation between Wifi signal strength and GPS location data. The Wifi Displacement Model Analyser (33) is also connected to the Modal Analysis Logic component (35).
The GSM Location Analyser (34) detects anomaly by performing a rule-based correlation between GSM signal data and GPS location data. The GSM Location Analyser (34) is also connected to the Modal Analysis Logic component (35).
The Modal Analysis Logic component (35) merges the output results from the Travel Motion Analyser (32), Wifi Displacement Analyser (33) and GSM Location Analyser (34) before it sends the final result which is an anomaly confidence level value ranging from 0 to 100 to the Interface component (36). The Interface component (36) then sends the final result to the Decision Display Module (700).
Referring now to FIG. 3, it illustrates a flowchart of a method for detecting anomalies of the GPS according to an embodiment of the present invention. Initially, the High Frequency Data Acquisition component (31) obtains data snapshots of the state of the mobile device at a default interval of 10 minutes. The data may include the GPS coordinates, Wifi signal data, GSM signal data, mobile device's date and time data and the centralised based date and time data as in step 2100.
To obtain data snapshots of the state of the mobile device, the High Frequency Data Acquisition component (31) receives a centralised date and time data which is stored as a first record. Subsequent records are the calculated records which are added to the previous record with a default interval of 10 minutes.
An example of a data snapshot of the mobile device is shown in FIG. 4, wherein the data snapshot has records of the GPS location data; centralised date and time data; and the date and time data of the mobile device with an interval of 10 minutes. For the centralised date and time data, the High Frequency Data Acquisition component (31) only reads the first record from the configured NTP server through the API Module (20), while the subsequent data is calculated by incrementing 10 minutes interval for each record.
Thereon, as shown in FIG. 3, the Travel Motion Analyser (32) calculates the speed between each data snapshot as in step 2200 by using GPS coordinate, centralised date and time data and the mobile device's date and time data. The Travel Motion Analyser (32) also determines the travel mode of the mobile device which can either be a flight mode or a normal mode, besides checking the validity of the speed data and the validity of the date and time data of the mobile device.
The Wifi Displacement Model Analyser (33) then tests the correlation of each data snapshot by using the GPS coordinates and the Wifi signal data as in step 2300. Thereon, the GSM Location Analyser (34) tests the correlation of each data snapshot using GPS coordinates and GSM location data as in step 2400.
Finally, the output results from the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34) are merged by the Modal Analysis Logic component (35) before the Modal Analysis Logic component (35) sends the merged output results to the Decision Display Module (700) via the Interface component (36) as in step 2500.
Reference is now made to FIG. 5 that illustrates a flowchart of the substeps for the step 2200, wherein the Travel Motion Analyser (32) calculates the speed between each data snapshot. Initially, if a log file which contains the data snapshot exists in the storage (400), the Travel Motion Analyser (32) reads the log file in the mobile device as in steps 2210 to 2220. The record of the log file includes the current and subsequent records of the centralised and the mobile device's date and time data; and the GPS coordinates of the mobile device which is in longitude and latitude.
Thereon, the Travel Motion Analyser (32) computes the distance travelled between two records from the log file as in step 2225. By using the computed distance travelled and time obtained between the two records, the travelling speed is determined as in step 2230. If the distance travelled is more than or equal to a predefined distance of x km as in decision 2235, a pre-set travelling speed limit of F km/H is used as in step 2240, wherein the Travel Motion Analyser (32) determines the travel mode of the mobile device as a flight mode. Preferably, the predefined distance is 50 km and preferably, the pre-set travelling speed limit is 920 km/H.
On the other hand, if the distance travelled is less than the predefined distance, x km, another pre-set travelling speed limit of L km/H is used as in step 2245, wherein the Travel Motion Analyser (32) determines the travel mode of the mobile device as a normal mode. Preferably, the predefined distance is 50 km and preferably, the pre-set travelling speed limit is 250 km/H.
Next, the computed travelling speed is checked against the pre-set travelling speed limit as in decision 2250. If the computed travelling speed exceeds the pre-set travelling speed limit, a speed violation is triggered with an output result of a value of "1" as in step 2255. The speed violation output result is then used by the Modal Analysis Logic component (35) to be merged with other output results.
An example of speed data anomaly detection by the Travel Motion Analyser (32) is shown in FIG. 6 (a), wherein the Travel Motion Analyser (32) determines a travelling speed of a mobile device by using the distance of sibling records. The Travel Motion Analyser (32) computes the distance travelled between the time data of 01:20 and 01:30, wherein the location of the mobile device at 01:20 is at Kulim HiTech Park (KHTP), and wherein the location of the mobile device at 01:30 is at Technology Park Malaysia (TPM). From the 2 GPS coordinates, the Travel Motion Analyser (32) computes that the distance travelled is more than 290 km with a travelling speed of 1740 km/H, wherein the travel mode of the mobile device is determined as a flight mode. Since the travelling speed exceeds the pre-set travelling speed limit of 920 km/H, the speed violation is triggered.
On the other hand, if the computed travelling speed does not exceed the preset travelling speed limit, the mobile device's date and time data is checked against the centralised date and time data as in step 2255 and decision 2265. If both date and time data are the same, the Travel Motion Analyser (32) continues reading and processing the next record until the last record as in decision 2275 and step 2280 before the process repeats from step 2215 which is to read the log file in the mobile device.
However, if the date and time data of the mobile device and the centralised date and time data are not the same, the date and time violation is triggered with an output result of a value of "1" as in step 2275. The time violation output result is then used by the Modal Analysis component (35) to be merged with other output results.
An example of date and time data anomaly detection by the Travel Motion Analyser is shown in FIG. 6 (b), wherein the Travel Motion Analyser (32) detects the date and time data violation by comparing the date and time data of the mobile device against the centralised date and time data. Since the Travel Motion Analyser (32) detects the mobile device's time data which is 02:30 is not synchronised with the centralised time data which is 01:40, the date and time data violation is triggered.
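The Travel Motion Analyser checks described above can be sketched as follows. This is an added example, not code from the patent: the haversine distance formula, the `Snapshot` and `Finding` types, the rejection of records whose centralised time does not advance, and the sample coordinates (rough approximations of the two sites named for FIG. 6 (a)) are assumptions of this sketch.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple

FLIGHT_DISTANCE_KM = 50.0   # predefined distance x (page value)
FLIGHT_LIMIT_KMH = 920.0    # pre-set limit F for flight mode (page value)
NORMAL_LIMIT_KMH = 250.0    # pre-set limit L for normal mode (page value)
EARTH_RADIUS_KM = 6371.0    # mean Earth radius; haversine is this example's choice


@dataclass(frozen=True)
class Snapshot:
    lat: float
    lon: float
    central_time: datetime   # centralised date and time (first record from NTP)
    device_time: datetime    # date and time reported by the mobile device


class Finding(NamedTuple):
    result: int       # 1 = violation, 0 = normal (the analyser's binary output)
    reason: str       # "speed", "datetime" or "normal"
    mode: str         # "flight" or "normal"
    speed_kmh: float


def haversine_km(a: Snapshot, b: Snapshot) -> float:
    """Great-circle distance between two snapshots in kilometres."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def check_pair(prev: Snapshot, curr: Snapshot) -> Finding:
    """Apply the distance, speed and date/time checks to two consecutive records."""
    hours = (curr.central_time - prev.central_time).total_seconds() / 3600.0
    if hours <= 0:
        # Not covered by the description: refuse records whose trusted clock
        # does not advance instead of dividing by zero.
        raise ValueError("centralised time must increase between records")
    distance = haversine_km(prev, curr)
    speed = distance / hours
    if distance >= FLIGHT_DISTANCE_KM:
        mode, limit = "flight", FLIGHT_LIMIT_KMH
    else:
        mode, limit = "normal", NORMAL_LIMIT_KMH
    if speed > limit:
        return Finding(1, "speed", mode, speed)
    # Speed is plausible, so compare the device clock with the centralised one.
    if curr.device_time != curr.central_time:
        return Finding(1, "datetime", mode, speed)
    return Finding(0, "normal", mode, speed)


def analyse_log(records: list) -> Finding:
    """Walk the log and return the first violation, or the last normal finding."""
    last = Finding(0, "normal", "normal", 0.0)
    for prev, curr in zip(records, records[1:]):
        last = check_pair(prev, curr)
        if last.result:
            return last
    return last


def at(hhmm: str) -> datetime:
    """Constructed helper: a time of day on an arbitrary fixed date."""
    return datetime.strptime("2015-01-01 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample logs. The coordinates are rough approximations chosen for
# this example; they are not taken from the page.
KHTP = (5.42, 100.56)
TPM = (3.05, 101.69)
SPEED_LOG = [
    Snapshot(*KHTP, at("01:10"), at("01:10")),
    Snapshot(*KHTP, at("01:20"), at("01:20")),
    Snapshot(*TPM, at("01:30"), at("01:30")),
]
# Same place throughout, but the device clock runs ahead as in FIG. 6 (b).
CLOCK_LOG = [
    Snapshot(*KHTP, at("01:30"), at("01:30")),
    Snapshot(*KHTP, at("01:40"), at("02:30")),
]

if __name__ == "__main__":
    print(analyse_log(SPEED_LOG))
    print(analyse_log(CLOCK_LOG))
```

Because elapsed time is taken from the centralised clock rather than the device clock, changing the device's own date and time does not alter the computed speed.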
Referring now to FIG. 7, it illustrates a flowchart of the substeps for step 2300 which is to test the correlation of each data snapshot by using the GPS coordinates and the Wifi signal data by the Wifi Displacement Model Analyser (33). After the Travel Motion Analyser (32) checks the validity of the speed data and the validity of the mobile device's date and time data, the Wifi Displacement Model Analyser (33) reads the list of Wifi networks and location information from the previous data snapshots and the current data snapshots as in steps 2310 and 2315. Once all the data is obtained, the Wifi Displacement Model Analyser (33) starts iterating the Wifi network list as in step 2320. During the iteration, the Wifi Displacement Model Analyser (33) obtains the distance between a previous and a current location of the mobile device.
If the distance between the previous and the current location is equal or more than a first predetermined distance, the Wifi Displacement Model Analyser (33) determines the changes in the Wifi signal as in decision 2325. Preferably, the first predetermined distance is 10 meters.
If the Wifi signal level changes and the actual location distance has a change of more than a second predetermined distance as in decision 2330, no anomaly is detected and the Wifi Displacement Model Analyser (33) adds the data snapshot in a normal list as in step 2345. Preferably, the second predetermined distance is 30 meters.
On the other hand, if the location distance has a change of more than the second predetermined distance but the Wifi signal level has not changed, an anomaly is detected and the Wifi Displacement Model Analyser (33) adds the data snapshot in an abnormal list as in step 2340. Preferably, the second predetermined distance is 30 meters.
On the other hand, if the distance between the previous and the current location is less than the first predetermined distance as in decision 2325, the Wifi Displacement Model Analyser (33) determines if there is a new discovered Wifi network or if a threshold quantity is exceeded as in decision 2335. If the distance between the previous and the current location is less than the first predetermined distance and a threshold quantity is not exceeded, which means no new Wifi network is discovered, no anomaly is detected. Hence, the Wifi Displacement Model Analyser (33) adds the data snapshot in the normal list as in step 2345.
On the other hand, if the distance between the previous and the current location is less than the first predetermined distance but a threshold quantity is exceeded, which means a new Wifi network is discovered, an anomaly is detected. Hence, the Wifi Displacement Model Analyser (33) adds the data snapshot in the abnormal list as in step 2340.
Once the iteration is completed as in decision 2350, the Wifi Displacement Model Analyser (33) computes the percentage of abnormal Wifi network among the total Wifi network which comprises the normal and abnormal Wifi network. If the percentage is more than 50% as in decision 2355, a Wifi signal violation is triggered, wherein an alert signal is generated as in step 2365. The output result has a value of "1", wherein the violation result is then used by the Modal Analysis Logic component (35) to be merged with other output results.
However, if the percentage of abnormal Wifi network is less than 50%, the Wifi Displacement Model Analyser (33) determines if there is any unusual Wifi signal pattern as in decision 2360, a check called Unusual Wifi Signal pattern checking. During the Unusual Wifi Signal pattern checking, an anomaly is detected if the Wifi signal violates the signal pattern checking.
If no anomaly is detected, a normal signal is generated as in step 2370, wherein the output result has a value of "0". On the other hand, if any anomaly is detected, a Wifi signal violation is triggered, wherein an alert signal is generated as in step 2365, and wherein the output result has a value of "1". The violation result is then used by the Modal Analysis Logic component (35) to be merged with other output results.
An example of a normal condition for a Wifi signal level unusual pattern checking is shown in FIG. 8 (a), wherein when the distance is nearer to a Wifi antenna station, the signal is strong, whereas as the distance gets further, the signal gets weaker. On the other hand, an example of an abnormal condition for a Wifi signal level unusual pattern checking is shown in FIG. 8 (b). Since the Wifi signal strength does not correlate to the distance relative to the Wifi antenna station, the alert signal is generated.
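The per-network classification and the 50% rule of the Wifi Displacement Model Analyser can be sketched as follows; this is an added example, not code from the patent, and it does not model the Unusual Wifi Signal pattern checking stage. Assumptions of this sketch: a signal counts as "changed" at a 3 dB difference, moves of 10 m to 30 m are treated as normal because the description gives no rule for them, "threshold quantity exceeded" is modelled as a network absent from the previous scan, and all BSSIDs and signal levels are constructed.

```python
from typing import Dict, List, NamedTuple

FIRST_DISTANCE_M = 10.0        # first predetermined distance (page value)
SECOND_DISTANCE_M = 30.0       # second predetermined distance (page value)
ABNORMAL_PERCENT_LIMIT = 50.0  # violation above this share (page value)
SIGNAL_CHANGE_DB = 3           # assumption: smallest delta counted as "changed"

Scan = Dict[str, int]          # BSSID -> signal level in dBm


class WifiResult(NamedTuple):
    normal: List[str]
    abnormal: List[str]
    abnormal_percent: float
    result: int   # 1 = Wifi signal violation from the percentage rule, else 0


def classify(bssid: str, prev: Scan, curr: Scan, distance_m: float) -> str:
    """Place one Wifi network in the normal or the abnormal list."""
    before, after = prev.get(bssid), curr.get(bssid)
    if distance_m < FIRST_DISTANCE_M:
        # GPS reports almost no movement, so a network that was not visible
        # in the previous snapshot should not suddenly appear.
        return "abnormal" if before is None else "normal"
    if distance_m <= SECOND_DISTANCE_M:
        # Assumption: no rule is given for this band, so it is not flagged.
        return "normal"
    if before is None or after is None:
        changed = True   # a network appearing or vanishing counts as a change
    else:
        changed = abs(after - before) >= SIGNAL_CHANGE_DB
    # GPS says the device moved more than 30 m: the radio picture must move too.
    return "normal" if changed else "abnormal"


def wifi_displacement(prev: Scan, curr: Scan, distance_m: float) -> WifiResult:
    """Iterate the Wifi list and apply the 50% abnormal-share rule."""
    normal: List[str] = []
    abnormal: List[str] = []
    for bssid in sorted(set(prev) | set(curr)):
        bucket = normal if classify(bssid, prev, curr, distance_m) == "normal" else abnormal
        bucket.append(bssid)
    total = len(normal) + len(abnormal)
    percent = 100.0 * len(abnormal) / total if total else 0.0
    return WifiResult(normal, abnormal, percent, int(percent > ABNORMAL_PERCENT_LIMIT))


# Constructed scans: GPS claims a 120 m move, yet three of four networks are
# received at practically the same level as before.
PREV_SCAN = {"02:00:00:00:00:01": -48, "02:00:00:00:00:02": -61,
             "02:00:00:00:00:03": -70, "02:00:00:00:00:04": -80}
STATIC_RADIO = {"02:00:00:00:00:01": -48, "02:00:00:00:00:02": -61,
                "02:00:00:00:00:03": -71, "02:00:00:00:00:04": -66}
# Constructed scans: the same move with signal levels that shifted accordingly.
MOVED_RADIO = {"02:00:00:00:00:01": -67, "02:00:00:00:00:02": -52,
               "02:00:00:00:00:03": -84, "02:00:00:00:00:05": -58}
# Constructed scans: GPS claims 4 m of movement while two new networks appear.
NEW_NETWORKS = {"02:00:00:00:00:01": -48,
                "02:00:00:00:00:0a": -55, "02:00:00:00:00:0b": -60}

if __name__ == "__main__":
    print(wifi_displacement(PREV_SCAN, STATIC_RADIO, 120.0))
    print(wifi_displacement(PREV_SCAN, MOVED_RADIO, 120.0))
    print(wifi_displacement({"02:00:00:00:00:01": -48}, NEW_NETWORKS, 4.0))
```

A result of 0 here only means the percentage rule did not fire; in the described method the snapshot would then go on to the unusual signal pattern check.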
FIG. 9 illustrates a flowchart of the substeps for step 2400 which is to test the correlation of each data snapshot by using the GPS coordinates and GSM location data by the GSM Location Analyser (34). Besides using a location name that is identified by using a GSM location, A which is a GSM signal data, the GSM Location Analyser (34) also uses a GPS discovered location, B that is identified by using the GPS coordinates from the satellite signal as in step 2410 to provide the current location of the mobile device.
The GSM Location Analyser (34) obtains a current GSM location, A1 and a current GPS discovered location, B1 from the data snapshots as in step 2415. Thereon, the GSM Location Analyser (34) obtains a previous GSM location, A0 and a previous GPS discovered location, B0 from the previous data snapshots as in step 2420. The GSM location data is computed based on the change in state between A1 and A0 as in step 2425. The computed value, A' is in a state of true when there is any change in the signal received from radio towers. On the other hand, the computed value, A' is in a state of false when there is no change in the signal received from radio towers.
Similarly, the GPS discovered location data is also computed based on the change in state between B1 and B0. The computed value, B' is in a state of true when there is any change in the signal received from radio towers. On the other hand, the computed value, B' is in a state of false when there is no change in the signal received from radio towers.
Based on the computed values of A' and B', the GSM Location Analyser (34) computes a violation result as in decision 2430 using a logic. The logic states that if A' is true and if B' is false, it is considered as an abnormal scenario of a correlation between GSM location data and GPS coordinates. Hence, a violation is triggered. When the violation is triggered, the final result has a value of "1" as in step 2440. The GSM Location Analyser (34) then sends the computed violation results to be used later by the Modal Analysis Logic component (35) to merge the output results.
On the other hand, the logic states that if A' is true and if B' is true; or if A' is false and if B' is false; or if A' is false but if B' is true; it is considered as a normal scenario of a correlation between GSM location data and GPS coordinates. Hence, the violation is not triggered. When the violation is not triggered, the final result has a value of "0" as in step 2435. The computed violation results are then sent to the Modal Analysis Logic component (35) by the GSM Location Analyser (34) to be merged with the other output results.
FIG. 10 shows an example of a comparison between a normal scenario and an abnormal scenario of a correlation between GSM location data and GPS coordinates, wherein 0 represents a normal scenario and 1 represents an abnormal scenario. From the GSM location data of 'scenario d', there is a change between the current and previous locations which shows that A' is true. However, as there is no change in the GPS coordinates, it shows that B' is false. The logic states that if A' is true and if B' is false, it is considered as an abnormal scenario of a correlation between GSM location data and GPS coordinates. Hence, a violation is triggered with a final result of a value of "1".
Reference is now made to FIG. 11 which illustrates the substeps of merging the output results by the Modal Analysis Logic component (35), wherein the output results are from the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34). The Modal Analysis Logic component (35) obtains the individual binary results produced by the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34) as in step 2510.
Thereon, the Modal Analysis Logic component (35) multiplies each result with a weightage based on the type of the analysis as in step 2515. The Modal Analysis Logic component (35) then computes a total score by summing up all the scores from all the analysers as in step 2520. The analysers include the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34). The total score is compared to a predefined scoring threshold as in step 2525.
If the total score exceeds the predefined scoring threshold as in decision 2530, an anomaly signal is sent to the Interface component (36) as in step 2535. On the other hand, if the total score is less than the predefined scoring threshold, a normal signal is sent to the Interface component (36) as in step 2340. Finally, the analysed result which is either the anomaly signal or the normal signal is sent to the Decision Display Module (600) as in step 2545.
FIG. 12 illustrates an example of computing a total score from all analysers for anomaly detection. As the nature of a GPS reading is accurate up to 10 meters, the Travel Motion Analyser (32) has the biggest percentage contribution in computing the total score for anomaly detection, wherein the Travel Motion Analyser (32) has a weight of 60% whereas the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34) contribute a weightage of 20% each to enhance a full system accuracy of detecting the anomalies of different behaviour. Since the readings for the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34) only change when the resolution of the location data is more than 30 meters, these two analysers have less accuracy compared to the Travel Motion Analyser (32).
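The GSM/GPS correlation rule of decision 2430 and the weighted merge of steps 2515 to 2530 can be sketched as follows. This is an added example, not code from the patent: the location names, the snapshot sequence and the threshold values are constructed assumptions, and treating a score equal to the threshold as normal is also an assumption, since the description only covers "exceeds" and "less than".

```python
from dataclasses import dataclass
from itertools import product

# Weightage per analyser in percent, as given in the description of FIG. 12.
WEIGHTS = {"travel_motion": 60, "wifi_displacement": 20, "gsm_location": 20}


@dataclass(frozen=True)
class Snapshot:
    gsm_location: str  # A: location name identified from GSM signal data
    gps_location: str  # B: location name identified from GPS coordinates


def gsm_violation(prev: Snapshot, cur: Snapshot) -> int:
    """Decision 2430: 1 only when A' is true and B' is false, else 0."""
    a_changed = cur.gsm_location != prev.gsm_location  # A'
    b_changed = cur.gps_location != prev.gps_location  # B'
    return int(a_changed and not b_changed)


def gsm_results(snapshots):
    """Apply the GSM/GPS rule to each consecutive pair of snapshots."""
    return [gsm_violation(p, c) for p, c in zip(snapshots, snapshots[1:])]


def total_score(results: dict) -> int:
    """Steps 2515-2520: weight each binary analyser result and sum."""
    if set(results) != set(WEIGHTS):
        raise ValueError("expected exactly one result per analyser")
    if any(v not in (0, 1) for v in results.values()):
        raise ValueError("analyser results must be binary (0 or 1)")
    return sum(WEIGHTS[name] * results[name] for name in WEIGHTS)


def merge(results: dict, threshold: int) -> str:
    """Decision 2530. The text only covers 'exceeds' and 'less than';
    treating a score equal to the threshold as normal is an assumption."""
    return "anomaly" if total_score(results) > threshold else "normal"


def triggering_combinations(threshold: int):
    """List every set of violating analysers that yields an anomaly signal."""
    names = list(WEIGHTS)
    hits = []
    for bits in product((0, 1), repeat=len(names)):
        results = dict(zip(names, bits))
        if merge(results, threshold) == "anomaly":
            hits.append(tuple(n for n in names if results[n]))
    return hits


# Constructed snapshots (location names are made up for illustration).
SNAPSHOTS = [
    Snapshot("Cell-North", "Block-1"),
    Snapshot("Cell-North", "Block-1"),  # A' false, B' false -> 0
    Snapshot("Cell-East", "Block-2"),   # A' true,  B' true  -> 0
    Snapshot("Cell-East", "Block-3"),   # A' false, B' true  -> 0
    Snapshot("Cell-South", "Block-3"),  # A' true,  B' false -> 1
]

if __name__ == "__main__":
    print("GSM analyser results:", gsm_results(SNAPSHOTS))
    for threshold in (30, 50, 60):  # assumed thresholds, not from the patent
        print(threshold, triggering_combinations(threshold))
```

With the 60/20/20 weightage and an assumed threshold of 50, a Wifi violation and a GSM violation together score only 40, so an anomaly signal is raised only when the Travel Motion Analyser also reports a violation. The choice of threshold therefore decides whether the two coarser analysers can ever flag an anomaly on their own.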
Although GSM and Wifi technology terminologies are used in the description, such terminologies are intended to refer also to the parallel terms in other network technologies.
While embodiments of the invention have been illustrated and described, it is not intended that these embodiments illustrate and describe all possible forms of the invention. Rather, the words used in the specifications are words of description rather than limitation and various changes may be made without departing from the scope of the invention.

Claims

1. A system (1000) for detecting anomalies of a Global Positioning System (GPS) in a mobile device comprises of:
a) a GPS receiver (200) to provide location information connected to a processor (100);
b) a memory (300) and a storage (400) to store programs and data;
c) a clock (500) to provide date and time data;
d) a signal processor (600) to convert analogue signals to digital signals, wherein the signal processor (600) is connected to an antenna switch (650); and
e) a Decision Display Module (700) to display a final result of any detected anomaly,
wherein the system (1000) is characterized in that the processor (100) includes:
i. a Tracking Module (10) to track time, GPS data, telecommunication network signal data and wireless local area network signal data, wherein these data are stored in the storage (400);
ii. an Application Programming Interface (API) Module (20) to synchronise a centralised date and time data with the date and time data of the mobile device; and
iii. an Analysis Module (30) to obtain data snapshots of the mobile device's state, analyse the data and detect any potential anomaly of the GPS in the mobile device.
2. The system (1000) as claimed in claim 1, wherein the Analysis Module (30) includes:
a) a High Frequency Data Acquisition component (31) to obtain data snapshots of the state of the mobile device;
b) a Travel Motion Analyser (32) to calculate the speed between each stored GPS location data using the GPS coordinates and the centralised date and time data;
c) a Wifi Displacement Model Analyser (33) used to detect anomaly by performing a rule-based correlation between wireless local area network signal strength and GPS location data;
d) a GSM Location Analyser (34) to detect anomaly by performing a rule-based correlation between telecommunication network signal data and GPS location data;
e) a Modal Analysis Logic component (35) to merge the output results from the Travel Motion Analyser (32), Wifi Displacement Analyser (33) and GSM Location Analyser (34); and
f) an Interface component (36) to send a final result to the Decision Display Module (700).
3. The system (1000) as claimed in claim 1, wherein the data snapshots obtained by the High Frequency Data Acquisition component (31) include GPS coordinates, telecommunication network signals, wireless local area network signals and date and time data.
4. A method for detecting anomalies of a Global Positioning System (GPS) in a mobile device is characterised by the steps of:
a) obtaining data snapshots of the mobile device's state at a default interval of 10 minutes;
b) calculating the speed between each data snapshot by using GPS coordinates, centralised based date and time data and the mobile device's date and time data by a Travel Motion Analyser (32);
c) testing the correlation of each data snapshot by using the GPS coordinates and the wireless local area network signal data by a Wifi Displacement Model Analyser (33);
d) testing the correlation of each data snapshot using GPS coordinates and telecommunication network location by a GSM Location Analyser (34);
e) merging output results from the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34) by a Modal Analysis Logic component (35); and
f) sending the merged output results to a Decision Display Module (700) via an Interface component (36).
5. The method as claimed in claim 4, wherein the step of calculating the speed between each data snapshot by the Travel Motion Analyser (32) includes:
a) computing distance travelled between two records in a log file;
b) computing travelling speed by using the computed distance travelled and time obtained between the two records;
c) determining a travel mode of the mobile device as a flight mode if the distance travelled is more than or equal to a predefined distance;
d) determining the travel mode of the mobile device as a normal mode if the distance travelled is less than the predefined distance;
e) comparing the computed travelling speed against a pre-set travelling speed limit;
f) triggering a speed violation if the computed travelling speed limit exceeds the pre-set travelling speed limit;
g) comparing the mobile device's date and time data against the centralised date and time data if the computed travelling speed does not exceed the pre-set travelling speed limit;
h) triggering a date and time violation if the date and time data of the mobile device and the centralised date and time data are not the same; and
i) sending the computed violation results to the Modal Analysis Logic component (35).
6. The method as claimed in claim 4, wherein the step of testing the correlation of each data snapshot by using the GPS coordinates and the wireless local area network signal data by the Wifi Displacement Model Analyser (33) includes:
a) obtaining a list of wireless local area network and location information from previous data snapshots and current data snapshots;
b) iterating the wireless local area network list;
c) obtaining the distance between a previous and current location;
d) determining the changes in the wireless local area network signal if the distance between the previous and current location is equal or more than a first predetermined distance;
e) adding the data snapshot in an abnormal list if the location distance has a change of more than a second predetermined distance but the wireless local area network signal level has not changed;
f) adding the data snapshot in a normal list if the location distance has a change of more than the second predetermined distance and the wireless local area network signal level has changed;
g) computing the percentage of abnormal wireless local area network among the total wireless local area network;
h) triggering a wireless local area network signal violation if the percentage of abnormal wireless local area network is more than 50%;
i) determining if there is any unusual wireless local area network signal pattern if the percentage of abnormal wireless local area network is less than 50%;
j) triggering a wireless local area network signal violation if any anomaly is detected; and
k) sending the computed violation results to the Modal Analysis Logic component (35).
7. The method as claimed in claim 6, wherein if the distance between the previous and current location is less than the first predetermined distance, the steps include:
a) determining if a threshold quantity is exceeded;
b) adding the data snapshot in the abnormal list if a threshold quantity is exceeded;
c) adding the data snapshot in the normal list if the threshold quantity is not exceeded;
d) computing the percentage of abnormal wireless local area network among the total wireless local area network;
e) generating an alert signal if the percentage is more than 50%;
f) determining if there is any unusual wireless local area network signal pattern if the percentage of abnormal wireless local area network is less than 50%;
g) triggering a wireless local area network signal violation if any anomaly is detected; and
h) sending the computed violation results to the Modal Analysis Logic component (35).
8. The method as claimed in claim 4, wherein the step of testing the correlation of each data snapshot using GPS coordinates and telecommunication network location by a GSM Location Analyser (34) includes:
a) obtaining a current telecommunication network location and a current GPS discovered location from the data snapshots;
b) obtaining a previous telecommunication network location and a previous GPS discovered location from the previous data snapshots;
c) computing a telecommunication network location data;
d) computing a GPS discovered location data;
e) computing a violation result using a logic based on the computed values of the telecommunication network location data and the GPS discovered location data; and
f) sending the computed violation results to the Modal Analysis Logic component (35).
9. The method as claimed in claim 4, wherein the step of merging output results from the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34) by the Modal Analysis Logic component (35) includes:
a) obtaining individual binary results produced by the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34);
b) multiplying each result with a weightage based on the type of analysis;
c) computing a total score by summing up all the scores from the Travel Motion Analyser (32), the Wifi Displacement Model Analyser (33) and the GSM Location Analyser (34);
d) comparing the total score to a predefined scoring threshold;
e) merging output results as anomaly if the total score exceeds the predefined scoring threshold; and
f) merging output results as normal if the total score is less than the predefined scoring threshold.
PCT/MY2015/050064 2014-07-02 2015-06-30 A system and method for detecting global positioning system anomalies WO2016003262A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2014701843 2014-07-02
MYPI2014701843A MY189316A (en) 2014-07-02 2014-07-02 A system and method for detecting global positioning system anomalies

Publications (1)

Publication Number Publication Date
WO2016003262A1 true WO2016003262A1 (en) 2016-01-07

Family

ID=53887160

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2015/050064 WO2016003262A1 (en) 2014-07-02 2015-06-30 A system and method for detecting global positioning system anomalies

Country Status (2)

Country Link
MY (1) MY189316A (en)
WO (1) WO2016003262A1 (en)


Also Published As

Publication number Publication date
MY189316A (en) 2022-02-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15753200

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15753200

Country of ref document: EP

Kind code of ref document: A1