Professional Documents
Culture Documents
An INS Monitor Against GNSS Spoofing Attacks During GBAS and SBAS-Assisted Aircraft Landing Approaches Tanil - Gnss - 16
An INS Monitor Against GNSS Spoofing Attacks During GBAS and SBAS-Assisted Aircraft Landing Approaches Tanil - Gnss - 16
which the INS directly aids the GNSS tracking loops [30].
Unlike the prior work [1–6] assumed a tightly-coupled INS- where x0k refers to all the states in xk except r k .
GNSS integration in a Kalman filter, to be consistent with The main assumption in a Kalman filter is that the mea-
the GBAS and SBAS-assisted landing approaches, this work surements are uncorrelated over time. On the other hand,
assumes a loosely-coupled integration where the GBAS posi- r̂ LS
k in (6) are time-correlated. The reason is that the GBAS
tion solution (obtained from a weighted least squares estimator measurement noise ✏ in (1) is time-correlated due to the prior
using differential carrier-smoothed code ⇢) is directly fed to hatch (smoothing) filtering. Assuming time constant of the
a Kalman filter that calibrates INS (Fig. 1). hatch filter is larger than that of the multipath (⌧h > ⌧m ), the
time correlation of the measurement noise ✏ can be captured
A. GBAS-assisted Weighted Least Squares Estimator with a first-order Gauss Markov process driven with a white
noise ⇠ N (0, K) as
The GBAS measurement equation linearized about a nom-
2 13 2 ⌧ t 32 3 2 1 3
inal position, is represented for the k th time epoch as ✏k e h 0 ✏1k 1
6 .. 7 6 . 7 6 . 7 6 k. 1 7
6 .. 7
⇥ T
⇢ k = ek 1
⇤ rk
+ ✏k (1)
4 . 5 =4 5 4 .. 5 + 4 .. 5 (7)
| {z } c tk n
✏k
t n n
e ⌧h | ✏k{z 1 } | k{z 1 }
Gk | {z } | 0 {z }
✏k ✏k 1 k 1
h
where ⇢k is the differentially corrected carrier-smoothed code
measurement vector, ek is the line of sight matrix, r k is the where t and ⌧h are the GNSS receiver sampling time and
deviation on the position of the aircraft relative to the reference the hatch filter time constant, respectively. The components of
station, tk is the receiver clock error relative to the receiver of ✏ and superscripted from 1 to n are the errors corresponding
the reference station, c is the speed of light, ✏k ⇠ N (0, V k ) to the measurements obtained from different satellites.
is a vector containing the errors in ⇢k . The measurement error covariance V k is a diagonal matrix
Utilizing the measurement model in (1), the weighted least obtained from the hatch filter at steady-state. The error models
squares estimate r̂ LS
k of the position is obtained by
to construct V k are defined as a function of elevation of each
satellite in GBAS [35]. Incorparating this steady-state value
r̂ LS +
k = T r Gk ⇢k (2) of V k in the process model (7), the driving noise covariance
matrix K k is obtained as
where T r is the transformation matrix that extracts the position
r k from the augmented GNSS state vector [r k , c tk ]T and G+ k K k = (I 2
h) V k (8)
is the weighted pseudo-inverse matrix of Gk
To capture the correlation in Kalman filter equations, we
1
G+ T 1
k = Gk V k Gk GTk V k 1 (3) first obtain a zero-noise measurement model by substituting
(4) into (6) and augmenting the colored noise ✏k into the state
vector as [38]
2 3 Actual Trajectory
⇥ ⇤ rk
r̂ LS
k = I 0 T G
r k
+ 4 05
x k (9) Faulty GNSS Trajectory
| {z } ✏ (injected by spoofer)
k
Hk | {z }
xk
Nominal Trajectory
Then, we also augment the Gauss Markov process model for
✏ in (7) with the INS process model in (5) as Steady-state
Response Trajectory
xn k 0 xk 1 wk 1
= + ũk 1 +
✏k 0 ✏k 1 0 k 1
| {z } (10)
h
| {z } | {z } |{z}
x
xk 1 x
w xk
Fig. 2. Impact of the position fault and the consequent autopilot response
where wxk ⇠ N (0, W x ). to the spoofing attack on aircraft trajectory. The dotted line is the nominal
Given the augmented process model in (10), the Kalman or planned approach trajectory, the blue line represents the faulty positions
injected by the spoofer, the red line is the steady- state trajectory that the
filter time update is aircraft will maneuver and reach to after responding to the spoofed signal,
and the black curve is the actual flight path deviated from the nominal due
xKF
k =
KF
x x̂k 1 + x ũk 1 (11) to autopilots response to the spoofing attack. Note that the blue and red
trajectories are symmetric about the nominal approach line.
where xKF
k is the a priori estimate of x at time epoch k.
The measurement update at time epoch k gives the a
posteriori estimate x̂k as Under fault free conditions, the test statistic qk is centrally
x̂KF = xKF + Lk r̂ LS H k xKF (12) chi-square distributed with 3k degrees of freedom. For a given
k k k k
false alarm requirement, the threshold T 2 is determined from
where Lk is the Kalman gain at time epoch k, and optimally the inverse cumulative chi-square distribution. The INS mon-
computed by the aircraft estimator as itor alarms for a fault if qk > T 2 . Under faulted conditions,
qk is non-centrally chi-square distributed with a non-centrality
Lk = P xk H Tk (H k P xk H Tk ) 1
(13) parameter 2k ,
and P xk is the pre-measurement estimate error covariance of k
X
xk and is obtained as 2
k = E[ i ]T S i 1 E[ i ] (20)
T i=1
P xk = x P̂ xk 1 x + W xk 1
(14)
which is used to evaluate the performance of the monitor by
and P̂ xk is the post-measurement estimate error covariance of computing the probability of missed detection.
xk and computed as
III. MONITOR PERFORMANCE EVALUATION
P̂ xk = (I Lk H k )P xk (15) In this section, we derive an evaluation model for the
C. Kalman Filter-based INS Monitor performance of the proposed monitor by fusing the spoofed
measurements into the loosely-coupled Kalman filter estima-
We use an innovation-based INS monitor, which utilizes
tor and detector derived in the previous section. Using this
Kalman filter in a loosely-coupled INS-GNSS integration. The
evaluation model, we derive a methodology to quantify the
innovation vector at time epoch k is defined as
performance of the INS monitor in terms of integrity risk under
k = r̂ LS
k H k xKF
k (16) worst-case spoofing attacks with aircraft position tracking.
Cumulative test statistic q at time epoch k is defined as the A. Evaluation Model for Spoofing Monitor Performance
sum of weighted norm of the innovation vectors as To quantify the impact of the spoofing attack with position
k tracking on the proposed monitor performance, we construct
X
qk = T
Si 1
(17) a Kalman filter-based estimation error model capturing the
i i
i=1 impact of the spoofed measurements that contain the spoofer’s
tracking sensor errors and fault.
where S i is innovation vector covariance matrix
In a spoofing attack, the spoofer broadcasts raw code and
S i = H i P xi H Ti (18) carrier signals, which mimics the actual GNSS signals with
an additional fault
The proposed INS monitor checks whether the test statistic s
qk is smaller than a pre-defined threshold T 2 as ⇢k ⇢k I
s = + (f + eT r̃ s ) (21)
k k I | k {z k k}
qk < T 2 (19) f0
1 ment update as a function of the fault as
(t) ⌧h s +
+
⇢(t)
1 + ⌧h s x̂KF
k = I Lk H k xKF 00
k + Lk H k x k + Lk f k
| {z } (25)
0
Lk
⇢(t)
Substituting the Kalman filter time update equation (11) into
Fig. 3. Block diagram of the continuous carrier-smoothing system (hatch (25)
filter). The inputs ⇢(t) and (t) are the code and carrier measurements, 0 0
respectively. The output of the filter ⇢(t) is the carrier-smoothed code x̂KF
k = Lk
KF
x x̂k 1 + Lk H k xKF
k + Lk x ũk 1 + Lk f 00k
measurement. ⌧h and are the filter time constant and L1 carrier wavelength,
respectively. (26)
Let us define the state estimate error as x̃KF KF
k = x̂k xk .
Subtracting the INS process model (10) from (26) gives the
where ⇢sk and sk are the spoofed code and carrier signals,
state estimate error dynamics as
⇢k and k are the original code and carrier signals, and f 0k
0 0
is the resultant fault vector containing the spoofer’s position x̃KF
k = Lk
KF
x x̃k 1 L k w xk 1
+ Lk f 00k (27)
tracking estimation error r̃ sk = r̂ sk r k and the computed fault
f k. Similarly, the innovation vector under a spoofing attack is
Equation (21) assumes that the spoofer preserves the con- obtained by substituting (24) into (16) as
sistency in the code and carrier signals by using the same k = f 00k Hk x x̃k 1 w xk 1
(28)
fault for both the code and carrier signals. Otherwise, the
spoofing attack detected by the Code Carrier Divergence Augmenting the state estimate error model in (27), and the
(CCD) airborne monitors in [10]. Also, the spoofer’s position innovation model in (28) results in a performance evaluation
estimation error r̃ s in (21) is modeled as a white Gaussian model capturing the impact of the error in spoofer’s tracking
noise additive to the computed fault f k , which is a conserva- sensors and the fault on the state estimate error, and the
tive assumption. The reason is that, filtering or smoothing the innovation:
tracking noise will automatically cause a delay between the y yk 1 ⌥y
z }|k { z }| { z }|k {
spoofer’s position estimate and the aircraft’s actual dynamic KF 0 0
Substituting (24) in (12) gives the Kalman filter measure- threshold for detection which is the same as that in (19).
Since the error in altitude is the most critical in landing and
approach and vertical requirements are usually the most strin- h iT
T T
gent, it is convenient to evaluate the performance with respect B 1:k = B 1 . . . B k
⇥ ⇤ (40)
to vertical direction only. The error associated with the altitude B i = H k x Ak 1 I n⇥n 0n⇥n(k i)
"k can be extracted from x̃k using the row transformation 0
vector T " as where H i , x , Li , and Li for i = 1, 2, .., k can be extracted
"k = T " x̃k (33) using the evaluation model in (29), and n is the number of
Kalman filter measurements at each time epoch (n = 3 in the
where "k is normally distributed. loosely-coupled integration).
Cumulative test statistic qk in (17) is expressed in vector The magnitude ↵ in (38) is a scalar that is determined to
form as maximize the integrity risk Irk in (37), which is influenced
2 1 32 3
S1 1
by the spoofer’s position tracking sensor noise r̃ s . In Sec-
⇥ ⇤6 .. 7 6 .. 7 tions III-A and III-B, we explained how to compute the joint
qk = T1 . . . Tk 4 . 54 . 5 (34)
1
probability Pr |"k | > l, qk < T 2 for a given deterministic
Sk k error r̃ s . To statistically account for r̃ s in the worst-case fault
| {z } | {z }
derivation, we generate m number of samples r̃ s1 , r̃ s2 , . . . , r̃ sm
S 1:k1 1:k
from the normally distributed white error r̃ s ⇠ N (0, P s ) and
where S k is the innovation covariance obtained from Y k in compute the integrity risk for different values of ↵ as defined
(31) as in [6]:
Sk = T Y kT T (35) m
1 X
Irk (↵) = Pr (|"k | > l; ↵ | r̃ si ) Pr qk < T 2 ; ↵ | r̃ si
where T extracts the rows of y k corresponding to k . m i=1
Similarly, non-centrality parameter 2 of the cumulative test (41)
statistic in (20) is The worst-case value for the fault magnitude ↵ is determined
2 T 1 through one dimensional search to maximize Irk (↵) in (41).
k = E[ 1:k ] S 1:k E[ 1:k ] (36)
IV. PERFORMANCE ANALYSIS RESULTS
Using the Kalman filter-based evaluation model in (29), it
To test the performance of the proposed INS spoofing
is proved in [5] that E[x̃i Tj ] = 0 for all i j. Therefore, the
monitor, a covariance analysis with a B747 flight on GBAS-
cumulative test statistic qk obtained from innovations and the
assisted approach is simulated at the standard trimmed flight
altitude error "k obtained from the current state estimate error
conditions at 131 knots [17]. The aviation-grade IMU sensor
will be statistically independent. As a result, the integrity risk
specifications and the parameters for the GBAS error model
Irk can be written as a product of two probabilities as
defined in Appendix B are provided in Table I and Table II,
Irk = Pr (|"k | > l) Pr qk < T 2 (37) respectively. We assume that the airborne estimator has been
running at fault free conditions and has reached steady state
C. Kalman Filter-based Worst-case Fault Derivation before the spoofing attack starts.
A worst-case fault derivation based on a Kalman filter To quantify the impact of the spoofing attack period on
estimator using tightly-coupled INS-GNSS integration was the integrity risk, we obtained the worst-case fault profiles for
first introduced by the authors in [5, 6]. This derivation pro- different attack periods ranging from 152 to 232 s and com-
vides an analytical solution to the worst-case fault profile that puted the corresponding integrity risks assuming the spoofer
maximizes the Kalman filter estimate error associated with the has perfect position tracking sensors (i.e., r̃ sk = 0). As
most hazardous state "k while minimizing the cumulative test seen in Fig. 4, increasing the attack period causes higher
statistic qk or in other words, maximizing the integrity risk. integrity risks. The reason is that, increasing the spoofing time
In this work, we incorporate the same methodology to obtain allows the spoofer to inject faults to the system in a less
a worst-case fault solution for the GBAS systems utilizing aggressive way, slowly corrupting the estimation of INS states
loosely-coupled INS-GNSS integration in a Kalman filter. The
worst case fault history vector f 00w1:k that maximizes the failure TABLE I
mode slope E["k ]2 / 2k was derived in [5] as AVIATION - GRADE IMU E RROR PARAMETERS [16]
1 T
f 00w1:k = ↵ B 1:k S 1:k B 1:k ATk T T" (38) Parameter Value Unit
p
where Ak and B 1:k are the constant matrices defined in [5] Gyro angle random walk 0.001 deg/ h
as functions of the deterministic Kalman filter parameters as Gyro bias error 0.01 deg/h
⇥ ⇤ Gyro time constant 3600 s
Ak = A1k . . . Akk Accelerometer white noise 10 5 g m/s2
( 0 0 0
Lk x Lk 1 x . . . L1+i x Li if i < k (39) Accelerometer bias error 10 5 g m/s2
Aik = Accelerometer bias time constant 3600 s
Li if i = k
TABLE II
GBAS E RROR M ODEL PARAMETERS [36]
Integrity Risk
−3
10
Ionospheric vertical gradient 4 mm/km
Airborne receiver noise (AAD-B) 15 cm
−6
Number of ground antenna 4 - 10
Number of satellites in view 6 -
0
Satellite elevations 31o ✓ 63o deg 10
−9
3 ]
160 of [cm
180 6 a t ion rror
Spoo vi E
0
10 fing A 200 De king
ttack
Perio 220 9 d ard Trac
n n
d [s] Sta sitio
Po
−3
10 Fig. 5. The influence of spoofer’s tracking errors on detection performance
Integrity Risk
−6
10 0
10
Tightly coupled
Loosely coupled
−9 (GBAS)
10 −3
10
160 180 200 220
Integrity Risk
Fig. 4. The impact of spoofing attack period on the integrity risk. The results −6
are obtained for B747 GBAS-assisted approaches in the presence of worst- 10
case spoofing attacks when the spoofer is capable of tracking the aircraft
position with perfect accuracy.
−9
10
160 180 200 220 0 15 30 45 60
and thereby reducing the monitors ability to detect the spoofing Spoofing Attack Period 1−σ Position Tracking Error
[s] [mm]
attack. On the other hand, even though we conservatively
assumed that the spoofer tracks the aircraft position with Fig. 6. Comparison of performance of the INS monitors for the tightly
zero-error, the worst-case spoofing fault for a standard B747 and loosely-coupled systems. The integrity risk are given as a function of
approach of 150 s results in an integrity risk of less than spoofing attack period in the presence of worst-case spoofing attacks with
perfect tracking (left). The monitor sensitivity to the spoofer’s tracking error
10 9 , which satisfies the most stringent safety requirement for an example approach of 200 s is also given in terms of the integrity risk
in aviation [34]. (right). The integrity risk values for the tightly-coupled systems (black curves)
The results so far assume that the spoofer is able to estimate are obtained from the prior work in [5] and [6].
the exact position of the aircraft. In a more realistic scenario,
the errors in position tracking must be accounted for. There-
fore, we assume that the spoofers position estimate error is a due to uncertainties in the lever arm from the GNSS antenna
zero-mean white noise r̃ sk sequence. White noise is typical for location to the spoofer’s measuring point on the aircraft.
laser tracking errors. Utilizing (41), we illustrate how the INS The covariance analysis so far demonstrates the perfor-
monitor leverages the spoofers altitude tracking errors to detect mance of the INS monitor using loosely-coupled systems (i.e.,
spoofing attacks. Fig. 5 shows that for a position tracking error GBAS). The monitor performance for tightly-coupled systems
of more than 6 cm (1- ), the integrity risk always remains (i.e., shipboard landing and autonomous airborne refueling)
below 10 9 for spoofing attacks having a period of up to 200 was shown in the prior work [5, 6]. Fig. 6 compares detection
s. This 200 s attack period is conservative since the standard capability of the monitor implemented with the loosely and
B747 approach is 150 s and the spoofer have a limited range. tightly-coupled systems. The left plot shows the integrity risk
The results are promising because such tracking accuracy is values as a function of the spoofing attack period in presence
high considering existing high-grade position tracking systems of worst-case spoofing attacks with perfect position tracking.
(e.g., laser, radar, vision). Also, maintaining this high tracking The plot shows that the loosely coupled INS/GNSS integration
accuracy during whole approach of the aircraft is unrealistic results in a better integrity than the tightly-coupled integration
does. The reason is that the tightly-coupled integration scheme a 6 ⇥ 1 IMU bias vector that is modeled as a first order Gauss
gives the spoofer better opportunity to fuse the GNSS spoofing Markov process as
fault into the system and thereby corrupt the IMU biases. On
ḃ = F b b + ⌘ b (44)
the other hand, in a more realistic scenario where the spoofer
has position tracking errors, the right plot illustrates that the where ⌘ b represents the bias driving white noise and F b is a
monitor with the tightly-coupled systems is more sensitive to diagonal bias dynamic matrix, the elements of which are the
the spoofer’s tracking errors than that with the loosely-coupled negative inverses of the bias time constants of the sensors.
systems. For example, for the same spoofing attack period (200 Using (43), we augment the bias dynamics in (44) with
s), the tracking error (1- ) resulting in a 10 9 integrity risk the INS model in (42), which yields a process model for the
is 4 mm in the tightly-coupled systems, whereas it is 60 mm Kalman filter as
in the loosely-coupled systems. ẋn Fn Gu xn Gu Gu 0 ⌫ n
= + ũ +
ḃ 0 Fb b 0 0 I ⌘b
V. CONCLUSION | {z } | {z } | {z } | {z } | {z }
F x 0
Gw w
This work proposed a monitor to detect spoofing attacks Gu
during GBAS and SBAS-assisted aircraft final approaches. It (45)
is an innovation-based monitor using loosely-coupled IMU Defining w = Gw w, discrete form of the process model in
sensors and GNSS receivers. To evaluate the performance (45) is written as:
of the monitor, we first established a stochastic spoofing
integrity analysis methodology, then obtained the worst-case xk = xk 1 + ũk 1 + wk 1 (46)
spoofing fault that maximizes the integrity risk. The B747 where is the state transition0 matrix of the process model,
simulation results show that even when the spoofer achieves and is the discrete form of Gu . wk ⇠ N (0, W k ). The IMU
the worst-case scenario by closed-loop tracking of the aircraft measurement ũk can be treated as a deterministic input to the
position, the monitor is still highly effective in detecting process model in (46).
spoofing attacks during GBAS-assisted approaches with low
integrity risk. Also, different INS/GNSS integration schemes Appendix B
were evaluated by quantifying trade-offs between the loosely GBAS ERROR MODELS
and tightly-coupled navigation systems. It was found that the
tightly-coupled INS/GNSS monitor is more sensitive to the In this section, standard error models for GBAS differential
spoofer’s tracking errors. processing are given based on Ground Accuracy Designator-C
(GAD-C) and Airborne Accuracy Designator-B (AAD-B). The
total GBAS measurement error vector ✏ in (1) has a diagonal
ACKNOWLEDGMENT covariance matrix
The authors gratefully acknowledge the FAA for supporting 2 2 3
(✓1 )
this research. However, the opinions expressed in this paper 6 .. 7
are the authors alone and do not necessarily represent those V =4 . 5 (47)
of any other organization or person. 2
(✓n )
where (✓j ) is the standard deviation of the total GBAS
Appendix A measurement error corresponding to j th satellite, ✓ is the
INS KINEMATIC MODEL elevation angle, n is the total number of satellites.
The estimator in INS utilizes a kinematic model to predict is a function of elevation angle of satellites and com-
the aircraft motion as [14] posed of airborne a , ground station g , tropospheric t , and
ionospheric i standard deviations [35]
ẋn = F n xn + Gu u (42) q
where xn = [r, v, E]T is referred to as the INS state vector (✓) = 2 2 2
a+ g + t + i
2 (48)
including deviations in position vector r, velocity vector v, where a contains airborne receiver noise and multipath
n
and attitude vector E of the aircraft. F n is plant matrix of
m components [36]
the kinematic model, Gu is input coefficient matrix, and u = p
[f, !]T contains the deviations in specific force f and angular a =
2
n+ m
2 (49)
velocity ! relative to the inertial frame. and m is modeled as [35]
IMU measures the deviations in specific force and angular ✓/10o
velocity, and the IMU measurement ũ is expressed in terms m (✓) = 0.13 + 0.53 e (50)
of u in (42) as The residual tropospheric error for the airborne equipment
ũ = u + b + ⌫ n (43) t is computed as [35]
6
⌫ n is a 6 ⇥ 1 vector including accelerometer and gyroscope 10 h/h
t (✓) = N h0 p (1 e 0
) (51)
white noises, which are uncorrelated and zero-mean and b is 0.002 + sin ✓ 2
where N is the refractivity uncertainty transmitted by ground [10] Simili, D., V., and Pervan, B., Code-Carrier Divergence Monitoring
subsystem, h0 is the tropospheric scale height, and h is the for the GPS Local Area Augmentation System, 2006 IEEE/ION Po-
sition, Location, And Navigation Symposium, 2006, pp. 483-493. doi:
height of the aircraft above the GBAS reference point. 10.1109/PLANS.2006.1650636
The ionospheric error model is given as [35] [11] Parkinson, B. W., and Axelrad, P., Autonomous GNSS Integrity Moni-
toring Using the Pseudorange Residual, NAVIGATION, Washington, DC,
i (✓) = Fp ri
(xa + 2 ⌧h va ) (52) Vol. 35, No. 2, 1988, pp. 225-274.
[12] Humphreys, T. E., Ledvina, B. M., Psiaki, M. L., O’Hanlon, B. W.,
where ri is the standard deviation for the nominal iono- Kintner, P. M. Jr., Assessing the Spoofing Threat: Development of a
spheric vertical spatial gradient, xa is the slant range distance Portable GPS Civilian Spoofer, ION GNSS Conference, Savannah, GA,
September 2008.
between current aircraft location and the ground station, va is [13] Mark L. Psiaki, Steven P. Powell, and Brady W. OHanlon, GNSS
the horizontal aircraft velocity, and Fp is the vertical-to-slant Spoofing Detection Using High-Frequency Antenna Motion and Carrier-
obliquity factor defined as [35] Phase Data, Proceedings of the 26th International Technical Meeting of
The Satellite Division of the Institute of Navigation (ION GNSS 2013),
1 Nashville, TN, September 2013
Fp = s ✓ ◆2 (53) [14] Farrell, J. (2008). Aided navigation: GNSS with high rate sensors.
Re cos✓ McGraw-Hill, Inc.
1 [15] Misra, P., Enge, P. (2006). Global Positioning System: Signals, Mea-
R e + hI surements and Performance Second Edition. Lincoln, MA: Ganga-Jamuna
Press.
where hI is the ionospheric shell height. [16] Brown, R. G., P. Y. C Hwang, Introduction to Random Signals and
The total ground station error is composed of the ground Applied Kalman Filtering. 3rd Ed. New York: John Wiley Sons, 1997.
reference receiver errors g,r and the signal-in-space errors [17] Heffley, R. K., Jewell, W. F. (1972). Aircraft Handling Qualities Data.
[18] Ali Jafarnia-Jahromi, Ali Broumandan, John Nielsen, and Grard
g,s as [37] s Lachapelle, GPS Vulnerability to Spoofing Threats and a Review of Anti-
2 spoofing Techniques, International Journal of Navigation and Observation,
g,r
g (✓) = + 2
g,s (54) vol. 2012, Article ID 127072, 16 pages, 2012. doi:10.1155/2012/127072
M [19] Jovanovic, A.; Botteron, C.; Farine, P.-A., ”Multi-test detection and
protection algorithm against spoofing attacks on GNSS receivers,” in
where M is the number of reference station antennas. Position, Location and Navigation Symposium - PLANS 2014, 2014
The total ground reference receiver error including noise IEEE/ION , vol., no., pp.1258-1271, 5-8 May 2014
and multipath is modeled as [37] [20] Wesson, K. D., Rothlisberger, M. P., Humphreys, T. E., ”A Proposed
( Navigation Message Authentication Implementation for Civil GNSS Anti-
o
0.15 + 0.84 e✓/15.5 , ✓ 35o Spoofing,” Proceedings of the 24th International Technical Meeting of
g,r (✓) = (55) The Satellite Division of the Institute of Navigation (ION GNSS 2011),
0.24, ✓ < 35o Portland, OR, September 2011, pp. 3129-3140.
[21] Ledvina, M. Brent and Bencze, J. William and Galusha, Brian and
and the ground signal-in-space errors are modeled as [37] Miller, Issac, An In-Line Spoofing Module for Legacy GPS Receivers,
q in Proceedings of the US Institute of Navigation International Technical
g,s (✓) = 0.042 + 0.012 Fp (56) Meeting, 2010, pp. 698-712.
[22] G. W. Hein, F. Kneissl, J. A. Avila-Rodriguez, and S. Wallner, Authen-
ticating GNSS: Proofs Against Spoofs Part 2, GNSS magazine, pp. 5863,
2007
[23] Akos, Dennis M., Whos Afraid of the Spoofer? GPS/GNSS Spoofing
REFERENCES Detection via Automatic Gain Control (AGC), NAVIGATION, Journal of
[1] Khanafseh, S., Roshan, N., Langel, S., Chan, F., Joerger, M., Pervan, B., The Institute of Navigation, Vol. 59, No. 4, Winter 2012, pp. 281-290.
GPS Spoofing Detection Using RAIM with INS Coupling, ION PLANS [24] C. E. McDowell, GPS Spoofer and Repeater Mitigation System using
Conference, Monterey, CA, May 2014. Digital Spatial NullingUS Patent 7250903 B1, 2007.
[2] Tanil, C., Khanafseh, S., Pervan, B., The Impact of Wind Gust on [25] J. Nielsen, A. Broumandan, and G. Lachapelle, Spoofing detection and
Detectability of GPS Spoofing Attack Using RAIM with INS Coupling, mitigation with a moving handheld receiver, GPS World, vol. 21, no. 9,
IEEE/ION PNT Conference, Honolulu, HI, April 2015. pp. 2733, 2010.
[3] Tanil, C., Khanafseh, S., Pervan, B., Detecting GNSS Spoofing Attacks [26] Meurer, Michael, Konovaltsev, Andriy, Cuntz, Manuel, HŁttich, Chris-
Using Inertial Sensing of Aircraft Disturbance Response, submitted to the tian, ”Robust Joint Multi-Antenna Spoofing Detection and Attitude Es-
Journal of Navigation on March 2016. timation using Direction Assisted Multiple Hypotheses RAIM,” Pro-
[4] Tanil, C., Khanafseh, S., Pervan, B. GNSS Spoofing Attack Detection ceedings of the 25th International Technical Meeting of The Satellite
using Aircraft Autopilot Response to Deceptive Trajectory, ION GNSS+ Division of the Institute of Navigation (ION GNSS 2012), Nashville, TN,
Conference, Tampa, FL, September 2015. September 2012, pp. 3007-3016.
[5] Tanil, C., Khanafseh, S., Joerger, M., Pervan, B. Kalman Filter-based INS [27] S. Moshavi, Multi-user detection for DS-CDMA communications, IEEE
Monitor to Detect GNSS Spoofers Capable of Attacking Aircraft Position, Communications Magazine, vol. 34, no. 10, pp. 124135, 1996.
ION PLANS Conference, Savannah, GA, April 2016. [28] A. Jafarnia-Jahromi, A. Broumandan, J. Nielsen, and G. Lachapelle,
[6] Tanil, C., Khanafseh, S., Joerger, M., Pervan, B., An INS Monitor to GPS spoofer countermeasure effectiveness based on signal strength,
Detect GNSS Spoofers Capable of Tracking Vehicle Position, submitted noise power and C/N0 observables, International Journal of Satellite
to the IEEE Transactions on Aerospace and Electronics on July 2016. Communications and Networking, vol. 30, no. 4, pp. 181191, 2012.
[7] Joerger, M., B. Pervan, Kalman Filter-Based Integrity Monitoring Against [29] H. Wen, P. Y. R. Huang, J. Dyer, A. Archinal, and J. Fagan, Countermea-
Sensor Faults, Journal of Guidance, Control, and Dynamics, Vol. 36, No. sures for GPS signal spoofing, in Proceedings of the 18th International
2 (2013), pp. 349-361. Technical Meeting of the Satellite Division of The Institute of Navigation
[8] Steven Langel, Samer Khanafseh, Fang-C. Chan, and Boris Pervan, (ION GNSS ’05), pp. 12851290, Long Beach, Calif, USA, September
Tightly Coupled GPS/INS Integration for Differential Carrier Phase 2005.
Navigation Systems Using Decentralized Estimation, in Proceedings of [30] D.H Titterton, J.L. Weston, Strapdown Inertial Navigation Technology,
IEEE/ION PLANS 2010, Palm Springs, CA, May 2010. The American Institute of Aeronautics and Astronautics, 2004.
[9] Khanafseh, S. and Pervan, B. ”Autonomous Airborne Refueling of Un- [31] J. S. Warner and R. G. Johnston, GPS spoofing countermeasures,
manned Air Vehicles Using the Global Positioning System,” Journal of Homeland Security Journal, Dec. 2003.
Aircraft, Vol. 44, No. 5, Sep.-Oct. 2007 [32] P. F. Swaszek, K. C. Seals, S. A. Pratz, B. N. Arocho, and R. J. Hartnett,
GNSS spoof detection using shipboard IMU measurements, Proc. ION
GNSS+ 2014, Tampa FL, Sept. 2014.
[33] P. F. Swaszek, R. J. Hartnett, K. C. Seals, ”GNSS Spoof Detection using
Independent Range Information,” Proceedings of the 2016 International
Technical Meeting of The Institute of Navigation, Monterey, California,
January 2016, pp. 739-747.
[34] International Civil Aviation Organization. International Standards and
Recommended Practices, Annex 10, volume I: Radio Navigation Aids.
New Zealand, sixth edition, July 2006.
[35] RTCA DO-253C. Minimum Operational Performance Standards for the
Local Area Augmentation System (LAAS), December 2008.
[36] RTCA DO-245A. Minimum Aviation System Performance Standards for
the Local Area Augmentation System (LAAS), December 2004.
[37] McGraw, Gary A., Murphy, Tim, Brenner, Mats, Pullen, Sam, Van
Dierendonck, A. J., ”Development of the LAAS Accuracy Models,”
Proceedings of the 13th International Technical Meeting of the Satellite
Division of The Institute of Navigation (ION GPS 2000), Salt Lake City,
UT, September 2000, pp. 1212-1223.
[38] Crassidis, John L., and John L. Junkins. Optimal estimation of dynamic
systems. CRC press, 2011.