Rothmaier 2021

This article has been accepted for publication in a future issue of this journal, but has not been
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TAES.2021.3082673, IEEE
Transactions on Aerospace and Electronic Systems
IEEE TRANSACTIONS ON AEROSPACE AND ELECTRONIC SYSTEMS 1
A Framework for GNSS Spoofing Detection

through Combinations of Metrics
Fabian Rothmaier, Yu-Hsuan Chen, Sherman Lo, and Todd Walter, Stanford University
Abstract—We present a framework for GNSS spoofing detec- The cited work has focused on GNSS spoofing detection
tion combining an arbitrary number of metrics while guaran- through a single metric. [20], [21], [22] go further and combine
teeing a fixed maximum false alert probability. The detection several metrics measuring the shape of the autocorrelation
test assumes a simple form that makes it suitable for real
time applications. We define criteria for metrics to be used function that outperform monitors based on a single SQM
within this framework and demonstrate compatibility with a metric. The Power-Distortion detector presented in [23] and
range of commonly used metrics. We achieve a more than 70% its extension in [24] measure both the distortion of the auto-
reduction in worst-case missed detection probability compared correlation function and the total received power. This neatly
to conventional metric combination techniques. combines two complementary defense strategies. An attack
Index Terms—GNSS, spoofing detection, GLRT. that overpowers the authentic signals will cause a noticeable
increase in the received power. A spoofing attack carefully
I. I NTRODUCTION tuned to excite the victim’s antenna with a power level similar
to the authentic signals on the other hand will noticeably
GNSS is increasingly used as the main source for Position,
distort the peak of the autocorrelation function during signal
Navigation and Time (PNT) in safety of life applications. It
drag-off. The same complementary characteristic is leveraged
is the foundation of services like Performance Based Nav-
in [25] by combining Automatic Gain Control (AGC) and
igation and the aviation community is ”now dependent on
Cross Ambiguity Function monitoring. Similarly complemen-
uninterrupted access to GNSS PNT services” [1]. However, the
tary is a combination of DoA measurements and pseudorange
accuracy, availability and integrity of the service that has made
residuals as presented in [26]. DoA based techniques shine
satellite navigation a trusted cornerstone of PNT is nowadays
when all or a significant amount of the satellites in view are
challenged by increasing levels of interference.
spoofed from a single transmitting antenna. Should only a
Various types of GNSS interference exist, each posing
small subset of satellite signals be spoofed, the combination of
different challenges and threats. A classification specifically
authentic and spoofed pseudoranges received by the receiver
for the aviation sector is given by [2]. This paper focuses on
will start to disagree as soon as the attacker tries to alter the
the detection of intentional interference known as spoofing, a
victim’s position. Once again the attacker is trapped between
targeted attack where a malicious actor takes control of the
two complementary defenses. A more general approach to
victim’s position and/or time solution by broadcasting coun-
combine techniques is followed in [27] through the use of
terfeit GNSS signals. This takeover has been demonstrated,
belief functions. [28] presents the compelling general concept
among others by the authors of [3].
of a PNT trust-inference engine, but a lot of work remains
GNSS spoofing, its detection and mitigation is a field
to be done until its final implementation and it is unclear
of active research. A detailed review of GNSS spoofing or
how similar performance guarantees can be given as with the
common mitigation techniques is not the purpose of this paper,
approach followed in this paper.
and we assume a reader familiar with the topic. Overviews
All presented combinations of techniques known to the au-
of attack modes and common defense strategies are given by
thors are either limited to SQM based techniques, specifically
[4], [5] and [6]. The remainder of this paper will focus on
tailored to their respective metrics or have not been devel-
techniques that can be implemented by the user segment and
oped further than their general conceptual idea. Furthermore,
rely on GNSS signals alone. Specifically, we consider but do
especially in a safety of life application such as an aircraft, a
not limit the application of this work to combinations of Signal
guarantee on the detector’s performance is essential as GNSS
Quality Monitoring (SQM) metrics like the ones presented
is meeting stringent Availability and Continuity requirements
in [7], [8], [9], [10], received power monitoring as in [11],
[29]. Neither of the prior complementary metric combinations
[12], pseudorange residual checks, and signal Direction of
has currently been designed for such a guarantee.
Arrival (DoA) based approaches described in [13], [14], [15],
This paper makes several contributions towards an optimal
[16], [17]. But we exclude encryption-based defenses like the
decision about the presence of an attack based on any number
one presented in [18] and defenses based on drift monitoring
of techniques. We present the Generalized Likelihood Ratio
with the help of inertial sensors such as in [19]. The goal
Test (GLRT) as a general framework for a wide range of
is to support the most educated decision on the presence of
metrics. We formalize algorithms to combine GLRTs with
a spoofing attack by the GNSS receiver itself and without
traceable performance values and demonstrate how to combine
changes to the GNSS signal structure.
several metrics in a single GLRT for increased performance.
Manuscript received We finally present application examples of two common
0018-9251 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: BOURNEMOUTH UNIVERSITY. Downloaded on July 01,2021 at 10:51:00 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TAES.2021.3082673, IEEE
metric combinations in a worst-case simulation and using the In a setup of multiple monitors, the false alert budget needs
TEXBAT dataset [30] and make suggestions for future metric to be allocated among the monitors to guarantee the overall
combinations. compliance with the constraint. Thanks to the associativity of
In this paper we focus on the theoretical derivation of the boolean AND and OR operators, a sequence of operations
framework. It is complemented by a conference paper [31] can be broken down into a recursive series of operations with
that entails a measurement model calibration and application two arguments each. The following statements are therefore
examples in an attempt to validate the theoretical derivations. sufficient for combinations of any number of monitors. This
The remaining paper is organized in three main sections and concept is well established in the integrity community as a
a summary and conclusions. Section II considers processing continuity fault tree [36], [37], [38].
separate metrics in individual monitors, a concept known as We work with the definition of the probability of false alert
the continuity fault tree. Section III presents the GLRT applied PF A to be the conditional probability of an alert given nominal
to spoofing detection and how multiple metrics can be joined conditions. We denote nominal conditions from here on as the
in a single test. In section IV we then apply the presented null hypothesis H0 and spoofed conditions as the alternate
concepts to two examples of metric combinations. hypothesis H1 . For two monitors combined through an OR
gate, the PF A is then given by
II. A M ONITOR F RAMEWORK
PF AOR = P (alert1 ∨ alert2 |H0 )
A straight forward way to employ multiple metrics for
spoofing detection is to process each metric separately. In this = P (alert1 |H0 ) + P (alert2 |H0 )
(1)
paper we follow the Neyman-Pearson paradigm, minimizing − P (alert1 |H0 )P (alert2 |H0 )
missed detections while satisfying a constraint on the maxi- ≤ P (alert1 |H0 ) + P (alert2 |H0 )
mum probability of false alerts PF Amax [32]. Each separate
Neyman-Pearson detector is a function that maps evidence, The PF A from multiple monitors connected through OR
measurement model and its PF Amax to the binary decision gates is therefore less than or equal to the sum of individual
about the presence of a spoofing attack. The individual outputs false alert probabilities. If we let individual budgets αm sum
of each separate test are then combined through logical gates up to the total false alert budged PF Amax , the resulting PF A
to determine the overall decision. will be less than or equal to the total budget. Given M
We will now define the framework used for these com- monitors connected through OR gates, the PF A budget of the
binations to preserve the compliance with the constraint on mth monitor can hence be described by
PF A . They will then serve as baseline comparisons in the
examples in section IV. For the sake of simplicity we will PF A,m = αm (2)
limit this paper’s derivations to logical OR and AND gates
between individual monitors, but the presented concepts can such that
M
easily be expanded to other logical gates. OR gates are used
X
αm = PF Amax (3)
to combine complementary metrics in [33], [21], [22], [34] m=1
or to test for multiple hypothesis in parallel as in Receiver
Autonomous Integrity Monitoring (RAIM) [35] and in our The choice of individual αm is up to the designer. The
examples in section IV. AND gates are often used to represent PF Amax budget is shared among the monitors, individual
specific knowledge or assumptions about characteristics of the thresholds have to be set more conservatively than if monitors
attack as in [20] or as we show in section IV-B. were used by themselves.
The underlying assumption in a setup of multiple monitors When analyzing a detector’s performance, we consider the
is that metrics can be considered statistically mutually inde- probability of missing the detection of a specific attack, PM D .
pendent conditioned on either hypothesis. This assumption is We define it as the conditional probability of not raising
not necessarily correct at all times. Under nominal conditions, an alert given a threat model defined by H1 . Under the
unmodeled effects such as multipath or scintillation can for independence assumption, the overall PM D of M monitors
example affect various metrics simultaneously. Independence connected through OR gates is simply equal to the product of
is often assumed as an approximation as the true correlation individual missed detection probabilities.
model is not known [20], [23]. Just like the validity of any M
measurement model, this approximation has to be verified
Y
PM DOR = PM D,m (4)
for specific applications through measurement campaigns. We m=1
give one such example for flight data in [31]. Conditional
independence under spoofed conditions is assumed when For two monitors combined through an AND gate, the PF A
calculating the missed detection probability PM D for specific is given by
attack modes. We employ this assumption in the qualitative PF AAN D = P (alert1 ∧ alert2 |H0 )
analysis in sections III-C and IV-A. We reasonably assume that (5)
= P (alert1 |H0 )P (alert2 |H0 )
the framework presented in this paper as well as the common
techniques summarized in this section are similarly affected by The false alert probability of independent monitors connected
any unmodeled correlation, nevertheless we have to interpret through AND gates is equal to the product of individual false
these results with the appropriate caution. alert probabilities. For M monitors connected through AND
Equation (9), it describes the goal underlying all of the ensuing

work.
min P (log Λ(y) ≥ γ|H1 )

γ
(9)
s.t. P (log Λ(y) < γ|H0 ) ≤ PF Amax
γ is the detection threshold, Λ is the test’s decision variable

defined by
maxθ0 ∈Ω0 p(y|θ0 )
log Λ(y) = log (10)
Fig. 1. Continuity Fault Tree for an example setup of three monitors. An maxθ1 ∈Ω1 p(y|θ1 )
alarm is raised if either Monitor 1 raises an alarm, OR if Monitor 2A AND
Monitor 2B raise an alarm. Monitor 1 joins two metrics, Monitors 2A and
for a measurement or evidence y, distribution parameters
2B use one metric each. Parameters along the arrows indicate the PF Amax θi , and the parameter space under the ith hypothesis Ωi . The
budget that is allocated for each Monitor. parameters θi represent unknown aspects about the distribution
of y under either hypothesis, for example its mean. H0 is
rejected and a spoofing alarm raised if log Λ < γ.
gates, the PF A budget of the mth monitor is therefore given
The solution to Eq. (9), the detection threshold γ, requires
by
a solution to the inverse cumulative density function (cdf) or
PF A,m = βm (6)
quantile function of log Λ|H0 .
such that Z γ
M
Y PF Amax = p(log Λ|H0 )d log Λ (11)
βm = PF Amax (7) −∞
m=1 An analytic expression for the missed detection probability
Again the choice of βm is up to the designer. The PF A,1 PM D requires a description of log Λ|H1 .
budget of an individual monitor is increased when combined Z ∞
with a second monitor with β2 < 1. Detection thresholds can PM D = p(log Λ|H1 )d log Λ (12)
γ
overall be set more aggressively than if monitors were used
by themselves. An online monitor has to be able to solve at least Eq. (11)
The overall probability of detection is equal to the product for γ in real time, requiring a description of the probability
of individual detection probabilities. With Pdetection = 1 − distribution of p(log Λ|H0 ). To this end, we will now develop
PM D , the overall PM DAN D is therefore given by the general formulation in Eq. (10) for a special case of the
general Gaussian problem [32]: for evidence that is Normally
M
Y distributed with equal covariance Σ (usually the measurement
PM DAN D = 1 − (1 − PM D,m ) (8) noise) under H0 and H1 . The hypothesis differ only in the
m=1
means of the distributions, hence θi = µi .
We illustrate an example Continuity Fault Tree of three
monitors in Figure 1. The propagation of the PF A budget is y|H0 ∼ N (µ0 , Σ); µ0 ∈ Ω0
indicated along each branch. (13)
y|H1 ∼ N (µ1 , Σ); µ1 ∈ Ω1
III. T HE GLRT FOR S POOF D ETECTION This is a common pattern among spoofing detection ap-
The GLRT is a statistical hypothesis test between composite proaches. [22] gives Normal approximations for various auto-
hypotheses [32]. The unknown parameters of either hypothesis correlation distortion metrics, in [23] the received power and
are estimated through their Maximum Likelihood Estimate autocorrelation distortion metrics (the latter after some modi-
(MLE) before a decision is made. The GLRT has been fication) are characterized as Normally distributed variables or
employed for GNSS spoofing detection for example in [39], functions thereof, [35] and many others describe pseudoranges
[16] and [40]. While the test is not optimal in all cases, and for example [41], [14], [16], and [42] characterize or
we will demonstrate in the following sections that thanks to approximate DoA measurements through multivariate Normal
its generality many anti-spoofing tests can be formulated in distributions. While being of very different physical natures,
this framework and combined with reasonable computational many of the metrics employed for spoofing detection therefore
complexity. take very similar mathematical shapes when processed as in
the cited literature.
For Normally distributed evidence with equal covariance
A. The Solution to an Optimization Problem under either hypothesis Eq. (10) takes the form
We employ the GLRT to solve an optimization problem.
We attempt to minimize missed detections while satisfying a p(y|µ0 , Σ)
constraint on the probability of false alerts PF Amax and hence log Λ = log
p(y|µ1 , Σ) (14)
follow the Neyman-Pearson paradigm independent of prior 1 T
probabilities [32]. We formalize the optimization problem in = (µ0 − µ1 ) Σ−1 (y − µ0 + y − µ1 )
2
Similar to the first case, the GLRT now represents a χ2 -test of

where the µi are either known a priori or given by their how well the measurements match H1 . Under H0 2 log ΛCS
MLE. follows a noncentral χ2 with noncentrality parameter λ, under
H1 it follows a χ2 distribution with k degrees of freedom.
µi = arg max p(y|µ, Σ) (15)
µ∈Ωi
2 log ΛCS |H0 ∼ χ2k,λ
We can categorize the decision metrics by their respective (20)
parameter spaces Ωi in three separate scenarios described in 2 log ΛCS |H1 ∼ χ2k
the following and summarized in Table I. To determine a detection threshold γ that satisfies the con-
1) Simple H0 , composite H1 : This is the most common straint in Eq. (9) the distribution of log ΛCS |H0 and therefore
scenario. H0 is a simple hypothesis, we can precisely describe λ needs to be defined. This is dependent on the specific metric
the metric’s behavior under nominal conditions. Ω0 is equal and user profile and might not always be possible. Further
to a certain µ0 . Depending on the metric, µ0 is known by def- analysis is necessary to apply the concept of this paper to this
inition, obtained through calibration or parameter estimation scenario, for example through a conservative study of the worst
prior to the spoofing detection test. Similarly, the covariance case. This is left for future work. We do note that as shown in
Σ is usually obtained by calibration during trusted conditions. [17], with an available attitude estimate the defense presented
In the meantime, we are unsure about the metric’s mean in [16] can be turned into a simple vs. simple scenario detailed
under spoofed conditions (we for example don’t know the in the next paragraph.
pseudoranges and resulting residuals generated by a spoofer). 3) Simple H0 , simple H1 : This is the classic setup of the
For N measurements Ω1 = RN , H1 is a composite hypothesis. Neyman-Pearson test. For well-defined µ0 and µ1 , log ΛSS is
For a Normal distribution, the solution to Eq. (15) is given by described by Equation (14). This Likelihood Ratio Test (LRT)
µ1 = y and Equation (14) takes the form is the most powerful test according to the Neyman-Pearson
lemma [32]. The decision variable is conveniently Normally
1
log ΛSC = − ||y − µ0 ||2Σ−1 (16) distributed.
2
1
where the subscript SC indicates the mix of simple and log ΛSS |H0 ∼ N ( ||µ0 − µ1 ||2Σ−1 , ||µ0 − µ1 ||2Σ−1 )
2
composite hypothesis and the notation || ◦ ||2Σ−1 defines the 1
(21)
squared Mahalanobis distance. log ΛSS |H1 ∼ N (− ||µ0 − µ1 ||2Σ−1 , ||µ0 − µ1 ||2Σ−1 )
2
T
||y − µ0 ||2Σ−1 = (y − µ0 ) Σ−1 (y − µ0 ) (17) After some modification, many DoA based techniques can
be phrased this way [43], [17]. We will analyze an example
The GLRT essentially turns into a χ2 -test of how well the
of this scenario in section IV.
measurements match H0 . Under H0 , −2 log ΛSC follows a χ2
4) Partial definition of a hypothesis: The three scenarios
distribution with k degrees of freedom. Under H1 it follows
considered so far allow for only two options: Ωi = µi or
a noncentral χ2 with noncentrality parameter λ.
Ωi = RN . Either the mean under a hypothesis is known
exactly or completely unknown. It is however possible to
−2 log ΛSC |H0 ∼ χ2k have partial knowledge about its value. For example while
(18)
−2 log ΛSC |H1 ∼ χ2k,λ the expected received power under H1 is unknown, we might
assume that it is larger than under nominal conditions [11].
Metrics around the autocorrelation function, received power, Hence Ω1 = {x|x > µ0 }. Such partial knowledge can be
DoA measurements processed according to [41], and with introduced through a separate monitor connected through an
some modification pseudorange residuals belong to this cat- AND gate as shown in section II. We consider an example
egory. k ≤ N , depending on the number of independent of combining GLRTs with constraints on Ωi through this
measurements in y. λ and therefore PM D depend on the attack framework in section IV-B.
mode. We consider various examples of this scenario, each
with their respective k and computation of λ in section IV.
2) Composite H0 , simple H1 : For certain metrics we can B. The Joint GLRT
exactly define the behavior under H1 for a specific attack The simple forms of the general Gaussian problem intro-
mode, but not under H0 . An example is detection using the duced in the previous subsection have one major flaw with
carrier phase single difference between two closely spaced respect to the goal of this paper: they still are not specifically
antennas in [16]. Given an attacker using a single transmit- set up for multiple metrics. We now expand our considerations
ting antenna, all carrier phase differences align. Due to the to address this deficiency. We show how to process evidence
nonlinear relationship between satellite geometry and single from any number of metrics in a single, joint GLRT as opposed
differences, their distribution under nominal conditions can through separate tests for each metric.
not exactly be defined without knowing the orientation of the Multiple measurements of the same metric are likely cor-
antenna pair. In this case log Λ takes the form related. They then need to be considered in a single GLRT
1 with the covariance matrix Σ reflecting the correlation. [43]
log ΛCS = ||y − µ1 ||2Σ−1 (19) shows for example how to combine multiple correlated DoA
2
TABLE I
OVERVIEW OF GLRT SCENARIOS The families of Normal and χ2 distributions are closed
Scenario SC CS SS
under addition, the sums are Normal and χ2 distributed.
X
Ω0 , Ω1 µ0 , RN RN , µ 1 µ0 , µ1 2
log Λm |H0 ∼ N (µSS,0 , σSS )
m∈MSS
X
2
(µ0 − µ1 ) Σ−1 T log Λm |H1 ∼ N (µSS,1 , σSS )
log Λ(y) − 12 ||y−µ0 ||2Σ−1 1
2
||y −µ1 ||2Σ−1
1 m∈MSS
y − (µ0 + µ1 ) X (25)
2 −2 log Λm |H0 ∼ χ2kSC
m∈MSC
Received power, X
autocorrelation
Carrier
−2 log Λm |H1 ∼ χ2kSC ,λSC
Detection function m∈MSC
phase single Direction of Arrival
metrics distortion,
difference
pseudorange
residuals The distribution parameters are defined as the sums of the
parameters of the individual distributions defined in Eqs. (18)
and (21).
measurements in a single LRT for improved detection power. X
µSS,0 = µm |H0
The concept can be extended to combine different metrics
m∈MSS
of the same of the three scenarios outlined in section III-A. X
Keeping in mind our discussion in section II, we from now µSS,1 = µm |H1
on assume that measurements from different metrics are sta- m∈MSS
X
tistically mutually independent. 2 2
σSS = σm (26)
We concatenate all measurements in the vector y. Lever- m∈MSS
aging the independence assumption, we can factorize the
X
kSC = km
expression in Equation (10) into a product of likelihood ratios, m∈MSC
one for each metric. Depending on the combined metrics, X
log Λ is simply equal to a sum of terms of the forms in λSC = λm
m∈MSC
Equations (14), (16), and (19). For M metrics we write
M
X We denote the probability density function (pdf) of the
log Λ1:M = log Λm (22) combination under either hypothesis as p (log Λ1:M |Hi ) =
m=1 f1:M (z|Hi ). It is given by
We can expand the original optimization problem from

f1:M (z|H0 ) = pSS (z|H0 ) ∗ pSC (z|H0 )
Equation (9) with an emphasis on M mutually independent (27)
metrics. f1:M (z|H1 ) = pSS (z|H1 ) ∗ pSC (z|H1 )
M
! where symbol ∗ denotes the convolutionP product, pSS
X
min P log Λm ≥ γ|H1 and pSC are the respective pdfs of m∈M SS
log Λm and
γ
P
m=1 m∈MSC log Λm .
M
! (23) The distribution f1:M (z|H0 ) determines the detection
X
s.t. P log Λm < γ|H0 ≤ PF Amax threshold as given by (11). Depending on the metrics em-
m=1 ployed, the threshold depends on the number of satellites
in view or even the satellite geometry and therefore varies
The solution to Eq. (23) is straightforward if all used metrics continuously. Solving for the inverse cdf of f1:M (z|H0 ) would
are from the same of the three scenarios described in section require a numerical search for the solution to a double integral.
III-A and summarized in Table I, as the families of Normal This is likely not feasible to be computed with sufficient nu-
and χ2 distributions are closed under addition. merical accuracy in real time by a receiver. We therefore offer
The combination is less trivial if a spatial metric (scenario a solution to the convolution integral. The somewhat lengthy
2 or 3) is combined with a metric from scenario 1. derivation of our solution is given in Appendix A together
1) Scenario 1 and 2: This combination creates a sum of with a more numerically stable variation. The resulting pdf is
terms of the form of Eq. (16) and Eq. (19). As mentioned in
section III-A we leave an analysis of the more exotic case of
1 1 (z − µ)2
scenario 2 to future work. f1:M (z|H0 ) = 2k/4−1 σ k/2−1 √ exp −
2) Scenario 1 and 3: We denote the set of variables of 2π Γ(k/2) 2σ 2
∞
X1 √ l
scenario 1 as MSC and the set of variables in scenario 3 as z−µ
MSS . log Λ1:M is given by (− 2)l + σ Γ(k/4 + l/2)
l! σ
X X l=0
log Λ1:M = log Λm + log Λm (24) (28)
m∈MSS m∈MSC
for µ, σ and k given by µSS,0 , σSS and kSC in Eq. (26).

2
In Appendix B we prove the convergence of the infinite Y
PM DOR = P1,λi (C1−1 (1 − 0.5PF Amax )) (33)
sum in Eq. (28). A Matlab package for the type of distribution
i=1
defined by Eqs. (24 - 26) has recently been published in [44].
The detection threshold is equal to the inverse cdf F1:M −1 where
evaluated at PF Amax . • Pk,λ (x) is the cdf of the noncentral chi-squared dis-
tribution with k degrees of freedom and noncentrality
−1
γ = F1:M (PF Amax ) (29) parameter λ evaluated at x.
−1 2
• Ck (p) is the inverse χ cdf with k degrees of freedom
We solve Eq. (29) by minimizing
evaluated at p.
γ = arg min ||F1:M (γ|H0 ) − PF Amax ||2 (30) The joint monitor is a single χ2 test with two degrees of
γ
freedom. The PM D is given by
We compute values of F1:M (γ) through numerical integra-
tion of Eq. (28). Any cdf is an increasing function, the cost PM Djoint = P2,λ1 +λ2 (C2−1 (1 − PF Amax )) (34)
function is therefore unimodal. By the definition of log Λ1:M , λ1 and λ2 encode the power advantage and autocorrelation
γ further lies within the interval function distortion of different attack scenarios. We illustrate
the log ratio of the missed detection probabilities of both
1 −1 approaches through a contour plot in Figure 2 for different
Φ−1
µSS,0 ,σSS (PF Amax ) − CkSC (PF Amax ) values of λ1 and λ2 . Positive values correspond to PM DOR >
2
< γ < Φ−1 PM Djoint , indicating that the single joint GLRT outperforms
µSS,0 ,σSS (PF Amax ) (31)
the OR combination of individual monitors. We observe in
where Φ−1
µSS,0 ,σSS is the inverse cdf of a Normal distribution Figure 2 that this is the case for most combinations of λ1
with mean µSS,0 and standard deviation σSS . Ck−1 SC
is the and λ2 but not all. In situations where one λi is small and
inverse of the χ2 cdf with kSC degrees of freedom. the other large, the OR combination misses fewer detections.
A simple bracketing algorithm efficiently solves for γ with This represents situations when one of the two metrics shows
the interval of Eq. (31) as a reasonable initial bracket [45]. very little indication of an attack. In our simple example, this
This finally solves our original detection problem formulated could be the case for an attack with large power advantage
in Eq. (23). that results in no detectable distortion of the autocorrelation
The missed detection probability of this joint monitor is function. For extreme cases along the left and lower edge of
the tail of the cdf under H1 evaluated at γ. Since it is Figure 2 a simple monitor using only the more powerful metric
computed rather for performance analysis than in real time even outperforms both the OR combination or the joint GLRT.
by the receiver, it can be calculated by numerically solving Not surprisingly, adding a metric showing no indication of
an attack to the consideration is detrimental to the detection
Z γ probability.
PM Djoint = 1−F1:M (γ|H1 ) = 1− f1:M (z|H1 )dz (32) This simplistic example points to an important aspect. The
−∞ optimal choice and combination of detection metrics depends
We note here that evaluating Eq. (32) requires a detailed on the attack scenario. While adding metrics adds robustness
definition of H1 . Depending on the employed defenses, this towards detecting a larger variety of attacks, it can reduce
could be e.g. the attacker’s power advantage, the number of detection performance in specific edge cases. We will revisit
spoofed satellites or the induced position bias. this argument and observe similar results when analyzing more
complex examples in section IV.
C. A first Performance Comparison
IV. A PPLICATION E XAMPLES
We have now fully described a GLRT based on any number
We have now formalized how a decision based on a bank
of variables that each adhere to the form of the scenarios 1
of monitors using mutually independent metrics can be made
or 3 described in section III-A. We have characterized the
while guaranteeing PF A ≤ PF Amax , and how the same
probability distribution of the joint decision variable log Λ1:M ,
metrics can be used in a single GLRT. We will now consider
know how to compute the detection threshold γ and the
two complementary combinations of metrics proposed for
probability of missed detections.
example in [6] and implemented in [23], [46] and [26]. The
Before analyzing specific examples, we conduct a brief
code used to generate the examples in this section is avail-
analysis of the performance of this joint monitor. Let us
able at https://github.com/stanford-gps-lab/spoofing-detection.
consider a monitor with the received power and a single delta
git for the reader’s benefit.
metric on the autocorrelation function [7] at its disposal. Both
metrics belong to scenario 1 and form a simple vs. composite
GLRT, the decision variables of each individual monitor follow A. DoA and prr Evidence
the distribution given by (18). Assuming that the same PF A DoA measurements and pseudorange residuals (prrs) are
budget is allocated to each monitor, the PM D of an OR a compelling combination. DoA based approaches are very
combination is given by the standard form of the χ2 test. powerful means to detect spoofing if all signals are spoofed
50
where R ∈ RN ×N is the covariance matrix of N azimuthal
3
0
4
1
2.5
2
3.5
0.5
1.5
45 DoA measurements.
40
Multiplying the measurement equations by A takes the sin-
gle difference between measurements, making the hypotheses
35
3 independent of the nuisance parameter antenna heading [43].
2.5
30
1.
2
The decision variable log ΛDoA is distributed according to
1
5
Eq. (21), with µ0 = Aφ, µ1 = 0 and Σ = ARAT .
0
0.5
25
2) Pseudorange residuals: We introduce pseudorange off-
20
1
sets similar to the fault model defined for RAIM. We closely
15
0.5
follow the nomenclature and build upon the work in [48],
10 [35], [49] and [50]. RAIM is well known and documented, but
much less work has been done on spoofing attack models. We
0
5 0
0 therefore offer a detailed derivation of an attack that minimizes
0
0
0
10 20 30 40 50
pseudorange residuals for a given navigation solution bias. We
note that this problem setup and resulting worst case threat
model is analogous to, but different from the considerations
Fig. 2. Contour plot of log PM DOR − log PM Djoint for two simple
vs. composite monitors using a single measurement each as a function of
around RAIM with multiple faults in [50] and [49]. We start
noncentrality parameters λ1 , λ2 . Positive values indicate that the joint GLRT by defining pseudoranges to N satellites based on the linear
is stronger, negative values indicate that individual monitors combined through approximation to the position solution [51]
an OR gate is stronger.
y = Gx + Iss yb + (38)
from a single transmitting antenna and therefore are received
where
from the same direction [14], [15], [16]. But if only a
N
subset of satellites is spoofed, the detection power deteriorates • y ∈ R is the vector of N pseudorange measurements
significantly [42], [26]. Any disagreement between the subset minus the expected pseudorange for the all-in-view con-
of spoofed and the remaining authentic pseudoranges will verged position solution
N ×p
however cause an increase in the resulting residuals. Detection • G∈R is the geometry matrix
through prrs complements DoA based techniques well. • p is the number of states
p
We explore this combination in a comprehensive simulation • x ∈ R is the state vector update
s
study in the next paragraphs. We underline that for this type • yb ∈ R is the vector of s pseudorange biases introduced
of defense, the most dangerous attack can consist of only a by the attacker
N ×s
subset of spoofed satellites and show how the framework of • Iss ∈ R maps these to the N pseudoranges
N
this paper helps to protect against it. • ∈R is the measurement noise
1) DoA measurements: As we outlined in section III, DoA The measurement noise follows a Normal distribution.
measurements can be considered as a simple vs. composite
∼ N 0, W −1

or as a simple vs. simple test. Our goal in this example is to (39)
demonstrate the combination of a simple vs. simple DoA test
with the simple vs. composite test of pseudorange residuals. We assume an unbiased least-squares state estimator [51].
We therefore follow the simple vs. simple DoA formula-
tion and notation from [43], [17]. Any DoA measurements x̂ = Sy (40)
matching the format of the cited literature could be used.
For simplicity, we consider azimuthal DoA measurements as −1 T
obtained e.g. from a Dual Polarization Antenna [43], [47]. S = GT W G G W (41)
The hypothesis are defined by the differences between DoA
measurements Thanks to the unbiased estimator, a mean state bias xb is a
H0 : Ay = Aφ + A linear function of pseudorange biases.
(35)
H1 : Ay = A xb = Sss yb
(42)
with the vector of N azimuthal DoA measurements y, true Sss = SIss
DoAs φ, the banded matrix
  The χ2 statistic is given by [49].
1 −1 . . . 0 0
 0 1 −1 . . . 0 
A=  ∈ RN −1×N (36) ||y − Gx̂||2P = −2 log Λprr (43)
 ... 
0 0 . . . 1 −1 with −1 T
and Gaussian measurement noise. P = W − W G GT W G G W (44)
A ∼ N (0, ARAT ) (37)
100
−2 log Λprr matches the model of the simple vs. composite
decision variable described in Equation (18). The degrees of 80
freedom k and noncentrality parameter λ are given by
60
k =N −p 40
λ= ybT Iss
T
P Iss yb (45) 20
= yb Wss yb − xTb GT W Gxb

T
0
4 5 6 7 8 9 10 11 12
with
T
Wss = Iss W Iss (46) 10 0
yb depends on the attack scenario. We consider a spoofer

who knows the user position, satellite geometry, pseudorange 10 -2
covariance, used estimator and intentionally spoofs a specific
subset of satellites. The attacker might aim to minimize the
10 -4
chi-squared statistic while introducing a certain state bias.
Leveraging Eq. (45) this is achieved by solving the following
optimization problem 10 -6
4 5 6 7 8 9 10 11 12
min ybT Wss yb

yb
(47) Fig. 3. ”Worst case” subsets and their PM D depending on metric and
s.t. Sss yb = xb combination technique in % and on a log-scale. A 10 m offset in the z-
direction is caused by the attacker in every case.
When s ≥ p pseudoranges are spoofed, the spoofer can
introduce any state bias xb . Eq. (47) then describes a classic
weighted norm minimization problem with equality constraints would result in significantly reduced detection power [42].
[52]. The solution and vector of pseudorange biases is given If computational capabilities are limited, the single test or a
by greedy approach as presented in [42], [17] can be pursued,
resulting in elevated PM D values.
−1 T −1 T
−1 In Figure 3 we depict for each number of satellites the
yb = Wss Sss Sss Wss Sss xb (48)
maximum PM D across all possible subsets both in % and on
a log scale. The PM D values are empirical results of Monte
In this example we consider a scenario with 12 satellites Carlo simulations of 1 million measurements for each subset.
from a single constellation. Hence p = 4 states for 3 co- We show results for each metric alone, combinations through
ordinates and 1 clock unknown. The precise geometry can logical AND and OR gates as well as in a single joint GLRT.
be found in the code published on GitHub. The spoofer Figure 3 should be interpreted on a qualitative basis only, as
intentionally transmits between 4 and 12 satellite signals the absolute detection power depends entirely on the DoA and
to cause the same position offset xb . The complete list of pseudorange measurement covariance, satellite geometry and
simulation parameters is given by state bias xb .
xb = [0, 0, 10, 0]T Figure 3 provides a lot of valuable insights. Each metric
alone can be fooled when the right number of satellites is
W −1 = σpr
2
I(N ) spoofed. A combination of metrics through a logical AND is
σpr = 4m not sensible, a combination through an OR gate leads to good
2
(49)
R = σDoA I(N ) performance. Significantly improved performance in terms of
◦ the goal min max PM D is achieved by combining both metrics
σDoA = 30
in a single ”joint” GLRT, the maximum PM D value is reduced
PF Amax = 10−7 by 72%.
where I(N ) is an N × N identity matrix. The covariance If fewer than 6 satellites are spoofed, the residuals χ2 test
matrices are scaled identity matrices for simplicity but could outperforms the OR combination. For more than 10 spoofed
be any positive definite matrix. PF Amax sets the false alert satellites the OR combination and DoA only test outperform
probability per measurement epoch. the joint monitor. As indicated in the previous section, in edge
3) Monitor performance: On the defense side we assume cases the OR monitor can outperform the joint monitor. In
sufficient computational capabilities to test all subsets between the extreme cases the single metric tests even outperform the
4 and 12 satellites for spoofing, a total of 3797 tests. By OR test. The robustness to a wider variety of attack scenarios
testing multiple hypothesis, we take into account the fact delivered by the OR combination and joint monitor comes
that the receiver might be tracking a mix of spoofed and with small performance penalties in edge case scenarios.
authentic signals. In such cases, a single test on ”all N Choosing the right defense strategy based on the results
satellites spoofed” H1 against ”all N satellites nominal” H0 in Figure 3 is a question of game theory. The figure depicts
relation distortion metrics. The benefit of this combination of

metrics has been shown in [23], [55] and [46]. We first show
how the symmetric difference metric in [23] can be interpreted
as a joint GLRT of simpler metrics. We then demonstrate the
inclusion of partial information about the parameter space Ω1
through logical AND gates and finally present results on the
TEXBAT dataset [30].
Several means of measuring the received power are possible,
among others through the AGC gain [11], predespreading
structural power content analysis (SPCA) [12] or by analyzing
the discrete samples of the combined signal exiting the RF
front end [23]. The exact implementation varies with the user
environment and capabilities of the receiver. Any means can
be applied to the approach presented in this paper as long
as it matches the definitions given by the simple-composite
scenario in section III-A. In this example we will work
with the intermediate frequency input sample sigma as power
Fig. 4. Example of decision thresholds of OR, AND and ”joint”, all satisfying
the same PF Amax . Scattered points show simulated measurements of DoA, measurement.
prr when a subset of 7 out of 12 satellites in view are spoofed top
create a 10 Several metrics measuring the distortion of the autocorre-
m vertical position error. α1 = α2 = 21 PF Amax , β1 = β2 = PF Amax
for OR and AND thresholds respectively. lation function have been proposed in the literature [7], [8],
[9], [10], [34]. A detailed comparison or analysis of these
techniques is not the purpose of this paper, but rather a
an adversarial minimax game between the spoofer and the framework that applies to most of the presented techniques.
defense [53]: the spoofer wants to maximize his chances of The reader is encouraged to expand on this work by exploring
success by maximizing PM D (and will select the subset of further metrics in this framework. For illustration purposes we
satellites to spoof), while we on the defense side want to consider the symmetric difference metric D employed in [23].
minimize the maximum PM D possible (and select our de-
fense accordingly). A alternative defense philosophy would be |ξ(−τ ) − ξ(τ )|
the ”expectimax” strategy, maximizing the average detection D(τ ) = (50)
σN 0
probability instead of the worst case detection probability. [54]
offers a more detailed treatment of this interesting perspective
on the spoofing problem.
where τ is the offset of early and late correlator tabs, ξ(τ )
It is worth noting that the displayed values for a certain
is the complex value of the autocorrelation function at offset
number of spoofed satellites for the different metrics and
τ and the standard deviation of the correlation function due
combinations do not necessarily correspond to the same subset
to thermal and multi-access noise is σN 0 . Before assessing
of satellites. For each metric, a different subset of satellites
the performance on spoofing data, we show that D(τ ) is
might be the worst case for detection.
effectively a joint GLRT of simpler Delta metrics [7] applied
To illustrate and understand this result better, we examine a
to the In-phase (real) and Quadrature (imaginary) components.
situation for a specific set of 7 spoofed satellites in more detail
Squaring the nonnegative D(τ ) results in
in Figure 4. The figure shows a scatter plot of a Monte Carlo
simulation of the decision variables of both metrics, denoted
2 2
log Λ(yprr ) for pseudorange residuals and log Λ(yDoA ) for (R[ξ(−τ )] − R[ξ(τ )]) + (I[ξ(−τ )] − I[ξ(τ )])
D(τ )2 = 2
DoA measurements. For each metric smaller values indicate σN 0
spoofed conditions. Black lines show the decision thresholds (51)
for the three possible combinations of metrics, measurements Both the In-phase (real, R) and Quadrature (imaginary, I)
depicted to the left and below the thresholds cause an alarm. part of ξ(τ ) are under H0 Normally distributed with variance
Figure 4 shows how the single joint GLRT works particu- [23]
larly well in this situation, when both countermeasures show
an indication of an attack. Both the OR and AND combination σd2 = 2τ σN
2
0 (52)
miss a significant number of detections. We can further note
that the individual thresholds of the AND combination are set
more aggressively than of the OR combination to result in the
same PF A as outlined in section II. Each of the difference terms in (51) is then zero-mean
Normal with variance 2σd2 . We can hence normalize each of
the squared terms in Eq. (51) using the variance of (52) to
B. Power and Distortion Evidence obtain the sum of two squared, standard Normally distributed
As a second application example we apply the concepts of variables equal to a χ2 variable with 2 degrees of freedom.
this paper to a combination of received power and autocor- We further multiply the result with − 12 to obtain
2
D(τ )2 1 (R[ξ(−τ )] − R[ξ(τ )])
− =− 2
8τ 2 4τ σN 0
2
1 (I[ξ(−τ )] − I[ξ(τ )]) (53)
− 2
2 4τ σN 0
= log ΛD
Equation (53) now represents the sum of two log ΛSC
variables defined in Equation (16). A test on D(τ ) is hence
equivalent to a joint GLRT of Delta metrics applied to the
In-phase and Quadrature components.
Within the framework presented in this paper, the decision
metrics are the Delta metrics on R and I as well as the received
power metric P . We summarize their behavior under H0 in
Eq. (54).
P − P0 |H0 ∼ N (0, σP2 )
2
R[ξ(−τ )] − R[ξ(τ )]|H0 ∼ N (0, 4τ σN 0) (54)
2
I[ξ(−τ )] − I[ξ(τ )]|H0 ∼ N (0, 4τ σN 0)
where P0 is the expected power value obtained by calibration

during nominal conditions and σP2 is its variance as defined by
Fig. 5. D and normalized P measurements from TEXBAT scenarios ds1
[23]. We construct and compare two monitors, one traditional to ds4 together with detection thresholds for the OR monitor, joint monitor,
OR combination and the joint GLRT. For illustration purposes and the joint monitor when combined with the P − P0 > 0 constraint.
we map the Delta metrics on R[ξ] and I[ξ] to D(τ ) using Eq. Measurements within the threshold lines are correctly identified as nominal.
All spoofed measurements are correctly identified, except for scenario ds1 if
(51). the P − P0 > 0 constraint is enforced. Scenario ds1 represents a static switch
1) The OR monitor: We combine two GLRTs on P and where the attacker has direct access to the victim’s antenna cable. This allows
2
−D 8τ , each of the shape of Eq. (16), through a logical OR gate.
for an attack with lower transmitted power, violating the assumption inherent
to the P − P0 > 0 constraint.
We would further like to include the assumption that a spoofing
attack leads to an increase in expected power. We include it
as the constraint E[P |H1 ] > P0 by connecting an additional
Once again the 50% false alert rate of the P − P0 > 0 test
monitor P −P0 > 0 through an AND gate. This combination is
doubles the PF A budget available for the joint detector. The
valid since under nominal conditions the metrics are mutually detector is run on all N satellites in view, following Eq. (3)
independent sgn(P − P0 )⊥(P − P0 )2 ⊥D(τ ) . Formally, an
we once again have to divide the budget accordingly.
alarm is raised if
3) Monitor performance: We display results of scenarios
1 ds1 through ds4 of the TEXBAT dataset [30] as an example.
δOR = log ΛP < − C1 (1 − 2α1 )
2 The scenarios represent a static switch (ds1), a static over-

1 2 (55) powered time push with 10dB power advantage (ds2), a static
∨ log ΛD < − C2 1 − (PF A − α1 )
2 N matched-power time push with 1.3dB power advantage (ds3)
∧ (P − P0 > 0) and a static matched-power position push with 0.4 dB power
advantage (ds4). Figure 5 shows the measurements for every
where log ΛP is given by Eq. (16) with the distribution satellite during the nominal and spoofed period of the dataset.
defined by Eq. (54) and Ck (x) is the χ2 cdf with k degrees of We plot detection thresholds for the OR and joint monitor,
freedom. α1 is a hyperparameter that can be chosen according both with and without the P − P0 > 0 constraint. Instead of
to Eq. (3). P − P0 > 0 by itself has a false alert rate of displaying the log Λ values as in Figure 4, we map the values
β = 50%. Using Eq. (7) we see that this doubles the PF A to the P-D plane for a more intuitive interpretation and easier
budget for the two GLRTs. The test on log ΛD is run on N comparison with [23]. An alarm is raised if the measurements
satellites simultaneously, the PF A is split accordingly. One can lie outside the area encircled by the threshold, or above the
show that the GLRT on P is now equivalent to the Uniformly threshold if the P − P0 > 0 constraint is enforced.
Most Powerful (UMP) test [32]. At the beginning of each of the four scenarios, conditions
2) The joint monitor: All metrics in Eq. (54) belong to are nominal. The respective measurements can be observed to
scenario 3 of Table I. log ΛP,D = log ΛP + log ΛD (following lie within the threshold lines for either detection threshold,
Eq. (22)) of the joint GLRT is of the form of Equation (16). no alarm is raised. During pull-off, the distortion value is
An alarm is raised if increased temporarily. This effect is significantly stronger for

1 2 the attacks with smaller power advantage. We observe this
δjoint = log ΛP,D < − C3 (1 − PF A )
2 N (56) phenomena in Figure 5: the values of the low power advantage
∧ (P − P0 > 0) scenarios ds3 and ds4 are distributed much further along the
D axis than those of ds2. threshold.

We easily detect all four attacks due to the drastic change Such a constraint can easily be added to the framework
in received power. Only when the (P − P0 > 0) constraint presented here. It is implemented with an additional monitor
is enforced the attack of scenario ds1 remains undetected as connected through an AND gate. An alarm is raised, if the
the static switch comes with a decrease in power. This attack metric combination presented in this paper alerts, AND if
scenario is not foreseen in this monitor. the linear combination of ∆AGC and ∆C/N 0 is beyond the
A closer observation of the different detection thresholds threshold of [46]. As the linear combination is not statistically
underlines aspects already observed in Figure 2. The semi- independent of the received power used in the original monitor,
ellipse defined by γjoint for the most part draws a tighter we cannot increase the PF A budget for the original monitor
bound around nominal conditions than the rectangle defined as described in Eq. (7) but instead simply keep it constant.
by γOR , resulting in a smaller PM D . For D or P close to
0 however the rectangle draws a tighter bound and results in
more detections. The ideal defense depends once again on the V. C ONCLUSION
expected attack scenario. We can further observe the slightly This paper presents a mathematical framework to combine
tighter threshold obtained with including the (P − P0 > 0) any number of metrics for GNSS spoofing detection. We
constraint. define criteria for metrics to be used within this framework
From Figure 5, no detection strategy shows any obvious and demonstrate compatibility with a range of commonly
advantage. The spoofed data is well separated from the nomi- used approaches. The decision is cast by a single GLRT
nal data, and the precisely calibrated measurement models let and guarantees compliance with a maximum false alert prob-
us cast a tight threshold. Under more realistic conditions, we ability. We show examples combining DoA measurements
would likely have to work with larger model covariances re- with pseudorange residuals and combining received power and
flecting time-varying power levels, potentially light multipath autocorrelation function distortion metrics, achieving an up to
or scintillation effects. This would result in inflated detection 72% reduction in worst-case PM D compared to the traditional
thresholds, significantly inflating the rectangle and semi-ellipse approach to process metrics in separate hypothesis tests.
in Figure 5 and causing varying alert performance between The presented work further underlines that each metric
monitors. works well under different attack scenarios, and shows how
Figure 5 hints at another aspect. To avoid almost certain combinations of metrics can recover each other’s weaknesses.
detection, a stealthy attacker likely has to minimize the power The ideal combination depends not only on the particular
increase by lowering his/her own broadcasting power. This application’s cost budget but also on its threat space. A smart
creates for the attacker the risk to take over only a subset phone might be considered well protected with a combination
of satellite signals, resulting in a disagreement of authentic of the low-cost metrics received power, C/N 0, SQM and
and spoofed pseudoranges. This was already observed during pseudorange residuals. A transport aircraft on the other hand
scenario ds4 in [30]. A combined defense of received power, might require additionally spatial processing techniques.
autocorrelation distortion and pseudorange residuals thereby
To facilitate and encourage the reader to experiment with
becomes attractive. The residuals complement the presented
metric combinations for their specific application, relevant
defense for an attack scenario with small power increase where
code is published on GitHub.
a pull-off does not happen at the same time for all satellite
signals.
4) Practical Considerations: The values of P0 , σP and σd A PPENDIX A
are calibrated during nominal conditions at the beginning of
each scenario. Especially on a moving platform like an aircraft, We are looking for the pdf of the random variable Z defined
these reference values would likely have to be re-calibrated as
as e.g. the average received power varies over time [46]. The Z =X +Y (57)
defense mechanism only works if the last calibration happened
under nominal conditions. The autocorrelation metric further where X ∼ N (µ, σ 2 ) and −2Y ∼ χ2k .
only shows elevated values during pull-off, when the com- The pdf of Z is given by the convolution product
bination of nominal and spoofed signal distorts the peak. If
the attacker would lower the power after successful capture fZ (z) = pX (z) ∗ pY (z) (58)
and pull-off, the attack would be difficult to detect by either
where pX and pY denote the pdfs of X and Y respectively.
power or distortion monitoring. These two aspects underline
We follow the standard procedure to solve the convolution
the transient nature of these metrics.
integral and first formulate the cdf as
[46] has shown that a monitor based on power and
Z ∞Z z
distortion metrics can cause an elevated number of false alerts
under multipath. The authors show promising data that this FZ (z) = pX (t)pY (z − t)dzdt (59)
−∞ −∞
effect can be mitigated by considering C/N 0 along with
a change in received power expressed through a change in We switch the integrals and differentiate with respect to z
automatic gain control ∆AGC. An alarm is only issued if to get the pdf fZ . We further substitute u = t − z. pY (z) = 0
a linear combination of ∆AGC and ∆C/N 0 is beyond a for z > 0, we can therefore adjust the integration boundary.
before it gets ”overpowered” by the factorial function in

Z ∞ the denominator for large l and converges. This can lead to
fZ (z) = pX (t)pY (z − t)dt numerical instabilities when working with standard floating
Z−∞
∞ point precision. We therefore offer a numerically√more stable
= pX (u + z)pY (−u)du (60) formulation, leveraging the alternating sign of (− 2)l and the
Z−∞
∞
fact that log Γ(x) is readily available in standard computation
= pX (u + z)pY (−u)du packages. Note that the simplification in the given form is only
0 valid for z̃ 6= −σ. To simplify the notation we collect all terms
We now substitute in the pdfs and pull terms out of the before the infinite sum in c̃σ,k (z̃).
integral. ∞
X
fZ (z̃) = c̃σ,k (z̃) (1 − Uσ,k,m (z̃)) exp Vσ,k,m (z̃) (65)
1 1 m=0
fZ (z) = √
2πσ Γ( k2 ) where
Z ∞
(u + z − µ)2

k
√
exp − u 2 −1 exp (−u)du 2π z̃ + σ
0 2σ 2 Uσ,k,m (z̃) =
2m + 1 B(k/4 + m, 1/2)
1 1 (z − µ)2
=√ exp − Vσ,k,m (z̃) = m log(2) + 2m log(|z̃ + σ|) − log Γ(2m + 1)
k σ2
2πσ Γ( 2 )
Z ∞ + log Γ(k/4 + m)
u2

k z−µ (66)
u 2 −1 exp − 2 exp −u + 1 du
0 2σ σ2
(61) with the beta function B(x, y) and employing the equality
x! = Γ(x + 1).
where Γ is the gamma function. We now employ the power
P∞ l
series definition of the exponential function exp x = l=0 xl!
on the second exponential term in the integral. For notational A PPENDIX B
simplicity we collapse the normalization constants into the We want to show that the summation in Equation (28) and
constant cσ,k . We further work with a normalized z̃ = (z − (64) converges. We can prove its convergence over the entire
µ)/σ. range of z̃+σ by demonstrating that it is absolutely convergent
[56]. Formally we show that ∃ r ∈ R such that
z̃ 2 ∞ √ ∞
fZ (z̃) = cσ,k exp − X ( 2 |z̃ + σ|)l X
2 Γ(k/4 + l/2) = a(l) = r (67)
Z ∞ ∞
u2 X (−1)l z̃
l l!
k l=0 l=0
u 2 −1 exp − 2 + 1 ul du
0 2σ l! σ In this formulation
l=0
∞ l
z̃ 2 X (−1)l z̃

= cσ,k exp − +1 a(l) ≥ 0 ∀l = 0, 1, . . . (68)
2 l! σ
l=0
Z ∞
k u2
u 2 −1+l exp − 2 du We prove the absolute convergence through the ratio test:
0 2σ
(62) a(l + 1)
L = lim <1
Now we can finally solve the integral and get l→∞ a(l)
√
∞ l ( 2 |z̃ + σ|)l+1 Γ( k4 + l+1
2 )l!
z̃ 2 X (−1)l z̃

= lim √ (69)
fZ (z̃) = cσ,k exp − +1 l→∞ l!(l + 1)( 2 |z̃ + σ|) Γ( + l )
l k
2 l! σ 4 2
l=0 (63)
√ 1 Γ( k4 + 2l + 12 )
k l k k l = 2 |z̃ + σ| lim
2 4 + 2 −1 σ 2 +l Γ + l→∞ l + 1 Γ( k4 + 2l )
4 2
As |z̃ + σ| can take any positive real number, we need to show
Simplifying and collecting constants leads to our formula-
that the limit converges to 0 for l → ∞. We employ Stirling’s
tion of the pdf.
approximation [57] that describes the asymptotic behavior
k k 1 1 z̃ 2
fZ (z̃) = 2 4 −1 σ 2 −1 √ exp − Γ(x + y)
2π Γ(k/2) 2 ∼ xy (70)
∞ √ l l
(64) Γ(x)
X (− 2) (z̃ + σ) k l
Γ +
l! 4 2
l=0 for x y and get
In Appendix B we give a proof that the infinite sum converges.
12
Inspecting it in more detail we observe that the product √

1 k l
of power and gamma function assumes very large numbers L = 2 |z̃ + σ| lim + (71)
l→∞ l + 1 4 2
L’Hopital’s rule finally gets us the result [15] M. L. Psiaki, B. W. O’Hanlon, S. P. Powell, J. A. Bhatti, T. E.
√ Humphreys, and A. Schofield, “GNSS Spoofing Detection using Two-
− 12 Antenna Differential Carrier Phase,” in Proceedings of the 27th Inter-
2 k l
L= |z̃ + σ| lim + ∼0 (72) national Technical Meeting of The Satellite Division of the Institute of
4 l→∞ 4 2 Navigation, 2014, pp. 2776–2800.
[16] D. Borio and C. Gioia, “A sum-of-squares approach to GNSS spoofing
L asymptotically approaches 0, the series is absolutely detection,” IEEE Transactions on Aerospace and Electronic Systems,
convergent. vol. 52, no. 4, pp. 1756–1768, 2016.
[17] F. Rothmaier, Y.-h. Chen, S. Lo, and T. Walter, “GNSS Spoofing
Detection through Spatial Processing,” Accepted for publication in
ACKNOWLEDGMENT NAVIGATION, Journal of the Institute of Navigation, 2021.
[18] L. Scott, “Anti-Spoofing and Authenticated Signal Architectures for
The authors thank the Federal Aviation Administration Civil Navigation Systems,” Proceedings of the 16th International Tech-
(FAA) and the Stanford Center for Position Navigation and nical Meeting of the Satellite Division of The Institute of Navigation
Time (SCPNT) for sponsoring this research. The authors thank (ION GPS/GNSS 2003), 2003.
[19] Ç. Tanıl, S. Khanafseh, M. Joerger, and B. Pervan, “An INS Monitor
Prof. J. David Powell for his invaluable advice and guidance to Detect GNSS Spoofers Capable of Tracking Vehicle Position,” IEEE
during this research. Transactions on Aerospace and Electronic Systems, vol. 54, no. 1, pp.
131–143, 2018.
[20] K. Ali, E. G. Manfredini, and F. Dovis, “Vestigial signal defense through
R EFERENCES signal quality monitoring techniques based on joint use of two metrics,”
in IEEE PLANS, Position Location and Navigation Symposium. IEEE,
[1] RASG-MID, “RASG-MID SAFETY ADVISORY – 14 April 2014, pp. 1240–1247.
2019 GUIDANCE MATERIAL RELATED TO GNSS VUL- [21] A. Pirsiavash, A. Broumandan, and G. Lachapelle, “Two-Dimensional
NERATBILITIES,” ICAO, Tech. Rep. April, 2019. [Online]. Signal Quality Monitoring For Spoofing Detection,” in Navitec 2016.
Available: https://www.icao.int/MID/Documents/2017/RASG-MID6/ Noordwijk, Netherlands: ESA/ESTEC, 2016.
RSA14-GNSSVulnerabilities.pdf
[22] C. Sun, J. W. Cheong, A. G. Dempster, H. Zhao, and W. Feng, “GNSS
[2] I. Fernández-Hernández, T. Walter, K. Alexander, C. Hegarty, M. Appel,
spoofing detection by means of signal quality monitoring (SQM) metric
and M. Meurer, “Increasing International Civil Aviation Resilience :
combinations,” IEEE Access, vol. 6, pp. 66 428–66 441, 2018.
A Proposal for Nomenclature , Categorization and Treatment of New
[23] K. D. Wesson, J. N. Gross, T. E. Humphreys, and B. L. Evans, “GNSS
Interference Threats,” in Proceedings of the 2019 International Technical
Signal Authentication Via Power and Distortion Monitoring,” IEEE
Meeting of The Institute of Navigation, 2018, pp. 1–19.
Transactions on Aerospace and Electronic Systems, vol. 54, no. 2, pp.
[3] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O. Hanlon,
739–754, 2017.
and P. M. Kintner, “Assessing the Spoofing Threat : Development of a
Portable GPS Civilian Spoofer,” in Proceedings of the 21st International [24] J. N. Gross, C. Kilic, and T. E. Humphreys, “Maximum-likelihood
Technical Meeting of the Satellite Division of The Institute of Navigation power-distortion monitoring for GNSS-Signal authentication,” IEEE
(ION GNSS 2008), Savannah, GA, 2009, pp. 2314–2325. Transactions on Aerospace and Electronic Systems, vol. 55, no. 1, pp.
[4] A. Jafarnia-Jahromi, A. Broumandan, J. Nielsen, and G. Lachapelle, 469–475, 2019.
“GPS vulnerability to spoofing threats and a review of antispoofing [25] T. Zhang, X. Chen, D. He, and Y. Jin, “Performance Analysis and
techniques,” International Journal of Navigation and Observation, 2012. Tests for GNSS Spoofing Detection Based on the Monitoring of Cross
[5] C. Günther, “A Survey of Spoofing and Counter-Measures,” Navigation, Ambiguity Function and Automatic Gain Control,” in Proceedings of
Journal of the Institute of Navigation, 2014. the 2021 International Technical Meeting of The Institute of Navigation,
[6] M. L. Psiaki and T. E. Humphreys, “GNSS Spoofing and Detection,” 2021, pp. 98 – 110.
Proceedings of the IEEE, vol. 104, no. 6, pp. 1258–1270, 2016. [26] M. C. Esswein and M. L. Psiaki, “GNSS Anti-Spoofing for a Multi-
[7] R. E. Phelts, “Multicorrelator Techniques for Robust Mitigation of Element Antenna Array,” in Proceedings of the 2019 International
Threats To GPS Signal Quality,” Ph.D. dissertation, Stanford University, Technical Meeting of The Institute of Navigation, Miami, Florida, 2019.
2001. [27] H. Tao, H. Li, and M. Lu, “A method of detections’ fusion for GNSS
[8] E. G. Manfredini, F. Dovis, and B. Motella, “Validation of a signal anti-spoofing,” Sensors (Switzerland), vol. 16, no. 12, p. 18, 2016.
quality monitoring technique over a set of spoofed scenarios,” in 2014 [28] A. Molina-Markham and J. J. Rushanan, “Positioning, Navigation, and
7th ESA Workshop on Satellite Navigation Technologies and European Timing Trust Inference Engine,” in Proceedings of the 2020 Interna-
Workshop on GNSS Signals and Signal Processing, NAVITEC 2014 - tional Technical Meeting (ITM) of The Institute of Navigation ION. San
Proceedings. Noordwijk, Netherlands: IEEE, 2015, pp. 1–7. Diego, CA: The Institute of Navigation, 2020, p. 15.
[9] M. Troglia Gamba, M. D. Truong, B. Motella, E. Falletti, and T. H. Ta, [29] C. Hegarty, A. Odeh, K. Shallberg, K. D. Wesson, T. Walter, and
“Hypothesis testing methods to detect spoofing attacks: a test against the K. Alexander, “Spoofing Detection for Airborne GNSS Equipment,” in
TEXBAT datasets,” GPS Solutions, vol. 21, no. 2, pp. 577–589, 2017. Proceedings of the 31st International Technical Meeting of The Satellite
[10] A. Broumandan, R. Siddakatte, and G. Lachapelle, “Feature article: An Division of the Institute of Navigation (ION GNSS+ 2018), Miami,
approach to detect GNSS spoofing,” IEEE Aerospace and Electronic Florida, 2018, pp. 1350–1368.
Systems Magazine, pp. 64–75, 2017. [30] T. Humphreys, J. Bhatti, D. Shepard, and K. Wesson, “The Texas
[11] Dennis M. Akos, “Who’s Afraid of the Spoofer? GPS/GNSS Spoofing spoofing test battery: Toward a standard for evaluating GPS signal
Detection via Automatic Gain Control (AGC),” NAVIGATION, Journal authentication techniques,” in 25th International Technical Meeting of
of the Institute of Navigation, vol. 59, no. 4, pp. 281–290, the Satellite Division of the Institute of Navigation 2012, ION GNSS
2012. [Online]. Available: https://www.ion.org/publications/abstract. 2012, Nashville, TN, 2012, pp. 3569–3583.
cfm?articleID=102583 [31] F. Rothmaier, S. Lo, R. E. Phelts, and T. Walter, “GNSS Spoofing
[12] A. Jafarnia-Jahromi, A. Broumandan, J. Nielsen, and G. Lachapelle, Detection through Metric Combinations: Calibration and Application
“Pre-despreading authenticity verification for GPS L1 C/A signals,” of a General Framework,” in Proceedings of the 34th International
NAVIGATION, Journal of the Institute of Navigation, vol. 61, no. 1, Technical Meeting of the Satellite Division of the Institute of Navigation,
2014. ION GNSS+ 2021, St. Louis, Missouri, 2021.
[13] P. Montgomery, T. E. Humphreys, and B. Ledvina, “Receiver- [32] H. L. Van Trees, Detection, Estimation, and Modulation Theory, Part I.
autonomous spoofing detection: Experimental results of a multi-antenna New York: John Wiley & Sons, Inc., 2001.
receiver defense against a portable civil GPS spoofer,” in Proceedings of [33] A. Jovanovic, C. Botteron, and P. A. Fariné, “Multi-test detection and
the international Technical Meeting of the Institute of Navigation 2009, protection algorithm against spoofing attacks on GNSS receivers,” in
vol. 1, Anaheim, CA, 2009, pp. 124–130. Record - IEEE PLANS, Position Location and Navigation Symposium,
[14] A. Konovaltsev, S. Caizzone, M. Cuntz, and M. Meurer, “Autonomous 2014, pp. 1258–1271.
Spoofing Detection and Mitigation with a Miniaturized Adaptive An- [34] A. M. Khan, N. Iqbal, A. A. Khan, M. F. Khan, and A. Ahmad, “De-
tenna Array,” in Proceedings of the 27th International Technical Meeting tection of Intermediate Spoofing Attack on Global Navigation Satellite
of the Satellite Division of The Institute of Navigation, ION GNSS+ System Receiver through Slope Based Metrics,” Journal of Navigation,
2014. Tampa, Florida: Institute of Navigation, 2014, pp. 2937–2948. pp. 1–17, 2020.
[35] J. Blanch, T. Walter, P. Enge, Y. Lee, B. Pervan, M. Rippl, A. Spletter, Fabian Rothmaier is a PhD candidate at the GPS
and V. Kropp, “Baseline advanced RAIM user algorithm and possible Laboratory at Stanford University. He received his
improvements,” IEEE Transactions on Aerospace and Electronic Sys- B. Engr. degree from the University of Applied
tems, vol. 51, no. 1, pp. 713–732, 2014. Sciences Bremen, Germany in 2015 and his M. Sc.
[36] S. Lo, L. Boyce, T. Walter, P. Enge, B. Peterson, B. Wenzel, and degree from Stanford University in 2017.
K. Carroll, “Loran Fault Trees for Required Navigation Performance
0 . 3,” in ION NTM, Anaheim, CA, 2003, pp. 352–361.
[37] J. Fernow and D. O’Laughlin, “Estimating continuity of GNSS,” in
Proceedings of the 17th International Technical Meeting of the Satellite
Division of the Institute of Navigation, ION GNSS 2004, 2004, pp. 2113–
2123.
[38] M. Joerger, Y. Zhai, I. Martini, J. Blanch, and B. Pervan, “ARAIM
continuity and availability assertions, assumptions, and evaluation meth-
ods,” in ION 2020 International Technical Meeting. The Institute of
Navigation, 2020, pp. 404–420.
[39] A. Broumandan, A. Jafarnia-Jahromi, S. Daneshmand, and
G. Lachapelle, “A network-based GNSS structural interference
detection, classification and source localization,” in 28th International
Technical Meeting of the Satellite Division of the Institute of Navigation,
ION GNSS 2015. Tampa, Florida: Institute of Navigation, 2015, pp.
3358–3369. Yu-Hsuan Chen is a research associate at the
[40] D. Borio, “PANOVA tests and their application to GNSS spoofing Stanford GPS Laboratory. He received his Ph.D. in
detection,” IEEE Transactions on Aerospace and Electronic Systems, electrical engineering from National Cheng Kung
vol. 49, no. 1, pp. 381–394, 2013. University, Taiwan.
[41] M. Meurer, A. Konovaltsev, M. Cuntz, and C. Hättich, “Robust joint
multi-Antenna spoofing detection and attitude estimation using Direction
assisted multiple hypothese RAIM,” in Proceedings of the 25th Meeting
of the Satellite Division of the Institute of Navigation (ION GNSS+
2012), no. May 2016, 2012.
[42] F. Rothmaier, Y.-h. Chen, and S. Lo, “Improvements to Steady State
Spoof Detection with Experimental Validation using a Dual Polarization
Antenna,” in Proceedings of the 2019 International Technical Meeting
of The Institute of Navigation ION GNSS+, Miami, Florida, 2019.
[43] F. Rothmaier, “Optimal Sequential Spoof Detection based on Direction
of Arrival Measurements,” in Proceedings of the 2020 International
Technical Meeting of The Institute of Navigation ION GNSS+, St. Louis,
MO, 2020.
[44] A. Das and W. S. Geisler, “A method to integrate and classify normal
distributions,” 2020.
[45] M. J. Kochenderfer and T. A. Wheeler, Algorithms for Optimization,
1st ed. Cambridge, Massachusetts: The MIT Press, 2018. Sherman Lo is a senior research engineer at the
[46] D. Miralles, A. Bornot, P. Rouquette, N. Levigne, D. M. Akos, Y. H. Stanford GPS Laboratory. He received his Ph.D. in
Chen, S. Lo, and T. Walter, “An Assessment of GPS Spoofing Detection Aeronautics and Astronautics from Stanford Uni-
Via Radio Power and Signal Quality Monitoring for Aviation Safety versity in 2002. He has and continues to work on
Operations,” IEEE Intelligent Transportation Systems Magazine, vol. 12, navigation robustness and safety, often supporting
no. 3, pp. 136–146, 2020. the FAA. He has conducted research on Loran,
[47] S. Lo, Y.-H. Chen, F. Rothmaier, G. Zhang, and C. Lee, “Developing a alternative navigation, SBAS, ARAIM, GNSS for
Dual Polarization Antenna ( DPA ) for High Dynamic Applications,” in railways and automobile. He also works on spoof
Proceedings of the International Technical Meeting (ITM) of the Institute and interference mitigation for navigation. He has
of Navigation (ION) 2020, San Diego, CA, 2020. published over 100 research papers and articles.
[48] J. Blanch, T. Walter, and P. Enge, “Theoretical Results on the Optimal
Detection Statistics for Autonomous Integrity Monitoring,” Navigation,
Journal of the Institute of Navigation, vol. 64, no. 1, pp. 123–137, 2017.
[49] M. Joerger, F. C. Chan, and B. Pervan, “Solution separation versus
residual-based RAIM,” Navigation, Journal of the Institute of Naviga-
tion, vol. 61, no. 4, pp. 273–291, 2014.
[50] J. E. Angus, “RAIM with multiple faults,” Navigation, Journal of the
Institute of Navigation, 2006.
[51] P. Misra and P. Enge, Global Positioning System: Signals, Measure-
ments, and Performance; Revised Second Edition, 2nd ed. Lincoln,
Massachusetts: Ganga-Jamuna Press, 2011.
[52] S. Boyd and L. Vandenberghe, Introduction to Applied Linear Algebra. Todd Walter received his Ph.D. in Applied Physics
New York: Cambridge University Press, 2018. from Stanford University in 1993. He is a Research
[53] S. Russell and P. Norvig, Artificial Intelligence A Modern Approach Professor in the Department of Aeronautics and
Third Edition, 3rd ed. Prentice Hall, 2010. Astronautics at Stanford University. His research
[54] T. E. Humphreys, “Detection strategy for cryptographic gnss anti- focuses on implementing high-integrity air naviga-
spoofing,” IEEE Transactions on Aerospace and Electronic Systems, tion systems. He has received the ION Thurlow and
vol. 49, no. 2, pp. 1073–1090, 2013. Kepler awards. He is also a fellow of the ION and
[55] E. G. Manfredini, D. M. Akos, Y.-H. Chen, S. Lo, T. Walter, and P. Enge, has served as its president.
“Effective GPS Spoofing Detection Utilizing Metrics from Commercial
Receivers,” in Proceedings of the 2018 International Technical Meeting
of The Institute of Navigation, 2018, pp. 672–689.
[56] T. J. Bromwich, An Introduction To The Theory of Infinite Series, 1st ed.
London: Macmillan and Co., 1908.
[57] N. De Bruijn, Asymptotic Methods in Analysis. Courier Corporation,
1981.

Rothmaier 2021

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Rothmaier 2021

Uploaded by

Copyright:

Available Formats

This article has been accepted for publication in a future issue of this journal, but has not been

A Framework for GNSS Spoofing Detection

Equation (9), it describes the goal underlying all of the ensuing

min P (log Λ(y) ≥ γ|H1 )

γ is the detection threshold, Λ is the test’s decision variable

Similar to the first case, the GLRT now represents a χ2 -test of

We can expand the original optimization problem from

for µ, σ and k given by µSS,0 , σSS and kSC in Eq. (26).

= yb Wss yb − xTb GT W Gxb

yb depends on the attack scenario. We consider a spoofer

min ybT Wss yb

relation distortion metrics. The benefit of this combination of

where P0 is the expected power value obtained by calibration

D axis than those of ds2. threshold.

before it gets ”overpowered” by the factorial function in

You might also like