International Journal of Navigation and Observation

Volume 2012 (2012), Article ID 313527, 8 pages

http://dx.doi.org/10.1155/2012/313527

## GNSS Spoofing Detection Based on Signal Power Measurements: Statistical Analysis

^{1}Position Location And Navigation (PLAN) Group, University of Calgary, Calgary, AB, Canada T2N 1N4^{2}Department of Math Physics and Engineering, Calgary, Mount Royal University, AB, Canada T3E 6K6

Received 18 June 2012; Revised 14 September 2012; Accepted 15 September 2012

Academic Editor: Jinling Wang

Copyright © 2012 V. Dehghanian et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

A threat to GNSS receivers is posed by a spoofing transmitter that emulates authentic signals but with randomized code phase and Doppler values over a small range. Such spoofing signals can result in large navigational solution errors that are passed onto the unsuspecting user with potentially dire consequences. An effective spoofing detection technique is developed in this paper, based on signal power measurements and that can be readily applied to present consumer grade GNSS receivers with minimal firmware changes. An extensive statistical analysis is carried out based on formulating a multihypothesis detection problem. Expressions are developed to devise a set of thresholds required for signal detection and identification. The detection processing methods developed are further manipulated to exploit incidental antenna motion arising from user interaction with a GNSS handheld receiver to further enhance the detection performance of the proposed algorithm. The statistical analysis supports the effectiveness of the proposed spoofing detection technique under various multipath conditions.

#### 1. Introduction

The received GNSS signal power at the output of a 3 dB gain hemispherical linearly polarized antenna at ground level is approximately −130 dBm [1]. This makes GNSS receivers susceptible to nearby noise jammers and standoff spoofers (SS) that can easily transmit power levels well above −130 dBm. A high processing gain based on a long integration time is often the only option available to overcome a noise jammer. Nevertheless, if the GNSS receiver undergoes random motion, then the channel decorrelates quickly such that attaining such large processing gains to overcome jamming is neither feasible nor desirable from an operational perspective. Also a jammer is relatively easy to locate with radio direction finding and to potentially disable as its spectrum is significantly larger than the ambient noise [2, 3]. In addition, the noise jammer is at least detectable as the spectral power in the affected GNSS receiver band will be abnormally high. Hence the jammer can deny service but the user is aware of being jammed, limiting the damage potential of the jammer. A more insidious threat is the standoff spoofer that broadcasts a set of replicas of the authentic satellite vehicle (SV) signals visible to the mobile GNSS receiver [2]. Disruption of GNSS services is achieved by randomly modulating the code phase over a small region of the overall Code Delay Space (CDS) that is commensurate with a target area. The spoofing attack is assumed to happen during the acquisition stage. Therefore, it is not possible to identify the SS signal based on the code phase as corresponding to an outlier navigation solution. The SS is assumed to remain synchronized with currently visible GNSS signals and then transmit a set of signals that would correspond to the typical GNSS signals observable by a receiver in the target area. Note that an effective SS does not necessarily synthesize a specific counterfeit location for a specific GNSS receiver but rather aims to disrupt GNSS services over a general target area by matching the Doppler offset of the replicated SV signals and adjusting the code phase such that it is commensurate with the intended target region. Hence the GNSS receiver cannot easily detect the contribution of these counterfeit signals as obvious outliers. An unaware receiver computes the navigation solution based on the SS generated counterfeit signals which are passed on to the user as being reliable with potentially damaging consequences.

GNSS receivers tethered to a wireless data service provider will typically provide the user with an aided-GNSS (AGNSS) service, significantly reducing the CDS corresponding to a physical area of several square kilometres [4]. Hence there is a diminishing gain for the spoofer attempting to affect a larger target area than this. Hence the counterfeit SS navigation solutions will be construed as plausible. As such, receiver-autonomous integrity monitoring (RAIM) and fault detection and exclusion (FDE) are ineffective in discriminating signals sourced from the envisioned SS [5].

The typical handheld consumer GNSS receiver coherently integrates the signal for about 10 to 20 ms resulting in a correlation peak in the CDS that has a spread in Doppler of about 100 Hz, which is commensurate with the Doppler spread of typical urban traffic (<50 km/hr) [6]. Even if the GNSS receiver is equipped with other ancillary sensors such that the receiver velocity vector is independently known, this cannot be used to discriminate the SS signal as multipath Doppler spreading is approximately equivalent for both the SS and the authentic SV signals.

Note that the receiver processing gain used for suppressing a jamming signal is not effective in the case of the spoofer signal. Consequently, the spoofer transmit power can be orders of magnitude less than that of the noise jammer, which makes the spoofer source much more difficult to locate and disable through radio direction finding and beam forming.

The objective of this paper is to address a computationally efficient processing technique that can be added to relatively unsophisticated consumer grade GNSS receivers to discriminate the spoofer signals transmitted by an SS. The proposed processing is based on estimating and comparing the receiver signal power with a set of thresholds to verify the authenticity of the signal. The detection problem is formulated based on a Rayleigh fading multipath scenario. Nevertheless, it is shown that although suboptimal, the deduced expressions can be utilized for spoofing detection in a generalized Rician multipath channel with minimal performance degradation.

The proposed technique is further extended to include incidental motions of the handheld receiver, instigated through the user interaction with the handset device, in the form of spatial translation and polarization rotation. User interaction with the handheld creates variability in the antenna response, which can be transformed into a diversity gain that adds to the general processing gain of the receiver [7–10]. This processing gain enhances the estimation of the received signal power of the correlation peaks, that, is necessary information in spoofer discrimination. A case study based on GPS L1 C/A signals is developed to demonstrate the effectiveness of the proposed technique. Nevertheless, this technique can be directly extended for other GNSS signal formats such as GPS L2 C/A and GLONASS.

The rest of the paper is organized as follows. In Section 2 the system definition and the assumptions are given. Section 3 formulates a multihypothesis detection problem and focuses on the statistical evaluation of the proposed technique, with the conclusions provided in Section 4.

#### 2. System Definition

This paper considers the analysis of individual GNSS satellite signals, while realizing that simultaneous processing of the available GNSS signals provide extra diversity that can be used to further improve the performance of the proposed spoofer detection technique. The received complex GNSS baseband signal is denoted here by where the signal component of is represented by , where “” is time, is the channel response to the incident signal at the antenna, and is the complex baseband component of the satellite signal, which can be written as where is the navigation data modulation, is the Pseudo Random Noise (PRN) code, is the code phase, represents carrier frequency offset (due to the Doppler of the GNSS signal as well as any frequency offset of the receivers local oscillator), and is the initial phase offset. is known to the receiver except for the navigation data, the code phase, the carrier frequency offset, and the initial phase offset . The received signal, , is corrupted by additive noise (WGN) which has an equivalent complex baseband representation denoted by . It is assumed that is a complex normal random process, independent of the signal, and has a Power Spectral Density (PSD) that is constant within the bandwidth of the received signal.

The GNSS receiver integrates a temporal snapshot of over the interval of , where is typically smaller than the duration of one navigation data bit (20 ms). The signal snapshot of is collected by the receiver and then despread by a locally generated copy of during the initial acquisition. The initial acquisition is typical of a multi-hypothesis detection in which the receiver searches the Code Doppler Space (CDS) for the frequency offset and the code delay, [11, 12]. Note that the initial phase offset is not known to the receiver during the initial acquisition and as such the output of the despreading matched filter is a random complex variable.

The despread baseband signal samples at a correlator output are represented by where “” is a complex conjugate, the subscript “” denotes the th signal sampling interval which extends over , and , are the postintegration signal and the WGN components, respectively. In addition, and represent the estimated code phase and Doppler based on the initial acquisition which consists of a maximum likelihood search over the CDS of a signal sample, , such that where are the maximum likelihood (ML) estimates of the true code phase and Doppler frequency, respectively. The estimated code phase and Doppler are then passed on to the tracking loops to facilitate further receiver processing. Consequently, signal samples, namely, , can be collected and used for spoofer detection.

#### 3. Theoretical Analysis of Spoofer Detection

A hypothetical scenario is considered based on an SS transmitting spoofing signals in an urban environment as shown in Figure 1. The authentic signal and the spoofer signal are affected by multipath fading and therefore, the received signal power is random in space and polarization. In other words, multipath fading results in signal power fluctuation when the receiver is spatially translated or undergoes polarization changes due to rotation. Unlike the authentic signal power which is insensitive to signal power variations arising from pathloss in the target area (this is due to the fact that the satellite-receiver separation is approximately unchanged over a period of several minutes), the spoofer signal power varies with variation in the spoofer-receiver separation. An empirical model of order can be utilized to model the spoofer signal power variation due to pathloss as where is a reference range, is the spoofer-receiver range, is the pathloss exponent, is the average spoofer SNR at , and is the average received spoofer SNR at in dBs. Note that, for the spoofer to be effective, the average received spoofer signal power needs to be higher than that of the authentic signal in the target area. Therefore, the received signal power from a standoff spoofer varies significantly with range due to pathloss, meaning that the spoofer signal power is abnormally higher than that of the authentic signal when the receiver is in the proximity of the standoff spoofer. This characteristic of the spoofer signal can be exploited to limit the effectiveness of the SS in its target area based on comparing the measured signal power against a preset threshold.

As stated earlier, a receiver records signal samples with each of these signal samples belonging to one of the three hypotheses, namely, the noise hypothesis H0, the authentic signal hypothesis , and the spoofer signal hypothesis as
where the normalization is assumed and are suppressed for notational convenience. and represent channel gains associated with the authentic and the spoofer signals, respectively. Consequently, a detection variable, , can be formulated to decide between the three hypotheses of (6) based on comparing “” with a set of thresholds, , as shown in Figure 2. Note that is a function that maps the measured signal samples to a single variable, *,* which is a sufficient statistic with respect to , , and . As will be shown in Section 3.1, *r* can be found from the probability density functions (PDF) of [13] or alternatively from the PDFs of “” which are denoted here by
where denotes a PDF.

One optimization criteria for determining the thresholds () is based on minimizing the probability of error, namely,
where for are the probabilities of , , and states and denotes the conditional probability that indicates that of deciding H*i* if H*i* is correct. Consequently,
where denotes a cumulative distribution function (CDF) of the random variable “” under . As can be seen from (9), is a function of the authentic signal, the spoofer, and the noise statistics. Therefore, any optimization based on minimizing the probability of error hinges on knowing the spoofer signal statistics, which is not available to an unsuspecting receiver given the capricious nature of a spoofer.

Alternatively, a second optimization can be made based on maximizing the probability of detection for a given probability of false alarm. Assuming , the threshold can be determined based on selecting a probability of false alarm as

Therefore, As is evident from (11), depends on and on the noise statistic, which is approximately known to the receiver.

As stated earlier, the average spoofer SNR is not known and varies with varying spoofer-receiver separation due to pathloss, spoofer transmit power variations, and so forth. However, the average authentic line of sight (LOS) SNR is approximately known, given that the average LOS CNR of GNSS signals at the ground level is typically within [40–50] (dB-Hz), which maps into a postprocessing SNR of approximately [10–20] dB based on 1 ms of coherent integration. This a priori information can be used to determine a second threshold, , based on selecting a probability of false alarm associated with as

Given that the satellite geometry is not known to an acquiring receiver, it is reasonable to assume that SVs are approximately uniformly distributed in the sky. Consequently, the PDF of the average post processing SNR of the authentic GNSS signals, , can be approximated as where denotes a uniform PDF and denotes the lower and the upper bounds of the uniform distribution. Consequently,

can be numerically computed by inserting (14) into (12). Finally, the probability of detection associated with can be computed as

##### 3.1. Spoofer Detection Based on a Moving Antenna

As stated earlier, the typical usage mode of a handheld receiver includes incidental motion in the form of spatial translation, polarization rotation, and blocking of the receiver antenna. It is known that any temporal variation in the antenna response results in a temporal signal decorrelation in a multipath environment such that extra diversity branches can be made available for receiver processing [7–10].

To exploit the extra processing gain arising from antenna motion, the statistical properties of need to be considered. Distribution of scatterers in many multipath environments such as indoors or urban areas approximately resembles a uniform sphere of scatterers [9, 14]. The correlation coefficient between signal samples, , collected through spatially translating an antenna over an arbitrary trajectory in a Rayleigh fading environment that resembles a sphere of scatterers can be shown to be [7] where is the propagation constant, is the spatial separation between the antenna positions at which signal samples and are collected (see Figure 3), and is the variance of . Consequently, are statistically uncorrelated if the spatial separation between the antenna positions at which the samples are measured are greater than half a carrier wavelength (in GPS L1 frequency this maps into a spatial separation of 10 cm), resulting in the approximation of , where is an identity matrix.

Rotation is another form of user interaction with a handheld receiver that results in variation in antenna’s polarization. Variation in antenna’s polarization is known to result in signal decorrelation. It can be shown that the covariance of signal samples measured through polarization rotation of a handheld antenna follows from [15] as where is the angular separation of the polarization vectors at which signal samples and are collected (see Figure 3). Note that only three degrees of freedom are realizable based on a polarization rotation of a linearly polarized antenna [16]. Therefore, uncorrelated signal samples are realizable based on a polarization rotation.

A combination of polarization rotation and spatial translation can be utilized to further increase the number of diversity branches [9]. The cross-covariance arising from a combined spatial-polarization translation of a GNSS handheld antenna can be shown to be [9]

As can be seen from (18), the receiver motion in the form of a combined translation in space and rotation of polarization decorrelates the received signal and therefore can be utilized to synthesize several diversity branches useful for receiver processing.

###### 3.1.1. Uncorrelated Rayleigh Fading Channels

Assume that uncorrelated signal samples are obtained based on a combined spatial and polarization translation of a GNSS handheld receiver in an uncorrelated Rayleigh fading channel such that . Consequently, are jointly CN zero-mean RVs with . denotes a covariance matrix of with as the noise covariance matrix. To simplify the expressions to follow and without any loss of generality, the noise covariance is normalized such that . Therefore, the SNR can be written as

Consequently, the signal samples collected by a moving antenna in an uncorrelated Rayleigh fading channel are distributed according to . It can be shown that is a sufficient statistics with respect to the hypotheses , , and H2 and as such is the detection variable [13]. The thresholds () can be found by determining the PDF of and substituting in (10)–(15) for any given .

Note that is a measure of the received signal power. Therefore, the detection problem is based on comparing the received signal power, , with a set of thresholds, (), to determine the authenticity of the received signal. For the spoofer to be effective, the spoofer signal power must be higher than that of the authentic signal in the target area such that the ML search in the CDS results in selecting the spoofer signal which has the largest correlation peaks. Therefore, , which is a measure of the received signal power, can be utilized to discriminate the spoofer from the authentic signals.

###### 3.1.2. Generalized Rician Channels

In a generalized Rician channel, the channel gain, , is a random variable distributed according to where is the complex mean with denoting the phase of the complex mean and is the variance of the in-phase and the quadrature-phase Gaussian components of the channel gain. Consequently, are jointly CN RVs and are distributed according to **,** where is an vector with denoting the phase, is a covariance matrix of , and is the normalized noise covariance. In a Rician channel, the average SNR, , can be defined as , and the magnitude of the mean, , and the variance, , are related through the Rician *K*-factor, , such that . Since the angle of arrival (AoA) of the dominant signal component is not known to the receiver, cannot be estimated and therefore and subsequently are unknown which makes it impossible to formulate a sufficient statistics based on a likelihood ratio test [13]. Nevertheless, as will be shown here, the performance of the spoofer detection is approximately insensitive to the variation in the *K*-factor, , and to the cross-correlation of signal samples as long as the cross-correlation remains moderately low, for example, <0.7. This is reasonable since diversity gain arising from combining equal-power diversity branches remains mostly unchanged for branch cross-correlations <0.7. Therefore, the suboptimal detection variable of (20) can be applied for spoofing detection in a generalized Rician channel with small performance degradation. Figure 4 shows being computed from (14) for various authentic and spoofer channel *K*-factors (and ) and based on (dB) and (dB), two typical , and for . As can be seen from Figure 4, smaller *K*-factors result in larger values. This is due to the increased uncertainty in the received signal power as the *K*-factor decreases. Nevertheless, the variation in is limited to a few dB and as such the *K*-factor does not play a major role in the optimization problem and may be ignored in the expense of slightly lower performance. Therefore, (20) can be applied to a generalized Rician channel as a suboptimal detector. In addition, as can be seen from this figure, a larger results in a smaller for the same performance requirement of . This is due to the diversity gain made available through the extra diversity branches for .

Figures 5 and 6 show the receiver operating characteristics (ROC) based on the detection variable of (20) and for , various and , and based on and . As can be seen in these figures, the detection performance improves with increasing the number of diversity branches, . Also, larger result in a better detection due to the further separation between the PDFs of the authentic and spoofing signals. When a stronger LOS signal component is present ( in Figure 6), a better detection performance is realized due to the reduced uncertainty in the authentic signal power. Note that setting in (12) results in and therefore . This corresponds to a receiver not equipped with any spoofer detection.

To provide an alternative measure of performance improvement, the probability of error of (9) can be used. Figure 7 shows for various , , and and based on and (dB). As can be seen from this figure, is approximately independent of the exact value of *K*-factor, which emphasizes the previous observations of Figure 4 where it was shown that the threshold is not very sensitive to the variations of the *K*-factor. decreases rapidly with increasing the number of diversity branches. The latter demonstrates the performance enhancement arising from the extra diversity branches made available through utilising a moving antenna.

Figure 8 shows for (dB) and various , , and for . Similarly, larger and larger , which provide a better separation between the authentic and the spoofing signal PDFs, result in a smaller . This is further demonstrated in Figure 9 where is plotted for –20, , and 10–25 (dB). Note that, as the PDFs of the authentic and the spoofer signals become more alike,for example, , becomes larger.

As stated earlier, the spoofer signal power is affected by pathloss quantifiable by (5). As a result, the received spoofer SNR varies with the proximity to the spoofer transmitter. To provide an average measure of performance enhancement arising from utilizing the proposed technique, the average probability of error, *,* can be defined as

Figure 10 shows for various based on and (dB), and for (dB). The effect of diversity is further emphasized in this figure where the average probability of error decreases by increasing such that for , implying that the proposed technique is very effective in reducing the spoofer effectiveness in the target area.

#### 4. Conclusions

A multi-hypothesis detection problem was formulated based on a likelihood ratio test applicable to GNSS spoofing detection. A straight forward spoofing detection technique based on signal power measurements was proposed and was shown to be effective for verifying the authenticity of the received GNSS signals in urban multipath environments, meaning that the spoofer signal power is abnormally higher than that of the authentic signal when the receiver is in the proximity of the standoff spoofer.

The proposed processing was further extended to exploit extra diversity branches made available based on a moving handheld receiver and was shown to further improve the spoofer detection performance. Unlike the previously proposed antispoofing techniques, the proposed technique does not require any hardware modification and can be readily applied to any handheld GNSS receiver with minimal firmware changes. It was shown that the proposed technique is largely insensitive to uncertainties in the statistical properties of the multipath channel as long as the collected signal samples are not strongly correlated. A suboptimal detector was proposed and effectively applied to a generalized Rician channel in which the channel parameters are not available to the receiver. An extensive statistical analysis was performed to assess the performance of the proposed technique. It was shown that the average probability of error can be reduced to less than 20% in a typical urban environment.

#### References

- E. D. Kaplan and C. J. Hegarty,
*Understanding GPS: Principles and Applications*, Artech House, Norwood, Mass, USA, 2006. - B. M. Ledvina, W. J. Bencze, B. Galusha, and I. Miller, “An in-line anti-spoofing device for legacy civil GPS receivers,” in
*Proceedings of the International Technical Meeting (ITM '10)*, pp. 868–882, San Diego, Calif, USA, January 2010. View at Scopus - T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O'Hanlon, and P. M. Kintner, “Assessing the spoofing threat: development of a portable gps civilian spoofer,” in
*Proceedings of the 21st International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS '08)*, pp. 1198–1209, Savanna, Calif, USA, September 2008. View at Scopus - F. S. T. V. Diggele,
*A-GPS: Assisted GPS, GNSS, and SBAS*, Artech House, 2009. - L. Scott, “Location assurance,”
*GPS World*, vol. 18, no. 7, pp. 14–18, 2007. View at Google Scholar · View at Scopus - W. C. Jakes,
*Microwave Mobile Communications*, IEEE Press, New York, NY, USA, 1974. - A. Broumandan, J. Nielsen, and G. Lachapelle, “Indoor GNSS signal acquisition performance using a synthetic antenna array,”
*IEEE Transactions on Aerospace and Electronic Systems*, vol. 47, no. 2, pp. 1337–1350, 2011. View at Publisher · View at Google Scholar · View at Scopus - V. Dehghanian,
*Generalized diversity gain of a mobile antenna [Ph.D. thesis]*, Electrical and Computer Engineering, University of Calgary, Calgary, Canada, 2011. - V. Dehghanian, J. Nielsen, and G. Lachapelle, “Combined spatial-polarization correlation function for indoor multipath environments,”
*IEEE Antennas and Wireless Propagation Letters*, vol. 9, pp. 950–953, 2010. View at Publisher · View at Google Scholar · View at Scopus - V. Dehghanian, J. Nielsen, and G. Lachapelle, “Diversity gain through antenna blocking,”
*International Journal of Antennas and Propagation*, vol. 2012, Article ID 735080, 6 pages, 2012. View at Publisher · View at Google Scholar - G. E. Corazza, C. Caini, A. Vanelli-Coralli, and A. Polydoros, “DS-CDMA code acquisition in the presence of correlated fading—part I: theoretical aspects,”
*IEEE Transactions on Communications*, vol. 52, no. 7, pp. 1160–1168, 2004. View at Publisher · View at Google Scholar · View at Scopus - C. Caini, G. E. Corazza, and A. Vanelli-Coralli, “DS-CDMA code acquisition in the presence of correlated fading—part II: Application to cellular networks,”
*IEEE Transactions on Communications*, vol. 52, no. 8, pp. 1397–1407, 2004. View at Publisher · View at Google Scholar · View at Scopus - S. Kay,
*Fundamentals of Statistical Signal Processing: Detection Theory*, vol. 2, Prentice-Hall, Upper Saddle River, NJ, USA, 1998. - H. L. VanTrees,
*Detection Estimation and Modulation Theory: Part IV*, John Wiley & Sons, NewYork, NY, USA, 2002. - V. Dehghanian, J. Nielsen, and G. Lachapelle, “Combined spatial-polarization correlation function for indoor multipath environments,” in
*Proceedings of the 7th International Symposium on Wireless Communication Systems (ISWCS '10)*, pp. 874–876, September 2010. View at Publisher · View at Google Scholar · View at Scopus - A. S. Y. Poon and D. N. C. Tse, “Degree-of-freedom gain from using polarimetric antenna elements,”
*IEEE Transactions on Information Theory*, vol. 57, no. 9, pp. 5695–5709, 2011. View at Publisher · View at Google Scholar