A Network-based GNSS Structural Interference Detection,

Classification and Source Localization

Ali Broumandan, Ali Jafarnia-Jahromi, Saeed Daneshmand, Grard Lachapelle
Position, Location and Navigation (PLAN) Group
http://plan.geomatics.ucalgary.ca
Department of Geomatics Engineering
Schulich School of Engineering
University of Calgary
[email protected]

BIOGRAPHY process. This paper proposes a network-based anti-

Ali Broumandan received his Ph.D. degree in the
Geomatics Engineering from the University of Calgary.
Since November 2013, he is working in the PLAN Group
as a senior research associate where his research focuses
on GNSS interference mitigation utilizing single and
multiple antenna processing. He has been involved in
several industrial research projects focusing on
spatial/temporal GNSS signal processing.
Ali Jafarnia Jahromi received his Ph.D. in Geomatics
Engineering from the University of Calgary in 2013. He
holds B.Sc. and M.Sc. degrees in Telecommunications
Engineering. He is currently working as a Senior
Research Associate/Post-Doctoral Fellow in the PLAN
Group. His research interests include signal processing in
GNSS applications, statistical signal processing and
receiver design.
Saeed Daneshmand holds a Ph.D. degree in Geomatics
Engineering from the University of Calgary. Since May
2013 he has been a senior research associate/post-doctoral
fellow in the PLAN Group. His research interests are in
the area of software receivers and signal processing for
GNSS.
Grard Lachapelle, Professor Emeritus, has been
involved in a multitude of GNSS R&D projects since
1980, ranging from RTK positioning to indoor location
and signal processing enhancements, first in industry and
since 1988, at the University of Calgary
ABSTRACT
GNSS receivers are highly susceptible to structural
interference sources such as spoofing and meaconing.
Recent spoofing detection and mitigation methods are
mainly designed to detect and neutralize a spoofing attack
based on a stand-alone GNSS receiver processing.
However, in many applications a communication link
might exist among different receivers operating in the
vicinity of each other that can help the countermeasure
spoofing receiver architecture that uses spatially
distributed receivers (operating within a radius of few
kms) connected to a Central Authenticity Verification
(CAV) unit. The essence of this method is that the CAV
unit receives simultaneous measurements from adjacent
receivers and detects a spoofing attack, classifies
authentic and spoofing signals based on the measurements
received and then localizes the spoofer source. Practical
consideration and limitation factors have been discussed.
Some experimental results are provided to demonstrate
the applicability of the proposed method.
INTRODUCTION
A spoofing attack utilizing a set of synthesized GNSS
signals is an effective way to provide fake position
estimates to a target receiver (Humphreys et al 2008).
Work on anti-spoofing methods has mainly focused on
specific features of spoofing signals that can separate
them from the authentic ones. In many practical spoofing
attacks, a spoofer generates multiple fake GNSS signals
that provide a consistent navigation solution. Spoofing
signals are usually transmitted from a single antenna,
therefore they all experience the same distortion (e.g.
attenuation, and multipath) due to the propagation channel
and thus are spatially correlated. This feature is used in
some research work to discriminate spoofing from the
spatially distributed authentic signals. McDowell (2007)
and Montgomery et al (2009) have taken advantage of
multiple GNSS antennas to detect spoofing PRNs based
on monitoring the phase difference between different
antenna elements. Nielsen et al (2011) have used the
pairwise correlation between different PRNs received by
a moving receiver as a mean of detecting the spoofing
signals being transmitted from a common direction.
Jafarnia et al (2013) have proposed a method based on
monitoring the clock bias variations of a moving GNSS
receiver in order to discriminate between the authentic
and spoofed position solutions. Psiaki et al (2013) have
taken advantage of rapid oscillations of a receiver antenna
to discriminate spoofing signals based on their phase
variations; they have extended their spoofing detection

ION GNSS + 2015 Conference, Session F2, Tampa, FL, Sept 14-18 2015 1/12
technique to the case of two closely spaced antenna
elements in Psiaki et al (2014). Spatial null-steering using
antenna arrays is another countermeasure method against
spoofing signals and it can effectively discard spoofing
and other types of interference (Daneshmand et al 2011,
2012).
Although the aforementioned methods can effectively
counter specific spoofing scenarios, limited work has
been reported toward proposing an anti-spoofing receiver
structure that detects spoofing attacks, neutralizes them
and provides a reliable position and navigation solution.
Broumandan et al (2014) have proposed a robust anti-
spoofing receiver architecture for moving GNSS
receivers. The proposed architecture enables a stand-alone
receiver to detect a spoofing attack, discriminate and
classify the spoofing PRNs from the authentic ones and
eventually remove the spoofing signals from the digitized
samples. Jafarnia et al (2015) has proposed a method
using two spatially separated commercial receivers to
classify the spoofing and authentic signals. It has been
shown that spoofing/authentic signal classification is a
function of the antenna separation (baseline) length and
ordination.
Work on spoofing detection and mitigation methods is
mainly designed to cancel out a spoofing attack based on
a stand-alone GNSS receiver. However, in many
applications there may be a communication link between
different receivers operating in the vicinity of each other,
or a GNSS receiver may communicate with one or several
receiver base stations. This is similar to the network RTK
system architecture or Internet of things concept. The idea
of alleviation of spoofing attacks based on processing
several GNSS receiver observations has discussed in
some recent research work; Swaszek and Hartnett (2014)
have proposed a spoofing detection method utilizing
commercial off the shelf GNSS receivers, by comparing
the position solutions from multiple receivers located on
the same platform. The spoofing detection metric works
based on the fact that the existence of a spoofer would
make the statistical relationship of the observed positions
different than it is during normal, non-spoofed operation.
Heng et al (2014) introduces a signal authentication
architecture based on a network of cooperative GNSS
receivers. A receiver in the network correlates its received
military code with those received by other receivers so as
to detect spoofing attacks. Scott (2010) has proposed a
jammer source localization based on crowdsourcing
approaches using a multitude of opportunistic cell phone
based Automatic Gain Control (AGC) gain observations.
This paper proposes a network-based anti-spoofing
receiver architecture that uses spatially distributed
receivers connected to a Central Authenticity Verification
(CAV) unit. This might be the case of driverless car
navigation systems where each car transmits navigation
measurements to the CAV unit; or a network of
distributed high precision receivers communicating with
ION GNSS + 2015 Conference, Session F2, Tampa, FL, Sept 14-18 2015
one or several base stations. The essence of this method is
that CAV receives simultaneous measurements from
nearby receivers and detects a spoofing attack, classifies
authentic and spoofing signals and localizes the spoofer
source. After spoofing detection, the proposed anti-
spoofing architecture commences to classify the spoofing
and authentic signals. It should be noted that in contrary
to the jammer case, the spoofing signal power is more or
less in the same range as that of the authentic signals. This
is justified as the spoofer can be easily recognized if the
spoofing signal power exceeds a certain threshold.
Therefore, in many cases, spoofing and authentic signals
should be detectable by a target receiver. However, in the
case of high power spoofing signals where the spoofing
signals mask the authentic ones, if a target receiver is
equipped with enough digital-to-analog bit resolution, the
proposed method of Broumandan et al (2014) can be used
to mitigate the high-power spoofing signals and retrieve
the authentic PRNs. Almost all of the proposed
spoofing/authentic signal classification methods rely on
the single-source spoofing assumption. This means that
all of the spoofing PRNs are transmitted from a single
direction. Thus the spoofing signals are highly correlated
in the spatial domain whereas authentic signals arrive
from different angles. Montgomery et al (2009),
McDowell (2007), Broumandan et al (2012) and Jafarnia
et al (2014) have proposed different methods relying on
spatial processing to discriminate authentic and spoofing
signals. Herein, an approach based on the carrier phase
variation proposed by Jafarnia et al (2014) is used to
classify the signals. It can be shown that the double
difference carrier phase observations in the spoofing case
for a short baseline (about a km) are time-invariant,
whereas in the case of authentic signals due to satellites
motion the relative phase difference between antennas
varies with time. This is regardless of user or spoofer
motion. Hence, double difference carrier phase
observations over time is a mean to discriminate between
spoofing and authentic signals. Thus, the CAV unit
monitors the phase difference among different receivers
for different PRNs to detect and classify the
spoofing/authentic signals.
After authentic/spoofing signal classification, CAV
places the measurements in two groups, namely authentic
and spoofing. The genuine location and time of each
receiver can be determined using the measurements in the
authentic group. Hence, the receivers position, time as
well as the receiver clock biases can be extracted. The
position solution of the spoofing signals provides fake
position results that are almost the same for all receivers
affected by the spoofing propagation. This is due to the
fact that all PRNs received by a receiver are sharing the
same propagation channel, hence the distance of a
receiver from the spoofer source does not change the
spoofing position solution. However, the clock bias
estimate extracted from the spoofing signals is a function
of the receiver-spoofer Euclidean distance and is used to
2/12
localize the spoofer source. In the following, different
components of the proposed authenticity verification and
spoofer localization unit is provided.
SPOOFING DETECTION
The spoofing detection procedure can be performed at
the receiver level where a stand-alone receiver detects a
spoofing attack, or in the network level where a CAV unit
detects the spoofing occurrence based on observations
from different receivers. Among different receiver-based
spoofing detection techniques, Automatic Gain Control
(AGC) gain level or Analog-to-Digital Converter (ADC)
samples variance monitoring (Akos 2012), and
acquisition level spoofing detection can be named.
Jafarnia et al (2014) introduced a low complexity and
efficient spoofing detection technique based on a
structural power analysis of digitized samples. This
method monitors the total structural signal power content
of the received signals and detects the spoofing attack if
the total signal content exceeds a pre-defined threshold. In
the single-antenna spoofing attack, since the propagation
distances from a spoofer to target receivers are common
among all the PRNs, different spoofed receivers placed at
different locations provide almost the same position and
velocity solutions. This can be a mean to detect a
spoofing attack at the network level. A network-based
spoofing detection method may be implemented based on
monitoring the position and velocity solutions of several
receivers and detect a spoofing attack based on the
correlation among the position and velocity solutions of
different receivers.
Among many receiver-based spoofing detection
methods, three low computational complexity and
effective techniques including ADC samples variance
monitoring, pre-correlation based structural power
analysis and acquisition level detection are implemented
and characterized in the spoofing detection module. The
ADC-based spoofing detection method monitors the
variance of the digitized samples. In a case of an
abnormal variation of the digital samples variance, the
method flags the presence of a possible interference
source. This is a simple and effective way to detect high
power spoofing attacks. The structure of spoofing signals
is very similar to that of authentic GNSS signals. The
presence of additional spoofing PRNs increases the power
content of structural signals in the GNSS frequency band.
This excessive amount of power can be detected prior to
the despreading process using the authenticity verification
method proposed by Jafarnia et al (2014). This method is
specifically useful for the cases when AGC gain
information is not available. The acquisition level
spoofing detection method searches all possible code
phases and carrier Doppler frequencies and detects all the
signals which are above the acquisition threshold.
Occurrence of two or more detectable signals associated
with a single PRN may indicate that the receiver is under
ION GNSS + 2015 Conference, Session F2, Tampa, FL, Sept 14-18 2015
a spoofing attack in which case the spoofing detection
method sets a spoofing flag. In the proposed architecture
after detecting a spoofing attack the receiver reports it to
the CAV unit. It is also possible that CAV detects a
spoofing attack based on analyzing the received
measurements from different receivers. In the case of a
spoofing attack, the CAV unit notifies other receivers
operating in the affected area. Spoofing detection
reliability can be increased by incorporating several
reports from different receivers. After detecting all visible
signals (both spoofing and authentic) which are above the
acquisition threshold, all the detected authentic and
spoofing signals are tracked and the measurements are
sent to the CAV unit.
SPOOFING/AUTHENTIC CLASSIFICATION
After spoofing detection and reception of all
measurements (including the authentic and spoofing
signals) from spatially distributed receivers, the CAV unit
classifies authentic and spoofing PRNs. This part of the
research focuses on measurement classification for
multiple carrier phase GNSS receivers operating in a
limited region. Here it is assumed that the spoofer
transmits all the PRNs from a single source. Hence, all of
the transmitted signals have the same spatial signature.
The carrier phase observation at the ith antenna for the lth
PRN signal can be written as (Misra & Enge 2006)
il k li k c tl k T i k
(1)
Nli I li k Trli k wi k
l
where il[k] is the actual range between the lth satellite and
ith receiver antenna. tl(k) and Ti(k) are the clock errors
corresponding to the lth satellite and ith receiver. Iil[k] and
Tril[k] are ionospheric and tropospheric delays. w[k] is the
noise term including range errors, receiver noise and
multipath. c and are the light velocity in vacuum and the
carrier wavelength of GNSS signal. Nil is an integer
number which corresponds to cycle ambiguity of the lth
PRN at ith antenna. k represents the measurement index.
Assuming a short antenna baseline (about one km) and
based on Equation 1, the carrier phase difference of ith and
jth receivers can be written as
il , j il lj li, j c T i, j Nli, j wi, j (2)
l
where Ti,j gives the temporal variations of the relative
clock bias between the two receivers. Nli,j is the
difference between integer carrier cycle ambiguities of
two receivers and this value is assumed to be constant
within the observation interval. The effects of ionospheric
and tropospheric delays have been neglected due to short
baseline assumption. li,j can be written as
3/12
 mi , j t d aTi , j c m t
cos m t sin m t
c m cos m t cos m t . T x m,l
sin m t
ai,j represents the pointing vector from the i to the j
receiver in the ENU coordinate system, and cm is the
pointing vector towards the source of the mth PRN signal.
m(t) and m(t) refer to the elevation and azimuth angles
of the mth PRN source. d is the spacing between these two
receivers. The double difference of the carrier phase
measurements can be written as
im, ,jl im, j li , j mi , ,jl Nmi , ,jl wi , j
It is assumed that spoofing PRNs are all transmitted from
a single terrestrial antenna and therefore they all have the
same azimuth and elevation angles with respect to the
antenna baseline. As such, for the case that m and l are
both spoofing signals, it can be written that
mi , ,jl k mi , j k li , j k 0 (5)
Therefore, Equation 4 in the spoofing scenarios becomes
time invariant and this does not depend on the receiver
dynamics or relative clock drifts of receivers. However,
for the case of authentic signals, Equation 5 does not hold
since these signals are transmitted from different angles
and their angles of arrival vary independently from each
other. Therefore, spoofed PRNs can be distinguished from
authentic ones based on the double difference of the
carrier phase measurements of two or more spatially
separated antennas. The carrier phase double differences
of spoofed PRNs have a zero-slope temporal variation
whereas for the case of authentic signals a non-zero slope
is visible in the carrier phase double differences. This fact
is the basis for authentic and spoofing PRN classification.
The proposed classification method is an extension of that
proposed by Jafarnia et al (2015). Considering carrier
phase observations of two receivers, the authenticity
verification problem can be written as the following
hypotheses:
H0 : xm,l n im, ,jl nTs Bm,l wm,l n
H1 : xm,l n im, ,jl nTs Am,l n Bm,l wm,l n
where H 0 and H1 correspond to the absence and
presence of authentic signals respectively. Ts is
observation interval and n represents the sample index.
Am,l and Bm,l represent the slope and bias of
im, ,jl nTs . w n is the discrete noise component.
Herein, Am,l and Bm,l are the unknown parameters of the
ION GNSS + 2015 Conference, Session F2, Tampa, FL, Sept 14-18 2015
linear model where Bm,l is considered as a nuisance
parameter. A Generalized Likelihood Ratio Test (GLRT)
(3) detector selects H1 if (Kay 1998)
A A
1
A HT H 1 AT
T
b b (7)
th th
m ,l
m ,l
2
where m,l HT H HT xm,l is the maximum likelihood
1
estimate (MLE) of m ,l under H1 and is the detection
threshold. 2 is the variance of the noise process vector
which is assumed to be constant during the observation
interval. The asymptotic detection performance of this
m ,l (4) detector can be written as
q
PD Q 2 Q21 PFA
q
(8)
which is an approximation where PD is the probability of
detection and PFA is the probability of false alarm.
Q 2 is the tail probability of the non-central chi-
q
squared distribution with non-centrality parameter of
and q degrees of freedom. Q21 represents the inverse
q
of the tail probability of a central chi-squared distribution
with q degrees of freedom. Herein, q=1 which is equal to
the number of rows in the matrix A. In this process, in
case that T xm,l exceeds the detection threshold at least
one of the mth or lth PRN signals can be considered as
authentic. If the test statistic does not exceed the detection
threshold within the observation interval, both PRNs
could be considered as potential spoofing signals.
Considering observations of several receivers are
available, the spoofing and authentic classification
procedure can be modified to enhance the detection
procedure. Considering M carrier phase measurements
from M spatially separated receivers, there will be
K M ! (M 2)!2! double difference observations and
test statistics to perform classification. This K
observations can be combined in different ways to make
the final decision. For instance one can weigh the
(6) individual double difference measurements based on the
length of the baseline between the two antennas.
Considering a weighting vector W [w1 , w2 ,..., wK ] , the
final test statistics to be compared with a defined
threshold can be shown as
1 K
T xm,l wk Tk xm,l (9)
K k 1
4/12
 Authentic
SV.3
Authentic
SV.2 Authentic
SV.4
Authentic
SV.1

Central
Authenticity
Verification RX5
RX4
su5
Communication
P5
Link P4 su4

Ps
su3 Spoofer

su2 su1
RX3

P3

P2 RX2
P1 RX1

FIGURE 1- BLOCK DIAGRAM OF THE PROPOSED SYSTEM

In this paper, an equal gain combiner with W [1,1,...,1] ith receiver, a simplified model can be written as (Jafarnia
is used to provide a final decision. et al 2013)

SPOOFING SOURCE LOCALIZATION

One of the main differences between the spoofing and
other types of wideband interference is that spoofing
signals contain range information that can be utilized to
localize the spoofing source. In the spoofing source
localization, contrary to GNSS where there are several
synchronized transmitters and only one receiver, there is
only one transmitter and several synchronized receivers.
Figure 1 shows a spoofing scenario where the spoofer
affects several receivers. The spoofer is located at P s
which is the desired parameter to be estimated. The ith
GNSS receiver is located at Pi . After authentic/spoofing
signal classification, the CAV unit classifies the received
signals in two groups, namely authentic and spoofing. The
actual location and time of each receiver can be estimated
using the authentic measurements. Hence, the receivers
positions are known with a certain level of accuracy and
they are all synchronized with GPS time. The PVT
solution of the spoofing signals provides a fake position
and velocity results that are almost the same for all
receivers. This is due to the fact that all spoofed PRNs
received by any of those receivers share the same
propagation channel, hence the distance of a receiver from
the spoofer source does not significantly change the PVT
solutions. However, the clock bias of the spoofing
measurements is a function of the receiver-spoofer
Euclidean distance and can be used to localize the spoofer
source. For the case of the lth spoofed pseudorange at the
(10)
where l is the fake range between the spoofer generated
counterfeit position and the lth GNSS satellite, dt is the l
timing error corresponding to the lth counterfeit satellite,
dTui is the user clock error and su
i
is the physical range
between the spoofer transmit and the ith receiver antennas.
dTs shows a deliberate time advance that might be added
to the spoofers transmit signal in order to compensate for
the propagation delay between the spoofer antenna and
the target receivers antenna plus the spoofer clock bias.
This term should be either constant or follow a predefined
clock state model in order to be consistent with expected
features of GNSS receiver clock variations. c is the speed
of light in vacuum and li represents the other error
sources such as ambient noise and multipath.
Ci c dTui sui c. dTs defined in Equation 10 is
common among all PRNs received by the ith receiver,
hence it will be resolved in the clock bias of the PVT
solution of the spoofing signals at the ith receiver. It is
observed that clock bias measurements of the spoofed
PVT solutions contain the range information from the
spoofer to the target receivers. The term dTui represents

ION GNSS + 2015 Conference, Session F2, Tampa, FL, Sept 14-18 2015 5/12
the clock bias of the ith receiver and it can be observed
from the authentic position solution corresponding to this
receiver. Therefore, having access to the clock bias
measurements from the spoofing group provides the
possibility to observe the geometric range between the
spoofing source and the ith receiver with an uncertainty
term ( dTs ) which is common for all the receivers in the
network. In other words, the difference between clock
bias terms for authentic and spoofed PRNs can provide a
user-spoofer pseudorange measurement. Having this
information along with a good geometry of different
receivers in the network, the position of the spoofing
source can be determined. Figure 2 shows the flow
diagram of the proposed spoofing detection, classification
and source localization. Initially GNSS receivers (Rxn
shown in Figure 2) start operating in the normal mode
which means providing PVT solutions for a specific
application. The receiver-based spoofing detection unit in
a pre-defined interval checks for a spoofing attack.
If the attack is detected, the receiver halts normal
operation and then synchronizes measurements with a
trusted time such as a network time and transmits all the
measurements to the CAV unit.
Synchronization with a trusted time source is required
since the spoofing attack may manipulate the receiver
timing and disrupt the classification procedure. Herein, it
is assumed that the network time is accurate within a few
microseconds, otherwise dTs which can be generally a
time varying term, might not be the same for all receivers
in the network. Upon reception of different measurements
from affected receivers, CAV classifies spoofing and
authentic signals based on several carrier phase
observations. After successful authentication process, the
CAV unit sends the authentic and spoofing classification
results to each receiver. In this case each affected receiver
can detect the spoofing PRNs, mitigate them and start
normal operation. Then, as discussed before, the CAV
unit estimates the location of the spoofer based on the
authentic and spoofing PVT solutions.

Rx2 RxN PRACTICAL CHALLENGES

Rx1
Several factors may affect the performance of the
Acquire and Track all Detectable proposed spoofing source localization. In general, the
Correlation Peaks error sources which disturb the proposed spoofing source
localization can be categorized into two groups. The first
Check the Spoofing Detection Metrics (AGC practical limitations consist of those errors which limit
level, Pre-despreading, Acquisition level ) any satellite based positioning systems such as
atmospheric errors, multipath propagation and visibility of
No
satellites. These error sources affect the position and
Is Spoofing Detected? timing solutions of the PRNs in the authentic group that
will be used to localize the spoofing source. These error
Yes types and their characteristics are extensively discussed in
Switch to network time
the literature (e.g. Kaplan 2006, Misra & Enge 2001). The
send all the measurements second sources of errors are those affecting the
to CAV pseudorange measurements from the spoofer to the
receivers. These error sources are discussed in the
following paragraphs.
Central Authenticity Verification (CAV)

Spoofing Detection Receiver position accuracy

Herein it is assumed that the actual position of each
MSR Classification receiver in a network is not available a priori and should
Authentic Spoofing
be estimated. Hence, the accuracy of the receiver position
MSR MSR will affect the performance of the spoofing source
localization. This has been done via position estimation of
PVT PVT the measurements in the authentic group. The accuracy of
the receiver position depends on the receiver type and
available corrections and may range from few tens of cm
Spoofing source to several metres (e.g. NovAtel 2015).
localization
Multipath
Multipath propagation poses significant challenges to
wireless based navigation systems. It remains a dominant
Figure 2: Flow diagram of the proposed spoofing source of accuracy degradation and is a major issue for
localization method GNSS applications. Multipath propagation can result in
biased GNSS measurements, which can lead to inaccurate
position estimates for both authentic and spoofing

ION GNSS + 2015 Conference, Session F2, Tampa, FL, Sept 14-18 2015 6/12
solutions. Multipath propagation affects the proposed
spoofing localization method in two ways. First, it
degrades the authentic position solution of each receiver.
This issue has been extensively discussed and
characterized in the literature (e.g. Irsigler & Eissfeller
2003, Townsend et al 1995). Secondly, multipath
propagation affects the spoofing source localization
problem through distorting the pseudorange
measurements from the spoofer source to individual
receivers. The multipath error in the first part is a function
of the wireless channel between the authentic satellites
and individual receivers. However, the multipath error in
the second part is a function of the spoofer and each
receiver propagation environment and it is independent of
the first part. It should be noted that the position and
velocity solutions of the spoofed measurements are not
severely affected by multipath propagation. This is due to
the fact that multipath affects all the PRNs almost the
same way and hence the multipath error will be observed
in the spoofed clock bias. Therefore, the multipath
propagation only affects the clock bias estimate, which is
a function of the spoofer to each receiver distance and is
the desired measurement to localize the spoofer source.
Utilizing different multipath reduction techniques such as
Sokhandan et als (2015) can help to reduce the multipath
effect as well. It is important to note that for a terrestrial
spoofing source the wireless channel will follow the
terrestrial channel model which is prone to be more
affected by multipath and fading as compared to the
satellite-receiver propagation channel (Parsons 2000).
Receivers time synchronization
Another important factor affecting the performance of the
spoofer source localization is the synchronization
accuracy among different receivers. Here, it is assumed
that each receiver after the PVT solution is synchronized
with GPS time. The synchronization accuracy is a
function of the receiver hardware and software
components such as oscillator, tracking and navigation
architecture. The timing accuracy of a GNSS receiver
performing clock steering can be as good as 20 ns
assuming continuous tracking (e.g. NovAtel 2015).
Geometry of the receivers
Another important factor affecting the spoofing source
localization is the geometry of the receivers with respect
to the spoofer source. This indeed depends on the
application. The effect of geometry on the accuracy of the
navigation solution is discussed broadly in the literature
(e.g. Kaplan 2006) and hence will not be considered here.
ION GNSS + 2015 Conference, Session F2, Tampa, FL, Sept 14-18 2015
EXPERIMENTAL RESULTS
Testing an anti-spoofing algorithm in a real case is
challenging since outdoor radio transmission in the GNSS
frequency bands is not allowed. Therefore, considerations
to avoid this limitation have to be taken into account. The
experimental measurements are based on the reception of
GPS L1 C/A signals. This section provides experimental
results of spoofing detection, authentic/spoofing
classification and spoofing source localization.
Data collection setup
This section describes the test method used to evaluate the
performance of the proposed method. Real data was
collected in the presence of authentic and spoofing
signals. To this end a three channel front-end was used to
capture IF samples with a 10 MHz sampling rate. Three
NovAtel 702 GG antennas were used to collect authentic
GPS signals. Figure 3 shows the data collection scenario
and the environment where three spatially separated
rooftop antennas were used to collect the authentic signals
which were then combined with spoofing signals. The
accurate locations of the antennas were known. Rodhe &
Schwarz SMBV100A hardware simulator signals were
used as a spoofing source. The signals were fed to a
splitter with different cables (L1, L2 and L3 shown in
Figure 3) connected to the antennas and then combined
with the authentic signals. The main difference between
this collection setup and an actual spoofing attack is that
in the latter case, the signals propagated from the spoofer
to each antenna would be subject to wireless channel
distortions such as multipath, blockage and refraction.
Hence, the channel model in the present case can be
considered as an additive white Gaussian noise (AWGN).
Herein, the distance (range) from the spoofer to each
antenna is equivalent to the cable lengths. Hence, the
pseudorange estimation problem in this case reduces to
cable length estimation.
The combined spoofing and authentic signals after down-
conversion from the L1 centre frequency to an
intermediate frequency were sampled by the front-end.
The digitized samples were then passed to a software
receiver to provide measurements and PVT solutions. In
all tests the hardware simulator generated 8 PRNs. A non-
aligned spoofing scenario was considered in these tests
where the correlation peaks of the spoofing and authentic
signals do not overlap. This assumption is justified since
if a spoofing source causes an aligned spoofing attack for
one receiver, its signals will be non-aligned for other
receivers (this depends on the distance among receivers
and on the GNSS signal structure). Figure 4 shows the sky
plot of available GPS signals during the test. In the
dataset, PRNs 4, 7, 11, 13, 17, 19, 28, and 30 correspond
to the authentic signals and PRNs 1, 12, 16, 23, 25, 29,
31, 32 correspond to the spoofing signals.
7/12
 The lengths of the cables (L1, L2 and L3 in Figure 2) are
designed such that the estimated ranges between the
spoofer and receivers converge to a valid virtual position
solution. As discussed before, it is important for an
effective spoofer to slightly overpower the authentic
L3 Combiner Ch3 signals power level and at the same time not to
significantly affect the input AGC gain of the target
receiver. To this end, two data sets were collected. The
L2 Combiner Ch2 Frontend first data set was intended to adjust the spoofing and
authentic signals power levels to provide a realistic
spoofing scenario and to evaluate the performance of
Combiner Ch1 different spoofing detection metrics. In this data set the
power of the simulator was changed to find the proper
power level for spoofing transmission. In the second data
Hardware L1 set, the performance of the spoofing/authentic
Simulator classification and spoofing source localization was
evaluated. In all the test scenarios the receiver tracked all
the authentic and spoofing signals in PLL assisted DLL
Authentic signals mode where the DLL bandwidth was reduced to 0.1 Hz.

Combiner Ant 2 Ant 1 Spoofing detection

To evaluate the performance of the spoofing detection
techniques and adjust the spoofing and authentic signals
power levels, the spoofing signals power was changed in
a 30 dB range in 1 dB steps every 5 s. Figure 5 shows the
performance of the implemented spoofing detection
To front-end metrics. The top plot is the post processing noise variance
as a function of Spoofer-to-Authentic Power Ratio (SAR)
Spoofing signals
By increasing SAR, the post-despreading noise variances
increase gradually.

10
Noise Floor [dB]

Figure 3: Data collection setup

Detection Threshold
5

0
-20 -15 -10 -5 0 5 10

15
SPA Metric

10

5
-20 -15 -10 -5 0 5 10
# of Detected PRNs

20
18
16
14
12
10
-20 -15 -10 -5 0 5 10
Spoofing to Authentic Average Power Ratio [dB]

Figure 5: Comparison of different spoofing

detection metrics
Figure 4: Sky plot of the available authentic signals
during the test

ION GNSS + 2015 Conference, Session F2, Tampa, FL, Sept 14-18 2015 8/12
 This is due to the fact that the power of the received
spoofing signal is less than that of the authentic ones. 55
PN4
When the spoofing power becomes comparable with that 50 PN5

CN (dB-Hz)
of the authentic signal the noise floor increases rapidly. PN11
The middle plot in Figure 5 is the SPA metric as a 45 PN13
PN17

0
function of the SAR. It is observed that the SPA metric 40 PN19
gradually increases after about 100 s (20 dB gain in SAR) PN28
from the start of the data set. This metric exceeds the 35 PN30
0 50 100 150 200 250 300 350
detection threshold after the SPA exceeds 3 dB, which Time (s)
shows the excessive amount of structural signal power in 55
the received data set. The SPA metric does not use any PN1
knowledge of the AGC gain, therefore this metric is 50 PN12

CN (dB-Hz)
PN16
useful in cases when only digital samples are available. PN23
45
As described before, one can detect a spoofing attack by PN25

0
monitoring the total number of detectable signals and set a 40 PN29
PN31
spoofing flag. The bottom plot of Figure 5 is the total PN32
35
number of acquired signals as a function of the spoofing 0 50 100 150 200 250 300
to authentic signal power. In this experiment the Time (s)

acquisition sensitivity was 38 dB-Hz for a 5 ms coherent
integration time. Here the spoofing detection threshold is
14 detectable peaks, which means that if there are more
than 14 detectable signals the spoofing flag will be set.
This method can detect the spoofing attack much faster
than the earlier methods and when the SAR value exceeds
-8 dB spoofing flag is set. As shown in the lower plot, by
increasing the spoofing power, the total number of
detectable signals is reduced. This is due to the fact that as
the spoofing propagation power increases, it jams the
authentic signals and affects their detectability. As shown
in Figure 5 up and middle plots, spoofing detection
methods detect a spoofing event when the spoofer power
is a bit higher than that of the authentic signals. The noise
floor monitoring method requires a calibration data (clean
data) to set the threshold value. On the contrary, the SPA
and the acquisition based spoofing detection methods do
not need any calibration data and can detect both low
power and high power spoofing scenarios. Thus,
incorporating several spoofing detection techniques in the
spoofing detection block, the spoofing detection reliability
will be increased and a wide range of spoofing signals
power levels can be detected.
Authentic/Spoofing classification
This part describes the practical results of
authentic/spoofing classification based on carrier phase
observations In the second data set, the power level of
spoofing signals is adjusted such that both the authentic
and spoofing signals are detectable after combining.
Hence, the software receiver could track both the
authentic and spoofing signals. Figure 6 shows the C/N0
variations of the authentic and spoofing signals over time
for the first antenna.
Figure 6: C/N0 values of the authentic and spoofing
signals
As mentioned before the carrier phase double difference
observations over a time period has a slope for authentic
PRNs whereas this observations has a zero slope for the
spoofing signals. The test statistics for spoofing
classification was given in Equation 7. In the case of more
than two receivers providing these observations the
proposed method of Jafarnia et al (2014) has been
modified to accommodate all the observations as shown
in Equation 9. Figure 7 and Figure 8 show the carrier
phase single and double differences for different authentic
signals over 150 seconds of observation. Figure 8 also
shows the spoofing signals double difference plots. In
these figures the mean value of single and double
difference measurements are removed in order to provide
an easier comparison. Since both spoofer and authentic
signals were stationary during the observation intervals, a
single difference test can be used to classify spoofing and
authentic signals utilizing a single clock source. As shown
in Figure 7 the single difference magnitude is higher for
single differences between Ant 1 and Ant 3 ( 1,3 ) as
compared to 1,2 and 2,3 cases. This is due to the
fact that the baseline between Ant1 and Ant3 is longer
than the other cases. As discussed before and shown in
Equation 3, a longer baseline facilitates and enhances the
classification performance. Another important observation
from Figure 7 is that the single difference observations for
different pairs, namely Ant1-Ant2, Ant1-Ant3 and Ant2-
Ant3 do not follow the same pattern. For instance, the
single difference of PRNs 7, 13, 30 in the 1,2 case
(shown in Figure 7a) are almost overlaid and have the
same variation during the observation interval. This
makes the double difference test statistics between these
PRNs almost zero mean, which results in false
classification. However, considering the single difference

ION GNSS + 2015 Conference, Session F2, Tampa, FL, Sept 14-18 2015 9/12
curves of PRNs 7, 13, 30 for the 1,3 ,
2,3 configurations shown in Figure 7b and Figure 7c, a) Single Difference An1-Ant 2
0.5
one can observe that the plots corresponding to these

1,2 (cycles)
PRNs are not overlaid and thus their carrier phase double
differences are not zero mean. Hence, incorporating
0
various double difference pairs will significantly reduce
the time and enhance the performance of the
spoofing/authentic classification. Figure 8 shows double -0.5
difference plots for the authentic and spoofing cases. 0 50 100 150
b) Single Difference An1-Ant 3
Curves in green correspond to the authentic signals while 0.5
spoofing double difference observations are shown in PRN-07

1,3 (cycles)
black. The green curves demonstrate a linear temporal PRN-11
variation while the black curves are constant as a function PRN-13
0
of time. This trend is the main feature that is used for the PRN-19
authentic and spoofing PRNs classification. Considering PRN-28
the results of Figure 8 it seems that some of the green PRN-30
lines have very small linear temporal variations. This is -0.5
0 50 100 150
because the single difference of those PRNs, for instance c) Single Difference An2-Ant 3
0.5
PRNs 7, 13, 30 in the Ant1-Ant2 case are highly

2,3 (cycles)
correlated in time. However, utilizing spatial diversity and
considering more double difference pairs in the
0
classification problem, the performance of the proposed
method can be significantly improved. After incorporating
all the pairs in the decision metric the combined test
-0.5
statistics for all pairs enter in the final stage of signal 0 50 Time (s) 100 150
classification. This stage employs graph theory to enhance
the performance of the spoofing/authentic classification Figure 7: Single difference carrier phase
module (Jafarnia et al 2015). Table 1 shows the authentic measurements for different antenna pairs
spoofing classification after 30 s of observation. The false a) Double Difference An1-Ant 2
alarm probability for authenticity verification was set to 1
1,2 (cycles)

PFA=10-6. Signal type in Table 1 shows the actual status of

each PRN in terms of belonging to the authentic (A) or 0
spoofing (S) groups. Classification results show the
i,j

outputs of the classification unit based on considering

different antennas double differences and the combined -1
0 50 100 150
method proposed in Equation 9. Considering 30 s of
observation for the data sets, all the PRNs are successfully b) Double Difference Ant1-Ant3
1
authenticated utilizing the proposed method. Spoofing
(cycles)

Spoofing localization 0.5 Authentic

In this section, the problem of spoofing source 0

1,3
i,j

localization is considered. After authentic/spoofing

-0.5
classification the signals in the authentic group were
tracked utilizing a modified software receiver to estimate -1
0 50 100 150
the actual location of each receiver and synchronize the Time (s)
receivers with GPS time. The position solutions of the c) Double Difference Ant2-Ant3
authentic signals for various receivers in the horizontal 1
2,3 (cycles)

plane are shown in Figure 9. Estimated Ant1 shows the 0.5

horizontal position solutions of the first receiver. The
0
actual position of each receiver is also shown in Figure 9.
i,j

Since the spoofing signals are combined with the -0.5

authentic signals through various cables as shown in
-1
Figure 3 and Figure 4, the pseudorange measurements for 0 50 100 150
the spoofing case results in estimating the cable length Time (s)

from the spoofer to the victim receivers. The cable lengths

Figure 8: Double difference carrier phase
have been chosen so as to result in a valid 2-D virtual
measurements for different antenna pairs
position solution of the spoofing source.

ION GNSS + 2015 Conference, Session F2, Tampa, FL, Sept 14-18 2015 10/12
 Horizontal position of the antennas
10
Table 1: Spoofing authentic classification results
Classification Result in 30 s
Signal
PRN Ant1- Ant1- Ant2- Combined
type
Ant2 Ant3 Ant3
1 S S S S S
5
4 A A A A A
7 A A A A A

North (m)
11 A S A A A Estimated Ant1
12 S S S S S Estimated Ant2
13 A A A A A Estimated Ant3
0
16 S S S S S Actual Ant1
17 A A A A A Actual Ant2
19 A A A A A Actual Ant3
23 S S S S S Estimated Spoofer
25 S S S S S True spoofer
28 A S A S A -5
-15 -10 -5 0 5
29 S S S S S East (m)
30 A A A A A Figure 9: Receivers position solution
31 S S S S S
32 S S A S S

The position estimate rms errors for the three receivers are
tabulated in Table 2.
Table 2: Estimated position rms error
East (m) North (m) Up (m)
Ant1 0.7 0.6 1.5
Ant2 0.5 0.3 2.4
Ant3 0.7 0.6 2 detect the presence of a spoofing attack in matched power
Spoofer 2.6 1.2 - spoofing propagation whereas the AGC level analysis and
The position and velocity solutions of the signals in the
spoofing group result in the same estimates for all the
three receivers. However, the clock bias measurements of
the signals in the spoofing group include the clock bias of
the spoofer plus the cable lengths. Since the clock bias of
the spoofing source is common among all the clock bias
measurements, the single difference between clock bias
measurements cancels the spoofer clock bias
contributions and the remaining term is the cable length
difference between receivers. Herein, since all receivers
are in the same plane, the 2-D spoofer position was
considered. Figure 9 also shows the position solution of
the spoofing source based on the measured cable lengths
and estimated position of each receiver at given time. The
rms error values of the positions of the spoofer source are
tabulated in Table 2. It should be noted that the
pseudorange measurement results for spoofing source
localization in this specific test scenario are not affected
by multipath propagation since signals from the spoofer
source travelled in the cables. In real cases, the multipath
propagated from a terrestrial source could affect the
measurements accuracy and consequently affect the
spoofing source localization performance.
CONCLUSIONS
The network based GNSS anti-spoofing architecture
introduced herein has shown that spoofing signals
generated from a single point source can be effectively
detected using different metrics, namely AGC level,
structural power content and acquisition level analyses.
The acquisition level spoofing detection can effectively
SPA methods are more reliable in overpowered spoofing
propagation. Spoofing and authentic signals classification
was implemented by utilizing a test statistics based on
carrier phase double-differences between two receivers.
The experimental results show that the reliability and
performance of the classification module can be enhanced
by incorporating several double-difference observations
corresponding to the different receivers in the network.
The solution of the spoofing source location problem was
based on measuring the clock bias measurements of
signals in the spoofing group. The experimental results
demonstrated the applicability of the proposed method in
a real-world test scenario.
REFERENCES
Akos, D. M. (2012) Whos Afraid of the Spoofer?
GPS/GNSS Spoofing Detection via Automatic Gain
Control (AGC), in Jounral of Navigation, vol. 59, No. 4,
Winter, Institute of Navigation, pp. 281-290
Broumandan, A., A. Jafarnia and G. Lachapelle
(2014) Spoofing Detection, Classification and
Cancellation (SDCC) Receiver Architecture for a Moving
GNSS Receiver, GPS Solutions, published online 23
September, DOI 10.1007/s10291-014-0407-3, 13 pages.

ION GNSS + 2015 Conference, Session F2, Tampa, FL, Sept 14-18 2015 11/12
 Broumandan, A., A. Jafarnia, V. Dehghanian, J.
Nielsen, and G. Lachapelle (2012) GNSS Spoofing
Detection in Handheld Receivers Based on Signal Spatial
Correlation, in Proceedings of IEEE/ION PLANS 2012,
April 24-26, Myrtle Beach, South Carolina , pp. 479-487
Daneshmand, S., A. Jafarnia, A. Broumandan and G.
Lachapelle (2011) A Low Complexity GNSS Spoofing
Mitigation Technique Using a Double Antenna Array
GPS World magazine, December, vol 22, no 12, pp. 44-
46
Daneshmand, S., A. Jafarnia, A. Broumandan and G.
Lachapelle (2012) A Low-Complexity GPS Anti-
Spoofing Method Using a Multi-Antenna Array in
Proceedings of the 25th International Technical Meeting
of The Satellite Division of the Institute of Navigation
(ION GNSS 2012), 17-21 September, Nashville TN, 11
pages
Heng, L., D. B. Work, G. X. Gao (2014) GPS
Signal Authentication From Cooperative Peers IEEE
TRANSACTIONS ON INTELLIGENT
TRANSPORTATION SYSTEMS,
0.1109/TITS.2014.2372000, 12 pages
Humphreys, T. E., B. M. Ledvina, M. L. Psiaki, B.
W. O'Hanlon, and P. M. Kintner (2008) Assessing the
Spoofing Threat: Development of a Portable GPS Civilian
Spoofer,in Proceedings of ION GNSS 21st. International
Technical Meeting of the Satellite Division, September
16-19, Savannah, GA, pp. 2314-2325
Irsigler, M. and B. Eissfeller (2003) Comparison of
multipath mitigation techniques with consideration of
future signal structures, in Proceedings of the 16th
International Technical Meeting of the Satellite Division
of the Institute of Navigation, 9-12 September, Portland
OR, USA
Jafarnia, A., S. Daneshmand, A. Broumandan, J.
Nielsen and G. Lachapelle (2013) PVT Solution
Authentication Based on Monitoring the Clock State for a
Moving GNSS Receiver in the European Navigation
Conference (ENC2013), April 23-25, Vienna, Austria, 11
pages
Jafarnia, A., A. Broumandan, S. Daneshmand, N.
Sokhandan and G. Lachapelle (2014) A Double Antenna
Approach toward Detection, Classification and Mitigation
of GNSS Structural Interference, Proceedings of
NAVITEC 2014, Noordwijk, Netherlands, 3-5 Dec, 8
pages.
Kaplan, E. D. and C. J. Hegarty (2006),
Understanding GPS Principles and Applications, Artech
House, Boston, London, 2nd edition
ION GNSS + 2015 Conference, Session F2, Tampa, FL, Sept 14-18 2015
Kay, S. M. (1998) Fundamentals of Statistical Signal
Processing: Detection Theory, Prentice-Hall Inc.
McDowell, C.E. (2007) GPS Spoofer and Repeater
Mitigation System using Digital Spatial Nulling US
Patent 7250903 B1, 7 pages
Misra, P., and P. Enge (2006) Global Positioning
System: Signals, Measurments, and Performance, Ganga-
Jamuna Press, 2nd Edition
Montgomery, P.Y., T.E. Humphreys, and B.M.
Ledvina (2009) Receiver-Autonomous Spoofing
Detection: Experimental Results of a Multi-antenna
Receiver Defense Against a Portable Civil GPS Spoofer
in Proceedings of ION ITM 2009, Jan 26-28, Anaheim,
CA, pp. 124-130
Nielsen, J., A. Broumandan, and G. Lachapelle
(2011) GNSS Spoofing Detection for Single Antenna
Handheld Receivers in Journal of Navigation, vol 58, no
4, Winter, pp. 335-344
NovAtel Inc (2015) OEM638 receivers
http://www.novatel.com/assets/Documents/Papers/OEM6
38-PS-D17916.pdf, last accessed May 28, 2015
Psiaki, M. L., S. P. Powell, and B. W. OHanlon
(2013) GNSS Spoofing Detection using High-Frequency
Antenna Motion and Carrier-Phase Data in Proceedings
of the 26th International Technical Meeting of The
Satellite Division of the Institute of Navigation (ION
GNSS+ 2013), 16-20 September, Nashville, TN, pp. 2949
2991.
Psiaki, M.L., B.W. O'Hanlon, S.P. Powell, J.A.
Bhatti, K.D. Wesson, T.E. Humphreys, and A. Schofield
(2014) GNSS Spoofing Detection using Two-Antenna
Differential Carrier Phase, Proc. ION GNSS+ 2014,
Sept. 9-12, Tampa, FL, pp. 2776-2800.
Parsons, J. D. (2000) The Mobile Radio Propagation
Channel, John Wiley & Sons LTD, 2nd ed.
Scott, L. (2010) J911:Fast Jammer Detection and
Location Using Cell-phone Crowd-Sourcing GPS World
November.
Swaszek, P. F. and R. J. Hartnett (2014) A Multiple
COTS Receiver GNSS Spoof Detector Extensions
Proceedings of the 2014 International Technical Meeting
of The Institute of Navigation, January 27-29, 2014, San
Diego, CA.
Townsend, B., D. J. R. van Nee, P. Fenton, and K.
Van Dierendonck (1995) Performance evaluation of the
multipath estimating delay lock loop, Navigation Journal
of the Institute of Navigation, 42(3), 503-514
12/12