Embed Size (px)
Citation preview
NAVITEC2016, ESA/ESTEC, Noordwijk, 14-16 Dec. 2016 Page 1 of 12
Two-Dimensional Signal Quality Monitoring For Spoofing Detection
NAVITEC 2016
14-16 December 2016
ESA/ESTEC, Noordwijk, The Netherlands
Ali Pirsiavash (1)
, Ali Broumandan (1)
and Gérard Lachapelle (1)
(1) PLAN group
Schulich School of Engineering, University of Calgary, 2500 University Dr, NW, Calgary, Canada
Email: {ali.pirsiavash, abrouman, lachapel}@ucalgary.ca
Abstract: Signal quality monitoring (SQM) techniques are investigated to detect spoofing attacks on GNSS signals. Two-
dimensional (2D) time-frequency analyses have been implemented to enhance spoofing detection performance and reliability.
After modeling the SQM test metrics in the two domains, statistical analysis is performed to set up a proper detection
threshold for a reliable false alarm probability. Various test scenarios are then investigated to evaluate the proposed method
performance. Results show the advantage and effectiveness of the proposed method in improving the performance of reliable
spoofing detection under various conditions.
INTRODUCTION
Signal Quality Monitoring (SQM) methods are used to detect distortions and anomalies in GNSS signals by utilizing
additional monitoring correlators to recognize abnormally sharp, flat or asymmetric correlation peaks in the tracking
output. References [1-3] performed SQM in real-time reception of GPS signals to detect distorted PRN code waveforms
(evil wave forms - EWF) resulting from a failure of signal generation procedure at the satellites. By exploiting early and
late correlators, SQM metrics such as “Delta” and “Ratio” metrics were defined and investigated to monitor EWF
distortions on the correlation peak. Reference [4] and [5] exploited the concept of combining early-late correlators to
define symmetric and asymmetric criteria in detecting distortion caused by multipath. Recently, SQM methods are
applied to spoofing detection arguing that spoofing signal cause similar anomalies in receiver tracking loops [2]. By
monitoring the outputs of early, late and prompt correlators, [6] applied ratio test metric to detect spoofing attacks. In
this work, after an analysis on the correlation peak distortions, the ratio metric was defined as early plus late divided by
prompt correlator. This metric was then used to identify flat or abnormally sharp correlation peaks resulting from
spoofing attacks. The methodology was based on alerting the target receiver when the test metric exceeds a pre-defined
threshold. Using the phase and magnitude of early and late correlators, [7] used early late phase (ELP) and magnitude
difference (MD) SQM metrics, besides the Delta and Ratio metrics for spoofing detection. Different metrics
performance were compared to detect spoofing attacks in the presence of other sources of errors such as multipath.
Reference [8] employed the ratio test combined with some extra pairs of correlators located 2 and 4 chips forward and
backward of the prompt correlator. These extra correlators, called extra early and extra late correlators, were used to
distinguish spoofing attacks from other irregular interference by detecting unexpected peaks coming in or out of the
authentic correlation peak. Reference [9] investigated spoofing detection techniques based on amplitude analysis of
early, late and prompt correlators as well as extra early and late ones in a vector based tracking receiver. The
distribution of each correlator output in the code delay domain was continuously monitored and an alarm was sent to
the receiver when the distribution considerably differed from that of the authentic signal. Reference [10] and [11] then
developed the concept of using extra early-late test metrics for SQM-based spoofing detection on a tracking receiver.
Reference [12] investigated the effect of different factors on spoofing detection performance using SQM metrics such
as the number of correlators in multi-correlator mode, SNR, etc. Reference [13] worked on evaluating the effect of
interaction between authentic and spoofing signals on correlator outputs of a typical Galileo receiver. Different code
domain based SQM metrics were used to detect a distorted correlation peak during a spoofing attack.
In the literature, all spoofing detection methods have focused on the code-delay (CD) domain. However, as will be seen
in this paper, monitoring in the Doppler frequency (DF) domain improves spoofing detection performance and
reliability. Moreover, it is possible for a spoofer to interfere with the authentic correlation peak in the code or Doppler
domains. Nevertheless, there has not been promising research on spoofing detection using correlator outputs in the
Doppler domain. Motivated by this concept, this paper investigates two-dimensional (2D) spoofing detection on GNSS
signals by incorporating correlator metrics in both the code delay and Doppler frequency domains. The detection
process for each domain has similar complexity since both use an equal number of correlators in their definitions.
Detection performance depends on the spoofing scenario and how the interfering signal disturbs the symmetry of the
NAVITEC2016, ESA/ESTEC, Noordwijk, 14-16 Dec. 2016 Page 2 of 12
authentic correlation peak. Therefore, to improve the performance of reliable spoofing detection under various
scenarios, a 2D-SQM metric is proposed. Simulation results show improved detection reliability at the expense of
doubling complexity for a given probability of false alarm. Following a discussion of different spoofing scenarios, basic
formulations are provided to model correlation properties in both code and Doppler domain. A code-based early-minus-
late metric is defined; the slow-minus-fast metric is introduced for Doppler domain monitoring. A statistical analysis is
also performed to set up a proper detection threshold for a reliable false alarm probability. Various test scenarios are
then investigated to illustrate the necessity and effectiveness of the proposed method to improve the reliability of
correct detection under various conditions.
SPOOFING SCENARIOS
From a receiver point of view, spoofing attacks can be categorized as overlapped and non-overlapped scenarios. A non-
overlapped spoofing attack is not an effective way to mislead a receiver since it can be easily detected by several
detection metrics at the pre-despreading and post-despreading level. These techniques include variance analysis and
monitoring the number of correlator peaks above a pre-defined threshold. A non-overlapped spoofing signal can be
distinguished and removed using successive spoofing cancelation approach developed for spoofing classification and
mitigation [14]. In an overlapped scenario, the correlation peaks of the spoofer and authentic signals interfere with each
other, resulting in distorted correlation peaks. A clear example of this scenario is a receiver-based spoofing attack where
the spoofer can track satellite signals and mimic them to mislead a target receiver. Such a spoofer can generate a low
power fake correlation peak (for each PRN) with more and less aligned code delay and Doppler frequency with respect
to the authentic peak; the power of the spoofing signal is increase to overcome the GNSS signal and the fake correlation
peak is then dragged to mislead the target receiver [15, 16]. However, when the fake peak comes out of the authentic
one the symmetry of the correlation peak is disturbed. Moreover, due to practical limitations, there are misalignments
between spoofer and receiver in terms of phase, frequency and power resulting in distortions and fluctuations in
overlapped correlation peaks. These fluctuations can be monitored in both code-delay (CD) and Doppler frequency
(DF) domains, which is the main subject discussed herein. In the literature all spoofing detection methods have focused
on code domain. However, as will be shown in this research a spoofer is able to interfere with the authentic correlation
peak in both domains. Therefore, to improve the reliability of spoofing detection in all spoofing cases, a 2D-SQM
approach is investigated herein.
SIGNAL MODEL
The received GNSS signal can be modeled as a combination of digitized signals corresponding to different PRNs as
,(2 ( ) )
1
( ) ( ) ( ) ( )IF d l s l
Lj f f nT
s l l s l l s l fe s
l
r nT C d nT c nT e nT
(1)
where l is the PRN code index, L is the number of satellites, lC is the power of the received signal from the
thl
satellite, ld is the navigation data and
lc is the spreading code used to modulate the navigation data; l , ,d lf and
l
are code delay, Doppler frequency and carrier phase introduced by the communication channel; IFf is the IF frequency
and 1/s sf T is sampling frequency. ( )fe snT is front-end complex zero mean Gaussian noise. For each PRN a
reference tracking correlator multiplies the received signal by a corresponding PRN replica and the samples are
integrated over a coherent integration time period. The output of the thl channel at the
thk coherent integration epoch
(time instant skNT ) is given by [17]
1ˆ ˆ(2 ( ) )
( 1)
1ˆ[ ] ( ) ( ) ( ) IF l s l
kNj f f nT
l l s s l s l
n k N
y k y kNT r nT c nT eN
(2)
where N is the number of samples in the coherent integration process. Using the sum of geometric series, (2) can be
rewritten as [17]
0 02 1 10
0
0
sin( )( ) ( ) ( )
sin( )
sj f k N Ts
s s
s
f NTy kNT CdR e kNT
N f T
(3)
NAVITEC2016, ESA/ESTEC, Noordwijk, 14-16 Dec. 2016 Page 3 of 12
where the index l , which refers to the thl PRN, is omitted for simplicity. For BPSK signaling [17],
0
0
0
0
1 ,
( )
0,
c
c
c
for TTR
for T
(4)
0ˆ,
0ˆ
df f f and 0
ˆ are code, frequency and phase offsets between the received and the replica
signal generated by the reference tracking correlator. cT is the chip duration and
sNT is the coherent integration time
which is also noted byIT . consists of noise and residual cross correlation terms with approximately zero-mean
Gaussian in-phase (I) and quadrature-phase (Q) components. The in-phase component of the tracking correlator output
is
0
0 0 0 0 0 0
0
sin( , ) Re ( ) cos 1
sin
s I I I
s s k f
s
f NTI f y kNT CR f N T CR R f
N f T
(5)
where 0 02 1k sf k NT . I is the in-phase zero-mean Gaussian noise whose variance is approximately
2
0 0 / 2 IN T (see Appendix A). The effect of binary data is neglected for the sake of simplicity. Neglecting the effect
of phase offset, (5) shows that the correlation output in the code domain (where the frequency offset0f is assumed to
be constant) is a symmetric triangular function of code offset 0 whose width is 2
cT . In the DF domain, (where the
code offset 0 is considered constant), the envelope of the correlation output is a symmetric Sinc function of
frequency offset 0f whose main lobe has a 2 / IT bandwidth. These two domains and their corresponding symmetric
properties is used in the discussion in the sequel.
SQM METRICS
Two types of correlators are taken into account to define SQM metrics. First is the reference or tracking correlators
whose corresponding code, Doppler and phase offsets at the thk integration epoch, noted by
0 , 0f and k . These
parameters are a function of the receiver tracking performance. Second is the monitoring correlators whose outputs are
defined based on their code and Doppler distance from the reference tracking correlators. The in-phase output of the thi
monitoring correlator can be defined as
, 0 0,i i
ic b i c
I
bI I c T f
T
(6)
where i cc T and /i Ib T denotes the spacing of the monitoring correlator from the reference prompt (determined by
tracking correlators). Moreover, as a part of monitoring definition, in the case of a non-zero relative frequency offset
between the monitoring and prompt correlators (for example when 0ib is assumed to create the so-called fast or slow
correlators), the phase of each monitoring correlator is aligned with the reference prompt at each integration epoch. This
consideration prevents the relative phase (between prompt and the monitoring correlator) from being accumulated over
time, required for robust monitoring.
SQM Metrics in Code Delay Domain
These algorithms monitor the correlation peak in the code delay domain. Amongst all, a conventional Delta metric is
usually considered in SQM techniques due to its theoretical and practical simplicity [1-4]. The Delta metric is a
symmetric indicator designed to detect asymmetric correlation peaks. This SQM test statistic is defined based on the
difference of either in-phase or absolute value of early minus late correlator outputs which could be normalized by the
prompt correlator or not. In a non-coherent receiver, combination of two I and Q branches (i.e. absolute term) can be
exploited for signal monitoring [8, 18]. However, combining the I and Q correlators by summing their squared values
NAVITEC2016, ESA/ESTEC, Noordwijk, 14-16 Dec. 2016 Page 4 of 12
introduces a squaring loss which makes it noisier and less sensitive [19]. Herein, the I branch is considered and the
performance of the detection system is evaluated over coherent intervals when the receiver is in the PLL state. The in-
phase Delta metric in code delay domain is defined as
,0 ,0 0 0 0 0, ,i i
cd
i c c i c i cm I I I c T f I c T f (7)
Under clean data, when tracking loops are locked and the received signal is tracked in PLL mode, the code, frequency
and phase offsets between received signal and the replica, generated by the reference tracking correlator, can be
approximated around zero (0 0, , 0kf ). Therefore, (7) is rewritten as
,0 ,0,0 ,0i i
cd I I
i i c i c i c i c c cm I c T I c T C R c T R c T (8)
Since .R is symmetric under clean data assumption, (8) reduces to
,0 ,0i i
cd I I
i c cm (9)
which is a zero-mean random variable whose variance is a function of 2
0 ( 2
0 0 / 2 IN T ) and the correlator spacing.
In this work, different correlator spacings are considered for distancesid between symmetric early and late correlators of
0.4, 1.4, 2, 4 chips. 2id and 4 are considered as too early/late correlators to distinguish spoofing signal from other
sources of correlation distortion such as multipath [8-10].
SQM in Doppler Frequency Domain
As discussed before, a spoofing signal can also impose distorting effects on Doppler frequency, which is not effectively
detectable using CD-SQM metrics. In this case, test metrics can be defined and performed on the DF domain to
improve the reliability and probability of spoofing detection. To this end, correlators can be considered with faster and
slower Doppler shifts with respect to the reference prompt correlator. By the same methodology introduced in CD-
SQM, the DF-SQM metric can be defined as the difference of slow-minus-fast correlator outputs as
0 0 0 00, 0,, / , /
i i
df
i i I i Ib bm I I I f b T I f b T
(10)
Under clean data when the received signal is tracked by locked delay and frequency loops (0 0, , 0kf ), one
obtains
0, 0,0, / 0, / / /i i
df I I I I
i i I i I f i I f i I b bm I b T I b T C R b T R b T (11)
Assuming tracking a clean data set, the monitoring slow and fast correlators 0k , .I
fR constitutes a symmetric
function resulting in
0, 0,i i
df I I
i b bm (12)
which is a zero-mean random variable whose variance is a function of 2
0 and the correlator spacing. Exploiting the
absolute terms of correlator outputs instead of the real values is another approach to monitor the quality of the
correlation peak. Table 1 summarizes the test metrics considered here for both domains.
Table 1. CD and DF-SQM Metrics
Code Delay (CD) Domain Doppler Frequency (DF) Domain
1 0.2,0 0.2,0
cdm I I 3 1,0 1,0
cdm I I 1 0, 0.2 0, 0.2
dfm I I 3 0, 1 0, 1
dfm I I
2 0.7,0 0.7,0
cdm I I 4 2,0 2,0
cdm I I 2 0, 0.7 0, 0.7
dfm I I 4 0, 2 0, 2
dfm I I
NAVITEC2016, ESA/ESTEC, Noordwijk, 14-16 Dec. 2016 Page 5 of 12
STATISTICAL ANALYSIS OF SQM METRICS
GNSS spoofing detection can be considered as a general maximizing procedure of likelihood ratio by setting an
appropriate threshold for each PRN [13]. In order to set an appropriate detection threshold statistical behavior of
detection metrics under clean data should be analyzed. According to (5), the first and second order statistics of in-phase
outputs for the thi correlator are defined as follows:
,c bi i
I
i c f ijICR c T R f
(13)
,
2 2
0 0 / 2c bi i
IIN T (14)
The covariance between two in-phase outputs of monitoring correlator thi and
thj is also calculated as
, ,
2 0
0,
sin( )( ) ( ) cos( ( 1) )
2 sin( )c b c bi i j j
ij sI
ij f ij ij ij sI II ij s
f NTNR R f R f N T
T N f T
(15)
where ij and ijf are the delay and Doppler difference between the two in-phase correlators (Proof in Appendix A).
According to (7) and (10), CD and DF-SQM metrics are the differences between two correlated normal random
variables. Therefore, in both domains, the SQM metrics are normally distributed as [20]
,0 ,0 ,0 ,0 ,0 ,0
2 2 2 2 2
0,( , ), 0, 2 2 1 2cd cd cd cd
i i i c c i c c c ci i i i i i
cd
i i cm m m I I m I I I Im N R c T
(16)
With the same methodology the SQM metrics statistics in the DF domain become
0, 0, 0, 0, 0, 0,
2 2 2 2 2
0,( , ), 0, 2 2 1 2cd cd cd df
i i i ib b b b b bi i i i i i
df i
i fm m m I I I I I ImI
bm N R
T
(17)
Having the mean and variance of SQM, the appropriate threshold can be calculated for a given probability of false
alarm. However, the statistical moments are calculated here based on theoretical analysis with simplifying
approximations and assumptions. Therefore, the metric statistics and consequently detection threshold should be
calibrated based on practical observations. By setting the appropriate threshold, the SQM metrics can be exploited to
detect distorted correlation peaks caused by the spoofer. In practical applications, there are other factors that may affect
the variance of SQM metrics. For instance, if the receiver tracking procedure is distorted for any reason (e.g. high
acceleration), it may affect the performance of the SQM metrics and cause false alarms. In addition, when SQM is used
as a spoofing detector, multipath may affect performance. Therefore, in monitoring the quality of GNSS signals, in
addition to the theoretical analysis, the expected values and detection thresholds should be tuned based on the quality of
tracking operation, the purpose of detection and site-dependent factors and environmental conditions.
TEST SCENARIO AND DATA ANALYSIS
The effectiveness of the proposed method was examined by performing SQM tests on different spoofing scenarios. In
order to generate a spoofing signal, authentic data was collected with a LOS antenna, down-converted and sampled
using a National Instrument (NI) sampling front-end. The authentic signals were then acquired and tracked in a software
receiver and the spoofing signals were generated mimicking collected authentic Doppler frequency, code delay,
amplitude of authentic signals and other parameters. The block diagram of data collection and spoofing generation is
shown in Fig. 1. A spoofing attack was generated on the PRN 3 L1 C/A signal. For the first seven seconds, only the
authentic signal was acquired and tracked by the receiver. The coherent integration time was 20 ms. Fig. 2 shows the
probability of false alarms for CD, DF and 2D-SQM metrics. The theoretical variances for the SQM metrics were
extracted based on estimated noise variance using (16) and (17). These parameters were then calibrated by the observed
clean data set (first 7 s). The detection threshold for each case was set to twice that of the clean data standard deviation.
The probability of false alarm was then calculated as the number of epochs by which the metric outputs exceeds the
threshold, divided by their total number in the clean data set. 2D-SQM was also considered as the combination of two
approaches. As seen in Fig. 2, the false alarm probabilities for CD and DF-SQM metrics are close to the theoretical
NAVITEC2016, ESA/ESTEC, Noordwijk, 14-16 Dec. 2016 Page 6 of 12
false alarm probability for a normal distribution, which is about 0.05. The false alarm probability of 2D-SQM is slightly
higher than that of other SQM metrics based on the inclusion-exclusion principle [20]. At t = 7 s, a spoofing signal with
a 3 dB power advantage and almost aligned code delay, Doppler frequency and phase offset was added to the authentic
signal. The spoofing signal deviated from the authentic correlation peak in three different scenarios as discussed below.
Fixed Code Spoofing Scenario
In this scenario, the spoofer deviated from the Doppler domain by changing the relative Doppler frequency linearly
from 0 to 154 Hz over 60 s according to Fig. 3. During the spoofing attack, the relative code delay remained
approximately zero to evaluate the effect of spoofing on DF-SQM metrics. Fig. 4 shows C/N0 and Doppler
measurements values for epochs when the receiver operated in PLL mode. Before the spoofing attack, the receiver was
tracking authentic signals with a C/N0 value of about 48 dB-Hz. When the spoofer interfered with the authentic
correlation peak at 7 s, the receiver lost its carrier tracking lock. The spoofer took control of tracking loops due to its
dominant power and increased C/N0 values by about 3 dB. During the spoofing attack, the C/N0 metric had also some
fluctuations due to interaction of the spoofing and authentic signals. Doppler measurements, shown in Fig. 4b, also
show that the receiver was spoofed where its trend was changed after the spoofing attack from a downward tendency to
an upward one. During the spoofing attack, the symmetry of the correlation peak was disturbed by the spoofer and
resulted in fluctuations in monitoring metrics. Because the deviation occurred in the Doppler domain, more fluctuations
were expected in the DF metrics rather than the CD ones. To test this, the SQM metric outputs were evaluated in both
domains. For better comparison, each metric output was normalized by its standard deviation extracted from the
corresponding clean data set. Fig. 5 shows the SQM metric outputs for the epochs where the receiver was in PLL mode.
During the spoofing attack, the DF-SQM metrics fluctuated while the CD-SQM metrics were not affected. One general
observation is that for DF-SQM metrics with monitoring correlators located on the main lobe of the Sinc function,
wider correlator spacing results in larger SQM variation envelopes. One reason for this is that the correlator with larger
spacing has a steeper slope that is more sensitive to correlation peak distortion (Compare Fig. 5a, 5b and 5c for different
correlator spacings). For the correlators located on the nulls of the Sinc function (Fig. 5c and 5d), the magnitude of the
variation envelopes for CD and DF metrics is almost the same due to the equal correlator slopes.
Fig. 1. Spoofing generation procedure Fig. 2. Probability of False Alarm for SQM metrics
Fig. 3. Relative code delay and Doppler Frequency over spoofing time period – fixed code spoofing scenario
NAVITEC2016, ESA/ESTEC, Noordwijk, 14-16 Dec. 2016 Page 7 of 12
Fig. 4. C/N0 and Doppler measurements for fixed code spoofing scenario
Fig. 5. Comparison between CD and DF-SQM metrics for the fixed code spoofing scenario for various SQM metrics
Fixed Doppler Spoofing Scenario
In this scenario, the spoofer deviated from the code domain by changing the relative delay linearly from 0 to 3.7 chips
during 60 s according to Fig. 6. During the spoofing attack, the relative phase and Doppler values of spoofing and
authentic signals were zero to evaluate the effect of spoofing on CD-SQM metrics. During the spoofing attack, the
receiver remained in PLL mode for almost all epochs. Fig. 7 shows estimated C/N0 values for this scenario. Before the
spoofing attack, the C/N0 values were about 48 dB-Hz. As shown, the maximum C/N0 variation occurred at 7 s from
the beginning of the data set; then, C/N0 value variations and means decreased as the spoofer and authentic signals
separated from each other. In this spoofing scenario as shown in Fig. 8, the CD-SQM metric outputs have deviated from
their nominal values while the DF-SQM metric outputs were not affected significantly. In general, spoofing signals
affect tracking correlators, which in turn affect the SQM metric outputs. In other words, the monitoring correlators are
defined based on their distance from the prompt determined by tracking correlators in the DLL structure, which can be
biased due to the spoofing attack. Therefore, the variation profile of SMQ metrics depends on both monitoring and
tracking correlator spacing.
NAVITEC2016, ESA/ESTEC, Noordwijk, 14-16 Dec. 2016 Page 8 of 12
Fig. 6. Relative code delay and Doppler Frequency over
the spoofing time period, fixed Doppler spoofing
scenario
Fig. 7. C/N0 Metric for fixed Doppler spoofing scenario
Fig. 8. Comparison between CD and DF-SQM metrics for fixed Doppler spoofing scenario
Consistent Spoofing Scenario
In this scenario, the spoofer changed the relative Doppler frequency linearly from 0 to 154 Hz during the spoofing
attack. The relative code Doppler was then generated consistent with the corresponding carrier Doppler using a second
order polynomial according to Fig. 9. Fig. 10 shows C/N0 and Doppler measurements verifying the fact that the receiver
was spoofed. When the spoofer was added to the authentic correlation peak at 7 s, the receiver lost phase lock for about
10 s. At 17 s, the receiver started to operate in PLL mode tracking spoofing signals and the C/N0 values increased by 3
dB (Fig. 10a). During the spoofing attack, the C/N0 metric had also some variations due to the interaction of authentic
and spoofing signals. Doppler measurements also show that the receiver was spoofed where its trend changed after the
spoofing attack. Fig. 11 shows the CD and DF-SQM metric outputs over time. Since the deviation occurred in both
domains, fluctuations are observable in both. Note that all figures only show the epochs where the receiver operated in
PLL mode. Herein, in addition to the location of the monitoring correlators and tracking parameters, the variation
magnitude and profile of the SQM metric outputs were affected by relative spoofer-authentic signals parameters. For
instance, consider the SQM metric 4 with 2 chips spacing between monitoring correlators and prompt on each side of
the CD domain and a 100 Hz Doppler distance on each side of the DF domain. When the relative code delay and
Doppler frequency between spoofer and authentic signal reached the aforementioned spacing values, two correlation
peaks were fairly separated from each other in two domains and consequently the SQM metrics were less affected by
deviating signals (Fig. 11d).
NAVITEC2016, ESA/ESTEC, Noordwijk, 14-16 Dec. 2016 Page 9 of 12
Fig. 9. Relative code delay and Doppler Frequency over spoofing time period – consistent spoofing scenario
Fig. 10. C/N0 and Doppler measurement for consistent spoofing scenario
Fig. 11. Comparison between CD and DF-SQM metrics for consistent spoofing scenario
The probability of threshold excess was considered as a metric to quantify and evaluate the detection performance. To
this end, the number of epochs the metric outputs exceeded a pre-defined threshold was counted and divided by the total
number of epochs during the spoofing interval. For the sake of simplicity, the entire 60 s of spoofing attack (7 s < t < 67
s) was considered as the effective spoofing interval. The probability of false alarm was also calculated during a clean
data set. The receiver operating characteristic (ROC) was plotted in Fig. 12 as the probability of threshold excess versus
the false alarm probability. This figure compares different SQM metric ROC in the CD and DF domain for all three
spoofing scenarios. As expected, for a defined false alarm probability, in the fixed code spoofing scenario and for all
metrics, the DF-SQM exceeded the detection threshold with a higher probability compared to CD-SQM (Fig. 12a). In
the fixed Doppler scenario, CD-SQM resulted in a higher performance compared to the other approach (Fig. 12b) while
in the consistent scenario; both approaches had similar and complementary performance (Fig. 12c). 2D-SQM was also
considered in Fig. 12. Comparing all scenarios, it can be concluded that to improve the reliability of correct detection,
2D-SQM can be used effectively in all cases at the cost of twice the complexity.
NAVITEC2016, ESA/ESTEC, Noordwijk, 14-16 Dec. 2016 Page 10 of 12
Fig. 12. Receiver operating characteristic (ROC) for different SQM metrics and different spoofing scenarios
Note that in Fig. 12, the numbers have been calculated based on a rough assumption of the effective spoofing interval.
Although this figure provides an illustrative comparison of CD and DF-SQM approaches, to compare different metrics,
the probability of detection should be investigated based on Monte Carlo analysis of different definitions of detector
(alternate hypothesis) and effective spoofing intervals. Moreover, the variation profile could be analyzed as a function
of different factors like correlator spacing, receiver tracking parameters and spoofing speed and patterns. These topics
will be investigated in future.
CONCLUSIONS AND FUTURE WORKS
A two-dimensional (2D) signal quality monitoring (SQM) method was developed. The conventional code-delay (CD)
SQM was compared with the proposed DF-SQM performed in the Doppler frequency domain. Both methods have
similar complexity since both use an equal number of correlators in their definitions. Three different spoofing scenarios,
namely fixed code, fixed Doppler and consistent scenarios were considered. The outcomes show that the spoofing
detection performance is different for the CD and DF SQM approaches depending on the spoofing scenario. Therefore,
to improve the performance of reliable correct detection in all cases, a 2D-SQM as the combination of two approaches
can be implemented. Data analysis shows a higher probability of threshold excess for 2D-SQM at the cost of twice the
complexity and a slightly higher false alarm probability. The performance of the proposed 2D-SQM can be further
investigated as a function of correlator spacing, receiver tracking parameters and other parameters. This technique is
also applicable to other sources of correlation distortion such as multipath.
REFERENCES
[1] A. Mitelman, R. E. Phelts, D. Akos, S. Pullen, and P. Enge, “A Real-time Signal Quality Monitor for GPS Augmentation Systems,” In Proceedings of ION GPS 2000, Salt Lake City, UT, 19-22 September 2000, pp. 862-871.
[2] R. E. Phelts, D. M. Akos, and P. Enge, “Robust Signal Quality Monitoring and Detection of Evil Waveforms,” In Proceedings of ION GPS 2000, Salt Lake City, UT, 19-22 September 2000, pp. 1180-1190.
[3] R. E. Phelts, T. Walter, and P. Enge, “Toward Real-time SQM for WAAS: Improved Detection Techniques,” In Proceedings of ION GPS/GNSS 2003, Portland, OR, 9-12 September, 2003, pp. 2739-2749.
[4] M. Irsigler, Multipath Propagation, Mitigation and Monitoring in the Light of Galileo and the Modernized GPS, PhD Thesis, Bundeswehr University Munich, Germany, 2008.
NAVITEC2016, ESA/ESTEC, Noordwijk, 14-16 Dec. 2016 Page 11 of 12
[5] M. Fantino, A. Molino, P. Mulassano, M. Nicola, and M. Rao, “Signal Quality Monitoring: Correlation Mask Based on Ratio Test Metrics for Multipath Detection,” In the Proc. of International Global Navigation Satellite Systems Society, IGNSS Symposium, Surfers Paradise, Australia, December 2009, paper 79.
[6] A. Cavaleri, B. Motella, M. Pini, and M. Fantino, “Detection of Spoofed GPS Signals at Code and Carrier Tracking Level,” In Proceedings of Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing, Noordwijk, Netherlands, 8-10 December 2010, 6 pages.
[7] K. Wesson, D. Shepard, J. Bhatti, and T. Humphreys, “An Evaluation of the Vestigial Signal Defence for Civil GPS Anti-spoofing,” In Proceedings of the ION GNSS 2011, Portland, OR, 21–23 September 2011, 11 pages.
[8] M. Pini, M. Fantino, A. Cavaleri, S. Ugazio, and L. Presti, “Signal Quality Monitoring Applied to Spoofing Detection,” In Proceedings ION GNSS 2011, Portland, OR, 20-23 September 2011, pp. 1888–1896.
[9] A. Jafarnia-Jahromi, T. Lin, A. Broumandan, J. Nielsen, and G. Lachapelle, “Detection and Mitigation of Spoofing Attacks on a Vector-Based Tracking GPS Receiver,” ION ITM 2012, Newport Beach, CA, 30 January - 1 February 2012, pp. 790–800.
[10] M. T. Gamba, B. Motella, and M. Pini, “Statistical Test Applied to Detect Distortions of GNSS Signals” In International Conference on Localization and GNSS (ICL-GNSS), Turin, Italy, 25-27 June 2013, pp. 1-6.
[11] E. G. Manfredini, F. Dovis, and B. Motella, “Validation of a Signal Quality Monitoring Technique over a Set of Spoofed Scenarios” NAVITEC 2014, Noordwijk, The Netherlands, December 2014, pp. 1-7.
[12] Y. Yang, H. Li, and M. Lu, “Performance Assessment of Signal Quality Monitoring Based GNSS Spoofing Detection Techniques,” In China Satellite Navigation Conference (CSNC) 2015 Proceedings, Springer Berlin Heidelberg, 2015. vol. 1, pp. 783-793.
[13] A. Jafarnia-Jahromi, A. Broumandan, S. Daneshmand, G. Lachapelle, and Rigas T. Ioannides, “Galileo Signal Authenticity Verification Using Signal Quality Monitoring Methods,” International Conference on Localization and GNSS (ICL-GNSS), Barcelona, Spain, 28-30 June 2016, 8 pages.
[14] A. Broumandan, A. Jafarnia-Jahromi, S. Daneshmand, and G. Lachapelle, “Overview of Spatial Processing Approaches for GNSS Structural Interference Detection and Mitigation,” In Proceedings of the IEEE104, 2016, no. 6, pp. 1246-1257.
[15] P. Y. Montgomery, T. E. Humphreysand, and B. M. Ledvina, “Receiver-autonomous Spoofing Detection: Experimental Results of a Multi-antenna Receiver Defense against a Portable Civil GPS Spoofer,” In Proceedings of the ION International Technical Meeting, Anaheim, CA, 26-28 January 2009, pp. 124-130.
[16] M. L. Psiaki and T. E. Humphreys, “GNSS spoofing and detection,” In Proceedings of the IEEE, 2016, vol. 104, issue: 6, pp 1258-1270,.
[17] A. Jafarnia-Jahromi, GNSS Signal Authenticity Verification in the Presence of Structural Interference, PhD Thesis, September 2013, Department of Geomatics Engineering, University of Calgary, Calgary, Canada.
[18] J. Huang, L. Lo Presti, B. Motella, and M. Pini, “GNSS Spoofing Detection: Theoretical Analysis and Performance of the Ratio Test Metric in Open Sky,” ICT Express 2, no. 1, pp. 37-40, 2016.
[19] M. A. Fortin, Robustness Techniques For Global Navigation Satellite Systems (GNSS) Receivers, PhD Thesis, , November 2015, École de technologie supérieure (ÉTS), Montreal, Quebec, Canada.
[20] A. Papoulis and S. U. Pillai, Probability, random variables, and stochastic processes, Tata McGraw-Hill Europe, 4
th edition, 2002.
APPENDIX A: COVARIANCE BETWEEN MONITORING CORRELATOR OUTPUTS
The complex noise component of a typical correlator before summation operation (accumulator) can be considered
as a discrete random variable/process ,i ic b as
, , , , ,( ) (0), ( ), ..., (( 1) )i i i i i i i i i i
T
c b s c b c b c b c bnT Ts n Ts η (A.1)
Based on the definition of the monitoring correlator, if the phase of each monitoring correlator is aligned with the
reference prompt correlator at each integration epoch, the noise output after accumulator can be modeled as follows:
, , , , ,
1 1 1 1(0) ( ) ... (( 1) ) , [ , , ..., ]
i i i i i i i i i ic b c b c b c b c bTs n TsN N N N
Aη A (A.2)
Therefore, the covariance between correlator thi and thj can be calculated based on the law of error propagation as
, , , ,
, , , , , ,, ,I Ii i j j i i j j i i j jc b c bj c b c bi i j i i j j
T T TT T T
c b c b c b c b c b c bc E E E
η η
Aη η A A η η A AC A (A.3)
NAVITEC2016, ESA/ESTEC, Noordwijk, 14-16 Dec. 2016 Page 12 of 12
, ,
, ,
, ,
,
, ,
(0) (0) 0 0
0 (1) (1) 0
0 0 ( 1) ( 1)
i i j j
i i j j
c b c bi i j j
i i j j
c b c b
c b c b
c b c b
E
E
E N N
η ηC (A.4)
, ,
1
, ,2,0
1( ) ( )
i i j jc b c bji i j
N
c b c b
n
c E n nN
(A.5)
Since the accumulator is a low pass filter, it passes the low frequency components. The covariance of two correlator
outputs can be rewritten as
, ,
1( )2
, ,2,0
1ˆ ˆ( ) ( ) ( ) ij s
c b c bji i j
Nj f nT
fe s k s k i k s k j
n
c E nT c nT c nT eN
(A.6)
where , ,ˆ ˆ
ij k i k jf f f is the frequency difference correlators thi and
thj . Because
( )
, ,ˆ ˆ( ) ( ) ij sj f nT
k s k i k s k jc nT c nT e
is deterministic, (A.6) can be rewritten as
, ,
1( )2
, ,2,0
1ˆ ˆ( ) ( ) ( ) ij s
c b c bji i j
Nj f nT
fe s k s k i k s k j
n
c E nT c nT c nT eN
(A.7)
2( )fe sE nT is the variance of sampled front-end noise equal to 0 / 2 sN T :
, ,
1( )0
, ,2,0
ˆ ˆ( ) ( )2
ij s
c b c bji i j
Nj f nT
k s k i k s k j
ns
Nc c nT c nT e
T N
(A.8)
Using the sum of geometric series, (A.8) can be calculated as
, ,
( 1)0
,
sin( )( )
2 sin( )
ij s
c b c bji i j
j f N Tij s
ij
I ij s
f NTNc R e
T N f T
(A.9)
where , ,ˆ ˆ
ij k i k j . Note that in (A.9), the in-phase component relates to the covariance of two I (or Q) branches
and the quadrature phase component means the covariance between I and Q branches of correlators thi and
thj as
follows:
, , , ,
0
, ,
sin( )( ) cos( ( 1) )
2 sin( )I I Q Qc b c bj c b c bji i j i i j
ij s
ij ij s
I ij s
f NTNc c R f N T
T N f T
(A.10)
, ,
0
,
sin( )( ) sin( ( 1) )
2 sin( )QI
c b c bji i j
ij s
ij ij s
I ij s
f NTNc R f N T
T N f T
(A.11)
From the above equations, the variance of each in-phase or quadrature phase output (noise) can be calculated by setting
0ii and 0iif :
, ,
2 2 200
2I Qc b c bi i i i
I
N
T (A.12)
