Detect and localize interference sources for global navigation satellite systems

v 4.2 A Gaussian Mixture Model Based GNSS Spoofing Detector using Double Difference of Carrier Phase in simple spoofing scenario .... 108 4.3 A novel approach to classify authentic and

MINISTRY OF EDUCATION AND TRAINING

HANOI UNIVERSITY OF SCIENCE AND TECHNOLOGY

NGUYEN VAN HIEN

DETECT AND LOCALIZE INTERFERENCE SOURCES FOR GLOBAL NAVIGATION SATELLITE SYSTEMS

Major: Computer Engineering

Code No: 9480106

COMPUTER ENGINEERING DISSERTATION

SUPERVISORS:

1 Assoc Prof La The Vinh

2 Assoc Prof Fabio Dovis

Hanoi -2022

i

STATEMENT OF ORIGINALITY AND AUTHENTICITY

I hereby declare that all the content and organization of the thesis is the product of

my own research and does not compromise in any way the rights of third parties, and all citations are explicitly specified from credible sources I further confirm that all the data and results in the thesis are performed on actual devices completely true and have never been published by anyone else

Hanoi, August 2022

Prof Fabio Dovis

ii

ACKNOWLEDGEMENTS

First of all, I would like to thanks my supervisor Assoc.Prof La The Vinh sincerely, for his guiding, supporting and motivating me throughout the whole my PhD student time

I would also like to express my gratitude to the members of the Navigation, Signal Analysis and Simulation (NavSAS) and Navis Centre In many ways, they have contributed to all the research activities presented in the thesis Mainly, I want to express my gratitude to Dr Gianluca Falco and Dr Nguyen Dinh Thuan, their endless support and huge knowledge have greatly contributed to my work And I would like

to express my gratitude to Dr Emanuela Falletti, who offered scientific guidance and suggestions to help me develope and finish my research during my period at NavSAS Thanks to Assoc.Prof Fabio Dovis, who gave me important ideas and guided me to

do my research especially during my period at Politecnico Di Torino

I sincerely thanks to VINIF With the great financial support of the VINIF, my research conditions have greatly improved, and I am fully committed to the works with all of my creative energy

This work was funded by Vingroup Joint Stock Company and supported by the Domestic Master/ PhD Scholarship Programme of Vingroup Innovation Foundation (VINIF), Vingroup Big Data Institute (VINBIGDATA), code VINIF.2020.TS.129

I would also like to thank the members of the dissertation committee for their insightful suggestions, which have helped me develop and finish this dissertation Last but not least, I am grateful to my parents and my wife for their unconditional love, encouragement, support and motivation, as well as for inspiring me to overcome all challenges and difficulties in order to finish this thesis

iii

TABLE OF CONTENTS

STATEMENT OF ORIGINALITY AND AUTHENTICITY i

ACKNOWLEDGEMENTS ii

TABLE OF CONTENTS iii

LIST OF ACRONYMS vi

LIST OF TABLES viii

LIST OF FIGURES ix

ABSTRACT xiv

1 INTRODUCTION 16

1.1 Overview 16

1.2 Motivation 17

1.3 Problem statement 18

1.4 Scope of Research 19

1.5 Contribution 19

1.6 Thesis outline 20

2 RELATED WORK 21

2.1 Civil GNSS vulnerabilities to intentional interference 21

2.2 Radio Frequency Interference 23

2.3 GNSS Interference detection techniques 25

2.4 Spoofing detection techniques 26

2.4.1 Classification of spoofing threat 26

2.4.2 Spoofing detection algorithms 27

2.5 Conclusions 32

3 INTERMEDIATED GNSS SPOOFING DETECTOR BASED ON ANGLE OF ARRIVAL 33

3.1 Fundamental background of GNSS and Spoofing 33

3.1.1 GNSS positioning theory 33

3.1.2 GPS signal 34

3.1.3 GNSS receiver architecture 35

3.1.4 GNSS spoofing 35

iv

3.2 Detection of a subset of counterfeit GNSS signals based on the Dispersion

of the Double Differences (D

) 37

3.2.1 Differential Carrier-Phase Model and SoS Detector 38

3.2.2 Sum of Squares Detector Based on Double Differences 40

3.2.3 Some Limitations of the SoS Detector 42

3.2.4 Detection Of A Subset Of Counterfeit Signals Based On The Dispersion Of The Double Differences (D

) 44

3.2.5 Determination of the Decision Threshold 45

3.2.6 Cycle slip monitoring: the Doppler shift monitor 47

3.2.7 Reducing the probability of incorrect decision by time averaging 48

3.2.8 Experimental Results 49

3.3 Performance Analysis of the Dispersion of Double Differences Algorithm to Detect Single-Source GNSS Spoofing 54

3.3.1 Theoretical analysis of performance and decision threshold 54

3.3.2 Performance evaluation of robust D

implementations 65

3.3.3 Considerations on practical performance 69

3.3.4 Performance assessment 70

3.4 A Linear Regression Model of the Phase Double Differences to Improve the D

Spoofing Detection Algorithm 78

3.4.1 Limitations of D

algorithm 78

3.4.2 The piecewise linear model 80

3.4.3 The proposed LR-D

detector 83

3.4.4 Performance assessment with in-lab GNSS signals 87

3.5 Conclusions 92

4 SOPHISTICATED GNSS SPOOFING DETECTOR BASED ON ANGLE OF ARRIVAL 94

4.1 Gaussian Mixture Models and Expectation-Maximization for GMM (source [67]) 94

4.1.1 Gaussian distribution 94

4.1.2 GMM Distribution 95

4.1.3 Maximum likelihood for the Gaussian 100

4.1.4 The expectation maximization algorithm for GMM (source [67]) 101

v

4.2 A Gaussian Mixture Model Based GNSS Spoofing Detector using Double

Difference of Carrier Phase in simple spoofing scenario 108

4.3 A novel approach to classify authentic and fake GNSS signals in sophisticated spoofing scenario using Gaussian Mixture Model 109

4.3.1 Grouping of Double Carrier Phase Difference 109

4.4 Multi-Directional GNSS Simulation Data Generation Method Use of Software Defined Radio Technology 115

4.4.1 Multidirectional GNSS signal simulation 115

4.4.2 Signal and system model 116

4.5 Experimental result 117

4.5.1 Multidirectional GNSS signals simulation 117

4.5.2 Sophisticated GNSS spoofing detector 120

4.6 Conclusions 123

5 CONCLUSIONS AND FUTURE WORKS 125

PUBLICATIONS 127

REFERENCES 128

vi

LIST OF ACRONYMS

Acronym Meaning

ADC Analog to Digital Converters

AGC Automatic Gain Control

C/N0 Carrier-to-Noise density

CDMA Code Division Multiple Access

D

Dispersion of the Double Differences

DVBT Digital Video Broadcasting – Terrestrial

FDMA Frequency Division Multiple Access

FNR False Negative Rate

FPR False Positive Rate

GLRT General Likelihood Ratio Test

GMM Gaussian Mixture Model

GNSS Global Navigation Satellite Systems

GPS Global Positioning System

GSM Global System for Mobile Communications

vii

IMU Inertial Measurement Units

OEM Original Equipment Manufacturer

PVT Position, Velocity and Time

RFI Radio Frequency Interference

TPR True Positive Rate

UTMS Universal Mobile Telecommunications System

VSD Vestigial Signal Defense

viii

LIST OF TABLES

Table 2.1 Techniques of GNSS spoofing detector based on signal features 29 Table 3.1 Percentage of correct decisions for SoS and D

, in the three scenarios under test 52 Table 3.2 Statistical performance of the D

algorithm with two baselines 67 Table 3.3 Static tests: estimation of the probability of missed detection on the counterfeit signals (%) the ‘overall’ case is the probability of missed detection of three counterfeit signals 71 Table 3.4 Static tests: Estimation of the probability of false alarms on the authentic signals (%) 72 Table 3.5 Dynamic tests: aircraft trajectories description 73 Table 3.6 Dynamic test TRJ1: Estimation of the probability of missed detection on the counterfeit signals (%) The ‘overall’ case is the probability of missed detection

of three counterfeit signals 75 Table 3.7 Dynamic test TRJ1: Estimation of the probability of false alarm on the authentic signals (%) 75 Table 3.8 Dynamic test TRJ2: Estimation of the probability of missed detection on the counterfeit signals (%) 76 Table 3.9 Dynamic test TRJ2: Estimation of the probability of false alarm on the authentic signals (%) 76 Table 3.10 Static test with Real Measurements: Detection Results for Test #1 77 Table 3.11 Dynamic tests with Real Measurements: Tests trajectories description 77 Table 3.12 Dynamic tests with Real Measurements: Detection Results for Test #4 78 Table 3.13 Comparison of detection performance for 2 hours of signal simulation: LR-D

and standard D

algorithms 88 Table 3.14 Detection performance as a function of C/N0 91 Table 4.1 The result of cross validation testing 120 Table 4.2 The result of Fractional DDs in case of Intermediate spoofing attack, where the DDs of authentic satellites cross the ones related to the spoofed satellites 122 Table 4.3 Normalized confusion matrix of Fractional DDs in case of Intermediate spoofing attack 123

ix

LIST OF FIGURES

Figure 1.1 Applications of GNSS (source:[12]) 16

Figure 2.1 The enviroment for transmitting signals from satellites to receivers (source: [33]) 21

Figure 2.2 The low SIS signal power of GNSS (source: [35]) 22

Figure 2.3 GNSS frequency bands (source: [36]) 22

Figure 2.4 Radio frequency interference 23

Figure 2.5 Intermediated Spoofing Scenario 24

Figure 2.6 Cheap jammers are widely sold online (source: [38]) 24

Figure 2.7 Techniques for Detecting GNSS Interference 25

Figure 2.8 Three continuum of spoofing threat: simplistic, intermediate, and sophisticated attacks (source: [27]) 26

Figure 2.9 A summary of the various spoofing detection methods available in the literature (source: [13]) 28

Figure 2.10 Angle of arrival of GNSS satellite 30

Figure 2.11 Angle of arrival defense Spoofing 31

Figure 3.1 Spherical positioning system of GNSS 33

Figure 3.2 A fundamental GNSS receiver architecture (source: [46]) 35

Figure 3.3 Principles of GPS simulator 36

Figure 3.4 Blocks scheme of GPS simulator 37

Figure 3.5 Block diagram of SoS Detector 38

Figure 3.7 Reference geometry for the dual-antenna system 40

Figure 3.8 Fractional DDs and SoS detector results under simulated spoofing attack (H0) 41

Figure 3.9 Fractional DDs and SoS detector results in normal conditions (H1) 42

Figure 3.10 Fractional DD measurements and SoS detection metric in mixed tracking conditions under spoofing attack Only three signals out of nine are counterfeit The reference signal is authentic 43

Figure 3.11 Example of cycle slips effect on the SoS metric in the presence of single source The detector is not able to reveal a spoofing attack when cycle slips occur 43 Figure 3.12 Zero baseline fractional DD measurements for various values of input C/N0 ratio In this setup the ratio was equal for all the simulated signals 46

x

Figure 3.13 Empirical mapping of the relationship between threshold ξk and input

C/N0 ratio 47

Figure 3.14 Fractional DD measurements and SoS metric in the presence of single source after removing cycle slips 48

Figure 3.15 Authentic signals scenario 49

Figure 3.16 Simplistic spoofing attack scenario 50

Figure 3.17 Intermediate spoofing attack scenario 50

Figure 3.18 Fractional DD measurements and SoS metric in the Authentic signals scenario When cycle slips occur, the DDs are not computed 52

Figure 3.19 D

detector results in the Authentic signals scenario 53

Figure 3.20 Fractional DDs in case of Intermediate spoofing attack, where the DDs of authentic satellites (PRN 23) cross the ones related to the spoofed satellites 54

Figure 3.21 Fractional DD measurements in mixed tracking conditions under spoofing attack Five signals of eight are counterfeit The reference signal is counterfeit, so that Mcnt = 0 57

Figure 3.22 Normalized distribution under the h1 condition: comparison between theoretical and sample distribution 57

Figure 3.23 Normalized distribution under the h0 condition: comparison between theoretical and sample distribution 58

Figure 3.24 Relationship between ξ

and pairwise Pmd, under the h0 condition (logarithmic scale on the Y axis) 58

Figure 3.25 Comparison between the theoretical Pmd and the computed missed-detection rate Rmd for various values of missed-detection threshold ξ

59

Figure 3.26 Theoretical values of Pfa (3.24) as a function of ξ

and for several non-centrality parameters λ 60

Figure 3.27 Evaluation of the feasible range of values for the non-centrality parameter λ, as a function of the difference |mj-mk | and of the standard deviation of the measurement noise σ 61

Figure 3.28 Measured values of Rfa as a function of ξ

for a two-hours simulation in which |mj-mk | varies along time and so does the non-centrality parameter λ|(h1) 61

Figure 3.29 Pairwise operating curves (i.e., pairwise Pfa (λ) as a function of the pairwise Pmd ) for the D

detection rule, for several non-centrality parameters λ 62

Figure 3.30 Estimated PMD for the D

algorithm under the H0 condition 64

Figure 3.31 ROC curves for the D

spoofing detection algorithm, for several non-centrality parameters λ 64

xi

Figure 3.32 Estimated PMD for the D

algorithm with averaged fractional DDs, under the H0 condition and for different averaging window lengths η 66 Figure 3.33 Comparison of ROC curves for the D

spoofing detection algorithm with

1 and 2 baselines, for several non-centrality parameters λ 68 Figure 3.34 Static test: Double carrier phase differences with respect to a counterfeit reference satellite 72 Figure 3.35 Double carrier phase differences of the 1

baseline (top) and 2

baseline (bottom) in TRJ 1 74 Figure 3.36 Block diagram of LR-D

Detector 78 Figure 3.37 Fractional DD measurements in mixed tracking conditions under spoofing attack Five signals of eight are counterfeit 79 Figure 3.38 Sequences of decisions, with false alarms, in the standard D

spoofing detector algorithm for PRNs 25 and 16 80 Figure 3.39 Example of fractional DD approximated by piecewise straight lines 80 Figure 3.40 Example of estimated value of line slope and intercept 82 Figure 3.41 Measured pairwise missed-detection rate for the detection events Aij and Bij evaluated on three data collections at different SNR 86 Figure 3.42 Overall probability of missed-detection (PMD) estimated for the LR-D

and the standard D

algorithms 86 Figure 3.43 Measured pairwise false-alarm rate for the detection events Aij and Bij evaluated on three data collections at different SNR 87 Figure 3.44 Overall probability of false-alarm (PFA) estimated for the LR- D

and the standard D

algorithms 87 Figure 3.45 Time series of the fractional DD measurements computed from a GNSS dataset, including both authentic and spoofed signals 88 Figure 3.46 Decisions produced by the standard D

algorithm 89 Figure 3.47 Decisions produced by the LR-D

algorithm 90 Figure 3.48 Examples of slope estimates (a) and intercept estimates (c), and associated pairwise false alarm rates for events A7-25(b) and B7-25(d) Here PRN 7 ∈ S and PRN 25 ∈ A 90 Figure 3.49 Measured missed-detection rate and false alarm rate, evaluated on three data collections at different C/N0 (dataset 1: 39 dBHz; dataset 2: 42 dBHz, dataset 3:

45 dBHz) as a function of the detection threshold λ 91 Figure 3.50 Measured pairwise missed-detection rate for the detection events Aij and Bij evaluated on three data collections at different distance of two antennas 92 Figure 4.1 Block diagram of sophisticated gnss spoofing detector using GMM 94

xii

Figure 4.2 The single variable Gaussian are plotted with 𝜇𝜇 = 0 and 𝜎𝜎 = 1 95

Figure 4.3 Example of a Gaussian mixture distribution in one dimension, green, blue, and yellow are shown as components, and their sum is shown in black 96

Figure 4.4 Illustration of a mixture of 3 Gaussian components in 2D; a) Constant density contour for the 3 components of the mixture; b) The contour of the boundary probability density p(x) of the mixed distribution; c) Show the distribution of p(x) along the surface 97

Figure 4.5 Graph showing a mixed model in which the combined distribution is represented as p(x,z)=p(z)p(x|z)(source [67]) 98

Figure 4.6 Graph showing a GMM with matching latent points zn for a set of N i.i.d data points xn, where n = 1, ,N (source [67]) 100

Figure 4.7 Distribution of 2D and PDF datasets respectively according to GMM; (a) Distribution of 2D datasets and initialization of EM; b) PDF of 3 data sets after 38 iteration of EM; c) Log-Likelihood by number of iterations 104

Figure 4.8 Illustration of EM algorithm, data distribution and evaluation of PDF by EM a) After 1/100 iteration; b) After the 2/100 iteration; c) After the 5/100 iteration; d) After the 10/100 iteration; e) After the 15/100 iteration; f) After 20/100 iteration; g) After 30/100 iteration; h) After 38/100 iteration 106

Figure 4.9 Double carrier phase difference and GMM density functions of spoofed signals and authentic signals 109

Figure 4.10 Fractional DD measurements and SoS detection metric in mixed tracking conditions under spoofing attack with a fake satellite as the reference 110

Figure 4.11 Fractional DD measurements and SoS detection metric in mixed tracking conditions under spoofing attack with a authentic satellite as the reference 111

Figure 4.12 DD points distribution of all the 4-satellite combination (spoofed 1a 2s – all the points corresponding to the combinations in which the reference is spoofed, the other three contain 1 authentic and 2 spoofed satellites) 111

Figure 4.13 DD of real data and fake data to make the reasonability of the approach clear, we analyse the difficulty of spoofing identification in the below cases 112

Figure 4.14 DD of the data has only one fake satellite 112

Figure 4.15 GMM of DD of the data has only one fake satellite 113

Figure 4.16 The DD planes for the mixed data, including two spoofed satellites and two authentic satellites 113

Figure 4.17 GMM distribution of DDs 114

Figure 4.18 The GNSS simulator architecture is based on SDR technology 115

Figure 4.19 L1 GPS spectral code generation method (Source: [76] ) 117

xiii

Figure 4.20 Test configuration of GNSS simulation system 118

Figure 4.21 Phase difference for real signal 118

Figure 4.22 Phase difference of conventional simulation signal 119

Figure 4.23 Phase difference of the multi-directional simulation signal 119

Figure 4.24 Fractional DDs in case of Intermediate spoofing attack, where the DDs of authentic satellites (PRN 25) cross the ones related to the spoofed satellites 121

Figure 4.25 False alarm in the D

detector: a fractional DD from a genuine satellite crosses the DDs of the spoofed satellites 121

xiv

ABSTRACT

Global Navigation Satellite Systems (GNSS) spoofing is a pernicious type of intentional interference where a GNSS receiver is fooled into tracking counterfeit signals, with the purpose of inducing a misleading information into the application it

is used for

This work presents the development of a dual-antenna GNSS spoofing detection technique based on the analysis of the dispersion of the double differences of carrier phase measurements produced by two GNSS receivers (D

technique) No synchronization of the receivers is needed for the algorithm to properly work The algorithm is derived from the idea of the Sum of Squares (SoS) detector, recently presented as a simple and efficient way to detect a common angle of arrival for all the GNSS signals arriving to a pair of antennas The presence of such a common angle is recognized as an undiscussed indication of spoofed GNSS signals Nonetheless, some limitations can be identified in the SoS algorithm First of all, the assumption that all the signals arrive from the same source; situations are possible in which the receiver tracks only a subset of counterfeit signals, out of the whole signal ensemble The idea presented in this work intends to overcome such limitations, properly modifying the SoS detection metric to identify subsets of counterfeit signals The analysis is supported by several simulation tests, in both nominal and spoofed signal conditions,

to prove the effectiveness of the proposed method

However, the D

technique has not been analyzed in a rigorous theoretical way so far and the detection threshold was, for instance, set only empirically Aiming at filling these gaps, this work intends to revise the main concepts of the aforementioned technique in a clear mathematical way Thus, the detection threshold will be given according to a target probability of missed detection Moreover, the work provides a thorough analysis of expected performance in terms of probability of missed detection and probability of false alarm, addressing them first as pairwise probability, then as overall probability The effect of the signal C/N0 ratio on these detection performances is analyzed Methods to reduce the occurrence of events of false alarm are also discussed Eventually, an assessment of the performance of the D

algorithm

is evaluated through a set of tests that emulate real working conditions

Moreover, this work presents the development of a new metric to improve the performance of the D

algorithm The new metric is based on a linear regression applied to the fractional phase double differences The original D

algorithm is sometimes prone to false alarms and to missed detections The idea presented in this work intends to overcome such limitations by leveraging on the fact that the fractional double differences are characterized by having a piecewise linear trend, with different slopes and intercepts By evaluating the dispersion of such two parameters instead of the double difference measurements directly, it is possible to design a more robust spoofing detector The performance of this linear regression-based method is very

xv

promising, since no cases of false alarms or of missed detections have been observed

in all the performed tests

In the next contribution, we propose a novel method to effectively detect GNSS spoofing signals Our approach utilizes mixtures of Gaussian distributions to model the Double Carrier Phase Difference (DD) produced by two separated receivers DD values contain the angle of arrival (AoA) information and a small amount of Gaussian noise The authentic GNSS signals come from different directions, therefore AoA values are different for each satellite In contrast, spoofing signals from one broadcaster should always have the same direction Therefore, DD values of authentic satellites contain mainly the double difference of AoA values, while DD of spoofing satellites contains only an insignificant amount of Gaussian noise That rough observation is the theoretical basis for our proposal in which we use Gaussian Mixture Model (GMM) to learn the distribution of DD values calculated for both kinds of satellites The pre-trained GMMs are then utilized for detecting spoofed signals coming from spoofer

All these services could potentially be attacked by hackers for economical or even terroristic interests [1], [2] The fact that, almost all services rely on GNSS civil signals, which are easily interfered unintentionally or intentionally In reality, the threat of intentional Radio Frequency Interference (RFI), such as jamming or spoofing attacks, is growing in popularity The major hazard in this situation is when the receiver is not aware of being fooled; therefore, it does not raise any alarm to the hosting system, which is induced to make wrong and possibly hazardous decisions based on spoofed position, velocity and time (PVT) information [3] - [7] This attack

is known with the name of ‘spoofing’ [1]-[11]

Figure 1.1 Applications of GNSS (source:[12])

Over the last decade, spoofing has been perceived as a more and more concrete threat This perception has been motivated by technological progresses and by the availability of advanced software-defined radio (SDR) platforms making the

17

development of GNSS spoofers not only feasible but also affordable [13], [14] Furthermore, many public channels are active source of information and awareness,

as for example web sites, social platforms and online magazines [15]-[18]

Spoofing attacks can be defeated by exploiting specific features which are difficult to

be counterfeited at the signal, measurement, and position level [9], [10], [19]-[24]

A detailed survey of the most promising techniques for spoofing detection proposed

in the last decade for civil signals can be found in [10] where several methods are described and compared in terms of complexity and effectiveness Among all these

families of approaches, spatial processing based on the AoA defense is probably the

most robust and effective technique to detect and possibly mitigate the counterfeit signals [24], [25] However, AoA-based methods in cost-constrained mass-market applications are still difficult for several reasons: costs of the equipment, complexity

of the processing and size of the installation

In [13], [26], the authors developed a method for spoofing detection based on differential carrier phase measurements from a pair of receivers and antennas; it neither requires dedicated hardware nor needs special constraints on the geometry of the system; only the knowledge of the baseline (of the relative position of the two receiving antennas), is needed However, although these methods have been proved

to be simple but efficient technique to detect spoofing attacks, they still have some limitations that will be discussed in the following sections

According to [10], [22], [27], spoofed attacks can be divided into three main categories: simple spoofing attack, intermediated spoofing attack, sophisticated spoofing attack The simple spoofing attack can be easily detected by the existing techniques [10] However, these methods may not detect well the intermediated spoofing attack and sophisticated spoofing attack [10] Recently, those kinds of attacks are proved to be increasingly popular [2], [28]

Therefore, the thesis focuses to study the detection of spoofing in the intermediated and sophisticated cases to ensure the reliability and accuracy of services using GNSS

1.2 Motivation

From the analysis above, it can be seen that ensuring the safety and reliability of GNSS applications is increasingly important and urgent Currently, the proposed detection methods are not really practically effective [13], [27], [29]-[31] they either require directly interfering to the system signal or using ancillary equipment, leading

to higher costs Meanwhile, the affordable AoA approaches are however not really effective in complex attack situations Therefore, the first motivation in this work is

to propose a method to improve the performance of low-cost AoA-based methods to detect intermediate and complicated spoofings (spoofed signals comes from different directions)

18

Regarding the dataset for spoofing detection research, most of the GNSS simulators (IFEN, Spirent, SkyDel, Teleorbit, etc) generate uni-direction signals or require specific costly license for multi-direction signals Therefore, the second motivation of the thesis is to propose a method to generate fake signals from different directions for the validation of complicated spoofing detection methods

1.3 Problem statement

To the best of our knowledge, the spoofing detection based on AoA is perhaps the most powerful and efficient technique for detecting and possibly minimizing false signals [24], [25] However, its use in commercial applications is limited by a number

of reasons: costs, processing complexity and size of receiver

The authors of [13], [26] develop a simple method for spoofing detection based on differential carrier phase measurements from a pair of receivers and antennas It requires neither a specialized hardware nor special geometrical constraints; the only technical requirement is the synchronization of the receivers and the distance between the two antennas This method is known as sum of squared (SoS) detector Unlike other works [32], SoS models the integer ambiguity component of the carrier phase measurement as random variables having values in a set of integers ambiguities These variables are deduced using the general likelihood ratio test (GLRT) approach [21], [26]

Though the computational complexity is significantly decreased; this method leverages on carrier phase measurements, possible cycle slips can occur and need to

be detected and mitigated before forming double difference carrier phase measures Furthermore, the SoS approach considers just the condition of having the whole signal ensemble either counterfeit or authentic, while it does not consider possible scenarios where the victim’s receiver is locked onto a subset of spoofed satellites, while for the remaining are still authentic ones (so-called ‘mixed tracking’ in the rest

of the work) [2], [19], [28]

In this work, we focus on proposing AoA-based spoofing detection methods which address the limitations pointed out in typical existing work (especially in SoS approach) Furthermore, we are also interested in validating our method in complicated spoofing scenarios wherein spoofed signals may come from different directions However, it is the fact that generating multi-direction spoofed signals require special high-cost equipment installation; therefore, we propose to use a software-based receiver approach to modify the signal phase to simulate the signal’s angle of arrival

19

1.4 Scope of Research

The work focuses on the technique for detecting spoofed GNSS In the first methodology, a method to detect mixed spoofing signals using commercial receivers and dual antennas was proposed In this method, the distance between the two antennas is fixed at roughly two meters to avoid noise when performing differential computations between the two receivers The GMM machine learning model is used

in the second method to detect spoofing signals coming from multiple directions To attack spoofing from many different directions, we have to synchronize the spoofing signal generators To implement this method, we have to use high-precision and expensive clocks Therefore, we use the method of transmitting only one spoof satellite to fool the receiver

1.5 Contribution

This work focuses on solving the spoofing detection problem based on AoA approach In addition, to overcome the limitation of the lack of dataset for testing spoofing detectors, we also propose a method for simulating unauthentic signals in two typical scenarios: spoof only and mixed signals from different directions Our work has the below main contributions:

First, we propose AoA-based methods for spoof detection, in our proposal we utilize

D

measurement to overcome the limitation of the existing SoS methods

V.H Nguyen, G Falco, M Nicola, and E Falletti (2018) “A dual antenna GNSS

spoofing detector based on the dispersion of double difference measurements”, in

Proc Int 9th ESA Workshop on Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), Noordwijk, Netherlands, Dec 2018, 5-7, DOI: 10.1109/NAVITEC.2018.8642705

N Van Hien, G Falco, E Falletti, M Nicola and T V La (2020), “A Linear

Regression Model of the Phase Double Differences to Improve the D3 Spoofing Detection Algorithm,” 2020 European Navigation Conference (ENC), 2020, pp

1-14, doi: 10.23919/ENC48637.2020.9317320

E Falletti, G Falco, V H Nguyen and M Nicola (2021), “Performance Analysis

of the Dispersion of Double Differences Algorithm to Detect Single-Source GNSS Spoofing,” in IEEE Transactions on Aerospace and Electronic Systems, vol 57,

no 5, pp 2674-2688, Oct 2021, doi: 10.1109/TAES.2021.3061822

Second, this thesis introduces a novel approach to classify authentic and fake GNSS signals using Gaussian Mixture Models (GMMs) and increase detection accuracy while eliminating the need for any parameter tuning process through automated learning (Expectation Maximize algorithm) This method can improve the performance of the algorithm to detect spoofed signals in the sophisticated case

Nguyen Van Hien, Nguyen Dinh Thuan, Hoang Van Hiep, La The Vinh (2020)

“A Gaussian Mixture Model Based GNSS Spoofing Detector using Double Difference of Carrier Phase” Journal of Science and Technology of Technical

Universities, pp 042–047, Vol 144 (6-2020)

20

Third, we develop a method to simulate signals coming from different directions which are used to validate the detection algorithm in multi-direction attack scenarios

Nguy ễn Văn Hiên, Cao Văn Toàn, Nguyễn Đình Thuận, Hoàng Văn Hiệp (2020),

"Phương pháp sinh dữ liệu mô phỏng GNSS đa hướng sử dụng công nghệ vô tuyến điều khiển bằng phần mềm" 178-185, số Đặc san Viện Điện tử, 9 - 2020, Tạp chí

Nghiên cứu Khoa học Công nghệ quân sự

1.6 Thesis outline

The dissertation is composed of five chapters as follows:

Chapter 1 Introduction This chapter briefly introduces the research area The importance of the topic, the definitions and the existing approaches are clearly addressed Then the thesis focuses on the contributions are also presented clear

Chapter 2 Related Work This chapter first summarizes the importance of services using GNSS Then, a comprehensive survey of the previous algorithms, existing work relating to interference detector are presented The limitations of the previous algorithms are clearly analysed and resolved

Chapter 3 Intermediated GNSS Spoofing detector based on angle of arrive The development of a dual-antenna GNSS spoofing detection technique based on the dispersion of the double differences of carrier phase measurements created by two GNSS receivers is presented in this chapter

Chapter 4 Sophisticated GNSS spoofing detector based on angle of arrive The chapter present an algorithm that using an automated learning process, this approach can improve detection accuracy and detect GNSS spoofing in the sophisticated scenario while obviating the need for any parameter tuning procedures (Expectation Maximization algorithm)

Chapter 5 Conclusion and future works A conclusion is given in this chapter Furthermore, some limitations of the work are presented, along with possible solutions, which may need additional study

21

2 RELATED WORK

This chapter presents vulnerabilities of civil GNSS with more focus on different types

of spoofing techniques We also briefly introduce some state-of-the-art methods for GNSS spoofing detection and analyse the advantages as well as disadvantages of the surveyed methods From the analysis, we propose our approach to improve the current limitations of the existing work

2.1 Civil GNSS vulnerabilities to intentional interference

Because of the low SIS (Signal in Space) signal strength [33] (Figure 2.2) (GPS L1 C/A code: -158.5 dBW; Galileo E1: -157 dBW) and the physical environment in which signals are transmitted from satellites to receivers (Figure 2.1), GNSS receivers are extremely vulnerable An interfering signal that is just a few orders of magnitude stronger than the minimum received GNSS signal intensity will cause a receiver to lose lock on a satellite Navigation receivers are vulnerable to strong interfering signals such as jamming, ionospheric and tropospheric effects and RF emitters

Figure 2.1 The enviroment for transmitting signals from satellites to receivers

(source: [33])

According to [34], GNSS nowadays use Code Division Multiple Access (CDMA), while GLONASS legacy signals use the Frequency Division Multiple Access (FDMA) technique However, over the last decade, modernized GLONASS satellites, such as the GLONASS-K1 satellites (launched in 2011, transmitting CDMA signals

on L3-band), the GLONASS-M satellites (including CDMA signals on L3-band since 2014), and the GLONASS-K2 satellites, have begun to include additional CDMA signals (launched in 2018, transmitting CDMA signals also on L1- and L2-bands) In the presence of interfering signals, the receiver's dispreading procedure spreads the power of the interfering signal over a large bandwidth as show in Figure 2.2 Other radio frequency signals can also cause problems such as Digital Video Broadcasting

Figure 2.2 The low SIS signal power of GNSS (source: [35])

Figure 2.3 GNSS frequency bands (source: [36])

23

2.2 Radio Frequency Interference

With low power signal, GNSS can be attacked by RFI (Radio Frequency Interference), both unintentional and intentional as shown in Figure 2.4

(1) Unintentional interference

Radio frequency systems such as radar systems, DVTB, VHFs (Very High Frequency), mobile satellite services, and personal electronics with high power harmonics and intermodulation products [28] can inadvertently interfere with the GNSS signal However, this kind of interference is somewhat resolved by properly radio frequency band management policies which are currently used by all governments

(2) Intentional interference

The first type of intentional RFI is jamming A jamming attacker uses devices to generate powerful signals in the GNSS band (Figure 2.6), resulting in various effects (which may lead to failed operation of GNSS receivers) [37] With the existing handheld GNSS jammers, GNSS signals within a radius of a few tens of meters are completely disrupted The operating principle of these devices is to use a chirp signal

to intervene in the GNSS signal's operating frequency range To the best of our knowledge, there are no effective methods for reducing the impact of this type of attack

Spoofing is another form of intentional interference and is one of the most dangerous attacks (Figure 2.5) Because this technique uses devices to broadcast fake GNSS signals to mislead the victim GNSS receiver's position or time information without

Figure 2.4 Radio frequency interference

24

completely disrupting its operations The incorrect position, velocity and time

information produced by the attacked receiver may result in even more serious problems if they are used in other important systems like: financial transaction synchronization, energy transmission, etc

Figure 2.5 Intermediated Spoofing Scenario

Figure 2.6 Cheap jammers are widely sold online (source: [38])

25

2.3 GNSS Interference detection techniques

In the [12], [28], [33], [39], [40], the authors list some GNSS interference detection methods (as shown in Figure 2.7)

Figure 2.7 Techniques for Detecting GNSS Interference

(1) ADC/AGC monitoring

According to [28], the AGC gain variation can be used to detect the presence of interference because the AGC is driven by ambient noise or interference rather than GNSS satellite signal power However, this technique hardly can distinguish among interference, environmental changes or noise

(2) C/N0 monitoring

All GNSS receivers support the C/N0 parameter The interference can be modelled

as an addition to the noise variance [28] However, this technique may fail to work if the presence of the jammer is "masked" or "filtered" by an estimation algorithm

(3) Time-domain statistical analysis

In [33], non-stationary interference is typically concentrated in a small region of the time-frequency (TF) plane The general procedure is to compare the peak magnitude

GNSS Interference detection techniques

ADC/AGC monitoring

C/N0 monitoring

Time domain statistical analysis

Post correlation statistical analysis

Specifically used for spoofing detection

26

of the received signal's TF distribution with a predefined threshold However, this method has a high computational complexity Therefore, it is difficult to implement the algorithm on a commercial receiver with a limited computation capability

(4) Post-correlation statistical analysis

In this approach, the Chi-square Goodness of Fit test, implemented in a software receiver, is used and applied against two live spoofing datasets [42] The result obtained in two scenarios (static and dynamic) demonstrates the GoF's ability to detect the fake signal However, similar to time-domain statistical analysis technique, this method also has a high computational complexity In addition, this method is implemented on the software receiver making it hard to be available on existing commercial receivers

2.4 Spoofing detection techniques

Figure 2.8 Three continuum of spoofing threat: simplistic, intermediate, and

sophisticated attacks (source: [27])

2.4.1 Classification of spoofing threat

According to [10], [25], [27], spoofing attacks can be divided into three main categories (see Figure 2.8):

(1) Simplistic attacks

The construction of this spoofer includes a GNSS signal simulator in combination with an RF terminal used to mimic real GNSS signals These signals are not basically synchronized with the real GNSS signals Thus, the spoofing signals look like noises

in the receiver operating in monitor mode (even if the broadcast power is higher than the actual signal) [10] However, this type of device can deceive commercial receivers, especially if the power of the spoofing signal is higher than the authentic signal This signal simulator is easy to detect using various anti-splitting techniques

it generates fake signals based on the above information and emits it from transmits toward the target receiving antenna Some of the difficulties in building this system are referencing spoofing signals to the intended target receiver with the correct delay and signal strength Another downside is that the spoofing power must be higher than the authentication signal power to fool the GNSS receiver Carrier phase alignment with authentic signals This type of spoofer overcomes many of the spoofing detection techniques of conventional single receivers because they synchronize the authentication signal and can spoof the receiver in tracking mode This type of Spoof uses an antenna that transmits, so signals coming from the same direction can be detected via the AoA [13],[26]

(3) Sophisticated attacks

According to [10], this is the most complicated and dangerous of all the spoofer This type assumes knowing the centimeter-level position of the antenna-phase center of the receiver under attack in order to perfectly synchronize the spoofing signal code and carrier phase with the authenticated signal code This type of spoofer can take advantage of a number of special antennas that can pass direction-based detection techniques In this case, the spoofer needs to synthesize a matching array manifold with the authentic signal array to defeat the spoofing signal detection system by the direction The complexity of this device is much more complicated than the two above, and at the same time its high cost and high operating complexity [10] In addition, there are some physical limitations regarding the location of the transmitting antenna and target receiver antenna Detecting this fake case detection technique is quite complex This spoofing signal can be detected using the integrated inertial measurement systems Attacks of this type can be defended by using data encryption

2.4.2 Spoofing detection algorithms

Figure 2.9 depicts a high-level overview of various antispoofing approaches

(1) Cryptographic

According to [13], the most effective defense is cryptographic defense, but it necessitates that GNSS signals be designed to support cryptographic functions Cryptographic defenses are further classified as encryption-based approaches, which

28

require fully or partially encrypted GNSS signals, and authentication-based defenses, which require GNSS signals to have specific features that allow them to be authenticated Signal encryptions include code and navigation message encryptions

Figure 2.9 A summary of the various spoofing detection methods available in the

literature (source: [13])

(2) External Verification

Spoofing can be detected by comparing the GNSS PVT with alternative sources of

location, for example: inertial units, enhanced long-range navigation (eLORAN),

wireless fidelity (Wi-Fi), and cellular-based location A detailed survey of the most

promising techniques for spoofing detection proposed in the last decade for civil signals can be found in [23], where several methods are described and compared in terms of complexity and effectiveness

(3) Signal Features

Several spoofing detector techniques rely on signal characteristics that are difficult to

be faked as shown Table 2.1:

Vestigial signal defense: In [20], to detect spoofing attacks, this technique monitors

distortions in the complex correlation domain The ‘vestigial signal defense’ is based

on the assumption that original GNSS signals are present also during a spoofing attack

Spoofing detector Approaches

Cryptographic External Verification Signal Features

• Wi-Fi

• GSM/UTMS Any system providing PVT-related

information

• Vestigial signal defense

• Angle-of-arrival

• Amplitude correlation

• AGC gain, noise floor, clock bias, jumps

29

[20] and the presence of residual signal components can be verified by an ad-hoc

receiver The VSD is a stand-alone software-defined defense, which means it has a

low implementation cost and adds no size or weight to the receiver It cannot implement in the commercial receiver

Table 2.1 Techniques of GNSS spoofing detector based on signal features

Spoofing Detector based on Signal Features

Angle of Arrival Vestigial signal

defense

Amplitude correlation

Pros: It does not

necessitate the use

distortions in the complex

correlation domain [20]

Pros: this technique is a low

implementation cost and does not increase receiver size or weight

Cons: a alone software- defined defence It

stand-is constrained by the difficulty of distinguishing spoofing from multipathing

Spoofing detection method based on the correlation of the amplitudes of various received signals [41] This technique

investigates the use

of a moving antenna

to distinguish between the spatial signatures of authentic and spoofing signals by

monitoring the amplitude and Doppler correlation

of visible satellite signals

Pros: it is not affected by spatial multipath fading that the GNSS signals

complexity of implementation because of a moving receiver

A monitor in the RF front end that employs the automatic gain control (AGC) mechanism [43]

Pros: low computational

complexity and

is an extremely powerful

Cons: a alone software- defined defence

stand-It cannot implement in the

commercial receiver

Amplitude correlation: In [41], the authors investigated a moving antenna to

distinguish between the spatial signatures of authentic and spoofing signals by monitoring the amplitude and Doppler correlation of visible satellite signals it is not

affected by spatial multipath fading that the GNSS signals This technique is complexity of implementation because of moving receiver

30

In [19], the authors developed two methods of spoofing detection, that is square Goodness of Fit (GoF) and a signature test applied to paired correlation difference, for each satellite tracked by the receiver The algorithms show a certain effectiveness in detecting the spoofing attack The GoF test also seems reliable under dynamic conditions and in the case of a large energy difference of spoofing and authentic signals However, these two methods develop on soft receivers with complex algorithms, which are quite difficult to apply on commercial receivers

Chi-AGC gain: In [43], a monitor in the Radio Frequency (RF) front end using the

automatic gain control (AGC) mechanism is outlined GNSS simulator signal is broadcast and its power level is greater than that of the received true GNSS signal This technique is low computational complexity But this technique is implemented

on a stand-alone software-defined defense It cannot implement in the commercial receiver This technique can be difficult to distinguish between interference,

environmental changes or noise

Angle of Arrival: The angle-of-arrival (AoA) of GNSS signal (Figure 2.10) is the

direction in which the signal is received These techniques are analysed in terms of complexity, cost and performance as well as in terms of robustness against the type

of spoofing attack [44] Most of the techniques discussed in the literature are intended for single-antenna receivers, since this is the most common operative condition in which receivers operate Nonetheless, spoofing transmitters are expected to broadcast all the counterfeit signals from the one antenna, while the authentic signals are transmitted by the satellites in orbit from widely separate directions with respect to the receiver [10] The AoA defense exploits the fact that genuine GNSS signals come from different directions whereas counterfeit signals are likely transmitted from a

31

Figure 2.11 Angle of arrival defense Spoofing

Among all these families of approaches, spatial processing based on the AOA

defense is probably the most robust and effective technique to detect and possibly mitigate counterfeit signals [24], [25] However, this method has two approaches as shown in Figure 2.11 The first approach uses estimation of direction-of-arrival characteristics This technique uses multi antenna receiver with a common oscillator and deploy on the software receiver [25], [45] its use in cost-constrained mass- market applications is still difficult for several reasons: costs of the equipment, complexity of the processing and size of the installation

In [21], [26] the authors developed a simple method (according to the estimation of difference of direction-of-arrival characteristics) for spoofing detection based on differential carrier phase measurements (difference of direction-of-arrival) from a pair of receivers and antennas; it does not require dedicated hardware nor special constraints on the geometry of the system; only a basic synchronization of the receivers and the knowledge of the baseline, i.e., of the relative position of the two

receiving antennas, is needed This method is called sum-of-squares (SoS) detector

Differently from other works [32], the SoS models carrier phase cycle ambiguities as random variables that assume value on an arbitrary set of integers Thus, they do not need to be estimated This formulation, derived using the generalized likelihood ratio test (GLRT) approach, leads to the SoS detector, where the decision variable is

it does not consider possible scenarios where the victim’s receiver is locked onto a subset of spoofed satellites only, while for the remaining ones the tracking stage continues on the authentic signals This situation is indicated as ‘mixed tracking’ Several in-lab tests have shown this ‘mixed tracking’ condition as quite common, in particular at the beginning of an attack [13], [29]

The original SoS detector would fail in detecting the presence of the subset of spoofed signals Therefore, in this work, we modify the SoS method in order to make it robust against such a situation According to the fact that all the spoofing signals are spatially correlated due to the same direction of arrival, all the differential measurements related to such signals have a similar (correlated) magnitude and this correlation remains over time On the contrary, when we consider signals coming from the true satellites, the differential measurements have independent magnitudes, because the signals are not spatially correlated Such a correlation is another indicator of common transmitting source and will be used in this work as another degree of robustness added to the SoS to detect likely counterfeit signals In this way we identify a robust modification of the original SoS detector, based on a test metric built on the dispersion of the double difference measurements from a pair of antennas

on the GPS system, although it can be extended to all satellite navigation signal and systems and all algorithm, which is presented in this thesis based on GPS signal

Figure 3.1 Spherical positioning system of GNSS

In GNSS, the time measurement can be done as: receiver only receive the signal in one direction; satellites must be synchronized with high precision (within few ns)

A pulse transmitted by a satellite at time 𝑡𝑡

is received at time 𝑡𝑡

+ 𝜏𝜏 The (3.1) is an approximation of the distance between TX and RX:

Where 𝑐𝑐 is the speed of light (≈3.10^8 m/s) The measure of 𝑡𝑡

+ 𝜏𝜏 allows for R determination if both synchronized oscillators are perfects However, the clocks of receiver cannot be synchronized with the satellite time scale at low cost and

34

complexity Then, signals received from the satellite have a bias due to the difference in GNSS time and the receiver’s clock time The receiver’s measurements are known as pseudo-ranges GNSS system use four satellite to determine the location Pseudo-ranges can be written as (3.2):

Where ρ is pseudo-range, δtu is user clock bias

The user will calculate four unknowns by measuring four pseudo-ranges as (3.3) with respect to four satellites with known coordinates:

�𝑥𝑥

, 𝑦𝑦

, 𝑧𝑧

� is satellite position (center of the pseudo-sphere)

𝜌𝜌

is pseudo-range (radius of the pseudo-sphere), can be

𝜏𝜏

is the propagation delay of the 𝑘𝑘th satellite

Φ

is the initial carrier phase of the 𝑘𝑘th satellite

𝐶𝐶

is the Coarse/Acquisition (C/A) code of the 𝑘𝑘th satellite

𝐷𝐷

is the navigation data bits of the 𝑘𝑘th satellite

𝑛𝑛 = 0,1,2, …

𝑇𝑇

is sampling period, 𝑇𝑇

=

𝑆𝑆

; 𝑓𝑓

≈ 5 MHz

35

3.1.3 GNSS receiver architecture

In the Figure 3.2 show a basic GNSS receiver architecture The antenna receives the signals sent by the GPS satellites The input signal is amplified to the correct amplitude and the frequency is converted to the desired output frequency through the

RF front-end chain The RF front-end can be disturb by thermal noise, random fluctuations of electrical, electromagnetic, interference signals (random or deterministic) The output signal is digitalized using the Automatic Gain Control (AGC) that optimizes the gain according to the Analog-to digital Converter (ADC) dynamic range The receiver's hardware includes the antenna, RF chain, and ADC

The acquisition stage refers to the process of locating a satellite's signal The tracking stage is used to locate the navigation data's phase transition Subframes and navigation data can be accessed from the navigation data phase transformation The navigation data can be used to acquire ephemeris data and pseudo-ranges The satellite positions are calculated using ephemeris data Finally, for the satellite positions and pseudo-ranges, the user location can be determined

3.1.4 GNSS spoofing

As shown in Figure 3.3 in the forward direction, the receiver receives information about the satellite number (Coarse/Acquisition (C/A) code), the position of the satellites and the time at which the satellite transmitted the signal (the navigation data bits) From the information on the receiver, it is estimated that the distance is assumed When at least 4 satellites have received signals, the receiver solves the (3.3)

to determine the position (𝑥𝑥

, 𝑦𝑦

, 𝑧𝑧

)

In the opposite direction, to generate spurious signals: user position, based on satellite orbit information, the ephemeris is widely published on websites such as [47] Then

we can simulate the navigation data bits

RF end

Front-ADC/AGC Acquisition

stage

Tracking stage

Antenna

PVT calculation

User position

Figure 3.2 A fundamental GNSS receiver architecture (source: [46])

37

Figure 3.4 Blocks scheme of GPS simulator

Figure 3.4 shows how to generate spoofing signals To generate a fake position or time, the following parameters are needed: C/N0 to perform the calculation of the output signal power, Ephemeris, Almanac is published on the website of IGS [48] together with the location user to define satellite number, pseudo-range; The clock bias, ionospheric, tropospheric parameters are estimated to be similar to the authentic signal

3.2 Detection of a subset of counterfeit GNSS signals based on the

The first block in the Figure 3.6 shows the development of a dual-antenna GNSS spoofing detection technique based on the dispersion of the double differences of carrier phase measurements (D

) made by two GNSS receivers The approach does not require receiver synchronization to function effectively The approach is based

on the Sum of Squares (SoS) detector (as shown in Figure 3.5), which was recently introduced as a simple and efficient method of detecting a common angle of arrival

Interference model Continuous waves, narrow

band, pules … Multipath model Multipath of SV1, SV2, …

38

for all GNSS signals arriving at a pair of antennas The presence of such a common angle is recognized as an undiscussed indication of spoofed GNSS signals Despite this, various flaws in the SoS algorithm can be found To begin with, the assumption that all signals originate from the same source; it is feasible that the receiver only monitors a subset of counterfeit signals out of the entire signal ensemble The concept provided in this section aims to address these issues by changing the SoS detection measure to identify subsets of counterfeit signals The efficiency of the suggested strategy is demonstrated by many simulation experiments

in both authentic and spoofed signal situations

Figure 3.5 Block diagram of SoS Detector

Figure 3.6 Block diagram of D

Detector

3.2.1 Differential Carrier-Phase Model and SoS Detector

The carrier phase measurements for a stand-alone GNSS receiver can be written, according to [13], [26], as

𝜙𝜙

= 𝑟𝑟

+ 𝑁𝑁

𝜆𝜆 + 𝑐𝑐(𝛿𝛿𝑡𝑡

− 𝛿𝛿𝑇𝑇) − 𝜀𝜀

+ 𝜀𝜀

+ 𝜀𝜀

(3.5) where:

39

• 𝜙𝜙

is the carrier phase measurement for the 𝑖𝑖th satellite (𝑖𝑖 = 1,2, … 𝐼𝐼), expressed in meters;

• 𝑟𝑟

is the geometric range between the receiver and the

satellite;

• 𝑁𝑁

is the integer ambiguity;

• 𝜆𝜆 is the signal wavelength;

•

is the speed of the light;

• 𝛿𝛿𝑡𝑡

is the

satellite clock error;

• 𝛿𝛿𝑇𝑇 is the receiver clock error;

• 𝜀𝜀

is the ionospheric error;

• 𝜀𝜀

is the tropospheric error;

• 𝜀𝜀

is a noise term accounting for residual un-modeled errors, including thermal noise and multipath

If we consider two receivers observing the same satellites at the same time, we can use their output data to build single carrier phase differences for each satellite in

common view:

Δ𝜙𝜙

= 𝜙𝜙

− 𝜙𝜙

= �𝑟𝑟

− 𝑟𝑟

� + Δ𝑁𝑁

𝜆𝜆 + 𝑐𝑐�𝛿𝛿𝑇𝑇

− 𝛿𝛿𝑇𝑇

� + Δ𝜀𝜀

(3.6) where superscripts

and

denote measurements from the two receivers For short baselines, the ionospheric and tropospheric errors are cancelled out Moreover, the range difference between the satellite and the receivers �𝑟𝑟

− 𝑟𝑟

� can be expressed

as in [26]:

𝑟𝑟

− 𝑟𝑟

= 𝐷𝐷cos(𝛼𝛼

) (3.7)

where

is the distance between the two antennas and 𝛼𝛼

is the angle of arrival (AoA)

of the

satellite signal, as depicted in Figure 3.7 The Double carrier phase

Difference (DD) between the 𝑖𝑖-th satellite single difference and the reference satellite

single difference, here indicated with the subscript ‘r’, removes the difference clock

bias term �𝛿𝛿𝑇𝑇

− 𝛿𝛿𝑇𝑇

� from (3.6):

Δ∇𝜑𝜑

= 1 𝜆𝜆 (Δ𝜙𝜙

− Δ𝜙𝜙

) = 𝐷𝐷 𝜆𝜆 � cos (𝛼𝛼

) − cos(𝛼𝛼

)� + Δ∇𝑁𝑁

+ Δ∇𝜀𝜀

(3.8) expressed in units of cycle Notice that the choice of using the double difference measurements 𝛥𝛥𝛥𝛥𝜑𝜑

in the construction of the detector is equivalent to the option expressed in [26] -equation (10) and further discussed in [13] -equation (39)