GNSS Spoof Detection Using Passive Ranging

Advances in electronics technology have enabled the creation of malicious RF interference of GNSS signals. For example, jamming completely denies the GNSS user of position, navigation, and time (PNT) information. While a serious concern when we expect PNT at all times, current generation GNSS receivers often warn the user when PNT is unavailable. A second threat to GNSS integrity is spoofing, the creation of counterfeit GNSS signals with the potential to confuse the receiver into providing incorrect PNT information. This type of attack is considered more dangerous than a jamming attack since erroneous PNT is often worse than no solution at all. A variety of approaches have been proposed in the literature to recognize spoofing; they vary widely based upon the assumed capabilities and a priori knowledge of the spoofer. One method is to compare the GNSS result to data from a non-GNSS sensor. At the January 2016 ION ITM these authors developed and analyzed a spoof detection algorithm based upon


INTRODUCTION
Global Navigation Satellite Systems (GNSS) are well known to be accurate providers of position, navigation, and time (PNT) information across the globe; as such, they are commonly used to locate and navigate craft in various transportation modes. Because of high signal availabilities, capable receivers, and well-populated satellite constellations, many GNSS users typically believe that the PNT information provided by their GNSS receiver is perfectly accurate. More sophisticated users look beyond accuracy and are also concerned with the integrity of the PNT information; for example, RAIM algorithms were developed to assure users that the provided information is resistant to several possible satellite failure modes.
Advances in electronics technology have enabled the creation of malicious RF interference of GNSS signals.
Inexpensive jamming devices overpower or distort the GNSS receiver's input so as to completely deny the GNSS user of PNT information. While a serious concern when we expect PNT information at all times, current generation GNSS receivers warn the user when PNT is unavailable; some of the more sophisticated receiver designs can also battle jamming. A second threat to GNSS integrity is spoofing, the creation of counterfeit GNSS signals [1]. This type of attack is considered more dangerous than a jamming attack since an erroneous PNT solution is often worse than no solution at all. This paper discusses a technique to detect the occurrence of spoofing. Previously developed methods can be divided into two categories: those that self check the GNSS signals themselves and those that compare the PNT information to data from other trusted sources:
• GNSS RF only - This could be advanced signal processing of the combined GNSS and spoofed RF signals (e.g., looking for inconsistent or additional correlator peaks, comparing carrier phases, beamforming, etc.; see, for example, [2][3][4][5][6]) or multi-receiver methods that exploit the fact that the spoofing signal from a point source spoofer distorts the multiple receivers' PNT in an identical fashion (e.g., [7]).
• Other data - Typically this is the comparison of the PNT output of the GNSS receiver to secure (i.e., non-spoofed) external measurements such as IMU data [8,9], radar returns [10], or range measurements [11].
In [11] these authors developed and analyzed a spoof detection algorithm based upon range measurements. For example, distance measuring equipment (DME) is a well established system that provides slant ranges to aircraft from fixed ground sites. In [11] we assumed that the data used to test for GNSS spoofing was a set of noisy range measurements from the GNSS equipped vehicle to one or more known locations. We constructed the hypothesis test (spoof versus no spoof) using a composite statistical model, combining the random errors in the GNSS and range measurements. The additional unknowns of this formation were estimated from the GNSS and range data as part of a generalized likelihood approach. We fully characterized the hypothesis test, provided expressions for the probabilities of false alarm and detection for the case of one range, and examined several interesting examples via simulation. It was seen that two or more moderate quality range measurements were quite effective at detecting spoofing (with only one range available, some spoofing events are undetectable).
That paper assumed unbiased range measurements. This current paper expands the class of signals viable for this spoofing detection approach to passive ranging; equivalently, to range measurements which depend upon knowledge of precise time (pseudoranges).
In this class we consider any RF signal that emanates from a known location (we will call them "beacons") and that can be time referenced back to UTC (so-called signals of opportunity [12]). The spoof detection algorithm knows of and removes any time offsets between UTC and transmission times at the beacons. Further, to remove the residual time offset from UTC at the local receiver, we assume that the algorithm has access to the estimate of UTC from the GNSS receiver, removing this bias from the pseudorange as well. Clearly this use of the GNSS receiver's time output has an impact on performance:
• Under no spoofing the error in this GNSS time estimate adds to the inaccuracy of the resulting ranges and limits the resulting false alarm probability.
• When spoofing is present the GNSS time might not only be noisier, but might also be wrong!
The paper is organized as follows: (1) the results from [11] are summarized; (2) computation of the false alarm and detection probabilities for the general case of m > 1 ranges is developed (this was missing from [11]); (3) the extension to passive ranging is developed: performance with a single beacon, the meaconing case, and the general case are all considered. The paper concludes with some final thoughts. The Appendix includes details of material relevant to the review of the work in [11], but not included in that prior paper.

REVIEW OF [11] -ACTIVE RANGING
Consider a two dimensional positioning problem as depicted in Figure 1. The red dot represents a mobile vehicle whose location is of interest; the variables e and n represent its true east and north coordinates, respectively, in some local coordinate frame. We assume that a GNSS measurement of the position is available with a simple circular Gaussian error model $(\hat{e}, \hat{n}) \sim N(\mu_e, \mu_n, \sigma_g^2, \sigma_g^2, 0)$. In our notation hats are used to represent measurements, $\mu_e$ and $\mu_n$ represent the GNSS means (equal to the true location under no spoofing; otherwise equal to whatever the spoofer is trying to create), and $\sigma_g$ is the GNSS error standard deviation.
In the figure the blue dots represent ranging sources, or beacons, at known locations $(e_k, n_k)$, $k = 1, 2, \ldots, m$. The true ranges are For these beacons define the matrix of direction cosines whose rows consist of the unit vectors pointing from the GNSS position to those m ranging sources. The range measurements are assumed to be unbiased, have Gaussian errors with variances $\sigma_k$, and be independent of the GNSS measurement and each other For convenience, define the covariance matrix for the vector of range measurements, r, as diagonal due to the assumption of mutual independence.
It is convenient to define the GNSS-induced ranges as or r for the length m vector of these computations. Finally, let δ r represent the vector of differences between the measured ranges and the GNSS-induced ranges δ r = r − r Assuming a Neyman-Pearson criterion, [11] showed that the generalized likelihood ratio test (GLRT) to detect spoofing is of the form in which the 2-by-m matrix A is and λ is the test threshold (Appendix A of this paper provides some additional development of this result missing from [11]). Effectively, the test is looking for similarity in two vectors of ranges, one due to the range sensor and the other based on the GNSS receiver's output; the premultiplication by A scales these differences dependent upon the accuracies of the sensors and the directions to the beacons.

[Figure 2: The situation for one range.]
Several simulation examples appeared in [11] for m = 2 beacons showing the effectiveness of this spoof detection approach. The case of one range was analyzed in [11] in detail. It was argued that while $r_1$ strictly follows a Rician distribution, it could be well approximated by a Gaussian distribution. Specifically, under in which η equals the amount by which the spoofer has distorted the true position in the direction toward the ranging source (see Figure 2). With this approximation expressions for the probabilities of false alarm and detection of this test are in which Q(x) is the standard Gaussian tail probability and Finally, it was noted in [11] that if the spoofed position results in η = 0 (i.e., along the circle of constant radius from the beacon, the dotted curve in Figure 2) a single range measurement cannot detect spoofing. Additional range measurements make all spoofing events detectable.
COMPUTING PERFORMANCE, m > 1
The test statistic in Eq. (1) is based on δ r = r − r the vector difference between the measured range and the range due to the GNSS position. Let's first characterize this vector statistically:
• By assumption the measured ranges include independent Gaussian noise variates
• Writing the GNSS measurements as e = µ e + e and n = µ n + n , the means plus errors, the elements of the GNSS derived range vector are functions of the position errors. These errors are Gaussian variates
• Assuming that e and n are small with respect to the actual ranges (so that d is approximately constant), expand the definition of $r_k$ in a Taylor series on these two variables and keep only the linear terms
The result is that each element of the differential range vector is a Gaussian random variable; the bias represents the mean of each:
- Under $H_0$, $f_k(0, 0) = r_k$ and the bias is zero for all k.
- Under $H_1$ this bias is the amount that the spoofer has moved the GNSS position in the direction toward the k-th ranging source; paralleling the development above define these shifts as the $\eta_k$ (or vector η).
Being linear functions of Gaussian variates, the vector versions of the measured ranges and the GNSS ranges are jointly Gaussian. Their difference is also Gaussian so can be characterized by its mean vector The test in Eq. (1) compares the magnitude of y against a threshold; squaring both sides the equivalent test is a test of a quadratic form in δ r To facilitate doing these computations, it is convenient to rotate the data so that the major axes of the ellipses are parallel to the horizontal axis. Specifically, defining the rotated coordinates in which $\sigma_1$, $\sigma_2$, and ρ are the standard deviations and correlation coefficient of y (this is the negative of the angle of the major axis of the ellipse in the pdf of $(y_1, y_2)$ [13]). The pdfs for z under the two hypotheses are still both Gaussian with parameters With this change of variables the equivalent picture in terms of the random variables z is shown in Figure 4. (As intended, the ellipses are now aligned with the horizontal axis.) With this representation the false alarm probability is in which Ω is the disk about the origin of radius λ. This can be evaluated as using results in [14]. Similarly, the detection probability is While considerably more complicated, several infinite series representations of this probability are available (see [14][15][16]).

PASSIVE RANGING
The results above assumed unbiased range measurements as might result from an active ranging system. As mentioned in the Introduction, our interest is in extending these concepts to passive ranging; equivalently, pseudorange measurements.
Imagine a set of pseudoranges, $\rho_k$, one to each beacon. The model for each is in which $r_k$ is the true range, $t_k$ is the offset of the time of transmission of the beacon signal with respect to UTC, b is the offset of the local receiver with respect to UTC, and k is the noise on the estimate. We include $t_k$ in that the beacon signal might not be directly synchronized to UTC (e.g., eLoran), but has a deterministic time relationship; we assume that $t_k$ is known. The GNSS receiver's clock offset, b, is included in that it provides a link back to UTC at the local vessel platform. Specifically, we assume that the receiver converts a specific pseudorange to a range by subtracting out both $t_k$ and the GNSS receiver's estimate of b, $\hat{b}$. Clearly this use of the GNSS receiver's time output has an impact on performance:
• Under no spoofing the error in this GNSS receiver's time offset adds to the inaccuracy of the resulting ranges and must be taken into account when selecting the threshold for the desired false alarm probability. For simplicity we assume that this time estimate's error is Gaussian with zero mean and variance and is independent of the receiver's East and North errors.
• When spoofing is present the GNSS time might also be wrong! Our model in this case is also Gaussian, but with non-zero mean
Algebraically, the range measurements are Including the statistical model for b, under $H_0$ Further, since all of the pseudoranges are corrected by this same clock estimate, the vector of ranges is correlated with covariance matrix Finally, since the pseudoranges have been converted to ranges, we conjecture that the optimum test is still of the form presented in Eq. (1) but with the new Γ taking into account the impact of b.

One Pseudorange
For a single pseudorange measurement the test again simplifies to the form in which η still describes the position offset toward the beacon and g represents the time offset (in units of distance) due to the spoofer.
With these characterizations the false alarm probability is just a slight modification of Eq. (3). The detection probability is a slight modification of Eq. (4). In general spoofing is detectable by one pseudorange unless the time distortion cancels the location change (g + η = 0); with more than one pseudorange this is, of course, impossible.

Meaconing
Meaconing, both innocent and malicious, is when a valid GNSS signal from one location is reradiated to nearby GNSS receivers (as has occurred at some airports with open hangar doors). In this case the "spoofed" GNSS position is the position of the source of the reradiated signal and the time offset, g, is equal to the additional propagation time from the reradiator to the receiver on the vessel of interest. Figure 5 describes the geometry.
First, we notice that the position offset is limited by the distance to the meaconer Further, when the meaconer is between the mobile and the beacon it is easiest to detect as η+g = 2g; similarly, when the meaconer is opposite to the direction to the beacon, it is undetectable (η + g = 0).

Two or More Pseudoranges
The test statistic for detecting spoofing using pseudoranges is of the same form as above in Eq. (1) except that the new definition of Γ in Eq. (7) includes the correlation due to the use of b; hence, the expressions for the probabilities of false alarm and detection in Eqs. (5) and (6), respectively, still hold after that modification.
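The following Python example is added here and is not the authors' code; it evaluates the noise-free size of the multi-pseudorange statistic under meaconing, for one and for two beacons. Because Eqs. (1), (2) and (7) are not legible on this page, it assumes $A = (I/\sigma_g^2 + d^T\Gamma^{-1}d)^{-1}d^T\Gamma^{-1}$ (the two-dimensional form of the Appendix A result), $\Gamma = \mathrm{diag}(\sigma_k^2) + \sigma_b^2\,1\,1^T$ for the shared clock correction, and a mean of $\eta_k + g$ for each element of the range difference. The function names, the symbol `sig_b`, and all coordinates and sigmas (metres) are constructed for illustration.

```python
import math

def unit(frm, to):
    """Unit vector (east, north) pointing from `frm` to `to`."""
    de, dn = to[0] - frm[0], to[1] - frm[1]
    r = math.hypot(de, dn)
    return (de / r, dn / r)

def gamma_inverse(sig_r, sig_b):
    """Inverse of the assumed Gamma = diag(sig_r^2) + sig_b^2 * 1 1^T.

    The rank-one term models the common GNSS clock-estimate error removed from
    every pseudorange; Sherman-Morrison gives the inverse in closed form and
    sig_b = 0 falls back to the diagonal (active ranging) case.
    """
    w = [1.0 / s ** 2 for s in sig_r]
    k = sig_b ** 2 / (1.0 + sig_b ** 2 * sum(w))
    m = len(w)
    return [[(w[i] if i == j else 0.0) - k * w[i] * w[j] for j in range(m)]
            for i in range(m)]

def gain_matrix(d, sig_r, sig_g, sig_b):
    """Assumed 2-by-m matrix A = (I/sig_g^2 + d^T G^-1 d)^-1 d^T G^-1."""
    gi, m = gamma_inverse(sig_r, sig_b), len(d)
    # M = d^T Gamma^-1 (2-by-m)
    M = [[sum(d[i][a] * gi[i][j] for i in range(m)) for j in range(m)]
         for a in range(2)]
    # N = I/sig_g^2 + M d (2-by-2, symmetric positive definite)
    N = [[sum(M[a][j] * d[j][b] for j in range(m)) + (a == b) / sig_g ** 2
          for b in range(2)] for a in range(2)]
    det = N[0][0] * N[1][1] - N[0][1] * N[1][0]
    Ninv = [[N[1][1] / det, -N[0][1] / det], [-N[1][0] / det, N[0][0] / det]]
    return [[sum(Ninv[a][b] * M[b][j] for b in range(2)) for j in range(m)]
            for a in range(2)]

def statistic(A, delta_r):
    """||A delta_r||, the quantity compared against the threshold lambda."""
    y = [sum(row[j] * delta_r[j] for j in range(len(delta_r))) for row in A]
    return math.hypot(y[0], y[1])

def meaconing_shift(true_pos, meaconer, beacons):
    """Direction rows d and the per-beacon mean shift eta_k + g under meaconing."""
    move = (meaconer[0] - true_pos[0], meaconer[1] - true_pos[1])
    g = math.hypot(move[0], move[1])          # extra propagation distance
    d = [unit(meaconer, b) for b in beacons]  # GNSS reports the meaconer position
    return d, [u[0] * move[0] + u[1] * move[1] + g for u in d]

def mean_statistic(true_pos, meaconer, beacons, sig_r, sig_g=5.0, sig_b=3.0):
    """Noise-free value of the statistic for a given meaconing geometry."""
    d, shift = meaconing_shift(true_pos, meaconer, beacons)
    return statistic(gain_matrix(d, sig_r, sig_g, sig_b), shift)

if __name__ == "__main__":
    me, b1, b2 = (0.0, 0.0), (10000.0, 0.0), (0.0, 8000.0)  # constructed geometry
    for name, mc, bs in [("between, 1 beacon", (300.0, 0.0), [b1]),
                         ("opposite, 1 beacon", (-300.0, 0.0), [b1]),
                         ("opposite, 2 beacons", (-300.0, 0.0), [b1, b2])]:
        print(name, round(mean_statistic(me, mc, bs, [10.0] * len(bs)), 2))
```

With one beacon the meaconer placed opposite the beacon yields a zero mean shift, while adding the second beacon makes the same meaconer visible to the test.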

CONCLUSIONS/FUTURE WORK
This paper shows how pseudorange measurements can be used to detect spoofing of GNSS position measurements:
• The Neyman-Pearson detection was characterized and analyzed; this included the case of one pseudorange, meaconing, and multiple pseudoranges.
• Note that signals of opportunity whose time of transmission offsets, the $t_k$, must be estimated can also be included in these results if the additional error of this estimate is combined with the measurement error.

Future work includes:
• Proving that correcting the pseudoranges is the best use of b toward spoof detection.
• Modifying the performance expressions to allow for correlation between the error in b and the errors in e and n.

APPENDIX A
This appendix develops the MLE solution for the more general m ranges case by casting the problem as one involving the position solution from a combination of range and pseudorange measurements. The development in [11] referenced this result to an unpublished paper; hence, it is included here for completeness.
For convenience we work in three dimensions, recognizing that the reduction to two dimensions is easily accomplished.
Recall that GNSS pseudorange measurements include the actual range to the satellite plus the receiver clock bias The weighted least squares solution (with typical weight matrix $W = \frac{1}{\sigma_s^2} I_n$) for the correction to the assumed solution is so the actual solution is New pseudorange residuals, say $\delta\rho_1$, can be computed at this new solution and H can be recomputed in terms of the new elevations and azimuths for solution $x_1$. If H has changed then a new correction can be found; if not the iteration stops and the residuals satisfy where $0_m$ is a column vector of m zeros.
Returning to the problem of spoof detection with range measurements, a set of range measurements to m fixed locations can be treated as additional pseudoranges, but with zero clock bias. To include this in the position solution the observation vector is augmented with the additional measurements in which r is a column vector of the measured ranges. The direction matrix also gets additional rows; in partitioned form, this is Consider the situation under $H_0$ in which the measured ranges $r_j$ are nearly correct for the GNSS location $(\hat{e}, \hat{n})$. The actual GNSS pseudoranges have yielded a solution $x_0$ so H is essentially correct. With the additional range measurements the perturbation in the solution that results in the MLE (the MLE matching the solution to this Gaussian problem) is where $W_+$ takes into account the unequal weighting due to the range measurements In this expression the notation $0_{j,k}$ corresponds to a j-by-k matrix of zeros and the bottom right submatrix, $\Gamma^{-1}$, is a diagonal matrix with entries equal to the reciprocals of the range measurement variances Interestingly, while this Appendix began with the goal of computing the MLE in the range domain (imagining that the pseudoranges were available), the result only needs the direction vectors to the ranging sources and the GNSS covariance matrix.
Finally, reducing this development to the two dimensional equivalent with variables e and n instead of x and y For independent and identically distributed GNSS errors in e and n (covariance $\Sigma_{en} = \sigma_g^2 I_2$) this becomes This final result leads directly to the test statistic in Eq. (1).

Figure 1: The configuration of a mobile and m ranging sources.

Figure 3 portrays the situation, showing contours of constant probability for y (variables $y_1$ and $y_2$) under both $H_0$ (red) and $H_1$ (blue); the black dotted circle has radius λ. The false alarm probability is the volume of the red pdf outside of the circle; the detection probability is the volume under the blue pdf.

the pseudorange measurement for satellite k, b is the clock bias, and $w_k$ represents the white Gaussian measurement noise (assumed to be independent over k with zero means and common variance $\sigma_s^2$). The unknowns in the standard 3-dimensional GNSS problem are the receiver's position and the clock's bias

$$x = \begin{bmatrix} x & y & z & b \end{bmatrix}^T$$

and the observables are the n pseudoranges

$$\rho = \begin{bmatrix} \rho_1 & \rho_2 & \ldots & \rho_n \end{bmatrix}^T$$

Starting at an assumed solution

$$x_0 = \begin{bmatrix} x_0 & y_0 & z_0 & b_0 \end{bmatrix}^T$$

the nonlinear range equations can be linearized yielding a set of n linear equations in the pseudorange perturbation δρ (equal to the ranges from the satellites to $(x_0, y_0, z_0)$ plus the clock estimate minus the measured ranges) and the solution perturbation δx (the correction to the current position and the clock term)

$$\delta x = \begin{bmatrix} \delta x & \delta y & \delta z & \delta b \end{bmatrix}^T$$

In vector form the equations are

$$\delta\rho = H\,\delta x$$

where H is the geometry matrix

$$H = \begin{bmatrix} \cos\psi_1 \sin\phi_1 & \cos\psi_1 \cos\phi_1 & \sin\psi_1 & 1 \\ \cos\psi_2 \sin\phi_2 & \cos\psi_2 \cos\phi_2 & \sin\psi_2 & 1 \\ \vdots & \vdots & \vdots & \vdots \\ \cos\psi_n \sin\phi_n & \cos\psi_n \cos\phi_n & \sin\psi_n & 1 \end{bmatrix}$$

with $\psi_k$ the elevation and $\phi_k$ the azimuth of the k-th satellite from the assumed solution.
in which D is the first three columns of H,

$$d = \begin{bmatrix} \cos\psi_{r,1} \sin\phi_{r,1} & \cos\psi_{r,1} \cos\phi_{r,1} & \sin\psi_{r,1} \\ \vdots & \vdots & \vdots \\ \cos\psi_{r,m} \sin\phi_{r,m} & \cos\psi_{r,m} \cos\phi_{r,m} & \sin\psi_{r,m} \end{bmatrix}$$

with $\psi_{r,j}$ and $\phi_{r,j}$ corresponding to the additional ranging sources (the m-by-3 matrix consisting of the unit vectors pointing to the ranging sources), and $1_n$ is a column vector of n ones. Similarly, write the differential observations in partitioned form

$$\delta\rho_+ = \begin{bmatrix} \delta\rho \\ \delta r \end{bmatrix}$$

1 B 12 = 1 22B 12 − 1 2 sB 21 D T + 1 σ 2 sB+ 2 sD 2 sD T 1 n 1 T n D − 1 ×σ 2 sD T D − 1 nσ 2 sD
To continue this development the inverse of the first matrix is needed. Consider the (n + m)-by-(n + m) partitioned matrix

$$A = \begin{bmatrix} A_{11} & A_{12} \\ A_{21} & A_{22} \end{bmatrix}$$

Assuming that the diagonal submatrices are themselves square ($A_{11}$ being n-by-n, $A_{22}$ being m-by-m) and that their inverses exist, then there is the identity

$$A^{-1} = \begin{bmatrix} B_{11} & B_{12} \\ B_{21} & B_{22} \end{bmatrix}$$

with

$$B_{11} = \left(A_{11} - A_{12} A_{22}^{-1} A_{21}\right)^{-1}$$

$$B_{12} = -\left(A_{11} - A_{12} A_{22}^{-1} A_{21}\right)^{-1} A_{12} A_{22}^{-1}$$

$$B_{21} = -\left(A_{22} - A_{21} A_{11}^{-1} A_{12}\right)^{-1} A_{21} A_{11}^{-1}$$

and

$$B_{22} = \left(A_{22} - A_{21} A_{11}^{-1} A_{12}\right)^{-1}$$

Using this result, and mixing notation for a few lines 22 1 T n B 21 d T Γ −1 B 11 d T Γ −1 δr It can be shown that the first of these terms is zero. Substituting the sub matrices, this is T D + d T Γ −1 d − 1 nσ d T Γ −1 δr Furthermore part of this expression can be related to the underlying GNSS position performance 1 T 1 n 1 T n D = Σ −1 xyz in which $\Sigma_{xyz}$ is the covariance in (x, y, z) of the GNSS solution (assumed to be $\sigma_g^2 I_3$ for the work above). The result, then, becomes

$$\left(\Sigma_{xyz}^{-1} + d^T \Gamma^{-1} d\right)^{-1} d^T \Gamma^{-1}\, \delta r$$

(Note that the development of the test in Eq. (1) did not use knowledge of the covariance of the GNSS measurements. This development of the performance does; hence, we have a somewhat sub-optimum test but accept this suboptimality as we expect that the GNSS covariance is changing more quickly than does d.) We note that under $H_0$ this is a bivariate Gaussian random variable with zero mean and covariance $\Sigma_y$; under $H_1$ the mean changes.
$$\mathrm{Cov}(\delta r) = \Gamma + d\,\Sigma_{gnss}\,d^T$$

Next, let's consider the linear transformation of this difference vector $y = A\,\delta r$ with A defined in Eq. (2). Noting that A is 2-by-m and that δr is m-by-1, then this product is 2-by-1; i.e., y is bivariate Gaussian. Since this is a linear transformation the mean of y is

$$E\{y\} = \begin{cases} 0 & ; H_0 \\ A\eta & ; H_1 \end{cases}$$

and its covariance matrix is

$$\mathrm{Cov}(y) = A\,\mathrm{Cov}(\delta r)\,A^T = A\left(\Gamma + d\,\Sigma_{gnss}\,d^T\right)A^T \equiv \Sigma_y$$