This application is a continuation of and claims priority of EP15382485 filed Oct. 5, 2015, entitled “System and Method for Verifying ADS-B Messages,” which application is incorporated herein in its entirety by this reference.
1. Field of the Invention
The present disclosure is generally related to the field of the secure transmission of information between aircraft, and more particularly, to providing readable tools against ADS-B (Automatic Dependent Surveillance-Broadcast) spoofing.
2. Related Art
Automatic Dependent Surveillance Broadcast (ADS-B) systems are a source of surveillance for airborne aircraft. ADS-B OUT provides a means of automated aircraft parameter transmission between the aircraft and the Air Traffic Control (ATC), and ADS-B provides automated aircraft parameter transmission between the aircraft themselves. ADS-B systems broadcast information without any security measures like authentication or ciphering. Therefore, it is easy for an attacker to reproduce false ADS-B messages (“spoofing”) providing false aircraft position, aircraft velocity, aircraft ID, or any other ADS-B data.
One solution is provided in the U.S. Pat. Publication No. 2012/0041620 A1, Stayton et al., which discloses how an intruder bearing can be calculated based on the parameters from a Traffic Alert and Collision Avoidance System (TCAS) and from the ADS-B system. However, the provided solution depends on the accuracy of the signals emitted and received by the antenna of the TCAS system. Consequently, the provided solution is dependent on any reflections or blockages of the signals.
Accordingly, there is a need for an improved system and method that overcomes the above-mentioned drawbacks.
A system for and method of verifying ADS-B messages are disclosed. An aircraft may continuously receive ADS-B messages from other aircraft that are airborne in its vicinity, defined by the ADS-B range of the aircraft. Therefore, a system for verifying the ADS-B messages is required. In general, the present disclosure provides a system for verifying ADS-B messages for an aircraft provided with an Automatic Dependent Surveillance-Broadcast (ADS-B) system comprising a Mode S transponder. A system of the present disclosure may comprise:
The present disclosure also provides a method for verifying ADS-B messages for an aircraft provided with an Automatic Dependent Surveillance-Broadcast (ADS-B) system. The method may comprise the following steps (or sub-processes):
As used herein, a system, apparatus, structure, article, element, component, or hardware configured to perform a specified function is indeed capable of performing the specified function without any alteration, rather than merely having potential to perform the specified function after further modification. In other words, the system, apparatus, structure, article, element, component, or hardware configured to perform a specified function is specifically selected, created, implemented, utilized, programmed, and/or designed for the purpose of performing the specified function. As used herein, “configured to” denotes existing characteristics of a system, apparatus, structure, article, element, component, or hardware which enable the system, apparatus, structure, article, element, component, or hardware to perform the specified function without further modification. For purposes of this disclosure, a system, apparatus, structure, article, element, component, or hardware described as being configured to perform a particular function may additionally or alternatively be described as being adapted to and/or as being operative to perform that function.
Other devices, apparatus, systems, methods, features and advantages of the invention will be or will become apparent to one with skill in the art upon examination of the following figures and detailed description. It is intended that all such additional systems, methods, features and advantages be included within this description, be within the scope of the invention, and be protected by the accompanying claims.
The invention may be better understood by referring to the following figures. The components in the figures are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the invention. In the figures, like reference numerals designate corresponding parts throughout the different views.
In the following description, “node” is used as a synonym of “aircraft” because both have the same meaning within the field of the present disclosure. Additionally, “method” and “process” may be used interchangeably herein where the method contains sub-processes.
The present disclosure describes embodiments of the system and method for verifying ADS-B (Automatic Dependent Surveillance-Broadcast) messages interchanged among several nodes. The disclosed verification system and method are effective against attackers who use ADS-B messages as a supporting platform for carrying out their attacks. Advantageously, the disclosed verification system and method are focused on the ADS-B messages received at the aircraft, in contrast to the prior art that uses encryption techniques.
Shown in
In order to do the above, Aircraft A and all the aircraft within ADS-B range of the Aircraft A have to be provided with the system and method of this disclosure. Shown in
The GNSS system 6 provides, for the example embodiment shown in
The receiver module 2 is a processor configured to demodulate and decode the signals received from the Mode S transponder 5. The system 1 of the present disclosure uses three types of messages: the ADS-B messages 18 commonly used by the ADS-B systems, request messages 20, and response messages 19. Consequently, the system 1 is also configured to determine the type of message received and then to extract and parse the information contained in each kind of message. In order to process each kind of message, the receiver module 2 may include the ADS-B detector 10 configured to identify the ADS-B messages 18, the request detector 11 configured to identify the request messages 20 and the response detector 12 configured to identify the response messages 19.
The processor module 3 may include several sub-modules 13-15, each one of them configured to process the information extracted and parsed by the receiver module. The processor module 3 may include a table 13, a brain 14, and a clock 15. The clock 15 provides the time reference to the system 1 and it is synchronized with the time provided by the GNSS system 6. The brain 14 is a processor 14a in charge of determining whether the ADS-B data received is truthful or not. The brain 14 receives information comprising aircraft ID, aircraft position, and time of arrival (TOA) from the receiver module 2, places it in the table 13, performs telemetry calculations 14b, compares the results with the ADS-B position claimed (aircraft position within the ADS-B message), and determines when to send a request message or a response message. With the method described herein, the system 1 is able to determine whether the information provided is enough to perform telemetry calculations and also whether the request messages or the response messages have to be sent.
If the information provided is enough to perform telemetry calculations, the processor 14a performs the telemetry calculations 14b and compares the telemetry calculations with the position 6a of the aircraft contained in the ADS-B message, the ADS-B message being TRUTHFUL if both match. If the information provided is not enough to perform telemetry calculations, a request message 20 from the node A is sent to the nodes B to E within ADS-B range. The nodes B to E respond to node A with response messages 19. The database 8 is in signal communication with the processor module 3 for storing the information needed by the processor module 3 and data to perform telemetry calculations.
The telemetry calculations are based on multilateration (MLAT). MLAT may be defined as a cooperative surveillance application that accurately establishes the position of transmitters. MLAT uses data from an aircraft that can be transmitted in response to different technologies such as Mode S or ADS-B. The transmitted signal by an aircraft will be received by each of the nodes at fractionally different times. Using advanced computer processing techniques, these individual time differences allow an aircraft's position to be accurately calculated. The basic idea in MLAT is to have at least “n” equations to estimate “n” variables. Considering an emitter (Aircraft A in
$$d_i = \sqrt{(x_i - x)^2 + (y_i - y)^2 + (z_i - z)^2}.$$
The TDOA equation for receivers i and m is:
$$\mathrm{TDOA}_{i-m} = \mathrm{TOA}_i - \mathrm{TOA}_m.$$
Considering the speed of light (c), there is a direct relation between the previous equations for $d_i$ and $\mathrm{TDOA}_{i-m}$:
$$c \cdot \mathrm{TDOA}_{i-m} = d_i - d_m$$
where:
TDOA is the Time-Difference of Arrival;
$x_i$, $y_i$ and $z_i$ are the position of each receiver (aircraft as receiver stations); and
$x$, $y$, and $z$ are the position of the emitter aircraft.
Thus, in order to accurately establish the position of the emitter, at least four receivers may be needed.
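The following Python sketch is an added example, not code from the patent. It checks a claimed ADS-B position against measured times of arrival by testing the relation c·TDOA = d_i − d_m for every receiver pair against a reference receiver, which is a consistency check rather than a full position solve. The local Cartesian frame in metres, the 150 m tolerance, the sample coordinates and the verdict labels other than TRUTHFUL are assumptions.

```python
import math

C = 299_792_458.0  # speed of light in m/s

def distance(p, q):
    """Euclidean distance between two (x, y, z) points in metres."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))

def simulate_toas(emitter, receiver_positions, t0=12.0):
    """Constructed sample data: TOA at each receiver for a real emitter."""
    return [(pos, t0 + distance(pos, emitter) / C) for pos in receiver_positions]

def verify_claim(claimed_pos, receivers, tolerance_m=150.0):
    """Compare measured TDOAs with those implied by the claimed position.

    receivers: list of (position_xyz_m, toa_s); the first entry is the
    reference receiver m. Returns (verdict, worst_residual_m).
    """
    if len(receivers) < 4:
        # Not enough timestamps: the described system would send a request.
        return ("INSUFFICIENT", None)
    pos_m, toa_m = receivers[0]
    d_m = distance(pos_m, claimed_pos)
    worst = 0.0
    for pos_i, toa_i in receivers[1:]:
        measured = C * (toa_i - toa_m)                   # c * TDOA_{i-m}
        predicted = distance(pos_i, claimed_pos) - d_m   # d_i - d_m
        worst = max(worst, abs(measured - predicted))
    verdict = "TRUTHFUL" if worst <= tolerance_m else "SUSPECT"
    return (verdict, worst)

# Constructed geometry (metres, local frame); not taken from the patent.
RECEIVERS = [
    (0.0, 0.0, 10000.0),
    (40000.0, 0.0, 11000.0),
    (0.0, 40000.0, 9000.0),
    (40000.0, 40000.0, 12000.0),
    (20000.0, -30000.0, 10500.0),
]
TRUE_POS = (15000.0, 20000.0, 10000.0)      # where the emitter really is
SPOOFED_CLAIM = (35000.0, 5000.0, 10000.0)  # position claimed in the message

if __name__ == "__main__":
    observations = simulate_toas(TRUE_POS, RECEIVERS)
    print("honest claim :", verify_claim(TRUE_POS, observations))
    print("spoofed claim:", verify_claim(SPOOFED_CLAIM, observations))
    print("three nodes  :", verify_claim(TRUE_POS, observations[:3]))
```

The tolerance has to absorb timestamp error: 100 ns of clock error corresponds to about 30 m of range difference.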
An example of a table included in the system for verifying ADS-B messages of the table 13 of
Thus, for the example embodiment of table 13 shown in
Returning to
The system performs a process that can be summarized as shown in
In order to verify the node, the system applies MLAT calculations (telemetry calculations) to the information contained in the ADS-B messages. It is advisable when applying telemetry calculations to be provided with at least four timestamps per each node to be verified. Decision step 22 determines if there are at least four timestamps gathered from each of the other aircraft. It is appreciated by those skilled in the art that the number of timestamps gathered may vary under different circumstances or embodiments.
In case the system needs additional information to perform telemetry calculations, e.g., there are less than four timestamps for an aircraft, the process proceeds to decision step 23, where a check is made as to whether a request message from other aircraft within the ADS-B range has been received within a predetermined time delay. If the answer is affirmative, a response message having the ADS-B message information gathered for the periodic time window is broadcast in step 24, after which the process returns to step 21. If the answer is negative, the process proceeds directly to step 25.
As a security measure, the system may await a time (a random time delay) before broadcasting the request messages in step 25 to ensure that no other request messages from other nodes are received in step 23. Then, the system (
The above-mentioned gathering sub-process of ADS-B message information 21 is shown in more detail in
Time Window Listeners (TWLs) are periodic and are synchronized regardless of the system. TWLs may be triggered at the first second of every minute, and are repeated with a period of ten seconds. TWLs allow the system to receive and process at least one ADS-B message of each of the surrounding aircraft. Then, every TWL is identified by the system which comprises a 6-bit counter. If the time window is open, a 6-bit counter is incremented in step 28 with every new TWL and reset after reaching the value 59. This counter is used to identify the TWL during a period of 10 minutes (60 possible values, 0-59). The first TWL (“start timestamp counter”) of each hour is assigned the value of zero in step 29. The same value is assigned to the TWL that starts 10 minutes later, twenty minutes later and so on. This way of carrying out the synchronization ensures that each system in a group has the same TWL reference.
The system also comprises an internal counter for every TWL which is used to determine the exact moment of the TWL when an ADS-B message is received. When an ADS-B message is received, as determined in decision step 30, the system determines its timestamp in step 31. The timestamp consists of the TWL number (TW1, . . . , TWn) and the value of the TWL internal counter. The message is then used by the system to extract both the 24-bit aircraft address in step 32, and the ADS-B position claimed in step 33. These data are recorded into the table in step 34. Then, if the TWL is still open, as determined in decision step 35, the system continues listening and processing the received ADS-B messages by returning to decision step 30. On the other hand, if the TWL is over, the system stops processing ADS-B messages until the next TWL.
The above mentioned step of broadcasting the request message (step 25 of
For this purpose, the request message may include a TWL identifier. Before sending the generated request message, the system establishes a random delay in step 38. This delay is meant to establish a stand-by period wherein the system is not required to transmit any request (in step 39), but rather listens to the 1030 MHz channel in order to detect any requests sent by other nodes of the group. If a request is received during the Random Time Delay of step 39, as determined in decision step 40, the system discards its own request message in step 42 and the process ends in step 43. If no request is received during the Random Time Delay, the system broadcasts its own request message in step 41. This message will be received by the rest of the nodes of the group (i.e., aircraft within the ADS-B range) and the response transmission sub-process shall be triggered. Once the request message has been broadcast, the broadcasting of request message sub-process ends in step 23.
The broadcasting message sub-process 24 of
Once the system knows its transmission time slot, it generates a response message in step 47. Each of the messages includes information regarding the timestamp of a single ADS-B received message. The message is transmitted during the transmission time slot previously determined. The exact instant to transmit the message is determined by a random time delay in step 48. The function of this random time delay is to reduce the probability of transmission collisions in case two or more nodes have chosen the same transmission time slot. The response message is only transmitted during the assigned transmission time slot, as determined in decision step 49. It is transmitted when the random time delay has expired in step 50.
Each system transmits a single response message per time slot. Responses may be broadcast using the 1090 MHz channel at maximum transmission power in step 51. A response message may include data of a single row of the table; thus, steps 47 through 51 are repeated as many times as necessary until the information about each node in the table has been transmitted. Finally, the sub-process ends when the table is completely transmitted, as determined in decision step 52.
The above mentioned sub-process of performing telemetry calculations 26 of
The circuits, components, modules, and/or devices of, or associated with, the system 1 for verifying ADS-B messages are shown as being connected to or in signal communication with each other, where this connection or signal communication may be any type of connection and/or signal communication between the circuits, components, modules, and/or devices that allows circuit, component, module, and/or device to pass and/or receive signals and/or information from another circuit, component, module, and/or device. The communication and/or connection may be along any signal path between the circuits, components, modules, and/or devices that allows signals and/or information to pass from one circuit, component, module, and/or device to another and includes wireless or wired signal paths. The signal paths may be physical, such as, for example, conductive wires, electromagnetic wave guides, cables, attached and/or electromagnetic or mechanically coupled terminals, semi-conductive or dielectric materials or devices, or other similar physical connections or couplings. Additionally, signal paths may be non-physical such as free-space (in the case of electromagnetic propagation) or information paths through digital components where communication information is passed from one circuit, component, module, and/or device to another in varying digital formats without passing through a direct electromagnetic connection.
It will be understood that various aspects or details of the invention may be changed without departing from the scope of the invention. It is not exhaustive and does not limit the claimed inventions to the precise form disclosed. Furthermore, the foregoing description is for the purpose of illustration only, and not for the purpose of limitation. Modifications and variations are possible in light of the above description or may be acquired from practicing the invention. The claims and their equivalents define the scope of the invention.
Number | Date | Country | Kind |
---|---|---|---|
15382485 | Oct 2015 | ES | national |
Number | Name | Date | Kind |
---|---|---|---|
7570214 | Smith | Aug 2009 | B2 |
8948933 | Pangilinan | Feb 2015 | B2 |
20110057830 | Sampigethaya | Mar 2011 | A1 |
20120041620 | Stayton | Feb 2012 | A1 |
Number | Date | Country |
---|---|---|
3088911 | Mar 2019 | EP |
Entry |
---|
European Patent Office Search Opinion on EP15382485.9 dated May 3, 2016 (Year: 2016). |
Communication Pursuant to Article 94(3) EPC issued in corresponding EP15382485.9 dated Apr. 16, 2019, 6 pages. |
Office Action dated Jun. 18, 2019 issued by Canadian Intellectual Property Office in corresponding CA Application No. 2,940,826, 4 pgs. |
Number | Date | Country | |
---|---|---|---|
20170236425 A1 | Aug 2017 | US |