The Use of Bearing Measurements for Detecting GNSS Spoofing The Use of Bearing Measurements for Detecting GNSS Spoofing

GNSS are well known to be accurate providers of position information across the globe. Because of high signal avail-abilities, robust receivers, and well-populated constellations, operators typically believe that the location information provided by their GNSS receiver is correct. More sophisticated users are concerned with the integrity of the derived location information; for example, employ RAIM algorithms to address possible satellite failure modes. The most common attacks on GNSS availability and integrity are known as jamming and spooﬁng. Jamming involves the transmission of signals that interfere with GNSS reception so that the receiver is unable to provide a position or time solution. Various methods to detect jamming, and possibly overcome it, have been considered in the literature. Spooﬁng is the transmission of counterfeit GNSS signals so as to mislead a GNSS receiver into reporting an inaccurate position or time. If undetected, spooﬁng might be much more dangerous than a jamming attack. A typical maritime concern is a spoofer convincing a tanker traveling up a channel to a harbor that it is oﬀ track of the channel. A variety of approaches have been proposed in the literature to recognize spooﬁng; many of these are based on the RF signal alone as, in some sense, they are the simplest to implement. Of interest here are methods which compare GNSS


INTRODUCTION
GNSS are well known to be accurate providers of position information across the globe.Because of high signal availabilities, capable/robust receivers, and well-populated satellite constellations, operators typically believe that the location information provided by their GNSS receiver is correct.More sophisticated users are concerned with the integrity of the derived location information; for example, RAIM algorithms were developed to address possible satellite failure modes.
The most common attacks on GNSS are known as jamming and spoofing; both are based on the creation of radio signals in the GNSS band.Jamming involves the transmission of signals that interfere with GNSS reception so that the receiver is unable to provide a position or time solution.Various methods to detect jamming, and possibly overcome it, have been considered in the literature.Spoofing is the transmission of counterfeit GNSS signals so as to mislead a GNSS receiver into reporting an inaccurate position or time.If undetected, spoofing might be much more dangerous than a jamming attack.While spoofing might be benign (e.g. a reradiator leaking GNSS signals outside of a airplane hanger), a typical maritime concern is malicious spoofing that convinces a tanker traveling up a channel to a harbor that it is off track of the channel.
A variety of approaches have been proposed in the literature to recognize spoofing and can vary widely based upon the assumed capabilities and a priori knowledge of the spoofer.Many of these are based on the RF signal alone as, in some sense, they are the simplest to implement.Of interest here are methods which compare GNSS information to measurements available from other, non-GNSS sensors.In 2003 Warner and Johnston [1] suggested such methods, calling them sanity checks; they did not further develop the idea.More recently there have been a several examinations of using different non-GNSS signals.In all cases the data from these others sensors is compared to the position information from the GNSS receiver to assess its integrity: • In 2014 these authors considered the use of IMU data to detect spoofing of a Coast Guard ship [2].Specifically, the pitch and roll measurements from the ship's gyrocompass were used to predict the relative spatial trajectory of a GPS antenna mounted high up on the ship.This movement was then correlated to the GPS measurements (with the linear motion of the ship being removed) to detect spoofing.The concept was that the spoofer would not correctly generate the "wiggle" due to the sea state and, hence, be identifiable.It was seen that even low sea-state yielded good detectability.
• In 2014 and 2015 Khanafseh and Pervan employed RAIM residuals from a tightly coupled aircraft GPS/INS to detect spoofing [3].In this case, the tightly coupled INS and GPS system tracked the aircraft's motion due to winds.As above, if the spoofer does not generate this "wiggle" correctly, it could be detected.
• In 2015 Carson and Bevly discussed the use of range and bearing (radar) information to detect GPS spoofing for a platoon of vehicles [4].They assumed the availability of Relative Position Vectors (RPVs) between pairs of vehicles from a radar sensor.To detect spoofing of a single vehicle they compared the RPV to the corresponding GPS difference vector, declaring spoofing if the difference was too great.Their focus was on a pair of vehicles only.
• In 2016 these authors presented methods to detect GNSS spoofing for a single vehicle employing a range measurement from one or more fixed beacons [5] (in avionics applications this sensor could be a DME or barometric altimeter).This work included a full description of the statistical hypothesis tests (Neyman-Pearson criterion) with details on performance analysis and Monte Carlo examples.It was observed that a single range measurement could not detect all spoofing events (e.g.position variation along a circle centered at the ranging source was undetectable), but that two or more ranges could detect position spoofing with high accuracy.
• Later in 2016 these authors extended the range-based concept of GNSS spoof detection to pseudorange measurements allowing the inclusion of RF signals such as eLoran or R-Mode [6].As such signals are typically linked to UTC in some fashion, these methods would also allow for the detection of time spoofing.
• In 2017 these authors extended these same range/pseudorange concepts to spoof detection for platoons of vehicles [7].This approach of the problem of spoof detection is especially effective against localized spoofers that do not impact all users.
• In 2017 these authors considered the application of the position output of an independent PNT (position, navigation, time) system as the source of non-GNSS data for spoof detection [8].Triangulation of position from bearing measurements is a well-known localization technique [9,10], especially for the mariner.This paper considers the use of bearing information to detect GNSS spoofing in a 2-D environment.A typical marine application is a ship entering a harbor and using an alidade to sight landmarks (see Figure 1); for mobile, autonomous vehicles the sensor might be a camera taking a bearing to a nearby vehicle or to a signpost.As in our previous works [5][6][7][8], this paper presents a mathematical formulation of the problem and the sensor data, develops a statistical model of the measurements relative to the GNSS position output, constructs a generalized likelihood ratio test detection algorithm based on the Neyman-Pearson performance criterion (maximizing probability of detection while bounding probability of false alarm), and examines performance of the test, both through analysis and experimentation.A comparison to using both range and bearing is included to show the utility and limitations of bearing data to spoof detection.

THE SETUP
Imagine a two dimensional positioning problem as depicted in Figure 2. The red square represents a mobile vehicle whose location is of interest; the variables e and n represent its true east and north coordinates (horizontal and vertical in this diagram), respectively, in some local coordinate frame.The blue diamonds represent bearing targets at known locations (e k , n k ), k = 1, 2, . . .m.The true bearings are (reversing the east and north components in the standard atan2 notation yields a 4 quadrant inverse tangent in which due north is zero degrees and the angle increases clockwise).We assume that a GNSS measurement of the 2-D position is available, denote it as ( e, n), as are bearing measurements, the φ k , k = 1, 2 . . .m.
The goal here is to test for spoofing which is defined as the existence of radio signals that would result in an erroneous position solution at the GNSS receiver.It is assumed that spoofing does not impact the bearing measurements in any way.(More generally, the scenario is that the GNSS results might be faulty and our interest is in employing the bearing measurements as an integrity check.)Define the null hypothesis, H 0 , as the case in which no spoofer is present and the alternative hypothesis, H 1 , for when a spoofer is present.
Under both hypotheses the GNSS measurement is assumed to be a pair of Gaussian random variables (This notation includes the mean vector and covariance matrix of this length two vector; hence, as parameterized these are independent east and north measurements with equal variances.The extension to correlated variables appears later.).Under H 0 the means are the true location, µ e = e and µ n = n and let the variance be σ 2 = σ 2 0 ; ... under H 1 the means are some other location, say µ e = u and µ n = v, and the spoofer creates some other variance, say σ 2 s .Meanwhile the bearing measurements are assumed to be unaffected by the spoofer.We assume a Gaussian model for each providing for different levels of accuracy on the different bearing measurements.While this model is not perfect, that the bearings only fall in the interval (−180 • , 180 • ] (with wraparound), we assume that the range accuracy is on the order of degrees, or less, and ignore the slight difference in the model.Further, all of the measurements are assumed to be statistically independent.A more significant issue is potential bias in the bearings, possibly equal across the bearing measurements, and could be the basis for future research.

HYPOTHESIS TESTING
Hypothesis testing between a pair of hypotheses, H 0 and H 1 , is usually implemented by computing a scalar function of the observed data, T (data), called the test statistic, and comparing this value to a constant called the threshold.
If the test statistic exceeds the threshold, the test result is a decision for H 1 ; if not, H 0 .Symbolically, this can be written as λ in which λ represents the threshold (yet to be selected).
The goal here is to detect the occurrence of spoofing.Under the Neyman-Pearson approach the probability of false alarm (the probability of deciding for H 1 when H 0 is true) is limited (upper bounded) to some preselected value (often close to zero) and the test is constructed to maximize the probability of detection (the probability of correctly deciding H 1 when H 1 is true).For this criterion the optimum test statistic is well known to be the likelihood ratio [11].
Recognizing that the data consists of both the GNSS location measurement and the range measurements, the test is the ratio of the conditional probability density functions (pdfs) of the measurements under the two hypotheses.
Exploiting the assumed mutual independence of the measurements we have Since the spoofer is assumed to not impact the bearing measurements the product term in this expression is equal to one and the likelihood ratio reduces to the first term.While this cancellation of the bearing measurements seems anti-intuitive, that one expects to exploit those measurements as part of the test, they will reappear in the estimation of the parameters of this resulting likelihood ratio test.
Substituting the pdfs, taking the natural logarithm, and dropping any additive and multiplicative constants, the test statistic is equivalent to Unfortunately, most of the variables in this expression are unknown: specifically, u, v, and σ s under H 1 and e and n under H 0 .A common approach, the generalized likelihood ratio test (GLRT) replaces each of these with its maximum likelihood estimate (MLE) [11].To consider those MLEs, start with the simpler case of H 1 : in which each φ k is not a function of u or v.Note that only the first exponential term contains u and v; hence, the expression is trivially maximized at the MLEs With this result the test statistic simplifies to which, we note, does not depend upon σ s .We can also drop the denominator constant yielding the equivalent test (More generally we could assume a general pdf under spoofing, f s ( e, n), so that the second term in Eq. ( 2) is log f s ( e, n).Under quite general assumptions the MLEs of the parameters under H 1 would result in that term being a constant -zero for the Gaussian case -and the resulting test would still be of the form in Eq. ( 3).) H 0 : Under H 0 the likelihood function is in which the φ k are now implicitly functions of both e and n.Let e MLE and n MLE represent the MLE of location.then the GLRT is equivalent to the test the square of the distance between the MLE under H 0 , (e MLE , n MLE ), and the GNSS measurement, ( e, n) (we can, of course, take the square root of this result and test the distance itself).This is a satisfying solution -if the GNSS location measurement is close to the location estimate including the bearing information then declare no spoofing, if it's far off then declare spoofing.
Below we consider the case of m = 1 first as the mathematics simplifies dramatically; we then consider a linearized version for m > 1.

ONE BEARING MEASUREMENT
When m = 1 it is possible to make significant headway in solving for the MLE under H 0 and in estimating the performance of the hypothesis test.

Development of the MLE
Consider the likelihood function under H 0 for m = 1 with variables e and n (with the single bearing φ being a function of e, n, e 1 , and n 1 )

constant on radials
The first term in this product is constant on circles on the (e, n) plane centered about the GNSS location ( e, n ) with higher values on the smaller circles; these contours are shown in black in Figure 3 with the red dot denoting the GNSS location, ( e, n).The second term in L 0 is constant along radials emanating from the bearing target's location (e 1 , n 1 ); the blue diamond is this location in the figure.Since the MLE, (e MLE , n MLE ), is a point on this plane it falls along some radial line (for example, the center one in the figure); let φ MLE represent the value of the bearing to the MLE.Since the value of the second term of L 0 is constant all along this radial, the location of the MLE will be the point at which the first term in the product is maximized; equivalently, at that point which touches (is tangent to) the smallest possible of the circles (shown in the figure as the black square).
The radial at angle φ MLE has slope equal to tan(φ MLE ); hence, the possible values for e MLE and n MLE along that radial are related by To be tangent to a circle this radial line must be perpendicular to the line connecting the MLE location to the center of the circle, the GNSS location; hence, the MLE's coordinates must also satisfy Substituting in the expressions for the MLE's components and manipulating yields which is independent of φ MLE (!); in other words, the MLE falls somewhere on the circle centered at the midpoint with diameter equal to the range between the GNSS and the target's locations (shown in Figure 3 as the red dashed circle).
There is a one-to-one correspondence between the MLE of the bearing and the location on this circle.Parameterizing the location by the bearing, φ MLE , the log likelihood under H 0 (ignoring constants) can be written as As φ, r, and φ are all known from the measurements and σ 0 and σ 1 are assumed known, this last expression can be optimized over the choice of φ MLE .Specifically, taking a derivative and setting it to zero, the MLE must satisfy the nonlinear condition As the functions in this expression are continuous a numerical solution is easily found.For example, Figure 4 shows a typical log-likelihood function for parameterization r = 300 meters, σ 0 = 2 meters, φ = 45 • , φ = 46 • , and σ 1 = 0.5 Bearing estimate, - Log-likelihood (the first assuming measurement in radians) and solve for an approximate MLE where γ = σ 1 /σ 0 (note that with this simplification σ 1 must be transformed to units of radians).Clearly as γ varies from zero (perfect bearing measurements) to infinity (perfect GNSS measurements) this MLE of bearing ranges from φ to φ.

The Resulting Test
It is also possible to directly write the test statistic in terms of the bearings; specifically which is equal to the off-track error of the GNSS location relative to the MLE of the bearing.Again using the small angle approximation for the sine function this becomes dependent upon the difference between the GNSS-derived and measured bearings scaled by a factor dependent upon the range.

Performance Simulation
The form of the test statistic in Eq. ( 8) does not lend itself to a theoretical analysis of performance; hence, multiple simulations were performed to assess the relative impacts of the parameterization of the scenario.For each the receiver operating characteristic (ROC -probability of detection plotted versus the probability of false alarm) curves are shown: • Spoofer offset -Figure 5, left, shows performance for different amounts of spoofer offset (defined as the "cross track" difference, the distance perpendicular to the direction to the target).The remaining parametric assumptions are a target at 1000 meters range, GNSS east/north accuracies of 2 meters (σ 0 = σ s , we set the spoofer variance to equal the nominal variance as this is, in some senses, the hardest spoofing to detect), and bearing accuracy of 0.5 degrees (σ 1 ).We observe, as expected, that larger spoofer offsets are easier to detect.Not shown, but verified separately, is that spoofer offsets along the direction to the target are essentially undetectable.• Bearing accuracy -Figure 5, right, shows performance for different levels of bearing measurement accuracy (σ 1 ).The remaining parametric assumptions are a target at 1000 meters range, GNSS east/north accuracies of 2 meters (σ 0 = σ s ), and spoofer offset of 8 meters (cross track).We observe, as expected, that higher quality bearing measurements make spoofing easier to detect.There is, of course, a point at which better bearing measurements do not appreciably improve spoofing detectability.The true value of this assessment is recognizing how good the bearing needs to be to be of any value in spoof detection.For example, that bearing measurements with standard deviation measured in degrees are of no value.
• Range to the target -Figure 6 shows performance for targets at different ranges, potentially the most interesting of these simulation results.The remaining parametric assumptions are GNSS east/north accuracies of 2 meters (σ 0 = σ s ), bearing accuracy of 0.5 degrees (σ 1 ), and a spoofer offset of 12 meters (a little larger here to separate the ROCs).The obvious geometric interpretation is that closer targets are better for spoofing detection (the variation in position is effectively r dφ in which dφ is the bearing accuracy and should be comparable in value to the GNSS variation; larger r means a wider interval for the bearing's estimate of position).

A Suboptimum Test and its Analysis
Reconsider the linearized form of the test in Eq. ( 9).If the product rγ 1 then one could argue that the coefficient is approximately a constant and that the test reduces to the square of the difference in the bearing estimates.However, as the position error for the bearing measurement on is on the order of r dφ ≈ r σ 1 then this requirement is equivalent to stating that the bearing measurement is considerably worse in quality than the GNSS location measurement surely an undesirable situation from the perspective of using the bearing as a spoof detector.For a second view, if the range is large with respect to the GNSS accuracy and the amount of spoofing is small (i.e. the spoofer is trying to only alter the position by a small distance), then the value of r will not change much between the two hypotheses and the real variation in the test statistic will be the difference in the two angles.This leads us to consider the suboptimum test The simplicity of this form allows for analysis.Specifically, consider the situation under H 0 : • As noted above the measured bearing, φ, is assumed to be Gaussian about the true bearing.
• The statistics of the GNSS-derived bearing, φ, can be developed from knowledge that the GNSS measurements, e and n, are jointly Gaussian.Let φ 1 and r 1 represent the true values of the bearing and range Using [12, p.390] the probability density function for φ is is the standard Gaussian tail probability.Note that r 1 = 0 yields the typical uniform distribution on [0, 2π).As r 1 becomes large, more of interest here, we can simplify this expression (the Q(•) term goes to zero and the first term dominates the second) to yield If we use the small angle trigonometric approximations sin x ≈ x and cos x ≈ 1 recognizing that under H 0 the GNSS bearing is approximately correct then this pdf is Gaussian with mean equal to the true bearing and standard deviation equal to σ 0 /r 1 .
Figure 7: Spoofing geometry for one bearing target.
• As the two variables, and φ, are independent Gaussian random variables their difference is also approximately Gaussian • This approximation provides an expression for the false alarm probability Equivalently, the threshold can be found as The probability of detection, the performance metric under H 1 , depends upon the action of the spoofer.Figure 7 shows the relationship with the red square and green dot representing the true and spoofed positions, respectively.Defining θ as the angular difference between truth and what the spoofer is creating then the distribution of the bearing difference under H 1 is (in which σ 2 s is the GNSS variance under spoofing, defined above, and r s is the range created by the spoofer) so Figure 8 shows an example of the results for this suboptimum test with range equal to 500 meters, GNSS east/north accuracies of 2 meters (σ 0 = σ s ), bearing accuracy of 0.25 degrees (σ 1 ), and spoofer offset of 8 meters (cross track).Included on the plot are the performance of the optimum test above (blue curve, via simulation), performance of the suboptimum (linearized) test based on the difference in the phase angles (red curve, via simulation), and the theoretical estimate of performance using the ideas above (black curve).Specifically, we note that the three curves are indistinguishable.

TWO OR MORE BEARINGS
For simplicity of the development we resort to vector-matrix notation.Let x and x G represent the true location and the GNSS measurement of it, respectively x = e n and x G = e n and y be the vector of m bearing measurements where g(•) describes the vector of nonlinear relationships relating e and n to each bearing and Γ is the covariance of the bearing measurements (recall that we assumed that the GNSS errors were uncorrelated; hence, no matrix in the first quadratic form).Since we are operating under H 0 let's assume that the MLE is close to x G and expand g(x) around that point; specifically, keeping only the linear term in a Taylor series expansion with J the matrix of partial derivatives With this approximation the log-likelihood at x is approximately and the necessary condition (setting the vector derivative to zero) to maximize the likelihood is Specifically, the MLE of the position is equal to the GNSS position plus a transformation of the vector difference between the GNSS derived bearings, g( x G ), and the measured bearings, y.Normally one might use these results to iterate to the MLE; here we assume that the ranges to the bearing targets are large enough so that J does not change and that the iteration converges in one step.
The resulting test in vector form is λ or, taking a square root, λ As an example imagine two targets due east and north of the vehicle, respectively, both 1000 meters away; assume standard deviations of σ 0 = σ s = 2 meters and σ 1 = σ 2 = 0.125 • .The three subfigures in Figure 9 show the ROCs for spoofer offset of 8 meters to three points of the compass (northeast, east, and north, respectively).We note that in each case the result is relatively insensitive to direction of the spoofing.For comparison, the dashed lines are the detector using only the east target.In one case (the third one, spoofing directly north) this single bearing result is better than the 2 bearing result due to the decrease in noise; for another (spoofing due east) the spoofing is undetectable by the single bearing; the remaining case of spoofing to the northeast shows one bearing having poorer performance than the 2 beacon test.

BEARING AND RANGE
Considering the above results in the context of our earlier results on the use of range measurements [5], a natural question to ask is what happens if one is given a radar measurement, the pair ( r, φ).
We note that the development of the MLE in Eq. ( 14) did not depend upon the form of g(•) being limited to bearings.In fact, this expression still holds for any choice of g as long as we can express J and claim that it does not change appreciably around x G .For y consisting of the range and bearing and we can implement a radar-based spoof detection algorithm. λ As an example imagine a radar target, 1000 meters away due East; assume standard deviations of σ 0 = σ s = σ r = 2 meters and σ φ = 0.115 • (the angle accuracy chosen to provide equal position accuracy for the radar's bearing and range measurements).The three subfigures in Figure 10 comparing three detectors (full use of range and bearing, use of range only, and use of bearing only) for three spoofing cases: • The first shows the result for spoofer movement in both range and bearing; the range only and bearing only detectors are effectively equivalent (the dotted curves overlap).For the chosen levels of accuracy the range and bearing measurements appear as equally accurate, but orthogonal, position estimates.
• The second is spoofing movement to the East of 8 meters.As expected this is invisible to the bearing only detector; the range only detector is slightly better than the full radar detector in that is includes less noise.
• The third is spoofing movement in bearing only (8 meters to the North).Now the movement is invisible to the range detector; the range based system is superior, again due to less noise.

CONCLUSIONS/FUTURE WORK
This paper shows how bearing measurements can be used to detect spoofing (or as an integrity check) of GNSS position measurements: • An exact development of the test was presented for the case of a single bearing measurement.While a analytical performance analysis is impossible due to the complexity of the test, a suboptimum version (based only on the bearing measurement and the GNSS-induced bearing) seems to perform equally well for small amounts of spoofing and does allow for a performance analysis (and selection of threshold).
• These single bearing results also provide insight into how the relative accuracies of the GNSS position and the bearing induced position impact spoofing detectability.Specifically, bearing measurements with an accuracy of 1 degree are ineffective unless the range to the target is measured in the hundreds of meters; for kilometer (or larger) ranges, sub-degree bearings are needed.
• A linearized spoofing test was fully developed for 2 or more bearing measurements; examples were presented showing that 2 bearings eliminate the spoofer's ability to defeat the test.
• The linearized approach was extended to a bearing/range measurement pair (e.g. a radar output); again, the results allow a discussion on the needed accuracy of the measurements.
Future work can go in a variety of directions: • Randomness in the location of the bearing targets' locations: Consider the situation in which the locations of the bearing targets themselves include some uncertainty.Perhaps the locations are just not well known, or that they can move due to some external stimulus (e.g.tide, current, or wind moving a bearing source mounted on a buoy).
• Correlated GNSS errors: All of the results above assumed uncorrelated errors on the GNSS measurement.The model in (1) can be extended, allowing a more general covariance model for e and n.Specifically, let Σ g be this covariance e ρσ e σ n ρσ e σ n σ 2 n which can be incorporated into the development leading up to Eq. ( 13).Further, the m = 1 case can be redeveloped in which the MLE is characterized by the point on an ellipse determined by Σ g tangent to the radial.
• Bias in the bearings: The development in this paper assumed that the bearing measurements were unbiased.A better model would be to include (correlated) bias for each measurement; one solution might be to use additional measurements to estimate the bias (as additional GNSS pseudoranges allow one to estimate common clock bias).

Figure 1 :
Figure 1: A typical alidade (left) and use of one on a Coast Guard vessel (right).

Figure 2 :
Figure 2: The general configuration of the vehicle and m bearing targets.

Figure 3 :
Figure 3: Contours of constant value for the two terms in L 0 for m = 1.

2 σ 2 1 2 (
Defining the GNSS-derived values of the bearing and range to the target as φ ≡ atan2 (e 1 − e, n 1 − n) and r ≡ (e 1 − e) 2 + (n 1 − n) tildes used to indicate GNSS-computed values) we have n 1 − n = r cos φ and e 1 − e = r sin φ so that log

Figure 5 :
Figure 5: Simulation results for one bearing target showing the impact of the spoofer's position offset (left) and the bearing measurement accuracy (right).

Figure 6 :
Figure 6: Simulation results for one bearing target showing the impact of the range to the bearing target.

Figure 8 :
Figure 8: Comparison of performance of the suboptimum test.

Figure 9 :
Figure 9: Comparison of performance with two beacons; the title numbers specify the spoofed location in east/north.

Figure 10 :
Figure 10: Comparison of performance with a radar target.
(6)(6)both parameterized by the, yet unknown, MLE of the bearing φ MLE .To describe the locus of possible MLE locations (for varying φ MLE ) consider the distance, d, from this solution to this midpoint between the GNSS estimate of location and the bearing target's location e MLE ) tan φ MLE Solving these two expressions yields the coordinates of the MLE as n MLE = n 1 sin 2 φ MLE + n cos 2 φ MLE + ( e − e 1 ) sin φ MLE cos φ MLE (5) and e MLE = e 1 cos 2 φ MLE + e sin 2 φ MLE + ( n − n 1 ) sin φ MLE cos φ