Cell Phone Tracking Part Two

Published on May 2016 | Categories: Types, Research, Math & Engineering | Downloads: 34 | Comments: 0 | Views: 452

This is a follow-up to the Part One tutorial on cell phone tracking.


Cell Phone Tracking/Positioning Technology Review Part 2
M S Prasad

In this Part Two of cell phone tracking/positioning, we explore signal-strength-based tracking and positioning of cell phones. Methods to improve accuracy using some signal processing algorithms are also given, with references for further reading.

GSM System

Global Mobile System (GSM) is a digital wireless network developed by European Digital Mobile standards, operating on two frequency bands, 900 and 1800 MHz. The GSM frequency band utilizes two bands separated by 25 MHz, and each band is divided into 200 kHz channels commonly known as “Absolute Radio Frequency Channel Numbers (ARFCN)”. TDMA is used to share each channel among multiple users. A GSM TDMA frame is composed of 8 timeslots (each 156.25 bits wide), leading to 125 x 8 = 1000 traffic channels (200 kHz channel spacing in 25 MHz gives 125 channels). The GSM system uses GMSK (Gaussian Minimum Shift Keying with BT = 0.3) modulation, giving an effective data rate per user of 270.833 / 8 = 33.854 kbps. This modulation technique has been adopted for its power and spectral efficiency as well as its smooth phase trajectory. Due to other overheads the actual transmission rate is 24.7 kbps. The signaling bit duration is 3.692 µs. The data burst (consisting of data and control signals encoded by a cyclic polynomial) is first converted into an NRZ (∈ [-1, 1]) stream. This stream is passed through a Gaussian filter given as: h(t) = exp ( ) and BT stands for bandwidth bit duration product = 0.3

where x = σ =

The modulation rate is 1/T = 162.5 K/6 symbols/sec.

GSM Control Channels

Besides the traffic channels, there is a group of control channels which handle system information, connection setup and connection control.












The Broadcast Control Channel (BCCH) group handles beacon signaling, synchronization of the MS with the serving BTS, and timing advance adjustment. It comprises:
– BCCH – Broadcast Control Channel
– FCCH – Frequency Control Channel
– SCH – Synchronization Channel

BCCH is responsible for:
– Sending out of beacon on one frequency per cell (by BTS)
– Contains 16-bit Location Area (LA) code
– Must be on Time Slot #0, following time slots used by TCH

BCCH provides:
– Details of the control channel configuration
– Parameters to be used in the cell
– Random access back-off values
– Maximum power an MS may access (MS_TXPWR_MAX_CCCH)
– Minimum received power at MS (RXLEV_ACCESS_MIN)
– Is cell allowed? (CELL_BAR_ACCESS)
– List of carriers used in the cell (needed if frequency hopping is applied)
– List of BCCH carriers and BSIC of neighbouring cells

FCCH is responsible for the first part of MS tuning (synchronisation of mobile device to BTS signal):
– MS listens on strongest beacon for a pure sine wave (FCCH); first coarse bit synchronization, used for fine tuning of oscillator
– Immediately after follows a SCH burst

SCH: Fine tuning of synchronization (64 bits training sequence)
– Read burst content for synchronization data
– 25 bits (+ 10 parity + 4 tail + ½ convolution coding = 78 bits)
– 6 bits: BSIC, 19 bits: Frame Number (reduced)

Finally the MS is able to read the BCCH information.

Cell Identification

The Cell Identification technique operates in GSM, GPRS and WCDMA mobile/cellular networks. It is a simple and easy way to locate a cell phone by identifying the serving cell. This technique requires identifying, communicating with and locating the base station to which the mobile phone is connected. It passes the location of the base station as the location of the mobile user to location service applications. As a mobile user moves around, the network keeps track of the base station through which it can reach the mobile, and the location is updated accordingly.

The accuracy of this technique depends upon the infrastructure / physical architecture of the network, i.e. the size and density of the cells. Systems with smaller cells such as in rural areas will have more precision than systems with large cells. Accuracy is between 100 meters and 20 kilometers.

A Base Transceiver Station (BTS) covers a set of cells, each of them identified by a unique Cell-ID (i.e. C1, C2 and C3 in the figure). A Mobile Station (MS) continuously selects a cell and exchanges data and signaling traffic with the corresponding BTS. Cells are grouped into clusters, each of them identified by a Location Area Identifier (LAI). In order to avoid excessive signaling traffic, as long as the MS is in idle mode, the network knows only the LAI. The network becomes aware of the Cell-ID only when the MS switches into dedicated mode, namely when the channel is used to actually establish a call. In contrast, the MS always knows the Cell-ID of the cell it is in.

Timing Advance (TA)

The timing advance corresponds to the number of milliseconds the signal from the mobile phone takes to travel to the base station. The time at which a terminal sends its transmission burst is critical to the efficient functioning of a GSM network. GSM uses Time Division Multiple Access to share one frequency between several users, assigning timeslots to the individual mobile users sharing a frequency; each mobile user can transmit only at a certain time. Because the users are at different distances from the base station, the precise time at which the phone is allowed to transmit (its timeslot) has to be adjusted accordingly.

This value indicates the number of bits by which the mobile station has to advance its transmission burst so that the data arrives in the correct time slot of the TDMA frame. The resolution of this calculation is 1 bit, which is 3.69 μs in GSM. Hence, based on this, the location of the MS would be a ring of 3.69 / 2 = 1.85 μs, or 554 m.

Signal Strength

The mobile phone continuously measures the strength of the signal from each of the base stations and reports this information back to them, so that communication between the mobile phone and the base station has optimum signal strength. Signal strength is measured in voltage per square area. Hence, theoretically, we can calculate the approximate location of the mobile user from the cell ID and the signal strength. The mobile station (MS) measures the signal strength of at least 6 adjacent base stations. When the signal of one of the cells is higher, the MS connects to that cell.

These measurements are transmitted to the network over the SACCH channel. The mobile station (MS) measures the level and quality of the downlink burst during the connection, and the level of the neighbour cells. The signal strength is measured between -110 dBm and -48 dBm and can uniquely be allotted to a 64-ary RXLEV parameter (RXLEV = 0 matches -110 dBm, RXLEV = 63 matches -48 dBm). Therefore, the resolution of the signal strength measurements is one dB. The signal quality is measured according to the Bit Error Ratio (BER) before the channel coding. There are 8 discrete RXQUAL values that describe the quality of the connection. The required precision is between 75% (RXQUAL 1) and 95% (RXQUAL 5-7). For RXQUAL 0 the bit error rate is less than 0.2%. The data that the mobile station transmits are: RXLEV and RXQUAL of the traffic channel, and BCCH-RXLEV from up to 6 neighbour cells with information about the BSIC and frequency of each BCCH. The time between two measurements is 4.615 ms (TDMA frame).
Several transmission and propagation models, empirical and theoretical, exist to translate signal strength into distance measurements. The common propagation models are given below.

Path Loss Analysis / Propagation Models

Path loss in the case of free space propagation (an ideal situation) is given as:

Path loss = 32.44 + 20 log(d) + 20 log(f) – antenna gains of Tx and Rx

Here d is the separation between transmitter and receiver in km and f is the frequency in MHz. In practical measurement and analysis the path loss is generally calculated by empirical relations, due to the complex phenomena of propagation through different media.

A. Hata-Okumura Model

This model gives a path loss expression for each of the urban, suburban and open environments. It defines a parameter a (hm) to be the mobile height correction factor or gain (dB). As a result Hata subdivided the urban environment into large and small/medium cities.

Path Loss = 69.55 + 26.16 log(f) – 13.82 log(hb) – a(hm) + (44.9 – 6.55 log(hb)) log(d)

This path loss is for an URBAN area. For a suburban area an additional term is added as - 2(log(f/28)) -. Here a(h) is the gain factor, which is given empirically as:

a(h) = 32 (log(11.5 h)) – 4.97 for a large city
a(h) = 1.1 log(f – 0.7) h – 1.56 log(f) – 0.8 for a small & medium city

hb = height of base station in m
hm = height of mobile
d = distance between base station and mobile set (km)
f = carrier frequency in MHz

Based on this, the path loss for highways is empirically defined as:

Path loss = Path loss for urban area – 2 [log(f/28)]^2 – 5.4 (without noise factor)

B. COST 231 Hata Model

This model is an extension of the Hata-Okumura model for communication systems operating at 1800-2000 MHz. The path loss in an urban area is given by:

Path Loss = 46.3 + 33.9 log(f) – 13.82 log(hb) – a(hm) + [44.9 – 6.55 log(hb)] log(d) + Cm

a(hm) = [1.1 log(f) – 0.7] hm – [1.56 log(f) – 0.8] and Cm = 0 for suburban area
a(hm) = 3.2 [log(11.7 hm)]^2 – 4.97 and Cm = 3 dB for urban area

Note: There is another COST 231 model, the Walfisch-Ikegami model, containing factors like roofs and multi-screen diffraction losses etc.

ECC – 33 Model

The path loss model has been developed by the Electronic Communication Committee and extrapolated from the Okumura model with assumptions more suitable to wireless transmission (fixed stations).

Path Loss = A_FS + B_med – height gain factor of Tx – correction factor

where A_FS is the free space attenuation and B_med is the median path loss:

A_FS = 92.4 + 20 log(d) + log(f)
B_med = 20.41 + 9.83 log(d) + 7.894 log(f) + 9.56 [log(f)]^2

Height gain factor of base station: GB = log(HB/200) [13.958 + 5.8 log(d)]
Correction factor: Gr = [42.57 + 13.7 log(f)] . log(hm) – 0.585 (it is a gain for the mobile set)

D. CCIR Model

Path Loss = 69.55 + 26.16 log(f) – 13.82 log(hb) – a(hm) + (44.9 – 6.55 log(hb)) log(d) – C

where a(hm) = [1.1 log(f) – 0.7] hm – [1.56 log(f) – 0.8] and C = 30 – 25 log(% of area covered by buildings)

Signal Fading
There are two types of fading that generally occur in radio wave propagation: long-term and short-term fading. Long-term fading is caused by obstacles (due to shadowing and diffraction), with a typical period of 10-100 λ and a mean variation of 6-10 dB. Long-term fading has a log-normal distribution. Short-term fading occurs over a small distance or time, less than λ, with its mean value around 20-30 dB. It has a Rayleigh distribution when there is no direct LOS. When the LOS is dominant, it follows the Ricean distribution. The Rayleigh flat fading model is suitable for cities, where there may be a number of signal paths, and the Ricean fading model for suburban areas, where there is a dominant LOS and few scatterers. Some suggested values for computations are as under:

Surface            σ (dB)
Open               10.35
Roads              17.31
Water              21.67
Urban 4-6 story    13.71
Urban 2-3 story    8.82

(Ref: Sklar B, “Rayleigh Fading Channels in Mobile Digital Communication System Part 1”, IEEE Communication Magazine, July 1997)

Method of calculation

Method A: Taking all the propagation effects into consideration, the signal strength actually received is translated into distance. This yields a less accurate but simple estimate of location.

The general equation for empirical path loss models is Pr / Pt = k ( d0/d)2y, where d0 is a reference distance, k is the path loss constant and y is the path loss exponent, which is 3 < y < 4 for cellular networks. k and y change according to the empirical model. They are measured in the environment settings considered in every model. However, those models still do not account for local variations caused by the actual terrain. Simulations have shown accuracies of less than 500 meters for such models.
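Inverting a path loss model for range, as an added example that is not part of the original document: it uses the COST 231 Hata expression with the constants as printed on this page, and the σ value for 2-3 story urban terrain from the fading table, to show how wide the distance interval from a single reading is. The 50 dBm EIRP, the antenna heights and the -86 dBm reading are assumed sample values.

```python
import math


def a_hm(f_mhz, hm, urban=False):
    """Mobile antenna correction a(hm), constants as printed on this page."""
    if urban:
        return 3.2 * math.log10(11.7 * hm) ** 2 - 4.97
    lf = math.log10(f_mhz)
    return (1.1 * lf - 0.7) * hm - (1.56 * lf - 0.8)


def slope_db_per_decade(hb):
    """Distance term of the model: dB of extra loss per tenfold distance."""
    return 44.9 - 6.55 * math.log10(hb)


def path_loss_db(d_km, f_mhz, hb, hm, urban=False):
    """COST 231 Hata path loss; Cm = 3 dB urban, 0 dB suburban."""
    cm = 3.0 if urban else 0.0
    return (46.3 + 33.9 * math.log10(f_mhz) - 13.82 * math.log10(hb)
            - a_hm(f_mhz, hm, urban)
            + slope_db_per_decade(hb) * math.log10(d_km) + cm)


def distance_km(loss_db, f_mhz, hb, hm, urban=False):
    """Invert path_loss_db: the distance at which the model predicts loss_db."""
    loss_at_1km = path_loss_db(1.0, f_mhz, hb, hm, urban)
    return 10 ** ((loss_db - loss_at_1km) / slope_db_per_decade(hb))


def range_bounds_km(rx_dbm, eirp_dbm, sigma_db, f_mhz, hb, hm, urban=False):
    """(low, estimate, high) distance when shadowing moves the reading
    by -/+ sigma_db around its mean."""
    loss = eirp_dbm - rx_dbm          # assumed link budget: loss = EIRP - Rx
    args = (f_mhz, hb, hm, urban)
    return (distance_km(loss - sigma_db, *args),
            distance_km(loss, *args),
            distance_km(loss + sigma_db, *args))


if __name__ == "__main__":
    # Assumed sample values: 1800 MHz carrier, 30 m mast, 1.5 m handset.
    lo, est, hi = range_bounds_km(-86.0, 50.0, 8.82, 1800.0, 30.0, 1.5,
                                  urban=True)
    print(f"estimate {est:.2f} km, one-sigma interval {lo:.2f} to {hi:.2f} km")
```

A single σ of shadowing stretches the interval by a factor of 10^(2σ/slope) end to end, which is why Method A alone gives only a coarse ring.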

Method B: If we have measurements of the signal strength of two or more base stations, then we can find the coordinates of the MS as the intersection of two or three circles, as shown below:

[Figure: two intersecting circles of radius R and r, with centres a distance d apart and the intersection at x]

Assume two circles with radii R and r and centres at (0, 0) and (d, 0). The equations of the circles are:

X^2 + Y^2 = R^2 and (X – d)^2 + Y^2 = r^2

Solving these, we get:

X = (d^2 + R^2 – r^2) / 2d and d – X = (d^2 + r^2 – R^2) / 2d
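The two-circle solution above, generalised to base stations at arbitrary coordinates, with a third station used to choose between the two intersection points (an added example, not part of the original document). Station coordinates and ranges are constructed sample values, and the fallback used when noisy ranges leave the circles without an intersection is a choice made for this example.

```python
import math


def circle_candidates(c0, r0, c1, r1):
    """Candidate MS positions from two range circles.

    Returns (points, exact). exact is False when the circles do not meet
    (noisy ranges); the single point returned is then the foot of the
    radical line on the baseline, a fallback chosen for this example.
    """
    (x0, y0), (x1, y1) = c0, c1
    d = math.hypot(x1 - x0, y1 - y0)
    if d == 0:
        return [], False                      # co-sited stations: no geometry
    # Page formula X = (d^2 + R^2 - r^2) / 2d, measured from c0 towards c1.
    a = (d * d + r0 * r0 - r1 * r1) / (2 * d)
    ux, uy = (x1 - x0) / d, (y1 - y0) / d     # unit vector along the baseline
    foot = (x0 + a * ux, y0 + a * uy)
    h_sq = r0 * r0 - a * a                    # Y^2 = R^2 - X^2
    if h_sq < 0:
        return [foot], False
    h = math.sqrt(h_sq)
    return [(foot[0] - h * uy, foot[1] + h * ux),
            (foot[0] + h * uy, foot[1] - h * ux)], True


def locate(measurements):
    """measurements: [((x, y), range_m), ...] with at least three stations.

    The first two circles give the candidates; the remaining stations pick
    the candidate whose distances best agree with their measured ranges.
    Returns (position, rms_residual_m, exact).
    """
    (c0, r0), (c1, r1), *others = measurements
    points, exact = circle_candidates(c0, r0, c1, r1)
    if not points or not others:
        raise ValueError("need two separated stations plus one to disambiguate")

    def rms(p):
        errs = [math.hypot(p[0] - c[0], p[1] - c[1]) - r for c, r in others]
        return math.sqrt(sum(e * e for e in errs) / len(errs))

    best = min(points, key=rms)
    return best, rms(best), exact


# Constructed sample: three base stations (metres, local grid) and a handset
# at (1200, 900); ranges would come from a path loss model or timing advance.
TRUE_MS = (1200.0, 900.0)
STATIONS = [(0.0, 0.0), (4000.0, 0.0), (0.0, 3000.0)]
CLEAN = [(s, math.hypot(TRUE_MS[0] - s[0], TRUE_MS[1] - s[1])) for s in STATIONS]
# Same stations with ranges underestimated so the first two circles never meet.
SHORT = [(STATIONS[0], 1000.0), (STATIONS[1], 2000.0), (STATIONS[2], 2400.0)]

if __name__ == "__main__":
    for name, meas in (("clean", CLEAN), ("short", SHORT)):
        pos, resid, exact = locate(meas)
        print(f"{name}: x={pos[0]:.0f} m y={pos[1]:.0f} m "
              f"residual={resid:.0f} m exact={exact}")
```

The residual against the third station is a quick quality check: a large value means the ranges are mutually inconsistent and the fix should not be trusted.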

Method C: We can generate the path loss prediction and received signal strength as two-dimensional land parcel data, akin to pixels in an image and their grey values. The land parcel resolution can be fixed depending on the accuracy required and the urban area. Then the received signal strength from the MS can be matched with the predicted signal strength to get the location of the MS. This method is also known as Signature Generation / Finger Printing or Data base correlation (DBC) method.

Data base correlation (DBC) method

The Database Correlation Method (DCM) for estimating the location of the Mobile Stations (MS) in cellular networks relies on a pre-measured database of a location dependent variable seen by the MS.

The key idea here is to store the signal information seen by the Mobile Station (MS), within the coverage area, in a database as signal information samples called Fingerprints. If RSS is considered as the location dependent variable, then, a fingerprint consists of the RSS of all hearable cells labeled with the corresponding cell ID and the coordinates of the location at which the measurement is taken. In location estimation, a measured signal sample from the mobile to be located is compared with the fingerprints stored in the database. The location of the best matching fingerprint is given as the estimated location. The concept of the database correlation method is shown below :-

When the MS needs to be located, the necessary measurements are performed and transmitted to the location server. The location server then calculates the MS location by comparing the transmitted information with the fingerprints of the database. Hence the fingerprint matching algorithm and the location estimation algorithm play a major role in the accuracy of the estimation. The fingerprint resolution of the reference database is another key factor that governs the accuracy of the technique. Thus the database should contain fingerprints with a resolution comparable to the accuracy that is required and obtainable.

Thus, a single fingerprint in the database consists of:
● Location coordinates
● Received signal strength (from the serving base station and other neighboring base stations in that location)
The TA value is also to be noted, which can be attached to an area.

Due to multi-path propagation and small-scale fading, the RSS at a particular location varies from time to time. Some cells could undergo very slight RSS variation while others experience severe fluctuation. Also, not all the hearable cells would appear in all the measurements. Accordingly, a single measurement cannot be used to characterize the RSS at a location, and several stationary measurements are required to characterize the RSS reasonably. Also, if fingerprints are created using a number of stationary measurements at several locations along a road, they would not characterize the RSS in between the fingerprint locations. In order to handle both of the above problems it is necessary to obtain several stationary measurements at each fingerprint location with a much higher fingerprint resolution. This would be less practical in an outdoor environment in terms of the time and effort needed to create the fingerprint database. Thus, drive tests were carried out, continuously taking measurements along roads, and a “Sliding Window” approach was used for fingerprints.

Fingerprint Matching / Data Base Correlation

After filtering the database fingerprints, a fingerprint matching technique or a correlation method could be applied to find the difference between the RSS measurements at the MS to be located (the observation) and each database fingerprint. Based on this difference the nearest fingerprints for the MS location could be identified, and the location could be estimated using these nearest neighbors.

Method-1

Method-1 is based on measuring the signal distance between each database fingerprint and the observation. The general equation to calculate the signal distance between the observation and the database fingerprint can be given as (1).

D(k) = [ Σi | fi – gi(k) |^q ]^(1/q)    (1)

Where fi is the RSS from the ith hearable cell in the observation, gi(k) is the RSS from the same cell in the kth database fingerprint. The Manhattan distance and the Euclidean distance are two widely used distance measurements corresponding to q=1 and q=2 respectively.

Equation (1) could be directly applied to calculate the signal distance only if same set of cells appear in both vectors. Cells which appear only in one vector would contribute as penalty terms. Thus (1) should be modified to handle these penalty terms. Then the problem arises on how to handle these penalty terms. If a particular cell does not appear in one vector it is reasonable to think that the RSS from that cell is extremely low in this vector. Since several measurements are obtained in each test location and several measurements are used to create a fingerprint, it is possible to modify the penalty term by applying a weight based on the contribution of the corresponding cell in the observation or in the fingerprint.

Location Estimation

After identifying the nearest neighbors, there are several algorithms for estimating the location of the MS during the online positioning phase. The basic one is the Nearest Neighbor (NN) approach. If multiple nearest neighbors are chosen, a K-Nearest Neighbor (KNN) or a Weighted K-Nearest Neighbor (WkNN) method could be applied. Performance of the NN and the WkNN approaches was evaluated during this research.

Nearest Neighbor (NN) method: DCM-NN
This simply estimates the location as that of the nearest or best matching database fingerprint.

Weighted k Nearest Neighbor (WkNN) method: DCM-WkNN
Here, the k (k >= 2) nearest fingerprints are chosen and the location is estimated as the weighted average of the locations of the k neighbors. Among the different weighting mechanisms tested, the weighting mechanism depicted by (5) provided better performance.

wk = [1 / D(k)] / Σ [1 / D(k)]

Where wk is the corresponding weight of the kth nearest neighbor. The WkNN method was evaluated by varying the number of selected neighbors (i.e. k) from 2 to 10 to identify the best matching value for k. The identified nearest neighbors could be close in signal space but might be far away in physical space. This would diminish the positioning accuracy of the developed algorithm. As a solution, the Geographical K-Mean Clustering approach [5] could be applied. It is reasonable to assume that this approach would reduce the effect of physically distant neighbors in positioning and would enhance positioning accuracy. The clustering approach was evaluated with K = 2 to split the set of k neighbors into two geographical clusters. Then the weighted average could be applied to the most probable cluster. The most probable cluster could be the cluster with the maximum number of neighbors or the maximum weights.
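A minimal DCM-NN / DCM-WkNN matcher built from equation (1) and the weight formula above, as an added example rather than code from the original study. The fingerprint database and observation are constructed sample values, and a cell missing from one vector is substituted with -110 dBm (the lowest level in the RXLEV range) as a simple unweighted penalty term.

```python
FLOOR_DBM = -110.0   # lowest level in the RXLEV range (RXLEV = 0)


def signal_distance(obs, fingerprint, q=2, floor=FLOOR_DBM):
    """Equation (1) over the union of cell IDs.

    A cell missing from one vector is assumed to be heard at `floor`, so it
    contributes a penalty term instead of being ignored (unweighted here).
    """
    cells = set(obs) | set(fingerprint)
    total = sum(abs(obs.get(c, floor) - fingerprint.get(c, floor)) ** q
                for c in cells)
    return total ** (1.0 / q)


def nearest(obs, database, k, q=2):
    """The k database entries closest in signal space, as (D, xy) pairs."""
    scored = [(signal_distance(obs, fp["rss"], q), fp["xy"]) for fp in database]
    return sorted(scored)[:k]


def wknn_locate(obs, database, k=2, q=2):
    """DCM-WkNN estimate with weights (1/D) / sum(1/D); k=1 gives DCM-NN."""
    neighbours = nearest(obs, database, k, q)
    if neighbours[0][0] == 0:          # exact match: weight would be infinite
        return neighbours[0][1]
    inv = [1.0 / d for d, _ in neighbours]
    norm = sum(inv)
    x = sum(w * xy[0] for w, (_, xy) in zip(inv, neighbours)) / norm
    y = sum(w * xy[1] for w, (_, xy) in zip(inv, neighbours)) / norm
    return (x, y)


# Constructed sample: fingerprints every 100 m along a road (metres, local
# grid), RSS in dBm keyed by cell ID. C1 fades out and C4 appears eastwards.
DATABASE = [
    {"xy": (0.0, 0.0),   "rss": {"C1": -60, "C2": -85, "C3": -95}},
    {"xy": (100.0, 0.0), "rss": {"C1": -66, "C2": -80, "C3": -93}},
    {"xy": (200.0, 0.0), "rss": {"C1": -72, "C2": -74, "C3": -90}},
    {"xy": (300.0, 0.0), "rss": {"C1": -78, "C2": -68, "C3": -88, "C4": -100}},
    {"xy": (400.0, 0.0), "rss": {"C2": -62, "C3": -85, "C4": -94}},
]
OBS = {"C1": -70, "C2": -76, "C3": -91}   # constructed measurement report

if __name__ == "__main__":
    for d, xy in nearest(OBS, DATABASE, k=len(DATABASE)):
        print(f"D = {d:6.2f} dB  fingerprint at {xy}")
    print("DCM-NN   :", wknn_locate(OBS, DATABASE, k=1))
    print("DCM-WkNN :", wknn_locate(OBS, DATABASE, k=2))
```

The fingerprints at 300 m and 400 m rank last mainly because of the penalty terms for C4 and the missing C1, which is the effect the penalty discussion above describes.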

Accuracy enhancement

The location or positioning accuracy can be further increased by using a statistical model to predict the range / distance values.

Weighted Least Square method

Let us assume the MS location is (xm, ym) and the base station locations are (xi, yi) (i = 1, 2, ..., N), where N is the number of base stations from which measurement is possible (sometimes also referred to as hearable).

Di = [(xm – xi)^2 + (ym – yi)^2]^(1/2)

Di = distance between MS and BTS

Also

Pr(i) = Ki Pt(i) / Di^a

Pr(i) = power received by the MS from the i-th base station
Ki = factors affecting the received power, such as antenna height etc.
Pt(i) = transmitted power of the i-th base station
a = propagation constant, i.e. path loss slope, generally a = 2 for free space and 4-5 for NLOS

A factor can be added to the range calculation to take noise into consideration, assumed to be a white Gaussian noise process with zero mean and variance σ^2. Hence the range measurement could be written as:

Ri = Ki Pt(i) / Pr(i) + ni
   = Di^a + ni
   = [(xm – xi)^2 + (ym – yi)^2]^(a/2) + ni

This equation can be modeled in vector form and the weights computed as shown by Y T Chan et al. In the literature a couple of attempts have been made to use the Kalman filter for mobile location prediction.

References:

[1] M. Hata, “Empirical Formula for propagation loss in land mobile radio services”, IEE Trans Veh Tech, Vol 29, pp 317-325, 1980.
[2] COST 231: Urban Transmission Model for mobile radio in 900-1800 MHz bands. Technical Report D (91), European Cooperation in the Scientific and Technical Research (COST), Sep 1991.
[3] Masaharu Hata, “Empirical formula for propagation loss in Land mobile services”, IEEE T on Veh Tech, vol VT-29, pp 307-324, Aug 80.
[4] Paul Kemppi, “Database Correlation Method for Multi-system Location”, Master’s Thesis, Department of Electrical and Communications Engineering, Helsinki University Of Technology, August 2005.
[5] Y. T. Chan & K. C. Ho, “A simple & efficient estimator for hyperbolic location”, IEE Trans Signal Processing, Vol 42, pp 1905-1915, Aug 1994.
[6] Veljo Otsason, Alex Varshavsky, Anthony LaMarca and Eyal de Lara, “Accurate GSM indoor location”, pp. 141–158, Springer-Verlag Berlin Heidelberg, 2005.
[7] Veljo Otsason, “Indoor Localization Using Wide GSM Fingerprinting”, Master’s Thesis, Faculty of Mathematics and Computer Science, University of Tartu, 2005.
[8] B.D.S. Lakmali, W.H.M.P. Wijesinghe, K.U.M. De Silva, K.G. Liyanagama, and S.A.D. Dias, “Design, Implementation and Testing of Positioning Techniques in Mobile Networks”, International Conference on Information and Automation for Sustainability, December 2007.
[9] Binghao Li, Yufei Wang, Hyung Keun Lee, Andrew Dempster, and Chris Rizos, “A New Method of Yielding a Database of Location Fingerprints in WLAN”, Communications, IEE Proceedings, 2005.
[10] Y T Chan, Kw Cheung et al, “Received Signal Strength Based Mobile positioning via Constrained Weighted Least Squares”, ICASSP 2003, V 137-140.
[11] Hemani S, Oussalah M & P Hall, “Combination of GSM & GPS signal for mobile positioning & location service using Kalman Filter”, Proceedings of World Congress on Engineering 2007, Vol II.

Identification of mobile subscriber

A unique International Mobile Subscriber Identity (IMSI) is given to each mobile subscriber in the GSM network. This identification number is 15 digits long and consists of numeric characters (0 to 9). This number contains three digits of Mobile Country Code (MCC), two digits of Mobile Network Code (MNC) and the Mobile Subscriber Identification Number (MSIN) (ETS GSM 03.03, 1995). The MCC uniquely identifies the country of the mobile subscriber. The MNC identifies the home GSM Public Land Mobile Network (PLMN) of the mobile subscriber. Each and every network in the country is given a unique identification number in GSM, which is the MNC code. Allocation of the Mobile Subscriber Identification Number (MSIN) depends on the individual network. The National Mobile Subscriber Identity is MNC + MSIN (ETS GSM 03.03, 1995). Figure 2.3 shows the structure of the Mobile Subscriber Identification Number.

Location Area Identification (LAI) consists of MCC, MNC and Location Area Code (LAC). MCC and MNC are the same as the three- and two-digit codes used in the IMSI. LAC is a fixed-length code of 2 octets identifying a location area within a GSM network.

As shown in Figure 2.4, Cell Global Identification (CGI) consists of the Location Area Identification and the Cell Identity (CI). CI is of fixed length with 2 octets and it can be coded using a full hexadecimal representation (ETS GSM 03.03, 1995).

Base Station Identity Code (BSIC) comprises the Network Colour Code (NCC) and Base Station Colour Code (BCC), each of which has 3 bits. Figure 2.5 shows the structure of BSIC. BSIC is a local colour code that a mobile station uses to distinguish between different neighbouring base stations. Each cell has an allocated BSIC, and in each burst the BSIC is broadcast on the Synchronization Channel (SCH). BSICs are used to avoid ambiguity or interference which can arise when a mobile station in a given position can receive two cells using the same Broadcast Control Channel (BCCH) frequency. The BCC of each base station is assigned by the network operator such that no neighbouring stations have equal BCC and thus equal BSIC (ETS GSM 03.03, 1995).

BSIC is a value between 0 and 63, and a BSIC is allocated for each cell. In each cell its BSIC is broadcast in every burst. When in idle mode, the mobile station identifies a cell according to the cell identity broadcast on the BCCH and not by BSIC (ETS GSM
