Upload
leduong
View
215
Download
0
Embed Size (px)
Citation preview
University of Illinois at Urbana-Champaign 0
Detecting GPS Spoofing via a Multi-Receiver
Hybrid Communication Network for Power Grids
Tara Mina, Sriramya Bhamidipati, and Grace Xingxin Gao
University of Illinois at Urbana-Champaign
1
1
Goals for Power Grid Modernization
• Automatic control of power grid
• Reduce failures or large-scale
blackouts (Ex: NE Blackout 2003)
• Improve visualization of power flow
• Continuously monitor state of
U.S. power grid network
• Install robust network of monitoring devices across the grid
University of Illinois at Urbana-Champaign
2
Synchronizing Data in Power Grid Network
Real-time monitoring of power grid through a widely dispersed
network of Phasor Measurement Units (PMUs)
− PMUs measure voltage and current phasors
− Provides measurement with precise time-stamp, via GPS
− Significant timing inaccuracies can induce a generator to trip [1]
2
GPS used for synchronization of
PMU measurements
Power grid
PMUGPS clockGPS
Antenna
[1] Shepard, et al, GPS World, 2012
University of Illinois at Urbana-Champaign
3
Global Positioning System (GPS)
• Number of satellites: 31 operational
• Orbit: ≈ 20,200 𝑘𝑚 in altitude ( ≈ 12 ℎ𝑟 period orbit )
• Each satellite:
− Carries several atomic clocks (Cesium and/or Rubidium)
− Continuously sends precisely timed signals to Earth
3
Block IIF
Satellite
(Boeing)
University of Illinois at Urbana-Champaign
4
How GPS Enables Navigation
• Precise satellite position (𝑿𝑺, 𝒀𝑺, 𝒁𝑺) provided to user
• After receiver obtains the satellite signal:
− Deciphers exact time of transmission 𝒕𝑻𝑿 of received signal
− Notes user’s received time 𝒕𝑹𝑿, and compares to
compute distance from the satellite
4
University of Illinois at Urbana-Champaign
5
How GPS Enables Navigation
• Precise satellite position (𝑿𝑺, 𝒀𝑺, 𝒁𝑺) provided to user
• After receiver obtains the satellite signal:
− Deciphers exact time of transmission 𝒕𝑻𝑿 of received signal
− Notes user’s received time 𝒕𝑹𝑿, and compares to
compute distance from the satellite
4
But, user’s clock is not accurate…
University of Illinois at Urbana-Champaign
6
How GPS Enables Navigation
• Precise satellite position (𝑿𝑺, 𝒀𝑺, 𝒁𝑺) provided to user
• After receiver obtains the satellite signal:
− Deciphers exact time of transmission 𝒕𝑻𝑿 of received signal
− Notes user’s received time 𝒕𝑹𝑿, and compares to
compute distance from the satellite
4
But, user’s clock is not accurate…
→ 𝑡𝑅𝑋 is inaccurate
University of Illinois at Urbana-Champaign
7
How GPS Enables Navigation
• Precise satellite position (𝑿𝑺, 𝒀𝑺, 𝒁𝑺) provided to user
• After receiver obtains the satellite signal:
− Deciphers exact time of transmission 𝒕𝑻𝑿 of received signal
− Notes user’s received time 𝒕𝑹𝑿, and compares to
roughly approximate distance from the satellite
4
University of Illinois at Urbana-Champaign
8
How GPS Enables Navigation
• Precise satellite position (𝑿𝑺, 𝒀𝑺, 𝒁𝑺) provided to user
• After receiver obtains the satellite signal:
− Deciphers exact time of transmission 𝒕𝑻𝑿 of received signal
− Notes user’s received time 𝒕𝑹𝑿, and compares to
roughly approximate distance from the satellite
4
“Pseudo” because:
Receiver clock is inaccurate
→ 𝑡𝑅𝑋 is inaccurate
→ 𝑐 𝑡𝑅𝑋 − 𝑡𝑇𝑋 ≠ 𝑑 (true range)
computed pseudorange 𝝆
University of Illinois at Urbana-Champaign
9
How GPS Enables Navigation
• Precise satellite position (𝑿𝑺, 𝒀𝑺, 𝒁𝑺) provided to user
• After receiver obtains the satellite signal:
− Deciphers exact time of transmission 𝒕𝑻𝑿 of received signal
− Notes user’s received time 𝒕𝑹𝑿, and compares to
roughly approximate distance from the satellite
4
receiver clock bias correction
University of Illinois at Urbana-Champaign
10
How GPS Enables Navigation
5
• User has 4 unknowns:
− 3D Position 𝑿𝑹, 𝒀𝑹, 𝒁𝑹− Clock bias 𝚫𝒕
• Require at least 4 equations,
or satellites in view(usually ≥ 6 in open environments)
• For each satellite signal, we
have 1 equation:
𝜌 = 𝑐(𝑡𝑅𝑋 − 𝑡𝑇𝑋) = 𝑑 − 𝑐 Δ𝑡
= 𝑋𝑆 − 𝑿𝑹2 + 𝑌𝑆 − 𝒀𝑹
2 + 𝑍𝑆 − 𝒁𝑹2 − 𝑐 𝚫𝒕
University of Illinois at Urbana-Champaign
11
Civilian GPS and its Vulnerability
6
• Commercial (non-military) users utilize civilian GPS signal
• Civilian GPS signal (C/A) in L1 band:
− Center frequency: 1575.42 MHz
− Bandwidth: 2.046 MHz
− Available to all users
University of Illinois at Urbana-Champaign
12
Military Signals for Authentication
Encrypted Military P(Y) GPS signal
− Orthogonal to civilian GPS signals, with same center frequency
− Because of encryption, cannot be generated by spoofer
− Presence of P(Y) signal in quadrature phase component
indicates authentic GPS signal [2-3]
7
[2] Lo, et al, Inside GPS, 2009
[3] Psiaki, et al, ION GNSS, 2011[3]
University of Illinois at Urbana-Champaign
13
Prior Work and Main Challenges
• Shown handful of receivers (2-8) can be authenticated [4]
• Utilized centralized framework approach [5]
• Must extend to entire widespread network of PMUs
8
[4] Heng, Work & Gao, IEEE ITS, 2015
[5] Bhamidipati, Mina & Gao, ION PLANS, 2018
[6] Hazra, et al, IEEE PES ISGT, 2014[6]
University of Illinois at Urbana-Champaign
14
Key Objectives
• Develop spoofing detection architecture for coordinated
authentication of all PMUs, with existing resources
• Provide defense against coordinated spoofing attacks
• Demonstrate successful operation of algorithm during
government-sponsored, real-world spoofing scenario
9
University of Illinois at Urbana-Champaign
15
Outline• GPS: How it Works
• Hybrid Network Architecture Framework
• Spoofing Detection Approach
− Pairwise Check and Preliminary Statistic Computation
− Regionally Representative Snippet
• Implementational Considerations
− Communication Protocol
− Spoofing Risk Assessment
− Subset Selection Algorithm
• Experimental Setup and Results
• Summary
10
University of Illinois at Urbana-Champaign
16
NASPInet Communication Structure
• North American
Synchrophasor
Initiative network
(NASPInet) [9]
• Regional utility
networks connected
via Data Bus
• Resources
prioritized in regional
sub-networks
11
[9] Hu, Yi, NASPInet Technical Specifications, U.S. DOE, 2009
University of Illinois at Urbana-Champaign
17
Hierarchical Architecture Network
• Utilize communication to compare received GPS signals
• Proposed hybrid architecture network will overlay NASPInet
12
University of Illinois at Urbana-Champaign
19
Outline
14
• GPS: How it Works
• Hybrid Network Architecture Framework
• Spoofing Detection Approach
− Pairwise Check and Preliminary Statistic Computation
− Regionally Representative Snippet
• Implementational Considerations
− Communication Protocol
− Spoofing Risk Assessment
− Subset Selection Algorithm
• Experimental Setup and Results
• Summary
University of Illinois at Urbana-Champaign
20
Typical Correlation Observed (Authentic)
15
Typical correlation (authentic): single peak above noise floor
University of Illinois at Urbana-Champaign
21
Typical Correlation Observed (Spoofed)
16
Typical correlation (spoofed): no peak above noise floor
University of Illinois at Urbana-Champaign
22
Pairwise Statistic for Cross-Checking
17
• Correlation result 𝑃𝑟𝑖𝑟𝑗,𝑘 between receivers 𝑟𝑖 and 𝑟𝑗 for PRN 𝑘:
− Authentic: 𝑃𝑟𝑖𝑟𝑗,𝑘 ∼ 𝑝0 = 𝒩 𝜇, 𝜎2 where 𝜇 > 0
− Spoofed: 𝑃𝑟𝑖𝑟𝑗,𝑘 ∼ 𝑝1 = 𝒩 0, 𝜎2
• Pairwise statistic 𝛾𝑟𝑖𝑟𝑗,𝑘 :
− Indicates amount of signal match for PRN 𝑘 between receivers 𝑟𝑖 and 𝑟𝑗− Consists of 2 terms:
○ Thresholded correlation result: 𝑃𝑟𝑖𝑟𝑗,𝑘𝑇 = 𝑃𝑟𝑖𝑟𝑗,𝑘𝟙 𝑃𝑟𝑖𝑟𝑗,𝑘 ≥ 𝜏𝑝𝑎𝑖𝑟
○ Pairwise weight 𝑤𝑟𝑖𝑟𝑗,𝑘, accounts for signal quality, receiver reliability, etc.
𝛾𝑟𝑖𝑟𝑗,𝑘 = 𝑤𝑟𝑖𝑟𝑗,𝑘 𝑃𝑟𝑖𝑟𝑗,𝑘𝑇
University of Illinois at Urbana-Champaign
25
Outline
20
• GPS: How it Works
• Hybrid Network Architecture Framework
• Spoofing Detection Approach
− Pairwise Check and Preliminary Statistic Computation
− Regionally Representative Snippet
• Implementational Considerations
− Communication Protocol
− Spoofing Risk Assessment
− Subset Selection Algorithm
• Experimental Setup and Results
• Summary
University of Illinois at Urbana-Champaign
26
Data Required for Communication Protocol
21
Data items to be sent by each PMU:
− Raw GPS signal fragment
− Signal tracking parameters for each visible satellite PRN
○ Time of transmission start index
○ Doppler Frequency
○ Carrier phase
University of Illinois at Urbana-Champaign
27
Communication Protocol Structure
22
• Data block: data for
each authentication
time
• Data Packet: ~1 KB
of specific data with
header information
• Data Frame:
organizes data into
segments, includes
check sum
Segmented data structure allows for:➢ Isolation of corrupted/missing data ➢ Optimized rate of data transfer and storage
University of Illinois at Urbana-Champaign
28
Bandwidth Requirements
23
• Reducing communication bandwidth requirements:
− Raw GPS signal fragment sent from PMU devices to PDC
− Appropriate signal tracking parameters sent for processing
• Main factors affecting overall bandwidth:
− Signal fragment length (500 milliseconds)
− Sampling rate (2.5 MHz)
− Data sample resolution (8-bit samples)
− Tracking parameter resolution (32-bit samples)
− Number of visible satellite PRNs (about 6)
− Desired rate of authentication (assuming 1 per minute)
• Bandwidth computed: ~23 KB per second
• Fiber optic cable: ~10 GB per second ( < 0.001% bandwidth)
University of Illinois at Urbana-Champaign
29
Evaluation of Spoofing Risk
24
Historical
data
Pseudorange
residuals
SNR
values
Clock
residuals
Known
position
Bernoulli
distribution
Local
oscillator
Chi-squared
distribution
Empirical
distribution
Weighted
average
Spoofing risk
𝑝 𝑟𝑡 𝑟𝑡−1:𝑡−𝑊𝑝 𝑟𝑡 𝑆𝑁𝑅1:𝑁
𝑝 𝑟𝑡 Δ𝜌1:𝑁 𝑝 𝑟𝑡 Δ𝑇
𝑝(𝑟𝑡)
University of Illinois at Urbana-Champaign
30
Optimization: Subset Selection
• For cross-checking:
− Utilizing all PMUs, quite
computationally expensive
− Optimal subset of PMUs
• Cost function:
𝑓 Ω =
𝑖,𝑗 ∈ Ω; i≠j
𝑔 𝑖 𝑔(𝑗)ℎ(𝑖, 𝑗)
25
• 𝑔 𝑖 = 1 − spoofing risk ∗ comm. link ∗ security
• ℎ 𝑖, 𝑗 = 𝑑𝑖𝑠𝑡(𝑖, 𝑗): Larger the separation, lesser
likelihood of both spoofed
University of Illinois at Urbana-Champaign
31
Outline
26
• GPS: How it Works
• Hybrid Network Architecture Framework
• Spoofing Detection Approach
− Pairwise Check and Preliminary Statistic Computation
− Regionally Representative Snippet
• Implementational Considerations
− Communication Protocol
− Spoofing Risk Assessment
− Subset Selection Algorithm
• Experimental Setup and Results
• Summary
University of Illinois at Urbana-Champaign
32
Experimental Setup
Recorded GPS signal during live-sky spoofing event
27
Sample rate: 2.5 𝑀𝐻𝑧
Snippet length: 500 𝑚𝑠
Post-process: PyGNSS [10]
Spoofing Data
Collection Setup
Rooftop
Antenna
Setup
[10] Wycoff & Gao, GPS World, 2015
University of Illinois at Urbana-Champaign
33
Preliminary Threshold Determination
28
Threshold chosen to maximize authentic / spoofed conditional probabilities
Authentic:
𝛼 = 27.2𝑐 = 0.517𝛽 = 1.82𝑙 = 486
Spoofed:
𝛼 = 11.3𝑐 = 0.370𝛽 = 0.346𝑙 = 0
Generalized Gamma pdf:
𝑓 𝑥, 𝛼, 𝑐, 𝛽, 𝑙 =𝑐 𝑦𝑐𝛼−1exp(−𝑦𝑐)
𝛾(𝛼)
𝑦 = 𝛽(𝑥 − 𝑙)
University of Illinois at Urbana-Champaign
34
Preliminary Statistics – Regional Networks
29
Spoofed
Authentic
Threshold
Threshold Authentic
University of Illinois at Urbana-Champaign
35
Secondary Threshold Determination
30
Threshold chosen to maximize authentic / spoofed conditional probabilities
Authentic:
𝛼 = 1.53𝑐 = 1.74𝛽 = 33.7𝑙 = 20.0
Spoofed:
𝛼 = 1.18𝑐 = 2.69𝛽 = 5.80𝑙 = 13.7
Generalized Gamma pdf:
𝑓 𝑥, 𝛼, 𝑐, 𝛽, 𝑙 =𝑐 𝑦𝑐𝛼−1exp(−𝑦𝑐)
𝛾(𝛼)
𝑦 = 𝛽(𝑥 − 𝑙)
University of Illinois at Urbana-Champaign
36
Final Statistic – Representative Snippets
31
• U.S. representative snippet matches that of South America
• Snippet at Western U.S. receiver (spoofed) has poor match
ThresholdSpoofed
Signal from
Authentic
Receivers
University of Illinois at Urbana-Champaign
37
Summary
• Proposed hybrid architecture to detect spoofing at each PMU
− Provides a defense against coordinated attacks on regional networks
− Uses regionally representative snippets to reduce bandwidth/processing
• Demonstrated algorithm successfully operates on wide-spread
network during government-sponsored, real-world spoofing attack
− Detects signal manipulation on victim receiver
− Simultaneously authenticates other receivers in hybrid network
32
University of Illinois at Urbana-Champaign
38
Acknowledgements
Special thanks to:
Prof. Jade Morton and Mr. Steve Taylor
for collecting data at the Peru, Chile, Colorado, and Ohio sites.
Additionally, thanks to our lab members:
Craig Babiarz, Arthur Chu, Matthew Peretic, and Cara Yang
for assisting with the experimental setup and data collection at the
Illinois site and the Western U.S. spoofing location.
33
University of Illinois at Urbana-Champaign
39
34
Thank You!
Tara Yasmin Mina
Electrical and Computer Engineering
Email: [email protected]
Sriramya Bhamidipati
Aerospace Engineering
Email: [email protected]