вход по аккаунту



код для вставкиСкачать
Feature Article:
DOI. No. 10.1109/MAES.2017.160190
An Approach to Detect GNSS Spoofing
Ali Broumandan, Ranjeeth Siddakatte, Gérard Lachapelle, University of Calgary,
Alberta Canada
GNSS signal quality monitoring and authenticity verification is
gaining importance as different types of interference signals including jamming and spoofing are becoming more likely. There have
been several studies on jamming and spoofing detection at various levels of GNSS receiver operation layers. Spoofing signals are
structural interference that take advantage of the known structure
of legitimate signals and try to deceive their target receiver into a
false position and/or timing solution. This becomes much more important if the receiver is used in safety-of-life applications [1]–[5].
The features of spoofing signals are similar to those of authentic
GNSS signals; therefore, a stand-alone GNSS receiver may face
challenges in detecting this type of interference. Spoofing signals
can be designed to mislead the tracking procedure of GNSS receivers by generating synchronized pseudo random noise (PRN) codes,
thereby leading to counterfeit correlation peaks. This means that the
PRN index and signal parameters such as Doppler frequencies and
code delays of spoofing signals match those of the authentic ones.
These fake correlation peaks can overlay the authentic ones, distort the normal shape of authentic correlation peaks, and gradually
misdirect the tracking process of the target receiver. Detection and
mitigation of spoofing attacks on GNSS receivers in tracking mode
have become one of the important antispoofing topics. In [4]–[6],
the effect of interaction between authentic and spoofing peaks on
the tracking process of a GNSS receiver is analyzed. Most spoofing
detection metrics are designed to detect a spoofing attack assuming
there are only two states, namely, clean data or a spoofing attack
[7]–[10]. More specifically the spoofing detection threshold for a
given probability of false alarm is set in the presence of a clean data
set. However, in real operational conditions there might be several
situations in which the spoofing detection test statistics exceed the
predefined threshold due to other sources of interference signals
and cause false spoofing detection. For instance, [3] has proposed
a spoofing countermeasure method based on monitoring the receiver's automatic gain control (AGC) gain level. It is shown that
Authors' address: Schulich School of Engineering, Position Location and Navigation (PLAN) Group, University of
Calgary, Geomatics Eng, 2500 University Dr., Calgary, Alberta
T2N 1N4, Canada. E-mail: (
Manuscript received August 31, 2016, revised March 20, 2017,
June 5, 2017, and ready for publication June 7, 2017.
Review handled by A. Dempster.
0885/8985/17/$26.00 © 2017 IEEE
the presence of spoofing signals increases the power content of the
received signals, leading to changes in the AGC level. However, the
AGC gain can be disrupted by various interfering signals.
Predespreading structural power content analysis (SPCA) is a
promising spoofing detection method that uses the cyclo-stationarity of signals in order to detect an excessive amount of power in
the received sample [7]. However, as will be shown, this method is
not effective in distinguishing chirp from spoofing signals. Postdespreading spoofing detection metrics such as signal quality monitoring (SQM) are originally designed to monitor the correlation
peak quality affected by multipath [12]. Reference [15] showed
that the interaction between authentic and spoofing correlation
peaks is very similar to the case of direct and multipath signal component interaction. Therefore, it is challenging for a receiver to
discriminate between an overlapping matched power spoofing correlation peak and a specular multipath scenario and therefore utilizing these methods does not guaranty correct spoofing detection.
Spoofing countermeasures utilizing antenna arrays are another
powerful technique developed to mitigate spoofing attack. Spatial
processing can be implemented to analyze the spatial signature of
the received signals and identify spatially correlated signals and
place a null in the direction of spoofing signals [13]. Spoofing detection methods are also investigated in the navigation and measurement layers. In [14] a position solution authenticity verification technique based on clock bias variation analysis of a moving
receiver was investigated. Spoofing attacks can also be detected by
checking the consistency of the navigation solutions under test with
other reference sources. Consistency checks can be performed in
different ways including intrasystem, intersystem, multifrequency,
and multisensor approaches.
The main objective of this paper is to describe a receiver architecture using various detection metrics at the predespreading and
postdespreading layers of a single antenna stand-alone GNSS receiver to improve spoofing detection performance and to distinguish
the spoofing attack from other sources of electronic interference. An
overview of interference detection methods at different operational
levels of a GNSS receiver is provided. Predespreading metrics are
employed to detect the presence of an excessive amount of power in
GNSS bands. Afterwards, postdespreading methods are used to detect an abnormal behaviour of correlation peaks which may be caused
by multipath or overlapped spoofing signals. Data analyses using the
Texas Spoofing Test Battery (TEXBAT) data [25] and actual GNSS
signals are performed to evaluate the sensitivity of detection metrics
to various interference signals. A metric combining approach is proposed to simultaneously use both groups of predespreading and post-
despreading metrics towards achieving the correct spoofing detection. This approach focuses on the differences between spoofing and
other interfering sources that can be used for discrimination.
Interference signals considered herein include continuous wave
(CW) jammer, chirp jammer, wideband noise, multipath, and
spoofing. The signal model and description of these signals are
now provided.
This category of narrowband interference refers to a single sinusoidal tone within a GNSS frequency band. This type of interference
can be represented as
I CW ( t ) = A cos ( 2π f cwt + ϕ0 )(1)
where A is the amplitude, fcw is the interference frequency, and t
is the time. φ0 is the initial phase of the interference signal. For
CW interference it is assumed that the signal frequency is time
This category of interference consists of a sinusoidal waveform
whose frequency repeatedly sweeps across its bandwidth. Its mathematical representation is
I chirp ( t ) = A cos 2π f chirp ( t ) t + ϕ0 (2)
where fchirp(t) is the instantaneous frequency of chirp signal. This
type of interference is the most common signal transmitted by low
cost personal privacy device (PPD) jammers. The frequency span
is commonly between 7 MHz to 60 MHz and the sweep time is
on the order of tens of μs [17], [18]. This type of interference can
be considered as a wideband interference since it sweeps a large
amount of the frequency band several times during a coherent integration period of a typical receiver.
The source of this type of interference transmits wideband noise
across the entire frequency band of the target GNSS system. The
wideband noise jamming signals cannot be discarded via temporal/
spectral mitigation approaches since the power content is divided
across all frequency components.
This type of interference occurs when a receiver antenna receives
signal via two or more paths either through reflection or diffraction. As the path distance travelled by non-line-of-sight (NLOS)
signals is larger than that of the line-of-sight (LOS) part, multipath components are always delayed relative to the LOS signal. A
composite signal formed from LOS and NLOS is received by the
user and the measurement generated is erroneous [19]. The NLOS
signals can either sum up constructively or destructively, causing
amplification or attenuation of the composite signal [23]. The multipath effect on the correlator outputs is very similar to that of a
matched power intermediate spoofing attack [1].
Since the structure of civilian GNSS signals is public, a jammer
can generate a waveform with a structure similar to that of the
authentic signals. This type of interference could be very destructive since it can pass through the target receiver's correlator and
destructively affect its post correlation operations. The structural
interference signals may range from a randomly generated PRN
signal to more sophisticated meaconing and spoofing signals. For
the case of spoofing signals, the interference source generates multiple consistent PRN signals that lead to a fake navigation solution
[1]. Unlike other types of previously discussed jamming signals,
spoofing and meaconing signals do not deny the positioning capability of a receiver but they induce a fake position to the target receiver without the latter's knowledge. The spoofing signal scenario
and its effect on the correlation outputs depends on the spoofingauthentic signals' relative Doppler, delay, and amplitude values. In
the following, these metrics are investigated.
Relative Doppler
Based on the discussions provided in [24], [25], a spoofing attack
on tracking receivers in terms of their relative Doppler frequencies can be generally divided into two categories, namely locked
Doppler and consistent Doppler. In the locked Doppler mode, a
receiver based spoofer tries to align the Doppler frequency of the
fake signal with that of the authentic GNSS signal while their rela-
An Approach to Detect GNSS Spoofing
tive code delay is changing. The advantage of this approach is that
by reducing the Doppler difference of the spoofing and authentic
signal, the tracking loop can maintain carrier tracking, thus loss of
lock does not happen. However, if a receiver compares the carrier
and code Doppler values, there will be an inconsistency between
these values, which can be a sign of a spoofing attack. In the case
of consistent Doppler spoofing, the Doppler frequency and code
delay rates of spoofing signals are consistent. The consistent Doppler spoofing scenario is similar to a multipath interference case.
Relative Power
Spoofing power is an essential feature to misdirect a target receiver.
The relative power level of spoofing signals with respect to that of
the authentic ones can highly affect the effectiveness and error limit
of spoofing interference. Adjustment of the spoofing power level at
a target receiver is challenging since it requires information about
the propagation channel between the spoofer and target receiver,
the antenna gain pattern, and its orientation. Spoofing interference
can generate a dominant correlation peak that is more powerful than
the authentic peak and can mislead the tracking point of the target
receiver into an arbitrary point determined by spoofing signals.
In an ideal case, the power level of the spoofing signal should
be slightly higher than that of the authentic signals but it should not
excessively overpower the authentic peak in order to avoid being
detected by power monitoring techniques. A low power spoofing
interference is not able to take away the tracking point of the receiver but it can distort the shape of the correlation peak and lead
to a biased pseudorange measurement. This type of spoofing interference has a similar effect to that of multipath interference and
may lead to several metres of pseudorange measurement error [5].
Relative Delay
This section focuses on different spoofing detection methods
based on monitoring the received signal strength. These techniques generally rely on the assumption that interfering signals
are more powerful than the authentic ones. Predespreading methods evaluate the overall power content of the received signal set
without separately analyzing different PRN signals. This category of detection looks for any abnormal variation in the received
signal power prior to the despreading process in the receiver. At
this stage, the GNSS signals are buried under the noise floor and
a detection test is performed based on the analysis of the power
content of received baseband signals. Three spoofing detection
metrics are analyzed here.
Baseband Variance Analysis
This method continuously monitors the variance of baseband signals in order to detect additional power injected by interfering signals. Most commercial GNSS receivers are equipped with an AGC
module that adaptively changes the receiver input gain based on
the variance of the received signal in order to efficiently use the
quantization levels of the input analog-to-digital convertor (ADC)
module. A feedback circuit controls the AGC gain and monitoring
of this gain value is used to detect an inclined signal variance due
to the presence of spoofing interference [3]. In the case of fixed
AGC gain and adequate digitizer bits, the intermediate frequency
(IF) sample variance can be used to monitor the excessive power in
the band. Assuming that the received signal is zero mean, the input
signal variance σ2 can be represented as
σ2 =
The main goal of a spoofing attack is to misdirect the observations of a target receiver and this is associated with the relative
delays of spoofing signals with respect to those of the authentic
ones. A spoofing signal may slightly change its relative code delay
with respect to the authentic signal in order to gradually take away
the tracking point of the target receiver's delay lock loop (DLL)
without causing loss of lock. An accurately designed spoofing attack can change its relative power level as it changes its relative
delay with respect to that of the authentic ones. One of the main
differentiation factors of the spoofing and multipath signals is that
the former tries to gain control of the receiver tracking point and
slowly take the spoofing correlation peak away from the authentic
one to minimize the interference between authentic and spoofing
signals. However, in the multipath case, depending on the reflectors' geometry, multipath delays may vary within a certain range
depending on the operating environment.
Several spoofing detection metrics in different operation layers of a
receiver have been proposed. These metrics can generally be divided
into two categories, namely predespreading and postdespreading. In
the following, the metrics used in this investigation are defined.
 r (nT ) × r (nT )(3)
n =1
where r is the IF sample and N is the number of temporal samples
over which the expectation is calculated. This method does not
take advantage of any spoofing signal features and simply assumes
that the spoofing signals' power content elevates the ambient noise
floor. A spoofing (or generally interference) attack will be detected if the estimated variance is higher than a predefined detection
threshold. Defining a proper detection threshold requires an initial
power level calibration in the presence of clean signals in a typical
operational environment. As mentioned before, this method cannot
be used to distinguish spoofing from other interfering sources.
Power Spectral Density Analysis
Narrowband and partial band interference signals are more observable in the frequency domain using a spectrogram operator. The
latter is the optimal detector when the interference is a sinusoid of
unknown amplitude, phase and frequency [9], [18]. The detection
test statistic can be written as
 N s −1
 2π nk  
= max   r n exp  − j
 
N s  
 n = 0
Broumandan, Siddakatte, and Lachapelle
where exp(.) represents an exponential function and j is the square
root of –1. Ns represents the number of samples over which the discrete Fourier transform (DFT) is calculated and k ranges from 0 to
Ns – 1. An interference signal would be detected if ΓPSD (subscript
PSD is power spectral density) exceeds a predefined detection
threshold. The detection threshold is assumed to be determined
based on a clean assessment window and a predetermined falsealarm probability.
Structural Power Content Analysis
A low complexity predespreading spoofing detection approach
that takes advantage of the cyclo-stationarity of GNSS signals in
order to detect excessive amount of structured signal power in the
received sample set was introduced in [7]. In this approach, the received raw signal samples are first filtered within the GNSS signal
bandwidth and then multiplied by their one-chip delayed version
in order to remove the effect of Doppler frequency. The resulting signal has a line spectrum since it is generated by multiplication of cyclo-stationary signals. In the next stage, the signal and
noise components are filtered by suitably designed comb filters.
A detection test statistic is calculated based on the filter outputs
and is then compared with a threshold in order to differentiate between the presence and absence of spoofing signals [22]. Since
each PRN signal is received from a different satellite with different
relative dynamics with respect to a user, their corresponding Doppler frequencies are different from each other. Therefore, in order
to concentrate all signal components on the same spectral lines and
facilitate spectral filtering, the Doppler shifts of the signals should
be removed. To this end, the sampled baseband signal components
are first multiplied by the complex conjugate of their one (or more)
chip delayed version. This operation removes the phase rotation
due to the Doppler frequency of received signals. It also removes
the navigation data bits and secondary codes and GNSS subcarriers
that are modulated on each spreading code. SPCA does not need
a clean data set for the spoofing detection threshold calibration.
Signal Quality Monitoring
The interaction between authentic and spoofing signals causes distortion on the shape of the correlation function. SQM tests focus
on this feature in order to detect any asymmetry and/or abnormally
sharp or elevated correlation peaks due to the presence of undesired signals [21]. This metric is originally designed to monitor the
correlation peak quality affected by multipath signals. One of the
advantages of SQM tests is that they are not highly dependent on
training or a calibration process based on a clean dataset [8]. It is
assumed that the receiver is initially tracking authentic signals. A
symmetric ratio test is implemented to detect a spoofing attack [8].
The theoretical variance of the SQM metric is [11][12]
− I+d
1 − R ( 2d )
TcC / N 0
where Id is the in-phase value of the correlator output spaced by d
chips from the prompt correlator. The variance of the SQM metric
is a function of C/N0 and should be considered in defining a proper
detection threshold. As mentioned previously, SQM metrics are
originally designed to monitor correlation peak quality. Hence, it
might be challenging to discriminate a spoofing attack from multipath interference by monitoring only one PRN. SQM becomes an
excellent spoofing detection tool in the matched power spoofing
scenario where all PRNs are affected by spoofing. Table 1 summarizes the detection metrics used in this research.
Effective C/N0 Analysis
Effective C/N0 analysis is a common signal strength monitoring
metric and is available in most commercial receivers. The effectiveness of this metric towards the classification of an interference
signal is investigated herein. Generally, three terms can affect the
effective C/N0. The first one corresponds to the noise component
due to thermal noise or other interference sources, the second refers to the cross correlation between spoofing signals and authentic
replica, and the third refers to the cross correlation caused by other
authentic signals. The cross-correlation term caused by high power
spoofing signals can become the dominant term, which is directly
proportional to the power level of spoofing signals. This term considerably reduces the effective C/N0 of authentic PRNs and leads
to saturation of spoofing C/N0 values. The upper limit of a GNSS
signal power level is known apriori. Hence, for a given receiver,
an upper limit for the C/N0 value can be defined. The spoofing detection metric based on C/N0 monitoring works based on this fact.
An abnormally high C/N0 value can be an indication of a spoofing
attack. In addition, jamming signals also affect the effective C/N0
values by increasing the noise floor. A constructive multipath signal can cause a C/N0 value to exceed the spoofing detection threshold and result in a false alarm. Hence, this metric should be used in
conjunction with other spoofing detection metrics to reduce false
alarm probability.
Different detection metrics were introduced in the previous sections. All these metrics are effective in detecting spoofing attack.
However they are not individually capable of distinguishing spoofing from other interference sources. For instance, in the presence
of either spoofing or jamming signals, the variance analysis metric
detects additional power content in the GNSS frequency band.
Hence, when a spoofing detection flag using a variance metric is
raised, either a spoofing or jamming attack may have occurred. On
the other hand, other spoofing detection methods including postdespreading techniques detect spoofing attacks when the correlator
outputs deviate from their nominal values. However, the correlator
outputs can be distorted not only by the spoofing attacks but also by
other types of interfering signals such as multipath. This increases
the false-alarm spoofing detection probability. To correctly classify
interfering signals and reduce the false spoofing detection process,
the combination of different metrics at different operation layers of
An Approach to Detect GNSS Spoofing
Table 1.
Summary of Spoofing Detection Metrics
High power interference
Low, available in most receivers, predespreading
High power jammer
Low-Medium, implementation at the predespreading
Cyclo-stationarity signal structure
Medium, needs modification to current receiver
architecture at predespreading stage
All types of interference
Available and effective metric in postdespreading
Correlation distortion
Low, already available in some receivers
Note: PSD is power spectral density.
Table 2.
Spoofing Detection Architecture
Clean data
Chirp/ nonoverlapped
a receiver is proposed for classification, as summarized in Table 2.
In this paper the C/N0 metric detects spoofing signals if C/N0 values
pass a predefined threshold. Here it is assumed that the detection
threshold of each metric is calculated based on statistics of the clean
data set and intersection of different metrics outputs results in reduced probability of false alarm. In Table 2, 1 and 0 define whether
the test statistic value for each metric is above the threshold or not.
In case 1 none of the metrics detect abnormal activities, hence the
receiver is operating with clean data. In case 2 the interference detection flag based on variance analysis is set. However, the SPCA
and SQM metrics are not affected. In this case, the receiver is most
probably affected by a CW or a wideband noise jammer. It should
be noted that in the presence of all types of interfering signals, C/
N0 values are affected. In the presence of CW, noise, and chirp jammers, the C/N0 values decrease and hence do not affect the C/N0
metric proposed for the spoofing detection method that detects a
spoofing attack if C/N0 is above the nominal GNSS signal level
near ground. However, constructive and destructive multipath and
spoofing signals may increase C/N0 values and raise the spoofing
flag. Case 3 considers a scenario where the variance and SPCA
metric values are set whereas the SQM and C/N0 metrics are not
affected. This case resembles the chirp jammer or a nonoverlapped
spoofing attack. In the nonoverlapped spoofing attack, since there
is no interaction between authentic and spoofing correlation peaks,
the SQM metrics are not affected. A possible approach to classify
chirp jammers from nonoverlapped matched-power spoofing signals is to search in the cross-ambiguity function for extra correlation peaks above the acquisition threshold. Case 4 considers multipath scenarios where the constructive and destructive effect of a
multipath signal with the desired signal raises the SQM and C/N0
detection flags. Case 5 correctly detects a spoofing attack when all
the detection flags are raised.
The above procedure is one of many possible approaches to
correctly identify spoofing signals. Other spoofing and interference scenarios and detection metrics can be added to this table. In
the following sections real and simulated data are used to evaluate
the performance of the proposed strategy.
The goal of this section is to analyse the sensitivity of various detection metrics in the presence of different interference signals and
to validate the proposed method summarized in Table 2 for correct
spoofing detection. In order to detect a spoofing event, all detection
metrics discussed beforehand should be triggered. In this regard, data
set 3 (DS3) of the TEXBAT was utilized [25] as baseline. This data
set is a complex baseband data sampled at 25 mega samples per seconds with a 16-bit quantization. DS3 represents the matched power
spoofing scenario where the mean power of spoofing PRNs is 1.3
dB higher than that of the authentic signals. Matched power spoofing attacks are potentially more difficult to detect by received signal
strength spoofing detection methods since considerable C/N0 variations might not be detected for spoofed PRNs. The first 120 s of this
data set is clean (only authentic signal) and a spoofing attack starts
after that. The performance of the detection metrics in the presence of
interfering signals, namely wideband noise, CW interference, chirp,
multipath, and spoofing, are considered here. The GNSS signal affected by spoofing interference for data analysis in the rest of this paper refers to that part of DS3 that is contaminated by spoofing (after
120 s from the beginning of DS3). The clean data set refers to the first
120 s of DS3. To generate interference signals, a dedicated interference software simulator generated various interference signals and
added those to the clean part of DS3. For instance, to analyze the
effect of CW on the detection metrics CW samples were generated
Broumandan, Siddakatte, and Lachapelle
Table 3.
Interference Types and Characteristics
Interference Type
JNR = 10 dB
Jammer frequency varied between 8 and 12 KHz in 60 s
JNR = 10 dB
Sweep time: 50 μs
Bandwidth: 12 MHz
Wideband noise
JNR = 10 dB
−6 dB
−6 dB
Bandwidth: 25 MHz
Initial delay: 15 m
Phase varied by 2 carrier cycles
Initial delay: 150 m
Phase varied by 2 carrier cycles
+1.3 dB
TEXBAT DS3, Static matched power time push
and added to the clean part of DS3. The baseband samples affected by
interference signals were stored in a hard disk for further processing.
The relative power of jamming signals (wideband noise, CW, and
chirp) to that of ambient noise, also called jamming-to-noise ratio
(JNR), was 10 dB. At this power level of jamming signals, the receiver is still able to track GNSS signals but the jamming signal considerably degrades tracking loop performance. The CW interference
frequency was linearly varied from 8 kHz to 12 KHz in 60 s from the
L1 carrier centre frequency. The sweep time of the chirp jammer was
50 μs and the interference bandwidth was set to 12 MHz around the
L1 centre frequency. The wideband noise covered the entire sampling
bandwidth of the receiver. To investigate the effect of multipath signals on the detection metrics, a multipath propagation scenario where
the LOS correlation peak is affected by multipath reflection in a static
case was considered. Two multipath scenarios were simulated, name-
ly, short and long multipath with initial delay values of 15 m and 150
m with respect to the LOS signal. The multipath signal power was 6
dB below that of the LOS component.
Table 3 summarizes the interference types and characteristics.
Figure 1 shows the IF sample variance outputs and SPCA detection metrics for the entire DS3. The spoofing attack starts at 120
s. Both SPCA and IF sample variance outputs are triggered as soon
as the spoofing attack starts. The GNSS signal affected by various
interference signals is generated by adding the interfering signals
to the clean data set.
Figure 2 shows the spectrum analyses of various signals
using the pwelch power spectral density method. Figure 2(a)
Figure 1.
Figure 2.
IF variance and SPCA tests for DS3 (the values are normalized to clean
data set).
Spectrum analyses of various signals using pwelch power spectral
An Approach to Detect GNSS Spoofing
Figure 3.
Figure 4.
shows a clean data set spectrum as benchmark in a 25 MHz
bandwidth. The GPS L1 C/A signal main beam occupying about
2 MHz of bandwidth is observable in the figure. The centre of
the main GPS signal spectrum is located at 12.5 MHz. Figure
2(b) shows the GNSS signal spectrum in the presence of the CW
interference. Only a small sector of the spectrum is affected by
the interference. Figure 2(c) shows the signal affected by the
chirp interference. This type of interference is affecting almost
12 MHz of the signal spectrum. Figure 2(d) shows the signal
spectrum in the presence of the wideband noise. The entire receiver bandwidth is affected by this jammer. Figure 2(e) and
Figure 2(f) show the signal spectrum affected by spoofing and
multipath, respectively. In the spoofing case, the energy of the
signal is increased due to the presence of several higher power
spoofing signals.
The extra bump in the power spectral density in the spoofing
case is the spoofing image frequency in the up-conversion process
of DS3. This image frequency does not affect the spoofing simulation scenario or detection performance.
As can be seen in Figure 2, power spectral density analyses can
be used to detect and classify the interfering signals. This metric is
probably more practical for high power jamming signal detection
and classification compared with the matched power spoofing and
multipath interference.
Figure 3 shows the mean value of SPCA metric outputs of
various interference signals normalized to that of the clean data
set. As discussed, SPCA can detect a cyclo-stationary signal in the
band, which in this case consists of chirp and spoofing signals. The
SPCA metric values in the case of CW and noise are lower than
the clean data set. This is due to the fact that the presence of these
jammers has increased the noise power and consequently affects
the total GNSS signal power-to-noise ratios. The SPCA metric values in the case of multipath is slightly higher than that of the clean
data set due to the existence of multipath; however it is still below
the detection threshold (details of detection threshold calculation
is provided in [7]). The SPCA metric outputs in the presence of
the spoofing attack are much higher than those of the clean data
set. The SPCA metric outputs in the case of chirp jammer also
exceeds the detection threshold. Hence, if the SPCA metric detects
a signal above the threshold, it can be due to both spoofing or chirp
interference sources. This is in agreement with the decision logic
provided in Table 2.
Figure 4 shows the mean values of IF sample variances for
different data sets. These values are normalized to the variance
of the clean data set. IF sample variance values of CW, chirp,
and wideband noise jammers are all the same (since JNR for
these three cases were the same) and about six times that of the
clean data set. The multipath sample variance is not affected by
multipath propagation and it is at the same level as the clean data
set. The spoofing signal variance metric values are enhanced due
to the existence of additional signal power in the band. This is
the main differentiation factor between spoofing and multipath
signals as provided in Table 2. The IF samples variance values
as a function of time for clean and spoofing data are also shown
in Figure 1.
Figure 5 shows C/N0 metric outputs for CW, chirp, and
wideband noise jammers in the case of PRN 3. The CW jammer
causes up to 20 dB attenuation on C/N0 values. The variation in
C/N0 values in the case of the CW jammer is due to the variable
jammer frequency during the attack. The CW jammer distortion
on GNSS signals depends on the relative jammer and Doppler
frequencies of each PRN [20]. The CW jammers are most effective when they overlap spectral lines of GNSS signals. Chirp
and wideband noise jammers also decreased the C/N0 values by
about 8 dB. Although the mean C/N0 values in the case of noise
and chirp jammers are almost the same, the chirp jammer affects
Normalized IF sample variances.
SPCA test statistics.
Broumandan, Siddakatte, and Lachapelle
Figure 6.
SQM values of GPS PRN 3 in the presence of jamming signals.
Figure 5.
C/N0 values of GPS PRN 3 in the presence of jamming signals.
the carrier tracking performance more than that of the noise jammer and causes fluctuations in signal tracking and consequently
in C/N0 values. Comparing the three jammers' distortion for the
given jamming scenario, chirp and noise jammers' effects on C/
N0 values are a function of the received jammer power. The chirp
jammers cause more fluctuations on C/N0 values compared with
the noise and CW jammers. The CW jammer's effect on the C/
N0 metric is a function of received signal power and CW carrier
frequency and therefore it causes a slow variation on C/N0 values in the given example.
Figure 6 shows the absolute values of the SQM metric outputs for jamming signals. The green plots are SQM detection
thresholds that are three times the theoretical values of the SQM
metric standard deviations provided in (6). These thresholds satisfy the probability of false alarm of 0.003 in the presence of
a clean data set. The SQM metric variance is a function of C/
N0 and that is why it is varying during the test. The C/N0 was
calculated based on the computation of the narrow to wide band
power ratio [16] and smoothed over 1 s. CW and wideband noise
jammers do not significantly affect the SQM metric outputs.
However, SQM metric outputs in the case of chirp interference
are significantly affected and in some cases pass the detection
threshold. Among jamming signals considered herein, the chirp
interference has the highest effect on the SQM metric. This is
due to the fact that chirp interference disturbs carrier tracking
performance and causes fluctuations in the code and carrier
tracking loops.
The standard deviation of the SQM metric outputs is higher
than that of the other jamming sources. The reason for this is the
structure of the SQM metric used as it is a single difference metric that is sensitive to code tracking errors, which can be induced
Figure 7.
PRN 3 C/N0 values and SQM metric for multipath1 scenario.
by multipath or other distortions affecting tracking performance.
As discussed before, chirp jammer affects tracking performance
and the SQM metric variance is increased. To avoid false spoofing
detection utilizing SQM metrics, the detection threshold should be
adjusted in the presence of chirp interference.
Figure 7 shows SQM outputs for short- and long-range multipath corresponding to the Multipath1 and Multipath2 scenarios
described in Table 3.
During the test scenario, the distance between LOS and multipath signals was gradually increased by 60 cm. The SQM monitoring correlators were located at 0.2 chips from the prompt correlator. Considering the SQM results of Figure 7(a), the SQM metric
can only detect the multipath signal when it is out of phase with
respect to the LOS signal at t = 25 s and t = 45 s for short multipath
An Approach to Detect GNSS Spoofing
Figure 8.
SQM metric outputs for the entire DS3.
Figure 9.
Data collection environments (GoogleMaps).
case. However, as shown in Figure 7(b) the SQM metric outputs
exceed the threshold almost in most parts of the data for the long
multipath scenario.
Figure 8 shows the SQM outputs for the entire DS3 data
(spoofing attack starts at t = 120 s) for various PRNs. As shown
at epoch t = 120, when the spoofer starts to deviate its correlation
peaks from the authentic ones, the SQM metrics are not affected.
The spoofing remains undetected for about 30 s. As shown in
Figure 8 different PRNs have different detection times, with PRN
6 having the fastest detection time of 30 s from the start of the
spoofing attack. One possible reason for the difference in spoofing detection times of different PRNs is due to the different Doppler difference values between the spoofing and the authentic signals. As shown in Figure 8 the SQM metric is not sensitive when
the authentic spoofing delay difference is short, which was also
observed in the short-delay multipath case of Figure 7. In practical GNSS applications, short-range multipath mostly perturbs
typical GNSS signals, which does not affect SQM metrics. By
increasing multipath distance, the multipath signal power fades
away and becomes ineffective. However, for a high power spoofer to be effective, it should gradually take control of correlation
peaks and eventually take it out of the authentic signals to avoid
possible interaction between authentic and spoofing signals. The
spoofing signals should sweep away the entire delay range (one
chip) of an authentic signal, thereby increasing the chance of de72
tection with SQM metrics in the spoofing case. Another feature
that can be used to separate spoofing from multipath distortion is
the number of affected PRNs.
One of the main differentiating factors between spoofing and
multipath signals is the status of the predespreading metrics. In
the previous section, it was shown that in typical multipath environments the predespreading spoofing detection metrics, namely
time/spectral analysis and SPCA, are not affected whereas in a
spoofing scenario the metrics exceed the predefined threshold.
This is justified since in typical multipath environments only
some of the authentic signals are affected by low power multipath
signals and some of the satellite signals are blocked by surrounding obstructions. As a result, the total signal power does not increase compared with the open sky clean data set. To validate this
assumption, some GNSS signal sets at L1 band were collected in
various locations in Calgary. Data collection environments are
shown in Figure 9. The first and last data sets were collected in
open sky conditions in an empty parking lot and serve as clean
reference data sets. Another 13 data sets were collected in various
suburban, urban, and downtown locations. A NovAtel 702 GG
Broumandan, Siddakatte, and Lachapelle
Figure 10.
IF variance and SPCA metrics outputs.
antenna was placed on the roof of a vehicle moving at speeds of
up to 50 km/h. A front-end using an 8-bit ADC, disabled AGC,
and 10 MHz bandwidth was used to collect digital samples. The
data collection environment was surrounded by up to 30 story
concrete and glass buildings as shown in Figure 9. Each data set
consists of 40 s of raw IF samples. The IF samples were passed
to predespreading interference detection metrics, namely time/
frequency power analysis and SPCA. Each metric analyzed 1 s of
IF samples to output decision statistics. Hence, for each data set,
there were 40 detection metric outputs.
Figure 10 shows IF sample variance and SPCA metric outputs as a function of time for various data sets. There are a few
data sets with variance metric outputs above the predefined
threshold indicating there are high power signals in the bandwidth. The signal variance has its highest values for data set 10.
Existence of excessive power in the bandwidth can be due to
the presence of spoofing or jamming signals. The SPCA metrics
outputs shown in Figure 10 do not exhibit the same pattern as
that of the variance output analysis. In fact, the SPCA metric
outputs are high in open sky conditions (data sets 1 and 15) and
low during the data collection in dense multipath environments.
Comparing the results of variance and SPCA outputs with those
of Figure 3 and Figure 4, one concludes that the increase in the
IF sample variance in dense urban environments is due to CW
jamming signals of unknown sources which affected the samples
during the test.
The power spectral density of the received signals for data
set 1 (clean data) and data set 10 (affected by jamming) were
Figure 11.
Power spectral density of data set 1 and 10.
also analyzed and the results are shown in Figure 11, which also
shows power spectral density plots of data set 10 for 40 epochs.
Comparing the results of data set 1 and data set 10 reveals that the
signals of data set 10 are affected by interfering signals spread all
over the signal bandwidth. The existence of these jamming signals elevated the IF samples level and hence at various epochs the
variance detection metric values exceeded the detection threshold. This is not due to multipath but jamming signals as observed
in Figure 11. The existence of CW jamming signals did not affect
the SPCA metric outputs since SPCA is sensitive to a structural
signal type such as spoofing signals. As shown, the SPCA metric values in all of the 15 data sets were below the threshold.
Considering the collected data sets, predespreading metrics are
not affected by multipath distortion. These experimental results
justify the use of predespreading metrics to discriminate between
spoofing and multipath signals. These results are in agreement
with the data analyses results provided in the previous section.
In the next step, postspreading detection metrics are analyzed for
different data sets.
Figure 12 shows the C/N0 values and SQM metrics for PRN9 in
data set 3 and 13. In data set 3 the SQM metric values exceed the
detection threshold at t = 28 s. At this epoch the C/N0 values drop
by about 10 dB. There are several fluctuations in the C/N0 of data
An Approach to Detect GNSS Spoofing
tive effect on the performance of a receiver and consequently
severely affected the performance of the postdespreading detection metrics. The chirp jammer also affected the SPCA spoofing
detection metric and its behaviour on detection metrics is very
similar to that of a nonoverlapped spoofing attack. The SQM
metric was implemented to detect spoofing and multipath at the
postdespreading level. As shown in the scenarios used, the SQM
metric is not overly sensitive for short-range multipath/spoofing
Figure 12.
C/N0 and SQM metrics for data sets 3 and 13.
set 13 which may be due to multipath interference. However, the
SQM metric values in this case did not pass the detection threshold. This is likely due to signal blockages or short multipath signals
which only affects the C/N0 but have a minimal effect on the SQM
metric. Analyzing other data sets and different PRNs revealed that,
given the data utilized in this investigation, the SQM metrics are
less sensitive in dense urban environments affected by multipath.
This observation confirms the simulation results provided in the
previous section.
The focus here has been on correct detection of spoofing attacks
from interference sources. To this end several predespreading and
postdespreading spoofing detection metrics, namely temporal/
spectral analyses, SPCA, C/N0, and SQM, were implemented and
analysed under different interference signals, namely CW jammer, wideband noise, chirp jammer, and multipath. Considering
the real data analysis results, the predespreading detection metrics, namely variance analysis and SPCA, are not affected under multipath and hence used to discriminate between spoofing
and multipath signals based on the assumption that these metrics
are not affected in typical multipath scenarios. The assumption
was validated by collecting several data sets in dense urban environments and analysing the metric results. The temporal/spectral analyses in the presence of jamming signals were affected.
Among jamming signals, the chirp jammer had the most destruc74
[1] Humphreys, T. E., Ledvina, B. M., Psiaki, M. L., O'Hanlon, B. W.,
and Kintner, P. M. Assessing the spoofing threat: Development of
a portable GPS civilian spoofer. In Proceedings of ION GNSS 21st.
International Technical Meeting of the Satellite Division, Savannah,
GA, Sept. 16–19, 2008, 2314–2325
[2] Jafarnia, A., Lin, T., Broumandan, A., Nielsen, J., and Lachapelle, G.
Detection and mitigation of spoofing attacks on a vector based tracking GPS receiver. In Proceedings of International Technical Meeting
of the Institute of Navigation (ION ITM 2012), Newport Beach, CA,
Jan. 30–Feb. 1, 2012, 790–800.
[3] Akos, D. M. Who's afraid of the spoofer? GPS/GNSS spoofing detection via automatic gain control (AGC). Journal of Navigation, Vol. 59,
4 (Winter 2012), 281–290.
[4] Broumandan, A., Jafarnia-Jahromi, A., Daneshmand, S., and Lachapelle, G. Effect of tracking parameters on GNSS receiver vulnerability to spoofing attack. In Proceedings of ION GNSS+, Portland, OR,
Sept. 12–16, 2016.
[5] Broumandan, A., Jafarnia-Jahromi, A., Ioannides, R. T., and Lachapelle, G. An approach to discriminate GNSS spoofing from multipath
fading. In Proceedings of NAVITEC 2016, Noordwijk, Netherlands,
Dec. 14–16, 2016.
[6] Cavaleri, A., Motella, B., Pini, M., and Fantino, M. Detection of
spoofed GPS signals at code and carrier tracking level. In Proceedings of Satellite Navigation Technologies and European Workshop on
GNSS Signals and Signal Processing (NAVITEC), Noordwijk, Netherlands, Dec. 8–10, 2010, 1–6.
[7] Jafarnia-Jahromi, A., Broumandan, A., Nielsen, J., and Lachapelle,
G. Predespreading authenticity verification for GPS L1 C/A signals.
NAVIGATION, Journal of The Institute of Navigation, Vol. 61, 1
[8] Jafarnia, A., Broumandan, A., Daneshmand, S., Ioannides, R. T., and
Lachapelle, G. (2016) Galileo signal authenticity verification using
signal quality monitoring methods. In Proceedings of ICL GNSS, Barcelona, Spain, June 28–30, 2016.
[9] Jafarnia, A., Fadaue, N., Daneshmand, S., Broumandan, A., and
Lachapelle, G. Listening for RF noise: An analysis of pre-despreading
GNSS interference detection techniques. Inside GNSS (May/June
[10] Parro-Jimenez, J. M., Ioannides, R. T., Crisci, M., and Lopez-Salcedo,
J. A. Detection and mitigation of non-authentic GNSS signals: Preliminary sensitivity analysis of receiver tracking loops. In 6th ESA
Workshop on Satellite Navigation Technologies and GNSS Signals
and Signal Processing (NAVITEC), Noordwijk, Netherlands, Dec.
5–7, 2012, 1–9.
Broumandan, Siddakatte, and Lachapelle
[11] Wesson, K. D., Evans, B. L., and Humphreys, T. E. A combined symmetric difference and power monitoring GNSS anti-spoofing technique. In IEEE Global Conference on Signal and Information Processing, 2013.
[12] Phelts, R. E. Multicorrelator techniques for robust mitigation of threats
to GPS signal quality. Ph.D. dissertation, Department of Mechanical
Engineering, Stanford University, Palo Alto, CA, 2001.
[13] Broumandan, A., Jafarnia-Jahromi, A., Daneshmand, S., and Lachapelle, G. Overview of spatial processing approaches for GNSS structural interference detection and mitigation. Proceedings of the IEEE
(2016), 99–111; 10.1109/JPROC.2016.2529600.
[14] Jafarnia, A., Daneshmand, S., Broumandan, A., Nielsen, J., and
Lachapelle G. PVT solution authentication based on monitoring the
clock state for a moving GNSS receiver. In European Navigation Conference (ENC2013), Vienna, Austria, Apr. 23–25, 2013.
[15] Pini, M., Fantino, M., Cavaleri, A., Ugazio, S., and Lo Presti, L. Signal quality monitoring applied to spoofing detection. In Proceedings
of the 24th International Technical Meeting of The Satellite Division
of the Institute of Navigation (ION GNSS 2011), 2011, 1888–1896.
[16] Van Dierendonck, A. J. GPS receivers. In Global Positioning System:
Theory and Applications, Vol. 1, B. Parkinson and J. J. Spilker, Jr.,
Eds. Washington DC: American Institute of Aeronautics and Astronautics, 1993, ch. 8, pp. 390–393.
[17] Mitch, R. H., Dougherty, R. C., Psiaki, M. L., Powell, S. P., O'Hanlon,
B. W., Bhatti, J. A. et al. Signal characteristics of civil GPS jammers.
In Proceedings of ION GNSS 2011, Portland, OR, Sept. 20–23, 2011.
[18] Bauernfeind, R., Kraus, T., Sicramaz Ayaz, A., Dotterbock, D., and
Eissfeller, B. Analysis, detection and mitigation of InCar GNSS jam-
mer interference in intelligent transport systems. In Deutscher Luftund Raumfahrtkongress, 2012.
Irsigler, M. Multipath propagation, mitigation and monitoring in the
light of Galileo and the modernized GPS. Ph.D. thesis, Bundeswehr
University, Munich, Germany, 2008.
Borio. D., O'Driscoll, C., and Fortuny, J. GNSS jammers: Effects and
countermeasures. Satellite Navigation Technologies and European
Workshop on GNSS Signals and Signal Processing, (NAVITEC), 2012.
Manfredini, E. G., Dovis, F., and Motella, B. Validation of a signal quality monitoring technique over a set of spoofed scenarios. In 7th ESA
Workshop on Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), 2014, 1–7.
Gamba, M. T., Motella, B., and Pini, M. Statistical test applied to
detect distortions of GNSS signals. In International Conference on
Localization and GNSS (ICL-GNSS), 2013, 1–6.
Broumandan, A., and Lin, T. (2008) Performance of GNSS time of arrival estimation techniques in multipath environments. In Proceedings
of GNSS08, Session C2, Savannah, GA, Sept. 16–19, 2008.
Crosta, P., and Alenia, T. A novel approach to the performance evaluation of an arctangent discriminator for phase locked loop and application to the carrier tracking of the ionospheric scintillation. In Proceedings of European Navigation Conference-GNSS 2009, Naples, Italy,
May 3–6, 2009.
Humphreys, T. E., Bhatti, J., Shepard, D., and Wesson, K. The Texas
Spoofing Test Battery: Toward a standard for evaluating GPS signal
authentication techniques. In Proceedings of the 25th International
Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2012), Nashville, TN, Sept. 17–21, 2012, 3569–3583.
Без категории
Размер файла
2 159 Кб
2017, 160190, maes
Пожаловаться на содержимое документа