Nghiên cứu phương pháp phát hiện và xác định vị trí nguồn can nhiễu lên tín hiệu định vị sử dụng vệ tinh

Nghiên cứu phương pháp phát hiện và xác định vị trí nguồn can nhiễu lên tín hiệu định vị sử dụng vệ tinh.Nghiên cứu phương pháp phát hiện và xác định vị trí nguồn can nhiễu lên tín hiệu định vị sử dụng vệ tinh.Nghiên cứu phương pháp phát hiện và xác định vị trí nguồn can nhiễu lên tín hiệu định vị sử dụng vệ tinh.Nghiên cứu phương pháp phát hiện và xác định vị trí nguồn can nhiễu lên tín hiệu định vị sử dụng vệ tinh.Nghiên cứu phương pháp phát hiện và xác định vị trí nguồn can nhiễu lên tín hiệu định vị sử dụng vệ tinh.Nghiên cứu phương pháp phát hiện và xác định vị trí nguồn can nhiễu lên tín hiệu định vị sử dụng vệ tinh.Nghiên cứu phương pháp phát hiện và xác định vị trí nguồn can nhiễu lên tín hiệu định vị sử dụng vệ tinh.Nghiên cứu phương pháp phát hiện và xác định vị trí nguồn can nhiễu lên tín hiệu định vị sử dụng vệ tinh.

INTRODUCTION

Overview

Global Navigation Satellite Systems (GNSS) play a crucial role in various civil applications requiring accurate and secure positioning services, including vehicle tracking, unmanned aircraft operations, precision agriculture, pay-as-you-drive insurance models, and financial transactions.

Hackers pose significant risks to various services that depend on GNSS civil signals, which are vulnerable to both unintentional and intentional interference The rise of intentional Radio Frequency Interference (RFI), particularly through jamming and spoofing attacks, presents a growing threat A critical concern arises when receivers are unaware of being misled, leading to a failure to alert the hosting system Consequently, this can result in erroneous and potentially dangerous decisions based on manipulated position, velocity, and time (PVT) information, a tactic commonly referred to as ‘spoofing’.

Figure 1.1 Applications of GNSS (source: [64])

In the past ten years, spoofing has emerged as a significant threat, driven by technological advancements and the accessibility of sophisticated software-defined radio (SDR) platforms, which have made the creation of GNSS spoofers both practical and cost-effective.

Furthermore, many public channels are active source of information and awareness, as for example web sites, social platforms and online magazines [39] - [42].

Spoofing attacks can be defeated by exploiting specific features which are difficult to be counterfeited at the signal, measurement, and position level [4], [5], [9],[11]-

In the last decade, various promising techniques for spoofing detection in civil signals have been developed, as detailed in a comprehensive survey Among these methods, spatial processing utilizing Angle of Arrival (AoA) defense stands out as one of the most robust and effective solutions for detecting and potentially mitigating counterfeit signals However, the implementation of AoA-based methods faces challenges in cost-constrained mass-market applications due to the high costs of equipment, processing complexity, and installation size.

The authors in [16] and [17] introduced an innovative method for spoofing detection that utilizes differential carrier phase measurements from two receivers and antennas This approach is advantageous as it does not necessitate specialized hardware or specific geometric constraints, requiring only the baseline knowledge of the relative positions of the receiving antennas While this technique has demonstrated simplicity and effectiveness in identifying spoofing attacks, it does have certain limitations that will be addressed in the subsequent sections.

Spoofed attacks are categorized into three main types: simple, intermediated, and sophisticated spoofing attacks While existing techniques can easily detect simple spoofing attacks, they often struggle to identify intermediated and sophisticated variants Recent studies indicate that these more advanced spoofing attacks are becoming increasingly prevalent.

Therefore, the thesis focuses to study the detection of spoofing in the intermediated and sophisticated cases to ensure the reliability and accuracy of services usingGNSS.

Motivation

Ensuring the safety and reliability of GNSS applications is becoming increasingly urgent, as current detection methods are often impractical and costly, requiring direct interference with system signals or additional equipment While affordable Angle of Arrival (AoA) approaches exist, they fall short in complex attack scenarios This work aims to enhance the effectiveness of low-cost AoA-based methods for detecting intermediate and sophisticated spoofing attacks, where spoofed signals originate from multiple directions.

Most GNSS simulators, such as IFEN, Spirent, SkyDel, and Teleorbit, primarily produce uni-directional signals or necessitate expensive licenses for multi-directional signals Consequently, this thesis aims to develop a method for generating fake signals from various directions to effectively validate complex spoofing detection techniques.

Problem statement

Angle of Arrival (AoA) spoofing detection is recognized as a highly effective method for identifying and reducing false signals Despite its potential, the application of this technology in commercial settings is constrained by factors such as high costs, complex processing requirements, and the size of the receiver.

The authors of references [16] and [17] propose a straightforward spoofing detection method utilizing differential carrier phase measurements from two synchronized receivers and antennas, without the need for specialized hardware or specific geometric configurations This technique, known as the sum of squared (SoS) detector, differs from previous studies by treating the integer ambiguity component of carrier phase measurements as random variables within a set of integer ambiguities These variables are determined using the general likelihood ratio test (GLRT) approach, as highlighted in references [10] and [16].

While this method reduces computational complexity by utilizing carrier phase measurements, it is essential to detect and mitigate potential cycle slips before calculating double difference carrier phase measures Additionally, the SoS approach only addresses scenarios where the entire signal ensemble is either genuine or counterfeit, neglecting situations where the victim's receiver may be locked onto a mix of spoofed and authentic satellites, referred to as 'mixed tracking' in the literature.

This article presents innovative AoA-based spoofing detection methods that overcome the limitations of traditional approaches, particularly the SoS method We aim to validate our techniques in complex spoofing scenarios where signals originate from multiple directions Recognizing the high costs associated with generating multi-directional spoofed signals using specialized equipment, we propose a cost-effective solution by employing a software-based receiver to adjust the signal phase and simulate the angle of arrival.

This article explores techniques for detecting spoofed Global Navigation Satellite System (GNSS) signals The first methodology involves a mixed spoofing signal detection approach utilizing commercial receivers paired with dual antennas, maintaining a fixed distance of approximately two meters to minimize noise during differential calculations The second method employs a Gaussian Mixture Model (GMM) machine learning model to identify spoofing signals originating from multiple directions To effectively counter spoofing from various angles, synchronization of the spoofing signal generators is essential, which requires high-precision and costly clocks Consequently, the strategy involves transmitting a single spoof satellite to deceive the receiver.

This study addresses the challenge of spoofing detection using the Angle of Arrival (AoA) approach To tackle the issue of insufficient datasets for testing spoofing detectors, we introduce a method for simulating unauthentic signals in two common scenarios: pure spoofing and mixed signals from various directions Our research presents significant contributions to the field of spoofing detection.

First, we propose AoA-based methods for spoof detection, in our proposal we utilize D 3 measurement to overcome the limitation of the existing SoS methods.

V.H Nguyen, G Falco, M Nicola, and E Falletti (2018) “A dual antenna GNSS spoofing detector based on the dispersion of double difference measurements”, in Proc Int 9th ESA Workshop on Satellite Navigation

Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), Noordwijk, Netherlands, Dec 2018, 5-7, DOI: 10.1109/NAVITEC.2018.8642705.

Van Hien Nguyen, Gianluca Falco, Emanuela Falletti, Mario Nicola, The Vinh

La (2021), “A Linear Regression Model of the Phase Double Differences to

Improve the D 3 Spoofing Detection Algorithm” European Navigation

E Falletti, G Falco, Van Hien Nguyen, M Nicola (2021) “Performance

Analysis of the Dispersion of Double Differences Algorithm to Detect GNSS Spoofing” IEEE Transactions on Aerospace and Electronic Systems Early

Access Print ISSN: 0018-9251 Online ISSN: 1557-9603 DOI: 10.1109/TAES.2021.3061822.

This thesis presents an innovative method for classifying genuine and counterfeit GNSS signals by utilizing Gaussian Mixture Models (GMMs) It enhances detection accuracy without requiring parameter tuning, thanks to an automated learning process based on the Expectation Maximization algorithm This approach significantly boosts the algorithm's effectiveness in identifying spoofed signals, even in complex scenarios.

Nguyen Van Hien, Nguyen Dinh Thuan, Hoang Van Hiep, La The Vinh (2020)

“A Gaussian Mixture Model Based GNSS Spoofing Detector using DoubleDifference of Carrier Phase” Journal of Science and Technology of Technical

Third, we develop a method to simulate signals coming from different directions which are used to validate the detection algorithm in multi-direction attack scenarios.

Nguyễn Văn Hiên, Cao Văn Toàn, Nguyễn Đình Thuận, Hoàng Văn Hiệp (2020),

"Phương pháp sinh dữ liệu mô phỏng GNSS đa hướng sử dụng công nghệ vô tuyến điều khiển bằng phần mềm" 178-185, số Đặc san Viện Điện tử, 9 - 2020,

Tạp chí Nghiên cứu Khoa học Công nghệ quân sự.

The dissertation is composed of five chapters as follows:

Chapter 1 Introduction This chapter briefly introduces the research area The importance of the topic, the definitions and the existing approaches are clearly addressed Then the thesis focuses on the contributions are also presented clear.

Chapter 2 Related Work This chapter first summarizes the importance of services using GNSS Then, a comprehensive survey of the previous algorithms, existing work relating to interference detector are presented The limitations of the previous algorithms are clearly analysed and resolved.

Chapter 3 Intermediated GNSS Spoofing detector based on angle of arrive The development of a dual-antenna GNSS spoofing detection technique based on the dispersion of the double differences of carrier phase measurements created by two GNSS receivers is presented in this chapter.

Chapter 4 Sophisticated GNSS spoofing detector based on angle of arrive The chapter present an algorithm that using an automated learning process, this approach can improve detection accuracy and detect GNSS spoofing in the sophisticated scenario while obviating the need for any parameter tuning procedures (Expectation Maximization algorithm).

Chapter 5 Conclusion and future works A conclusion is given in this chapter.Furthermore, some limitations of the work are presented, along with possible solutions, which may need additional study.

Thesis outline

This chapter explores the vulnerabilities of civil GNSS, emphasizing various spoofing techniques It also provides an overview of advanced methods for detecting GNSS spoofing, assessing their strengths and weaknesses Based on this analysis, we propose our own approach to address the limitations identified in current methodologies.

2.1 Civil GNSS vulnerabilities to intentional interference

GNSS receivers face significant vulnerabilities due to low Signal-In-Space (SIS) signal strength, with GPS L1 C/A code at -158.5 dBW and Galileo E1 at -157 dBW The physical environment further complicates signal transmission from satellites to receivers Even a minor interference, only slightly stronger than the minimum GNSS signal intensity, can lead to a loss of satellite lock Additionally, navigation receivers are susceptible to various strong interfering signals, including jamming, ionospheric and tropospheric effects, as well as other radio frequency emitters.

Figure 2.1 The enviroment for transmitting signals from satellites to receivers

Modern Global Navigation Satellite Systems (GNSS) utilize Code Division Multiple Access (CDMA), while traditional GLONASS signals employ Frequency Division Multiple Access (FDMA) However, recent advancements have seen the introduction of CDMA signals in modernized GLONASS satellites, including the GLONASS-K1 (launched in 2011), GLONASS-M (which began transmitting CDMA signals on the L3 band in 2014), and GLONASS-K2 (launched in 2018 with CDMA signals on L1 and L2 bands) In scenarios with interfering signals, the receiver's dispreading process effectively distributes the power of the interference across a broader bandwidth.

RELATED WORK

Civil GNSS vulnerabilities to intentional interference

GNSS receivers are highly susceptible to interference due to low signal strength, with GPS L1 C/A code at -158.5 dBW and Galileo E1 at -157 dBW The physical environment further complicates signal transmission from satellites to receivers Even a slight increase in signal strength from interference can lead to a loss of satellite lock Additionally, navigation receivers face threats from jamming, ionospheric and tropospheric disturbances, and various RF emitters.

Figure 2.1 The enviroment for transmitting signals from satellites to receivers

Modern GNSS systems utilize Code Division Multiple Access (CDMA), while traditional GLONASS signals relied on Frequency Division Multiple Access (FDMA) However, recent advancements have seen the introduction of CDMA signals in GLONASS satellites, including the GLONASS-K1 (launched in 2011), GLONASS-M (which adopted CDMA signals on the L3-band in 2014), and GLONASS-K2 satellites (launched in 2018 with CDMA signals on L1 and L2 bands) In scenarios with interfering signals, the receiver's dispreading process effectively disperses the power of the interference across a broader bandwidth.

7 show in Figure 2.2 Other radio frequency signals can also cause problems such as DVBT, which is used as an incentive signal, has harmonics in the GNSS bandwidth.

The open structure of GNSS signals makes them susceptible to counterfeit transmissions, posing a risk to unprotected receivers One of the most concerning threats is spoofing, where false GNSS signals are used to mislead a receiver's location or time information without interrupting its normal operations.

Figure 2.2 The low SIS signal power of GNSS (source: [75])

Figure 2.3 GNSS frequency bands (source:[69])

Radio Frequency Interference

With low power signal, GNSS can be attacked by RFI, both unintentional and intentional as shown in Figure 2.4.

Radio frequency systems, including radar, DVTB, VHFs, mobile satellite services, and high-power personal electronics, can unintentionally disrupt GNSS signals Nevertheless, effective radio frequency band management policies implemented by governments help mitigate this interference.

Jamming is a form of intentional Radio Frequency Interference (RFI) where attackers deploy devices that emit strong signals within the GNSS band, leading to potential malfunctions in GNSS receivers Handheld GNSS jammers can disrupt signals within a radius of several tens of meters by utilizing chirp signals to interfere with the operating frequency of GNSS signals Currently, there are no known effective strategies to mitigate the effects of jamming attacks.

Spoofing is a highly dangerous form of intentional interference that involves broadcasting counterfeit GNSS signals This technique misleads the victim's GNSS receiver by providing false position, velocity, and time information, all while allowing the receiver to continue its operations without complete disruption.

11 information produced by the attacked receiver may result in even more serious problems if they are used in other important systems like: financial transaction synchronization, energy transmission, etc.

Figure 2.6 Cheap jammers are widely sold online (source: [96])

GNSS Interference detection techniques

In the [8], [62]-[65], the authors list some GNSS interference detection methods (as shown in Figure 2.7).

Figure 2.7 Techniques for Detecting GNSS Interference

The variation in Automatic Gain Control (AGC) can serve as an indicator of interference, as it responds more to ambient noise than to the power of GNSS satellite signals However, this method has limitations, as it struggles to differentiate between interference, environmental changes, and background noise.

All GNSS receivers utilize the C/N0 parameter, which is crucial for assessing signal quality Interference in GNSS signals can be represented as an increase in noise variance However, this method may prove ineffective if the jammer's effects are obscured or mitigated by an estimation algorithm.

In [65], non-stationary interference is typically concentrated in a small region of the time-frequency (TF) plane The general procedure is to compare the peak magnitude

This method focuses on spoofing detection by analyzing the time-frequency distribution of received signals against a predefined threshold However, its high computational complexity poses challenges for implementation on commercial receivers that have limited processing capabilities.

The Chi-square Goodness of Fit test, utilized within a software receiver, effectively analyzes two live spoofing datasets to assess its capability in detecting fake signals across both static and dynamic scenarios Despite its effectiveness, this method faces challenges due to high computational complexity and its reliance on software receivers, limiting its availability for use in existing commercial receivers.

Spoofing detection techniques

Figure 2.8 Three continuum of spoofing threat: simplistic, intermediate, and sophisticated attacks (source:[19])

According to [19], [5], [15], spoofing attacks can be divided into three main categories (see Figure 2.8):

The spoofer's construction features a GNSS signal simulator paired with an RF terminal to replicate genuine GNSS signals, which are not synchronized with real signals As a result, the spoofing signals appear as noise to receivers in monitor mode, even when their broadcast power exceeds that of authentic signals This device can effectively mislead commercial receivers, particularly when the spoofing signal's power surpasses that of the legitimate signal However, various anti-spoofing detection methods can easily identify this signal simulator.

15 splitting techniques such as amplitude tracking, checking consistency between different measurements and checking for consistency with inertial measurement units (IMU).

This advanced spoofing system integrates a GNSS receiver with a spoofed transmitter, first synchronizing with GNSS signals to extract satellite position, time, and calendar data It then generates and emits fake signals toward the target receiver, posing challenges such as accurately referencing spoofed signals with the correct delay and signal strength The spoofing power must exceed that of the authentic signal to effectively deceive the GNSS receiver By achieving carrier phase alignment with genuine signals, this type of spoofer can evade many conventional spoofing detection techniques, allowing it to synchronize with the authentication signal while spoofing the receiver in tracking mode Additionally, the use of a transmitting antenna enables detection of incoming signals through angle of arrival (AoA) estimation.

The most complex and dangerous type of spoofer requires precise knowledge of the receiver's antenna-phase center position to synchronize the spoofing signal with the authentic one This sophisticated device utilizes special antennas that can evade direction-based detection techniques by creating a matching array manifold Its complexity and high operational costs surpass those of simpler spoofers, while physical limitations exist concerning the locations of both the transmitting and receiving antennas Detecting such spoofing attempts is challenging, but integrated inertial measurement systems can identify the fake signals Data encryption serves as an effective defense against these sophisticated attacks.

Figure 2.9 depicts a high-level overview of various antispoofing approaches.

According to [17], the most effective defense is cryptographic defense, but it necessitates that GNSS signals be designed to support cryptographic functions.

Cryptographic defenses for GNSS signals are categorized into two main types: encryption-based and authentication-based approaches Encryption-based methods necessitate the use of fully or partially encrypted signals, while authentication-based defenses rely on specific signal features for validation Signal encryption encompasses both code and navigation message encryptions, enhancing the security of GNSS communications.

GSM/UTMS Any system providing PVT-related information

 AGC gain, noise floor, clock bias, jumps

Figure 2.9 A summary of the various spoofing detection methods available in the literature (source: [17])

Spoofing detection can be achieved by comparing Global Navigation Satellite System (GNSS) Position, Velocity, and Time (PVT) data with alternative location sources such as inertial units, enhanced long-range navigation (eLORAN), Wi-Fi, and cellular-based systems A comprehensive survey of the most effective spoofing detection techniques developed over the past decade for civil signals is detailed in [13], where various methods are evaluated based on their complexity and effectiveness.

Several spoofing detector techniques rely on signal characteristics that are difficult to be faked as shown Table 2.1:

Vestigial signal defense: In [11], to detect spoofing attacks, this technique monitors

19 distortions in the complex correlation domain The ‘vestigial signal defense’ is based on the assumption that original GNSS signals are present also during a spoofing attack

The VSD is a cost-effective, stand-alone software-defined defense system that enhances receiver capabilities without adding size or weight However, it is not suitable for implementation in commercial receivers Additionally, the presence of residual signal components can be verified using an ad-hoc receiver.

Table 2.1 Techniques of GNSS spoofing detector based on signal features

Spoofing Detector based on Signal Features

Angle of Arrival Vestigial signal defense Amplitude correlation AGC gain

AOA defense takes advantage of the fact that genuine GNSS signals come from multiple directions, whereas counterfeit signals come from a single source [17].

Pros: It does not necessitate the use of external infrastructures that provide complementary

PVT information or cryptographic signal features.

This technique can implement in the software receiver or commercial receiver

Cons: this technique cannot detect sophisticated case.

To detect spoofing attacks, this technique monitors distortions in the complex correlation domain [11].

Pros: this technique is a low implementation cost and does not increase receiver size or weight.

Cons: a stand- alone software- defined defence It is constrained by the difficulty of distinguishing spoofing from multipathing.

A spoofing detection method utilizes the correlation of amplitudes from various received signals to differentiate between authentic and spoofing signals This technique involves employing a moving antenna to analyze the spatial signatures of these signals by monitoring the amplitude and Doppler correlation of visible satellite signals.

Pros: it is not affected by spatial multipath fading that the GNSS signals.

Cons: complexity of implementation because of moving receiver

A monitor in the RF front end that employs the automatic gain control (AGC) mechanism [29].

Pros: low computational complexity and is an extremely powerful

Cons: a stand- alone software- defined defence.

It cannot implement in the commercial receiver

In a study, researchers explored the use of a moving antenna to differentiate between the spatial signatures of genuine and spoofed signals by analyzing the amplitude and Doppler correlation of visible satellite signals This method remains unaffected by the spatial multipath fading that typically impacts GNSS signals, showcasing its potential for enhancing signal authenticity detection.

21 complexity of implementation because of moving receiver.

In [9], the authors introduced two spoofing detection methods: the Chi-square Goodness of Fit (GoF) test and a signature test based on paired correlation differences for each satellite tracked by the receiver These algorithms demonstrate effectiveness in identifying spoofing attacks, with the GoF test proving reliable even under dynamic conditions and significant energy disparities between spoofed and authentic signals However, both methods are designed for soft receivers with complex algorithms, making them challenging to implement in commercial receivers.

The article discusses a Radio Frequency (RF) front end monitor that utilizes an automatic gain control (AGC) mechanism to enhance signal reception It highlights that the GNSS simulator broadcasts a signal with a power level exceeding that of the genuine GNSS signal While this technique boasts low computational complexity, it is limited to stand-alone software-defined defense applications and cannot be integrated into commercial receivers Additionally, it may pose challenges in differentiating between interference, environmental variations, and noise.

The angle of arrival (AoA) of GNSS signals refers to the direction from which these signals are received Various techniques for analyzing AoA are evaluated based on their complexity, cost, performance, and resilience to spoofing attacks Most existing methods focus on single-antenna receivers, which are prevalent in practical applications However, while authentic GNSS signals are transmitted from multiple satellites located in different directions, spoofing transmitters typically emit counterfeit signals from a single antenna This disparity allows the AoA defense strategy to effectively differentiate between genuine and fake signals, leveraging the directional nature of authentic GNSS transmissions.

Figure 2.10 Angle of arrival of GNSS satellite

Figure 2.11 Angle of arrival defense Spoofing

Spatial processing utilizing Angle of Arrival (AOA) defense is recognized as one of the most effective methods for detecting and mitigating counterfeit signals This technique encompasses two approaches, as illustrated in Figure 2.11 The first approach involves estimating direction-of-arrival characteristics through a multi-antenna receiver that operates with a common oscillator and is implemented on a software receiver Despite its robustness, the application of this method in cost-sensitive mass-market scenarios faces challenges related to equipment costs, processing complexity, and installation size.

The authors in references [10] and [16] introduced a straightforward spoofing detection method that utilizes differential carrier phase measurements from two receivers and antennas, known as the sum-of-squares (SoS) detector This approach does not require specialized hardware or strict geometric constraints, only necessitating basic synchronization of the receivers and knowledge of the baseline, or the relative positions of the antennas Unlike other methods, the SoS detector treats carrier phase cycle ambiguities as random variables within an arbitrary integer set, eliminating the need for estimation This innovative formulation, based on the generalized likelihood ratio test (GLRT), defines the decision variable as the sum of squared carrier phase single differences, adjusted for a pseudo mean and their integer components.

While the SoS approach effectively detects spoofing attacks, it has notable limitations It only assesses whether the entire signal ensemble is either counterfeit or authentic, neglecting scenarios where a victim's receiver may be locked onto a subset of spoofed satellites while still tracking authentic signals from others This condition, known as 'mixed tracking,' has been observed frequently in laboratory tests, especially at the onset of an attack.

The original SoS detector struggles to identify spoofed signals, prompting modifications to enhance its robustness Spoofed signals exhibit spatial correlation due to their common direction of arrival, resulting in similar magnitudes in differential measurements that persist over time In contrast, true satellite signals yield independent magnitudes, reflecting their lack of spatial correlation This correlation serves as an additional indicator of a common transmitting source, which we leverage to strengthen the SoS detector's ability to detect counterfeit signals Our approach introduces a robust enhancement to the original SoS method, utilizing a test metric based on the dispersion of double difference measurements from paired antennas.

Conclusions

Chapter 2 provides a comprehensive overview of techniques for detecting interference signals in Global Navigation Satellite Systems (GNSS) It highlights the inherent vulnerabilities of GNSS, primarily due to low signal power and challenging transmission environments This susceptibility makes GNSS prone to both intentional and unintentional interference, with spoofing attacks being the most critical threat The chapter thoroughly analyzes existing algorithms for detecting spoofed signals, emphasizing that methods utilizing Angle of Arrival (AoA) are the most effective among these algorithms The focus of this thesis is on techniques for detecting spoofed signals based on AoA.

INTERMEDIATED GNSS SPOOFING DETECTOR BASED ON ANGLE OF ARRIVAL

Fundamental background of GNSS and Spoofing

Global Navigation Satellite Systems (GNSS) utilize a network of synchronized satellites to achieve near-complete coverage of the Earth's surface By employing a spherical positioning system, GNSS receivers calculate the Time of Arrival (TOA) of signals, which is directly related to the distance from the satellites Accurate timestamping of these signals is essential for precise location determination To pinpoint a location, the intersection of signals from at least three satellites is required, forming spheres with the satellites at their centers This thesis primarily focuses on the GPS system, while also encompassing broader satellite navigation signals and algorithms based on GPS technology.

Figure 3.1 Spherical positioning system of GNSS

In GNSS, the time measurement can be done as: receiver only receive the signal in one direction; satellites must be synchronized with high precision (within few ns).

A pulse transmitted by a satellite at time 𝑡 0 is received at time 𝑡 0 + 𝜏 The (3.1) is an approximation of the distance between TX and RX:

Where 𝑐 is the speed of light (≈3.10^8 m/s) The measure of 𝑡 0 + 𝜏 allows for R

In GNSS systems, achieving synchronization between the satellite time scale and the receiver's clocks can be challenging due to cost and complexity constraints As a result, the signals received from satellites often exhibit a bias, stemming from the discrepancies between GNSS time and the receiver's clock time These measurements, referred to as pseudo-ranges, are essential for determining location and typically require data from at least four satellites to ensure accurate positioning.

𝜌 = 𝑐 𝜏 + 𝑐 𝛿𝑡 𝑢 (3.2) Where ρ is pseudo-range, δtu is user clock bias.

The user will calculate four unknowns by measuring four pseudo-ranges as (3.3) with respect to four satellites with known coordinates:

(𝑥 𝑗 , 𝑦 𝑗 , 𝑧 𝑗 ) is satellite position (center of the pseudo-sphere)

𝜌 𝑗 is pseudo-range (radius of the pseudo-sphere), can be

The (3.3) can be solved by using linearization process [72].

The GPS Signal in Space (SIS) received at the antenna can be described as [69], [73]:

𝑃 𝑠,𝑘 is the received signal power of the 𝑘th satellite

𝜏 𝑘 is the propagation delay of the 𝑘th satellite

𝑓 𝑑,𝑘 is the Doppler frequency of the 𝑘th satellite Φ 𝑘 is the initial carrier phase of the 𝑘th satellite

𝐶 𝑘 is the Coarse/Acquisition (C/A) code of the 𝑘th satellite

𝐷 𝑘 is the navigation data bits of the 𝑘th satellite

Figure 3.2 A fundamental GNSS receiver architecture (source: [72])

Figure 3.2 illustrates the fundamental architecture of a GNSS receiver, where the antenna captures signals from GPS satellites These signals are then amplified to the appropriate amplitude, and their frequency is converted to the desired output frequency via the RF front-end chain This RF front-end may be affected by thermal noise, random electrical fluctuations, and electromagnetic interference, whether random or deterministic The output signal is digitized using Automatic Gain Control (AGC), which optimizes gain based on the dynamic range of the Analog-to-Digital Converter (ADC) The key components of the receiver's hardware encompass the antenna, RF chain, and ADC.

The acquisition stage involves finding a satellite's signal, while the tracking stage identifies the phase transition of navigation data This phase transformation allows access to subframes and navigation data, which are essential for acquiring ephemeris data and pseudo-ranges Using the ephemeris data, satellite positions are calculated, enabling the determination of the user's location based on these positions and pseudo-ranges.

In the forward direction, the receiver acquires vital information from the satellites, including the satellite number (Coarse/Acquisition (C/A) code), satellite positions, and the transmission time of the signals (navigation data bits) Using this data, the receiver estimates the distance to each satellite Once signals from at least four satellites are received, the receiver applies the necessary calculations to determine its precise position (𝑥 𝑢 , 𝑦 𝑢 , 𝑧 𝑢 ).

In the opposite direction, to generate spurious signals: user position, based on satellite orbit information, the ephemeris is widely published on websites such as

[74] Then we can simulate the navigation data bits.

RF Front- end ADC/AGC Acquisition stage

User position PVT calculation Tracking stage

Figure 3.3 Principles of GPS simulator

Figure 3.4 Blocks scheme of GPS simulator

To generate spoofing signals, specific parameters are essential, including C/N0 for calculating output signal power, Ephemeris, and Almanac data available on the IGS website Additionally, the user's location is needed to determine the satellite number and pseudo-range, while clock bias and ionospheric and tropospheric parameters must be estimated to closely resemble authentic signals.

Detection of a subset of counterfeit GNSS signals based on the Dispersion

The dual-antenna GNSS spoofing detection technique, illustrated in Figure 3.6, utilizes the dispersion of double differences in carrier phase measurements (D 3) from two GNSS receivers This method operates effectively without the need for receiver synchronization It is founded on the Sum of Squares (SoS) detector, depicted in Figure 3.5, which is recognized as a straightforward and efficient solution for detecting a common angle of arrival.

Filter Multipath of SV1, SV2, … quantizing signal Continuous waves, narrow band, pules …

C/N0Ephemeris Almanac TimeLocation of user Clock bias Noise Ionospheric error

Carrier frequencyPower of signal Data

The detection of spoofed GNSS signals can be indicated by a common angle observed at a pair of antennas However, the SoS algorithm has notable flaws, particularly the assumption that all signals come from a single source, which overlooks the possibility that the receiver may only detect a portion of the counterfeit signals This article proposes a revised approach to SoS detection that focuses on identifying subsets of spoofed signals The effectiveness of this new strategy is validated through multiple simulation experiments, showcasing its performance in both genuine and spoofed signal environments.

Figure 3.5 Block diagram of SoS Detector

Figure 3.6 Block diagram of D 3 Detector

3.2.1 Differential Carrier-Phase Model and SoS Detector

The carrier phase measurements for a stand-alone GNSS receiver can be written, according to [16], [17], as

 𝜙 𝑖 is the carrier phase measurement for the 𝑖th satellite (𝑖 = 1,2, … 𝐼), expressed in meters;

 𝑟 𝑖 is the geometric range between the receiver and the ith

 c is the speed of the light;

 𝛿𝑡 𝑖 is the ith satellite clock error;

 𝛿𝑇 is the receiver clock error;

 𝜀 𝑇,𝑖 is the tropospheric error; satellite;

 𝜀 𝑖 is a noise term accounting for residual un-modeled errors, including thermal noise and multipath.

When two receivers simultaneously observe the same satellites, their output data can be utilized to calculate the single carrier phase differences for each satellite in common view The equation Δ𝜙 = 𝜙 (1) − 𝜙 (2) = (𝑟 (1) − 𝑟 (2)) + Δ𝑁 𝜆 + 𝑐(𝛿𝑇 (2) − 𝛿𝑇 (1)) + Δ𝜀 illustrates this relationship, where superscripts (1) and (2) refer to measurements from the respective receivers In cases of short baselines, the ionospheric and tropospheric errors are effectively canceled out, allowing for a clearer analysis of the range difference between the satellite and the receivers, represented as (𝑟 (1) − 𝑟 (2)).

𝑖 𝑖 𝑖 (3.7) where D is the distance between the two antennas and 𝛼 𝑖 is the angle of arrival (AoA) of the ith satellite signal, as depicted in Figure 3.7 The Double carrier phase

Difference (DD) between the 𝑖-th satellite single difference and the reference satellite single difference, here indicated with the subscript ‘r’, removes the difference clock bias term (𝛿𝑇 (2) − 𝛿𝑇 (1) ) from (3.6):

The detector's construction utilizes double difference measurements, denoted as 𝛥𝛻𝜑 𝑖, which aligns with the approach outlined in [16] -equation (10) and further elaborated in [17] -equation (39).

Figure 3.7 Reference geometry for the dual-antenna system

3.2.2 Sum of Squares Detector Based on Double Differences

In equation (3.8), the expression (cos(𝛼 𝑖 ) − cos(𝛼 𝑟 )) is solely influenced by the angle of arrival (AoA) of the i-th and reference received signals Under typical conditions, GNSS signals are transmitted from various satellites, arriving at the receiver from distinct directions, ensuring that cos(𝛼 𝑖 ) ≠ cos(𝛼 𝑗 ) for all (𝑖, 𝑗) Conversely, when counterfeit signals are transmitted from a single source, the received signals exhibit a shared AoA, resulting in cos(𝛼 𝑖 ) − cos(𝛼 𝑗 ) = 0 for all (𝑖, 𝑗) Consequently, the double differences outlined in (3.8) can be employed to formulate a statistical test based on two hypotheses, as demonstrated in [16]-equation (10) and [17]-equation (39).

In the context of signal authenticity, the hypothesis testing framework involves two scenarios: the null hypothesis \( H_0 \), which suggests the presence of counterfeit signals, and the alternative hypothesis \( H_1 \), indicating that the signals are genuine The condition \( \exists i, j : \cos(\alpha_i) - \cos(\alpha_j) \neq 0 \) is used to differentiate between these hypotheses To effectively assess the validity of the signals at each observation epoch, the Generalized Likelihood Ratio Test (GLRT) method is utilized, as proposed in prior research.

In the context of satellite observation, the SoS detector, denoted as Λ SoS (Δ∇𝜑), processes measurements from I satellites observed by both receivers Each measurement is assigned a weight, represented by 𝜔 𝑖 The use of a round operator effectively eliminates the influence of integer ambiguities, allowing for a focus solely on the fractional component of the double difference (DD) measurements.

𝜇 𝑖 = Δ∇𝜑 𝑖 − 𝑟𝑜𝑢𝑛𝑑(Δ∇𝜑 𝑖 ) (3.11) so that (3.10) can be rewritten as

Under the null hypothesis (𝐻 0), the noise term Δ∇𝜂 𝑖 dominates the behavior of Δ∇𝜑 𝑖 and Λ SoS Conversely, under the alternative hypothesis (𝐻 1), the geometrical term cos(𝛼 𝑖 ) − cos(𝛼 𝑟 ) becomes the primary influence The selection between these hypotheses is determined by comparing the test statistic (3.12) against an appropriate detection threshold As noted in [16], the formulation of the test statistic in equations (3.10)-(3.12) serves as a measure of the dispersion of the DD measurements.

The SoS detector, illustrated in Figures 3.8 and 3.9, demonstrates its effectiveness in distinguishing between counterfeit signals (𝐻 0) and authentic satellite signals (𝐻 1) through the associated fractional DDs (3.11) The SoS metric, Λ SoS, shows a significant difference in values; it is orders of magnitude lower for counterfeit signals compared to authentic ones, highlighting its ability to detect the origin of the signals based on their directional arrival.

Figure 3.8 Fractional DDs and SoS detector results under simulated spoofing attack (H 0 )

Figure 3.9 Fractional DDs and SoS detector results in normal conditions (H 1 )

3.2.3 Some Limitations of the SoS Detector

Under specific operational conditions, the SoS detector may struggle to identify counterfeit signals, as it primarily focuses on scenarios where a victim receiver exclusively tracks counterfeit GNSS signals, completely disregarding authentic signals during the tracking process.

In this case the SoS is a valid and powerful method to detect the presence of a spoofing attack.

In scenarios where a receiver is exposed to both authentic and counterfeit signals, particularly when the power difference between them is minimal, it may not fully lock onto a single ensemble Instead, it can track a mix of authentic signals alongside some counterfeit ones Laboratory tests indicate that this 'mixed tracking' phenomenon is quite prevalent, especially at the onset of an attack For instance, as illustrated in Figure 3.10, a receiver may simultaneously track three counterfeit and five authentic GPS L1 C/A signals, with the reference signal being one of the authentic ones, resulting in only three fractional differential measurements sharing the same geometrical term.

(cos(𝛼 𝑐𝑛𝑡 ) − co s(𝛼 𝑟 )) ≠ 0, where 𝛼 𝑐𝑛𝑡 indicates the common AoA of the counterfeit signals, resulting in a SoS metric (3.12) higher than the detection threshold Therefore, the hypothesis 𝐻 1 is incorrectly chosen.

Figure 3.10 Fractional DD measurements and SoS detection metric in mixed tracking conditions under spoofing attack Only three signals out of nine are counterfeit The reference signal is authentic

One significant limitation of the SoS detector is the occurrence of cycle slips in carrier phase measurements, which result from temporary loss of lock in the receiver's tracking loop due to signal blockage or other disturbances These cycle slips can significantly affect the SoS detector's performance, as illustrated in Figure 3.11 for a single source scenario When a cycle slip occurs, the corresponding fractional differential measurement 𝜇 𝑖 experiences a sudden jump, leading the SoS detector to increase in order to identify a normal condition (𝐻 1).

Figure 3.11 Example of cycle slips effect on the SoS metric in the presence of single source The detector is not able to reveal a spoofing attack when cycle slips occur

3.2.4 Detection Of A Subset Of Counterfeit Signals Based On The

Dispersion Of The Double Differences (D 3 )

To address the limitations of the SoS approach, a strategy is required to identify a subset of counterfeit signals alongside an authentic subset, even in the presence of cycle slips This section presents the implementation of a spoofing detector that utilizes the Dispersion of the Double Differences (D3) method, effectively detecting spoofing in mixed tracking conditions Additionally, this detector is integrated with a Doppler shift monitor to identify cycle slips, enhancing its overall effectiveness.

In the context of mixed tracking, we define the subset of spoofed signals monitored by the receiver as 𝑆 and the subset of authentic signals as 𝐴 By establishing the differential carrier phase measurements relative to the reference satellite 𝑟, we can differentiate between the fractional differential measurements (3.11) linked to the spoofer and those associated with the genuine satellites.

(3.13) where |𝛽| < 0.5 due to (3.11) and 𝛼 𝑐𝑛𝑡 is the AoA common to all the counterfeit signals.

From (3.13) it is evident that all the DDs in 𝑆 are centred around a common geometrical term

𝑀 𝑐𝑛𝑡 = 𝛽(cos(𝛼 𝑐𝑛𝑡 ) − cos(𝛼 𝑟 )), ∀𝑖 ∈ 𝑆 (3.14) while for the DDs in 𝐴

Of course, 𝑀 𝑐𝑛𝑡 = 0 if 𝑟 ∈ 𝑆, i.e the signal taken as reference is transmitted by the spoofing source Thus, we can define a region of similarity Σ 𝑗 , ∀𝑗 ∈ (𝑆 ∪ 𝐴) as Σ 𝑗 = (𝑚 𝑗 − 𝜉 𝑗 , 𝑚 𝑗 + 𝜉 𝑗 ), ∀𝑗 ∈ (𝑆

In equation (3.16), the variable 𝜉 𝑗 accounts for the noise in the double-difference (DD) carrier phase measurement and is influenced by the C/N0 ratio of the received signal Since 𝑚 𝑗 is both unknown and time-variant, it is operationally defined as Σ 𝑜 = (𝜇 𝑗 − 𝜉 𝑗 , 𝜇 𝑗 + 𝜉 𝑗 ) for all 𝑗 within the set (𝑆).

∪ 𝐴) 𝑗 (3.17) which is necessary in the following procedure Then, based on (3.14) and (3.15) and using (3.17), we can state that we detect a spoofing attack when the number of

43 fractional DDs within one of the regions Σ 𝑜 is at least 3 More formally, we set the test hypotheses as

Performance Analysis of the Dispersion of Double Differences Algorithm

Algorithm to Detect Single-Source GNSS Spoofing

3.3.1 Theoretical analysis of performance and decision threshold

The test metric (3.19) represents the squared difference of fractional degree deviations (DDs) between signal pairs (𝑗, 𝑘), which follow a Gaussian distribution as outlined in (3.13) Consequently, the normalized metric Λ 3 (𝑗, 𝑘)/(𝜎 2 + 𝜎the 2 ) can be characterized as a random variable.

𝜒 2 distribution with one degree of freedom, because it is written, in any instant, as the square of the Gaussian random variable (𝜇 𝑗 − 𝜇 𝑘 ) having variance 𝜎 2 + 𝜎 2 :

𝑗 𝑘 Λ𝜎 𝐷 𝑗 3 2 (𝑗, 𝑘)+ 𝜎 𝑘 ~𝜒 2 1 2 (𝜆) (3.22) where 𝜆 is the non-centrality parameter of the distribution, which depends on the mean value of (𝜇 𝑗 − 𝜇 𝑘 ):

It is worth noticing explicitly that 𝜆 can be time-variant, following the variations of

𝜇 𝑗 , 𝜇 𝑘 along the time However, the relationship (3.22) does not change Since the test hypotheses (3.18) are formulated for a single epoch, then the following discussion is

57 independent from the temporal variation of the non-centrality parameter 𝜆.

If we define the pairwise hypotheses as

ℎ 0 (null pairwise hypothesis): the two signals are counterfeit;

ℎ 1 (alternative pairwise hypothesis): at least one of the two signals is genuine; then the 𝜒 2 (𝜆) distribution (3.22) is central under ℎ 0 , i.e.:

Notice that (3.25) expresses the fact that 𝜇 𝑗 , 𝜇 𝑘 cluster around the same mean value, which is not necessarily 0, neither necessarily constant in time On the other hand, the

𝜒 2 (𝜆) distribution (3.22) is non-central under ℎ 1 , i.e.:

The theoretical 𝜒² distribution with one degree of freedom is utilized to represent the ℎ₀ and ℎ₁ hypotheses, as detailed in equation (3.28) In this context, 𝐼ₙ(𝑡) refers to the modified Bessel function of the first kind, characterized by the order 𝜈.

To validate our assumptions through numerical analysis, we simulate three time series of DD measurements based on models (3.5) and (3.8) Two of these series share the same geometrical term, aligning with the null hypothesis \( h_0 \), while the third series features a different geometrical term, corresponding to the alternative hypothesis \( h_1 \) All series maintain the same variance \( \sigma^2 \) We then compute the numerical distribution of the normalized decision metric \( \Lambda_D^3(j,k)/(2\sigma^2) \) and present the results as a normalized histogram of occurrences, which we compare against the theoretical distributions outlined in (3.28).

1 sample and theoretical distributions is shown in Figure 3.22 for the ℎ 1 condition and in Figure

3.23 for the ℎ 0 one, confirming in both cases the correct matching It is worth noticing that in the ℎ 1 hypothesis, the slopes of DD time series generated by authentic signals

The geometrical terms \( m_j \) and \( m_k \) in equation (3.15) exhibit variability over time, leading to differences among the 59 samples (see Figure 3.21) Consequently, the non-centrality parameter of the \( \chi^2 \) distribution becomes time-varying, complicating the estimation of the sample distribution from the time series data To address this issue, it is essential to apply a de-trending process to the DD measurements prior to forming the decision metrics, allowing for accurate estimation of the sample distribution.

𝑓 𝜒 2 (𝑥; 1, 𝜆) function can represent on a two-dimensional plot, as in Figure 3.22.

(2) Hypothesis ℎ 0 : Determination of the pairwise detection threshold and missed detections

This subsection establishes the pairwise detection threshold 𝜉 2, which is derived from a target pairwise probability of missed detection, following a theoretical framework The methodology aligns with the guidelines outlined in reference [35].

Under the ℎ 0 hypothesis, consider two fractional DDs 𝜇 𝑗 , 𝜇 𝑘 ∈ 𝒮 According to (3.19), we can define the pairwise probability of detection 𝑃 𝑑 as:

The corresponding pairwise probability of missed-detection 𝑃 𝑚𝑑 can be stated then as:

By exploiting (3.22) and (3.28), the 𝑃 𝑚𝑑 can be formulated as:

(3.31) where 𝐹 𝜒 2 (⋅) is the Cumulative Distribution Function (CDF) of the 𝜒 2 function and

𝜉 2 is the threshold value Notice that the normalization (3.22) implies:

Figure 3.21 Fractional DD measurements in mixed tracking conditions under spoofing attack Five signals of eight are counterfeit The reference signal is counterfeit, so that M cnt = 0

The expression (3.30) cannot be solved analytically but can be approximated numerically using a quantile function To determine the threshold 𝜉 2 for a specific target pairwise probability 𝑃 𝑚𝑑, one can invert equation (3.30) Figure 3.24 illustrates the values of 𝜉 2 for various pairwise 𝑃 𝑚𝑑 values, displaying the curves of the cumulative distribution function (CDF) 𝐹 𝜒 2 (⋅) in blue dash-dotted lines and the inverted CDF in red continuous lines For example, the black dotted line indicates a target pairwise 𝑃 𝑚𝑑 of 0.01, which corresponds to a detection threshold of 𝜉 2 = 6.26.

Figure 3.22 Normalized distribution under the h 1 condition: comparison between theoretical and sample distribution

Figure 3.23 Normalized distribution under the h 0 condition: comparison between theoretical and sample distribution

The relationship between detection threshold and the probability of missed detection can be validated through numerical simulations We utilize two hours of carrier phase measurement time series obtained from two software receivers analyzing RF simulated signals, based on the assumption of a single transmitting source with a uniform C/N0 ratio Subsequently, the DD measurements 𝜇𝑗 are analyzed to confirm these findings.

𝜇𝑘 ∈ 𝒮 are generated at 1 Hz (with 𝜎 2 = 𝜎 2 = 𝜎 2 ), the test metric (3.19) is computed at each

𝑗 𝑘 epoch, normalized to 2𝜎 2 and it is compared with the threshold 𝜉 2 In this way, a good estimator of 𝑃 𝑚𝑑 is the missed-detection rate 𝑅 𝑚𝑑 , defined as:

Figure 3.24 Relationship between ξ 2 and pairwise P md , under the h 0 condition

(logarithmic scale on the Y axis)

When the detection threshold is set to 𝜉 2 = 6.26, the resulting root mean square deviation (𝑅 𝑚𝑑) is 0.0114, which is close to the desired target of 𝑃 𝑚𝑑 = 0.01 This estimate's confidence is approximately 𝑃 𝑚𝑑 /10 based on the available simulation length Additionally, the spoofing detection test is conducted using the same simulated dataset with various target values.

The comparison between the estimated \( R_{md} \) (3.33) and the target \( P_{md} \) demonstrates a satisfactory correlation, as illustrated in Figure 3.25 This figure presents the target \( P_{md} \) (blue line) plotted against the corresponding threshold \( \xi_2 \), alongside the estimated \( R_{md} \) (red dotted line) Additionally, the confidence intervals for each estimate are represented by black segments It is important to note that for \( P_{md} < 0.005 \), the simulation length is insufficient for a reliable estimate using (3.33).

Figure 3.25 Comparison between the theoretical P md and the computed missed- detection rate R md for various values of detection threshold ξ 2

(3) Hypothesis ℎ 1 : Analysis of the false alarms

Under the ℎ 1 hypothesis, for two measurements 𝜇 𝑗 , 𝜇 𝑘 such that 𝜇 𝑗 or 𝜇 𝑘 ∈ 𝒜 , the

| 2 2 event 𝜇 𝑗 − 𝜇 𝑘 | ≤ 𝜉 𝑗𝑘 is a wrong detection, i.e., a false alarm Then, we define the pairwise probability of false alarms 𝑃 𝑓𝑎 as

𝑃 𝑓𝑎 = Prob (|𝜇 𝑗 − 𝜇2 𝑘 | ≤ 𝜉 𝑗𝑘 2 |ℎ 1 ) (3.34) which is a function of 𝑃 through the threshold 𝜉 2 (3.32) and of (𝑚 − 𝑚 ) 2

𝑚𝑑 𝑗𝑘 𝑗 𝑘 through the non-centrality parameter (3.26) Using the theoretical expression of the cumulative density function related to the distribution function (3.28), the pairwise probability of false alarm (3.24) can be written as

(3.35) whose numerical integration is reported in Figure 3.26 for various possible values of 𝜆| ℎ 1

Notice that the range of feasible values for the non-centrality parameter 𝜆| ℎ 1 can be computed looking at the possible values of the differential geometrical term

|𝑚 𝑗 − 𝑚 𝑘 | and of the standard deviation of the measurement noise variance; such an analysis is reported in Figure 3.27 where it appears that 𝜆| ℎ 1 is small (i.e., say, 𝜆| ℎ 1