Detection and Mitigation of GPS Spoofing Based on Antenna Array Processing

Detecton and Mtgaton of GPS Spoofng Based on Antenna Array Processng J. Magera* and R. Katulsk Department of Rado Communcatons Systems and Networks Gdansk Unversty of Technology Gdansk, Poland *radokom@et.pg.gda.pl ABSTRACT In ths artcle authors present an applcaton of spatal processng methods for GPS spoofng detecton and mtgaton. In the frst part of ths artcle, a spoofng detecton method, based on phase delay measurements, s proposed. Accuracy and precson of phase delay estmaton s assessed for varous qualtes of receved sgnal. Spoofng detecton thresholds are determned. Effcency of ths method s evaluated n terms of probablty of false alarm and probablty of detecton when 4 to 8 GPS sgnals are receved. It s shown that the probablty of spoofng detecton s greater than 99 percent f carrer-to-nose rato s at least 46 dbhz. The second part of the artcle presents a GPS spoofng mtgaton method whch uses spatal flterng (null-steerng) for excson of undesred sgnals. Performance of ths method s analyzed n varous condtons. Attenuaton of undesred sgnals s estmated to be at least 60 db when ther sgnal-tonose rato s hgh. Furthermore, statstcal analyss of the spatal flterng nfluence on the avalablty of true sgnals s provded. Eventually, a concept of practcal ant-spoofng system mplementaton s proposed. Keywords: Antenna array, detecton, GPS, null-steerng, spoofng. 1. Introducton Global Postonng System recevers are present n many devces, startng from chps nstalled n smple trackers and smartphones [1], through professonal geodetc devces, to hgh-dynamcs recevers used n avaton and space vehcles. Apart from t, GPS s used to provde accurate synchronzaton to telecommuncaton networks and power grds. For a large number of these applcatons ntegrty of GPS sgnals and correctness of navgaton data s crtcal, n order to compute accurate poston, velocty and tme (PVT) nformaton. However, t must be remembered that GPS sgnals may be easly jammed even by sgnals of power equal to several Watts, dependng on the dstance from jammer [2]. GPS spoofng s a more sophstcated technque than jammng, snce n ths case the nterference mtates the true navgaton sgnals arrvng from GPS satelltes. Wthout any protectve features, a GPS recever s vulnerable to spoofng. The sgnals emtted by spoofer (spoofng devce) not only jam the true sgnals but also cause the estmaton of ncorrect PVT values. Advanced recevers perform the Recever Autonomous Integrty Montorng (RAIM) algorthm. However, f the parameters and navgaton data of spoofng sgnals comply wth the current orbtal parameters, RAIM may not detect the lack of ntegrty. It s especally probable n scenaros when spoofer ntally smulates the true poston of recever and gradually devates t to the wrong one. It s clear that addtonal features are requred to detect and mtgate GPS spoofng. Many methods of spoofng detecton are proposed [3], such as: - detectng unusual values or changes of powerrelated parameters: carrer-to-nose densty rato, absolute receved sgnal power, power varatons, L1/L2 band power rato, - montorng tme-related parameters: length of nterval between phase transtons, delay between sgnals transmtted on dfferent frequences, - analyss of sample values at correlator output, Journal of Appled Research and Technology 45

- spatal processng detectng multple sgnals wth the same drecton of arrval usng a mult-antenna recever or a moble sngle-antenna recever, - cryptographc protecton, - usng hybrd navgaton systems (GNSS+INS) [4], and many others. Nevertheless each of them has some drawbacks, concernng ether ncreased complexty and cost or effectveness lmted to a certan set of spoofng scenaros. For example, one of suggested methods s based on checkng whether the receved sgnals are modulated wth mltary P(Y) code, whch s usually absent n spoofng sgnals [5]. Despte beng effectve, ths soluton uses two recevers and requres that one of them s protected from spoofng, whch s not always possble. In general, effectveness of spoofng detecton methods depends on the sophstcaton level of spoofer. For example, carrer-to-nose densty detecton algorthms may be defeated through addng an artfcal whte nose and changng the relatve nstantaneous ampltudes of fake sgnals. The most sophstcated spoofers adjust the PRN code phase and carrer phase to match those of true sgnals arrvng to a target recever [6]. The usage of such devce s lmted, snce t requres the knowledge of precse dstance between the spoofer and the attacked recever. Whle t may seem to be possble n certan stuatons, then usng multple scattered antennas to transmt synchronzed sgnals, n order to mtate spatal separaton of satelltes, s very unlkely. Ths s the reason why the spoofng detecton methods based on spatal processng are hghly robust. The relatve drectons of arrval of sgnals from dfferent space vehcles (SVs) are lkely to be the most relable factors durng dstncton between genune and fake GPS sgnals. The undsputed advantage of such solutons s the nherent drecton of arrval (DoA) estmaton, results of whch may be used to flter out the spoofng sgnal through beamformng or null steerng. To restore the correct operaton of a spoofed GPS recever, spoofng mtgaton procedures are appled. Varous approaches to solve ths problem may be found n the lterature [3]. Vestgal Sgnal Detecton method, used for spoofng mtgaton, subtracts the local code and carrer replcas from buffered samples of composte receved sgnal and then repeats the acquston n order to detect and acqure suppressed sgnals from GPS satelltes. When usng ths method, an assumpton s made that the power of false sgnal s sgnfcantly hgher than the power of true sgnal. It may not be fulflled when the recever s far from the spoofer. In such case, the true sgnals may be dscarded n favor of the ones used for spoofng. Moreover, f spoofer s sgnals have consderably hgher power than desred sgnals, the latter may not be detected, due to quantzaton error. Another countermeasure, Recever Autonomous Integrty Montorng (RAIM), compares pseudorange measurements and dscards the outlers resultng from presence of false sgnals. Ths approach may fal n scenaros, where spoofer s synchronzed wth true sgnals or when all the true sgnals are jammed, makng t mpossble to compare the measurements. The most robust methods of GPS spoofng detecton and mtgaton seems to be the ones whch use spatal processng. The necessty of antenna array usage results n ncreased complexty of the recever, but t may be acceptable when robustness s the man crteron. Spatal processng methods whch use multple antennas for recepton of GNSS sgnals have already been proposed n varous approaches n the last few years [7], [8]. Ther applcatons are mostly related to jammng and nterference mtgaton. However, the performance of these spatal algorthms n varous condtons s usually nsuffcently nvestgated. In subsequent chapters of ths artcle authors present an example soluton whch apples the antenna array processng for GPS spoofng detecton and mtgaton. Effectveness of ths method s also assessed. 2. Spatal processng There are varous ways of obtanng the drecton of arrval or angle of arrval estmate. They nclude: mechancally or electroncally controlledrecepton pattern antennas, phase nterferometry, subspacebased methods such as MUSIC or ESPRIT and others. Most of these possbltes requre addtonal sgnal processng blocks. In GNSS recevers avalable on the market, sgnal processng blocks 46 Vol. 13, February 2015

are usually ntegrated nto one chp wthout any external access to samples of receved sgnals. That s why the best way to assess the performance of DoA estmaton s to use a software recever wth an analog front-end. Off-the-shelf chp-scale GPS front ends are avalable, yet they usually provde only one or two bt output sample resoluton, whch s suffcent for GPS sgnal recepton, but t may be too low for DoA applcaton. It s better to use a separate preamplfer and an analog down converter followed by a hgh-resoluton mult-channel dgtzer. Subspace-based methods of DoA estmaton are computatonally effcent and accurate, however they requre relatvely hgh Sgnal-to-Nose Rato, whch s not the case of GPS sgnals hdden almost 20dB below nose floor. Nevertheless, they may be appled to the post-correlaton sgnals [9]. The other approach, selected by authors of ths artcle, s to measure the receved sgnals phase shfts whch may be used to estmate thedoa through phase nterferometry. Drecton of arrval corresponds to the phase delay dfferences of sgnals at the outputs of recevng antenna array elements. The level of ambguty n resolvng DoA s hghly dependent on array geometry and characterstcs of array elements (sensors). Snce spoofng sgnals are practcally always radated from a sngle source, they arrve to the recever from the same drecton, no matter f t s a lne-of-sght or a reflected sgnal. On the other hand, genune sgnals from GPS satelltes arrve from dfferent drectons wthn the whole hemsphere, assumng the clear vew of the sky. Basng on ths assumpton, GPS spoofng s detected when multple receved sgnals have the same or very smlar DoAs. Azmuth and elevaton, whch represent twodmensonal DOAs, are non-lnear functons of phase delays. That s why a relaton between the phase delay estmaton error and the DoA estmaton error depends on relatve orentaton between source of sgnal and recevng antenna. Thus for GPS spoofng detecton t s more relable to compare the phase delays than to compare the actual DoAs. 3. Smulaton model In ths paragraph the model of receved GPS sgnals as well as the model of the antenna array are descrbed. They are necessary assumptons to assess the performance of proposed counterspoofng methods. 3.1 Sgnal model In order to determne the effectveness of proposed spoofng detecton method, a smulaton model was developed. Ths model assumes that transmtted sgnals are only subject to the addtve whte Gaussan nose (AWGN) and ther delays are proportonal to the dstances between the source of sgnal and partcular elements of the antenna array. Sgnals receved by multple antenna elements may be descrbed as follows: s t P ct dt cos2 f t n t 2 (1) where =1,...,M s the array element number, P s the receved power of -th sgnal, τ s the total delay of transmsson from the sgnal source to the-th element, c s the pseudorandom C/A code sequence, d s the navgaton message data sequence, f c s carrer frequency and n s the addtve nose at -th element. One of the antenna array elements s selected to be the reference. Only the sgnals receved through ths element pass the full sgnal processng path of GPS recever, that s acquston and trackng phase, ncludng C/A code phase and carrer phase estmaton. Acquston procedure, as well as code and carrer trackng loops are mplemented n software, accordng to algorthms presented n [10]. The remanng blocks of GPS recever,.e. pseudorange estmaton, navgaton message decodng etc. are not nvolved n spoofng detecton procedure. Sgnals from the rest of the outputs of antenna array are correlated wth the same local replca whch s used for correlaton wth the reference sgnal. Snce the relatve delays between sgnals are less than one L1 carrer perod, whch s over c Journal of Appled Research and Technology 47

1500 tmes shorter than duraton of one C/A code chp, the code phases of correspondng sgnals at all antenna elements are practcally the same. Multplyng the receved sgnal wth a C/A code replca provdes the carrer modulated wth navgaton data. The next operaton s correlaton wth complex carrer whch provdes the nformaton about the phase shft: Im Z arctan Re Z (2) planar arrays may be benefcal for 2D DoA estmaton [12]. Four-sensor unform crcular array was selected for purpose of descrbed smulaton research. Confguraton of elements s presented n Fg. 1. Spacng d between neghborng elements s equal to 0.45 wavelength. It s less than half wavelength n order to decrease the level of phase ambguty when the nosy sgnal mpnges on the array from drecton parallel to any of the array s baselnes. where Z s the complex sample at correlator output. Phase of carrer replca s adjusted to match the phase of the reference sgnal from the frst sensor. Thus, the rest of computed phase shfts are the DoA-related phase delays between the frst and the other array elements. 3.2 Antenna array model Whle selectng an antenna array confguraton for DoA estmaton, many factors have to be taken nto consderaton. Frst, the number of sensors. Two sensors may be used for phase delay dscrmnaton [7] and for lmted estmaton of the angle of arrval. However, when usng such an array, the same phase shfts are possble for baselne-symmetrcal azmuths. Addng the thrd non-n-lne element to the array elmnates the ambguty of the azmuth. Even more elements are necessary for unambguous two-dmensonal DoA estmaton. On the other hand the number of sensors must not be too hgh. There are lmtatons on the sze of the antenna array. When the dstance between sensors s larger than half of the wavelength, phase ambguty occurs. A large number of closely-spaced sensors ncreases mutual couplng. Also more sgnal processng paths are requred n ths case, whch ncreases hardware and computatonal complexty. Besdes the number of elements, ther arrangement s mportant. The most popular are planar arrangements: unform lnear/rectangular array (ULA,URA) [11], as well as crcular array or crcular array wth addtonal central sensor. Non- Fgure 1. Proposed confguraton of the antenna array elements. As all of the elements are located on a plane whch s parallel to the ground, there exsts an uncertanty whether the elevaton s postve or negatve. However, n case of GPS antennas, sgnals are receved only from drectons wth postve elevatons, so estmated elevaton angles may be mapped to range from 0 to 90 degrees. Couplng between sensors, whch depends on specfc types of antenna elements, s not taken nto consderaton n ths model. It may have a sgnfcant nfluence on ampltude and phase of receved sgnals, thus should be nvestgated n practcal mplementatons. 4. Smulaton results Prelmnary performance assessment of the descrbed spoofng detecton and mtgaton methods was made basng on the results of the followng smulatons. 48 Vol. 13, February 2015

4.1 Mean and RMS value of phase delay estmaton error A seres of smulatons were conducted n order to assess the accuracy and precson of phase delay estmaton wth varous sgnal-to-nose ratos. In each scenaro two parameters were measured for phase delays: mean value offset and root-meansquare error (RMSE). Snce the power spectral densty of GPS sgnals s below the nose floor and all the sgnals share the same frequency band, t s dffcult to estmate the wdeband SNR value. In ths case, carrer to nose densty rato (C/N 0 ) s used to assess the receved sgnal qualty. It s calculated after correlaton, when the pseudorandom C/A code and the navgaton data are removed from carrer. The relaton between sgnal-to-nose rato and C/N 0 n cvlan GPS s: C N 0 S dbhz [ db] 10 log( B[ Hz]) N S [ db] 63.1[ dbhz] N (3) where B s the GPS C/A sgnal bandwdth equal to 2.046 MHz. Smulatons were performed for C/N 0 from 35dBHz to 60dBHz, as t s a range of values mostly occurrng durng recepton of real GPS sgnals. Four uncorrelated realzatons of AWGN were added to relatvely delayed GPS waveforms to obtan desred SNR. To check whether t s the only source of sgnal dstorton, C/N 0 was estmated usng three dfferent procedures descrbed n [13],[14]: Varance Summng method, Beauleu s method and Moments method. For each method, the dfference between theoretcal and measured value n range from 40 dbhz to 60 dbhz was less than 0.5 db. Measured C/N 0 error values are presented n Fg. 2. Phase delay measurements are calculated after correlaton wth 1ms ntegraton tme. They are contaned n-π to π range by default. If the nomnal phase delays are close to the borders of ths range, phase wrappng may cause the ncrease n RMS error and mean value offset. That s why the computed phase delays are addtonally mapped nto -2π to 0 and 0 to 2π ranges. For each par of array elements the range wth the lowest varance wthn last 100ms s selected to provde the samples used to assess accuracy and precson. C/N 0 [db] 0.5 0-0.5-1 -1.5-2 Varance Summng Beauleu's Moments -2.5 35 40 45 50 55 60 C/N 0 [dbhz] Fgure 2. Carrer-to-nose rato estmaton error. The charts presentng mean value offset and RMS error as a functon of C/N 0 are shown n Fgs. 3 and 4respectvely. For each C/N 0 value, 10 teratons were executed and the average value was taken. In each teraton 5 seconds of sgnal were analyzed. Smulatons were conducted for varous drectons of arrval and each tme the results were very smlar, whch means that phase delay error s ndependentfrom nomnal phase delay. As may be seen, the offset of mean value oscllates around zero value n entre C/N0 range. It proves that AWGN does not decrease the accuracy of phase estmaton. Fgure 3. Mean phase delay offset from nomnal value. Journal of Appled Research and Technology 49

Frst, the obtaned phase delay estmaton error values were plotted on a normal test plot. The dstrbuton s assumed to be normal, f the samples concde wth the dagonal lne. As may be seen n Fg. 6, the concdence s very good. Normal Probablty Plot 0.99 0.98 0.95 0.90 0.75 Fgure 4. Root mean square error of phase delay. The RMS error s the same for all three pars of array elements. Eq. 4 descrbes the least squares approxmaton of RMSE φ as a functon of C/N 0. Probablty 0.50 0.25 0.10 0.05 0.02 0.01-0.08-0.06-0.04-0.02 0 0.02 0.04 0.06 0.08 Estmaton error [rad] C / N0 3.037 10.083 C / N0 7.093 4.508 RMSE rad 10 10 (4) 4.2 Phase delay error dstrbuton Dstrbuton of phase delay dfference error must be known n order to evaluate the probablty of spoofng detecton, as well as the probablty of false alarm. Statstcal analyss was conducted on the samples of phase delay error to decde whether t follows a normal dstrbuton. A sample hstogram of phase delay estmaton error s presented n Fg. 5. As may be seen, t resembles the Gaussan bell curve. However, to make sure that t s n fact normal, another two tests were carred out. Fgure 6. Normal test plot of phase delay error. Another test was the calculaton of the Anderson- Darlng statstc n order to numercally assess the goodness of ft. For sgnfcance level α=0.05, t s sad that the dstrbuton s normal f the statstc value s less than 0.752. Calculatons were done for nteger values of C/N 0 n range from 40 dbhz to 60 dbhz. The results are shown n Fg. 7. All of the values do not exceed the threshold, so t may be assumed that the phase delay error s dstrbuted normally. Fgure 7. Anderson-Darlng statstc of phase delay error. 4.3 Probablty of spoofng detecton Fgure 5. Sample hstogram of phase delay estmaton error (C/N0 = 60 dbhz). In deal condtons, all spoofng sgnals would cause the same phase delays. In the nosy 50 Vol. 13, February 2015

channel they are not exactly the same. Presence of spoofng mght be detected by checkng whether the phase delay dfferences of multple GPS sgnals are below the specfc threshold. Knowledge about possble phase delay error s mportant for selecton of such threshold levels whch would maxmze the probablty of detecton. Incorrect GPS spoofng detecton, called false alarm, may occur n stuatons when multple true satellte sgnals are receved from smlar drectons and all phase delay dfferences are below predefned threshold. In order to determne how large these dfferences may be, the postons of all GPS satelltes wthn 24 hours perod were computed wth 1 mnute nterval. For each tme nterval, a number (from four to eght) of vsble satelltes, wth most smlar drectons of arrval, were selected and nomnal values of phase delay dfferences were calculated. Assumng that probablty of false alarm P fa s not greater than 10-4, threshold level Φ th may be evaluated from: M N P fa P 2 j1 j th (5) where Φ j s the j-th dfference of phase delays between frst and -th element of antenna array, N=(K-1) K/2 and K s the consdered number of spoofng sgnals (fake satelltes). If phase delays are normal random varables wth varance σ 2 RMSE φ 2, then: numbers of satelltes nvolved n spoofng, are shown n Fg. 8. th [rad] 4 3.5 3 2.5 2 1.5 1 0.5 4 SVs 5 SVs 6 SVs 7 SVs 8 SVs 0 35 40 45 50 55 60 C/N 0 [dbhz] Fgure 8. Threshold levels for phase delay dfference. After determnaton of the detecton thresholds, probablty of spoofng detecton P d was estmated usng expresson smlar to Eq. 6: M N th P d 0.51 erf 2 j1 2 (7) Probabltes of detecton, as functons of C/N 0 and number of satelltes, are presented n Fg. 9. For C/N 0 greater than 47 dbhz practcally every presence of spoofng wll be detected, rrespectve to the number of fake satelltes. To provde at least 99% probablty of detecton wth 4 to 8 satelltes, carrer-to-nose rato must not be less than 46, 41 and 39, 38 and 36 dbhz respectvely. M N th j0 P fa 0.5 1 erf 2 j 1 2 (6) where Φ j0 are the true dfferences of phase delays,.e. wthout error caused by nose. Threshold levels were calculated for C/N 0 range from 35dBHz to 60dBHz. Recevng antenna postons were set to 0, 15, 30, 45, 60, 75, 90 degrees north and 0 degrees of longtude, accordng to WGS84 coordnates. Fnal threshold level was selected for each case as the mnmum from values obtaned for dfferent postons of the recever. Results, for varous Fgure 9. Probablty of spoofng detecton. Journal of Appled Research and Technology 51

4.4 Performance of null-steerng for spoofng mtgaton After nformaton about relatve phase delays of spoofng sgnal s obtaned, null-steerng s appled to suppress all the sgnals arrvng from partcular drecton. The optmum complex weght vector w for null-steerng usng M-element antenna array s: 1 1 w 1, exp( 1,2),... exp( 1, M ) M 1 M 1 T (8) where Δφ 1,m s the unwanted sgnal phase delay between the frst (reference) and m-th element of array [16]. Flterng process s performed accordng to the followng expresson: s t s t s t Re 1 w (9) flt... M the dmensons of antenna array are related to a partcular wavelength, the attenuaton vares for dfferent frequency components of receved sgnals. In addton, ths varaton s a functon of DoA. For example, f elevaton angle s equal to 90, all relatve phase delays are zero and hgh attenuaton s constant n whole frequency range. Largest dfferences of attenuaton occur for low elevaton angles and azmuth angles close to 0 and 180. Fg. 10.shows the example frequency characterstcs of the selected array n 2.046 MHz band around L1 frequency, at 0 DoA azmuth. As may be seen, center frequency component s completely elmnated from output sgnal. Attenuaton on the borders of analyzed frequency range s much lower. Assumng that spectrum of nosy spoofer s sgnal s flat, total attenuaton G GPS n 2.046 MHz band, at 0 elevaton of arrval and 0 or 180 azmuth of arrval, s equal to about 60 db. where s flt (t) s the antenna array output sgnal and s m (t) s the sgnal receved through m-th sensor of array. Complex sgnal y(t) at the output of proposed antenna array may evaluated usng Eq, 10, assumng untary power of arrvng sgnal: y 4,, w, t 2 exp( c ( t)) 2 wm exp m m2 (10) 2 d, 1 m m c t cos 3 m cos (11) 4 where ψ s the DoA azmuth angle, θ s the DoA elevaton angle, φ c (t) s carrer phase at reference sensor, w m s the m-th element of weght vector, d 1,m s dstance between frst and m-th array element and λ s wavelength. Elements of array are assumed to be sotropc. Array gan s calculated n the followng way: T 1 2,, w Rey,, w, t G dt (12) T 0 where T s equal to one carrer perod. Pattern descrbed by Eq. 12 refers to the sgnal component located exactly at L1 frequency. Snce Fgure 10. Frequency characterstcs of proposed antenna array. Phase estmaton error causes changes n shape of antenna array recepton pattern. Erroneous phase delays are not connected wth specfc DoA, so the pattern does not have a dstnct null. In other words, presence of nose and nterference decreases the attenuaton of all sgnals arrvng from the drecton of spoofng source. To constran a null n drecton close to DoA of spoofng sgnal, the best-ft DoA s calculated for naccurate phase delays. Error functon s selected to be the meansquare dfference of phase delays: 1 E, (13) M 1 M * 2 1, m, 1, m m2 52 Vol. 13, February 2015

where Δφ(ψ,θ) s a phase delay connected wth specfc DoA whle Δφ* s the phase delay estmated n presence of nose. Gradent optmzaton s used to evaluate the best-ft DoA. It nvolves an teratve procedure whch may be descrbed n the followng way: k k 1 1 E k, k k E k k, k (14) where k s teraton ndex and β s a real constant coeffcent whch affects the convergence of the procedure and the number of teratons requred to acheve acceptable error value. Intal null drecton s set to {ψ 0,θ 0 }=[0, 45 ]. Eventually, new set of phase delays s calculated, based on resultng DoA. These phase delays, nstead of those prmarly estmated, are used to form the array weght vector as n Eq. 8. Average attenuaton of spoofng sgnals, arrvng from 0 azmuth and 0 elevaton, before and after optmzaton of weght vectors, s presented n Fg. 11. Results, for each C/N 0 value, were obtaned by averagng 1000 attenuaton values calculated for normally dstrbuted random phase delays. It may be seen that the optmzaton sgnfcantly ncreases the attenuaton of undesred sgnals. As C/N 0 ncreases, attenuaton approaches the 60 db value, whch s the lmt for sgnals mpngng on array of proposed confguraton from mentoned DoA. On the other hand, f no optmzaton s performed, the attenuaton of spoofng sgnals s not satsfactory, especally for low C/N 0. Fgure 11. Mean attenuaton of spoofer s sgnals n presence of nose. 4.5 Influence of null-steerng on recepton of true GPS sgnals Null-steerng towards source of spoofng sgnal results not only n excson of ths unwanted sgnal, but may also have negatve nfluence on qualty of desred, true sgnals, arrvng from GPS satelltes. A ttenuaton of satellte sgnals may be estmated from Eq. 10, consderng wde bandwdth. Relatve nose power between nput and output of the array must be also taken nto account to calculate changes n sgnal-to-nose rato caused by spatal flterng. Snce the ambent nose does not have a one specfc source n space, ts attenuaton G n depends only on the weghts vector and s expressed n the followng way: 2 M G n w w m (15) m1 2 Smulaton research was conducted to estmate the probablty that SNR decrease exceeds acceptable level for gven number of vsble satelltes. Ths level depends on expected SNR n recever s locaton wthout spoofng actvty. Postons of all operatng satelltes were computed, basng on GPS almanac, wthn 24-hour perod wth 1 mnute nterval. GPS recever s postons were set to 0, 15, 30, 45, 60, 75 and 90 North, 0 of longtude wth 0 m heght, accordng to WGS-84 coordnates. DoAs and correspondng changes of SNR were computed for all of satelltes and recever s postons. DoAs of spoofer s sgnals, represented by pars of azmuth and elevaton angles, were selected respectvely n ranges from 0 to 360 and from 0 to 90, wth 5 step. For each of analyzed acceptable SNR decrease levels, a cumulatve dstrbuton functon (CDF) was calculated as the mnmum of CDFs estmated for all recever s postons. Resultant probablty dstrbuton was evaluated through dfferentaton of ths CDF. Statstcal representaton of obtaned results s shown n Fg. 12. If 12 db SNR decreases acceptable, full satellte vsblty s most lkely. On the other hand, when qualty of true sgnals s poor and only 3 db SNR decrease s tolerated, number of excsed sgnals s larger, wth 2 beng the most probable value. From practcal pont of vew, nformaton about the number of sgnals possble to receve s more mportant than about the absolute number of excsed sgnals, snce the total number of Journal of Appled Research and Technology 53

vsble satelltes vares wth tme and recever s poston. Thus, another nvestgaton was performed n order to evaluate the probabltes that certan number of satellte sgnals are possble to be receved when null-steerng s enabled. Results of ths analyss are presented n Fg. 13. Probablty that at least 4 satelltes are vsble s over 95 %, f acceptable SNR decrease s less than 1 db. To provde over 95 % probablty of at least 5, 6 and 7 vsble satelltes ΔSNR thresholds must be set to 2 db, 4 db and 7 db, respectvely. Sgnals from the outputs of a four-element antenna array are amplfed and downconverted from RF to IF n an analogue front-end whch also performs automatc gan control. IF sgnals at 2.5 MHz are sampled n the data acquston board nstalled n a hgh-end PC. The followng stages of sgnal processng are performed n dedcated software. Amplfed and bandpass fltered RF sgnals are transmtted form the front end to a null-steerng board whch conssts of four sgnal paths, eachncludng a wdeband phase shfter and a voltage controlled attenuator. Values of attenuaton and phase shft are set accordng to spoofng sgnals phase delays estmated n software. Next, the sgnal whch s a sum of four phase shfted component sgnals s provded to a commercal GPS recever, so that the result of spoofng mtgaton may be assessed. Fgure 12. Probablty of true sgnals excson due to null steerng. Fgure 14. Block scheme of the ant-spoofng system. Fgure 13. Probablty that not less than gven number of satelltes are vsble. 5. Concept of the ant-spoofng system In order to verfy the results obtaned from smulatons, a proof-of-concept of the proposed ant-spoofng system s gong to be mplemented. The general concept s presented n Fg. 14. The functons whch are realzed n software are depcted n form of a block dagram n Fg. 15. Frst, four sgnals whch are sampled n DAQ board wth 8.192MHz samplng frequency are wrtten to a long buffer n random access memory. Ths buffer can contan 60 seconds of sgnal and after that perod the oldest data are replaced wth currently acqured samples. The samples from buffer may be wrtten to a fle as a reference sgnal for post-processng. Next, GPS sgnals acquston procedure s realzed based on samples acqured n the frst sgnal path. Acquston functon returns the number of receved sgnals, satellte dentfcaton numbers, coarse carrer Doppler shfts and C/A code phase shfts. These parameters, along wth sgnal samples, are passed to GPS sgnal trackng loop, whch follows the changes of Doppler frequency and phase of C/A code. Carrer phase s also estmated so the coherent carrer replca may be generated locally. 54 Vol. 13, February 2015

Fgure 15. Block scheme of the software part of the system. Carrer phase shfts n the second, thrd and fourth sgnal paths are estmated through multplcaton of samples wth ths replca and C/A code. Next step s the calculaton of phase delays between the sgnals from the frst and the other sgnal paths. After that, dfferences of respectve phase delays are calculated for all of the vsble satelltes. Spoofng detecton procedure s executed basng on these data. If all of the phase delay dfferences are below the threshold, t s decded that multple sgnals arrve from the same drecton, whch means that spoofng s present. In case of spoofng detecton, estmated phase delays are passed to the null-steerng board whch flters out the unwanted sgnals. In addton, software null steerng may be performed usng the same phase delays. The samples of fltered sgnals are stored n a fle for post-processng. Samples of sgnals before and after null-steerng may be fed to a software GPS recever n order to verfy the effectveness of spoofng mtgaton. The presented block dagrams descrbe a new concept whch s currently beng practcally mplemented. 6. Concluson GPS spoofng s a serous threat and, n fact, t s not very dffcult to realze such an attack. It s clear that robust countermeasures, composed of detecton and mtgaton algorthms, are requred. Spatal sgnal processng, whch takes advantage of mult-antenna recepton s one of the most effectve ways of dstngushng between true and fake GPS sgnals. Results of smulatons presented n ths artcle show that comparson of phase delays may be used for GPS spoofng detecton. It provdes low probablty of false alarm and hgh probablty of detecton, unless only four sgnals wth low sgnalto-nose ratos are receved. Addtve whte Gaussan nose was assumed n smulaton as the only nterference wth receved GPS sgnals. Other types of dsturbance, such as narrowband sgnals or selectve fadng are spread durng correlaton and result n rased nose spectral densty. Probablty of detecton n presence of nterference of any type may be estmated f C/N 0 s known. There s a possblty to extend the presented method of spoofng detecton to create a combned detecton and mtgaton soluton. Estmated phase delays of spoofng sgnals may be used to calculate complex weght vector. Ths vector shapes the antenna array pattern n a way that a null s ponted towards source of spoofng sgnal, wthout rejectng true sgnals from satelltes. Ths artcle proves that spatal flterng may be used as a robust way of GPS spoofng mtgaton. Proposed optmzaton of array weghts provdes hgh attenuaton of undesred sgnals. Furthermore, large probablty of at least four useful satellte vsblty s sustaned, unless ther nomnal sgnalto-nose rato s low n recever s locaton. Spatal processng s also benefcal, as t may be Journal of Appled Research and Technology 55

successfully used n combned spoofng detecton and mtgaton soluton. It s also worth mentonng that proposed approach does not requre any addtonal nformaton about the antenna s atttude, snce the reference frame s array-fxed. Durng ths research authors assumed that false sgnals arrve only from one drecton at a tme. Some addtonal nvestgatons should be done to evaluate the performance of proposed methods n a multpath envronment, where replcas of undesred sgnals may arrve from dfferent drectons. References [1] L. C. Chen, Y. C. La, Y. H. Yeh, J. W. Ln, C. N. La, H. C. Weng, Enhanced Mechansms for Navgaton and Trackng Servces n Smart Phones, Journal of Appled Research and Technology, vol. 11, no. 2, pp. 272-283, Aprl 2013. [2] R. Katulsk, J. Magera, J. Stefansk, A. Studanska, Research Study on Recepton of GNSS Sgnals n Presence of Intentonal Interference, Proc. of the 34th Int. Conf. on Telecommuncatons and Sgnal Processng, 2011, pp. 452-456. [3] A. Jafarna-Jahrom, A. Broumandan, J. Nelsen, G. Lachapelle, GPS Vulnerablty to Spoofng Threats and a Revew of Antspoofng Technques, Internatonal Journal of Navgaton and Observaton, vol. 2012, 16 pages, 2012. [4] D. J. Jwo, F. C. Chung, K. L. Yu, GPS/INS Integraton Accuracy Enhancement Usng the Interactng Multple Model Nonlnear Flters, Journal of Appled Research and Technology, vol. 11, no. 4, pp. 496-509, August 2013. [5] M. Psak, B. O'Hanlon, J. Bhatt, D. Shepard, T. Humphreys, "Cvlan GPS Spoofng Detecton based on Dual-Recever Correlaton of Mltary Sgnals", Proc. of ION GNSS, Portland, Oregon, 2011. [6] B. Ledvna, W. Bencze, B. Galusha, I. Mller, "An In- Lne Ant-Spoofng Devce for Legacy Cvl GPS Recevers," Proceedngs of the 2010 Int. Techncal Meetng of The Insttute of Navgaton, San Dego, CA, January 2010, pp. 698-712. [7] B. Ledvna, P. Montgomery, T. Humphreys, A Mult- Antenna Defense: Recever Autonomous GPS Spoofng Detecton, Insde GNSS, vol. March/Aprl 2009, pp. 40-46, 2009. [8] M. Meurer, A. Konovaltsev, M. Cuntz, C. Hättch, "Robust Jont Mult-Antenna Spoofng Detecton and Atttude Estmaton usng Drecton Asssted Multple Hypotheses RAIM," Proc. of the 25th Int. Techncal Meetng of The Satellte Dvson of the Insttute of Navgaton (ION GNSS 2012), Nashvlle, TN, September 2012. [9] G. Kappen, C. Haettch, M. Meurer, "Towards a robust mult-antenna mass market GNSS recever," Proc. of Poston Locaton and Navgaton Symposum (PLANS), 2012 IEEE/ION, vol., no., pp.291-300, 23-26 Aprl 2012. [10] J. Bao-Yen Tsu, Fundamentals of Global Postonng Recevers: A Software Approach, Wley & Sons, 2000, pp. 133-192. 56 Vol. 13, February 2015

[11] Z. Chen, G. Gokeda, Y. Yu, Introducton to Drecton-of-Arrval Estmaton, Artech House, 2010, pp. 33-37, 41-45. [12] A. Brown, B. Mathews, GPS Multpath Mtgaton Usng a Three Dmensonal Phased Array, Proc. of the Int. Techncal Meetng of the Satellte Dvson of The Insttute of Navgaton (ION GNSS 05), Long Beach, CA, 2005, pp. 659-666. [13] M. Sharaw, D. Akos, D. Alo, GPS C/N0 Estmaton n the presence of Interference and Lmted Quantzaton Levels, IEEE Trans. Aerospace and Electronc Systems, vol. 43, No. 1/2007, pp. 227-238. [14] E. Falett, M. Pn, L. Lo Prest, Low Complexty Carrer-to-Nose Rato Estmators for GNSS Dgtal Recevers, IEEE Trans. Aerospace and Electronc Systems, vol. 47, No. 1/2011, pp. 420-437. [15] Vulnerablty assessment of the transportaton nfrastructure relyng on the Global Postonng System, JohnA.Volpe Natonal Trasportaton Systems Center, 2001. [16] M. L, A. G. Dempster, A.T. Balae, C. Rzos and F. Wang, "Swtchable beam steerng/null steerng algorthm for CW nterference mtgaton n GPS C/A code recevers.", Aerospace and Electronc Systems, IEEE Transactons on, vol.47, no.3, pp.1564-1579, July 2011. Journal of Appled Research and Technology 57