Cooperative GPS Signal Authenticationfrom Unreliable Peers

Liang Heng, Daniel Chou, and Grace Xingxin Gao

University of Illinois at Urbana-Champaign

BIOGRAPHY

Liang Heng is a postdoctoral research associate in the De-partment of Aerospace Engineering, University of Illinois atUrbana-Champaign. He received the B.S. and M.S. degreesfrom Tsinghua University, China in 2006 and 2008, andthe Ph.D. degree from Stanford University in 2012, each inElectrical Engineering. His research interests are coopera-tive navigation and satellite navigation. He is a member ofthe Institute of Electrical and Electronics Engineer (IEEE)and the Institute of Navigation (ION).

Daniel Chou is a graduate student in the Department ofElectrical and Computer Engineering, University of Illinoisat Urbana-Champaign. He received his B.S. in ElectricalEngineering from Arizona State University in 2013. Hiscurrent research projects includes designing and implement-ing countermeasures against malicious attacks on civiliangrade GPS receivers utilized in phasor measurement units.

Grace Xingxin Gao is an assistant professor in theAerospace Engineering Department at University of Illinoisat Urbana-Champaign. She received her B.S. degree inMechanical Engineering in 2001 and her M.S. degree inElectrical Engineering in 2003, both at Tsinghua University,China. She obtained her Ph.D. degree in Electrical Engineer-ing at Stanford University in 2008. Before joining Illinoisat Urbana-Champaign as an assistant professor in 2012,Prof. Gao was a research associate at Stanford University.Prof. Gao has won a number of awards, including RTCAWilliam E. Jackson Award, Institute of Navigation EarlyAchievement Award, 50 GNSS Leaders to Watch by GPSWorld Magazine, and multiple best presentation awards atION GNSS conferences.

ABSTRACT

Secure, reliable position and time information is indispens-able for many civil GPS applications such as guiding aircraft,tracking freight, synchronizing power grids and cellular net-works, and time-stamping financial transactions. This paper

introduces a signal authentication architecture based on anetwork of cooperative receivers. A receiver in the net-work correlates its received military P(Y) signal with thosereceived by other receivers (hereinafter referred to as cross-check receivers) so as to detect spoofing attacks. This paperdescribes a candidate structures to implement this architec-ture. Our theoretical analysis shows that the signal-to-noise-ratio significantly affects pair-wise check performance, andthe final authentication performance improves exponentiallywith increasing number of cross-check receivers. We haveconducted two field experiments to evaluate pair-wise checkperformance in different spatial conditions (urban canyonand open space) and different transport modes (static andmoving). The experiments shows that pair-wise check per-formance is sensitive to spatial conditions, but insensitive totransport modes.

INTRODUCTION

During the past two decades, the Global Positioning Sys-tem (GPS) has become an essential element of the globalinformation infrastructure, with myriad applications in al-most every facet of modern businesses and lifestyles, in-cluding communication, energy distribution, finance, andtransportation. Ever-growing dependence on GPS createsstrong incentives to attack civil GPS receivers, for either anillegitimate advantage or a terrorism purpose.

Unfortunately, the civil GPS signal was not designed forsecurity-critical applications. Unlike its military counter-part, the civil signal is not encrypted or authenticated. Thesignal specification is publicly available [1]. An attacker cansynthesize and broadcast spoofing signals that are structuredto resemble a set of authentic GPS signals. A victim receiverfed with the spoofing signals will report position and timesolutions that are manipulated by the spoofer [2, 3]. Spoof-ing poses a great security risk because it is surreptitiousand usually undetected by most commercial-off-the-shelfreceivers [2–4].

Previous work on spoofing countermeasures

A variety of methods have been proposed to harden civilGPS receivers against spoofing attacks. These methods canbe generally categorized into three groups: external assis-tance, signal statistics, and cryptographic authentication.The first group performs consistency checks against metricsexternal to the GPS subsystem, such as the information frominertial sensors, odometers, cellular networks, and high-stability clocks [5, 6]. The second group performs statisticaltests on features inherent in GPS signals, including angleof arrival [7, 8], signal quality [9], signal power [10, 11],and multipath [12]. The third group relies on cryptographic,unpredictable information carried by GPS signals [13–16].Unlike the first group of methods, cryptographic methodsdo not require any additional hardware, which can be a hur-dle to mass-market GPS applications that are sensitive tocost, weight, or volume. In comparison to the second group,cryptographic methods enable users to differentiate authen-tic signals from counterfeit signals with higher confidenceand robustness, especially in a harsh environment where thestatistics of authentic signals can be highly unstable.

Three types of cryptographic spoofing countermeasureshave been explored in recent literature. The first option,known as navigation message authentication (NMA), in-serts public-key digital signature into the navigation mes-sage [13, 16–18]. Another strategy is to interleave spreadspectrum security codes (SSSC) with normal civil GPSspreading codes so that parts of spreading sequences areperiodically unpredictable [13,19]. Both NMA and SSSCrequire significant modifications to the legacy GPS signalstructure. They are unlikely to be implemented in the com-ing decade due to the static nature of GPS interface spec-ification (IS) and long deployment cycles. The third ap-proach relies on codeless cross-correlation of unpredictableencrypted military P(Y) code between two civil GPS re-ceivers [14, 15, 20]. Without any modification to the GPSIS, this approach is practical today.

Figure 1 illustrates how cross-correlation spoofing detec-tion works. It correlates a snippet of L1 signal from thereceivers to be authenticated (hereafter referred to as “userreceivers”) with a snippet from the reference receiver. Bothsnippets are known to contain the same part of the mili-tary P(Y) codes broadcast by a GPS satellite visible to bothreceivers. Although the P(Y) code is encrypted and thusunknown, and although its received versions are noisy andmay be distorted by a narrow-band radio frequency (RF)front-end [15], when conducting cross-correlation, the P(Y)code components in the two snippets are similar enough tocreate a high correlation peak if neither the user receiver northe reference receiver is spoofed. However, if the referencereceiver is spoofed, especially by the same spoofer to the

Figure 1. Principle of cross-correlation spoofing detection(adapted from Fig. 1 in [15]). The publicly-known C/Asignal and encrypted P(Y) signal are modulated on to theL1 carrier in-phase and quadrature, respectively. Eachreceiver tracks the C/A code, and uses its phase andtiming relationships to the P(Y) code to take a snippetof the same part of the P(Y) code. A high correlationwill appear if the two snippets contain the same P(Y)code.

user receiver, the authentication result will be incorrect.

Previous papers [14, 15] have analyzed the performance ofthe cross-correlation spoofing detection method using onereference receiver. In addition, they proposed employinga few dedicated reference stations to provide GPS signalauthentication service for a wide area. Despite the strongmerits, such a client-server authentication service has someweakness. First and foremost, it requires considerable in-vestment into the setup of reference stations, not to mentionthe maintenance cost. Second, since fixed reference stationscan be located, they are vulnerable to organized, targetedjamming and spoofing attacks, and loss of a majority of thereference stations may paralyze the authentication service.

Authentication based on a network of ad-hoc receivers

In this paper, we extend the dual-receiver P(Y)-code corre-lation method to a network of receivers, and present a GPSsignal authentication architecture in an ad hoc, cooperativemanner. The fundamental difference from the client-servermanner mentioned above is that our architecture relies onmultiple receivers (hereinafter referred to as “ad-hoc cross-check receivers” or simply “cross-check receivers”) as refer-ences. The cross-check receivers can be mobile, low-quality,unreliable, and even spoofed. The authentication processconsists of two steps: pair-wise check and decision aggrega-tion. In pair-wise check, the P(Y) signal received by a userreceiver is correlated with that received by each cross-checkreceiver. Each such correlation provides a decision as to theauthenticity of the signal received by the user receiver. In

decision aggregation, the pair-wise decisions are aggregatedto determine if the user receiver is spoofed.

The cooperative manner is superior to the client-server man-ner in terms of cost, user capacity, and robustness, thanks tounlimited geographically-dispersed low-cost ad-hoc cross-check receivers. However, one should be aware that anad-hoc cross-check receiver is less reliable than a dedicatedreference receiver. First, a mass-market GPS receiver, espe-cially one embedded in a smartphone, may not be as good asa dedicated geodetic-grade receiver in terms of the antennaand the signal conditioning circuit. Second, a cross-checkreceiver may intentionally be malicious so that it providesno or even negative contribution to the final authenticationresult. Third, a cross-check receiver can also be spoofed,and sometimes a user receiver and a cross-check receivermay be spoofed by the same spoofer if they are not suffi-ciently far apart. We shall further show in this paper thatour proposed architecture is actually robust against these po-tential issues because 1) low-cost receivers can still providesatisfactory pair-wise check performance, and 2) the finalauthentication performance improves exponentially withincreasing number of cross-check receivers.

Content of this paper

Pair-wise check and decision aggregation are two stagesin our proposed authentication system. We have theoreti-cally proven that in the second stage, decision aggregationachieves authentication performance that improves expo-nentially with increasing number of cross-check receivers[21, 22]. In this paper, we focus on the performance ofpair-wise check and conduct field experiments to evaluateauthentication performance in different spatial conditions(urban canyon and open space) and different transport modes(static and moving).

For the remainder of this paper, we start with a descriptionof a candidate structure to implement our proposed cooper-ative authentication architecture. In section “PerformanceAnalysis,” we theoretically analyze the spoofing detectionperformance of pair-wise check and briefly revisit the finalauthentication of decision aggregation. Section “Experi-ments” presents experiment results on the pair-wise checkperformance using low-cost receivers.

SYSTEM STRUCTURE

There are several approaches to implementing our proposedcooperative authentication system. These approaches differfrom one another mainly in where correlations are computed.One approach is to distribute correlation computation toeither cross-check receivers or a cloud service. Anotheroption is to compute all the correlations in a centralized

User receiver(aggregating

decisions)

Cross-checkreceiver 1

(computingcorrelation)

Cross-checkreceiver 2

(computingcorrelation)

...Cross-checkreceiver N(computingcorrelation)

snippet

decision 1

snippet

decision 2

snippetdecision N

Figure 2. A candidate structure of authentication system. Eachcross-check receiver computes the correlation betweenits own snippet and the one from the user receiver, anddecides whether the signal received by the user receiveris authentic or not. The user receiver collects the de-cisions from all cross-check receivers, and finally de-termines the authenticity of its received signal by anappropriate statistical measure.

way, either by the user receiver itself or by a third partywhich wants to ensure the validity of the position and clockreported by the user receiver. In this paper, we focus on acandidate structure in which cross-check receivers computethe correlations.

Figure 2 illustrates this structure, in which correlation com-putation is distributed to cross-check receivers. The wholeprocedure is explained in detail in Table 1. In the beginning,a user receiver wants to know whether its received signal isauthentic or not, and it finds N peers as cross-check refer-ences. The user receiver and all cross-check receivers agreeto collect a snippet of quadrature-phase baseband signalfor a GPS satellite at a time in the immediate future. Theuser receiver sends its snippet to the reference receivers viasecure channels. Then each reference receiver correlates itsown snippet with the one from the user receiver, and decidesif the signal received by the user receiver is authentic ornot. Finally, the user receiver aggregates the decisions fromthe N reference receivers, and determines the authenticityof its received signal by an appropriate statistical measure.Since snippets of GPS signals have to be transported over acommunication network, a security protocol, such as TLSand IPsec [23], should be used to avoid man-in-the-middle

Steps Actions

1 User receiver sends out authentication re-quests with its rough location.

2 Available receivers within an appropriatearea* respond to requests.

3 User receiver chooses N cross-check re-ceivers, chooses a common-view GPS satel-lite, and sends them a GPS time in the imme-diate future.

4 User receiver and cross-check receivers col-lect snippets of quadrature-phase basebandsignal from the GPS satellite at the GPS time.

5 User receiver sends its snippet to the N cross-check receivers.

6 Each cross-check receiver correlates its snip-pet with user receiver’s, and replies to theuser receiver with a decision “authentic” or“unauthentic.”

7 User receiver determines the authenticity ofits received signal by aggregating all thesedecisions.

* Cross-check receivers should be at least several kilometers awayfrom the user receiver. There should be at least one GPS satellitevisible to the user receiver and all the cross-check receivers.

Table 1. Procedure of the authentication process.

attacks.

The authentication process can be performed in near real-time, and the time delay mainly depends on data collection,communication, and computation. According to Psiaki etal. [15], a snippet of approximate 1 second is generallyneeded for reliable spoofing detection. A narrow-band GPSfront-end usually has a bandwidth of 2.4 MHz, and 1-second1-bit quadrature-phase samples yield 2.4 M bits of data. Forcurrent 3G/4G cellular networks, it typically takes 1 secondor less to transfer one snippet. The time of computationdepends, but a rule of thumb is that a receiver must havethe capability of processing 1-second data within 1 second.Since the time for sending and responding requests and ag-gregating decisions is usually negligible, the authenticationprocess can take as short as 2 + N seconds: 1 second forcollecting snippets, N seconds for transferring the user re-ceiver’s snippet to N cross-check receivers, and 1 secondfor computing the correlations. It is worth nothing that ourcooperative authentication does not require highly reliablespoofing detection for each cross-check receiver, and thus

allows a much shorter snippet to be collected. Therefore, adelay of 2 + N seconds is a conservative estimate. Besides,if the user receiver can upload its snippet to a cloud ser-vice for file-sharing, from which the cross-check receiverscan download the snippet simultaneously, then the authen-tication delay can be shortened to 4 seconds: 1 second forcollecting snippets, 1 second for uploading, 1 second fordownloading, and 1 second for computing the correlations.

An issue with cooperative authentication is that there mayexist some spam receivers being deliberately malicious (orplayfully mischievous). In this structure, a malicious cross-check receiver may reply to the user receiver with a randomdecision independent of the correlation, or even worse, adecision always opposite to the correct decision based onthe correlation. In Section “Performance Analysis,” we shallshow that the performance deterioration due to maliciouscross-check receivers can be compensated by more cross-check receivers.

PERFORMANCE ANALYSIS

Authentication is essentially a statistical hypothesis test, so ithas a probability of making two types of errors: false alarmand missed detection. This section analyzes the probabilityof the two types of errors in pair-wise check and in decisionaggregation.

Assumptions and notations

In order to simplify the analysis, we assume that all ad-hoc cross-check receivers have the same spoofing detectionperformance, namely, the same probability of false alarmand the same probability of missed detection. A cross-check receiver can be malicious with certain probability.Additionally, a cross-check receiver can be spoofed witha certain probability, and the spoofer can be the same asor different from the spoofer to the user receiver. The listbelow summaries the notations used throughout this article.

N Number of cross-check receivers.T Snippet length, i.e., number of samples in a snippet.C Normalized cross-correlation, used as the pair-wise

check test statistic.H0 Null hypothesis that a user receiver’s snippet and a

cross-check receiver’s snippet contain the same P(Y)code.

H1 Alternative hypothesis that a user receiver’s snippetand a cross-check receiver’s snippet contain differentP(Y) codes.

N (µ,σ2) Normal distribution with mean µ and varianceσ2.

S Actual status of user receiver: S = 0 authentic, andS = 1 spoofed.

Ai Pair-wise check decision using the ith cross-checkreceiver, i = 1, . . . ,N : Ai = 0 authentic, and Ai = 1spoofed.

A Final authentication result from aggregating all Ai ,i = 1, . . . ,N .

α Equal to Prob(Ai = 1|S = 0), for all i = 1, . . . ,N ,probability of false alarm using an unspoofed, non-malicious cross-check receiver.

β Equal to Prob(Ai = 0|S = 1), for all i = 1, . . . ,N ,probability of missed detection using an unspoofed,nonmalicious cross-check receiver.

PFA Equal to Prob(A = 1|S = 0), probability of falsealarm of the final authentication result.

PMD Equal to Prob(A = 0|S = 1), probability of misseddetection of the final authentication result.

PD Equal to 1 − PMD , probability of detection, alsoreferred to as detection power.

PSS Probability of (a) a cross-check receiver beingspoofed by the same spoofer to the user receiver and(b) a cross-check receiver being malicious such thatits pair-wise check decision is always opposite to thecorrect decision based on the correlation.

PSD Probability of (a) a cross-check receiver beingspoofed by a different spoofer to the user receiverand (b) a cross-check receiver being malicious suchthat its pair-wise check decision is based on thecorrelation involving a random, irrelevant snippet.

Signal model and performance of pair-wise check

In this subsection, let Receiver 1 be a user receiver, andReceiver 2 be a cross-check receiver. Suppose that bothreceivers track the L1 signal with perfect carrier and symboltiming recovery. The quadrature-phase baseband signalsthat contain the L1 P(Y) code are given by

s1[t] = Λ1p1[t] + n1[t], (1)

s2[t] = Λ2p2[t] + n2[t], (2)where t ∈ {1,2, . . . ,T } is the index of a total of T samples,Λ1 and Λ2 are the received P(Y) code amplitudes (afterdistortion and attenuation) for the two receivers, p1[t] andp2[t] = ±1 denote the unknown P(Y) code sequences, andn1[t] ∼ N (0,σ2

1) and n2[t] ∼ N (0,σ22) account for receiver

noises and other irrelevant GPS signals. The spoofing detec-tion is based on the test statistic

C =1T

T∑t=1

s1[t]s2[t]. (3)

Define c[t] = s1[t]s2[t] for all t ∈ {1,2, . . . ,T }. Underthe hypothesis H0 that both receivers receive the same P(Y)

code, i.e., p1[t] = p2[t] for all t, the expectation and varianceof c[t] are given by

E(c[t]) = E((Λ1p1[t] + n1[t])(Λ2p2[t] + n2[t])

)= Λ1Λ2;

(4)

Var(c[t]) = E((Λ1p1[t] + n1[t])2(Λ2p2[t] + n2[t])2)−

(E(c[t])

)2,

= Λ21σ

22 + Λ2

2σ21 + σ2

1σ22 .

(5)

By the central limit theorem (CLT), for a very large T , wehave

CH0 ∼ N (µH0 ,σ2H0

) = N

(Λ1Λ2,

Λ21σ

22 + Λ2

2σ21 + σ2

1σ22

T

).

(6)

Under the hypothesis H1 that the two receivers receive dif-ferent P(Y) codes, let us assume that p1[t] is independentfrom p2[t] for all t. Then, the expectation and variance ofc[t] are given by

E(c[t]) = E((Λ1p1[t] + n1[t])(Λ2p2[t] + n2[t])

)= 0;

(7)

Var(c[t]) = E((Λ1p1[t] + n1[t])2(Λ2p2[t] + n2[t])2)−

(E(c[t])

)2,

= (Λ21 + σ2

1)(Λ22 + σ2

2).

(8)

By CLT, for a very large T , we have

CH1 ∼ N (µH1 ,σ2H1

) = N

(0,

(Λ21 + σ2

1)(Λ22 + σ2

2)T

). (9)

The signal-to-noise ratio (SNR) for the received signals aregiven by γ1 = Λ2

1/σ21 and γ2 = Λ2

2/σ22 . Normalizing (1) by

σ1 and (2) by σ2, and considering the fact that γ1 � 1 andγ2 � 1, we can finally simplify (6) and (9) into

CH0 ∼ N

(√γ1γ2,

γ1 + γ2 + 1T

)≈ N (

√γ1γ2,1/T ), (10)

CH1 ∼ N

(0,

(1 + γ1)(1 + γ2)T

)≈ N (0,1/T ). (11)

Given a spoofing detection threshold ζ , if C ≥ ζ then thenull hypothesis H0 will be accepted, otherwise the alterna-tive hypothesis H1 will be accepted. Thus, the probabilityof false alarm α and the probability of missed detection β

are given by

α = Q((√γ1γ2 − ζ )

√T), (12)

β = Q(ζ√

T ), (13)

where the Q-function Q(x) = (2π)−1/2∫ ∞x

exp(−u2/2) duis the tail probability of the standard normal distribution.

The Chernoff bound of Q-function is Q(x) ≤ 12 exp(−x2/2)

for all x > 0. When the threshold ζ is chosen properly,i.e., 0 < ζ <

√γ1γ2, increasing T decreases both α and β

exponentially, as shown by

α ≤12

exp(−(√γ1γ2 − ζ )2T

), (14)

β ≤12

exp(−ζ2T ). (15)

If we choose ζ = 12√γ1γ2, both α and β will decreases at

the same rate, on the order of exp(−γ1γ2T/4)/2. Therefore,for low-cost receivers which typically have low SNR, inorder to achieve certain authentication performance, wemust increase T and/or use multiple receivers.

Final authentication performance after aggregatingdecisions

Let X =∑N

i=1 Ai and ξ be a preset threshold, where ξ isan integer such that 0 ≤ ξ ≤ N . The user receiver isdetermined to be “authentic” if X < ξ and to be “spoofed”if X ≥ ξ. Our previous work [21, 22] has proven

PFA = Prob(A = 1|S = 0) = Prob(X ≥ ξ |S = 0)

=

N∑m=ξ

(Nm

)α̃m (1 − α̃)N−m ,

(16)

PD = Prob(A = 1|S = 1) = Prob(X ≥ ξ |S = 1)

=

N∑m=ξ

(Nm

)(1 − β̃)m β̃N−m .

(17)

where

α̃ = (1 − PSS − PSD )α + (PSS + PSD )(1 − β), (18)

β̃ = (1 − PSS ) β + (PSS )(1 − α) (19)

account for the performance degradation due to unreliabilityof cross-check receivers.

Consider a threshold selection strategy ξ = κN such that

N α̃ ≤ ξ = κN ≤ N (1 − β̃). (20)

In [22], we have proven the following upper bounds usingHoeffding’s inequality [24]:

PFA ≤ exp(−2

(ξ − α̃N )2

N

)= exp

(−2N (κ − α̃)2) , (21)

PMD ≤ F (ξ; N,1 − β̃) ≤ exp(−2

(N (1 − β̃) − ξ)2

N

)= exp

(−2N (1 − β̃ − κ)2) .

(22)

It can be seen that both PFA and PMD decrease exponen-tially with increase of N . The parameter κ determines howfast PFA and PMD shrink. A larger κ hastens exponentialdecay of PFA, while a smaller κ hastens exponential decayof PMD .

In (21) and (22), if we choose κ = 12 (1 + α̃ − β̃), both

PFA and PMD decrease at the same rate, on the order of

exp(−N (1 − α̃ − β̃)2) . Therefore, the parameter λ = 1 −

α̃ − β̃ is a figure of merit characterizing how fast the finalauthentication performance improves with an increasing N .By (18) and (19), we have

λ = 1 − α̃ − β̃

= (1 − α − β)(1 − 2PSS − PSD ),(23)

which indicates that the factor 1−2PSS −PSD is the penaltyfor the unreliability of cross-check receivers.

In addition, (23) implies a fundamental requirement on pair-wise check:

α̃ + β̃ < 1. (24)

Unless the requirement was met, increasing N would notimprove authentication performance.

EXPERIMENTS

In this section, we conduct field experiments to evaluateauthentication performance in real environments. In theexperiments, we employ multiple SiGe GN3S samplers andportable antennas to collect raw intermediate frequency (IF)samples of GPS signals. The data are post-processed usingour developed software receiver. Snippets of P(Y) codes areextracted from the tracking loops, and then used to computecorrelations.

SNR loss in low-cost receivers

Most commercial-off-the-shelf low-cost GPS receivers donot have the capability of streaming out raw IF samples. Weuse SiGe GN3S samplers as a substitute. The SiGe front-end is a thumb-sized USB device designed for low-costsoftware-defined GPS and Galileo receivers. It has a sam-pling frequency from 4 MHz to 16 MHz and a quantizationresolution of 2 bits (4 levels). The price of one SiGe deviceis around $450.

We use a 89600 series Agilent Vector Signal Analyzer(VSA) as a representative of high-cost GPS receivers. TheVSA has a sampling frequency up to 40 MHz and a quan-tization resolution of 16 bits. The price of one device isaround $50,000.

We collected multiple concurrent data sets with the SiGe andVSA using the same antenna and RF splitter. Our softwarereceiver shows that relative to the VSA, the average SNRlost by using the SiGe front-end is in the range of 1.5–2 dB.

In addition to the RF front-ends, we compared the portablepatch antenna (around $10) used with the SiGe to a fixedchoke ring antenna (around $1,000) commonly used with ageodetic-grade GPS receiver. The low-cost patch antennaloses 3–4 dB in SNR relative to the high-cost antenna.

Figure 3. Experiment 1: One SiGe receiver was in a urban canyonin San Francisco, CA. The receiver was able to acquireonly three satellites. Fortunately, the three satelliteswere visible to the other SiGe receiver in Urbana, IL.

To sum up, the low-cost front-end and antenna combinationhas SNRs 4.5–6dB lower than its high-cost counterpart.

Experiment 1: 3000 kilometers apart, one receiver in urbancanyon

The first data set was collected on 27 March 2014. As shownin Fig. 3, one SiGe receiver was in a urban canyon in SanFrancisco, CA with open sky to the south east. The otherreceiver was in Urbana, IL with a clear view of the sky.Two receivers were approximately 3000 kilometers apart.Both receivers were static. The San Francisco receiver wasable to track three satellites, although the SNRs were low.Fortunately, the Urbana receiver was able to see all the threesatellites tracked by the San Francisco receiver.

We performed cross-correlation of the P(Y) snippets gen-erated from the data set. The snippets are normalized, i.e.,Λ2

1 + σ21 = Λ2

2 + σ22 = 1. The correlation shows that the

estimate of Λ1Λ2 is 0.00507, with a 95% confidence interval(0.00481,0.00534). Fig. 4 shows the pair-wise check perfor-mance curves calculated by (12) and (13) for snippet lengthT = 105, 4× 105, 7× 105, and 106. Due to the relatively lowSNR, even when T = 106, probability of spoofing detectionerrors α + β are on the order of 10−2. This experimentshows that it is possible, although not preferable, to usereceivers in urban canyons for cooperative authentication.This experiment also shows that low-cost receivers can beused as cross-check receivers even though their SNRs maybe several dBs lower than high-cost reference receivers.

Experiment 2: 22 kilometers apart, one moving receiver

The second data set was collected on 3 April 2014. OneSiGe receiver was on a car moving at roughly 45 miles perhour in Rantoul, IL. The other receiver was in Urbana, IL.Two receivers were approximately 22 kilometers apart. Bothreceivers had a clear view of the sky. Ten satellites were

10−4

10−3

10−2

10−1

100

10−4

10−3

10−2

10−1

100

Prob. of false alarm α

Pro

b. o

f mis

sed

dete

ctio

n β

T = 105

T = 4×105

T = 7×105

T = 106

Figure 4. Experiment 1 (3000 kilometers apart, one receiver inurban canyon): Pair-wise check performance curves fornumber of snippet samples T = 105, 4 × 105, 7 × 105,and 106.

10−15

10−10

10−5

100

10−15

10−10

10−5

100

Prob. of false alarm α

Pro

b. o

f mis

sed

dete

ctio

n β

T = 105

T = 4×105

T = 7×105

T = 106

Figure 5. Experiment 2 (22 kilometers apart, one moving re-ceiver): Pair-wise check performance curves for numberof snippet samples T = 105, 4 × 105, 7 × 105, and 106.

visible to both receivers, and 8 of them were tracked by bothreceivers.

We performed similar cross-correlation as done in Experi-ment 1. The correlation shows that the estimate of Λ1Λ2 is0.01334, with a 95% confidence interval (0.01265,0.01403).Fig. 5 shows the pair-wise check performance curves calcu-lated by (12) and (13) for snippet length T = 105, 4 × 105,7 × 105, and 106. Due to the relatively high SNR, whenT = 4 × 105, probability of spoofing detection errors α + β

are on the order of 10−5. In comparison to Experiment 1,this experiment shows that pair-wise check performance issensitive to spatial conditions (e.g., urban canyon or openspace), and insensitive to transport modes (e.g., static or

moving). This observation agrees with (12) and (13), whichshow that SNR significantly affects pair-wise check perfor-mance.

CONCLUSION

This paper has presented a GPS signal authentication ar-chitecture that relies on a network of cooperative, low-costreceivers. Given the availability of numerous mobile de-vices with GPS and communication capability today, it ispractical to build a cooperative authentication system basedon these existing mobile devices. In out architecture, the en-crypted military GPS signals are sampled by a user receiverand several ad-hoc cross-check receivers at the same time.The samples from the user receiver and each cross-checkreceiver are cross-correlated in order to detect spoofing at-tacks. The spoofing detection results from all cross-checkreceivers are aggregated to reach the final decision of theauthenticity of the signal received by the user receiver. Thispaper has described a candidate structure to implement thisconcept.

Furthermore, this paper has validated the concept througha theoretical analysis. The analysis shows that SNR signif-icantly affects pair-wise check performance, and the finalauthentication performance improves exponentially withincreasing number of cross-check receivers.

We have conducted two field experiments to evaluate pair-wise check performance in different spatial conditions (ur-ban canyon and open space) and different transport modes(static and moving). The experiments shows that pair-wisecheck performance is sensitive to spatial conditions, butinsensitive to transport modes.

REFERENCES

[1] GPS Wing, Interface Specification IS-GPS-200E, Jun.2010.

[2] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W.O’Hanlon, and J. Kintner, Paul M., “Assessing thespoofing threat: Development of a portable GPS civil-ian spoofer,” in Proceedings of the 21st InternationalTechnical Meeting of the Satellite Division of the Insti-tute of Navigation (ION GNSS 2008), Savannah, GA,Sep. 2008, pp. 2314–2325.

[3] X. Jiang, J. Zhang, B. J. Harding, J. J. Makela, andA. D. Domínguez-García, “Spoofing GPS receiverclock offset of phasor measurement units,” IEEETransactions on Power Systems, vol. 28, no. 3, pp.3253–3262, 2013.

[4] J. S. Warner and R. G. Johnston, “A simple demon-stration that the Global Positioning System (GPS) isvulnerable to spoofing,” Journal of Security Adminis-tration, vol. 25, no. 2, pp. 19–27, 2002.

[5] J. Krumm and K. Hinckley, “The NearMe wirelessproximity server,” in UbiComp 2004: UbiquitousComputing, ser. Lecture Notes in Computer Science,N. Davies, E. Mynatt, and I. Siio, Eds. SpringerBerlin Heidelberg, 2004, vol. 3205, pp. 283–300.

[6] Y. Bardout, “Authentication of GNSS position: Anassessment of spoofing detection methods,” in Pro-ceedings of the 24th International Technical Meetingof the Satellite Division of the Institute of Navigation(ION GNSS 2011), Portland, OR, Sep. 2011, pp. 436–446.

[7] S. Daneshmand, A. Jafarnia-Jahromi, A. Brouman-don, and G. Lachapelle, “A low-complexity GPS anti-spoofing method using a multi-antenna array,” in Pro-ceedings of the 25th International Technical Meetingof the Satellite Division of the Institute of Naviga-tion (ION GNSS 2012), Nashville, TN, Sep. 2012, pp.1233–1243.

[8] D. Borio, “Panova tests and their application to GNSSspoofing detection,” IEEE Transactions on Aerospaceand Electronic Systems, vol. 49, no. 1, pp. 381–394,2013.

[9] M. Pini, M. Fantino, A. Cavaleri, S. Ugazio, and L. L.Presti, “Signal quality monitoring applied to spoofingdetection,” in Proceedings of the 24th InternationalTechnical Meeting of the Satellite Division of the In-stitute of Navigation (ION GNSS 2011), Portland, OR,Sep. 2011, pp. 1888–1896.

[10] D. M. Akos, “Who’s afraid of the spoofer? GPS/GNSSspoofing detection via automatic gain control (AGC),”NAVIGATION, vol. 59, no. 4, pp. 281–290, Winter2012.

[11] V. Dehghanian, J. Nielsen, and G. Lachapelle, “GNSSspoofing detection based on receiver C/No estimates,”in Proceedings of the 25th International TechnicalMeeting of the Satellite Division of the Institute ofNavigation (ION GNSS 2012), Nashville, TN, Sep.2012, pp. 2878–2884.

[12] F. Dovis, X. Chen, A. Cavaleri, K. Ali, and M. Pini,“Detection of spoofing threats by means of signal pa-rameters estimation,” in Proceedings of the 24th Inter-national Technical Meeting of the Satellite Division ofthe Institute of Navigation (ION GNSS 2011), Portland,OR, Sep. 2011, pp. 416–421.

[13] L. Scott, “Anti-spoofing & authenticated signal archi-tectures for civil navigation systems,” in Proceedingsof the 16th International Technical Meeting of theSatellite Division of The Institute of Navigation (IONGPS/GNSS 2003), Portland, OR, Sep. 2003, pp. 1543–1552.

[14] S. Lo, D. D. Lorenzo, P. Enge, D. Akos, and P. Bradley,“Signal authentication: A secure civil GNSS for today,”Inside GNSS, Sep. 2009.

[15] M. L. Psiaki, B. W. O’Hanlon, J. A. Bhatti, D. P. Shep-ard, and T. E. Humphreys, “GPS spoofing detectionvia dual-receiver correlation of military signals,” IEEETransactions on Aerospace and Electronic Systems,vol. 49, no. 4, pp. 2250–2267, Oct. 2013.

[16] K. Wesson, M. Rothlisberger, and T. E. Humphreys,“Practical cryptographic civil GPS signal authentica-tion,” NAVIGATION, vol. 59, no. 3, pp. 177–193, Fall2012.

[17] C. J. Wullems, “A spoofing detection method for civil-ian L1 GPS and the E1-B Galileo safety of life service,”IEEE Transactions on Aerospace and Electronic Sys-tems, vol. 48, no. 4, pp. 2849–2864, 2012.

[18] T. E. Humphreys, “Detection strategy for crypto-graphic GNSS anti-spoofing,” IEEE Transactions onAerospace and Electronic Systems, vol. 49, no. 2, pp.1073–1090, 2013.

[19] M. G. Kuhn, “An asymmetric security mechanism fornavigation signals,” in Proceedings of the 6th inter-national conference on Information Hiding (IH’04),Toronto, Canada, 2004, pp. 239–252.

[20] B. W. O’Hanlon, M. L. Psiaki, T. E. Humphreys, andJ. A. Bhatti, “Real-time spoofing detection using cor-relation between two civil GPS receiver,” in Proceed-ings of the 25th International Technical Meeting of theSatellite Division of the Institute of Navigation (IONGNSS 2012), Nashville, TN, Sep. 2012.

[21] L. Heng, D. B. Work, and G. X. Gao, “Coopera-tive GNSS authentication: Reliability from unreliablepeers,” Inside GNSS, vol. 8, no. 5, pp. 70–75, Sep.2013.

[22] ——, “GPS signal authentication from cooperativepeers,” IEEE Transactions on Intelligent Transporta-tion Systems, Apr. 2014, submitted.

[23] C. Kaufman, R. Perlman, and M. Speciner, NetworkSecurity: Private Communication in a Public World.Prentice Hall PTR, 2002.

[24] W. Hoeffding, “Probability inequalities for sums ofbounded random variables,” Journal of the AmericanStatistical Association, vol. 58, no. 301, pp. 13–30,1963.