International Journal of Navigation and Observation

Volume 2012 (2012), Article ID 501679, 9 pages

http://dx.doi.org/10.1155/2012/501679

## Effectiveness of GNSS Spoofing Countermeasure Based on Receiver CNR Measurements

Position Location and Navigation Group, University of Calgary, Calgary, AB, Canada T2N 1N4

Received 2 January 2012; Revised 4 May 2012; Accepted 30 May 2012

Academic Editor: Dennis M. Akos

Copyright © 2012 J. Nielsen et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

A perceived emerging threat to GNSS receivers is posed by a spoofing transmitter that emulates authentic signals but with randomized code phase and Doppler over a small range. Such spoofing signals can result in large navigational solution errors that are passed onto the unsuspecting user with potentially dire consequences. In this paper, a simple and readily implementable processing rule based on CNR estimates of the correlation peaks of the despread GNSS signals is developed expressly for reducing the effectiveness of such a spoofer threat. Consequently, a comprehensive statistical analysis is given to evaluate the effectiveness of the proposed technique in various LOS and NLOS environments. It is demonstrated that the proposed receiver processing is highly effective in both line-of-sight and multipath propagation conditions.

#### 1. Introduction

GNSS satellites are approximately 20,000 km away and transmit several watts of signal power such that at the ground level, the power output of a 3-dB gain linearly polarized antenna is nominally −130 dBm [1]. As such, a modest jammer can easily disrupt GNSS signals by increasing the noise floor, making the acquisition of GNSS signals rather difficult. A high processing gain based on a long integration time is one of the possible countermeasures to overcome a noise jammer. Nevertheless, if the GNSS receiver undergoes random motion and is subjected to multipath fading as in a typical urban environment, then the channel decorrelates quickly such that attaining such large processing gains to overcome the jamming is not feasible. However, the noise jammer is at least detectable as the spectral power in the affected GNSS receiver band will be abnormally high. Hence, the jammer can deny service but the user is aware of being jammed, limiting the damage potential of the jammer. Also the jammer is relatively easy to locate with radio direction finding and to potentially disable as its spectrum is significantly larger than the ambient noise [2, 3].

A more insidious threat is the standoff spoofer which broadcasts a set of replicas of the authentic SV signals currently visible to the mobile GNSS receiver [2]. The unaware receiver computes the navigation solution based on these counterfeit signals which are passed on to the user as being reliable with potentially damaging consequences. GNSS-based location estimates that are inaccurate but assumed to be accurate are potentially more damaging to the user than in the jamming case where at least the user knows that the service is temporarily unavailable. As the receiver processing gain used for suppressing the jammer is not applicable in the case of the spoofer signal, the spoofer transmit power can be orders of magnitude less than that of the noise jammer. This makes the spoofer signal much more difficult to locate and disable.

There are essentially two categories of spoofer threats envisioned. The first is the self-intentional spoofer that provides the user a means of compromising its GNSS position. An example is a fishing vessel wishing to enter prohibited areas undetected by a GNSS-based monitoring system. A collocated spoofer could provide counterfeit signals to fabricate navigation solution that falls outside the prohibited area [4, 5]. Another example is that of an offender required to wear a mandatory GNSS tracker to ensure compliance with travel restrictions [2].

The second type of spoofers is the standoff spoofer (SS) that could be used in urban areas for malicious purposes ranging from sporadic disruptive hacking to sophisticated organized terrorist activities. The SS is illustrated in Figure 1 which covers a target area as a sector of an annulus ring. Multiple SS devices could potentially be used to collectively cover a given area such as an urban downtown core. Based on this, the perceived spoofer threat is a network of terrestrial SSs that can cause widespread disruption of GNSS-based location services in dense urban areas.

The SS is of interest in this paper specifically for the scenario of a terrestrial transmitter source that broadcasts replicas of the GNSS signals that are visible in the target area illustrated in Figure 1. Disruption of GNSS services in the target area is achieved by randomly modulating the code phase over a small region of the overall Code-Delay Space (CDS) that is commensurate with the target area. Therefore, at least two correlation peaks will be observed in the CDS. An unsuspecting receiver detects the larger of the correlation peaks which can belong to the spoofer signal. The code phase and the Doppler associated with the spoofer signal are then passed onto the tracking segment and consequently a false navigation solution is generated. Note that, while the target area depicted in Figure 1 has hard boundaries, such boundaries are generally blurry and not well defined. The effectiveness of the SS is considered to drop off outside the depicted annulus sector region with vague boundaries between radii and . In a typical scenario, and are envisioned to be of the order of about 500 m and 2 km such that each SS covers an area of several square kilometres. A modest network of SS devices can then adequately cover a downtown core area. However, for sake of simplicity, only a single isolated SS will be considered in this paper.

The SS is assumed to remain synchronized with currently visible GNSS signals and then synthesize a set of GNSS signals corresponding to the target area. The objective of the SS is not to synthesize a specific counterfeit location for a specific GNSS receiver within the target area. This is not possible as the location of the GNSS receiver is not known to the SS. Furthermore, the objective of the SS is disruption over the general target area rather than affecting specific receivers. As such, the SS transmission signal synthesis does not have to be overly sophisticated. It matches the Doppler offset of the replicated SV signals and adjusts the code phase such that it is commensurate with the intended target region. Note that an urban area is a primarily non-line-of-sight (NLOS) multipath channel. Therefore, the Doppler spectrum as perceived by the GNSS receiver will be spread by an amount commensurating with the magnitude of the receiver velocity but will not be sensitive to direction. Hence, other than the deterministic Doppler offset of the SV to stationary ground-based receiver, no further modulation of the Doppler is required by the SS to ensure a plausible counterfeit signal. The typical handheld consumer GNSS receiver coherently integrates the signal for about 10 to 20 ms. Based on this, the correlation peak in the CDS will have a spread in Doppler of about 100 Hz which is commensurate with the Doppler spread of typical urban traffic (<50 km/hr) [6]. Even if the GNSS receiver is equipped with other inertial means such that the receiver velocity vector is known, this cannot be used to discriminate the SS signal as multipath Doppler spreading occurs for both the SS and the authentic signals.

The code phase of the SS transmissions matches the nominal code phase of the authentic GNSS signals in the target area. Note that the target area is limited to one or two kilometres and hence, the code phase only differs by several chips from one extreme of the target area to the other. For example, in a 90-degree sector with m and m, the average spread is only about four chips. The SS generated code phase will correspond to a random location within the target area generated by slowly and randomly modulating the code phase over a small domain commensurating with the dimensions of the target area. Note that a sophisticated GNSS receiver can potentially discriminate against the SS signal based on the code phase corresponding to an outlier navigation solution. However, as the target region is not very large, the counterfeit SS navigation solutions will be plausible and cannot be easily dismissed as outliers. Furthermore, the typical consumer grade GNSS unit does not possess processing to track multiple candidate navigation solutions let alone discriminate plausible outliers. Also, receiver autonomous integrity monitoring (RAIM) and fault detection and exclusion (FDE) are not effective in detecting such navigationally consistent spoofing signals [4]. Finally, it should also be mentioned that typically GNSS receivers tethered to a wireless data service provider will typically provide the user with an aided GNSS (AGNSS) service, significantly reducing the CDS corresponding to a physical area of several square kilometres [7]. Hence, there is a diminishing gain for the spoofer attempting to affect an area larger than this.

As stated earlier, current consumer-grade receivers are equipped with RAIM and FDE which are not effective in mitigating the navigationally consistent spoofing attacks. A more sophisticated countermeasure to the SS with a random code delay modulation is to carefully tracking all combinations of possible navigation solutions and then dismissing solutions that are less likely based on tracking records spanning several tens of seconds up to the current time. This solution likelihood can be augmented with the use of ancillary sensors and other prior knowledge or belief maps [8]. However, the consumer-grade GNSS receivers considered herein are assumed not to possess this level of sophistication. Rather, the objective is to address a computationally efficient processing method that can be added to relatively unsophisticated consumer grade GNSS receivers and that will be effective in discriminating against the SS. Such processing is based on the received carrier-to-noise ratio (CNR) measurements of the received GNSS signals. CNR measurement is an integrated part of all GNSS receivers as the navigation algorithm heavily relies on determining the weight of the observables based on measuring the instantaneous CNR. A simple discriminant is that if the CNR is implausibly high then an SS is suspected. Such processing is easily implemented with essentially minor firmware changes to the receiver or an in-line filter component [2]. However, there is the question of how to optimally set the threshold used for CNR comparison. The optimum threshold is easily determined and justified for LOS propagation with a known antenna gain and orientation. However, for a handheld unit operating in an urban canyon with a compromised multiband antenna that is randomly oriented and potentially shadowed, setting the optimum threshold is no longer deterministic nor trivial. Optimization is necessarily based on a statistical analysis, which is the focus of this paper.

The rest of the paper is organized as follows. In Section 2, the system definition and simplifying assumptions are given. A difficulty encountered with the statistical assessment of the SS effectiveness is the plethora of disparate parameters and plausible scenarios encountered. For this paper, a constrained set of idealized parameters and assumptions is necessary to obtain fundamental insights. In Section 3, the effectiveness of the SS and the receiver countermeasures is considered for a variety of LOS and NLOS scenarios. Section 3.5 relates these findings to the plausible physical coverage range of the SS. Finally, Section 4 states the major conclusions.

#### 2. System Description and Assumptions

The performance of spoofer detection based on a threshold applied to the CNR in conjunction with a simple decision rule is analyzed for various propagation conditions. To do this in a comprehensive manner that is not obscured by details, it is necessary to use simplifying assumptions and constraints. While these may erode generality, the benefit is a set of insights gained that are applicable to less idealized and more realistic scenarios.

It is assumed that the GNSS receiver performs a reduced search over the CDS based on traditional despreading correlation processing for each candidate GNSS signal that is potentially visible to the receiver. Assuming that both the authentic and SS signals are present at the receiver for a given despread GNSS signal, the outcome is a set of two correlation peaks corresponding to the spoofer and the authentic signal. The complex amplitude of the authentic and spoofer correlation peaks is represented as where and are the average CNRs of the authentic and SS signals, respectively. The complex channel gains are denoted by and with where denotes the expected value operation. Also and represent the normalized white Gaussian noise samples distributed according to with denoting a circularly normal multivariate distribution with a mean of and a variance of . Note that the noise variance is normalized to simplify the expressions to follow.

It is assumed that there are nominally two correlation peaks in the CDS hypothesis space that correspond to the spoofer and the authentic signal for a specific GNSS signal with sample-based CNRs denoted as and , respectively, namely, There are many variations as to how the receiver implements the correlation search over the CDS; however, this assumption of the correlator structure simplifies the system description and subsequent analysis. Furthermore, the possibility of the authentic signal resulting in two distinct correlation peaks due to resolvable multipath or poor receiver design is not considered. The GNSS receiver cannot determine which correlation peak corresponds to the desired authentic signal. However, recognizing that there are two possible choices from which it suspects spoofer activity, it can impose the following simple heuristic rule for selecting the authentic signal: Choose the larger of the two peaks as the authentic peak if , otherwise choose the smaller peak.

Here is a threshold CNR that and will be compared to, which is the subject of some adaptive optimization process. Based on this formulation, the probability of a selection error can be evaluated. An error occurs every time the spoofer correlation peak is selected instead of the authentic peak with the Doppler and code delay coordinates passed on to the navigation solution processor. As such there are two types of errors described as A graphical aid is introduced in Figure 2 which provides a method of calculating the probability of receiver error as the sum of the probabilities of the two types of errors. This probability will be denoted as and is a measure of the effectiveness of the spoofer; that is, the higher is over a given target area of the spoofer, the more effective it is, and is therefore a suitable metric for quantifying the effectiveness of the SS. depends on the probability density function (PDF) of the CNRs of the authentic and spoofing correlation peaks.

To proceed further, the following definitions are made: : PDF of with the parameter ; : PDF of with the parameter ; : cumulative distribution of the authentic signal; : cumulative distribution of the authentic signal.

Assuming that the authentic and the spoofer CNR samples, , are statistically independent random variables, then the joint PDF can be expressed as the product of This assumption is based on the authentic SV original signal and the terrestrial source SS signal coming from different bearings and hence, in a dense urban area, the fast fading and nominal path-loss is independent. As the bearings are sufficiently different, the longer-term fading or shadowing is not correlated [6]. Hence, the assumption of independence implied by (4) is made herein. However, there are instances where shadowing does become correlated especially if the bearings of the authentic and SS signals are similar. Based on the graphic shown in Figure 2, is given by where the simplified notation omits the parameters and which are initially assumed to be known parameters. Using , (5) becomes The minimum value of can be determined by setting such that the condition emerges and reduces to which is then solved for the optimum value of . Equation (8) is mathematically equivalent to A useful observation is that if the PDFs of the authentic and the spoofer signals are scaled versions of each other, that is, ; then (9) holds only if and , since a cumulative distribution function (CDF) is a monotonically increasing function. This means that a finite threshold other than and does not exist. In other words, for the common case when is a monomodal function then it is easily shown that is a monotonically decreasing function. Hence, if is approximately a translation of the function , then the intersection points of and can only be at and . This observation will be used in the next section. Note that a threshold of is equivalent to having no threshold rather than applying a nonrealistically large threshold.

#### 3. Performance of Antispoofing for LOS and NLOS Conditions

In this section, is determined for LOS and NLOS scenarios. This is generally done by first solving for the optimum threshold and then determining .

##### 3.1. LOS with Additive Noise

As defined in (1), the in-phase and quadrature components of the demodulated signal are normalized such that the additive noise is of unit variance for the in-phase and quadrature Gaussian components. With this, the LOS signal from the authentic signal will have a mean square magnitude of . Likewise the LOS from the SS will have a mean square magnitude of . Hence, the PDF of the square magnitudes of the correlation peaks corresponding to the authentic and spoofer signals will then be given as where is the noncentral chi-square PDF of variable with degrees of freedom (DOF), the noncentrality parameter , and the corresponding variance of the Gaussian parameter [9]. is plotted in Figure 3 as a function of for specific cases where and . As stated earlier, when the optimum threshold is , while for the optimum threshold is . This is tantamount to selecting the larger of the two peaks if the average power of the authentic signal is larger than the average power of the spoofer. Otherwise, choose the smaller of the two peaks if the average power of the spoofer is larger than the average power of the authentic signal. This trivial conclusion is a manifestation of the assumption that and are known, which is not generally the case.

Note that as is approximately a translation of the function then the intersection points of and can only be at and as observed before.

Figure 4 shows a plot of for a receiver with no spoofer mitigation, herein denoted by Rx, compared to the for a receiver with spoofer mitigation, herein denoted by SMRx, with for and for . The GNSS receiver with no spoofer mitigation is equivalent to setting . As such there is no difference in the performance of the GNSS receivers with and without spoofer mitigation when . However, for the case of , the effectiveness of the spoofer mitigation is clearly evident in the reduction of .

##### 3.2. NLOS with Additive Noise

In this section, it is assumed that and are again deterministic and known to the receiver. The PDFs of the magnitude of the correlation peaks corresponding to the authentic and spoofer signals are then be given as where is the central chi-square PDF of variable with 2 DOF, with a variance of each DOF of for the authentic signal and for the spoofing signal.

Figure 5 shows a plot of for a receiver with no spoofer mitigation (Rx) compared to the for a receiver with spoofer mitigation (SMRx) with for and for . Comparing Figure 5 with Figure 4, it is evident that the spoofer mitigation is more effective when a LOS rather than a NLOS scenario is encountered. Hence, when the spoofer and authentic signals are more random as in the NLOS case, distinguishing them based on the sample CNR is more difficult and hence, subject to higher .

Figure 6 shows as a function of and for various . The effectiveness of the spoofer countermeasure is again evident in the region where . The same behavior as before occurs, namely, that the optimum for spoofer power less than authentic power is while for spoofer power greater than authentic power is , which is again a manifestation of the assumed known average powers.

##### 3.3. Diversity NLOS with Additive Noise

Assuming a ring or a sphere of scatterers to model a typical urban environment, the signals arriving at antennas with an approximate separation of half a carrier wavelength, are statistically uncorrelated. Consequently, statistically independent samples of the receiver correlator output can be made available through accumulating successive samples of the correlator outputs as the receiver is moving. The CNR of each correlation sample is and for the authentic and spoofing signals, respectively, which are again assumed to be deterministic and known to the receiver.

A plot of based on independent samples is shown in Figure 7. Similar to the no diversity case with , the optimum for spoofer power less than the authentic power is , while for spoofer power greater than the authentic power, the maximum is . Again, this is reasonable as the spoofer and authentic signal is identically distributed except for the deterministic and known average powers. Clearly, if it is known that then the larger peak would correspond to the authentic signal more often than the lower peak.

##### 3.4. Measurement Uncertainty and Unknown Spoofer Average Power

In the previous sections, the outcome was a trivial optimization of as if and if , which resulted from the assumption that was known to the receiver. In this section, the more realistic multipath propagation case is considered where the average spoofer CNR is completely unknown. This is reasonable as the spoofer could be of arbitrary transmit power and range from the receiver. However, it will be assumed that is known approximately to the receiver. This is reasonable as the average power of a GNSS SV signal is approximately known in a multipath environment with the exception of factors such as shadowing and building penetration losses. Antenna orientation is typically not a factor as the multipath is distributed across a large angular sector.

As is unknown, it is reasonable to assume a uniform PDF for such that where is a constant. Consequently, can be found from (6) as Now the optimum can be found from which simplifies to Equation (13) can be solved to find the optimum . Figure 8 shows for based on a Rayleigh fading channel and (dB). As can be seen from this figure, is optimum for . This means that a finite threshold does not exist for and as such the proposed spoofing countermeasure does not reduce the spoofer effectiveness as is equivalent to a receiver with no spoofing countermeasure. However, as the diversity order increases, an optimum other than or can be found from (13). As will be shown in the next section, the optimum value of reduces and as such reduces the spoofer effective range.

##### 3.5. Relating Observations of Spoofer Effectiveness to Physical Range

Having evaluated for various scenarios, it is of interest to determine the spoofer effectiveness as a function of the physical range. The potential target area of the spoofer as illustrated in Figure 1 is conceptually the physical region in which is large enough to impact the navigation solution. In this section, an approximation of the physical range of spoofer effectiveness is determined based on the empirical path-loss model of order as where is a reference range, is the spoofer-receiver range, is the path-loss exponent, and is the average received spoofer CNR at .

For a LOS scenario with measurement errors, the PDFs of the SS CNR and SV CNR estimates are noncentral chi-square with DOF with denoting the number independent diversity branches used to estimate the CNR. can therefore be found by computing using (13) and substituting it in (6). Figure 9 shows for the spoofer mitigated receiver (SMRx) as well as a conventional Rx for various spoofer-receiver separations and . As can be seen from this figure, aSMRx significantly reduces the effectiveness of the spoofer through reducing . Also observed is that the higher the diversity order is, the more effective the spoofer mitigation is. For a Rayleigh fading channel, the PDFs of the spoofer and the authentic CNRs are central chi-square with DOF. can be found by numerically computing from (13) and setting it in (6). Figure 10 shows for an SMRx as well as a conventional Rx with no spoofing countermeasures. Note that the performance of the SMRx is significantly better than that of a conventional Rx with higher diversity branches resulting in better performance. In addition, Figures 11 and 12 compare the of SMRx and Rx under a generalized Rician channel with various -factors such that [10] where and are the Rician -factors associated with the SV and the SS channels, respectively. Similar to the LOS and the Rayleigh channels, a noticable improvement spoofer mitigation is realizable. In order to quantify the reduction in spoofer effective range, a heuristic metric is introduced here as where SRRF denotes the spoofer range reduction factor. The SRRF is computed for various channel scenarios and diversity branches and the results are summarized in Table 1.

#### 4. Conclusions

It was shown that a relatively unsophisticated standoff spoofer can effectively disrupt a large physical area. However, processing based on estimating the CNR of the spoofer and the authentic received signals and applying a straightforward threshold rule can significantly reduce the effectiveness of the standoff spoofer. This was shown for LOS, NLOS, and Ricean multipath conditions. If the average spoofer and authentic signal power is known then the setting of is trivial. However, if is completely unknown then it has a finite optimum, that is, a function of and the type of propagation environment detected by the receiver. An expression for computing the optimum was deduced and applied to various channels. The results demonstrated the effectiveness of the proposed spoofer mitigation technique. A heuristic metric of spoofer effectiveness (SRRF) was proposed. It was shown that SRRF is reduced by up to 75% for LOS, 45% for NLOS Rayleigh , and 60% for NLOS Rayleigh and 70% based on a Rician channel with for , hence aptly demonstrating the effectiveness of the proposed countermeasure approach.

#### References

- E. D. Kaplan and C. J. Hegarty,
*Understanding GPS: Principles and Applications*, Artech House, Norwood, Mass, USA, 2006. - B. M. Ledvina, W. J. Bencze, B. Galusha, and I. Miller, “An in-line anti-spoofing device for legacy civil GPS receivers,” in
*Institute of Navigation—International Technical Meeting (ITM '10)*, pp. 868–882, San Diego, Calif, USA, January 2010. View at Scopus - T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O'Hanlon, and P. M. Kintner, “Assessing the spoofing threat: development of a portable gps civilian spoofer,” in
*Proceedings of the 21st International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS '08)*, pp. 1198–1209, Savanna, Calif, USA, September 2008. View at Scopus - L. Scott, “Location assurance,”
*GPS World*, vol. 18, no. 7, pp. 14–18, 2007. View at Google Scholar · View at Scopus - L. Scott, “Anti-spoofing and authenticated signal architetures for civil navigation systems,” in
*Proceedings of the ION GPS/GNSS*, Portland, Ore, USA, September 2003. - W. C. Jakes,
*Microwave Mobile Communications*, IEEE Press, New York, NY, USA, 1974. - F. S. T. V. Diggele,
*A-GPS: Assisted GPS, GNSS, and SBAS*, Artech House, 2009. - S. Thurun, W. Burgard, and D. Fox,
*Probabilistic Robotics*, MIT Press, 2006. - S. Kay,
*Fundamentals of Statistical Signal Processing: Detection Theory*, vol. 2, Printice-Hall, Upper Saddle River, NJ, USA, 1998. - J. G. Proakis,
*Digital Communications*, McGraw-Hill, New York, NY, USA, 2001.