overview of spatial processing approaches for gnss ... · time of the victim user. due to the...
TRANSCRIPT
1
Overview of Spatial Processing Approaches for GNSS Structural Interference Detection and Mitigation
Ali Broumandan, Ali Jafarnia-Jahromi, Saeed Daneshmand, Gérard Lachapelle
Position Location and Navigation (PLAN) Group
University of Calgary
[email protected], [email protected], [email protected], [email protected]
Abstract— GNSS-dependent positioning, navigation and timing synchronization procedures
have a significant impact on everyday life. Thus, such an extensively used system progressively
become an attractive target for illegal exploitation and attacks. Position and timing solutions
provided by GNSS receivers can be threatened by structural interference such as spoofing
threats. This paper provides an overview of recent research work on GNSS signal authentication
utilizing spatial processing methods. Different spatial processing approaches for spoofing
detection, classification and mitigation are characterized and compared. Three different
processing methods, namely antenna array processing, moving receiver and cloud based
spoofing countermeasure are analyzed in details. The benefits and disadvantages of each are
discussed.
I. Introduction
Spoofing and meaconing are structural wideband intentional interference which misdirect
target Global Navigation Satellite System (GNSS) receivers into generating fictitious position
and/or timing solutions [1]-[2]. Meaconing is a replayed version of a recorded genuine GNSS
signal whereas spoofing is a fake signal that is designed to mimic the authentic signal’s structure
[3]. Under a spoofing or meaconing attack, a receiver provides position and timing solutions with
good signal quality measures. However, the solutions do not represent the actual location or
time of the victim user. Due to the widespread use of civilian GNSS dependent systems,
motivation has increased to spoof GNSS signals for scores of illegal activities. Therefore,
spoofing is becoming a more serious type of threat for future applications and this necessitates
proper countermeasures [4]-[6]. Many research groups have been involved in the vulnerability
analysis of GNSS to spoofing attack (e.g. [1],[2],[6],[7],[8]).
© 2016 IEEE. This material is posted here with permission of the IEEE. Internal or personal use of this material is
permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating
new collective works for resale or redistribution must be obtained from the IEEE by writing to [email protected].
2
Spoofing countermeasure methods analyze specific features of spoofing signals that make
them different from authentic ones. Anti-spoofing techniques can be generally divided into three
main categories, namely spoofing detection, authentic/spoofing signal classification and spoofing
mitigation. Spoofing detection algorithms focus on detecting the presence of spoofing attacks [9],
authentic/spoofing signal classification methods are intended to distinguish between spoofing
and authentic signals, and spoofing mitigation techniques aim to neutralize the spoofing threat
and to recover the positioning and timing capabilities [3]. Several anti-spoofing techniques based
on single-antenna processing have been proposed. Amplitude discrimination [10],[11],[12], time-
of-arrival (TOA) discrimination [13], solution consistency cross-check with inertial measurement
units (IMU) [14], polarization discrimination [15], spatial processing based spoofing
discrimination [16], position deviation [17], signal quality monitoring [18] and cryptographic
authentication [19] are some of the most current spoofing detection techniques. Many single
receiver spoofing countermeasure techniques rely on power level monitoring of the received
GNSS signals in order to detect spoofing pseudo random number (PRN)s. In [10] the presence
of high power spoofing signals is detected based on their abnormally high carrier-to noise ratio
(C/N0) values. [20] monitors the receiver automatic gain control (AGC) level as a mean of
detecting high power spoofing attacks. A pre-despreading spoofing detection method that
checks for the excessive structural power content of received GNSS signals is proposed in [21].
Spoofing countermeasures using spatial processing is one of the most powerful techniques
developed. Most spatial processing methods rely on the assumption that the spoofing source is
a single-antenna source transmitting several PRNs [1],[3]. Spatial processing can be
implemented to analyze the spatial signature of the received signals and discriminate spatially
correlated signals (e.g. [7]). These methods can be divided into three groups, namely antenna
array, moving receiver and network/cloud based processing.
The receiver structure in the antenna array case consists of several antennas each connected
to a separate radio frequency (RF) down-conversion channel and digitizer unit in a phase
coherent mode usually utilizing a single oscillator [7]. The antenna elements separation in such
cases is about half of the carrier wavelength and the antenna array is considered a single
receiver unit for a specific application [7].
Some spatial processing methods are proposed to take advantage of the receiver motion to
detect spoofing attacks and discriminate such signals. The hardware complexity of these
techniques is much lower than that of the multi-antenna technique. In such cases, the spoofing
3
countermeasure methods operate based on employing a single moving antenna to detect and
classify the spoofing signals.
Network or cloud based GNSS signal authenticity verification methods consist of spatially
distributed GNSS receivers operating in a nearby region [22]. The receivers in these cases are
not physically connected and they are operating independently [23]. It is assumed that there is a
communication link among the receivers where each one can have access to low-rate GNSS
measurements of the others or where all receivers transmit their measurements to a
central/cloud-based processing station. The measurements can then be analyzed to detect and
classify spoofing PRNs [23].
In Section II signal authentication using antenna array processing is discussed. Section III
discusses signal authentication utilizing a moving antenna receiver. In Section IV, network based
spoofing detection and mitigation is provided. Summary and conclusions are provided in Section
V.
II. GNSS Signals Authentication using Antenna Array Processing
A receiver equipped with an antenna array can employ spatial filtering techniques in order to
shape its reception beam pattern. This type of receivers can steer a null toward the spoofing
source and suppress its destructive effect [24]. Antenna array processing to mitigate spoofing
attacks can be implemented at the pre-despreading or post-despreading stage of a GNSS
receiver. In the following the pros and cons of each implementation approach are discussed.
a) Pre-despreading spoofing mitigation:
Assume a spoofing attack scenario where a single source transmitter propagates several high
bogus PRNs. A low computational complexity multi-antenna spoofing mitigation method that is
able to spatially filter out the spoofing signals has been proposed in [7]. This method cross-
correlates the baseband samples from different antennas in order to form a spatial correlation
matrix and extract the spatial signature of high power spoofing signals. All these operations are
performed on the digitized baseband samples before the despreading process. The steering
vector corresponding to the spoofing signals can be extracted since all of the spoofing signal
energy is coming from the same spatial sector. This type of spoofing mitigation approach
considers the spoofing source as a wideband interference signal and successfully mitigates the
spoofing source. The pre-despreading approach toward spoofing detection and mitigation is a
power minimization problem [25]. Considering the fact that several spoofing PRNs impinge on
4
the antenna array from the same direction, it can be observed that their power outputs are added
constructively from a specific spatial sector. In other words, the spatial power density of the
spoofing signals is considerably higher than that of the authentic signals. The spatial correlation
matrix of the received signal can be written as
2 2H
vσ σ≈ +R a a I (1)
in which 2
vσ is the total power of the spoofing signal, a is the one column steering-vector of
spoofing signals and 2σ is the noise variance. Here it is assumed that the authentic signals are
buried under the noise floor. To estimate the spoofing sub-space or equivalently the spoofing
steering vector a , one can employ Eigen value decomposition of the correlation matrix R as
[ ]2 2
2
0
0
H
v
H
σ σ
σ
+≈
bR b U
U (2)
where b is the Eigen vector corresponding to the largest eigenvalue of R , U is the vector of
eigenvectors corresponding to the noise-plus-authentic signals subspace. Hence, projecting the
received signal into the reduced-rank spoofing free subspace H=P U mitigates the spoofing
signals [16]. This projection may cause attenuation for those authentic signals located in or close
to the nulls of the antenna beam pattern [9]. One of the advantages of this method is that it does
not require array calibration and its computational complexity is low. Figure 1 shows the block
diagram of the pre-despreading spoofing detection and mitigation approach. Digitized baseband
samples from a multiple-channel synchronized front-end are passed to the null-steering unit
where the weights to suppress a spoofing signals are calculated. The output of the null-steering
unit is baseband spoofing free complex samples that are passed to a conventional receiver
acquisition and tracking module. One may use an up-convertor and digital-to-analog convertor to
provide analog spoofing free GNSS signals at the GNSS frequency bands. Hence, the multi-
antenna front-end, null-steering unit and up converter can be formed as a single inline anti-
spoofing unit, which can be easily connected to any receiver to protect it from spoofing and
jamming signals without the need to modify the receiver structure.
5
Figure 1: Pre-despreading spoofing mitigation (MSR: Measurements, PVT: Position, Velocity and Time )
b) Post-despreading spoofing mitigation:
In post-despreading antenna-array based spoofing mitigation methods the despreading and
accumulation process are applied to each digitized baseband antenna samples. Figure 2 shows
the post-despreading spoofing detection and mitigation block diagram. The output baseband
samples from different front-end channels are first fed to the acquisition engine to detect
available signals including spoofing and authentic signals. The acquisition routine in this case is
modified to detect all the peaks above the detection threshold and passes all the initial code
phases and Doppler frequencies to the tracking unit. The despread samples of different detected
signals are then fed to the steering vector estimation unit. The spoofing detection unit correlates
the estimated steering vectors of all detected signals [26]. High correlation among estimated
steering vectors indicates that the signals are transmitted from a single source. The estimated
steering vector then is passed to the classification and weight calculation unit. The output of the
weight calculation unit is then forwarded to the beamforming and null-steering module. The
output of the beamforming/null-steering module is a single channel spoof free signal used to
calculate GNSS measurements for different PRNs.
6
Figure 2: Post-despreading spoofing detection and mitigation (MSR: Measurements, PVT: Position, Velocity and Time )
For the post-despreading spoofing detection and mitigation method, two cases are discussed
here.
- Un-calibrated antenna array: It is assumed that the antenna array is not calibrated. More
specifically the relative phase and gain of the antenna elements are unknown and the
orientation of the array is not known. After tracking all spoofing and authentic signals, the
spoofing detection module correlates the array responses (steering vector) of different
signals. The spoofing signals sourced from a single antenna have the same spatial
signature, which means that all the PRNs experience the same channel parameter
variation in the spatial domain. This can be used as a metric to detect a spoofing attack
and classify spoofing and authentic signals. In [27] a method based on estimating the
steering vector of each PRN and subsequently discriminating authentic and spoofing
signals based on their spatial signature is proposed. The spoofing classification unit places
all signals with the same spatial signature in the spoofing group. After spoofing detection
and classification the array places nulls in direction of the spoofing signals. Since this
method is implemented in the post-despreading stage, it imposes more processing power
to the receiver and requires some modification to acquisition and tracking units compared
to the pre-despreading method. Thus this method cannot be implemented as an in-line
module. In this case, the same as pre-despreading spoofing detection and mitigation,
spatial filtering beampattern may unintentionally distort the authentic signals. This is due to
the fact that the array is not calibrated and the receiver orientation is not known. However,
7
for those applications in which the authentic signal attenuation is not tolerable, the spatial
filtering method can be extended to maximize signal-to-noise ratio (SNR) for individual
authentic PRNs as proposed in [28].
- Calibrated antenna array: Here it is assumed that the relative phase of the baseband
samples from different antennas for a given signal is related to the direction of arrival of
that signal and the antenna array orientation is known. This is the most sophisticated
approach to detect a spoofing attack, classify spoofing and authentic signals and eventually
mitigate the spoofing signals. In this scenario, the single antenna spoofer source
assumption can be relaxed. Thus, a multi-antenna spoofing attack can be detected and
mitigated as long as the spoofing transmitters do not have the same directions of arrival as
those of the authentic signals. In addition, the satellites almanac information is available
where the approximate Direction of Arrival (DoA) of each satellite can be determined.
Considering this, after capturing signal samples and the despreading process, the receiver
estimates the DoA of each signal and compares it to the predetermined value; deviation
indicates spoofing or multipath signal existence.
To demonstrate the effectiveness and performance of the antenna array based spoofing
mitigation method discussed earlier, an illustrative simulation employing GPS L1 Coarse
Acquisition (C/A) signals is provided herein. The average power of the authentic signals and
noise are -158 dBW and -203 dBW respectively [29]. All spoofing signals are transmitted from
the same direction with a 3 dB power advantage compared to the authentic signals. A circular
antenna array with six elements and half wavelength spacing is used. Figure 3 shows the beam
pattern of the antenna array for a single source spoofer. The location of the authentic and
spoofing signals are also shown. Figure 3a shows the antenna array beam pattern employing
the pre-despreading method. This method successfully nullifies the spoofing source located at
azimuth and elevation (250˚, 20˚). However, since the authentic signal steering vector is not
used in the filter design the authentic signal located at azimuth and elevation (200˚, 75˚) is highly
attenuated. Figure 3b shows the antenna array beampattern after despreading the authentic
signal. This spatial filter not only places a deep null in the direction of the spoofing signals but
also maximizes SNR for the authentic PRN case.
8
Figure 3: Antenna array beampattern a) pre-despreading, b) PRN 1 post-despreading
Figure 4 shows the average SNR values of the authentic and spoofing signals for a single
antenna and antenna array processing as a function of the average input spoofing power. The
authentic average SNR (black curve) does not significantly decrease when the average spoofer
power is below the authentic signals power (-160 dBW). However, when the average spoofer
power suppresses that of the authentic signals, the authentic signals’ SNR decreases as the
input spoofing power increases. This is due to an increase in the cross correlation terms caused
by the higher power spoofing signals. The SNR of the spoofing signals before null-steering (red
curve) increases as the power of the spoofing PRNs increases. It is observed that as the
spoofing power increases, the average SNR of the authentic signals after beamforming utilizing
pre-despreading (blue curve) and post-despreading (purple curve) remains constant, which
means that the null-steering method successfully cancels the spoofing signals. The post-
despreading average SNR is higher than that of the pre-despreading method. This is because in
the post-despreading case the antenna main beampattern is oriented to the direction of arrival of
each PRN to maximize the SNR output of the spatial filter. In the pre-despreading case the
spatial filter does not have any knowledge of the location of each PRN and hence in some cases
unintentional attenuation on authentic PRNs may occur. The spoofing SNR after mitigation when
the average spoofing power is in the range of -170 dBW to -160 dBW initially increases. This is
due to the fact that the average spoofing power is below the authentic signals power level and
consequently there is no well-defined eigenvector associated with the spoofing source direction.
In this spoofing power range the SNR values of the authentic signals are not affected by
Authentic
Spoofing Spoofing
Authentic
a) b)
9
spoofing signals. When the average spoofing power exceeds -160 dBW the spoofing signal SNR
decreases significantly.
Figure 4: Authentic and spoofing average SNR values after and before null-steering
Table 1 compares different features of the antenna array anti-spoofing methods.
Table 1: Summary of array processing based anti-spoofing techniques
Anti-Spoofing Method
Spoofing Feature
Pros Cons Receiver Required Capability
Pre-despreading
Single Antenna,
numerous PRNs
Low complexity, efficient for both
jamming and spoofing mitigation, in-line anti spoofing
application
To be effective requires several spoofing signals,
may reduce power of authentic signals
Eigen analyses on baseband samples
Post-despreading, array is not calibrated
Single Antenna
Effective in low power spoofing
cases with limited number of spoofing
signals, SNR maximization can be implemented
Higher complexity
compared to the pre-despreading
method
Despreading all the channels, higher number of
correlators
Post-despreading,
array is calibrated
Single/Multiple Antenna
Can handle multi-antenna
spoofing attack, beamforming and
null-steering
Higher complexity
compared to non-calibrated case
Array calibration,
attitude determination, DoA estimation
-170 -160 -150 -140 -130-30
-20
-10
0
10
20
30
Average Spoofing Power (SP) [dBW]
SN
R [dB
]
Spoofing before mitigation
Spoofing after mitigation
Auth pre-despreading
Auth post-despreading
Auth before mitigation
10
III. GNSS Signals Authentication using Antenna Motion
Consider a single source spoofing attack where all fake GNSS signals are transmitted from a
single antenna; the receiver motion can be used to detect spoofing and classify authentic and
spoofing signals [6]. The difference between a single moving antenna and the antenna array is
that in the moving antenna case the receiver takes spatial samples sequentially over a time
period, whereas in the antenna array case all of the spatial samples are taken at the same time.
Utilizing antenna motion to detect spoofing attack and classify them can be implemented in
different layers of the GNSS receiver architecture, as will be discussed later. Figure 5 shows the
receiver motion scenario in the presence of a spoofing source where sP and uP are the spoofer
and user locations.
Figure 5: Receiver motion in the presence of spoofing signals
- Spoofing detection and classification at the tracking level:
If the spoofing signals are transmitted from a single source, the propagation channel is
common to all spoofing PRNs and as such the spoofing signals amplitude, phase and Doppler
variations are highly correlated. This characteristic of the spoofer signal is independent of the
propagation environment (e.g. line of sight (LOS), non-line of sight) and can be used to detect
and classify the spoofing signals. In [30] a spoofing detection technique that takes advantage of
a moving antenna is proposed. This technique is based on the fact that all spoofing PRNs
experience the same propagation path and therefore, their corresponding amplitude and phase
variations are highly correlated; this correlation can be detected by changing the channel
Spoofer
[ ]0u
P
sP
[ ]0su
ρ
[ ]1u
P
[ ]ukP
[ ]uNP [ ]1
suρ
[ ]sukρ
[ ]suNρ
RXRX
RX
RX
[1]u
∆P
[ ]u
k∆P
[ ]u
N∆P
11
response based on receiver antenna motion. If the spoofer only transmits one PRN a moving
receiver cannot detect the spoofing signal. However, a single spoofing PRN is not effective and
can be easily discarded in the navigation process. Although these techniques can successfully
detect spoofing signals radiated from a single antenna transmitter, they do not provide any
capability toward discarding the spoofing signals. [31] and [32] have proposed spoofing
classification methods that employ a single antenna handheld receiver moving along a random
trajectory. The received signals’ amplitude and phase corresponding to different signals are
continually compared to each other using a correlation coefficient metric. The highly correlated
signals are then categorized as spoofing PRNs. This approach is further extended by [6] in order
to incorporate a rapid antenna motion to discriminate spoofing attacks. In the method of [31] a
standard correlation coefficient is utilized to measure the correlation between different PRNs’
parameters as the spoofing detection metric. The correlation coefficient between signal
parameters of PRN i and PRN j is defined as
.
H
i j
ijH H
i i j j
E
E Eρ
=
x x
x x x x (3)
where i
x is signal parameters for PRN i.
Figure 6 shows the block diagram of the spoofing classification method based on a moving
antenna. The acquisition engine detects all signals above the detection threshold and passes all
the signals to the tracking unit. The tracking unit tracks all of the detected signals including the
spoofing and authentic ones and forwards the signal parameters to the spoofing detection and
classification unit. Signal parameters used to detect and classify the spoofing signals include
signal amplitude (C/N0), phase and Doppler frequency [6]. Existence of high correlation between
two signal parameters indicates a spoofing attack. The receiver places the signals with a high
correlation value in the spoofing group. The accuracy of the spoofing detection and classification
method utilizing the antenna motion is a function of the signal parameter estimation accuracy,
the receiver motion pattern, user velocity and the receiver oscillator stability.
12
Figure 6: Block diagram of spoofing classification in the tracking level using a moving antenna
To demonstrate the effectiveness of this method test measurements have been performed by
combining authentic signals received from a rooftop antenna with spoofing signals radiated from
an indoor directional antenna and received by a spatially translated single antenna. Figure 7
shows the data collection scenario.
Start
No Yes
Spoofing PRN Set
Monitor signal parameters
Evaluate Correlation Coefficients
Highly Correlated?
AuthenticPRN Set
Position solution
Position solution
Interchange PRN set
members
Track all signals above a threshold
13
Figure 7: Data collection scenario under spoofing attack
In this test, a hardware simulator output has been used as a spoofing generator, which is
radiated indoor with a controlled power level. The test results for Doppler variation due to the
user motion are shown in Figure 8. It is clear from Figure 8.a that the Doppler variation plots in
the case of the authentic signals are not correlated. This is not happening in the case of the
spoofing signals sourced from a single transmitter. As shown in Figure 8.b the Doppler variation
due to the receiver motion is highly correlated among different PRNs, which has been used to
detect and classify the spoofing signals.
14
Figure 8: Doppler variations, a) authentic, b) spoofing
- Spoofing Detection at Navigation level:
This section focuses on detecting the presence of spoofing signals employing position level
observables of a moving receiver. In [35] a position solution authenticity verification technique
based on the clock bias variation analysis of a moving receiver was proposed. In the spoofing
case the receiver clock bias variation is highly correlated with the receiver motion and this could
be used to detect a spoofing attack. This work was extended by [36] in order to use the
estimated Allan Variance of the receiver clock bias to detect spoofing signals. The moving
antenna techniques work effectively even in multipath environments since all the spoofing
signals experience the same propagation path and they are all similarly affected by multipath
reflections. However, a stable clock source is required for their proper operation. In [3] and [35] it
is shown that relative motion between the spoofer and receiver imposes a variable bias in the
clock bias measurements of the receiver and this bias can be utilized to reveal the presence of
the spoofer. More specifically, the relative clock bias changes in time become a function of the
1 2 3 4 5
-5
0
5
10
Time (s)
Do
pp
ler
(Hz)
b) Spoofing
PRN 6
PRN 25
PRN 26
PRN 28
PRN 21
1 2 3 4 5
-5
0
5
10
Do
pp
ler
(Hz)
a) Authentic
PRN 20
PRN 23
PRN 31
PRN 25
PRN 14
15
receiver velocity (receiver speed and motion pattern). In [35] a spoofing detection technique
based on time solution analysis of the moving receiver was discussed. The proposed technique
is based on the correlation of the clock bias solution with the receiver motion. Different motion
scenarios including known arbitrary, circular, random walk, constant speed linear and completely
unknown motion were considered. The presence of a spoofer can be detected if the clock bias
deviates considerably from its prediction. The detection performance varies depending on the
level of receiver trajectory’s knowledge, clock stability and clock model accuracy.
If the spoofer and target receiver are not co-located on a single platform, the relative motion
between the spoofing source and user does not change position and velocity solutions. This is
due to the fact that all spoofed PRNs share the same propagation channel, hence changes in
distance of a receiver from the spoofer source do not change the position and velocity solutions.
However, the clock bias of the spoofing measurements is a function of the receiver-spoofer
Euclidean distance. A simplified pseudorange model can be written as [35]
ˆ:
ˆ ˆˆ ˆ. . .t Tu su TS
Specific to PRN C Common among all PRNs
P c d c d c dρ ρ η= + + + − +14243 144424443
(4)
where ρ is the fake range between the spoofer generated counterfeit position and the GNSS
satellite, ˆtd is the timing error corresponding to the counterfeit satellite, Tud is the user clock
error and ρsu is the physical range between the spoofer and the receiver antenna. TSd shows a
deliberate time advance that might be added to the spoofer’s transmit signal in order to
compensate for the propagation delay between the spoofer antenna and the target receiver
antenna plus the spoofer clock bias. c is the speed of light in vacuum and η represents other
error sources such as ambient noise and multipath. C defined in Equation 4 is common among
all PRNs, hence it will be resolved in the clock bias of the position, velocity and time (PVT)
solution of the spoofing signals. It is observed that clock bias measurements of the spoofed PVT
solutions contain the range information from the spoofer to the target receiver(s). Figure 9 shows
the clock bias variation due to the circular hand-held antenna motion in a horizontal plane for the
spoofing and authentic cases utilizing the data collection scenario shown in Figure 7. Monitoring
the clock bias variation over time can be a means to detect the spoofing attack initiated from a
single source. Table 2 compares spoofing countermeasure techniques utilizing a single moving
receiver.
16
Figure 9: Clock bias variations for the spoofing and authentic signals
Table 2: Summary of spoofing detection/classification methods based on antenna motion
Anti-Spoofing Method
Pros Cons Receiver Required Capability
Tracking level Requires a single moving antenna, detects and classifies spoofing
signals
Requires modification in
acquisition and tracking units of GNSS receivers,
detection and classification
performance is a function of the receiver
moving profile and oscillator stability
Pairwise correlation between signal parameters, Despreading all the
spoofing and authentic signals, higher number of correlators, carrier
Doppler predication
PVT level Requires a single moving antenna, low
computational complexity, can be implemented with
minimal modification in GNSS receivers
Only can detect a spoofed PVT solution,
detection performance is a function of the receiver moving profile, requires
a stable oscillator
Having access to the clock bias
variations
IV. Cloud based GNSS Signals Authentication
Cloud based GNSS spoofing authenticity verification refers to the case when several
receivers are operating in a neighborhood and share their measurements. It is assumed here
0 10 20 30 40 50 60-0.5
-0.4
-0.3
-0.2
-0.1
0
0.1
0.2
0.3
0.4
0.5
Time (s)
Clo
ck b
ias d
evia
tion fro
m first ord
er fit
(m
)
Circular Handheld Motion (Spoofed PVT)
Circular Handheld Motion (Authentic PVT)
17
that there is a low rate communication link between receivers (such as vehicle-to-vehicle
applications) or that they are sending their measurements to the cloud as shown in Figure 10.
Figure 10: Block diagram of the cloud-based anti-spoofing system
The idea of alleviating spoofing attacks based on processing several receiver measurements
is discussed in some recent research work. Authors in [34] have proposed a spoofing detection
method utilizing commercial off-the-shelf receivers by comparing the position solutions from
multiple receivers located on the same platform. The spoofing detection metric works based on
the fact that the existence of a spoofer would make the statistical relationship of the observed
positions different than it is during normal, non-spoofed operation. [37] introduces a signal
authentication architecture based on a network of cooperative receivers. A receiver in the
network correlates its received military code with those received by other receivers so as to
detect spoofing attacks.
[23] proposes a network-based anti-spoofing receiver architecture that uses spatially
distributed receivers connected to a central authenticity verification (CAV) unit. The essence of
this method is that the CAV receives simultaneous measurements from nearby receivers,
detects a spoofing attack and classifies authentic and spoofing signals. This might be the case of
driverless car navigation systems where each car transmits navigation measurements to the
CAV unit; or a network of distributed high precision receivers communicating with one or several
base stations. After spoofing detection, the proposed anti-spoofing architecture commences to
18
classify the spoofing and authentic signals. In [38] an approach based on the carrier phase
variation of multiple receivers is used to classify the signals. It is shown that the double
difference (between two receivers and two PRNs) carrier phase observations in the spoofing
case for a short receiver separation (about a km) are time-invariant, whereas in the case of the
authentic signals due to the satellite motion the relative phase difference between receivers
varies with time. This is regardless of user or spoofer motion. Hence, double differences
between carrier phase observations over time constitute a means to discriminate between
spoofing and authentic signals. Thus, the CAV unit can monitor the phase differences among
different receivers for different PRNs to detect and classify the spoofing/authentic signals. The
carrier phase observation at the ith receiver for the lth PRN signal can be written as [35]
[ ] [ ] [ ] [ ]( ) [ ] [ ] [ ]. . il l
i i i i i i
l l l l l rk k c t k T k N I k T k w kρ λΦ
Φ = + − + − + + (5)
where i
lρ is the actual range between the lth satellite and ith receiver antenna. lt and iT are the
clock errors corresponding to the lth satellite and ith receiver. i
lI and l
i
rT are ionospheric and
tropospheric delays. il
wΦ
is the noise term including range errors, receiver noise and multipath.
c and λ are the light velocity in vacuum and the carrier wavelength of GNSS signal. i
lN is an
integer number which corresponds to cycle ambiguity of the lth PRN at ith antenna and k is the
time sample. The double difference of the carrier phase measurements can be written as
,,
, , , , ,
, , , i jm l
i j i j i j i j i j
m l m l m l m lN wρ λ∇∆Φ
∇∆Φ = ∆Φ − ∆Φ = ∇∆ + ∇∆ + (6)
where ,
,
i j
m l∇∆Φ is the double carrier phase difference of the ith and jth receivers for the mth and ith
PRNs. ,i j
m∆Φ is single carrier phase difference of the ith and jth receivers for the mth PRN. ,
,
i j
m lρ∇∆
is the double difference range of the ith and jth receivers for the mth and ith PRNs and ,
,
i j
m lN∇∆ is
the double difference ambiguity cycles of the ith and jth receivers for the mth and ith PRNs. It can
be shown that the single phase difference between two receivers is a function of receivers
spacing and changes of direction of arrival of signals over time. In the case of single source
spoofing transmitter all of the PRNs have the same azimuth and elevation angles with respect to
the antenna baseline. As such, for the case that m and l are both spoofing signals, the
pseudorange double difference, ,
,
i j
m lρ∇∆ , become zero. Therefore, Equation 6 in the spoofing
scenario becomes time invariant and this does not depend on the receiver dynamics or relative
19
receiver clock drifts. However, for the case of the authentic signals, this phenomenon does not
hold since these signals are transmitted from different angles which vary independently from
each other. Therefore, spoofed PRNs can be distinguished from the authentic ones based on the
double difference of the carrier phase measurements of two or more spatially separated
antennas. The carrier phase double differences of spoofed PRNs have a zero-slope temporal
variation whereas for the case of the authentic signals a non-zero slope is visible in the carrier
phase double differences. This fact is the basis for authentic and spoofing PRN classification. A
generalized likelihood ratio test (GLRT) based detection approach has been developed in [38]
and extended in [23] to authenticate GNSS signals based on the double difference processing.
The experimental results of [39] have shown that the signal authentication time is a function of
the antenna spacing and its orientation with respect to the satellite motion. Figure 11 shows
carrier phase double differences for a 2-metre antenna separation for authentic and spoofing
signals; the carrier phase double differences in the case of spoofing signals have a zero-slope
temporal variation which is the essence of spoofing classification.
Figure 11: Double difference carrier phase measurements
V. Summary
An overview of GNSS spatial processing based signal authentication methods was provided.
The methods were categorized into three different groups, namely antenna array processing,
moving antenna and cloud based. Antenna array jammer and spoofing mitigation methods are
0 50 100 150-1
-0.8
-0.6
-0.4
-0.2
0
0.2
0.4
0.6
0.8
1
Time (s)
∆∆ ∆∆∇∇ ∇∇
ΦΦ ΦΦ1
,2
i,j
(cy
cle
s)
SpoofingAuthentic
20
the most effective countermeasure against interference signals and recently has gain more
attention in GNSS community. The antenna array system consists of several synchronized front-
ends with closely spaced antennas. A receiver equipped with an antenna array can employ
spatial filtering techniques in order to shape its beam pattern to attenuate a specific spatial
sector while providing gain at some specific angles. Antenna array processing methods can be
implemented at different operational layers of a receiver, namely pre-despreading and post-
despreading. The blind pre-despreading spoofing mitigation is an effective and low
computationally complex method. Post-despreading mitigations are effective in both low and
high power spoofing attacks. However, implementation of these methods requires some
changes in the receiver acquisition and tracking architecture. These methods can detect, classify
and mitigate the spoofing attack.
Antenna motion is another spatial processing method to detect and discriminate spoofing
attacks. In this case, the spatial samples are taken over an observation window. In the case of a
single source spoofing transmitter, the propagation channel is common among all spoofing
PRNs and hence these signals are spatially coherent at the receiver antenna; this method is
used to detect and classify spoofing attacks. The spoofing countermeasure methods based on a
moving antenna can be implemented at the tracking or navigation level of a receiver. Spoofing
countermeasure methods utilizing antenna motion can generally detect and classify the spoofing
PRNs. The performance of the methods employing the receiver motion can be improved by
incorporating the user motion pattern into the detection and classification problem. This can be
done by coupling IMU with GNSS measurements.
A cloud-based spoofing countermeasure was also introduced. This is a promising approach
for emerging technologies such as driverless car and autonomous vehicle application. This
method consists of spatially distributed receivers operating in a nearby region. The receivers in
this case are not physically connected and they are operating independently. Temporal
variations of carrier phase double differences from multiple GNSS receivers are used for
authenticity verification and measurement classification of observable GNSS signals. For the
case of authentic signals the double difference observables change based on the relative
satellite variation of azimuth and elevation angles, while this is not the case for counterfeit
signals when all PRNs are transmitted from a common source.
21
Table 3 compares advantages and disadvantages of different spatial processing based anti-
spoofing methods.
Table 3: Comparison of different GNSS spatial processing anti-spoofing methods
Anti-Spoofing Method
Analyzing metric Pros Cons
Antenna array Spatial power, steering
vector correlation
The most effective stand-alone jammer and spoofing mitigation
method, works in static and dynamic cases
Requires additional hardware, increased cost and power consumption,
calibration in some cases is required
Moving antenna Signal parameters pairwise correlation
Requires a single moving antenna, low complexity, can be
implemented with minimal modification in receivers, can
detect and classify spoofing attack
Mitigation is not performed by spatial processing.
The accuracy is a function of the receiver motion pattern and its oscillator
stability.
Cloud based Carrier phase double
difference
Low complexity in terms of software and hardware design, can detect and classify spoofing
attack
Requires a data transfer network and high power processing server to
analyze big data
22
REFERENCES
[1] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O'Hanlon and P. M. Kintner “Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer,” ION GNSS 21st. International Technical Meeting of the Satellite Division, Savannah GA, pp. 2314-2325, 16-19 September 2008
[2] B. M. Ledvina, W. J. Bencze, B. Galusha and I. Miller “An In-Line Anti-Spoofing Device for Legacy Civil GPS Receivers” Proceedings of the 2010 International Technical Meeting of The Institute of Navigation, 25-27, San Deigo CA, pp. 698-712, January 2010
[3] A. Jafarnia-Jahromi, “GNSS Signal Authenticity Verification in the Presence of Structural Interference,” PhD Thesis, Department of Geomatics Engineering, University of Calgary, September 2013.
[4] R. G. Hartman and P. Minn “Spoofing detection system for a satellite positioning system” US Patent 5557284, 1995
[5] C. E. McDowell “GPS Spoofer and Repeater Mitigation System using Digital Spatial Nulling”, US Patent 7250903 B1, 2007
[6] M. L. Psiaki, M. L., Powell, S.P., O'Hanlon, B.W., “GNSS Spoofing Detection using High-Frequency Antenna Motion and Carrier-Phase Data,” Proceedings of the 26th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2013), Nashville, TN, pp. 2949-2991, September 2013.
[7] S. Daneshmand, A. Jafarnia, A. Broumandan and G. Lachapelle “A Low-Complexity GPS Anti-Spoofing Method Using a Multi-Antenna Array” in Proceedings of ION GNSS 2012, Nashville TN, 11 pages, 17-21 September 2012
[8] T. E., D. Humphreys, Shepard, J. Bhatti, and K. Wesson “A testbed for developing and evaluating GNSS signal authentication techniques” in IEEE Transactions on Aerospace and Electronic Systems, 15 pages, 2011.
[9] P. F. Swaszek, and R. J. Hartnett “Spoof detection using multiple COTS receivers in safety critical applications” in ION GNSS+ 2013, Nashville, Tennessee, September 2013.
[10] J. Nielsen, V. Dehghanian and G. Lachapelle (2012) “Effectiveness of GNSS Spoofing Countermeasure based on Receiver CNR Measurements” International Journal of Navigation and Observations, vol. 2012, Article ID 501679, 9 pages, 2012.
[11] A. Jafarnia, A. Broumandan, J. Nielsen and G. Lachapelle “GPS Spoofer Countermeasure Effectiveness based on Using Signal Strength, Noise Power and C/N0 Observables” International Journal of Satellite Communications and Networking, vol 30, no 4, pp. 181–191, July 2012.
[12] A. Jafarnia, A. Broumandan, J. Nielsen and G. Lachapelle “Pre-Despreading Authenticity Verification for GPS L1 C/A Signals,” NAVIGATION, Journal of The Institute of Navigation, Vol. 61, Issue 1, pp 1-11, 2014.
[13] , S. L. Cho, M. Y. Shin, S. Lim, D. H. Hwang, S. J. Lee, and C. Park “Design of a TOA-based Anti-Spoofing Method for GPS Civil Signal” ION GNSS PNT symposium 2008
[14] P. F. Swaszek , S. A. Pratz, B. N. Arocho, K.C. Seals, and R. J. Hartnett “GNSS Spoof Detection Using Shipboard IMU Measurements” ION GNSS+ 14, Tampa, FL,745 – 758, September 8-12, ,2014, pp
[15] E. McMilin, D. S. De Lorenzo, T. Walter, T. H. Lee, and P. Enge “Single Antenna GPS Spoof Detection that is Simple, Static, Instantaneous and Backwards Compatible for Aerial Applications” Proc. ION GNSS+ 2014, Tampa, FL, Sept. 9-12 2014.
[16] S. Daneshmand, A. Jafarnia Jahromi, A. Broumandan, J. Nielsen and G. Lachapelle “GNSS Spoofing Mitigation in Multipath Environments Using Space-Time Processing,” Proceedings of the European Navigation Conference (ENC2013), Vienna, 23-25 April 2013.
[17] J. C. Juang “Analysis of global navigation satellite system position deviation under spoofing,” IET Radar, Sonar & Navigation vol.3, No. 1, pp. 1-7, February 2009
[18] E. G. Manfredini, F. Dovis, and B. Motella “Validation of a signal quality monitoring technique over a set of spoofed scenarios” 7th ESA Workshop on Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), pp. 1-7, 2014.
[19] T. E. Humphreys “Detection strategy for cryptographic GNSS anti-spoofing,” IEEE Transactions on Aerospace and Electronic Systems, vol. 49 issue 2, pp. 1073-1090, 2013.
[20] D. M. Akos, “Who’s Afraid of the Spoofer? GPS/GNSS Spoofing Detection via Automatic Gain Control (AGC),” Jounral of Navigation, vol. 59, No. 4, Winter, Institute of Navigation, pp. 281-290, 2012.
[21] A. Jafarnia-Jahromi, A. Broumandan, J. Nielsen and G. Lachapelle “Pre-Despreading Authenticity Verification for GPS L1 C/A Signals” NAVIGATION, Journal of The Institute of Navigation, Vol. 61, Issue 1, pp 1-11, 2014.
23
[22] L. Scot “J911: The Case for Fast Jammer Detection and Location Using Crowdsourcing Approaches,” proceedings of ION-GNSS-2011, September 20-23, 2011
[23] A. Broumandan, A.Jafarnia-Jahromi, S. Daneshmand, and G. Lachapelle “A Network-based GNSS Structural Interference Detection, Classification and Source Localization,” proceeding of ION GNSS+2015 , Tampa Florida, September 2015.
[24] Y. Guo, M. Fan, and M. Kong “Spoofing interference suppression using space-time process for GNSS receiver,” International Congress on Image and Signal Processing (CISP), Sichuan, China, pp. 1537-1541, Oct 16-18 2012
[25] M. D. Zoltowski, and A. S Gecan “Advanced adaptive null steering concepts for GPS”, Military Communications Conference, MILCOM 95, IEEE, San Diego, CA, USA, , pp. 1214-1218, 5-8 November 1995
[26] C.E. McDowell “GPS Spoofer and Repeater Mitigation System using Digital Spatial Nulling” US Patent 7250903 B1, 7 pages 2007
[27] Meurer, M., A. Konovaltsev, M. Cuntz, C. Hättich “Robust Joint Multi-Antenna Spoofing Detection and Attitude Estimation using Direction Assisted Multiple Hypotheses RAIM,” Proceedings of the 25th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2012), Nashville, TN, pp. 3007-3016, September 17-21, 2012
[28] S. Daneshmand; A. Jahromi, A. Broumandan and G. Lachapelle “A GNSS structural interference mitigation technique using antenna array processing” IEEE Sensor Array and Multichannel Signal Processing Workshop (SAM), Coruna, Spain, pp. 109-112, 22-25 June 2014
[29] IS-GPS-200G: Global Positioning System Directorate, Systems Enginerring & Integration, Interface Specification, Navstar GPS Space Segment/Navigation User Interfaces Rev G, 2012.
[30] M. L. Psiaki, B. W. O’Hanlon, J. A. Bhatti, D. P. Shepard, and T. E. Humphreys “Civilian GPS spoofing detection based on dual-receiver correlation of military signals” Proceedings of the Institute of Navigation GNSS (ION GNSS 2011), Portland, OR, 2011.
[31] J. Nielsen, A. Broumandan, and G. Lachapelle “GNSS Spoofing Detection for Single Antenna Handheld Receivers” Journal of Navigation, vol 58, no 4, pp. 335-344, Winter 2011.
[32] J. Nielsen, G. Lachapelle, and A. Broumandan “Method and System for Detecting GNSS Spoofing Signals” U.S. Patent No. 7,952,519 B1, 2010.
[33] S. Daneshmand, A. Jafarnia, A. Broumandan and G. Lachapelle “A Low Complexity GNSS Spoofing Mitigation Technique Using a Double Antenna Array” GPS World magazine, vol 22, no 12, pp. 44-46, December 2011
[34] P. F. Swaszek, and R. J. Hartnett “A Multiple COTS Receiver GNSS Spoof Detector—Extensions” in Proc. Of ION ITM, San Diego, California, 2014.
[35] A. Jafarnia, S. Daneshmand, A. Broumandan, J. Nielsen and G. Lachapelle “PVT Solution Authentication Based on Monitoring the Clock State for a Moving GNSS Receiver” European Navigation Conference (ENC2013), Vienna, Austria, April 23-25 2013
[36] P. Y. Hwang, and G. A. McGraw “Receiver Autonomous Signal Authentication (RASA) based on clock stability analysis,” Position, Location and Navigation Symposium-PLANS 2014, IEEE/ION pp. 270-281, 2014
[37] L. Heng, D. B. Work, and G. X. Gao “GPS Signal Authentication From Cooperative Peers” IEEE Transactions on Intelligent Transportation Systems, 2014.
[38] A. Jafarnia, A. Broumandan, S. Daneshmand, N. Sokhandan and G. Lachapelle “A Double Antenna Approach toward Detection, Classification and Mitigation of GNSS Structural Interference,” Proceedings of NAVITEC 2014, Noordwijk, Netherlands, 3-5 December 2014.
[39] A. Jafarnia, A. Broumandan, and G. Lachapelle “Dual Antenna GNSS Signal Authenticity Verification and Measurement Classification,” submitted to the Journal of Navigation, Royal Institute of Navigation 2015.