Method and system of reactive interferer detection

Abstract

A method and system of reliably detecting a reactive jamming attack and estimating the jammer's listening interval for exploitation by a communication system comprises channelizing one or more signals of interest (SOI), channelizing one or more signals of unknown origin (SUO), identifying frequency support patterns for the SOI and SUO using Bayes thresholds, comparing SOI and SUO detection map histories, and determining a percent match, where a match percentage above a specified minimum indicates a reactive attack. Edge detection can be used to enhance jammer support. Embodiments further detect reactive jammer adaptation to changes in the SOI's frequency support. Embodiments include detectors that are insensitive to jammer modulation and/or signal type. A jammer reaction delay and/or size and periodicity of receive window can be detected. Embodiments determine if a jammer is copying and retransmitting the SOI's waveform(s), and/or if the jammer is anticipatory.

Claims

1. A method of analyzing a signal of unknown origin (SUO) so as to determine if it contains an interferer attack on a signal of interest (SOI), the method comprising: channelizing the SOI; channelizing the SUO, applying edge detection to the channelized SUO and estimating therefrom a receiver gate period for the SUO; identifying frequency support patterns for the SOI and SUO and using the estimated SUO receiver gate period to enhance the identification of the SUO frequency support patterns; cross correlating the identified frequency support patterns of the SOI and SUO, and determining therefrom a percentage match, wherein the cross correlating occurs without prior information about the SUO; determining if the SUO constitutes the interferer attack on the SOI if the percentage match is above a specified threshold; and if the SUO is determined to be the interferer attack, at least one of sending an alert of the interferer attack and implementing an attack mitigation strategy.

2. The method of claim 1, wherein identifying the frequency support patterns comprises applying Bayes thresholds.

3. The method of claim 1, wherein channelizing the SUO includes adding a metric incoherently over at least one channel of the channelized SUO.

4. The method of claim 3, wherein the metric is given by:
=.sub.k ln(1k) where is the metric and 1.sub.k is a normalized mean square SOI-jammer error for channel k.

5. The method of claim 1, further comprising: recording detection map histories for the channelized SOI and SUO; and correlating the detection map histories for the channelized SOI and SUO.

6. The method of claim 5, further comprising determining a likelihood that the interferer attack is reactive to changes in the SOI frequency support pattern.

7. The method of claim 6, further comprising, if the interferer attack is reactive, determining if the reactive interferer attack is anticipatory of the SOI frequency support pattern.

8. The method of claim 6, further comprising estimating a reaction delay of the interferer attack.

9. The method of claim 1, further comprising estimating a periodicity of the interferer attack.

10. The method of claim 1, further comprising determining if the interferer attack includes copying and retransmitting waveforms of the SOT.

11. The method of claim 10, further comprising determining if the interferer attack is at regular intervals.

12. The method of claim 10, further comprising determining if the interferer attack occurs at particular intervals, wherein the particular intervals may be regular or irregular.

13. The method of claim 10, further comprising determining if the interferer attack includes altering the retransmitted waveforms of the SOI before retransmission thereof, while preserving the frequency support pattern thereof.

14. The method of claim 1, wherein determining if the SUO contains the interferer attack includes using a hypothesis test over a plurality of local frequency shifts.

15. The method of claim 1, further comprising providing look-throughs to further enhance characterization of the interferer attack.

16. A system configured for analyzing a signal of unknown origin (SUO) so as to determine if it contains an interferer attack on a signal of interest (SOI), the system comprising: a receiver configured for detecting the SUO; at least one channelizer configured to channelize the SUO and the SOI; and a computing device configured to execute programming instructions that: apply edge detection to the channelized SUO and estimating therefrom a receiver gate period for the SUO; identify frequency support patterns for the SOI and SUO and using the estimated SUO receiver gate period to enhance the identification of the SUO frequency support patterns; cross correlate the identified frequency support patterns of the SOI and SUO without prior information about the SUO, and determining therefrom a percentage match; determine that the SUO constitutes the interferer attack on the SOI if the percentage match is above a specified threshold; and if the SUO is determined to be the interferer attack, at least one of notify a user of the attack and implement an attack mitigation strategy.

17. A non-transitory computer-readable storage medium having an executable program stored thereon for analyzing a signal of unknown origin (SUO) so as to determine if it contains an interferer attack on a signal of interest (SOI), wherein the program instructs a processor to: channelize the SUO and the SOI of received signals, apply edge detection to the channelized SUO and estimate therefrom a receiver gate period for the SUO; identify frequency support patterns for the SOI and SUO and using the estimated SUO receiver gate period to enhance the identification of the SUO frequency support patterns; cross correlate the identified frequency support patterns of the SOI and SUO without prior information about the SUO, and determining therefrom a percentage match; determine that the SUO constitutes the interferer attack on the SOI if the percentage match is above a specified threshold; and if the SUO is determined to be the interferer attack, at least one of notify a user of the attack and implement an attack mitigation strategy.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) FIG. 1 is a flow diagram that illustrates the operation of a time/frequency support detector in an embodiment of the present system;

(2) FIG. 2 illustrates the application of a test for a reactive jammer in an embodiment of the present system;

(3) FIG. 3 is a graphical plot of a correlation peak over time in an embodiment of the present system;

(4) FIG. 4A is a flow diagram that illustrates the operation of an embodiment of the present technique which implements receive gate estimation;

(5) FIG. 4B is a graphical plot of edge detection of FFT peaks at multiples of a jammer receive period;

(6) FIG. 5 is a graphical plot of the log likelihood of digital radio frequency memory detection over time in an embodiment of the present system;

(7) FIG. 6 is a flow diagram that illustrates a channelized detection history correlation system in an embodiment of the present system; and

(8) FIG. 7 is a block representation of the elements of the present system according to one embodiment.

DETAILED DESCRIPTION

(9) The present disclosure is an improved system and method of reliably detecting a reactive jamming attack and estimating the jammer's listening interval for exploitation by a communication system.

(10) In particular, the system and method compares time/frequency detection maps of communications systems to time/frequency detection maps of jammers or other interferers. Certain embodiments perform this comparison while being aware of times when the SOI communication system is not sensing the environment, typically because it is transmitting.

(11) FIG. 1 is a flow diagram of a time/frequency support detector in an embodiment that detects jamming attacks based on correlations between the frequency support of the attack and the frequency support of the SOI. Specifically, in the embodiment of FIG. 1, a time/frequency transform is applied to channelize 104 both a SOI 100 and a jammer signal 102, after which Bayesian threshold 106 is applied so as to identify the frequency support in each case. In the embodiment of FIG. 1, the two values are cross-correlated 108 and a peak is detected 110, from which the reactive delay of the jamming signal and a percentage value of the match is determined 112. In embodiments, the probability P of a jammer detection is given by the formula:
P(H.sub.1(n)|x(n),)=(1+(+(+1)(.sub.n.sup.11)exp((+1))|y(n)2|).sup.1(Eq. 1)
where H.sub.1(n) is the amplitude of the SOI in frequency channel n, x(n) is the amplitude of the jammer signal in frequency channel n, .sub.n is the prior probability, and is the signal-and-interference-to-noise-ratio (SINR) of the jamming signal. Based on the probability, a specified threshold can be used to determine if the SOU is an interferer attack. The specified threshold in one example is a predetermined value based on simulations and/or actual data.

(12) FIG. 2 illustrates a test of the embodiment of FIG. 1 for identifying a reactive jammer. In the test illustrated by FIG. 2, the random hoping of the SOI was in a 200 kHz spread over 5 MHz. The jammer had a 10 s receive window and a 40 s transmit window. The jammer had a jamming-wave signal to noise ratio (JWNR) of 20 dB, and the SOI had a 10 dB signal wave to noise ratio (SWNR) with SOI leakage. There was a reactive delay of 102.4 s. Two dimensional plots of time vs. frequency are presented in the figure for the SOI 200 and the jammer signal 202, as well as the results 204, 206 after the two signals had been channelized 104 and the thresholds had been detected 106.

(13) FIG. 3 presents two plots of correlation peaks over time for the test presented in FIG. 2, where the upper plot is an expansion of the lower plot. For the example shown in the figure there was a 91% overlap of the SOI and jamming signal, and the system correctly estimated the jamming delay as being 102.4 s.

(14) FIG. 4A presents a flow chart outlining a method used in an embodiment of the present system that makes use of an estimated receiver gate period to improve time/frequency support detection. In the illustrated embodiment, the Bayes threshold 106 is used to determine the energy support in the time domain, the DC bias is removed 400, and then a fast Fourier transform (FFT) is performed 402 on the jamming signal.

(15) The result of this FFT 402 is shown in FIG. 4B. A periodic receive gate is assumed, the position of the first peak 404 is used to determine the jamming delay, and edge detection 406 of the frequency peaks is used to obtain an estimate of the jammer receiver gate 408. In the illustrated example, the peaks are separated by 20 kHz, leading to an estimated gate period of 50 microseconds. at multiples of the estimated receiver gate period. This information is then compared with the receiver gate 408 of the SOI so as to enhance the detection of the time/frequency support 410, and thereby to determine the reactive delay and the percent match. In the embodiment of FIGS. 4A and 4B this result is achieved without knowledge of the jammer receive window or SOI leakage.

(16) Embodiments of the present system compare the SOI's time/frequency detection maps to the jammer detector's time/frequency detection maps. In certain embodiments, during the comparison the system is aware of time intervals when the communication system is not sensing the environment. These intervals are usually when the communication systems are transmitting. In certain embodiments, the system does not require prior information regarding the jammer and is capable of comparing various instances of recording and jammer transmitting including, but not limited to, IFFT/FFT, DRFM, detect/follow, and the like.

(17) FIG. 5 presents a plot of the log likelihood of digital radio frequency memory (DRFM) detection over time, i.e. attacks where the SOI is recorded and played back, in an embodiment of the present techniques. According to the embodiment of FIG. 5, the jammer signal is channelized 104 and time correlated with the SOI over each channel 108. In certain embodiments, a metric (p) is added incoherently over each channel, i.e. the amplitudes are added while the phase information is discarded, for example according to the formula:
=.sub.k ln(1k)(Eq. 2)
where 1.sub.k is the normalized mean square SOI-jammer error for channel k.

(18) In some embodiments, the system can detect DRFM with arbitrary filtering. Embodiments use a hypothesis test over many local frequency shifts to further extend the detection capabilities.

(19) In some embodiments, the system detects replay jammers that are on a fixed schedule. In other embodiments, the system recognizes jammers that have stochastic or irregular listening intervals. In embodiments, the system recognizes jammers that filter or change the received signal, but preserve the time/frequency content of the SOI. In various embodiments, the system provides look-throughs, i.e. time periods where the transceiver is forced to receive even if it is in a high-duty cycle transmit state and would otherwise have continued to transmit, therefore ensuring that receive time is provided to measure a jamming waveform and thereby aid in jammer behavior estimation. In various embodiments, the system is able to recognize jammers that are not otherwise clearly separable by correlating the SOI with itself when no jamming waveform can be decomposed from the received signal. In some of these embodiments, the zero time offset correlation is ignored and later correlations are considered to determine if they are reactive a tracks or simply multipath reflections.

(20) FIG. 6 is a flow diagram of the reactive jammer detection system in an embodiment of the present system. The system utilizes channelized detection history correlation 602 which accumulates beamformed time/frequency detection maps for a signal of interest (SOI) over a plurality of recognizer windows, and correlates 600 that history against accumulated beamformed time/frequency detection maps for all of the interferers present. In certain embodiments, the channelized detection history correlation system 600 evaluates the likelihood that the interferer is reacting 604 to the behavior of the SOI.

(21) In embodiments, the delay at the peak 606 gives the delay of a jammer relative to the SOI. Unobserved times (e.g., where the receiver has no information about the jammer because it is transmitting or in a wait state) are weighted 608 to properly compute the likelihoods that the interferer is reacting to the behavior of the SOI. In the embodiment of FIG. 6, the SOI time frequency map is shifted to align with the jammer's 610 based on the reactive delay 606, and then a correlation between the two maps is computed 612 and compared to the sum of each time frequency map to determine an observable termed isReactive 604.

(22) In certain embodiments, to find the jammer's listening window, the system evaluates the periodic nature of the jammer's timing. This is achieved coarsely through frequency analysis of the on/off periods 614, followed by refinement in the time domain 616. Embodiments then compute an observable dubbed IsListening 618 which indicates if a periodic receive window has not been identified, implying that the jammer does not remain in a receive state for a predetermined period of time, but instead bases its receive timing on whether or not it has detected energy on the channels it is scanning.

(23) FIG. 7 is a simplified illustration of the disclosed system 700, which includes a receiver 702 that receives a signal using at least one antenna 704, the received signal including a signal of interest (SOI) as well as a signal of unknown origin (SUO). The receiver 702 typically comprises elements such as downconverters, amplifiers, analog-to-digital converters, filters, memory, processors and the like. A channelizer 706 then channelizes the SUO and the SOI, and a computing device 708 executes programming instructions that identify frequency support patterns for the SOI and SUO, cross correlate the identified frequency support patterns of the SOI and SUO, and determine therefrom a percentage match. The computing device 708 then determines that the SUO constitutes an interferer attack on the SOI if the percentage match is above a specified threshold, and if the SUO is determined to be an interferer attack, a user is notified of the attack and/or an attack mitigation strategy is implemented. The attack mitigation strategy in one example blocks the signals from interfering and can issue an alert to other systems. In another example, the interferer attack signal can be analyzed to determine a point of origin that can become a target.

(24) It will be understood by one of skill in the art that the modules 702, 706, 708 shown in FIG. 7 represent functional elements of the system 700, and do not necessarily imply the physical arrangement of the system or the locations where the functions are performed. In embodiments, for example, channelizing of the SUO and SOI does not require a dedicated hardware device 706, but instead is accomplished as a digital processing step by the computing device 708. Also, it should be noted that in embodiments a single apparatus performs more than one of the indicated functions, and in some embodiments all of the indicated functions 702, 706, 708 reside within a single, physical apparatus.

(25) The foregoing description of the embodiments of the invention has been presented for the purposes of illustration and description. Each and every page of this submission, and all contents thereon, however characterized, identified, or numbered, is considered a substantive part of this application for all purposes, irrespective of form or placement within the application.

(26) The invention illustratively disclosed herein suitably may be practiced in the absence of any element which is not specifically disclosed herein and is not inherently necessary. However, this specification is not intended to be exhaustive. Although the present application is shown in a limited number of forms, the scope of the invention is not limited to just these forms, but is amenable to various changes and modifications without departing from the spirit thereof. One or ordinary skill in the art should appreciate after learning the teachings related to the claimed subject matter contained in the foregoing description that many modifications and variations are possible in light of this disclosure. Accordingly, the claimed subject matter includes any combination of the above-described elements in all possible variations thereof, unless otherwise indicated herein or otherwise clearly contradicted by context. In particular, the limitations presented in dependent claims below can be combined with their corresponding independent claims in any number and in any order without departing from the scope of this disclosure, unless the dependent claims are logically incompatible with each other.