By John Nielsen, Ali Broumandan, and Gérard Lachapelle
Ubiquitous adoption of and reliance upon GPS makes national and commercial infrastructures increasingly vulnerable to attack by criminals, terrorists, or hackers. Some GNSS signals such as GPS P(Y) and M-code, GLONASS P-code, and Galileo’s Public Regulated Service have been encrypted to deny unauthorized access; however, the security threat of corruption of civilian GNSS signals increases constantly and remains an unsolved problem. We present here an efficient approach for the detection and mitigation of spoofed GNSS signals, as a proposed countermeasure to add to the existing system.
Current methods to protect GPS civilian receivers from spoofing signals are based on the cross-check with available internal/external information such as predictable characteristics of the navigation data bits or correlation with ancillary inertial-based sensors; alternately, a joint process of signals received at two separate locations based on processing the P(Y)-code.
The authentic GNSS signal sourced from a satellite space vehicle (SV) is very weak at the receiver’s location and is therefore vulnerable to hostile jamming based on narrowband noise radiation at a modest power level. As the GNSS frequency band is known to the jammer, the effectiveness of the latter is easily optimized by confining radiation to within the GNSS signal band. The jammed GNSS receiver is denied position or time estimates which can be critical to the mission. While noise jamming of the GNSS receiver is a threat, the user is easily aware of its existence and characteristics. The worst case is that GNSS-based navigation is denied.
A more significant jamming threat currently emerging is that of the spoofing jammer where bogus signals are transmitted from the jammer that emulate authentic GNSS signals. This is done with multiple SV signals in a coordinated fashion to synthesize a plausible navigation solution to the GNSS receiver. There are several means of detecting such spoofing jammers, such as amplitude discrimination, time-of-arrival discrimination, consistency of navigation inertial measurement unit (IMU) cross-check, polarization discrimination, angle-of-arrival (AOA) discrimination, and cryptographic authentication.
Among these authentication approaches, the AOA discriminator and spatial processing have been addressed and utilized widely to recognize and mitigate hostile attacks. We focus here on the antenna-array processing problem in the context of spoofing detection, with considerations to the pros and cons of the AOA discriminator for handheld GNSS receivers.
An exploitable weakness of the spoofing jammer is that for practical deployment reasons, the spoofing signals generally come from a common transmitter source. Hence, a single jamming antenna sources the spoofing signals simultaneously. This results in a means of possible discrimination between the real and bogus GNSS signals, as the authentic GNSS signals will emanate from known bearings distributed across the hemisphere.
Furthermore, the bearing of the jammer as seen from the GNSS receiver will be different than the bearing to any of the tracked GNSS satellites or space vehicles (SV). This immediately sets up some opportunities for the receiver to reject the spoofing jamming signals. Processing can be built into the receiver that estimates the bearing of each SV signal. Note that the relative bearings of the GNSS signals are sufficient in this case, as the bogus signals will all have a common bearing while the authentic GNSS signals will always be at different bearings.
If the receiver comprises multiple antennas that have an unobstructed line of sight (LOS) to the SVs, then there are possibilities of spoofing detection based on the common bearing of the received GNSS signals and eliminating all the jammer signals simultaneously by appropriate combining of the receiver antennas to form a pattern null coincident with the jammer bearing.
Unfortunately, the AOA discrimination will not be an option if the jammer signal or authentic signals are subjected to spatial multipath fading. In this case, the jammer and individual SV signals will come in from several random bearings simultaneously. Furthermore, if the GNSS receiver is constrained by the form factor of a small handset device, an antenna array will not be an option. As the carrier wavelength of GNSS signals is on the order of 20 to 25 centimeters, at most two antennas can be considered for the handset receiver, which can be viewed as an interferometer with some ability of relative signal-bearing estimation as well as nulling at specific bearings.
However, such an antenna pair is not well represented by independent isotropic field sampling nodes, but will be significantly coupled and strongly influenced by the arbitrary orientation that the user imposes. Hence, the handset antenna is poorly suited for discrimination of the spoofing signal based on bearing. Furthermore, handheld receivers are typically used in areas of multipath or foliage attenuation, and therefore the SV signal bearing is random with significant variations.
As we discuss here, effective spoofing detection is still possible for a single antenna GNSS receiver based on the differing spatial correlation of the spoofing and authentic signals in the proximity of the receiver antenna. The basic assumption is that the antenna will be spatially moved while collecting GNSS signal snapshots. Hence, the moving antenna generates a signal snapshot output similar to that of a synthetic array (SA), which, under some additional constraints, can provide an effective means of detecting the source of the GNSS signals from a spoofing jammer or from an authentic set of SVs.
We assume here an arbitrary antenna trajectory with the spoofing and authentic signals subjected to random spatial multipath fading. The processing will be based on exploiting the difference in the spatial correlation of the spoofing and the authentic signals.
Spoofing Detection Principle
Consider a GNSS handset receiver (Figure 1) consisting of a single antenna that is spatially translated in time along an arbitrary trajectory as the signal is processed by the GNSS receiver. There are L authentic GNSS SV signals visible to the receiver, along with a jammer source that transmits spoofing replicas of the same Lauthentic signals.
It is assumed that the number of spoofed signals range from 1 to L, which are coordinated such that they correspond to a realistic navigation solution at the output of the receiver processing. The code delay and Doppler associated with the spoofing signals will typically be different than those of the authentic signal. The basic technique of coordinated spoofing jamming is to present the receiver with a set of L signals that appear to be sufficiently authentic such that the spoofing and authentic signal sets are indistinguishable. Then the spoofing signals separate slowly in terms of code delay and Doppler such that the navigation solution corresponding to the L spoofing signals will pull away from the authentic navigation solution.
The focus herein is on methods where the authenticity of the L tracked GNSS signals can be tested directly by the standalone receiver and then selected for the navigation processing. This is in contrast with other methods where the received signals are transmitted back to a communication command center for verification of authenticity. The consideration here is on the binary detection problem of assessing if each of the 2L potential signals is authenti
c or generated by a spoofing source. This decision is based on observations of the potential 2L GNSS signals as the antenna is spatially moved through the trajectory.
The complex baseband signal at the output of the antenna, denoted by r(t), can be expressed as
where i is the GNSS signal index, the superscripts A and J indicate authentic and jamming signals respectively, p(t) shows the physical position vector of the moving antenna phase center relative to a stationary spatial coordinate system, ΛAi(p(t),t) and ΛJi(p(t),t) give the channel gain for the authentic and the spoofing signals of the ith SV at time t and position p, ci(t) is the PN coding modulation of ith GNSS signal, πAi and πJi are the code delay of ith PN sequence corresponding to the authentic and the spoofing sources respectively, fDiA and fDiJ are the Doppler frequency of the ith authentic and the spoofing signals and w(t) represents the complex baseband of additive noise of receiver antenna. For convenience, it is assumed that the signal index iε[1, 2,...,L] is the same for the spoofing and authentic GNSS signals. The spoofer being aware of which signals are potentially visible to the receiver will transmit up to L different spoofing signals out of this set.
Another simplification that is implied by Equation 1 is that the message coding has been ignored, which is justifiable as the GNSS signals are being tracked such that the message symbol modulation can be assumed to be removable by the receiver by some ancillary process that is not of interest in the present context. The objective of the receiver despreading operation is to isolate the channel gains ΛA(p(t),t) ΛJ(p(t),t), which are raw observables used in the subsequent detection algorithm.
It is assumed that the GNSS receiver is in a signal tracking state. Hence, it is assumed that the data coding, code phase of the spreading signal and Doppler are known inputs in the despreading operation. The two outcomes of the ith despreading channel for authentic and jamming signals are denoted as riA(t) and rkJ(t) respectively, as shown in Figure 1. This notation is used for convenience and not to imply that the receiver has knowledge of which of the pair of GNSS signals corresponds to the authentic or spoofer cases. The receiver processing will test each signal for authenticity to select the set of L signals that are passed to the navigation estimator.
The despread signals riA(t) and rkJ(t) are collected over a snapshot interval of tε[0,T]. As the notation is simplified if discrete samples are considered, this interval is divided into M subintervals each of duration ΔT such that the mth subinterval extends over the interval of [(m−1)ΔT,mΔT]for mε[1,,2,...,M]. The collection of signal over the first and mth subintervals is illustrated in Figure 2. ΔT is considered to be sufficiently small such that ΛAi(p(t),t) or ΛJk(p(t),t) is approximately constant over this interval leading a set of M discrete samples for each despreading output. From this the vectors form of channel gain sample and outputs of despreaders can be defined by
where ΛAi(p(mΔT),mΔT) and ΛJi(p(mΔT),mΔT) are the mth time sample of the ith despreader channel for the authentic and jamming GNSS signals.
The central tenet of the spoofing detection is that the array gain vector denoted here as the array manifold vector for the jammer signals ΛJ will be the same for all of the L spoofing signals while the array manifold vector for the authentic signals ΛA will be different for each of the L authentic signals. If the random antenna trajectory is of sufficient length, then the authentic signal array manifold vectors will be uncorrelated. On the other hand, as the jammer signals emerge from the same source they will all have the same array manifold vector regardless of the random antenna trajectory and also regardless of the spatial fading condition. This would indicate that a method of detecting that a spoofer is present to form the Mx2L matrix of all of the despreader output vectors denoted as r and given as
where it is assumed that M≥2L.
Basically what can be assumed is that, if there is a spoofer from a common source that transmits more than one GNSS signal simultaneously, there will be some residual spatial correlation of the observables of ΛJi with other despreader outputs of the receiver. Therefore, if operations of pairwise correlations of all of the 2L despreader outputs result in high correlation, there is a likelihood of the existence of spoofing signals. These pairwise correlations can also be used to distinguish spoofing from authentic signals. Note that even during the time when the spoofing and authentic signals have the same Doppler and code offset, the superposition manifold vector of ΛAi and ΛJi will be correlated with other spoofing manifold vectors. The pairwise correlation of the various spoofing signals can be quantified based on the standard numerical estimate of the correlation coefficient given as
where ri is the ith column vector of r defined in Equation 3, and the superscript H denotes the complex conjugate operator.
Toward Spoofing Detection
Figure 3 shows the spoofing attack detection and mitigation methodology:
- The receiver starts with the acquisition process of a given GNSS code. If, for each PN sequence, there is more than one strong peak above the acquisition threshold, the system goes to an alert state and declares a potential spoofing attack. Then the receiver starts parallel tracking on each individual signal.
- The outputs of the tracking pass to the discriminator to measure the correlation coefficient ρ among different PN sequences. As shown in Figure 3, if ρ is greater than a predefined threshold ϒ, the receiver goes to defensive mode. As the spoofer attempts to pull the tracking point off the authentic signals, the spoofer and authentic signals for a period of time will have approximately the same code offset and Doppler frequency. Hence, it may not be possib
le to detect more than one peak in the acquisition mode. However, after a while the spoofer tries to pull tracking mode off.
- The outputs of the parallel tracking can be divided into two groups: the J group is the data set that is highly correlated, and the A group is the set that is uncorrelated. It is necessary that the receiver antenna trajectory be of sufficient length (a few tens of the carrier wavelengths) such that M is moderately large to provide a reasonable estimate of the pairwise correlation.
- The A group will be constrained in size based on the number of observable satellites. Usually this is known, and L can be set. The receiver has control over this by setting the bank of despreaders. If an SV signal is known to be unobtainable due to its position in the sky, it is eliminated by the receiver. Hence the A group can be assumed to be constrained in size to L. There is the possibility that a spoofer will generate a signal that is clear, while the SV signal is obscured by shadowing obstacles. Hence a spoofing signal can inadvertently be placed in the A group. However, as this signal will be correlated with other signals in the J group, it can be transferred from the A to the J group.
- When the spoofing navigation solution pulls sufficiently away from the authentic solution, then the navigation solution can create two solutions, one corresponding to the authentic signals and the other corresponding to the spoofing signals. At this stage, the despreading code delay and Doppler will change such that the authentic and spoofing signals (corresponding to the same GNSS signal) will appear to be orthogonal to each other.
- Proper placement of the members in the J and A groups can be reassessed as the set of members in the A group should provide the minimum navigation solution variance. Hence, in general there will be a spoofing and authentic signal that corresponds to the GNSS signal of index i. If the spoofing signal in group J appears to have marginal correlation with its peer in group A and, when interchanged with its corresponding signal in group A, the latter generates a lower solution variance, then the exchange is confirmed.
We used two data collection scenarios in experiments of spoofing detection, based on utilizing a single antenna that is spatially translated, to demonstrate the practicality of spoofing-signal detection based on spatial signal correlation discrimination. In the first scenario, the spoofing measurements were conducted inside a modern three-story commercial building. The spoofing signals were generated by a hardware simulator (HWS) and radiated for a few minutes indoors, using a directional antenna pointing downward to affect only a small area of the building. The intention was to generate NLOS propagation conditions with significant multipath.
The second data collection scenario was based on measuring authentic GPS L1 C/A signals under open-sky conditions, in which case the authentic GPS signals are temporally highly correlated. At the particular instance of the spoofing and the authentic GPS signal measurement scenarios, the SVs were distributed as shown in Figure 4. The GPS receiver in both scenarios consisted of an active patch right-hand circular polarized (RHCP) antenna and a down-conversion channelizer receiver that sampled the raw complex baseband signal. The total data record was subsequently processed and consisted in acquiring the correlation peaks based on 20-millisecond coherent integration of the spoofing signals and in extracting the channel gains L as a function of time.
Figure 5 shows a plot of the samples of the magnitude of despreader outputs for the various SV signals generated by the spoofing jammer and authentic signals. The signal magnitudes in the spoofing case are obviously highly correlated as expected, since the jammer signals are all emanating from a common antenna. Also, the SNRs are moderately high such that the decorrelation due to the channel noise is not significant.
The pairwise correlation coefficient using Equation 4 are calculated for the measurement results represented in Figure 5 and tabulated in Table 1 and Table 2 for the spoofing and the authentic cases respectively. As evident, and expected, the correlations for the spoofing case are all very high. This is anticipated, as the spoofing signals all occupy the same frequency band with exception of small incidental shifts due to SV Doppler.
Spoofing signals generated from a common source can be effectively detected using a synthetic array antenna. The key differentiating attribute exploited is that the spoofing signals emanating from a single source are spatially correlated while the authentic signals are not. The method works regardless of the severity of multipath that the spoofing or authentic signals may be subjected to. The receiver antenna trajectory can be random and does not have to be jointly estimated as part of the overall spoofing detection.
A patent is pending on this work.
The experimental set-up used a Spirent GSS7700 simulator, National Instruments receiver (NI PXI-5600 down converter, and NI PXI-5142 digitizer modules), TECOM directional helical antennas as the transmitter antenna, and NovAtel GPS-701-GG as the receiver antenna.
JOHN NIELSEN is an associate professor at the University of Calgary.
ALI BROUMANDAN is a senior research associate in the Position Location And Navigation (PLAN) group at the University of Calgary. He obtained a Ph.D. in Geomatics Engineering from the University of Calgary in 2009.
GERARD LACHAPELLE holds an iCORE/CRC Chair in Wireless Location and heads the PLAN Group in the Department of Geomatics Engineering at the University of Calgary.