INTRODUCTION
Overview
The Global Navigation Satellite Systems are used in many civil fields for positioning services that need accuracy and security (Figure 1.1), such as vehicle tracking, unmanned aircraft, precision agriculture, pay-as-you-drive, financial transactions, etc.
All these services could potentially be attacked by hackers for economic or even terrorist interests [1], [2]. Almost all of these services rely on GNSS civil signals, which are easily interfered with, unintentionally or intentionally. In reality, the threat of intentional Radio Frequency Interference (RFI), such as jamming or spoofing attacks, is growing. The major hazard in this situation is when the receiver is not aware of being fooled; therefore, it raises no alarm to the hosting system, which is induced to make wrong and possibly hazardous decisions based on spoofed position, velocity and time (PVT) information [3]-[7]. This attack is known by the name of 'spoofing' [1]-[11].
Figure 1.1 Applications of GNSS (source: [12])
Over the last decade, spoofing has been perceived as a more and more concrete threat. This perception has been motivated by technological progress and by the availability of advanced software-defined radio (SDR) platforms, making the development of GNSS spoofers not only feasible but also affordable [13], [14]. Furthermore, many public channels are active sources of information and awareness, for example web sites, social platforms and online magazines [15]-[18].
Spoofing attacks can be defeated by exploiting specific features which are difficult to counterfeit at the signal, measurement and position levels [9], [10], [19]-[24].
A detailed survey of the most promising techniques for spoofing detection proposed in the last decade for civil signals can be found in [10], where several methods are described and compared in terms of complexity and effectiveness. Among all these families of approaches, spatial processing based on the angle of arrival (AoA) defense is probably the most robust and effective technique to detect and possibly mitigate the counterfeit signals [24], [25]. However, AoA-based methods are still difficult to apply in cost-constrained mass-market applications for several reasons: the cost of the equipment, the complexity of the processing and the size of the installation.
In [13], [26], the authors developed a method for spoofing detection based on differential carrier phase measurements from a pair of receivers and antennas; it requires neither dedicated hardware nor special constraints on the geometry of the system; only the knowledge of the baseline (the relative position of the two receiving antennas) is needed. However, although this method has proved to be a simple but efficient technique to detect spoofing attacks, it still has some limitations that will be discussed in the following sections.
According to [10], [22], [27], spoofing attacks can be divided into three main categories: the simple spoofing attack, the intermediate spoofing attack and the sophisticated spoofing attack. The simple spoofing attack can be easily detected by the existing techniques [10]. However, these methods may not detect the intermediate and sophisticated spoofing attacks well [10]. Recently, those kinds of attacks have proved to be increasingly popular [2], [28].
Therefore, this thesis focuses on the detection of spoofing in the intermediate and sophisticated cases, to ensure the reliability and accuracy of services using GNSS.
Motivation
From the analysis above, it can be seen that ensuring the safety and reliability of GNSS applications is increasingly important and urgent. Currently, the proposed detection methods are not really effective in practice [13], [27], [29]-[31]: they either require direct intervention in the system signal or the use of ancillary equipment, leading to higher costs. Meanwhile, the affordable AoA approaches are not really effective in complex attack situations. Therefore, the first motivation of this work is to propose a method that improves the performance of low-cost AoA-based methods in detecting intermediate and complicated spoofing (spoofed signals coming from different directions).
Regarding datasets for spoofing detection research, most GNSS simulators (IFEN, Spirent, SkyDel, Teleorbit, etc.) generate signals from a single direction or require a specific, costly license for multi-direction signals. Therefore, the second motivation of the thesis is to propose a method to generate fake signals from different directions for the validation of complicated spoofing detection methods.
Problem statement
To the best of our knowledge, spoofing detection based on AoA is perhaps the most powerful and efficient technique for detecting and possibly mitigating false signals [24], [25]. However, its use in commercial applications is limited by a number of factors: cost, processing complexity and receiver size.
The authors of [13], [26] developed a simple method for spoofing detection based on differential carrier phase measurements from a pair of receivers and antennas. It requires neither specialized hardware nor special geometrical constraints; the only technical requirements are the synchronization of the receivers and the distance between the two antennas. This method is known as the sum of squares (SoS) detector. Unlike other works [32], SoS models the integer ambiguity component of the carrier phase measurement as random variables taking values in a set of integer ambiguities. These variables are deduced using the generalized likelihood ratio test (GLRT) approach.
Although the computational complexity is significantly decreased, this method relies on carrier phase measurements, so cycle slips can occur and need to be detected and mitigated before forming the double difference carrier phase measures. Furthermore, the SoS approach considers only the condition of having the whole signal ensemble either counterfeit or authentic; it does not consider possible scenarios where the victim's receiver is locked onto a subset of spoofed satellites while the remaining ones are still authentic (so-called 'mixed tracking' in the rest of the work) [2], [19], [28].
In this work, we focus on proposing AoA-based spoofing detection methods which address the limitations pointed out in typical existing work (especially the SoS approach). Furthermore, we are also interested in validating our method in complicated spoofing scenarios wherein spoofed signals may come from different directions. However, generating multi-direction spoofed signals requires a special, high-cost equipment installation; therefore, we propose to use a software-based receiver approach to modify the signal phase to simulate the signal's angle of arrival.
Scope of Research
The work focuses on techniques for detecting spoofed GNSS signals. In the first methodology, a method to detect mixed spoofing signals using commercial receivers and dual antennas is proposed. In this method, the distance between the two antennas is fixed at roughly two meters to limit noise when performing differential computations between the two receivers. The Gaussian Mixture Model (GMM) machine learning model is used in the second method to detect spoofing signals coming from multiple directions. To attack with spoofing from many different directions, the spoofing signal generators have to be synchronized, and implementing this requires high-precision and expensive clocks. Therefore, we use the method of transmitting only one spoofed satellite to fool the receiver.
Contribution
This work focuses on solving the spoofing detection problem based on the AoA approach. In addition, to overcome the lack of datasets for testing spoofing detectors, we also propose a method for simulating unauthentic signals in two typical scenarios: spoofed-only signals and mixed signals from different directions. Our work has the following main contributions:
First, we propose AoA-based methods for spoofing detection; in our proposal we utilize the D3 (dispersion of the double differences) measurement to overcome the limitations of the existing SoS methods.
V. H. Nguyen, G. Falco, M. Nicola, and E. Falletti (2018), "A dual antenna GNSS spoofing detector based on the dispersion of double difference measurements", in Proc. 9th ESA Workshop on Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), Noordwijk, Netherlands, 5-7 Dec. 2018, DOI: 10.1109/NAVITEC.2018.8642705.
N. Van Hien, G. Falco, E. Falletti, M. Nicola and T. V. La (2020), "A Linear Regression Model of the Phase Double Differences to Improve the D3 Spoofing Detection Algorithm," 2020 European Navigation Conference (ENC), 2020, pp.
E. Falletti, G. Falco, V. H. Nguyen and M. Nicola (2021), "Performance Analysis of the Dispersion of Double Differences Algorithm to Detect Single-Source GNSS Spoofing," IEEE Transactions on Aerospace and Electronic Systems, vol. 57, no. 5, pp. 2674-2688, Oct. 2021, DOI: 10.1109/TAES.2021.3061822.
Second, this thesis introduces a novel approach to classify authentic and fake GNSS signals using Gaussian Mixture Models (GMMs), which increases detection accuracy while eliminating the need for any parameter tuning process through automated learning (the Expectation Maximization algorithm). This method can improve the performance of the algorithm in detecting spoofed signals in the sophisticated case.
Nguyen Van Hien, Nguyen Dinh Thuan, Hoang Van Hiep, La The Vinh (2020), "A Gaussian Mixture Model Based GNSS Spoofing Detector using Double Difference of Carrier Phase", Journal of Science and Technology of Technical
Third, we develop a method to simulate signals coming from different directions, which is used to validate the detection algorithm in multi-direction attack scenarios.
Nguyễn Văn Hiên, Cao Văn Toàn, Nguyễn Đình Thuận, Hoàng Văn Hiệp (2020), "Method for generating multi-direction GNSS simulation data using software-defined radio technology", pp. 178-185, Special Issue of the Institute of Electronics, 9-2020, Tạp chí Nghiên cứu Khoa học Công nghệ quân sự (Journal of Military Science and Technology).
Thesis outline
The dissertation is composed of five chapters as follows:
Chapter 1 Introduction. This chapter briefly introduces the research area. The importance of the topic, the definitions and the existing approaches are addressed. Then the contributions of the thesis are presented.
Chapter 2 Related Work. This chapter first summarizes the importance of services using GNSS. Then, a comprehensive survey of the previous algorithms and of existing work relating to interference detectors is presented. The limitations of the previous algorithms are analysed and resolved.
Chapter 3 Intermediated GNSS Spoofing Detector Based on Angle of Arrival. The development of a dual-antenna GNSS spoofing detection technique based on the dispersion of the double differences of carrier phase measurements produced by two GNSS receivers is presented in this chapter.
Chapter 4 Sophisticated GNSS Spoofing Detector Based on Angle of Arrival. This chapter presents an algorithm that uses an automated learning process (the Expectation Maximization algorithm); this approach can improve detection accuracy and detect GNSS spoofing in the sophisticated scenario while obviating the need for any parameter tuning procedure.
Chapter 5 Conclusion and Future Work. A conclusion is given in this chapter. Furthermore, some limitations of the work are presented, along with possible solutions, which may need additional study.
RELATED WORK
Civil GNSS vulnerabilities to intentional interference
Because of the low SIS (Signal in Space) signal strength [33] (Figure 2.2) (GPS L1 C/A code: -158.5 dBW; Galileo E1: -157 dBW) and the physical environment in which signals are transmitted from satellites to receivers (Figure 2.1), GNSS receivers are extremely vulnerable. An interfering signal that is just a few orders of magnitude stronger than the minimum received GNSS signal power will cause a receiver to lose lock on a satellite. Navigation receivers are vulnerable to strong interfering signals such as jamming, ionospheric and tropospheric effects and RF emitters.
Figure 2.1 The environment for transmitting signals from satellites to receivers
According to [34], GNSS nowadays use Code Division Multiple Access (CDMA), while GLONASS legacy signals use the Frequency Division Multiple Access (FDMA) technique. However, over the last decade, modernized GLONASS satellites have begun to include additional CDMA signals: the GLONASS-K1 satellites (launched in 2011, transmitting CDMA signals on the L3 band), the GLONASS-M satellites (including CDMA signals on the L3 band since 2014), and the GLONASS-K2 satellites (launched in 2018, transmitting CDMA signals also on the L1 and L2 bands). In the presence of interfering signals, the receiver's despreading procedure spreads the power of the interfering signal over a large bandwidth, as shown in Figure 2.2. Other radio frequency signals can also cause problems; for example Digital Video Broadcasting - Terrestrial (DVB-T), which is used as an incentive signal, has harmonics in the GNSS bandwidth.
Because the GNSS signal structure is publicly open, it is vulnerable to the illicit transmission of counterfeit signals, which may fool an unprotected receiver. The use of false GNSS signals to deceive the victim GNSS receiver's location or time information without completely disrupting its operation is one of the most dangerous attacks.
Figure 2.2 The low SIS signal power of GNSS (source: [35])
Figure 2.3 GNSS frequency bands (source: [36])
Radio Frequency Interference
With its low signal power, GNSS can be attacked by RFI (Radio Frequency Interference), both unintentional and intentional, as shown in Figure 2.4.
Radio frequency systems such as radar systems, DVB-T, VHF (Very High Frequency) systems, mobile satellite services, and personal electronics with high-power harmonics and intermodulation products [28] can inadvertently interfere with the GNSS signal. However, this kind of interference is somewhat resolved by proper radio frequency band management policies, which are currently applied by all governments.
The first type of intentional RFI is jamming. A jamming attacker uses devices that generate powerful signals in the GNSS band (Figure 2.6), resulting in various effects (which may lead to the failed operation of GNSS receivers) [37]. With the existing handheld GNSS jammers, GNSS signals within a radius of a few tens of meters are completely disrupted. The operating principle of these devices is to use a chirp signal to intervene in the GNSS signal's operating frequency range. To the best of our knowledge, there are no effective methods for reducing the impact of this type of attack.
Spoofing is another form of intentional interference and is one of the most dangerous attacks (Figure 2.5), because this technique uses devices that broadcast fake GNSS signals to mislead the victim GNSS receiver's position or time information without completely disrupting its operation. The incorrect position, velocity and time information produced by the attacked receiver may result in even more serious problems if it is used in other important systems, such as financial transaction synchronization, energy transmission, etc.
Figure 2.6 Cheap jammers are widely sold online (source: [38])
GNSS Interference detection techniques
In [12], [28], [33], [39], [40], the authors list some GNSS interference detection methods (as shown in Figure 2.7).
Figure 2.7 Techniques for Detecting GNSS Interference
According to [28], the AGC gain variation can be used to detect the presence of interference, because the AGC is driven by ambient noise or interference rather than by GNSS satellite signal power. However, this technique can hardly distinguish among interference, environmental changes and noise.
All GNSS receivers provide the C/N0 parameter. The interference can be modelled as an addition to the noise variance [28]. However, this technique may fail if the presence of the jammer is "masked" or "filtered" by an estimation algorithm.
In [33], non-stationary interference is typically concentrated in a small region of the time-frequency (TF) plane. The general procedure is to compare the peak magnitude of the received signal's TF distribution with a predefined threshold. However, this method has a high computational complexity. Therefore, it is difficult to implement the algorithm on a commercial receiver with limited computation capability.
Post-correlation statistical analysis (specifically used for spoofing detection)
In this approach, the Chi-square Goodness of Fit (GoF) test, implemented in a software receiver, is used and applied against two live spoofing datasets [42]. The results obtained in two scenarios (static and dynamic) demonstrate the GoF test's ability to detect the fake signal. However, similar to the time-domain statistical analysis technique, this method also has a high computational complexity. In addition, this method is implemented on a software receiver, which makes it hard to make available on existing commercial receivers.
Spoofing detection techniques
Figure 2.8 The continuum of spoofing threats: simplistic, intermediate, and sophisticated attacks (source: [27])
According to [10], [25], [27], spoofing attacks can be divided into three main categories (see Figure 2.8):
The construction of this spoofer includes a GNSS signal simulator in combination with an RF terminal used to mimic real GNSS signals. These signals are basically not synchronized with the real GNSS signals. Thus, the spoofing signals look like noise to a receiver operating in monitor mode (even if the broadcast power is higher than that of the actual signal) [10]. However, this type of device can deceive commercial receivers, especially if the power of the spoofing signal is higher than that of the authentic signal. This signal simulator is easy to detect using various anti-spoofing techniques, such as amplitude tracking, checking consistency between different measurements and checking for consistency with inertial measurement units (IMU).
This is more advanced than the simple spoofer. It includes a GNSS receiver combined with a spoofing transmitter. The system first synchronizes with the GNSS signal by extracting the current satellite positions, time and calendar data from the GPS receiver, then it generates fake signals based on this information and transmits them toward the target receiving antenna. Some of the difficulties in building this system are referencing the spoofing signals to the intended target receiver with the correct delay and signal strength. Another downside is that the spoofing power must be higher than the authentic signal power to fool the GNSS receiver. Carrier phase alignment with authentic signals. This type of spoofer overcomes many of the spoofing detection techniques of conventional single receivers because it synchronizes with the authentic signal and can spoof a receiver in tracking mode. This type of spoofer uses a single transmitting antenna, so the signals coming from the same direction can be detected via the AoA [13], [26].
According to [10], this is the most complicated and dangerous of all the spoofers. This type assumes knowledge of the centimeter-level position of the antenna phase center of the receiver under attack, in order to perfectly synchronize the spoofing signal code and carrier phase with those of the authentic signal. This type of spoofer can take advantage of a number of special antennas that can pass direction-based detection techniques. In this case, the spoofer needs to synthesize an array manifold matching that of the authentic signals to defeat direction-based spoofing detection. This device is much more complex than the two above, and at the same time has a high cost and high operating complexity [10]. In addition, there are some physical limitations regarding the locations of the transmitting antenna and the target receiver antenna. Detecting this case is quite complex. This spoofing signal can be detected using integrated inertial measurement systems. Attacks of this type can be defended against by using data encryption.
Figure 2.9 depicts a high-level overview of various anti-spoofing approaches.
According to [13], the most effective defense is the cryptographic defense, but it requires that GNSS signals be designed to support cryptographic functions. Cryptographic defenses are further classified as encryption-based approaches, which require fully or partially encrypted GNSS signals, and authentication-based defenses, which require GNSS signals to have specific features that allow them to be authenticated. Signal encryption includes code and navigation message encryption.
Figure 2.9 A summary of the various spoofing detection methods available in the literature (source: [13])
Spoofing can be detected by comparing the GNSS PVT with alternative sources of location, for example inertial units, enhanced long-range navigation (eLORAN), wireless fidelity (Wi-Fi), and cellular-based location. A detailed survey of the most promising techniques for spoofing detection proposed in the last decade for civil signals can be found in [23], where several methods are described and compared in terms of complexity and effectiveness.
Several spoofing detection techniques rely on signal characteristics that are difficult to fake, as shown in Table 2.1:
Vestigial signal defense: In [20], to detect spoofing attacks, this technique monitors distortions in the complex correlation domain. The 'vestigial signal defense' is based on the assumption that the original GNSS signals are present also during a spoofing attack [20], and the presence of residual signal components can be verified by an ad-hoc receiver. The VSD is a stand-alone software-defined defense, which means it has a low implementation cost and adds no size or weight to the receiver. It cannot be implemented in a commercial receiver.
(Figure 2.9 categories: Cryptographic; External Verification, e.g. GSM/UMTS or any system providing PVT-related information; Signal Features, e.g. AGC gain, noise floor, clock bias, jumps)
Table 2.1 Techniques of GNSS spoofing detector based on signal features
Spoofing detector based on signal features:
Angle of Arrival
  Principle: the AoA defense takes advantage of the fact that genuine GNSS signals come from multiple directions, whereas counterfeit signals come from a single source.
  Pros: it does not require external infrastructures that provide complementary PVT information or cryptographic signal features. This technique can be implemented in a software receiver or in a commercial receiver.
  Cons: this technique cannot detect the sophisticated case.
Vestigial signal defense
  Principle: to detect spoofing attacks, this technique monitors distortions in the complex correlation domain [20].
  Pros: this technique has a low implementation cost and does not increase receiver size or weight.
  Cons: a stand-alone software-defined defence. It is constrained by the difficulty of distinguishing spoofing from multipath.
Amplitude correlation
  Principle: spoofing detection method based on the correlation of the amplitudes of various received signals [41]. This technique investigates the use of a moving antenna to distinguish between the spatial signatures of authentic and spoofing signals by monitoring the amplitude and Doppler correlation of visible satellite signals.
  Pros: it is not affected by the spatial multipath fading that affects GNSS signals.
  Cons: complexity of implementation because of the moving receiver.
AGC gain
  Principle: a monitor in the RF front end that employs the automatic gain control (AGC) mechanism [43].
  Pros: low computational complexity and extremely powerful.
  Cons: a stand-alone software-defined defence. It cannot be implemented in a commercial receiver.
Amplitude correlation: In [41], the authors investigated a moving antenna to distinguish between the spatial signatures of authentic and spoofing signals by monitoring the amplitude and Doppler correlation of visible satellite signals. It is not affected by the spatial multipath fading that affects GNSS signals. The complexity of implementing this technique comes from the moving receiver.
In [19], the authors developed two methods of spoofing detection, that is, the Chi-square Goodness of Fit (GoF) test and a signature test applied to paired correlation differences, for each satellite tracked by the receiver. The algorithms show a certain effectiveness in detecting the spoofing attack. The GoF test also seems reliable under dynamic conditions and in the case of a large energy difference between spoofing and authentic signals. However, these two methods are developed on software receivers with complex algorithms, which are quite difficult to apply on commercial receivers.
AGC gain: In [43], a monitor in the Radio Frequency (RF) front end using the automatic gain control (AGC) mechanism is outlined. A GNSS simulator signal is broadcast and its power level is greater than that of the received true GNSS signal. This technique has low computational complexity. But it is implemented as a stand-alone software-defined defense; it cannot be implemented in a commercial receiver. This technique can find it difficult to distinguish between interference, environmental changes and noise.
Angle of Arrival: The angle of arrival (AoA) of a GNSS signal (Figure 2.10) is the direction from which the signal is received. These techniques are analysed in terms of complexity, cost and performance, as well as in terms of robustness against the type of spoofing attack [44]. Most of the techniques discussed in the literature are intended for single-antenna receivers, since this is the most common operating condition of receivers. Nonetheless, spoofing transmitters are expected to broadcast all the counterfeit signals from one antenna, while the authentic signals are transmitted by the satellites in orbit from widely separated directions with respect to the receiver [10]. The AoA defense exploits the fact that genuine GNSS signals come from different directions, whereas counterfeit signals are likely transmitted from a single source [23]-[25].
Figure 2.10 Angle of arrival of GNSS satellite
Figure 2.11 Angle of arrival defense against spoofing
Among all these families of approaches, spatial processing based on the AoA defense is probably the most robust and effective technique to detect and possibly mitigate counterfeit signals [24], [25]. This method has two approaches, as shown in Figure 2.11. The first approach uses the estimation of direction-of-arrival characteristics. This technique uses a multi-antenna receiver with a common oscillator and is deployed on a software receiver [25], [45]; its use in cost-constrained mass-market applications is still difficult for several reasons: the cost of the equipment, the complexity of the processing and the size of the installation.
In [21], [26] the authors developed a simple method (based on the estimation of the difference of direction-of-arrival characteristics) for spoofing detection based on differential carrier phase measurements from a pair of receivers and antennas; it requires neither dedicated hardware nor special constraints on the geometry of the system; only a basic synchronization of the receivers and the knowledge of the baseline, i.e., of the relative position of the two receiving antennas, is needed. This method is called the sum-of-squares (SoS) detector. Differently from other works [32], the SoS models carrier phase cycle ambiguities as random variables that assume values on an arbitrary set of integers. Thus, they do not need to be estimated. This formulation, derived using the generalized likelihood ratio test (GLRT) approach, leads to the SoS detector, where the decision variable is expressed as the sum of squared carrier phase single differences corrected for a pseudo mean and for their integer parts [21], [26].
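The single-source consistency test that the SoS principle and the AoA defense above build on, as an added illustration (not the thesis's code nor the published detector of [21], [26]): two antennas on a known baseline, fractional single differences of carrier phase per satellite, and a sum-of-squares statistic around a circular "pseudo mean". The signal model, the constructed satellite geometry, the threshold and the use of a circular mean as the pseudo mean are assumptions; the mixed-tracking case shows the whole-ensemble limitation noted in Chapter 1.

```python
"""Single-source (angle-of-arrival) test on dual-antenna carrier-phase single differences.

Added illustration of the principle behind the SoS detector, not the thesis's or
[21], [26]'s own implementation. Assumed model: two antennas separated by a known
baseline vector b (ENU, metres); for satellite k with unit line-of-sight u_k the
between-antenna single difference of carrier phase, in cycles, is
    SD_k = (b . u_k) / lambda + N_k + n_k
with an unknown integer ambiguity N_k and noise n_k. The fractional part of SD_k
removes N_k. Authentic satellites have different u_k, so the fractional parts
disperse; signals radiated from one spoofer antenna share one u, so they cluster.
Decision variable: sum of squared deviations of the fractional single differences
from their circular mean (the 'pseudo mean'); a small value means one common
direction of arrival. All satellite geometry below is constructed.
"""
import math
import random

LAMBDA_L1 = 0.19029             # GPS L1 carrier wavelength, m
BASELINE_ENU = (2.0, 0.0, 0.0)  # ~2 m antenna separation, as in the Scope of Research
THRESHOLD = 0.05                # cycles^2, tuned for 8 satellites and ~0.01-cycle noise (assumption)

# constructed sky: (azimuth deg, elevation deg) of eight authentic satellites
AUTHENTIC_SKY = [(30, 60), (120, 45), (200, 30), (280, 70),
                 (45, 20), (160, 80), (250, 50), (330, 35)]
SPOOFER_DIRECTION = (90, 10)    # one ground transmitter at low elevation (constructed)


def los_unit(az_deg, el_deg):
    """ENU unit vector from the antennas toward the given azimuth/elevation."""
    az, el = math.radians(az_deg), math.radians(el_deg)
    return (math.cos(el) * math.sin(az), math.cos(el) * math.cos(az), math.sin(el))


def single_difference(direction, rng, sigma_cycles=0.01):
    """Simulated SD_k in cycles: geometric term + random integer ambiguity + noise."""
    u = los_unit(*direction)
    geom = sum(b * c for b, c in zip(BASELINE_ENU, u)) / LAMBDA_L1
    return geom + rng.randint(-50, 50) + rng.gauss(0.0, sigma_cycles)


def frac(x):
    """Fractional part in [-0.5, 0.5]; discards the integer cycles N_k."""
    return x - round(x)


def circular_mean(fracs):
    """Mean of the fractional phases taken on the unit circle, in cycles."""
    s = sum(math.sin(2 * math.pi * f) for f in fracs)
    c = sum(math.cos(2 * math.pi * f) for f in fracs)
    return math.atan2(s, c) / (2 * math.pi)


def sos_statistic(sds):
    """Sum of squared (wrapped) deviations from the pseudo mean, in cycles^2."""
    fr = [frac(x) for x in sds]
    m = circular_mean(fr)
    return sum(frac(f - m) ** 2 for f in fr)


def is_single_source(sds, threshold=THRESHOLD):
    """True when all tracked signals appear to share one angle of arrival (alarm)."""
    return sos_statistic(sds) < threshold


def dataset(directions, seed=1):
    rng = random.Random(seed)
    return [single_difference(d, rng) for d in directions]


def authentic_case(seed=1):
    return dataset(AUTHENTIC_SKY, seed)


def spoofed_case(seed=1):
    # every channel captured by the spoofer: all signals arrive from one direction
    return dataset([SPOOFER_DIRECTION] * len(AUTHENTIC_SKY), seed)


def mixed_case(seed=1):
    # 'mixed tracking': four channels still authentic, four locked on the spoofer
    return dataset(AUTHENTIC_SKY[:4] + [SPOOFER_DIRECTION] * 4, seed)


if __name__ == "__main__":
    for name, sds in [("authentic", authentic_case()), ("spoofed", spoofed_case()),
                      ("mixed", mixed_case())]:
        print(f"{name:10s} statistic={sos_statistic(sds):.4f} alarm={is_single_source(sds)}")
```

In the mixed case the ensemble statistic stays large, so the whole-ensemble test raises no alarm even though half of the channels are counterfeit; this is the gap that a per-satellite double-difference (D3) approach is meant to close.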
Conclusions
In this chapter, we have presented an overview of techniques for detecting interference signals in GNSS. The first part of this chapter shows the vulnerability of GNSS, namely its low signal power and the harsh environment for signal transmission from satellites to receivers. Because of this vulnerability, GNSS is very susceptible to intentional and unintentional interference, which is described in the second part. The most serious of the interferences is the spoofing attack. In this chapter, the existing algorithms for detecting spoofed signals are analyzed. The methods that use AoA are the most effective among the GNSS spoofed signal detection algorithms. The techniques for detecting spoofed signals based on AoA are the topic of this thesis.
INTERMEDIATED GNSS SPOOFING DETECTOR BASED ON ANGLE OF ARRIVAL
Fundamental background of GNSS and Spoofing
Global Navigation Satellite Systems use a constellation of satellites to transmit data. The purpose of GNSS is almost complete coverage of the Earth's surface. The system is based on a spherical positioning system in which all transmitters (satellites) are synchronized. The receiver measures a signal parameter whose value is proportional to the distance from the source: the Time of Arrival (ToA). The signals must be time-stamped with their transmission time. The centres of the spheres are the satellites, and the distances are the radii. The intersection of at least three spheres must be used to determine the location, as shown in Figure 3.1. In this thesis we focus on the GPS system, although the work can be extended to all satellite navigation signals and systems; all the algorithms presented in this thesis are based on the GPS signal.
Figure 3.1 Spherical positioning system of GNSS
In GNSS, the time measurement is done as follows: the receiver only receives the signal in one direction; the satellites must be synchronized with high precision (within a few ns).
A pulse transmitted by a satellite at time t_0 is received at time t_0 + τ. Equation (3.1) is an approximation of the distance between TX and RX:
where c is the speed of light (≈ 3·10^8 m/s). The measurement of t_0 + τ allows the determination of R if both synchronized oscillators are perfect. However, the clock of the receiver cannot be synchronized with the satellite time scale at low cost and complexity. Then, the signals received from the satellite have a bias due to the difference between GNSS time and the receiver's clock time. The receiver's measurements are known as pseudo-ranges. A GNSS system uses four satellites to determine the location. Pseudo-ranges can be written as (3.2):
where ρ is the pseudo-range and δt_u is the user clock bias.
The user solves for the four unknowns by measuring four pseudo-ranges, as in (3.3), with respect to four satellites with known coordinates:
(x_j, y_j, z_j) is the satellite position (center of the pseudo-sphere)
ρ_j is the pseudo-range (radius of the pseudo-sphere), can be
Equation (3.3) can be solved using a linearization process [46].
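A worked solution of the pseudo-range system (3.2)-(3.3) by the linearization just mentioned, added here as an illustration (not code from the thesis or from [46]): the receiver position (x_u, y_u, z_u) and the clock bias δt_u are refined iteratively from a rough initial guess. The satellite coordinates, the true receiver position and the clock bias are constructed sample values, not real ephemeris.

```python
"""Receiver position and clock bias from pseudo-ranges by linearised least squares.

Added worked example (not the thesis's own code) for the system (3.2)/(3.3): each
pseudo-range is rho_j = ||S_j - U|| + c * dt_u, with satellite positions S_j known
and four unknowns (x_u, y_u, z_u, dt_u). The non-linear system is linearised about
the current estimate and refined iteratively (Gauss-Newton). Satellite coordinates,
the true receiver position and the clock bias below are constructed values
(ECEF metres, satellites at about the GPS orbit radius), not real ephemeris.
"""
import math

C = 299_792_458.0  # speed of light, m/s

# constructed geometry: five satellites at ~26,560 km radius, receiver on the surface
SATELLITES = [
    (0.0, 0.0, 26_560_000.0),
    (18_780_000.0, 0.0, 18_780_000.0),
    (0.0, 18_780_000.0, 18_780_000.0),
    (-18_780_000.0, 0.0, 18_780_000.0),
    (0.0, -18_780_000.0, 18_780_000.0),
]
TRUE_USER = (0.0, 0.0, 6_371_000.0)
TRUE_CLOCK_BIAS = 1.5e-4  # seconds, i.e. about 45 km of pseudo-range offset


def geometric_range(sat, user):
    """Euclidean distance between a satellite and the user position."""
    return math.sqrt(sum((s - u) ** 2 for s, u in zip(sat, user)))


def pseudorange(sat, user, clock_bias):
    """rho_j of (3.2): geometric range plus the receiver clock bias term c*dt_u."""
    return geometric_range(sat, user) + C * clock_bias


def solve_linear(A, b):
    """Gaussian elimination with partial pivoting for a small square system."""
    n = len(b)
    M = [list(row) + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for k in range(col, n + 1):
                M[r][k] -= f * M[col][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][k] * x[k] for k in range(r + 1, n))) / M[r][r]
    return x


def solve_position(sats, rhos, x0=(0.0, 0.0, 0.0), max_iter=20, tol=1e-4):
    """Gauss-Newton solution of (3.3).

    Linearising rho_j about the estimate (x, cb), with cb = c*dt_u in metres:
        rho_j - rho_hat_j ~= -e_j . dx + d(cb),
    where e_j is the unit line-of-sight vector from the user to satellite j.
    Each iteration solves the normal equations for (dx, dy, dz, d(cb)).
    Returns (position, clock bias in seconds, iterations used).
    """
    if len(sats) < 4:
        raise ValueError("at least four pseudo-ranges are needed for four unknowns")
    x, cb = list(x0), 0.0
    for it in range(1, max_iter + 1):
        H, dr = [], []
        for sat, rho in zip(sats, rhos):
            r = geometric_range(sat, x)
            e = [(s - u) / r for s, u in zip(sat, x)]
            H.append([-e[0], -e[1], -e[2], 1.0])
            dr.append(rho - (r + cb))  # measured minus predicted pseudo-range
        n = len(H)
        HtH = [[sum(H[m][i] * H[m][j] for m in range(n)) for j in range(4)] for i in range(4)]
        Htd = [sum(H[m][i] * dr[m] for m in range(n)) for i in range(4)]
        dx = solve_linear(HtH, Htd)
        x = [x[i] + dx[i] for i in range(3)]
        cb += dx[3]
        if max(abs(d) for d in dx) < tol:
            break
    return x, cb / C, it


def demo():
    """Build pseudo-ranges from the constructed truth and recover the user state."""
    rhos = [pseudorange(s, TRUE_USER, TRUE_CLOCK_BIAS) for s in SATELLITES]
    pos, bias, iters = solve_position(SATELLITES, rhos)
    err = geometric_range(pos, TRUE_USER)
    return pos, bias, iters, err


if __name__ == "__main__":
    pos, bias, iters, err = demo()
    print(f"position={pos} clock bias={bias:.3e} s after {iters} iterations, error {err:.2e} m")
```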
The GPS Signal in Space (SIS) received at the antenna can be described as [34], [46]:
P_{s,k} is the received signal power of the k-th satellite
τ_k is the propagation delay of the k-th satellite
f_{d,k} is the Doppler frequency of the k-th satellite; Φ_k is the initial carrier phase of the k-th satellite
C_k is the Coarse/Acquisition (C/A) code of the k-th satellite
D_k is the navigation data bits of the k-th satellite
In the Figure 3.2 show a basic GNSS receiver architecture The antenna receives the signals sent by the GPS satellites The input signal is amplified to the correct amplitude and the frequency is converted to the desired output frequency through the
RF front-end chain The RF front-end can be disturb by thermal noise, random fluctuations of electrical, electromagnetic, interference signals (random or deterministic) The output signal is digitalized using the Automatic Gain Control (AGC) that optimizes the gain according to the Analog-to digital Converter (ADC) dynamic range The receiver's hardware includes the antenna, RF chain, and ADC
The acquisition stage refers to the process of locating a satellite's signal The tracking stage is used to locate the navigation data's phase transition Subframes and navigation data can be accessed from the navigation data phase transformation The navigation data can be used to acquire ephemeris data and pseudo-ranges The satellite positions are calculated using ephemeris data Finally, for the satellite positions and pseudo-ranges, the user location can be determined
As shown in Figure 3.3, in the forward direction the receiver obtains the satellite identity (from the Coarse/Acquisition (C/A) code), the satellite positions and the time at which each satellite transmitted the signal (from the navigation data bits). From this information it estimates the distance to each satellite. When signals from at least four satellites are received, the receiver solves (3.3) to determine the position $(x_u, y_u, z_u)$.
In the opposite direction, to generate spurious signals, one starts from the target user position and from the satellite orbit information: the ephemeris is widely published on websites such as [47]. From these, the navigation data bits can be simulated.
Figure 3.2 A fundamental GNSS receiver architecture (source: [46])
Figure 3.3 Principles of GPS simulator
Figure 3.4 Blocks scheme of GPS simulator
Figure 3.4 shows how the spoofing signals are generated. To generate a fake position or time the following parameters are needed: the C/N0, from which the output signal power is computed; the ephemeris and almanac, published on the IGS website [48], which together with the target user location define the visible satellites and their pseudo-ranges; and the clock bias and the ionospheric and tropospheric parameters, which are set to values similar to those of the authentic signals.
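The positioning step of (3.3) and the spoofer's inverse path of Figure 3.3, as an added example in Python (not code from the thesis). Satellite positions, the receiver position and the clock bias are constructed ECEF values; the Gauss-Newton start point at the Earth centre, the iteration limit and the 4x4 solver are assumptions of this example. The point worth seeing is that the same solver, fed pseudo-ranges synthesised for a fake position, returns that fake position: with four satellites the system is exactly determined, so nothing at the pseudo-range level flags the attack.

```python
"""Pseudo-range positioning (3.3) by linearization, and the spoofer's inverse
problem of Figure 3.3: pseudo-ranges synthesised for a fake position are
accepted by the same solver without any inconsistency.

Added example, not code from the thesis. Satellite and user coordinates are
constructed ECEF values in metres; the solver details are assumptions.
"""
import math

C = 299_792_458.0  # speed of light, m/s

# Constructed satellite positions (ECEF, m), all above the horizon of the user below.
SATS = [
    (26.6e6, 0.0, 0.0),
    (0.0, 0.0, 26.6e6),
    (13.3e6, 18.8e6, 13.3e6),
    (13.3e6, -13.3e6, 18.8e6),
]
TRUE_USER = (4.0e6, 1.0e6, 4.8e6)   # constructed receiver position (ECEF, m)
TRUE_CLOCK_BIAS_S = 1.0e-6           # constructed receiver clock bias delta t_u (s)


def pseudoranges(sats, user, clock_bias_s):
    """rho_j = |s_j - u| + c * delta t_u for each satellite j (model (3.2), no atmosphere)."""
    return [math.dist(s, user) + C * clock_bias_s for s in sats]


def solve_4x4(a, b):
    """Gaussian elimination with partial pivoting for a 4x4 system A x = b."""
    n = 4
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def solve_position(sats, rho, max_iter=20, tol=1e-4):
    """Solve (3.3) for (x_u, y_u, z_u, c*delta t_u) by Gauss-Newton linearisation.

    Starting from the Earth centre with zero clock bias, each iteration
    linearises rho_j ~ |s_j - u0| - e_j . du + db, with e_j the unit vector
    from u0 towards satellite j, and solves the 4x4 system for the correction.
    Returns ((x, y, z) in metres, clock bias in seconds)."""
    u = [0.0, 0.0, 0.0]
    b = 0.0
    for _ in range(max_iter):
        jac, resid = [], []
        for s, r in zip(sats, rho):
            d = math.dist(s, u)
            e = [(s[i] - u[i]) / d for i in range(3)]
            jac.append([-e[0], -e[1], -e[2], 1.0])
            resid.append(r - (d + b))
        delta = solve_4x4(jac, resid)
        u = [u[i] + delta[i] for i in range(3)]
        b += delta[3]
        if math.sqrt(sum(v * v for v in delta)) < tol:
            break
    return (u[0], u[1], u[2]), b / C


def spoofed_solution(sats, fake_user, fake_clock_bias_s):
    """The spoofer's direction of Figure 3.3: synthesise pseudo-ranges for a
    chosen fake position and clock, then show what a receiver solving (3.3)
    returns. The fix lands on the fake position, not on the true one."""
    return solve_position(sats, pseudoranges(sats, fake_user, fake_clock_bias_s))


if __name__ == "__main__":
    pos, bias = solve_position(SATS, pseudoranges(SATS, TRUE_USER, TRUE_CLOCK_BIAS_S))
    print("authentic fix:", pos, bias)
    fake = (4.0e6, 1.05e6, 4.8e6)   # constructed fake position 50 km from the truth
    print("spoofed fix:  ", spoofed_solution(SATS, fake, TRUE_CLOCK_BIAS_S))
```

The solver converges from the Earth centre in a handful of iterations for this geometry; with real data the pseudo-ranges would also carry the satellite clock and atmospheric terms that the thesis lists as parameters the spoofer sets to plausible values.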
3.2 Detection of a subset of counterfeit GNSS signals based on the Dispersion of the Double Differences (D 3 )
[Figure 3.4 block labels: Interference model (continuous wave, narrow band, pulse, ...); Multipath model (multipath of SV1, SV2, ...); Power of signal; Spreading; Data; Carrier frequency]
The first block in Figure 3.6 shows the development of a dual-antenna GNSS spoofing detection technique based on the dispersion of the double differences of carrier phase measurements (D3) made by two GNSS receivers. The approach does not require the receivers to be synchronized. It builds on the Sum of Squares (SoS) detector (Figure 3.5), recently introduced as a simple and efficient method for detecting a common angle of arrival for all GNSS signals arriving at a pair of antennas. The presence of such a common angle is accepted as an unambiguous indication of spoofed GNSS signals. Nevertheless, the SoS algorithm has some weaknesses. First, it assumes that all received signals originate from the same source, whereas it is feasible that the receiver tracks only a subset of counterfeit signals within the whole signal ensemble. The method proposed in this section addresses this issue by modifying the SoS detection metric so that subsets of counterfeit signals can be identified. The effectiveness of the proposed strategy is demonstrated by several simulation experiments in both authentic and spoofed signal conditions.
Figure 3.5 Block diagram of SoS Detector
Figure 3.6 Block diagram of D 3 Detector
3.2.1 Differential Carrier-Phase Model and SoS Detector
The carrier phase measurements of a stand-alone GNSS receiver can be written, according to [13], [26], as (3.5), where:
• $\phi_i$ is the carrier phase measurement for the $i$th satellite ($i = 1, 2, \ldots, I$), expressed in meters;
• $r_i$ is the geometric range between the receiver and the $i$th satellite;
• $c$ is the speed of light;
• $\delta t_i$ is the $i$th satellite clock error;
• $\delta T$ is the receiver clock error;
• $\varepsilon_i$ is a noise term accounting for residual un-modeled errors, including thermal noise and multipath.
If we consider two receivers observing the same satellites at the same time, their output data can be used to build the single carrier phase difference for each satellite in common view:
$$\Delta\phi_i = \phi_i^{(1)} - \phi_i^{(2)} = \left(r_i^{(1)} - r_i^{(2)}\right) + \Delta N_i\,\lambda + c\left(\delta T^{(2)} - \delta T^{(1)}\right) + \Delta\varepsilon_i \quad (3.6)$$
where the superscripts (1) and (2) denote measurements from the two receivers. For short baselines, the ionospheric and tropospheric errors cancel out. Moreover, the difference of the ranges between the satellite and the two receivers, $r_i^{(1)} - r_i^{(2)}$, can be expressed as in [26]:
$$r_i^{(1)} - r_i^{(2)} = D\cos(\alpha_i) \quad (3.7)$$
where $D$ is the distance between the two antennas and $\alpha_i$ is the angle of arrival (AoA) of the $i$th satellite signal, as depicted in Figure 3.7. The double carrier phase difference (DD) between the $i$th satellite single difference and the reference satellite single difference, indicated here with the subscript 'r', removes the differential clock bias term $c\left(\delta T^{(2)} - \delta T^{(1)}\right)$ from (3.6):
$$\Delta\nabla\varphi_i = \frac{D}{\lambda}\left[\cos(\alpha_i) - \cos(\alpha_r)\right] + \Delta\nabla N_i + \Delta\nabla\varepsilon_i \quad (3.8)$$
expressed in units of cycles. Notice that the choice of using the double difference measurements $\Delta\nabla\varphi_i$ in the construction of the detector is equivalent to the option expressed in [26], equation (10), and further discussed in [13], equation (39).
Figure 3.7 Reference geometry for the dual-antenna system
3.2.2 Sum of Squares Detector Based on Double Differences
In (3.8), the term $\cos(\alpha_i) - \cos(\alpha_r)$ depends only on the AoA of the $i$th and of the reference received signals. In normal conditions, GNSS signals are transmitted by different satellites and arrive at the receiver from different directions: $\cos(\alpha_i) \neq \cos(\alpha_j)\ \forall (i,j)$. On the contrary, in the case of counterfeit signals all transmitted from the same source, the received signals share a common AoA, so that $\cos(\alpha_i) - \cos(\alpha_j) = 0\ \forall (i,j)$. Thus, [26], equation (10), and [13], equation (39), show that the double differences in (3.8) can be used to design a statistical test on the two hypotheses:
$$H_0)\ \ \cos(\alpha_i) - \cos(\alpha_j) = 0\ \ \forall (i,j)$$
$$H_1)\ \ \exists\, i,j : \cos(\alpha_i) - \cos(\alpha_j) \neq 0 \quad (3.9)$$
where the null hypothesis $H_0$ corresponds to counterfeit signals and $H_1$ to the nominal condition in which the signals are authentic. The Generalized Likelihood Ratio Test (GLRT) approach proposed in [13], [26] discriminates between $H_0$ and $H_1$ at each observation epoch using the following test statistic:
$$\Lambda_{SoS}(\Delta\nabla\varphi) = \sum_i \omega_i \left[\Delta\nabla\varphi_i - \mathrm{round}(\Delta\nabla\varphi_i)\right]^2$$
Performance Analysis of the Dispersion of Double Differences Algorithm to
3.3.1 Theoretical analysis of performance and decision threshold
The test metric (3.19) is the squared difference of the fractional DDs of a pair of signals $(j,k)$, each having a Gaussian distribution according to (3.13). Therefore, the normalized metric $\Lambda_{D^3}(j,k)/(\sigma_j^2 + \sigma_k^2)$ is a random variable with a $\chi^2$ distribution with one degree of freedom, because at any instant it is the square of the Gaussian random variable $(\mu_j - \mu_k)$, which has variance $\sigma_j^2 + \sigma_k^2$:
$$\frac{\Lambda_{D^3}(j,k)}{\sigma_j^2 + \sigma_k^2} \sim \chi^2_1(\lambda) \quad (3.22)$$
where $\lambda$ is the non-centrality parameter of the distribution, which depends on the mean value of $(\mu_j - \mu_k)$:
It is worth noticing explicitly that $\lambda$ can be time-variant, following the variations of $\mu_j, \mu_k$ over time. However, the relationship (3.22) does not change. Since the test hypotheses (3.18) are formulated for a single epoch, the following discussion is independent of the temporal variation of the non-centrality parameter $\lambda$.
If we define the pairwise hypotheses as
$h_0$ (null pairwise hypothesis): the two signals are counterfeit;
$h_1$ (alternative pairwise hypothesis): at least one of the two signals is genuine; then the $\chi^2_1(\lambda)$ distribution (3.22) is central under $h_0$, i.e.:
Notice that (3.25) expresses the fact that $\mu_j, \mu_k$ cluster around the same mean value, which is not necessarily 0 nor necessarily constant in time. On the other hand, the
$\chi^2_1(\lambda)$ distribution (3.22) is non-central under $h_1$, i.e.:
The probability density function of the theoretical $\chi^2$ distribution with one degree of freedom [53]-[56] is reported for the $h_0$ and $h_1$ hypotheses in (3.28), where $I_\nu(t)$ is the modified Bessel function of the first kind of order $\nu$.
In order to verify the above assumptions with numerical results, we simulate three time series of DD measurements, generated according to the models (3.5) and (3.8): two of them share the same geometrical term and thus fall under the null hypothesis $h_0$; the third one has a different geometrical term and thus falls under the alternative hypothesis $h_1$. All the series have the same variance $\sigma^2$. For the two pairs of DDs, we compute the numerical distribution of the normalized decision metric $\Lambda_{D^3}(j,k)/(2\sigma^2)$ as a normalized histogram of occurrences and compare it with the theoretical distributions (3.28). The comparison between sample and theoretical distributions is shown in Figure 3.22 for the $h_1$ condition and in Figure 3.23 for the $h_0$ one, confirming the correct match in both cases. It is worth noticing that under the $h_1$ hypothesis the slopes of the DD time series generated by authentic signals differ from each other (see Figure 3.21), and therefore the geometrical terms $m_j, m_k$ in (3.15) change over time at different rates. In these conditions the non-centrality parameter of the $\chi^2_1$ distribution is time-varying and the sample distribution cannot be estimated directly from the time series. To overcome this effect, a de-trending process must be applied to the DD measurements before forming the decision metrics; after that, the sample distribution can be estimated and the $f_{\chi^2}(x; 1, \lambda)$ function can be represented on a two-dimensional plot, as in Figure 3.22.
(2) Hypothesis $h_0$: determination of the pairwise detection threshold and missed detections
Based on the theoretical characterization above, this subsection derives the pairwise detection threshold $\xi_{jk}^2$ as a parameter determined from a target pairwise probability of missed detection. The approach used here is similar to the guidelines stated in [58].
Under the $h_0$ hypothesis, consider two fractional DDs $\mu_j, \mu_k \in \mathcal{S}$. According to (3.19), we can define the pairwise probability of detection $P_d$ as:
The corresponding pairwise probability of missed detection $P_{md}$ can then be stated as:
By exploiting (3.22) and (3.28), $P_{md}$ can be formulated as:
(3.31) where $F_{\chi^2}(\cdot)$ is the Cumulative Distribution Function (CDF) of the $\chi^2$ distribution and
$\xi^2$ is the threshold value. Notice that the normalization (3.22) implies:
Figure 3.21 Fractional DD measurements in mixed tracking conditions under spoofing attack. Five of the eight signals are counterfeit. The reference signal is counterfeit, so that $M_{cnt} = 0$
Expression (3.30) cannot be solved in closed form, but it can be evaluated numerically through the quantile function [53]. Thus, for a given target $P_{md}$, the threshold $\xi^2$ is found by inverting (3.30) [58]. The values of $\xi^2$ for different values of the pairwise $P_{md}$ are reported in Figure 3.24, where, as a function of the range of possible values of $\Lambda_{D^3}/(2\sigma^2)$ in (3.29), the curves of the CDF $F_{\chi^2}(\cdot)$ and of $1 - \mathrm{CDF}$ (3.30) are drawn as a blue dash-dotted line and a red continuous line respectively; for instance, the black dotted line sets a target pairwise $P_{md} = 0.01$ and determines the corresponding detection threshold $\xi^2 = 6.26$, read on the $1 - F_{\chi^2}(\xi^2)$ curve.
Figure 3.22 Normalized distribution under the $h_1$ condition: comparison between theoretical and sample distribution
[Figure legend: PRN 5, PRN 7, PRN 8, PRN 16, PRN 17, PRN 21, PRN 25, PRN 32]
Figure 3.23 Normalized distribution under the $h_0$ condition: comparison between theoretical and sample distribution
The validity of the relationship (3.30) between the detection threshold and the pairwise probability of missed detection can be checked numerically via simulation. We employ two-hour-long time series of carrier phase measurements computed by two software receivers on RF simulated signals, generated under the hypothesis of a single transmitting source and equal C/N0. The DD measurements $\mu_j, \mu_k \in \mathcal{S}$ are then generated at 1 Hz (with $\sigma_j^2 = \sigma_k^2 = \sigma^2$), the test metric (3.19) is computed at each epoch, normalized to $2\sigma^2$ and compared with the threshold $\xi^2$. In this way, a good estimator of $P_{md}$ is the missed-detection rate $R_{md}$, defined as:
Figure 3.24 Relationship between $\xi^2$ and pairwise $P_{md}$ under the $h_0$ condition (logarithmic scale on the Y axis; the marked point sets the pairwise detection threshold $\xi^2$ at $P_{md} = 0.01$)
For example, for a detection threshold set to $\xi^2 = 6.26$, the resulting $R_{md}$ is equal to 0.0114, which is close to the target $P_{md} = 0.01$; the confidence of this estimate is on the order of $P_{md}/10$ for the available simulation length. Using the same simulated dataset, the spoofing detection test is applied with different values of the target $P_{md}$, which correspond to different values of the threshold $\xi^2$. The agreement between the estimated $R_{md}$ (3.33) and the target $P_{md}$ is always satisfactory, as can be appreciated in Figure 3.25, which reports the curve of the target $P_{md}$ (blue line) as a function of the corresponding threshold $\xi^2$, compared with the estimated $R_{md}$ (red dotted line). The confidence interval of each estimate is indicated by the black segments: for $P_{md} < 0.005$ the simulation length is not sufficient for a reliable estimate using (3.33).
Figure 3.25 Comparison between the theoretical P md and the computed missed- detection rate R md for various values of detection threshold ξ 2
(3) Hypothesis $h_1$: analysis of the false alarms
Under the $h_1$ hypothesis, for two measurements $\mu_j, \mu_k$ such that $\mu_j$ or $\mu_k \in \mathcal{A}$, the event $(\mu_j - \mu_k)^2 \le \xi_{jk}^2$ is a wrong detection, i.e., a false alarm. The pairwise probability of false alarm $P_{fa}$ is then defined as
$$P_{fa} = \mathrm{Prob}\left\{(\mu_j - \mu_k)^2 \le \xi_{jk}^2 \,\middle|\, h_1\right\} \quad (3.34)$$
which is a function of $P_{md}$ through the threshold $\xi_{jk}^2$ (3.32) and of $(m_j - m_k)^2$ through the non-centrality parameter (3.26). Using the theoretical expression of the cumulative distribution function associated with the density (3.28), the pairwise probability of false alarm (3.34) can be written as
whose numerical integration is reported in Figure 3.26 for various possible values of $\lambda|_{h_1}$.
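The threshold-setting procedure of (3.30)-(3.32), the missed-detection rate $R_{md}$ of (3.33) and the false-alarm probability (3.34) of this subsection, as one added example in Python (not code from the thesis). Instead of a numerical quantile table it uses the closed form of the $\chi^2_1$ CDF through the error function, and for the non-central case the identity that $\chi^2_1(\lambda)$ is the square of a unit-variance Gaussian with mean $\sqrt{\lambda}$. The series lengths, $\sigma$ and the drifting common mean are constructed; the non-centrality form $\lambda = (m_j - m_k)^2/(\sigma_j^2 + \sigma_k^2)$ is an assumption of this example. The block also evaluates the tail probability at the threshold value read from Figure 3.24, so the reader can compare it with the target $P_{md}$ and the simulated $R_{md}$ quoted above.

```python
"""Pairwise D3 decision threshold from a target P_md, the missed-detection
rate R_md, and the false-alarm probability P_fa for a non-central chi^2_1.

Added example, not code from the thesis. The chi^2_1 CDF is taken in closed
form through erf; sigma, series lengths and the drifting mean are constructed;
the non-centrality form lambda = (m_j - m_k)^2 / (sigma_j^2 + sigma_k^2) is assumed.
"""
import math
import random


def normal_cdf(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def chi2_1_cdf(x, lam=0.0):
    """CDF of chi^2_1(lambda). A non-central chi^2_1(lambda) is (Z + sqrt(lambda))^2
    with Z ~ N(0,1), so P{(Z + sqrt(lambda))^2 <= x} = Phi(sqrt(x) - sqrt(lambda))
    - Phi(-sqrt(x) - sqrt(lambda)); lambda = 0 gives the central case."""
    if x <= 0.0:
        return 0.0
    s, r = math.sqrt(x), math.sqrt(lam)
    return normal_cdf(s - r) - normal_cdf(-s - r)


def pmd_for_threshold(xi2):
    """Pairwise P_md = Prob{Lambda/(sigma_j^2 + sigma_k^2) > xi^2 | h0} = 1 - F(xi^2), as in (3.30)."""
    return 1.0 - chi2_1_cdf(xi2)


def threshold_for_pmd(target_pmd, lo=0.0, hi=100.0):
    """Invert (3.30) by bisection: the xi^2 whose central chi^2_1 tail equals target_pmd."""
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if pmd_for_threshold(mid) > target_pmd:
            lo = mid          # tail still too large: threshold must move right
        else:
            hi = mid
    return 0.5 * (lo + hi)


def pfa_for_threshold(xi2, lam):
    """Pairwise P_fa = Prob{Lambda/(sigma_j^2 + sigma_k^2) <= xi^2 | h1}, (3.34), for chi^2_1(lambda)."""
    return chi2_1_cdf(xi2, lam)


def noncentrality(m_j, m_k, sigma2_j, sigma2_k):
    """Assumed non-centrality parameter for the pair (j, k) under h1."""
    return (m_j - m_k) ** 2 / (sigma2_j + sigma2_k)


def pairwise_metric(mu_j, mu_k):
    """Lambda_D3(j, k) = (mu_j - mu_k)^2 of (3.19) at one epoch."""
    return (mu_j - mu_k) ** 2


def missed_detection_rate(mu_j_series, mu_k_series, sigma2_j, sigma2_k, xi2):
    """R_md: fraction of h0 epochs in which the normalised metric exceeds xi^2,
    i.e. two counterfeit signals are wrongly declared not to share an AoA."""
    norm = sigma2_j + sigma2_k
    missed = sum(1 for a, b in zip(mu_j_series, mu_k_series)
                 if pairwise_metric(a, b) / norm > xi2)
    return missed / len(mu_j_series)


def simulate_h0_pair(n_epochs, sigma, seed=7):
    """Constructed fractional DDs of two counterfeit signals at 1 Hz: a common,
    slowly drifting mean (the h0 condition of (3.25)) plus independent noise.
    The drift stays inside +/-0.3 cycle, so no wrap at +/-0.5 cycle occurs; a
    real implementation must handle that wrap before differencing."""
    rng = random.Random(seed)
    mu_j, mu_k = [], []
    for t in range(n_epochs):
        mean = 0.3 * math.sin(t / 600.0)
        mu_j.append(mean + rng.gauss(0.0, sigma))
        mu_k.append(mean + rng.gauss(0.0, sigma))
    return mu_j, mu_k


if __name__ == "__main__":
    xi2 = threshold_for_pmd(0.01)
    print(f"xi^2 for P_md = 0.01: {xi2:.3f}; P_md implied by xi^2 = 6.26: {pmd_for_threshold(6.26):.4f}")
    sigma = 0.03
    mu_j, mu_k = simulate_h0_pair(7200, sigma)   # two hours at 1 Hz
    print("R_md over 2 h:", missed_detection_rate(mu_j, mu_k, sigma**2, sigma**2, xi2))
    for lam in (0.0, 1.0, 4.0, 16.0):
        print(f"P_fa(xi^2 = {xi2:.2f}, lambda = {lam}) = {pfa_for_threshold(xi2, lam):.3f}")
```

Because $\mu_j - \mu_k$ cancels the common mean exactly, the simulated $R_{md}$ tracks the target $P_{md}$ regardless of the drift, which is the point of formulating the pairwise test on differences rather than on the absolute fractional DDs. The $P_{fa}$ curve makes the trade-off explicit: a threshold chosen for a small $P_{md}$ is large, and pairs whose AoA difference gives a small $\lambda$ are the ones that slip through.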
Notice that the range of feasible values of the non-centrality parameter $\lambda|_{h_1}$ can be computed from the possible values of the differential geometrical term
$(m_j - m_k)$ and of the standard deviation of the measurement noise; such an analysis is reported in Figure 3.27, where it appears that $\lambda|_{h_1}$ is small (i.e., say, $\lambda|_{h_1}$