ION GNSS + 2016 Conference, Session E5, Portland, OR, Sept 12-16 2016 1/11
EFFECT OF TRACKING PARAMETERS ON GNSS RECEIVER VULNERABILITY TO SPOOFING ATTACK
Ali Broumandan, Ali Jafarnia Jahromi, Saeed Daneshmand, Gérard Lachapelle
Geomatics Engineering Department, University of Calgary, Calgary, Canada
BIOGRAPHIES
Ali Broumandan received his Ph.D. degree in the Geomatics
Engineering from the University of Calgary. Since November
2013, he is working in the PLAN Group as a senior research
associate where his research focuses on GNSS interference
mitigation utilizing single and multiple antenna processing.
He has been involved in several industrial research projects
focusing on spatial/temporal GNSS signal processing.
Ali Jafarnia Jahromi received his Ph.D. in Geomatics
Engineering from the University of Calgary in 2013. He holds
B.Sc. and M.Sc. degrees in Telecommunications Engineering.
He was a post-doctoral fellow in the PLAN group from 2013
to early 2016 before starting to work in industry. His research
interests include GNSS signal processing and receiver design.
Saeed Daneshmand holds a Ph.D. degree in Geomatics
Engineering from the University of Calgary. Since May 2013
he has been a senior research associate/post-doctoral fellow
in the PLAN Group. His research interests are in the area of
software receivers and signal processing for GNSS.
Gérard Lachapelle, Professor Emeritus, has been involved
in a multitude of GNSS R&D projects since 1980, ranging
from RTK positioning to indoor location and signal
processing enhancements, first in industry and, since 1988, at
the University of Calgary.
ABSTRACT
Civilian GNSS signals are highly vulnerable to spoofing
attacks due to their publicly known signal structure and the lack of
protection against it. A spoofing signal which is synchronized
to the authentic ones can deceive the tracking process of a
receiver and may lead to a fake position solution. This paper
focuses on analyzing the effect of spoofing signal parameters
on a target receiver in overlapped spoofing attack scenarios.
It is assumed that the receiver is operating in a tracking loop
and the spoofer tries to grab the correlation function without
causing loss of lock. The spoofing parameters required to successfully
capture the tracking point, as a function of the target receiver's
PLL and DLL parameters, are discussed. The problem of
interest is to detect a spoofing attack by utilizing different
signal quality monitoring (SQM) metrics and to characterize
the pseudorange measurement error induced by the spoofer as
a function of delay lock loop parameters. The statistical
properties of the spoofing detection metrics are analyzed and
proper detection thresholds are calculated. Experiments
in dense multipath environments for
vehicular applications have been performed to adjust the
SQM metric detection thresholds and to reduce the false
spoofing detection probability.
INTRODUCTION
Due to rapidly increasing applications of GNSS dependent
systems, motivation has increased to spoof these signals for
illegal or concealed transportation and misleading receiver
timing used by infrastructure such as power distribution grids,
cellular networks and interrupting financial transactions to
name a few. Spoofing signals can be designed to mislead a
receiver at the tracking stage by generating synchronized
spreading codes leading to counterfeit/distorted correlation
peaks. These fake correlation peaks can overlay with the
authentic ones and gradually misdirect the tracking process of
the target receiver. Detection and mitigation of such
spoofing attacks have become an important anti-spoofing
topic (e.g. Closas et al 2016, Chen & Fan 2016, Broumandan et
al 2015, Wesson et al 2013, Cavaleri et al 2010, Shepard et al
2011, Parro-Jimenez et al 2012).
Different types of spoofing generators have been discussed in
the literature (e.g. Humphreys et al 2012). One such specific
receiver based spoofing attack is considered here. It first
synchronizes with authentic signals and extracts its position,
time and satellite ephemeris, and then generates a spoofing
signal knowing the position of the target receiver’s antenna.
The code phase of the spoofing signals generated by a receiver
based spoofer may or may not be synchronized with that of
the authentic signals. In the case of a synchronized code phase
spoofing attack the correlation peaks of the spoofing PRNs
overlap with those of the authentic ones and cause distortion
on the shape of correlation function. This distortion is very
similar to that of multipath propagation, which makes it
difficult to distinguish a spoofing attack from multipath
interference (Shepard et al 2011). When a GNSS receiver
focuses on tracking an authentic correlation peak, it does not
consider other regions of the Cross Ambiguity Function
(CAF) and therefore even a higher power spoofing signal
might not affect the receiver tracking procedure if the delays
or Doppler frequencies are not aligned. Even if a spoofer jams
a receiver in tracking mode for a few seconds, most receivers
initiate the re-acquisition process based on the last code phase
and Doppler information (hot start). Thus synchronized code
phase spoofing attack causing authentic/spoofing correlation
peak interaction is an inevitable feature of an effective
spoofing scenario and this paper considers this scenario.
Several contributions have been made on the detection of a
spoofing attack based on monitoring a few correlator outputs
around the prompt correlator of a receiver in tracking mode.
Shepard et al (2011) showed that the interaction between the
authentic and spoofing correlation peaks is very similar to the
case of direct and multipath signal components interaction.
Therefore, multipath detection and mitigation techniques can
be generalized to the case of spoofing countermeasure. Signal
quality monitoring (SQM) techniques, previously designed to
check the quality of correlation peaks in the presence of
multipath and satellite malfunction (Phelts 2001) have been
adopted to detect spoofing attacks on a receiver in tracking
mode (Cavaleri et al 2010, Ledvina et al 2010, Wesson et al
2011 & 2013, Manfredini & Motella 2014, Gamba et al 2013,
Pini et al 2011). They have employed the ratio, delta and some
other SQM tests in order to detect any abnormal asymmetry
and/or flatness of GNSS correlation peaks that is imposed by
the interaction between authentic and spoofing signals. In fact
these metrics detect distortion on the correlation function
regardless of the interference source (i.e. spoofing or
multipath).
Most of the research work on spoofing detection is based on
the assumption that the spoofer has a very good knowledge of
signals received at the victim receiver’s antenna. In coherent
spoofing attacks where a spoofer synchronizes its carrier
phase with that of the authentic signals, it is assumed that the
spoofer has a prior knowledge of the position of the phase
centre of the receiver antenna. In matched power coherent
phase spoofing attacks, a spoofer needs to know the
approximate relative position of the target receiver’s antenna
within a few cm with respect to its own antenna, the
parameters of the propagation channel between spoofer and
target receiver as well as the antenna gain pattern of that
receiver in order to accurately adjust its transmit power within
an effective level (Jafarnia et al 2012). These conditions are
highly challenging to meet and in many real scenarios are not
practical. Also, spoofer’s knowledge of other signal
parameters such as carrier Doppler and signal amplitude
depends on various parameters such as operational
environment and the receiver tracking architecture. Hence,
considering the limited spoofing knowledge of the target
receiver architecture, it is of interest to characterize the
vulnerability of GNSS receivers to spoofing attacks with
respect to realistic receiver tracking parameters.
This paper focuses on the analysis of the interaction between
authentic and spoofing signals during the tracking stage of a
receiver. The contributions are twofold. Firstly, realistic user
scenarios are defined to establish a foundation to analyse
receiver sensitivity to a spoofing attack as a function of
different receiver tracking parameters. Secondly, spoofing
detection metrics utilizing delta metrics based on signal
quality monitoring are investigated. Data collection in dense
multipath environments for vehicular applications has been
performed to analyse the delta metrics' performance in the
presence of multipath fading. This is done to set a proper
detection threshold for correct spoofing detection.
It is assumed that the receiver is initially locked to the
authentic signals while a spoofing attack attempts to deceive
it into tracking fake signals. The spoofing deviation from the
authentic signals causes Doppler frequency differences
between authentic and spoofing signals. It has been shown
that if the Doppler difference between desired and undesired
signals is much higher than the DLL bandwidth, the effect of
the undesired signals can be reduced (Kalyanaraman &
Braasch 2004). Hence, the spoofing distortion on a receiver
in tracking mode becomes a function of the spoofing scenario
(e.g. Doppler difference of authentic and spoofing signals
known as lift off rate) and the receiver tracking parameters
(e.g. code loop bandwidth).
SPOOFING SCENARIOS
A spoofing attack from a receiver operation point of view can
be categorized as overlapped and non-overlapped attacks. In
the following these scenarios are discussed in more details.
a) Non-overlapped
In this scenario the correlation peaks of the spoofing PRNs
do not overlap with those of the authentic ones. This attack is
usually generated by a hardware-simulator type signal
generator which is not equipped with a GNSS receiver. This
scenario can affect the operation of a GNSS receiver in
different ways. In a cold start scenario, if the spoofing power is
higher than that of the authentic signals, the acquisition engine
may be misled by the spoofing signal. Indeed this depends on
the acquisition search strategy. For instance, if a receiver uses
a serial search strategy it acquires the first correlator output
that is above the detection threshold. This is different from
a receiver which implements a maximum likelihood based
acquisition strategy. Even in warm or hot start acquisition
scenarios depending on the situation and the receiver strategy
the spoofing attack without considering the receiver
acquisition architecture may not be effective. An effective
way to spoof a receiver in a non-overlapped scenario is to first
jam and then spoof the receiver. The non-overlapped spoofing
attack is not an effective approach to deceive a receiver since,
in a high power spoofing attack, a receiver operating at the
acquisition level may or may not be affected by the spoofing
signal depending on the receiver operation process. In
addition, this scenario is less effective on a GNSS receiver
operating at the tracking level since the spoofing signal appears
as noise and only affects the effective $C/N_0$. In addition, this
scenario can be easily detected and removed using the successive
spoofing cancellation method (Broumandan et al 2014).
b) Overlapped
In an overlapped spoofing attack the correlation peak of
spoofing and authentic signals overlay and this interaction
constructively or destructively misshapes the correlation
peak. This type of spoofing attack is generated by a receiver
based spoofing generator where the spoofer knows the current
time and observable satellites and location and signal
parameters of the target receiver. If the spoofer knows the
exact location of the phase centre of the target receiver’s
antenna and can calculate and calibrate all the systematic and
cable biases between its transmit antennas and the receiver
antenna, it can generate a phase coherent signal. That means
the spoofer can completely cancel out the authentic signals
and generate a fake signal without being detected by a single
antenna receiver. However, due to several practical
limitations this is not feasible and there are some mismatches
between the generated spoofing signal and the authentic one received, in
power, delay and Doppler frequency. These cause signal
amplitude fluctuations similar to those of multipath fading
scenarios in the overlapped spoofing attack. In a multipath
fading environment, due to the Doppler difference between the
direct and reflected signals, the relative phase of the signals varies
with time and causes the fading phenomenon. Correct detection of
an overlapped spoofing attack is a challenging problem since
the distortions induced by spoofing signals on the correlation
function are very similar to multipath fading cases.
Classification and mitigation of a spoofing attack at the
correlator level is also complicated using a single antenna
receiver process.
SYSTEM MODEL
Considering a GNSS signal, the received signal affected by a
spoofing attack can be modeled as

$r(nT_s) = \sum_{m} p^a_m h^a_m(nT_s - \tau^a_m)\, c^a_m(nT_s - \tau^a_m)\, e^{j\phi^a_m + j2\pi f^a nT_s} + \sum_{q} p^s_q h^s_q(nT_s - \tau^s_q)\, c^s_q(nT_s - \tau^s_q)\, e^{j\phi^s_q + j2\pi f^s nT_s} + \eta(nT_s)$ (1)
where $T_s$ is the sampling interval and $\phi^a_m$, $f^a$, $p^a_m$ and $\tau^a_m$ are
the carrier phase, Doppler frequency, received signal power
and code delay of the $m$th authentic signal, respectively.
$\phi^s_q$, $f^s$, $p^s_q$ and $\tau^s_q$ are the carrier phase, Doppler frequency,
received signal power and code delay of the $q$th spoofing
signal. $c$ is the PRN sequence corresponding to the authentic
or spoofing signal set at time instant $nT_s$. $\eta$ is complex
additive white Gaussian noise with variance $\sigma^2$. $h^a_m$ and $h^s_q$
represent the navigation data bits for the $m$th authentic and $q$th
spoofing PRN signals. The subscripts $m$ and $q$ correspond to
the $m$th and $q$th received authentic and spoofing PRN signals.
During the spoofing attack on a receiver in the tracking mode
and assuming the receiver is initially locked onto the l
th
authentic PRN Doppler frequency, the correlator output can
be approximately written as
$u_l[k] = p^a_l h^a_l[k] + p^s_l h^s_l[k]\, R(\tau^{a,s}_l[k])\, \frac{\sin(\pi \Delta f^{a,s}_l[k] N T_s)}{N \sin(\pi \Delta f^{a,s}_l[k] T_s)}\, e^{j2\pi \Delta f^{a,s}_l[k](k-1) N T_s + j\phi^{a,s}_{l,0}} + \eta_l[k]$ (2)
where $\eta_l$ represents the low pass filtered Gaussian noise
component at the output of the $l$th PRN correlator, $N$ is the number
of samples in one coherent integration interval and $k$ indexes
successive integration intervals. $\tau^{a,s}_l$, $\Delta f^{a,s}_l$ and $\phi^{a,s}_l$
represent the differences between the code delays, Doppler
frequencies and initial carrier phases of the authentic and
spoofing signals.
R
is the correlation function
which is closely related to the choice of the GNSS signal’s
subcarrier. It is assumed that the spoofer smoothly changes
the code delay and the Doppler frequency of its signal in order
to gradually lift-off the tracking point of its target receiver
without causing it to lose lock.
SPOOFING PARAMETERS
Spoofing signal parameters affect the interaction between
authentic and spoofing correlation peaks and play a critical
role in capturing the stable tracking point of a receiver without
causing loss of lock. In the following sub-sections these
parameters are discussed in more detail.
Relative Doppler
Based on the discussions provided in (Crosta & Alenia 2009)
and (Humphreys et al 2012) a spoofing attack on a receiver in
the tracking mode in terms of their relative Doppler
frequencies can be generally divided into the two following
categories:
a) Locked Doppler spoofing
In this case, a receiver based spoofer tries to align Doppler
frequency of the fake signal with that of the authentic GNSS
signal while their relative code delay is changing. Therefore,
by substituting $\Delta f^{a,s}_l = 0$ and $\tau^{a,s}_l \neq 0$ in Equation (2), the
correlation output can be modeled by

$u_l[k] = p^a_l h^a_l[k] + p^s_l h^s_l[k]\, R(\tau^{a,s}_l[k])\, e^{j\phi^{a,s}_{l,0}} + \eta_l[k]$ (3)
In this case, the carrier phase difference between authentic
and spoofing signals remains constant (or with slight temporal
variations) during the interaction between authentic and
spoofing signals. If the spoofer does not know the carrier
phase difference between the spoofing and authentic signals, in some
cases (e.g. $\phi^{a,s}_l = \pi/2$) it may not be effective. In practical
cases of receiver based spoofing attacks there will be some
discrepancy between the Doppler values of the authentic and
spoofing signals and hence $\phi^{a,s}_l$ changes during the attack.
b) Non-Locked Doppler spoofing
In this case, the spoofing signals Doppler frequency is not
consistent with that of the authentic signals. In addition, it is
assumed that the Doppler frequency and code delay rates of
spoofing signals are consistent in order to mimic the case of a
real GNSS signal. Therefore, a linear variation in relative
delays between authentic and spoofing signals leads to a
constant Doppler difference between these signals. Non-
locked Doppler spoofing attacks cannot be detected by
monitoring the inconsistency between code and carrier Doppler
values, a spoofing detection metric discussed by Jafarnia
(2013). If the Doppler difference of the authentic and
spoofing signals $\Delta f^{a,s}$ is within a few Hz, the spoofer can
covertly spoof a receiver without causing loss of lock.
$\Delta f^{a,s}$ is an important parameter which affects the spoofing
detection performance. Ideally a spoofer tries to minimize
$\Delta f^{a,s}$ to avoid being detected by frequency monitoring
metrics. In Kerns et al (2014) it has been shown that for a
successful covert spoofing attack the Doppler difference
between authentic and spoofing signals should not exceed 10
Hz for nominal tracking loop parameters. Hence, a locked
Doppler spoofing attack with minimal Doppler difference is a
serious threat to a receiver since the spoofer can covertly
deceive a receiver which is not equipped with anti-spoofing
metrics. In the locked Doppler spoofing attacks the code
Doppler and carrier Doppler of the spoofing signal do not
match. This inconsistency may be detected by a receiver
(Jafarnia 2013). A non-zero $\Delta f^{a,s}_l$ causes free relative phase
rotation of the spoofing and authentic signals and this leads to
fluctuations in the correlator output amplitude. A receiver
equipped with a signal quality monitoring metric can easily
detect a spoofing attack with non-zero $\Delta f^{a,s}_l$.
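To make the role of $\Delta f^{a,s}_l$ in Equations (2) and (3) concrete, the following Python snippet is an added example (not code from the paper or its authors) that evaluates the noise-free correlator output of Equation (2) for one PRN over successive coherent integration intervals. It assumes a triangular BPSK correlation function $R(\tau)$, a constructed 10 MHz sample rate with $N = 10^4$ samples per 1 ms integration, and treats $p$ as a linear amplitude; the function names are mine.

```python
import cmath
import math

# Constructed receiver parameters (assumptions for this example).
T_S = 1e-7          # sampling interval in seconds (10 MHz sampling)
N = 10_000          # samples per coherent integration: N * T_S = 1 ms


def corr_fn(tau_chips):
    """R(tau): triangular correlation function of a BPSK(1) spreading code,
    tau in chips (assumed shape; the paper leaves R signal-dependent)."""
    return max(0.0, 1.0 - abs(tau_chips))


def dirichlet_gain(delta_f, n=N, t_s=T_S):
    """sin(pi*df*N*Ts) / (N*sin(pi*df*Ts)) from Equation (2): the attenuation a
    component offset by delta_f Hz suffers after coherent integration over N samples."""
    if delta_f == 0.0:
        return 1.0
    return math.sin(math.pi * delta_f * n * t_s) / (n * math.sin(math.pi * delta_f * t_s))


def correlator_output(k, p_a, p_s, tau_as, delta_f, phi0, h_a=1.0, h_s=1.0):
    """Equation (2) without the noise term eta_l[k]: complex prompt correlator
    output u_l[k] at integration interval k, receiver locked on the authentic
    Doppler, spoofing component offset by tau_as chips, delta_f Hz and phase phi0.
    p_a, p_s are treated as linear amplitudes; h_a, h_s are data bits (+/-1)."""
    phase = 2.0 * math.pi * delta_f * (k - 1) * N * T_S + phi0
    spoof = p_s * h_s * corr_fn(tau_as) * dirichlet_gain(delta_f) * cmath.exp(1j * phase)
    return p_a * h_a + spoof


def amplitude_swing(p_a, p_s, tau_as, delta_f, phi0=0.0, epochs=500):
    """Peak-to-peak variation of |u_l[k]| over `epochs` integration intervals,
    normalised by the authentic amplitude. Zero means no fading (locked Doppler,
    Equation (3)); a value near 2*p_s/p_a means the spoofing component rotates
    through a full cycle relative to the authentic one (non-locked Doppler)."""
    mags = [abs(correlator_output(k, p_a, p_s, tau_as, delta_f, phi0))
            for k in range(1, epochs + 1)]
    return (max(mags) - min(mags)) / p_a


if __name__ == "__main__":
    # Locked Doppler: constant composite amplitude, Equation (3).
    print("locked ", amplitude_swing(1.0, 1.2, 0.0, 0.0))
    # Non-locked, 2 Hz offset: the composite swings between |p_a - p_s| and p_a + p_s.
    print("2 Hz   ", amplitude_swing(1.0, 1.2, 0.0, 2.0))
    # Offset far beyond 1/(N*T_S) = 1 kHz: the integration filters the spoofing term out.
    print("1 kHz  ", amplitude_swing(1.0, 1.2, 0.0, 1000.0))
```

The 2 Hz case is the one an SQM metric sees as amplitude fading, while the locked case produces a constant composite amplitude that such a metric cannot separate from a clean peak; the 1 kHz case shows why a Doppler offset well above the coherent integration bandwidth is not a threat to a receiver already in lock.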
Relative Power
The relative power level of spoofing signals with respect to
that of the authentic ones can highly affect the effectiveness
of a spoofing attack. Adjustment of the spoofing power level
at a target receiver is challenging since it requires information
about the propagation channel between the spoofer and target
receiver and the antenna gain pattern and its orientation.
A lower power spoofing signal is not able to take away the
tracking point of the receiver but it can distort the shape of the
correlation peak and lead to a biased pseudorange
measurement (Parro-Jimenez et al 2012). This type of
spoofing attack has a similar effect as multipath interference
and may lead to several metres of pseudorange measurement
errors. In addition, depending on the tracking loop parameters
the spoofing effect in a lower power spoofing attack may be
reduced or removed and consequently the navigation solution
does not converge to a desired fake location.
A powerful spoofing interference can generate a dominant
correlation peak that is more powerful than the authentic peak
and can mislead the tracking point of the target receiver into
an arbitrary point determined by spoofing signals. In an ideal
case, the power level of the spoofing signal is slightly higher
than that of the authentic signals to control the stable point of
the tracking loops.
Relative Delay
The main goal of a spoofing attack is to misdirect the
pseudorange observations of a target receiver and this is
associated with the relative delays of spoofing signals with
respect to those of the authentic ones. A spoofing signal may
slightly change its relative code delay with respect to the
authentic signal in order to gradually take away the tracking
point of target receiver’s DLL without causing loss of lock.
The relative delay rate of a spoofer should be adjusted
depending on the operation scenario (static or dynamic target)
and the target receiver DLL parameters. As mentioned before,
during the attack the relative code delay rate may not match
the relative carrier Doppler.
Figure 1: GNSS receiver tracking loop architecture
RECEIVER PARAMETERS
The processing of a GNSS receiver consists of acquiring signals and
then tracking their parameters. In the acquisition stage a
receiver searches over a wide range of code delays and carrier
Doppler frequencies to detect a signal above the acquisition
threshold. In the presence of a spoofing attack, depending on
the acquisition strategy, the spoofer may or may not
successfully mislead a GNSS receiver. Generally, a non-
overlapped spoofing attack cannot deceive a receiver
operating in the tracking stage unless it increases its signal
power to jam the target receiver. Hence, to successfully spoof
a receiver, a spoofer should try to align its correlation peak to
that of the authentic signals. In the overlapped spoofing attack
there are several spoofing parameters which affect the GNSS
receiver operation. In general a high power overlapped
spoofing attack can successfully grab the correlation peak.
Depending on the spoofer-authentic Doppler difference the
receiver may or may not lose carrier tracking lock. The
receiver loss of lock performance depends on the signal pull-
in ranges for phase-lock loops (PLLs) and delay-lock loops
(DLLs) (Zhuang, 1996). During a spoofing attack, spoofing
signals try to grab control of the target receiver’s tracking
loops. This is similar to the case of severe multipath except
that the spoofing signals are usually more powerful than the
authentic signal. Here it is assumed that each signal is tracked
by a phase-rate feedback PLL and a carrier-aided early-late
DLL as shown in Figure 1. This is a standard configuration
for most of commercial GNSS receivers (Misra and Enge
2012, Braasch and Van Dierendonck 1999). The received
signal is first multiplied by three local spreading code replicas
to produce the correlator outputs. Next, the code-correlated
signals are multiplied by the local carrier replica, which is
driven by the PLL. Several PLL parameters affect the
frequency pull-in range, namely the discriminator type, coherent
integration time and PLL bandwidth. A four-quadrant PLL
discriminator has a wider linear region compared to that of a
two-quadrant carrier discriminator and hence is more robust
against different interference sources. Here it is assumed that
the target receiver uses a two-quadrant carrier discriminator
which is commonly employed in conventional receivers.
Another tracking parameter which affects the pull-in range is
the product of the coherent integration time ($T_c$) and the PLL
bandwidth ($B_{PLL}$). A higher $T_c B_{PLL}$ value leads to a wider pull-
in range and as a result it creates a more robust tracking loop.
A more robust tracking loop becomes more vulnerable to a
spoofing attack since it may track correlation peaks with a
wider frequency difference with respect to the authentic one.
Depending on the application and environment a typical
receiver chooses a coherent integration time between 1 and 20 ms with
a $B_{PLL}$ of about 15 Hz. This $B_{PLL}$ is a tradeoff between noise and
interference rejection on one hand and tracking signal dynamics and
oscillator variations on the other. A lower PLL bandwidth is more robust
against interfering signals; however, it is not recommended for
mobile platforms.
The investigation and simulation results of Kerns et al (2014)
have shown that the Doppler frequency alignment errors must
be small to enable covert receiver capture (not losing carrier
tracking). It has been shown that to covertly capture a target
receiver's tracking loops, the spoofer must not cause
frequency unlock. For this, the spoofer must ensure that,
within the target receiver, all spoofing signals are closely
aligned with their authentic counterparts in both code phase
and Doppler frequency. A range of acceptable spoofing-
authentic Doppler differences ($\Delta f^{a,s}$) as a function of PLL
tracking loop parameters, obtained using a numerical simulation, is
provided in Kerns et al (2014). Considering initial PLL and
DLL lock on the authentic signals before the attack, it has been
shown that the frequency difference should be less than 10 Hz
for a receiver not to lose lock during the spoofing attack.
Nevertheless, for a successful spoofing attack the spoofing
power should be higher than that of the authentic one.
In the PLL assisted DLL tracking loop architecture as shown
in Figure 1, an aiding Doppler from PLL is injected to the
code Doppler tracking structure. In such a case a first order
DLL is sufficient to track the residual dynamic differences
between carrier and code signals (e.g. multipath and
ionosphere). In such a case the code tracking loop bandwidth can
be reduced significantly. This is an important factor since
DLL bandwidth reduction can filter out spoofing induced
errors on pseudorange measurements. If the authentic-spoofing
Doppler difference is much higher than that of the code
tracking loop bandwidth, the spoofing error can be reduced
significantly (Kalyanaraman & Braasch 2004). This indeed
depends on the spoofing power level as well. In the case of
lower spoofer power the range error can be significantly
reduced whereas in the higher power spoofing attack the
spoofing signals grab the stable point of the tracking loop.
Another parameter which affects the amount of pseudorange
error in an early-minus-late discriminator is the correlator
spacing which will be investigated in the following sections.
SPOOFING DETECTION
Several spoofing detection metrics in different operation
layers of a GNSS receiver have been proposed. In general these
metrics can be divided into two categories: pre-despreading and
post-despreading techniques. Herein the focus is on post-
despreading spoofing detection metrics in overlapped
spoofing scenarios. The post-despreading methods take
advantage of the known signal structure of spoofing signals
and analyze each PRN in order to discriminate between
authentic and spoofing signals. In the following, spoofing
detection metrics based on the signal quality monitoring method
are presented.
SQM for Spoofing Detection
The interaction between authentic and spoofing signals causes
distortion on the shape of the correlation function. Signal
quality monitoring (SQM) tests focus on this feature in order
to detect any asymmetry and/or abnormally sharp or elevated
correlation peaks due to the presence of undesired signals.
These metrics were originally designed to monitor the correlation
peak quality affected by multipath signals. Here it is assumed
that the receiver is initially tracking authentic signals. Five
correlator outputs were used to detect malicious activity on
the correlator outputs as shown in Figure 1. The delta test and
symmetric ratio tests are implemented to detect a spoofing
attack. These metrics are tabulated in Table 1. The theoretical
variances of the SQM metrics are also provided in Table 1
(Phelts 2001). $I_d$ is the in-phase value of the correlator output
spaced by $d$ chips from the prompt correlator.
Table 1: List of SQM metrics

Delta test:
$m_1 = \frac{(I_{-d} - I_{d}) - (I_{-2d} - I_{2d})}{I_0}$

Variance of the delta test:
$\sigma^2_{m_1} = \frac{2 - R(2d) - R(4d)}{T_c\, C/N_0} + \frac{2R(3d) - 2R(d)}{T_c\, C/N_0}$

Symmetric ratio tests:
$m_2 = \frac{I_{-d} + I_{d}}{I_0}$, $m_3 = \frac{I_{-2d} + I_{2d}}{I_0}$

Variances of the symmetric ratio tests:
$\sigma^2_{m_2} = \frac{1 + R(2d)}{T_c\, C/N_0}$, $\sigma^2_{m_3} = \frac{1 + R(4d)}{T_c\, C/N_0}$
SQM metrics are originally designed to monitor correlation
peak quality affected by structural interference signals such
as multipath. Hence, it is very challenging to discriminate a
spoofing attack from a multipath interference using only this
method.
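As an added example (not code from the paper or its authors), the following Python snippet applies the Table 1 metrics and their theoretical variances to a constructed five-correlator set. It assumes a triangular correlation function $R(\tau)$ for a BPSK(1) code, noise-free correlator values taken at the stable point of a coherent early-minus-late DLL, and, as my reading of the $3\sigma$ thresholds used in the experimental section, thresholds centred on the metric values of an undistorted peak. The second signal component can equally be a spoofing replica or a multipath reflection, which is exactly the ambiguity the text describes. Function names and sample values are mine.

```python
import math


def corr_fn(tau_chips):
    """R(tau): triangular correlation function of a BPSK(1) code, tau in chips (assumed)."""
    return max(0.0, 1.0 - abs(tau_chips))


def composite_corr(tau, components):
    """In-phase correlation at code offset tau (chips) for a sum of components
    (amplitude, delay_chips, carrier_phase_rad). The first component is the authentic
    signal; further ones are spoofing or multipath replicas (constructed, noise-free)."""
    return sum(a * corr_fn(tau - delay) * math.cos(phase) for a, delay, phase in components)


def dll_tracking_point(components, d, lo=-1.0, hi=1.0):
    """Stable point of a coherent early-minus-late DLL with correlator spacing d:
    the code offset where I(t-d) - I(t+d) crosses zero, found by bisection."""
    def eml(t):
        return composite_corr(t - d, components) - composite_corr(t + d, components)
    if not (eml(lo) <= 0.0 <= eml(hi)):
        raise ValueError("no early-minus-late zero crossing in the search bracket")
    for _ in range(60):
        mid = 0.5 * (lo + hi)
        if eml(lo) * eml(mid) <= 0.0:
            hi = mid
        else:
            lo = mid
    return 0.5 * (lo + hi)


def sqm_metrics(components, d):
    """Table 1 metrics from the five correlators I_{-2d}, I_{-d}, I_0, I_d, I_{2d}
    taken around the DLL tracking point. Returns (tracking_offset, m1, m2, m3)."""
    t = dll_tracking_point(components, d)
    corr = {n: composite_corr(t + n * d, components) for n in (-2, -1, 0, 1, 2)}
    m1 = ((corr[-1] - corr[1]) - (corr[-2] - corr[2])) / corr[0]   # delta test
    m2 = (corr[-1] + corr[1]) / corr[0]                              # symmetric ratio, spacing d
    m3 = (corr[-2] + corr[2]) / corr[0]                              # symmetric ratio, spacing 2d
    return t, m1, m2, m3


def sqm_variances(d, t_c, cn0_dbhz):
    """Theoretical noise variances of m1, m2, m3 from Table 1 for coherent
    integration time t_c (s) and carrier-to-noise density cn0_dbhz (dB-Hz)."""
    tc_cn0 = t_c * 10.0 ** (cn0_dbhz / 10.0)        # T_c * C/N0, linear
    r = corr_fn
    var1 = (2.0 - r(2 * d) - r(4 * d)) / tc_cn0 + (2.0 * r(3 * d) - 2.0 * r(d)) / tc_cn0
    var2 = (1.0 + r(2 * d)) / tc_cn0
    var3 = (1.0 + r(4 * d)) / tc_cn0
    return var1, var2, var3


def sqm_alarm(components, d, t_c, cn0_dbhz, k_sigma=3.0):
    """Flag each metric whose deviation from its undistorted-peak value exceeds
    k_sigma standard deviations. Returns (tracking_offset, [flag_m1, flag_m2, flag_m3])."""
    nominal = sqm_metrics([(1.0, 0.0, 0.0)], d)[1:]
    t, *observed = sqm_metrics(components, d)
    sigmas = [math.sqrt(v) for v in sqm_variances(d, t_c, cn0_dbhz)]
    flags = [abs(o - n) > k_sigma * s for o, n, s in zip(observed, nominal, sigmas)]
    return t, flags


if __name__ == "__main__":
    D, T_C, CN0 = 0.25, 0.02, 45.0   # constructed: 0.25 chip spacing, 20 ms integration, 45 dB-Hz
    clean = [(1.0, 0.0, 0.0)]
    # Constructed half-amplitude replica, 0.5 chip late, 180 degrees out of phase:
    # it pulls the tracking point early and distorts the peak shape.
    distorted = [(1.0, 0.0, 0.0), (0.5, 0.5, math.pi)]
    print("clean    ", sqm_alarm(clean, D, T_C, CN0))
    print("distorted", sqm_alarm(distorted, D, T_C, CN0))
```

Two things the numbers show beyond the table itself: the tracking offset returned for the distorted case is the pseudorange bias a lower power overlapped signal induces without taking the loop away, and raising $T_c C/N_0$ (longer integration or a stronger signal) tightens the thresholds, which is why the same threshold setting cannot be reused across the $C/N_0$ drops seen in urban data.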
VULNERABILITY ANALYSES OF SPOOFING
ATTACK AND SPOOFING DETECTION
PERFORMANCE
A GNSS receiver architecture and typical tracking loop
parameters were discussed in the previous sections.
Depending on the spoofing relative power the spoofer may
grab the control of the tracking loop. This section analyzes the
spoofing detection performance as a function of different
tracking loop parameters. In addition, the pseudorange errors
induced by a spoofing attack as a function of the spoofer
power is analyzed. To set a proper spoofing detection
threshold using SQM metrics, first some actual data sets in a
multipath environment were collected (this is the closest non-
spoofed scenario which may affect the spoofing detection
metrics) and the performance of the proposed metrics was
analysed.
SQM Threshold Setting using Experimental Results
To evaluate the multipath propagation effect on the SQM
detection metrics a test set up collecting actual GPS signals in
urban and downtown Calgary was performed. This has been
done to set a proper threshold for spoofing detection
algorithms to reduce the false spoofing detection probability.
Figure 2: Data collection in multipath environments
Figure 3: SQM metric outputs and $C/N_0$ for data set 1
A NovAtel 702 GG antenna was placed on the roof of a
vehicle which was moved with a speed of up to 50 km/h
during the test. A front-end using an 8-bit ADC and 10 MHz
bandwidth was used to collect digital samples. A sample data
collection location in multipath environments is shown in
Figure 2. The data collection environment was surrounded by
up to 30 story concrete buildings. Each data set consists of
about 40 s of data. The receiver processed the data in PLL
mode. PRN 7 has been chosen in these analyses since it was
available in all of the data sets. During the data collection the
elevation angle of PRN 7 varied between 50 and 70 degrees.
Eight data sets in different locations were collected. The
detection metric outputs of three data sets, namely data sets 1, 2
and 5, are shown in Figure 3, Figure 4 and Figure 5 since they
are representative of all of the data sets.
Figure 3 shows the outputs of different SQM metrics as a
function of time for data set 1. The $C/N_0$ variations of the
received signal are also shown. The green threshold lines in
Figure 3 are the $3\sigma$ thresholds considering the theoretical
variance provided in Table 1. Data set 1 was collected in a
suburban environment and as such the SQM metrics are not
significantly affected by multipath signals. The variance of
the SQM metrics matches the theoretical noise variance,
which confirms that the data is not affected by any structural
interference. The $C/N_0$ variation during the data collection is
also smooth and does not show any fluctuations due to
multipath fading. As shown in Figure 3, none of the SQM
metrics and $C/N_0$ values detect abnormal correlator output
activity.
Figure 4 shows the outputs of different SQM metrics and $C/N_0$
values for data set 2. This data set was collected at the University
of Calgary as shown in Figure 2. The data collection path was
surrounded by up to 10 story buildings with highly reflective
materials. Considering the $C/N_0$ values, the first 8 s of the data are
not affected by multipath. However, after that the $C/N_0$ values
show lots of fluctuations and after 20 s from the beginning
of the data set the $C/N_0$ fluctuations become periodic.
The constructive and destructive effects of multipath signals
affect the prompt correlator values and consequently affect
the $C/N_0$ observations. As such, $C/N_0$ fluctuations could be
considered as another sign of a signal being affected by
multipath. Nevertheless, the SQM output values for this data set
do not show any abnormal activity and do not detect
any distortion. This can be due to the fact that the reflection
point was very close to the receiver antenna (e.g. the vehicle roof
top) and as such it only affected the prompt correlator. Thus
the multipath effect is not observable on the other correlator
branches. This type of short range multipath can significantly
affect the carrier phase measurements without considerably
affecting pseudorange measurements.
Figure 5 shows the results of data set 5. The first 23 s of the data set do not show any sign of distortion on the correlation function, as is clear from the SQM outputs. However, the last 7 s of the data set are severely affected. The C/N0 values drop by about 10 dB-Hz and, as shown, the SQM metrics detect the multipath-distorted signal in this epoch. The variance of the SQM metrics is increased; the sources of this increase are twofold: multipath and the reduction in the C/N0 values.
Figure 4: SQM metric outputs and C/N0 for data set 2
Figure 5: SQM metric outputs and C/N0 for data set 5
Figure 6 shows the theoretical variance and the measured one for all of the data sets considering the SQM metrics. The theoretical variances are calculated based on the formulas provided in Table 1. As shown, in most cases the SQM metric variance values match the theoretical noise values. This suggests that the effect of multipath in the collected data sets was minimal.
As shown using the data collected in vehicular scenarios, the variance of the SQM metrics was not significantly affected. These results are only valid for the moving receiver scenario at the above mentioned data collection sites and may change in other multipath and user cases.
Figure 6: Theoretical and measured SQM metrics variance
Figure 7: Spoofing generation system
Spoofing Detection Performance
In the previous section, experimental results in multipath environments were used to select a proper threshold to minimize false detections due to multipath propagation. In this section the performance of the spoofing detection metrics in the presence of spoofing signals and the effect of different tracking loop parameters on the pseudorange measurements are analyzed. In order to test the performance of the previously discussed spoofing detection techniques, authentic GPS signals were collected using a rooftop antenna and then down-converted and sampled using a National Instruments (NI) front-end. The authentic signals were acquired and tracked in a software receiver, and different spoofing attack scenarios were generated and added to the authentic signals using custom designed spoofing generation software. The spoofing signals are generated based on authentic signal information including the Doppler frequency, code delay and amplitude of the authentic signals. The block diagram of the data collection and spoofing generation software is provided in Figure 7. In this data collection the IF sampling frequency is Fs = 10 MSPS.
Figure 8 shows the trend of the different spoofing signal parameters with respect to those of the authentic signals. The spoofing attack takes place over a 100 s interval and the relative delays of the spoofing signals with respect to the authentic ones are generated using a first order polynomial.
Figure 8: Spoofing signal parameters
The spoofing signal delay starts at 0.01 chips, gradually deviates from the authentic correlation peak and ends up with a 0.55 chip relative delay at t = 100 s. In this scenario, the spoofing-authentic carrier Doppler difference f_{a,s} remains at about 2 Hz throughout the spoofing attack. This is a practical assumption since a 2 Hz Doppler difference does not cause tracking loss of lock and satisfies the requirements of a covert spoofing attack. Two spoofing power levels, namely -3 and 3 dB relative to the authentic signal power, were simulated. The different tracking loop parameters considered are tabulated in Table 2. In all scenarios the receiver is assumed to operate in PLL assisted DLL mode. The carrier tracking loop bandwidth and coherent integration time control the tracking loop pull-in range: a higher product of bandwidth and coherent integration time leads to a wider pull-in range. Here a third order PLL with 15 Hz bandwidth and 10 ms coherent integration time is used. The reason for fixing the coherent integration time and carrier tracking loop bandwidth at their nominal values is that this paper focuses on small f_{a,s} values. In such cases the spoofer does not cause loss of carrier lock for various PLL bandwidths and integration times. Consequently the choice of carrier tracking loop bandwidth and integration time does not affect the SQM detection metrics or the pseudorange measurements. Hence this paper focuses on analysing the SQM metric outputs and pseudorange measurement errors as a function of the DLL parameters. To this end two DLL parameters, namely bandwidth and correlator spacing, are analysed. These two parameters play a critical role in structural interference mitigation performance. Reducing the correlator spacing in the Early-Minus-Late (EML) discriminator significantly reduces structural interference (multipath and spoofer) errors (Irsigler 2008). The code tracking loop bandwidth becomes an important factor in structural interference reduction when the Doppler difference between the LOS and multipath signals is much higher than the DLL bandwidth.
Table 2: Tracking loop scenarios
Scenario                  | 1                | 2                | 3
DLL BW (Hz)               | 0.05             | 0.05             | 1
Correlator spacing (chip) | 0.1              | 0.5              | 0.1
Code discriminator        | Non-coherent EML | Non-coherent EML | Non-coherent EML
Code order                | 1                | 1                | 1
PLL BW (Hz)               | 15               | 15               | 15
PLL order                 | 3                | 3                | 3
Coherent integration (ms) | 10               | 10               | 10
Figure 9 shows the different SQM metrics along with their corresponding spoofing detection thresholds. Herein, the false alarm probability is assumed to be P_FA = 10^-3 and the C/N0 value is 48 dB-Hz. The interaction of the authentic and spoofing signals results in considerable deviations of the SQM metrics from their nominal values. In the +3 dB case the spoofing signal power was higher than that of the authentic signals and consequently it took over control of the tracking loop. The 3 dB power advantage also causes the SQM metric values to deviate more than in the -3 dB case. Nevertheless, as shown, the spoofing attack in both power cases is detected as soon as the spoofing signal is initiated. The fluctuation of the SQM metrics around the detection threshold is due to the frequency difference between the authentic and spoofing signals. This frequency difference causes a time-varying phase shift between the authentic and spoofing signals and as a result there are several level crossing events. This phenomenon reduces the probability of spoofing detection during the attack.
Figure 10 shows the outputs of the different SQM metrics for scenario 2. The difference between scenario 1 and scenario 2 is the correlator spacing: in scenario 2 a wider correlator spacing was used. As shown, M1 in scenario 2 barely detects the spoofing attack in the first 25 s of data whereas M2 and M3 do detect it. Figure 11 shows the SQM metric outputs for scenario 3. In this case the DLL bandwidth was increased to 1 Hz compared to the previous scenarios. As shown, increasing the DLL bandwidth does not change the probability of spoofing detection using the SQM metrics. Comparing the SQM metric outputs of Figures 9 to 11 with the results of Figures 3 to 5, one can increase the detection threshold to avoid false spoofing detections due to multipath fading.
Figure 9: SQM metric outputs for scenario 1
Figure 10: SQM metric outputs for scenario 2
Figure 11: SQM metric outputs for scenario 3
Figure 12: Probability of exceeding threshold for different SQM metrics and different scenarios
The probability of exceeding the spoofing detection threshold for different spoofing power levels and scenarios is provided in Figure 12. In all cases the performance of the M1 metric is poorer than that of M2 and M3. The combined (Com) detection performance considering these three metrics is also provided in Figure 12. The combined metric detects a spoofing attack if any of the SQM metrics passes the detection threshold. Since these metrics are highly correlated, the combined detection performance is not improved significantly.
Figure 13 shows the range errors induced by the spoofer for different spoofing power levels and different DLL parameter scenarios. As shown, the correlator spacing and bandwidth significantly affect the range error: a low bandwidth and a narrow correlator spacing reduce the range error values. Scenario 1 takes advantage of 0.1 chip correlator spacing and 0.05 Hz DLL bandwidth. The DLL bandwidth in this case is much smaller than the Doppler difference between the authentic and multipath signals and as such the spoofing induced error is a few decimetres. Increasing the correlator spacing while keeping the same DLL bandwidth of 0.05 Hz is considered in scenario 2. As shown, increasing the correlator spacing increases the range error to a few metres. However, this value is much smaller than the few tens of metres obtained for cases where the spoofing-authentic Doppler difference is much smaller than the DLL bandwidth (e.g. the static case). In scenario 3, 0.1 chip correlator spacing along with 1 Hz DLL bandwidth was considered. As shown, the range error is increased compared to scenario 1. Figure 13 also shows the range error values for the case of the higher power spoofing attack. As shown, in all of the scenarios the spoofing signal grabs control of the correlation function and causes significant errors in the range measurements. In summary, for the low power spoofing attack, reducing the correlator spacing and the DLL bandwidth helps to reduce the induced range errors. However, in the high power spoofing attack the improvement in range measurement errors is minimal compared to the spoofer induced errors.
Figure 13: Pseudorange error for low and high power spoofing scenarios
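As an added illustration (this is not the paper's receiver or spoofing software), the following Python model runs a first-order non-coherent EML DLL through the pull-off attack of Figure 8 for the three Table 2 scenarios at -3 dB and +3 dB and reports the resulting code tracking error in metres. It assumes an ideal triangular C/A correlation, noise-free correlators and a normalised early-minus-late envelope discriminator; the paper's exact discriminator and front-end filtering are not modelled, so only the trends of Figure 13, not its absolute values, should be compared.

```python
"""Simplified model of how DLL bandwidth, correlator spacing and spoofer
power shape the spoofer-induced code tracking error in an overlapped
spoofing scenario.

Assumptions (mine, not the paper's): ideal triangular GPS C/A
autocorrelation with no front-end band-limiting, noise-free correlators,
a first-order DLL driven by a normalised non-coherent early-minus-late
envelope discriminator, and a spoofing-authentic Doppler offset that only
rotates the spoofer's carrier phase relative to the authentic signal
(its effect on a 10 ms coherent integration is neglected).
"""
import math

CHIP_METRES = 299_792_458.0 / 1.023e6   # one C/A chip in metres (~293 m)


def tri(x):
    """Ideal C/A code autocorrelation at replica offset x (chips)."""
    return max(0.0, 1.0 - abs(x))


def envelope(x, spoof_delay, spoof_amp, phase):
    """Magnitude of the composite (authentic + spoofer) correlator output at
    replica offset x. The authentic peak sits at 0 with unit amplitude; the
    spoofer sits at spoof_delay chips with relative amplitude spoof_amp."""
    re = tri(x) + spoof_amp * tri(x - spoof_delay) * math.cos(phase)
    im = spoof_amp * tri(x - spoof_delay) * math.sin(phase)
    return math.hypot(re, im)


def eml_discriminator(tau_hat, spacing, spoof_delay, spoof_amp, phase):
    """Normalised non-coherent early-minus-late envelope discriminator.
    With no spoofer it returns the code error tau_hat (chips) exactly
    as long as |tau_hat| <= spacing / 2."""
    early = envelope(tau_hat - spacing / 2, spoof_delay, spoof_amp, phase)
    late = envelope(tau_hat + spacing / 2, spoof_delay, spoof_amp, phase)
    if early + late < 1e-12:
        return 0.0
    return (2.0 - spacing) / 2.0 * (early - late) / (early + late)


def simulate_dll(dll_bw_hz, spacing_chips, spoof_db, doppler_diff_hz=2.0,
                 t_int=0.010, duration=100.0, delay_start=0.01, delay_end=0.55):
    """Run a first-order DLL through the 100 s pull-off attack and return the
    code tracking error (chips) at every integration epoch. The error is the
    tracked delay minus the authentic delay, so 0 means the receiver is
    still on the authentic peak and ~0.55 means the spoofer owns the loop."""
    gain = 4.0 * dll_bw_hz * t_int             # first-order loop: B_L = K / (4 T)
    amp = 10 ** (spoof_db / 20.0)               # relative spoofer amplitude
    tau_hat = 0.0                               # start locked on the authentic peak
    errors = []
    for k in range(int(duration / t_int)):
        t = k * t_int
        # relative delay follows a first-order polynomial in time (Figure 8)
        delay = delay_start + (delay_end - delay_start) * t / duration
        phase = 2 * math.pi * doppler_diff_hz * t
        disc = eml_discriminator(tau_hat, spacing_chips, delay, amp, phase)
        tau_hat -= gain * disc                  # loop filter update
        errors.append(tau_hat)
    return errors


def summarise(errors):
    """Peak absolute error over the attack and mean error over the last second."""
    return {
        "max_abs_m": max(abs(e) for e in errors) * CHIP_METRES,
        "final_m": sum(errors[-100:]) / 100 * CHIP_METRES,
    }


# Table 2 scenarios: scenario -> (DLL bandwidth Hz, correlator spacing chips)
SCENARIOS = {1: (0.05, 0.1), 2: (0.05, 0.5), 3: (1.0, 0.1)}


def run_all():
    """Range error summary for every scenario at -3 dB and +3 dB spoofer power."""
    out = {}
    for sc, (bw, d) in SCENARIOS.items():
        for power_db in (-3.0, 3.0):
            out[(sc, power_db)] = summarise(simulate_dll(bw, d, power_db))
    return out


if __name__ == "__main__":
    for (sc, p), r in sorted(run_all().items()):
        print(f"scenario {sc}, spoofer {p:+.0f} dB: "
              f"peak {r['max_abs_m']:7.1f} m, end {r['final_m']:7.1f} m")
```

In the -3 dB runs the loop stays on the authentic peak with a bias that grows with correlator spacing and, through the partially tracked 2 Hz beat, with DLL bandwidth; in the +3 dB runs every scenario ends near the spoofer's 0.55 chip delay.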
CONCLUSIONS
The vulnerability of a GNSS receiver to an overlapped spoofing attack was analyzed considering different receiver parameters. A covert spoofing attack was considered wherein the target receiver does not lose lock during the attack. The performance of different SQM metrics as a function of receiver parameters was investigated. The analysis results revealed that the SQM metrics are not sensitive to the DLL bandwidth but are sensitive to the correlator spacing. The spoofing-induced error on pseudorange measurements was also analyzed. The results showed that the spoofing distortion on the correlation function is a function of the spoofer power, the Doppler difference of the spoofing and authentic signals and the type of discriminator used. For the low power spoofing attack, if the spoofing-authentic Doppler difference is much higher than the DLL bandwidth, the spoofing-induced errors on pseudorange measurements are minimal. Experimental results using actual GPS data in dense multipath environments were used to adjust the SQM detection threshold to reduce false spoofing detections due to multipath propagation.
REFERENCES
Broumandan, A., A. Jafarnia-Jahromi, S. Daneshmand and G. Lachapelle (2015) “A Network-based GNSS Structural Interference Detection, Classification and Source Localization,” Proceedings of the 28th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2015)
Chen, H., and H. H. Fan (2016) “A Kalman Filter Based Method for GPS Spoofing Detection,” Proceedings of the 2016 International Technical Meeting of The Institute of Navigation, January 25-28
Closas, P., J. Arribas, and C. Fernández-Prades (2016) “Spoofing Detection by a Reduced Acquisition Process,” Proceedings of the 2016 International Technical Meeting of The Institute of Navigation, January 25-28
Cavaleri, A., B. Motella, M. Pini, and M. Fantino (2010) “Detection of Spoofed GPS Signals at Code and Carrier Tracking Level,” in Proceedings of Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), Dec 8-10, Noordwijk, Netherlands, pp. 1-6
Crosta, P., and T. Alenia (2009) “A Novel Approach to the Performance Evaluation of an Arctangent Discriminator for Phase Locked Loop and application to the carrier tracking of the Ionospheric Scintillation,” in Proceedings of European Navigation Conference - GNSS 2009, 3-6 May, Naples, Italy, 10 pages
Gamba, M. T., B. Motella, and M. Pini (2013) “Statistical test applied to detect distortions of GNSS signals,” in International Conference on Localization and GNSS (ICL-GNSS), pp. 1-6
Humphreys, T. E., J. Bhatti, D. Shepard, K. Wesson (2012) “The Texas Spoofing Test Battery: Toward a Standard for Evaluating GPS Signal Authentication Techniques,” in Proceedings of the 25th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2012), September 17-21, Nashville, TN, pp. 3569-3583
Irsigler, M. (2008) Multipath Propagation, Mitigation and Monitoring in the Light of Galileo and the Modernized GPS. PhD Thesis, Bundeswehr University Munich
Jafarnia, A., T. Lin, A. Broumandan, J. Nielsen and G. Lachapelle (2012) “Detection and Mitigation of Spoofing Attacks on a Vector Based Tracking GPS Receiver,” Proceedings of the International Technical Meeting of the Institute of Navigation (ION ITM 2012), 30 January-1 February, Newport Beach, CA, pp. 790-800
Kalyanaraman, S. K., and M. S. Braasch (2004) “Fading Multipath Reduction via FLL-aided Code Tracking in GPS,” Proceedings of the 60th Annual Meeting of The Institute of Navigation, June 7-9, Dayton, OH
Kerns, A. J., D. P. Shepard and T. E. Humphreys (2014) “Unmanned Aircraft Capture and Control via GPS Spoofing,” Journal of Field Robotics, Volume 31, pp. 617-636
Ledvina, B. M., W. J. Bencze, B. Galusha, and I. Miller (2010) “An In-Line Anti-Spoofing Device for Legacy Civil GPS Receivers,” in Proceedings of the 2010 International Technical Meeting of The Institute of Navigation, January 25-27, San Diego, CA, pp. 698-712
Manfredini, E. G., F. Dovis, and B. Motella (2014) “Validation of a signal quality monitoring technique over a set of spoofed scenarios,” in 7th ESA Workshop on Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), pp. 1-7
Manfredini, E. G., B. Motella, F. Dovis (2015) “Signal Quality Monitoring for Discrimination between Spoofing and Environmental Effects, Based on Multidimensional Ratio Metric Tests,” Proceedings of the 28th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2015)
Misra, P. and P. Enge (2012) Global Positioning System: Signals, Measurements, and Performance. Ganga-Jamuna Press, Lincoln, MA, revised second edition
Braasch, M. S. and A. Van Dierendonck (1999) “GPS receiver architectures and measurements,” Proceedings of the IEEE, 87(1):48-87
Parro-Jimenez, J. M., R. T. Ioannides, M. Crisci, and J. A. Lopez-Salcedo (2012) “Detection and mitigation of non-authentic GNSS signals: Preliminary sensitivity analysis of receiver tracking loops,” in 6th ESA Workshop on Satellite Navigation Technologies and GNSS Signals and Signal Processing (NAVITEC), Dec. 5-7, Noordwijk, Netherlands, pp. 1-9
Phelts, R. E. (2001) Multicorrelator techniques for robust mitigation of threats to GPS signal quality, Ph.D. dissertation, Department of Mechanical Engineering, Stanford University, Palo Alto, CA
Pini, M., M. Fantino, A. Cavaleri, S. Ugazio, and L. L. Presti (2011) “Signal quality monitoring applied to spoofing detection,” in Proceedings of the 24th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2011), pp. 1888-1896
Shepard, D., and T. E. Humphreys (2011) “Characterization of Receiver Response to a Spoofing Attack,” in Proceedings of the 24th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2011), September 20-23, Portland, OR, pp. 2608-2618
Wesson, K. D., B. L. Evans, and T. E. Humphreys (2013) “A combined symmetric difference and power monitoring GNSS anti-spoofing technique,” in IEEE Global Conference on Signal and Information Processing, 4 pages
Wesson, K. D., D. P. Shepard, J. A. Bhatti, and T. E. Humphreys (2011) “An Evaluation of the Vestigial Signal Defense for Civil GPS Anti-Spoofing,” in Proceedings of the 24th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2011), September 20-23, Portland, OR, pp. 2646-2656
Zhuang, W. (1996) “Performance analysis of GPS carrier phase observable,” IEEE Transactions on Aerospace and Electronic Systems, 32(2):754-767
... This also requires the spoofer to precisely calibrate its systematic and cabling offsets. In this case, the spoofer will be able to thoroughly neutralize the authentic correlation peaks and effectively impose the spoofing signals to be acquired and tracked by the receiver (Broumandan et al 2016a). In practice however, there will be some misalignments between spoofer and receiver in terms of code and carrier phase, carrier frequency and signal power resulting in distortions and fluctuations in overlapped correlation peaks similar to those of multipath interference (Broumandan et al 2016a). ...
... In this case, the spoofer will be able to thoroughly neutralize the authentic correlation peaks and effectively impose the spoofing signals to be acquired and tracked by the receiver (Broumandan et al 2016a). In practice however, there will be some misalignments between spoofer and receiver in terms of code and carrier phase, carrier frequency and signal power resulting in distortions and fluctuations in overlapped correlation peaks similar to those of multipath interference (Broumandan et al 2016a). These fluctuations can be monitored in both code and Doppler domains as a metric of signal quality as is discussed in Pirsiavash et al (2016Pirsiavash et al ( , 2017c. ...
... This is the case for an overlapped spoofing scenario where a spoofing signal interacts with the authentic one in terms of code and carrier parameters such as PRN code delay and Doppler frequency. As mentioned in Chapter 2, the effectiveness of a non-overlapped spoofing attack depends on different factors such as receiver acquisition strategy and can be detected by several detection metrics at the pre and post-despreading stages (Broumandan et al 2016a). This chapter focuses on overlapped scenarios. ...
Thesis
Full-text available
Global Navigation Satellite Systems (GNSS) are widely used in everyday and safety of life services as the main system for positioning and timing solutions. Reliability and service integrity are of utmost importance given a variety of error sources and threats. In the case of aviation and maritime applications, system integrity includes ground and space-based augmentation systems. These externally-aided monitoring systems do not provide a satisfactory solution for land users due to the multiplicity of error sources in the user's local environment, such as multipath. This research investigates receiver level stand-alone integrity monitoring solutions for such users. The methodology is based on Signal and Measurement Quality Monitoring (SQM and MQM) to detect and exclude or de-weight faulty measurements, with multipath and spoofing being the major concerns. Different monitoring metrics are defined and investigated for multipath detection and new geometry-based exclusion and de-weighting techniques are developed. Following an analytical discussion of metric sensitivity and effectiveness, simulated and field data analysis are provided to verify practical performance. Results obtained for the designed SQM and MQM-based detection metrics show reliable performance of 3 to 5 m Minimum Detectable Multipath Error (MDME). Although limited by multipath characteristics and measurement geometry, when detected faulty measurements are excluded or de-weighted, positioning performance improves for various multipath scenarios. In order to effectively classify multipath and spoofing, a spoofing simulator is designed, implemented and tested for selected time and position spoofing scenarios. A new spoofing strategy is described to investigate the minimum number of satellite signals required for an effective spoofing attack. Results show that in an overlapped spoofing scenario, at least 60% of signals are spoofed and thus distorted. 
This rate of signal distortion is not the case in all but harsh multipath scenarios and is used to distinguish spoofing attacks from multipath. More importantly, it is shown that distortion of more than half of the signals makes position solutions unreliable regardless of the error source. For selected scenarios, two-dimensional time/frequency widely-spaced SQM metrics are also developed to detect spoofing signals with about 3% false alarm probability imposed by multipath and other sources of signal distortion.
... This attack is usually generated by a hardware simulator or replayed by a signal transponder. An effective way to spoof a receiver in a non-overlapped scenario is to first jam and make the receiver lose its lock on the real signal and instead capture the spoofing signal [9]. In this scenario, the spoofing signal appears as a noise and only affects the effective carrier noise power ratio (C/No). ...
... To compare the differences between the position vector of the spoofing detection algorithm proposed in this paper and the position vector of the traditional least squares method in the analytic expression, we add a row to the matrix M and L, respectively. Equation (9) can then be rewritten as: ...
Article
Full-text available
Intentional spoofing interference can cause damage to the navigation terminal and threaten the security of a global navigation satellite system (GNSS). For spoofing interference, an anti-spoofing algorithm based on pseudorange differences for a single receiver is proposed, which can be used to detect simplistic and intermediate spoofing attacks, as well as meaconing attacks. Double-difference models using the pseudorange of two adjacent epochs are established followed by the application of Taylor expansion to the position relationship between the satellite and the receiver (or the spoofer). The authenticity of the signal can be verified by comparing the results of the proposed spoofing detection algorithm with the traditional least squares method. The results will differ when spoofing is present. The parameter setting of the proposed algorithm is introduced. The algorithm has the advantage of both simplicity and efficiency and needs only a single receiver and pseudorange data. A NovAtel receiver is adopted for the actual experiments. The Texas spoofing test battery (TEXBAT), as well as two other simulation experiments are used to verify the performance of the algorithm. The simulation results validate the feasibility and effectiveness of the algorithm.
... Such errors are not tolerable for many applications, such as during the aircraft landing. Methods based on signal quality monitoring and correlator output distribution can defend consistent Doppler spoofing when SACDD is less than 1 chip [5,[13][14][15][16], but they are difficult to distinguish between multipath and spoofing. The methods based on the combination of power and correlation peak distortion monitoring can detect consistent Doppler spoofing when SACDD is less than 1 chip, and it can also distinguish spoofing from multipath [17,18]. ...
Article
Full-text available
GNSS intermediate spoofing is a big threat to GNSS‐dependent services because of its strong concealment. When the carrier Doppler of the spoofing signal is not locked to that of the authentic signal, such spoofing will result in the presence of dual‐peak in the signal spectrum. In the absence of interference, there should be no dual‐peak. In the multipath scenario, dual‐peak may exist, but the number of dual‐peaks and relative velocity residual magnitudes of dual‐peak signals are different from those in the spoofing scenario. Therefore, an intermediate spoofing detection technique based on dual‐peak in frequency domain and relative velocity residuals is proposed in this study, which can not only detect spoofing but also distinguish spoofing scenario from the multipath scenario. Fast Fourier transform based methods are used to detect the dual‐peak and extract the Doppler difference of the dual‐peak, and the relative velocity residual calculation based on Doppler differences is derived. The performance of this approach is evaluated both analytically and experimentally: simulation results show spoofing false alarm probability in the multipath scenario is small, which indicates that spoofing scenario and multipath scenario can be well distinguished; and the effectiveness is verified based on the Texas Spoofing Test Battery (TEXBAT).
... Depending on the satellite geometry and spoofing scenario, the authentic and spoofing signals will be either overlapped or non-overlapped in their Pseudorandom Noise (PRN) code delays. In this case, the spoofing signals can degrade the positioning performance by increasing the level of noise (or spoof the position if the receiver is forced to reacquire), but the signals not closely overlapped with the authentic ones (compared to the receiver tracking correlator spacing) are usually neglected as noise by a tracking receiver [6,7]. Knowing the approximate position and velocity of the target receiver makes the spoofer able to generate an intermediate spoofing scenario. ...
Conference Paper
Full-text available
The widely used civilian Global Navigation Satellite Systems (GNSS) are an attractive target for spoofing attacks to mislead target receiver position and/or timing solutions. Several detection techniques have been investigated to monitor spoofing-caused anomalies. Although effective under different scenarios, the techniques each have limitations and their performance needs to be updated based on new emerging spoofing scenarios. Following a comprehensive review of different spoofing scenarios and state-of-the-art detection techniques, this paper investigates the possibility of a new scenario where the spoofer transmits only a subset of the satellite signals in view. In such cases, the performance of some spoofing detection metrics may be affected. The outcome of this study can be used to improve the performance of authentication techniques for overlapped spoofing scenarios. For pseudorange-based static positioning, results presented for short-range spoofing scenarios (the 3D distance between spoofed and authentic position is 15 to 20 m) show that the number of spoofed PRNs can be reduced by 10 to 40% without significant degradation in spoofed positioning performance.
... Detection and mitigation of spoofing attacks on GNSS receivers in tracking mode have become one of the important antispoofing topics. In [4]- [6], the effect of interaction between authentic and spoofing peaks on the tracking process of a GNSS receiver is analyzed. Most spoofing detection metrics are designed to detect a spoofing attack assuming there are only two states, namely, clean data or a spoofing attack [7]- [10]. ...
Article
The focus here has been on correct detection of spoofing attacks from interference sources. To this end several predespreading and postdespreading spoofing detection metrics, namely temporal/ spectral analyses, SPCA, C/N<sub>0</sub>, and SQM, were implemented and analysed under different interference signals, namely CW jammer, wideband noise, chirp jammer, and multipath. Considering the real data analysis results, the predespreading detection metrics, namely variance analysis and SPCA, are not affected under multipath and hence used to discriminate between spoofing and multipath signals based on the assumption that these metrics are not affected in typical multipath scenarios. The assumption was validated by collecting several data sets in dense urban environments and analysing the metric results. The temporal/spectral analyses in the presence of jamming signals were affected. Among jamming signals, the chirp jammer had the most destructive effect on the performance of a receiver and consequently severely affected the performance of the postdespreading detection metrics. The chirp jammer also affected the SPCA spoofing detection metric and its behaviour on detection metrics is very similar to that of a nonoverlapped spoofing attack. The SQM metric was implemented to detect spoofing and multipath at the postdespreading level. As shown in the scenarios used, the SQM metric is not overly sensitive for short-range multipath/spoofing signals.
Conference Paper
Full-text available
Spoofing is a major threat of GNSS-based positioning. Early detection of spoofing signals is paramount in counteracting its malicious effects. In this article, a pre-correlation spoofing detection method is presented based on the solid theory of hypothesis testing. The method assumes that the legitimate signal is being tracked, and thus its synchronization parameters are known, when the spoofing signal appears. Two versions of the detector are presented, one assuming that both signals are uncorrelated and another, more general, without assumptions. The former is computationally lighter, although shows reduced detection performance than the latter when the relative time-delays of the legitimate and the counterfeit signals approach. Computer simulations are used to validate the proposed methodology.
Conference Paper
Full-text available
Civil Global Navigation Satellite System (GNSS) signals are vulnerable to spoofing attacks that deceive a victim receiver into reporting counterfeit position or time information. The primary contribution of this paper is a non-cryptographic GNSS anti-spoofing technique that “sandwiches” a spoofer between a correlation function distortion monitor and a total in-band power monitor. The defense exploits the difficulty of mounting an effective spoofing attack that simultaneously maintains a low-enough counterfeit signal power to avoid power monitoring alarms while minimizing distortions of the received cross-correlation profile that are indicative of a spoofing attack. Results presented in this paper demonstrate the defense's effectiveness against a sophisticated spoofing attack.
Conference Paper
Full-text available
The extremely low power of Global Navigation Satellite System (GNSS) signals makes them vulnerable to disturbances and interference from external sources. These induce distortions on the correlation function that reflect upon a degraded pseudoranges measurement and poor positioning accuracy. On the other hand, the wide spread use of GNSS receivers in critical applications demands for improved performance in terms of positioning accuracy and integrity. This paper proposes a new algorithm based on the statistical testing of post-correlation measurements to detect signal distortions and to prevent degradations in the receiver positioning performance. The application of statistical tests to GNSS is not yet deeply investigated, but some recent works already show good performance when Goodness of Fit (GoF) tests are applied to raw signal samples to detect interference. The paper presents a quality monitoring algorithm, based on the application of a statistical testing, known as sign test, applied to the post correlation stage of a GNSS receiver. Promising results are obtained to detect distortions in the correlation shape, for two different harsh environments, i.e., with the presence of interference sources and under a spoofing attack. The main advantages of the proposed method are the low complexity, the indipendence from the type of disturbance and the possibility of its application to any GNSS modulation.
Article
A battery of recorded spoofing scenarios has been compiled for evaluating civil Global Positioning System (GPS) signal authentication techniques. The battery can be considered the data component of an evolving standard meant to define the notion of spoof resistance for commercial GPS receivers. The setup used to record the scenarios is described. A detailed description of each scenario reveals readily detectable anomalies that spoofing detectors could target to improve GPS security.
Article
Radionavigation Laboratory. His research interests are in the development of small satellites, software-defined radio applications, space weather, and GNSS security and integrity.

Todd E. Humphreys is an assistant professor in the Department of Aerospace Engineering and Engineering Mechanics at the University of Texas at Austin and Director of the UT Radionavigation Laboratory. He received a B.S. and M.S. in Electrical and Computer Engineering from Utah State University and a Ph.D. in Aerospace Engineering from Cornell University. His research interests are in estimation and filtering, GNSS technology, GNSS-based study of the ionosphere and neutral atmosphere, and GNSS security and integrity.

ABSTRACT

A receiver-autonomous non-cryptographic civil GPS anti-spoofing technique called the vestigial signal defense (VSD) is defined and evaluated. This technique monitors distortions in the complex correlation domain to detect spoofing attacks. Multipath and spoofing interference models are developed to illustrate the challenge of distinguishing the two phenomena in the VSD. A campaign to collect spoofing and multipath data is described, which specific candidate VSD techniques can be tested against. Test results indicate that the presence of multipath complicated the setting of an appropriate spoofing detection threshold.
Article
The theory and practice of unmanned aerial vehicle (UAV) capture and control via Global Positioning System (GPS) signal spoofing are analyzed and demonstrated. The goal of this work is to explore UAV vulnerability to deceptive GPS signals. Specifically, this paper (1) establishes the necessary conditions for UAV capture via GPS spoofing, and (2) explores the spoofer's range of possible post-capture control over the UAV. A UAV is considered captured when a spoofer gains the ability to eventually specify the UAV's position and velocity estimates. During post-capture control, the spoofer manipulates the true state of the UAV, potentially resulting in the UAV flying far from its flight plan without raising alarms. Both overt and covert spoofing strategies are considered, as distinguished by the spoofer's attempts to evade detection by the target GPS receiver and by the target navigation system's state estimator, which is presumed to have access to non-GPS navigation sensor data. GPS receiver tracking loops are analyzed and tested to assess the spoofer's capability for covert capture of a mobile target. The coupled dynamics of a UAV and spoofer are analyzed and simulated to explore practical post-capture control scenarios. A field test demonstrates capture and rudimentary control of a rotorcraft UAV, which results in unrecoverable navigation errors that cause the UAV to crash.
