1

Overview of Spatial Processing Approaches for GNSS Structural Interference Detection and Mitigation

Ali Broumandan, Ali Jafarnia-Jahromi, Saeed Daneshmand, Gérard Lachapelle

Position Location and Navigation (PLAN) Group

University of Calgary

abrouman@ucalgary.ca, ajafarni@ucalgary.ca, sdaneshm@ucalgary.ca, lachapel@ucalgary.ca

Abstract— GNSS-dependent positioning, navigation and timing synchronization procedures

have a significant impact on everyday life. Thus, such an extensively used system progressively

become an attractive target for illegal exploitation and attacks. Position and timing solutions

provided by GNSS receivers can be threatened by structural interference such as spoofing

threats. This paper provides an overview of recent research work on GNSS signal authentication

utilizing spatial processing methods. Different spatial processing approaches for spoofing

detection, classification and mitigation are characterized and compared. Three different

processing methods, namely antenna array processing, moving receiver and cloud based

spoofing countermeasure are analyzed in details. The benefits and disadvantages of each are

discussed.

I. Introduction

Spoofing and meaconing are structural wideband intentional interference which misdirect

target Global Navigation Satellite System (GNSS) receivers into generating fictitious position

and/or timing solutions [1]-[2]. Meaconing is a replayed version of a recorded genuine GNSS

signal whereas spoofing is a fake signal that is designed to mimic the authentic signal’s structure

[3]. Under a spoofing or meaconing attack, a receiver provides position and timing solutions with

good signal quality measures. However, the solutions do not represent the actual location or

time of the victim user. Due to the widespread use of civilian GNSS dependent systems,

motivation has increased to spoof GNSS signals for scores of illegal activities. Therefore,

spoofing is becoming a more serious type of threat for future applications and this necessitates

proper countermeasures [4]-[6]. Many research groups have been involved in the vulnerability

analysis of GNSS to spoofing attack (e.g. [1],[2],[6],[7],[8]).

© 2016 IEEE. This material is posted here with permission of the IEEE. Internal or personal use of this material is

permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating

new collective works for resale or redistribution must be obtained from the IEEE by writing to pubspermissions@ieee.org.

2

Spoofing countermeasure methods analyze specific features of spoofing signals that make

them different from authentic ones. Anti-spoofing techniques can be generally divided into three

main categories, namely spoofing detection, authentic/spoofing signal classification and spoofing

mitigation. Spoofing detection algorithms focus on detecting the presence of spoofing attacks [9],

authentic/spoofing signal classification methods are intended to distinguish between spoofing

and authentic signals, and spoofing mitigation techniques aim to neutralize the spoofing threat

and to recover the positioning and timing capabilities [3]. Several anti-spoofing techniques based

on single-antenna processing have been proposed. Amplitude discrimination [10],[11],[12], time-

of-arrival (TOA) discrimination [13], solution consistency cross-check with inertial measurement

units (IMU) [14], polarization discrimination [15], spatial processing based spoofing

discrimination [16], position deviation [17], signal quality monitoring [18] and cryptographic

authentication [19] are some of the most current spoofing detection techniques. Many single

receiver spoofing countermeasure techniques rely on power level monitoring of the received

GNSS signals in order to detect spoofing pseudo random number (PRN)s. In [10] the presence

of high power spoofing signals is detected based on their abnormally high carrier-to noise ratio

(C/N0) values. [20] monitors the receiver automatic gain control (AGC) level as a mean of

detecting high power spoofing attacks. A pre-despreading spoofing detection method that

checks for the excessive structural power content of received GNSS signals is proposed in [21].

Spoofing countermeasures using spatial processing is one of the most powerful techniques

developed. Most spatial processing methods rely on the assumption that the spoofing source is

a single-antenna source transmitting several PRNs [1],[3]. Spatial processing can be

implemented to analyze the spatial signature of the received signals and discriminate spatially

correlated signals (e.g. [7]). These methods can be divided into three groups, namely antenna

array, moving receiver and network/cloud based processing.

The receiver structure in the antenna array case consists of several antennas each connected

to a separate radio frequency (RF) down-conversion channel and digitizer unit in a phase

coherent mode usually utilizing a single oscillator [7]. The antenna elements separation in such

cases is about half of the carrier wavelength and the antenna array is considered a single

receiver unit for a specific application [7].

Some spatial processing methods are proposed to take advantage of the receiver motion to

detect spoofing attacks and discriminate such signals. The hardware complexity of these

techniques is much lower than that of the multi-antenna technique. In such cases, the spoofing

3

countermeasure methods operate based on employing a single moving antenna to detect and

classify the spoofing signals.

Network or cloud based GNSS signal authenticity verification methods consist of spatially

distributed GNSS receivers operating in a nearby region [22]. The receivers in these cases are

not physically connected and they are operating independently [23]. It is assumed that there is a

communication link among the receivers where each one can have access to low-rate GNSS

measurements of the others or where all receivers transmit their measurements to a

central/cloud-based processing station. The measurements can then be analyzed to detect and

classify spoofing PRNs [23].

In Section II signal authentication using antenna array processing is discussed. Section III

discusses signal authentication utilizing a moving antenna receiver. In Section IV, network based

spoofing detection and mitigation is provided. Summary and conclusions are provided in Section

V.

II. GNSS Signals Authentication using Antenna Array Processing

A receiver equipped with an antenna array can employ spatial filtering techniques in order to

shape its reception beam pattern. This type of receivers can steer a null toward the spoofing

source and suppress its destructive effect [24]. Antenna array processing to mitigate spoofing

attacks can be implemented at the pre-despreading or post-despreading stage of a GNSS

receiver. In the following the pros and cons of each implementation approach are discussed.

a) Pre-despreading spoofing mitigation:

Assume a spoofing attack scenario where a single source transmitter propagates several high

bogus PRNs. A low computational complexity multi-antenna spoofing mitigation method that is

able to spatially filter out the spoofing signals has been proposed in [7]. This method cross-

correlates the baseband samples from different antennas in order to form a spatial correlation

matrix and extract the spatial signature of high power spoofing signals. All these operations are

performed on the digitized baseband samples before the despreading process. The steering

vector corresponding to the spoofing signals can be extracted since all of the spoofing signal

energy is coming from the same spatial sector. This type of spoofing mitigation approach

considers the spoofing source as a wideband interference signal and successfully mitigates the

spoofing source. The pre-despreading approach toward spoofing detection and mitigation is a

power minimization problem [25]. Considering the fact that several spoofing PRNs impinge on

4

the antenna array from the same direction, it can be observed that their power outputs are added

constructively from a specific spatial sector. In other words, the spatial power density of the

spoofing signals is considerably higher than that of the authentic signals. The spatial correlation

matrix of the received signal can be written as

2 2H

vσ σ≈ +R a a I (1)

in which 2

vσ is the total power of the spoofing signal, a is the one column steering-vector of

spoofing signals and 2σ is the noise variance. Here it is assumed that the authentic signals are

buried under the noise floor. To estimate the spoofing sub-space or equivalently the spoofing

steering vector a , one can employ Eigen value decomposition of the correlation matrix R as

[ ]2 2

2

0

0

H

v

H

σ σ

σ

+≈

bR b U

U (2)

where b is the Eigen vector corresponding to the largest eigenvalue of R , U is the vector of

eigenvectors corresponding to the noise-plus-authentic signals subspace. Hence, projecting the

received signal into the reduced-rank spoofing free subspace H=P U mitigates the spoofing

signals [16]. This projection may cause attenuation for those authentic signals located in or close

to the nulls of the antenna beam pattern [9]. One of the advantages of this method is that it does

not require array calibration and its computational complexity is low. Figure 1 shows the block

diagram of the pre-despreading spoofing detection and mitigation approach. Digitized baseband

samples from a multiple-channel synchronized front-end are passed to the null-steering unit

where the weights to suppress a spoofing signals are calculated. The output of the null-steering

unit is baseband spoofing free complex samples that are passed to a conventional receiver

acquisition and tracking module. One may use an up-convertor and digital-to-analog convertor to

provide analog spoofing free GNSS signals at the GNSS frequency bands. Hence, the multi-

antenna front-end, null-steering unit and up converter can be formed as a single inline anti-

spoofing unit, which can be easily connected to any receiver to protect it from spoofing and

jamming signals without the need to modify the receiver structure.

5

Figure 1: Pre-despreading spoofing mitigation (MSR: Measurements, PVT: Position, Velocity and Time )

b) Post-despreading spoofing mitigation:

In post-despreading antenna-array based spoofing mitigation methods the despreading and

accumulation process are applied to each digitized baseband antenna samples. Figure 2 shows

the post-despreading spoofing detection and mitigation block diagram. The output baseband

samples from different front-end channels are first fed to the acquisition engine to detect

available signals including spoofing and authentic signals. The acquisition routine in this case is

modified to detect all the peaks above the detection threshold and passes all the initial code

phases and Doppler frequencies to the tracking unit. The despread samples of different detected

signals are then fed to the steering vector estimation unit. The spoofing detection unit correlates

the estimated steering vectors of all detected signals [26]. High correlation among estimated

steering vectors indicates that the signals are transmitted from a single source. The estimated

steering vector then is passed to the classification and weight calculation unit. The output of the

weight calculation unit is then forwarded to the beamforming and null-steering module. The

output of the beamforming/null-steering module is a single channel spoof free signal used to

calculate GNSS measurements for different PRNs.

6

Figure 2: Post-despreading spoofing detection and mitigation (MSR: Measurements, PVT: Position, Velocity and Time )

For the post-despreading spoofing detection and mitigation method, two cases are discussed

here.

- Un-calibrated antenna array: It is assumed that the antenna array is not calibrated. More

specifically the relative phase and gain of the antenna elements are unknown and the

orientation of the array is not known. After tracking all spoofing and authentic signals, the

spoofing detection module correlates the array responses (steering vector) of different

signals. The spoofing signals sourced from a single antenna have the same spatial

signature, which means that all the PRNs experience the same channel parameter

variation in the spatial domain. This can be used as a metric to detect a spoofing attack

and classify spoofing and authentic signals. In [27] a method based on estimating the

steering vector of each PRN and subsequently discriminating authentic and spoofing

signals based on their spatial signature is proposed. The spoofing classification unit places

all signals with the same spatial signature in the spoofing group. After spoofing detection

and classification the array places nulls in direction of the spoofing signals. Since this

method is implemented in the post-despreading stage, it imposes more processing power

to the receiver and requires some modification to acquisition and tracking units compared

to the pre-despreading method. Thus this method cannot be implemented as an in-line

module. In this case, the same as pre-despreading spoofing detection and mitigation,

spatial filtering beampattern may unintentionally distort the authentic signals. This is due to

the fact that the array is not calibrated and the receiver orientation is not known. However,

7

for those applications in which the authentic signal attenuation is not tolerable, the spatial

filtering method can be extended to maximize signal-to-noise ratio (SNR) for individual

authentic PRNs as proposed in [28].

- Calibrated antenna array: Here it is assumed that the relative phase of the baseband

samples from different antennas for a given signal is related to the direction of arrival of

that signal and the antenna array orientation is known. This is the most sophisticated

approach to detect a spoofing attack, classify spoofing and authentic signals and eventually

mitigate the spoofing signals. In this scenario, the single antenna spoofer source

assumption can be relaxed. Thus, a multi-antenna spoofing attack can be detected and

mitigated as long as the spoofing transmitters do not have the same directions of arrival as

those of the authentic signals. In addition, the satellites almanac information is available

where the approximate Direction of Arrival (DoA) of each satellite can be determined.

Considering this, after capturing signal samples and the despreading process, the receiver

estimates the DoA of each signal and compares it to the predetermined value; deviation

indicates spoofing or multipath signal existence.

To demonstrate the effectiveness and performance of the antenna array based spoofing

mitigation method discussed earlier, an illustrative simulation employing GPS L1 Coarse

Acquisition (C/A) signals is provided herein. The average power of the authentic signals and

noise are -158 dBW and -203 dBW respectively [29]. All spoofing signals are transmitted from

the same direction with a 3 dB power advantage compared to the authentic signals. A circular

antenna array with six elements and half wavelength spacing is used. Figure 3 shows the beam

pattern of the antenna array for a single source spoofer. The location of the authentic and

spoofing signals are also shown. Figure 3a shows the antenna array beam pattern employing

the pre-despreading method. This method successfully nullifies the spoofing source located at

azimuth and elevation (250˚, 20˚). However, since the authentic signal steering vector is not

used in the filter design the authentic signal located at azimuth and elevation (200˚, 75˚) is highly

attenuated. Figure 3b shows the antenna array beampattern after despreading the authentic

signal. This spatial filter not only places a deep null in the direction of the spoofing signals but

also maximizes SNR for the authentic PRN case.

8

Figure 3: Antenna array beampattern a) pre-despreading, b) PRN 1 post-despreading

Figure 4 shows the average SNR values of the authentic and spoofing signals for a single

antenna and antenna array processing as a function of the average input spoofing power. The

authentic average SNR (black curve) does not significantly decrease when the average spoofer

power is below the authentic signals power (-160 dBW). However, when the average spoofer

power suppresses that of the authentic signals, the authentic signals’ SNR decreases as the

input spoofing power increases. This is due to an increase in the cross correlation terms caused

by the higher power spoofing signals. The SNR of the spoofing signals before null-steering (red

curve) increases as the power of the spoofing PRNs increases. It is observed that as the

spoofing power increases, the average SNR of the authentic signals after beamforming utilizing

pre-despreading (blue curve) and post-despreading (purple curve) remains constant, which

means that the null-steering method successfully cancels the spoofing signals. The post-

despreading average SNR is higher than that of the pre-despreading method. This is because in

the post-despreading case the antenna main beampattern is oriented to the direction of arrival of

each PRN to maximize the SNR output of the spatial filter. In the pre-despreading case the

spatial filter does not have any knowledge of the location of each PRN and hence in some cases

unintentional attenuation on authentic PRNs may occur. The spoofing SNR after mitigation when

the average spoofing power is in the range of -170 dBW to -160 dBW initially increases. This is

due to the fact that the average spoofing power is below the authentic signals power level and

consequently there is no well-defined eigenvector associated with the spoofing source direction.

In this spoofing power range the SNR values of the authentic signals are not affected by

Authentic

Spoofing Spoofing

Authentic

a) b)

9

spoofing signals. When the average spoofing power exceeds -160 dBW the spoofing signal SNR

decreases significantly.

Figure 4: Authentic and spoofing average SNR values after and before null-steering

Table 1 compares different features of the antenna array anti-spoofing methods.

Table 1: Summary of array processing based anti-spoofing techniques

Anti-Spoofing Method

Spoofing Feature

Pros Cons Receiver Required Capability

Pre-despreading

Single Antenna,

numerous PRNs

Low complexity, efficient for both

jamming and spoofing mitigation, in-line anti spoofing

application

To be effective requires several spoofing signals,

may reduce power of authentic signals

Eigen analyses on baseband samples

Post-despreading, array is not calibrated

Single Antenna

Effective in low power spoofing

cases with limited number of spoofing

signals, SNR maximization can be implemented

Higher complexity

compared to the pre-despreading

method

Despreading all the channels, higher number of

correlators

Post-despreading,

array is calibrated

Single/Multiple Antenna

Can handle multi-antenna

spoofing attack, beamforming and

null-steering

Higher complexity

compared to non-calibrated case

Array calibration,

attitude determination, DoA estimation

-170 -160 -150 -140 -130-30

-20

-10

0

10

20

30

Average Spoofing Power (SP) [dBW]

SN

R [dB

]

Spoofing before mitigation

Spoofing after mitigation

Auth pre-despreading

Auth post-despreading

Auth before mitigation

10

III. GNSS Signals Authentication using Antenna Motion

Consider a single source spoofing attack where all fake GNSS signals are transmitted from a

single antenna; the receiver motion can be used to detect spoofing and classify authentic and

spoofing signals [6]. The difference between a single moving antenna and the antenna array is

that in the moving antenna case the receiver takes spatial samples sequentially over a time

period, whereas in the antenna array case all of the spatial samples are taken at the same time.

Utilizing antenna motion to detect spoofing attack and classify them can be implemented in

different layers of the GNSS receiver architecture, as will be discussed later. Figure 5 shows the

receiver motion scenario in the presence of a spoofing source where sP and uP are the spoofer

and user locations.

Figure 5: Receiver motion in the presence of spoofing signals

- Spoofing detection and classification at the tracking level:

If the spoofing signals are transmitted from a single source, the propagation channel is

common to all spoofing PRNs and as such the spoofing signals amplitude, phase and Doppler

variations are highly correlated. This characteristic of the spoofer signal is independent of the

propagation environment (e.g. line of sight (LOS), non-line of sight) and can be used to detect

and classify the spoofing signals. In [30] a spoofing detection technique that takes advantage of

a moving antenna is proposed. This technique is based on the fact that all spoofing PRNs

experience the same propagation path and therefore, their corresponding amplitude and phase

variations are highly correlated; this correlation can be detected by changing the channel

Spoofer

[ ]0u

P

sP

[ ]0su

ρ

[ ]1u

P

[ ]ukP

[ ]uNP [ ]1

suρ

[ ]sukρ

[ ]suNρ

RXRX

RX

RX

[1]u

∆P

[ ]u

k∆P

[ ]u

N∆P

11

response based on receiver antenna motion. If the spoofer only transmits one PRN a moving

receiver cannot detect the spoofing signal. However, a single spoofing PRN is not effective and

can be easily discarded in the navigation process. Although these techniques can successfully

detect spoofing signals radiated from a single antenna transmitter, they do not provide any

capability toward discarding the spoofing signals. [31] and [32] have proposed spoofing

classification methods that employ a single antenna handheld receiver moving along a random

trajectory. The received signals’ amplitude and phase corresponding to different signals are

continually compared to each other using a correlation coefficient metric. The highly correlated

signals are then categorized as spoofing PRNs. This approach is further extended by [6] in order

to incorporate a rapid antenna motion to discriminate spoofing attacks. In the method of [31] a

standard correlation coefficient is utilized to measure the correlation between different PRNs’

parameters as the spoofing detection metric. The correlation coefficient between signal

parameters of PRN i and PRN j is defined as

.

H

i j

ijH H

i i j j

E

E Eρ

=

x x

x x x x (3)

where i

x is signal parameters for PRN i.

Figure 6 shows the block diagram of the spoofing classification method based on a moving

antenna. The acquisition engine detects all signals above the detection threshold and passes all

the signals to the tracking unit. The tracking unit tracks all of the detected signals including the

spoofing and authentic ones and forwards the signal parameters to the spoofing detection and

classification unit. Signal parameters used to detect and classify the spoofing signals include

signal amplitude (C/N0), phase and Doppler frequency [6]. Existence of high correlation between

two signal parameters indicates a spoofing attack. The receiver places the signals with a high

correlation value in the spoofing group. The accuracy of the spoofing detection and classification

method utilizing the antenna motion is a function of the signal parameter estimation accuracy,

the receiver motion pattern, user velocity and the receiver oscillator stability.

12

Figure 6: Block diagram of spoofing classification in the tracking level using a moving antenna

To demonstrate the effectiveness of this method test measurements have been performed by

combining authentic signals received from a rooftop antenna with spoofing signals radiated from

an indoor directional antenna and received by a spatially translated single antenna. Figure 7

shows the data collection scenario.

Start

No Yes

Spoofing PRN Set

Monitor signal parameters

Evaluate Correlation Coefficients

Highly Correlated?

AuthenticPRN Set

Position solution

Position solution

Interchange PRN set

members

Track all signals above a threshold

13

Figure 7: Data collection scenario under spoofing attack

In this test, a hardware simulator output has been used as a spoofing generator, which is

radiated indoor with a controlled power level. The test results for Doppler variation due to the

user motion are shown in Figure 8. It is clear from Figure 8.a that the Doppler variation plots in

the case of the authentic signals are not correlated. This is not happening in the case of the

spoofing signals sourced from a single transmitter. As shown in Figure 8.b the Doppler variation

due to the receiver motion is highly correlated among different PRNs, which has been used to

detect and classify the spoofing signals.

14

Figure 8: Doppler variations, a) authentic, b) spoofing

- Spoofing Detection at Navigation level:

This section focuses on detecting the presence of spoofing signals employing position level

observables of a moving receiver. In [35] a position solution authenticity verification technique

based on the clock bias variation analysis of a moving receiver was proposed. In the spoofing

case the receiver clock bias variation is highly correlated with the receiver motion and this could

be used to detect a spoofing attack. This work was extended by [36] in order to use the

estimated Allan Variance of the receiver clock bias to detect spoofing signals. The moving

antenna techniques work effectively even in multipath environments since all the spoofing

signals experience the same propagation path and they are all similarly affected by multipath

reflections. However, a stable clock source is required for their proper operation. In [3] and [35] it

is shown that relative motion between the spoofer and receiver imposes a variable bias in the

clock bias measurements of the receiver and this bias can be utilized to reveal the presence of

the spoofer. More specifically, the relative clock bias changes in time become a function of the

1 2 3 4 5

-5

0

5

10

Time (s)

Do

pp

ler

(Hz)

b) Spoofing

PRN 6

PRN 25

PRN 26

PRN 28

PRN 21

1 2 3 4 5

-5

0

5

10

Do

pp

ler

(Hz)

a) Authentic

PRN 20

PRN 23

PRN 31

PRN 25

PRN 14

15

receiver velocity (receiver speed and motion pattern). In [35] a spoofing detection technique

based on time solution analysis of the moving receiver was discussed. The proposed technique

is based on the correlation of the clock bias solution with the receiver motion. Different motion

scenarios including known arbitrary, circular, random walk, constant speed linear and completely

unknown motion were considered. The presence of a spoofer can be detected if the clock bias

deviates considerably from its prediction. The detection performance varies depending on the

level of receiver trajectory’s knowledge, clock stability and clock model accuracy.

If the spoofer and target receiver are not co-located on a single platform, the relative motion

between the spoofing source and user does not change position and velocity solutions. This is

due to the fact that all spoofed PRNs share the same propagation channel, hence changes in

distance of a receiver from the spoofer source do not change the position and velocity solutions.

However, the clock bias of the spoofing measurements is a function of the receiver-spoofer

Euclidean distance. A simplified pseudorange model can be written as [35]

ˆ:

ˆ ˆˆ ˆ. . .t Tu su TS

Specific to PRN C Common among all PRNs

P c d c d c dρ ρ η= + + + − +14243 144424443

(4)

where ρ is the fake range between the spoofer generated counterfeit position and the GNSS

satellite, ˆtd is the timing error corresponding to the counterfeit satellite, Tud is the user clock

error and ρsu is the physical range between the spoofer and the receiver antenna. TSd shows a

deliberate time advance that might be added to the spoofer’s transmit signal in order to

compensate for the propagation delay between the spoofer antenna and the target receiver

antenna plus the spoofer clock bias. c is the speed of light in vacuum and η represents other

error sources such as ambient noise and multipath. C defined in Equation 4 is common among

all PRNs, hence it will be resolved in the clock bias of the position, velocity and time (PVT)

solution of the spoofing signals. It is observed that clock bias measurements of the spoofed PVT

solutions contain the range information from the spoofer to the target receiver(s). Figure 9 shows

the clock bias variation due to the circular hand-held antenna motion in a horizontal plane for the

spoofing and authentic cases utilizing the data collection scenario shown in Figure 7. Monitoring

the clock bias variation over time can be a means to detect the spoofing attack initiated from a

single source. Table 2 compares spoofing countermeasure techniques utilizing a single moving

receiver.

16

Figure 9: Clock bias variations for the spoofing and authentic signals

Table 2: Summary of spoofing detection/classification methods based on antenna motion

Anti-Spoofing Method

Pros Cons Receiver Required Capability

Tracking level Requires a single moving antenna, detects and classifies spoofing

signals

Requires modification in

acquisition and tracking units of GNSS receivers,

detection and classification

performance is a function of the receiver

moving profile and oscillator stability

Pairwise correlation between signal parameters, Despreading all the

spoofing and authentic signals, higher number of correlators, carrier

Doppler predication

PVT level Requires a single moving antenna, low

computational complexity, can be implemented with

minimal modification in GNSS receivers

Only can detect a spoofed PVT solution,

detection performance is a function of the receiver moving profile, requires

a stable oscillator

Having access to the clock bias

variations

IV. Cloud based GNSS Signals Authentication

Cloud based GNSS spoofing authenticity verification refers to the case when several

receivers are operating in a neighborhood and share their measurements. It is assumed here

0 10 20 30 40 50 60-0.5

-0.4

-0.3

-0.2

-0.1

0

0.1

0.2

0.3

0.4

0.5

Time (s)

Clo

ck b

ias d

evia

tion fro

m first ord

er fit

(m

)

Circular Handheld Motion (Spoofed PVT)

Circular Handheld Motion (Authentic PVT)

17

that there is a low rate communication link between receivers (such as vehicle-to-vehicle

applications) or that they are sending their measurements to the cloud as shown in Figure 10.

Figure 10: Block diagram of the cloud-based anti-spoofing system

The idea of alleviating spoofing attacks based on processing several receiver measurements

is discussed in some recent research work. Authors in [34] have proposed a spoofing detection

method utilizing commercial off-the-shelf receivers by comparing the position solutions from

multiple receivers located on the same platform. The spoofing detection metric works based on

the fact that the existence of a spoofer would make the statistical relationship of the observed

positions different than it is during normal, non-spoofed operation. [37] introduces a signal

authentication architecture based on a network of cooperative receivers. A receiver in the

network correlates its received military code with those received by other receivers so as to

detect spoofing attacks.

[23] proposes a network-based anti-spoofing receiver architecture that uses spatially

distributed receivers connected to a central authenticity verification (CAV) unit. The essence of

this method is that the CAV receives simultaneous measurements from nearby receivers,

detects a spoofing attack and classifies authentic and spoofing signals. This might be the case of

driverless car navigation systems where each car transmits navigation measurements to the

CAV unit; or a network of distributed high precision receivers communicating with one or several

base stations. After spoofing detection, the proposed anti-spoofing architecture commences to

18

classify the spoofing and authentic signals. In [38] an approach based on the carrier phase

variation of multiple receivers is used to classify the signals. It is shown that the double

difference (between two receivers and two PRNs) carrier phase observations in the spoofing

case for a short receiver separation (about a km) are time-invariant, whereas in the case of the

authentic signals due to the satellite motion the relative phase difference between receivers

varies with time. This is regardless of user or spoofer motion. Hence, double differences

between carrier phase observations over time constitute a means to discriminate between

spoofing and authentic signals. Thus, the CAV unit can monitor the phase differences among

different receivers for different PRNs to detect and classify the spoofing/authentic signals. The

carrier phase observation at the ith receiver for the lth PRN signal can be written as [35]

[ ] [ ] [ ] [ ]( ) [ ] [ ] [ ]. . il l

i i i i i i

l l l l l rk k c t k T k N I k T k w kρ λΦ

Φ = + − + − + + (5)

where i

lρ is the actual range between the lth satellite and ith receiver antenna. lt and iT are the

clock errors corresponding to the lth satellite and ith receiver. i

lI and l

i

rT are ionospheric and

tropospheric delays. il

wΦ

is the noise term including range errors, receiver noise and multipath.

c and λ are the light velocity in vacuum and the carrier wavelength of GNSS signal. i

lN is an

integer number which corresponds to cycle ambiguity of the lth PRN at ith antenna and k is the

time sample. The double difference of the carrier phase measurements can be written as

,,

, , , , ,

, , , i jm l

i j i j i j i j i j

m l m l m l m lN wρ λ∇∆Φ

∇∆Φ = ∆Φ − ∆Φ = ∇∆ + ∇∆ + (6)

where ,

,

i j

m l∇∆Φ is the double carrier phase difference of the ith and jth receivers for the mth and ith

PRNs. ,i j

m∆Φ is single carrier phase difference of the ith and jth receivers for the mth PRN. ,

,

i j

m lρ∇∆

is the double difference range of the ith and jth receivers for the mth and ith PRNs and ,

,

i j

m lN∇∆ is

the double difference ambiguity cycles of the ith and jth receivers for the mth and ith PRNs. It can

be shown that the single phase difference between two receivers is a function of receivers

spacing and changes of direction of arrival of signals over time. In the case of single source

spoofing transmitter all of the PRNs have the same azimuth and elevation angles with respect to

the antenna baseline. As such, for the case that m and l are both spoofing signals, the

pseudorange double difference, ,

,

i j

m lρ∇∆ , become zero. Therefore, Equation 6 in the spoofing

scenario becomes time invariant and this does not depend on the receiver dynamics or relative

19

receiver clock drifts. However, for the case of the authentic signals, this phenomenon does not

hold since these signals are transmitted from different angles which vary independently from

each other. Therefore, spoofed PRNs can be distinguished from the authentic ones based on the

double difference of the carrier phase measurements of two or more spatially separated

antennas. The carrier phase double differences of spoofed PRNs have a zero-slope temporal

variation whereas for the case of the authentic signals a non-zero slope is visible in the carrier

phase double differences. This fact is the basis for authentic and spoofing PRN classification. A

generalized likelihood ratio test (GLRT) based detection approach has been developed in [38]

and extended in [23] to authenticate GNSS signals based on the double difference processing.

The experimental results of [39] have shown that the signal authentication time is a function of

the antenna spacing and its orientation with respect to the satellite motion. Figure 11 shows

carrier phase double differences for a 2-metre antenna separation for authentic and spoofing

signals; the carrier phase double differences in the case of spoofing signals have a zero-slope

temporal variation which is the essence of spoofing classification.

Figure 11: Double difference carrier phase measurements

V. Summary

An overview of GNSS spatial processing based signal authentication methods was provided.

The methods were categorized into three different groups, namely antenna array processing,

moving antenna and cloud based. Antenna array jammer and spoofing mitigation methods are

0 50 100 150-1

-0.8

-0.6

-0.4

-0.2

0

0.2

0.4

0.6

0.8

1

Time (s)

∆∆ ∆∆∇∇ ∇∇

ΦΦ ΦΦ1

,2

i,j

(cy

cle

s)

SpoofingAuthentic

20

the most effective countermeasure against interference signals and recently has gain more

attention in GNSS community. The antenna array system consists of several synchronized front-

ends with closely spaced antennas. A receiver equipped with an antenna array can employ

spatial filtering techniques in order to shape its beam pattern to attenuate a specific spatial

sector while providing gain at some specific angles. Antenna array processing methods can be

implemented at different operational layers of a receiver, namely pre-despreading and post-

despreading. The blind pre-despreading spoofing mitigation is an effective and low

computationally complex method. Post-despreading mitigations are effective in both low and

high power spoofing attacks. However, implementation of these methods requires some

changes in the receiver acquisition and tracking architecture. These methods can detect, classify

and mitigate the spoofing attack.

Antenna motion is another spatial processing method to detect and discriminate spoofing

attacks. In this case, the spatial samples are taken over an observation window. In the case of a

single source spoofing transmitter, the propagation channel is common among all spoofing

PRNs and hence these signals are spatially coherent at the receiver antenna; this method is

used to detect and classify spoofing attacks. The spoofing countermeasure methods based on a

moving antenna can be implemented at the tracking or navigation level of a receiver. Spoofing

countermeasure methods utilizing antenna motion can generally detect and classify the spoofing

PRNs. The performance of the methods employing the receiver motion can be improved by

incorporating the user motion pattern into the detection and classification problem. This can be

done by coupling IMU with GNSS measurements.

A cloud-based spoofing countermeasure was also introduced. This is a promising approach

for emerging technologies such as driverless car and autonomous vehicle application. This

method consists of spatially distributed receivers operating in a nearby region. The receivers in

this case are not physically connected and they are operating independently. Temporal

variations of carrier phase double differences from multiple GNSS receivers are used for

authenticity verification and measurement classification of observable GNSS signals. For the

case of authentic signals the double difference observables change based on the relative

satellite variation of azimuth and elevation angles, while this is not the case for counterfeit

signals when all PRNs are transmitted from a common source.

21

Table 3 compares advantages and disadvantages of different spatial processing based anti-

spoofing methods.

Table 3: Comparison of different GNSS spatial processing anti-spoofing methods

Anti-Spoofing Method

Analyzing metric Pros Cons

Antenna array Spatial power, steering

vector correlation

The most effective stand-alone jammer and spoofing mitigation

method, works in static and dynamic cases

Requires additional hardware, increased cost and power consumption,

calibration in some cases is required

Moving antenna Signal parameters pairwise correlation

Requires a single moving antenna, low complexity, can be

implemented with minimal modification in receivers, can

detect and classify spoofing attack

Mitigation is not performed by spatial processing.

The accuracy is a function of the receiver motion pattern and its oscillator

stability.

Cloud based Carrier phase double

difference

Low complexity in terms of software and hardware design, can detect and classify spoofing

attack

Requires a data transfer network and high power processing server to

analyze big data

22

REFERENCES

[1] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O'Hanlon and P. M. Kintner “Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer,” ION GNSS 21st. International Technical Meeting of the Satellite Division, Savannah GA, pp. 2314-2325, 16-19 September 2008

[2] B. M. Ledvina, W. J. Bencze, B. Galusha and I. Miller “An In-Line Anti-Spoofing Device for Legacy Civil GPS Receivers” Proceedings of the 2010 International Technical Meeting of The Institute of Navigation, 25-27, San Deigo CA, pp. 698-712, January 2010

[3] A. Jafarnia-Jahromi, “GNSS Signal Authenticity Verification in the Presence of Structural Interference,” PhD Thesis, Department of Geomatics Engineering, University of Calgary, September 2013.

[4] R. G. Hartman and P. Minn “Spoofing detection system for a satellite positioning system” US Patent 5557284, 1995

[5] C. E. McDowell “GPS Spoofer and Repeater Mitigation System using Digital Spatial Nulling”, US Patent 7250903 B1, 2007

[6] M. L. Psiaki, M. L., Powell, S.P., O'Hanlon, B.W., “GNSS Spoofing Detection using High-Frequency Antenna Motion and Carrier-Phase Data,” Proceedings of the 26th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2013), Nashville, TN, pp. 2949-2991, September 2013.

[7] S. Daneshmand, A. Jafarnia, A. Broumandan and G. Lachapelle “A Low-Complexity GPS Anti-Spoofing Method Using a Multi-Antenna Array” in Proceedings of ION GNSS 2012, Nashville TN, 11 pages, 17-21 September 2012

[8] T. E., D. Humphreys, Shepard, J. Bhatti, and K. Wesson “A testbed for developing and evaluating GNSS signal authentication techniques” in IEEE Transactions on Aerospace and Electronic Systems, 15 pages, 2011.

[9] P. F. Swaszek, and R. J. Hartnett “Spoof detection using multiple COTS receivers in safety critical applications” in ION GNSS+ 2013, Nashville, Tennessee, September 2013.

[10] J. Nielsen, V. Dehghanian and G. Lachapelle (2012) “Effectiveness of GNSS Spoofing Countermeasure based on Receiver CNR Measurements” International Journal of Navigation and Observations, vol. 2012, Article ID 501679, 9 pages, 2012.

[11] A. Jafarnia, A. Broumandan, J. Nielsen and G. Lachapelle “GPS Spoofer Countermeasure Effectiveness based on Using Signal Strength, Noise Power and C/N0 Observables” International Journal of Satellite Communications and Networking, vol 30, no 4, pp. 181–191, July 2012.

[12] A. Jafarnia, A. Broumandan, J. Nielsen and G. Lachapelle “Pre-Despreading Authenticity Verification for GPS L1 C/A Signals,” NAVIGATION, Journal of The Institute of Navigation, Vol. 61, Issue 1, pp 1-11, 2014.

[13] , S. L. Cho, M. Y. Shin, S. Lim, D. H. Hwang, S. J. Lee, and C. Park “Design of a TOA-based Anti-Spoofing Method for GPS Civil Signal” ION GNSS PNT symposium 2008

[14] P. F. Swaszek , S. A. Pratz, B. N. Arocho, K.C. Seals, and R. J. Hartnett “GNSS Spoof Detection Using Shipboard IMU Measurements” ION GNSS+ 14, Tampa, FL,745 – 758, September 8-12, ,2014, pp

[15] E. McMilin, D. S. De Lorenzo, T. Walter, T. H. Lee, and P. Enge “Single Antenna GPS Spoof Detection that is Simple, Static, Instantaneous and Backwards Compatible for Aerial Applications” Proc. ION GNSS+ 2014, Tampa, FL, Sept. 9-12 2014.

[16] S. Daneshmand, A. Jafarnia Jahromi, A. Broumandan, J. Nielsen and G. Lachapelle “GNSS Spoofing Mitigation in Multipath Environments Using Space-Time Processing,” Proceedings of the European Navigation Conference (ENC2013), Vienna, 23-25 April 2013.

[17] J. C. Juang “Analysis of global navigation satellite system position deviation under spoofing,” IET Radar, Sonar & Navigation vol.3, No. 1, pp. 1-7, February 2009

[18] E. G. Manfredini, F. Dovis, and B. Motella “Validation of a signal quality monitoring technique over a set of spoofed scenarios” 7th ESA Workshop on Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), pp. 1-7, 2014.

[19] T. E. Humphreys “Detection strategy for cryptographic GNSS anti-spoofing,” IEEE Transactions on Aerospace and Electronic Systems, vol. 49 issue 2, pp. 1073-1090, 2013.

[20] D. M. Akos, “Who’s Afraid of the Spoofer? GPS/GNSS Spoofing Detection via Automatic Gain Control (AGC),” Jounral of Navigation, vol. 59, No. 4, Winter, Institute of Navigation, pp. 281-290, 2012.

[21] A. Jafarnia-Jahromi, A. Broumandan, J. Nielsen and G. Lachapelle “Pre-Despreading Authenticity Verification for GPS L1 C/A Signals” NAVIGATION, Journal of The Institute of Navigation, Vol. 61, Issue 1, pp 1-11, 2014.

23

[22] L. Scot “J911: The Case for Fast Jammer Detection and Location Using Crowdsourcing Approaches,” proceedings of ION-GNSS-2011, September 20-23, 2011

[23] A. Broumandan, A.Jafarnia-Jahromi, S. Daneshmand, and G. Lachapelle “A Network-based GNSS Structural Interference Detection, Classification and Source Localization,” proceeding of ION GNSS+2015 , Tampa Florida, September 2015.

[24] Y. Guo, M. Fan, and M. Kong “Spoofing interference suppression using space-time process for GNSS receiver,” International Congress on Image and Signal Processing (CISP), Sichuan, China, pp. 1537-1541, Oct 16-18 2012

[25] M. D. Zoltowski, and A. S Gecan “Advanced adaptive null steering concepts for GPS”, Military Communications Conference, MILCOM 95, IEEE, San Diego, CA, USA, , pp. 1214-1218, 5-8 November 1995

[26] C.E. McDowell “GPS Spoofer and Repeater Mitigation System using Digital Spatial Nulling” US Patent 7250903 B1, 7 pages 2007

[27] Meurer, M., A. Konovaltsev, M. Cuntz, C. Hättich “Robust Joint Multi-Antenna Spoofing Detection and Attitude Estimation using Direction Assisted Multiple Hypotheses RAIM,” Proceedings of the 25th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2012), Nashville, TN, pp. 3007-3016, September 17-21, 2012

[28] S. Daneshmand; A. Jahromi, A. Broumandan and G. Lachapelle “A GNSS structural interference mitigation technique using antenna array processing” IEEE Sensor Array and Multichannel Signal Processing Workshop (SAM), Coruna, Spain, pp. 109-112, 22-25 June 2014

[29] IS-GPS-200G: Global Positioning System Directorate, Systems Enginerring & Integration, Interface Specification, Navstar GPS Space Segment/Navigation User Interfaces Rev G, 2012.

[30] M. L. Psiaki, B. W. O’Hanlon, J. A. Bhatti, D. P. Shepard, and T. E. Humphreys “Civilian GPS spoofing detection based on dual-receiver correlation of military signals” Proceedings of the Institute of Navigation GNSS (ION GNSS 2011), Portland, OR, 2011.

[31] J. Nielsen, A. Broumandan, and G. Lachapelle “GNSS Spoofing Detection for Single Antenna Handheld Receivers” Journal of Navigation, vol 58, no 4, pp. 335-344, Winter 2011.

[32] J. Nielsen, G. Lachapelle, and A. Broumandan “Method and System for Detecting GNSS Spoofing Signals” U.S. Patent No. 7,952,519 B1, 2010.

[33] S. Daneshmand, A. Jafarnia, A. Broumandan and G. Lachapelle “A Low Complexity GNSS Spoofing Mitigation Technique Using a Double Antenna Array” GPS World magazine, vol 22, no 12, pp. 44-46, December 2011

[34] P. F. Swaszek, and R. J. Hartnett “A Multiple COTS Receiver GNSS Spoof Detector—Extensions” in Proc. Of ION ITM, San Diego, California, 2014.

[35] A. Jafarnia, S. Daneshmand, A. Broumandan, J. Nielsen and G. Lachapelle “PVT Solution Authentication Based on Monitoring the Clock State for a Moving GNSS Receiver” European Navigation Conference (ENC2013), Vienna, Austria, April 23-25 2013

[36] P. Y. Hwang, and G. A. McGraw “Receiver Autonomous Signal Authentication (RASA) based on clock stability analysis,” Position, Location and Navigation Symposium-PLANS 2014, IEEE/ION pp. 270-281, 2014

[37] L. Heng, D. B. Work, and G. X. Gao “GPS Signal Authentication From Cooperative Peers” IEEE Transactions on Intelligent Transportation Systems, 2014.

[38] A. Jafarnia, A. Broumandan, S. Daneshmand, N. Sokhandan and G. Lachapelle “A Double Antenna Approach toward Detection, Classification and Mitigation of GNSS Structural Interference,” Proceedings of NAVITEC 2014, Noordwijk, Netherlands, 3-5 December 2014.

[39] A. Jafarnia, A. Broumandan, and G. Lachapelle “Dual Antenna GNSS Signal Authenticity Verification and Measurement Classification,” submitted to the Journal of Navigation, Royal Institute of Navigation 2015.