A Flexible GNSS Spoofer Localization System: Spoofing Discrimination and Localization Method

2.1 Overview of the PrDD Method

Suppose there are two receivers, and each can receive two signals identified by PRN code numbers. When the two receivers are synchronous, they can obtain raw measurements of the signals at the same instant t' and produce a synchronous PrDD as:

1

where ρ (t) is pseudorange at the moment t.

If both signals are spoofing signals and transmitted from the same antenna, they have the same propagation path to each receiver, and will be equal to zero. For example, in Figure 2, of the two spoofing signals is equal to , where is the real distance from the n-th receiver to the source of the i-th signal. Otherwise, if the two signals come from different sources, the propagation paths of the signals differ, and can be other values besides zero. For example, in Figure 2, of the two satellite signals is equal to , that of the first satellite signal and one of the spoofing signals is equal to , and both are not zero. Therefore, spoofing signals can be discriminated by the value of .

• Download figure
• Open in new tab
• Download powerpoint

FIGURE 2

Paths of authentic signals and spoofing signals

However, if the two receivers are asynchronous, they might obtain raw measurements of the signals at two different moments t″ and t′, respectively. Then, an asynchronous direct PrDD is:

2

As explained and demonstrated in our previous work (Wen et al., 2019), , needs correction to be useful for discriminating spoofing signals. The correction is approximating using and pseudorange rate.

In practice, pseudoranges are usually measured by signal transmit time and local time as:

3

where t_n is real receiver local time, δt_n is the receiver clock bias from reference time, is signal transmit time measurement, and c is the speed of light. Thus, convert pseudorange to signal transmit time, and the corrected asynchronous PrDD can be calculated by:

4

where is the pseudorange rate at the moment t, and the last two lines are tire correction to . In Equation (4), is obtained using two common raw measurements: signal transmit time and pseudorange rate. The latter raw measurement comes from carrier frequency, and the relation between pseudorange rate and carrier Doppler shift is , where f_D denotes carrier Doppler shift and f_T is nominal carrier frequency of signal.

The formation of in Equation (4) is the same as Equation (12) of Wen et al. (2019), which is approximately equal to in Equation (1) and can be used to discriminate spoofing signals based on asynchronous receivers. A detailed derivation of Equation (4) can be found in Wen et al. (2019).

However, due to unfavorable relative geometry, a certain pair of authentic signals could be easily misjudged as spoofing signals. An example is shown in Figure 13(a) and explained in Section 5.1. Thus, to improve performance and make the PrDD method more practical, we extend the PrDD method by using more than two receivers.

2.2 The Proposed Extended PrDD Method

In the spoofer localization system, at least four receivers are available, and it is natural to employ all of them to discriminate spoofing signals. More receivers mean that more spatial information can be obtained, which will improve the performance.

In practice, the central receiver collects periodic raw measurements from each peripheral receiver continuously, and calculates the PrDD for each pair of receivers and each pair of signals using Equation (4). Let for convenience, where l is an integer and Δt is the interval of two successive sets of measurements. As explained in Section 2.1 about Figure 2, for a pair of spoofing signals, the PrDD of all receiver pairings is equal to zero regardless of noise terms.

Consider two signals denoted by i and j. Based on Wen et al. (2019), when the receivers and spoofer are stationary, spoofing discrimination can be viewed as distinguishing between the two hypotheses:

5

where a and b are uncertain parameters that describe how s changes with time; w is the noise term, a random variable whose probability density function (PDF) is (0, σ ²) with σ uncertain; 𝔻 = {1, 2, …, N} is a set of integers used for numbering the receivers; and 𝔻² = {(n, m) |n ∈ 𝔻, m ∈ 𝔻, n < m} is the set of all possible two-receiver combinations. represents that both signals are spoofing signals, and represents a situation in which at least one of the two signals is authentic. In other words, means the total absence of authentic signals, and means the presence of them. A similar design was also adopted by Broumandan et al. (2015), Borio and Gioia (2016), and Wang et al. (2018).

There are two situations under : both signals are authentic, or one signal is authentic and the other is spoofing. Since a satellite keeps moving and the motion is approximately linear in a short period of time, the PrDD under these two situations can be seen as changing linearly with time as described in Equation (5).

According to Kay (1998), given the unknown parameters a, b, and σ, a generalized likelihood ratio test (GLRT) approach is suitable to solve the binary hypothesis testing problem. Suppose there are (2L + 1) available s[l] for each combination (n, m, i, j) and l ∈ [−L, L], L ≥ 1, a test statistic can be derived as:

6

where:

7

8

and I is an identity matrix. To be clear, l is used to number the PrDD measurements, all of which in Equation (7) are from past time but not future. When a decision is to be made, the past (2L + 1) PrDD measurements are collected as in Equation (7) and numbered from −L to L.

For two signals denoted by (i, j), a test statistic is calculated using Equation (6) for each two-receiver combination. Then, for all possible receiver combinations, we compare all the test statistics with a threshold γ to make a decision on or .

When signals i and j are both spoofing, is distributed as F_2,2L–1, an F distribution with 2 numerator degrees of freedom and (2L – 1) denominator degrees of freedom. First, consider only two receivers, such as the n-th and m-th receivers. If , it will be decided that both signals are spoofing. Otherwise, an error will be made if , which can be seen as a false alarm of the presence of an authentic signal. We define the probability of such error as the probability of false alarm P_FA. Therefore, for a given P_FA, the threshold can be determined by:

9

where Q_F (⋅) denotes the right-tail probability function of the corresponding F distribution, and is the inverse function. The right-tail probability function equals one minus the cumulative distribution function (CDF). Then, the measurements provided by other receivers are used following the same rule. Finally, we decide on . Alternatively, an overall test statistic can be expressed as:

10

and decide if T^{(i, j)} < γ.

The above rules show how to make a decision about either of the two signals, and the same rules should be followed for all possible signal combinations. Afterwards, all the signal combinations that lead to an decision should be designated as spoofing signals, while the remainder of signals should be seen as authentic.

Since we need to test every signal combination one by one, it is necessary to evaluate the complexity of this method. For a given L, the matrix F can be seen as constant, and F(F^TF)⁻¹F^T needs to be calculated only once. Besides, each element of s is calculated by Equation (4), of which the complexity is 𝒪(1). Therefore, the complexity of calculating test statistics using Equation (6) is 𝒪(L²). Suppose there are in total M_all signals of each receiver to be tested, and then to finish the test we need to calculate Equation (6) for times. Therefore, the complexity of testing these signals is .

2.3 Performance Analysis and Simulation Results

Generally, for a given threshold γ, the probability of detection P_D can be used to evaluate the performance of the GLRT detector. P_D is defined as the probability of deciding when is true, which means a successful detection of the presence of an authentic signal. For two signals denoted by (i, j):

11

When is true, is distributed as , a non-central F distribution with 2 numerator degrees of freedom, (2L – 1) denominator degrees of freedom, noncentrality parameter λ, and:

12

Therefore, P_D is affected by λ and γ. More precisely, according to Equations (9) and (12), it is affected by the total number of used measurements (2L + 1), P_FA, and the three unknown parameters a, b, and σ. Among these factors, a and b are decided by two factors: time difference t_B = t′ − t″, and the relative geometry of receivers, satellites, and spoofer. σ denotes the uncertainty of noise term w in Equation (5).

According to the model given in Equation (1), can be modeled as:

13

where and the relatively small random errors in are ignored. Thus, there may be a correlation between two test statistics, such as and , since correlates with . In consequence, it is very difficult to determine the probability in Equation (11) analytically or numerically, so we will use simulation results to evaluate P_D as proposed in Kay (1998).

First, a simulation is performed to show the influence of correlation. We take the Global Positioning System (GPS) L1 C/A code signal as an example. Suppose four receivers are placed as shown in Figure 3, forming a regular triangle with one of the receivers at the very center. The altitude is 100 meters, and Receiver 1 is placed at 116°E, 40°N. The distance between Receiver 1 and Receiver 2 is denoted by g. Assume the time is 5:30 on June 17, 2020 (GPS time). Ephemeris of a past time is public on the internet, and the positions of satellites in view can be calculated accordingly. We choose two satellites with the PRN code numbers of 1 and 22 and run Monte Carlo simulations for 10⁵ times. The model in Equation (13) is used to add Gaussian noise to PrDD measurements, and we assume each term at the right side has independent and identical distribution in the simulation. Thus, when we set to σ′, the distribution of will be . Then, the correct GLRT decisions are counted, and the frequency of them is regarded as empirical P_D. The results are shown in Figure 4, and the empirical P_D is labeled as Simulation. If in Equation (11) is assumed independent of each other, P_D will become:

14

• Download figure
• Open in new tab
• Download powerpoint

FIGURE 3

Receiver arrangements on the ground in the simulations

• Download figure
• Open in new tab
• Download powerpoint

FIGURE 4

Comparison between P_ind and empirical P_D, when P_FA = 0.01, L = 30, and t_B = 100 ms

the values of which are labeled as Independence in Figure 4. The results show that the correlation of test statistics would decrease P_D in this situation, compared with assumed independent test statistics. However, if at least one of the is large enough, P_D will approximate one regardless of the correlation, such as the red dotted line with circle markers in Figure 4.

It should be noted that the probability P_FA in Equation (9) is not about the overall test statistic in Equation (10). It is about a two-receiver combination test statistic, and is used to determine the threshold γ. The overall probability of false alarm can be expressed as:

15

Due to the correlation in Equation (13), it is also difficult to determine this probability analytically or numerically. Therefore, another simulation is carried out based on the settings in Figure 4. The model in Equation (13) is also used to produce the noise under , then count the incorrect GLRT decisions on , and use the frequency of these decisions as empirical . By sliding the threshold γ in a certain range, we can get the results shown in Figure 5, which shows the overall detector operating characteristics in this specific situation.

• Download figure
• Open in new tab
• Download powerpoint

FIGURE 5

Overall detector operating characteristics, when g = 100 m, L = 30, and t_B = 100 ms

As can be seen in Equation (11), the more usable receivers 𝔻 includes, the more elements 𝔻² has, and the larger P_D will be. Therefore, more simulations are run based on the simulations above to show to what degree an additional receiver can improve performance compared with two receivers, and moreover, how the factors mentioned above affect the performance. For a certain pair of signals, there are two situations under : both are authentic, or one is authentic and the other is spoofing. The simulations are based on these two situations, respectively.

In the following simulations, since P_D is affected by the relative geometry between satellites and receivers, we consider all possible signal combinations at a specific time, and the time is set to every 15 minutes from 00:00 through the whole day of June 17, 2020 (GPS time). Thus, there are in total 96 intervals, and each interval generates a group of PrDD measurements. We use the same method as above to add random noise, and run 2 × 10⁵ times simulations for each PrDD measurement. Then, we count the correct GLRT decisions and treat the frequency as P_D. At last, without loss of generality, we find the minimum P_D of the 96 groups of PrDD measurements to evaluate performance.

First, consider there is no spoofing attack, and all the signals that are received by the receivers are authentic. Under the conditions, set P_FA to 0.01 and L to 30, and then we get the results shown in Figure 6. There are nine curves in this figure, in the legend of which N = 2 means only Receiver 1 and Receiver 2 are used for simulation, i.e., 𝔻 = {1, 2}, N = 3 means 𝔻 = {1, 2, 3}, and N = 4 means 𝔻 = {1, 2, 3, 4}.

• Download figure
• Open in new tab
• Download powerpoint

FIGURE 6

Minimum P_D during a whole day, while P_FA = 0.01 and L = 30, without spoofing signals

While setting g to 200 m and t_B to 100 ms, simulation results are shown in Figure 7. When only two receivers are used, the minimum P_D is close to zero in all cases, which means there are always two authentic signals that will most possibly be misjudged as spoofing signals. However, when three or four receivers are used, the performance can be improved greatly, and especially, the blue curves with an asterisk marker show in that case that authentic signals can be correctly recognized with high confidence during the whole day. Besides, increasing L, g, or t_B is beneficial to improving performance. The influence of t_B is not readily intelligible, and a brief explanation is that, although t_B is usually not controllable, increasing t_B tends to magnify the double difference in satellite distances and thus leads to a bigger absolute value of the PrDD and a better performance.

• Download figure
• Open in new tab
• Download powerpoint

FIGURE 7

Minimum P_D during a whole day, while g = 200 m and t_B = 100 ms, without spoofing signals

Next, consider there is one spoofer. Generally, the spoofer position is unpredictable. We simply put the imaginary spoofer at 115.995°E and 39.995°N with an altitude of 150 m. The distance between the spoofer and Receiver 1 is about 700 m, and the elevation angle of the spoofer is about 4.07° from Receiver 1. The spoofer is assumed to replay the signals from GPS satellites without delay. Here, we only consider signal pairings that are composed of one authentic signal and one spoofing signal. Figure 8 shows the simulation results when we set P_FA to 0.01 and L to 30, and Figure 9 shows the results when g is set to 250 m and t_B = 100 ms. Similarly, the minimum P_D is also close to zero in all cases when using only two receivers, but using more receivers and increasing L or g still improves performance. However, in this situation, to attain comparable performance to that in Figure 6 and Figure 7, g has to be increased. Sometimes the direction of the spoofer is very similar to that of a certain satellite, and consequently, this method cannot distinguish the signal of this satellite from spoofing signals with full confidence, while two satellites typically do not have similar directions. The influence of g is much more significant in Figure 8, because the spoofer is much closer to the receivers than the satellites and increasing g greatly improves the relative geometry. However, increasing t_B does not yield any benefit for performance at all, because in that case, the difference in distances between this satellite and either of the two receivers is so close to that of the spoofer that there is little double difference to be magnified by t_B.

• Download figure
• Open in new tab
• Download powerpoint

FIGURE 8

Minimum P_D during a whole day, while P_FA = 0.01 and L = 30, with spoofing signals

• Download figure
• Open in new tab
• Download powerpoint

FIGURE 9

Minimum P_D during a whole day, while g = 250 m and t_B = 100 ms, with spoofing signals

Thus, to make better use of this method, it is suggested to use more receivers and increase the distance between them as much as possible. Besides, improving the accuracy of the measurements, i.e., decreasing σ, is certainly helpful.

In summary, by using multiple receivers, the extended PrDD method is superior to the previous PrDD method based on only two receivers. The simulation results show that this method can discriminate spoofing signals with high confidence at any point in a day. Furthermore, the effectiveness of this method has also been verified by a field experiment described later in Section 5.1.

3.1 The QSSL Method

Suppose there are N usable receivers, the unknown true position of the n-th receiver is p_n = [x_n, y_n, z_n]^T, n = 1, 2, …, N, and a spoofer is located at p₀ = [x₀, y₀, z₀]^T. The distance of the spoofer from the n-th receiver is denoted by r_n ∥p_n = − p₀∥, and the difference between r_n and r_m is denoted by r_n,m = r_n − r_m.

First, we use the raw measurements of authentic GNSS signals to estimate each receiver’s position p_n and local time bias δ t_n. According to Kaplan and Hegarty (2005) and later Xie (2009), this can be done by solving the equation:

16

where p⁽ⁱ⁾ denotes position of the i-th satellite and is regarded as precisely known from GNSS ephemeris. δ t_n and are defined in Equation (3), in which t_n and δ t_n are not known, but t_n + δ t_n is known as biased local time. Thus, after solving Equation (16), we get unbiased estimations and . Then, local time estimation of the n-th receiver is .

Next, we must estimate the range difference r_n,m between two receivers and the spoofer, which is to obtain TDOA measurements and transfer that TDOA data into a range difference. Since the receivers are not accurately synchronized, the raw measurements from different receivers may be obtained at different moments, but TDOA techniques require that the raw measurements be obtained at the same time. Thus, two special processes of raw measurements are needed. First, the pseudorange rate should be employed to transfer the difference of transmit time into a difference of distance. Second, the TDOA measurement needs to be synchronized using , and since is inaccurate, the TDOA measurement is quasi-synchronized. Therefore, let the index n of the central receiver be one, and using the measurements of the i-th spoofing signal, r_n,1 can be estimated by:

17

The deduction of Equation (17) is given in Appendix A. Then, including the measurements of all the other spoofing signals, the final estimation of is a weighted average of as:

18

where is the positive weight determined by the covariance of all , and .

Here, the estimation is seen as inaccurate since it has random errors in it. As is known, can be as accurate as tens of nanoseconds. The random errors in will go into and then . Tens of nanoseconds multiplied by c mean several to more than ten meters in terms of length. Such a level of random errors cannot be neglected, especially when the spoofer is not as far from the receiver. However, an accurate synchronization achieved by long cables would not bring such random errors. Therefore, the TDOA measurement obtained above is called quasi-synchronized.

With all the prior estimations, including receiver positions and range differences , TDOA equations can be formed as:

19

If we have more than three equations, i.e., N ≥ 4, an estimation of the unknown spoofer position p₀ can be obtained by solving these equations. We make use of an iterative WLS algorithm as follows. First, we decide on an initial guess of spoofer position . Second, we linearize Equation (19) by first-order Taylor series expansions about , and the (N – 1) equations can be expressed in matrix form as G₀ Δp = Δr, where G₀ is given in Equation (26), Δr is given in Equation (29), and . Third, estimate Δp as:

20

where W₀ is a weighting matrix. Finally, we return to the second step, replace with , iterate until convergence, at which point an estimation can be obtained. The mean square error (MSE) matrix is .

By now, the main purpose of locating the spoofer has been achieved. However, due to the existence of the spoofer, the previously obtained and δ can be refined by jointly solving Equation (16) and (19), which means to jointly estimate:

21

Still, an iterative WLS algorithm is introduced. First, since we have got an estimation as well as and , which can be denoted by:

22

it is natural to use them as the initial guess. Second, linearize Equation (16) and (19) by first-order Taylor series expansions about , and the equations can be expressed in matrix form as:

23

where:

24

25

and . Let [⋅]_k represent the k-th row of a matrix or the k-th element of a column vector. Then, when 1 ≤ k ≤ (N – 1):

26

27

28

29

and when 1 ≤ k ≤ M_n (M_n is the total number of available authentic signals of the n-th receiver):

30

31

Third, estimate ∆θ as:

32

where W is weighting matrix. Fourth, replace with return to the second step, and iterate until convergence. Now, a refined estimate of θ can be obtained, and its MSE matrix is . All the estimations in can attain the CRLB by selecting the right weighting matrix, which is detailed in Section 3.2.

3.2 Localization Accuracy Analysis

This subsection will analyze the CRLB of an unbiased spoofer position estimator.

In this problem, unknown parameters, given by θ in Equation (21), include spoofer position, receiver position, and receiver time. The observations include spoofer range difference and pseudorange , where . The random errors in and are assumed jointly Gaussian, respectively. includes measurements of spoofing signals, and includes those of real satellite signals. Spoofing signals and real satellite signals come from different sources, and thus we assume the measurement errors of spoofing signals and that of authentic signals are independent. Therefore, the PDF is:

33

where C is a constant, ε = [ε_2,1,ε_3,1,···,ε_N,1]^T is an error vector with its elements being:

34

, Q_r is the covariance matrix of ε, and Q_p is the covariance matrix of . Then, the log-likelihood function is:

35

Thus, the Fisher information matrix (FIM) is:

36

where:

37

When J (θ) has full rank, the covariance matrix of any unbiased estimation of θ is bounded below by J^–1 (θ).

Since all raw measurements are assumed to be unbiased and have independent Gaussian distributions, the WLS estimation of θ is also unbiased. Let , and then , which means this estimation attains the CRLB.

According to Shen and Win (2010) and Shen et al. (2010), the equivalent Fisher information matrix (EFIM) of spoofer position is given by:

38

and equals the upper left 3 × 3 submatrix of J^–1 (θ). Thus, the covariance matrix of any unbiased estimation of p₀ is bounded below by .

According to Cao et al. (2015) and matrix inversion lemma in Zhang (2017), substitute Equation (37) into (38), and then:

39

where:

40

Therefore, let , and then the about Equation (20) is equal to regardless of the errors in G₀. As explained in Ho et al. (2007) and Wang and Ho (2013), the decrease in localization accuracy due to errors in G₀ is insignificant. We will verify through simulation in Section 3.4 that, when the errors in and are not large, the estimation of Equation (20) also attains the CRLB.

3.3 Localization on the Same Height

This subsection considers a special situation in which all the receivers and the spoofer are of the same height, such as on the surface of the ground or sea. In that case, in Equation (20) does not exist, and estimating p₀ is impossible.

To successfully estimate spoofer position, the information about height should be made use of, which can be formulated by:

41

where h₀ denotes the height of spoofer, and h_n denotes the height of the n-th receiver. Then, at first, we determine the geodetic coordinates of both receivers and the spoofer, which means to calculate longitude, latitude, and height of and of (Hegarty & Kaplan, 2005). Second, linearize Equation (41) about , and then we have:

42

At last, we put Equation (42) together with Equation (23), continue the iterative WLS algorithm until convergence, and then θ can be estimated.

3.4 Simulation

In this subsection, another simulation is carried out to compare the performance of the WLS algorithm with the CRLB. Consider the four receivers in Figure 3 while g = 200 m. A spoofer is right above Receiver 1 with its altitude at 200 m. The time is assumed 12:00 on June 17, 2020 (GPS time). For convenience, suppose Q_ρ = I and Q_r = ν ²I + ν ²U, where U is a matrix with all its entries equal to one. According to Shen and Win (2010) and Shen et al. (2010), the trace of MSE matrix can be called average squared position error (ASPE) as , and squared position error bound (SPEB), an alternate form of the CRLB, is . Then, ASPE is bounded below by SPEB based on the properties of matrix trace, and Figure 10 depicts their curves under different values of ν, where ASPE are the results of l0⁵ simulations. It can be seen that the performance of the WLS algorithm attains the CRLB in this case.

• Download figure
• Open in new tab
• Download powerpoint

FIGURE 10

Comparison of SPEB and ASPE of spoofer position estimation