2.1. Doppler positioning in GNSS

The Doppler positioning technique was first applied in Transit, the first-generation GNSS (Guier and Weiffenbach, Reference Guier and Weiffenbach1960). The Doppler measurement used in the system is known as integrated Doppler, since it should be integrated over a period of time. However, the second-generation GNSS, the Global Positioning System (GPS), exploits pseudorange measurements instead of Doppler to determine a position. The term “traditional positioning method” refers to the pseudorange measurements-based positioning method in this paper. It has a better positioning accuracy and better generality of dynamics compared with the Doppler positioning technique. Recently, researchers have modified the Doppler method to be reapplied in GNSS to improve robustness (Lehtinen, Reference Lehtinen2002; Othieno, Reference Othieno2012), accuracy (Chen et al., Reference Chen, Wang, Chiang and Chang2014; Li et al., Reference Li, Zhong and Zhao2011; Wang and Xu, Reference Wang and Xu2011), and positioning speed (Jing et al., Reference Jing, Xu, Yong and Sun2015) of the system. The difference between the Doppler positioning done by Transit and that used by more modern GNSSs is that the former positioning method utilises one satellite's Doppler information at different times, while the latter utilises the Doppler shifts of different satellites at the same time.

The principle of Doppler positioning in a modern GNSS is that the measured pseudorange rates are theoretically quite close to the estimated pseudorange rates (Lehtinen, Reference Lehtinen2002). The pseudorange rate is defined as the change of the pseudorange from satellite to receiver within a unit of time. To determine the measured pseudorange rates, carrier Doppler shifts need to be extracted from carrier tracking loops; to calculate the estimated pseudorange rates, satellite positions/velocities and an estimated initial receiver's position/velocity (usually set to zero) are needed. Then, an iterative least squares method can update the estimated receiver's position/velocity by making the residuals of the measured pseudorange rates and the estimated ones sufficiently small. When the estimated position is equal to the actual position of the receiver, in an ideal situation, residuals converge to zero. For the detailed mathematical model of GNSS based Doppler positioning, readers can refer to Equations (1) to (9) of our previous paper (Chu et al., Reference Chu, Li, Wen, Wu and Lu2017).

The architecture of a Doppler positioning-based receiver is illustrated in Figure 1. As shown in the block diagram, Doppler measurements and satellite positions and velocities are the inputs of a Doppler positioning algorithm. Unlike the traditional positioning method, the Doppler positioning method cannot offer local time information. On the plus side, the demodulation module can be simplified provided that an ephemeris with the current time is accessible from other sources (for example, internet or cellular network), and this is known as assisted GNSS (Othieno, Reference Othieno2012). Figure 1 indicates that a Doppler-based receiver or a dual-function (Doppler and traditional methods-based) receiver could be easily achieved by simply modifying the software level of a traditional receiver, because the acquisition, tracking, and demodulation modules of a Doppler-based receiver are almost the same as the traditional ones, and only the positioning algorithm module is different. Therefore, a Doppler-based receiver could be achieved by simple transformation of an off-the-shelf product.

Figure 1. The architecture of a Doppler positioning-based receiver.

2.2. Consistency check approach

A spoofing detection method based on a consistency check of the Doppler positioning fixes and the traditional ones was proposed in our earlier work (Chu et al., Reference Chu, Li, Wen, Wu and Lu2017). The viability of the method lies in the fact that an actual spoofer will find it exceptionally difficult to coordinate the pseudorange measurements and the Doppler ones so that a victim receiver derives the spoofed position by the two methods at the same location. By checking the consistency of the Doppler positioning fixes and the traditional ones, a receiver could detect spoofing threats.

Figure 2 illustrates the consistency check scheme in a modified dual-function receiver. In non-spoofing scenarios, only authentic GNSS signals are received and hence pseudoranges and Doppler shifts are consistent. Therefore, position fix 1 and position fix 2 would be theoretically the same. Then the consistency check module would normally output the position fix 1 as the reported receiver's position for its higher accuracy compared with position fix 2. However, the two kinds of measurements are probably no longer consistent with the presence of spoofing attacks. Thus, a false position fix 1 is likely to be distant from a false position fix 2. In this case, the consistency check module would detect such an abnormality and alarm the user that spoofing has been detected.

Figure 2. The consistency check approach based on a dual-function receiver.

The feasibility of the spoofing detection method has been validated by replay spoofing tests on both software-defined and hardware-based receivers (Chu et al., Reference Chu, Li, Wen, Wu and Lu2017). However, a detailed model for a real consistency check module and a theoretical performance evaluation for such a detection method are still to be completed. In the next section, a GLRT-based statistical detection model is employed to achieve this.

3.1. GLRT-based statistical detection model

An intuitive test metric of a detection model is the Euclidean distance between the Doppler positioning fixes and the traditional ones which is formulated as:

(1)$$s=\vert {\bf s}^d-{\bf s}^t\vert$$

where s is the Euclidean distance between the Doppler and the traditional positioning fixes, s^d is the Doppler positioning result vector, s^t is the traditional positioning result vector and |•| is the two-norm for the vector.

The test model is formulated as:

(2)$$\eqalign{{\rm {\cal H}}_0:s[k] & = n[k],k = 0,1, \cdots ,N - 1 \cr {\rm {\cal H}}_1:s[k] &= d + n[k],k = 0,1, \cdots ,N - 1}$$

where ${\rm {\cal H}}_{0}$ is the hypothesis on the absence of spoofing signals, ${\rm {\cal H}}_{1}$ is the hypothesis on the existence of spoofing signals, s[k] is the distance between the Doppler and the traditional positioning fixes at the sampled time k, N is the total number of test points, d is the spoofing-caused distance which is non-negative and n[k] is assumed to be Additive White Gaussian Noise (AGWN), that is, $n\lsqb k\rsqb \sim {\rm {\cal N}}\lpar \mu\comma \; \sigma^{2}\rpar $.

Three noteworthy points need to be declared for the test model. First, positioning fixes s^d and s^t are normally considered as Gaussian distributed variables. So, the strict assumption for n[k], as the two-norm of the Gaussian distribution, should be a Rayleigh distribution in normal situations and a Rice distribution under spoofing (Simon, Reference Simon2006). However, in practice, this noise is caused by many factors which could be approximated as Gaussian noise. The rationality of this approximation will be verified in the simulation in Section 3.3. Secondly, μ denotes the distance between the Doppler and the traditional positioning fixes in a non-spoofing scenario, which is regarded as prior information in this paper. Thirdly, premised on a short total test time, d could be regarded as constant during testing.

Based on the Neyman-Pearson (NP) lemma and generalised likelihood ratio criterion, when GLRT L _G(bf s) satisfies:

(3)$$L_G({\bi s}) = \displaystyle{{p({\bi s};\hat d,\hat \sigma _1^2 ,{\rm {\cal H}}_1)} \over {p({\bi s};\hat \sigma _0^2 ,{\rm {\cal H}}_0)}} > \gamma$$

the hypothesis ${\rm {\cal H}}_{1}$ is accepted, where $p\lpar {\bf s}\semicolon \; {\rm {\cal H}}_{i}\rpar $ is the Probability Density Function (PDF) of data vector s under the hypothesis ${\rm {\cal H}}_{i}$, d̂ is the Maximum Likelihood Estimate (MLE) of d under ${\rm {\cal H}}_{1}$, $\hat{\sigma}_{i}^{2}$ is the MLE of σ² under ${\rm {\cal H}}_{i}$ and γ is the threshold for the test.

The MLEs of d̂ and $\hat{\sigma}_{i}^{2}$ are solved and applied to the inequality Equation (3). After identical transformation, the explicit form of the new test statistic T(s) can be obtained as:

(4)$$T({\bi s}) = (N - 1)\cdot \displaystyle{{{\left( {\displaystyle{{\sum\nolimits_{i = 0}^{N - 1} {s[i]} } \over N} - \mu } \right)}^2} \over {\displaystyle{{{\sum\nolimits_{k = 0}^{N - 1} {\left( {s[k] - \displaystyle{{\sum\nolimits_{i = 0}^{N - 1} {s[i]} } \over N}} \right)} }^2} \over N}}} > {\gamma }^{\prime}$$

where μ is the distance between the Doppler and the traditional positioning fixes in a non-spoofing scenario.

Thus the receiver would believe that spoofing attacks exist when the test statistic T(s) is larger than the threshold γ′. According to Kay (Reference Kay1998), T(s) conforms to an F-distribution:

(5)$$\eqalign{& {\rm {\cal H}}_0:T({\bi s})\sim F_{1,\,N - 1} \cr & {\rm {\cal H}}_1:T({\bi s})\sim{F^{\prime}}_{1,\,N - 1}(\lambda )}$$

where λ = Nd ²/σ ² is the non-central parameter.

False alarm probability P _FA is determined by:

(6)$$P_{FA} = \vint_{T({\bi s}) > {\gamma }^{\prime}} p ({\bi s};{\rm {\cal H}}_0)d{\bi s}$$

With Equations (5) and (6), γ′ then can be expressed explicitly as:

(7)$${\gamma }^{\prime} = Q_{F_{1,\;N - 1}}^{ - 1} (P_{FA})$$

where Q(·) is the right tail probability function. The benefit of the GLRT method is that the threshold γ ′ can be easily pre-calculated with only the knowledge of the false alarm probability P _FA and the test points N. This feature guarantees the practicability and brevity of the proposed detection method.

Furthermore, the detection probability P _D is defined as:

(8)$$P_D = \vint_{T({\bi s}) > {\gamma }^{\prime}} {p({\bi s};{\rm {\cal H}}_1)} d{\bi s}$$

which can be derived as a function of P _FA by:

(9)$$P_D = Q_{{{F}^{\prime}}_{1,\;N - 1}(\lambda )}(Q_{F_{1,\;N - 1}}^{ - 1} (P_{FA}))$$

From Equation (9), we can draw the theoretical curves of Receiver Operating Characteristics (ROC) and evaluate the theoretical performance of the detection model.

3.2. Theoretical performance analysis of GLRT-based statistical detection model

A theoretical simulation based on the proposed detection model was conducted to visualise the performance. Figure 3 shows the theoretical ROC. Parameter settings are shown within Figure 3: N is the total number of test points; σ is the standard deviation of the distance between the traditional and Doppler positioning fixes and d is the spoofing-caused distance between these two methods. The parameter σ is set to 100 metres. This is because simulations and experiments in Figures 8, 10 and 14 demonstrate that σ is mainly determined by Doppler positioning accuracy and after the Doppler smoothing technique, the standard deviation of Doppler positioning results can be improved by up to 100 metres. Therefore, the parameter σ is set to a 100 metre scale.

Figure 3. Theoretical receiver operating characteristic curves.

As can be seen, the detection probability of the proposed spoofing detection method can reach to close to 0.9, given that the false alarm probability is 0.1. This implies that, in theory, a typical dual-function receiver could reliably detect a spoofing in this particular scenario.

The effects of the standard deviation and the spoofing-caused distance d on the spoofing detection performance are demonstrated in Figure 4. On one hand, for a certain standard deviation, the spoofing is more likely to be detected when the distance between two positioning methods is great. On the other hand, if the spoofing-caused distance is fixed in a certain spoofing scenario, the dual-function receiver with a smaller σ can perform better in a spoofing detection test. The standard deviation σ is related to the positioning accuracy of the traditional and the Doppler positioning methods. Considering that the Doppler positioning method generally has a worse positioning accuracy, usually deviated from hundreds of metres to thousands of metres, the standard deviation of Doppler positioning fixes is the dominant factor of the parameter σ. Therefore, a higher positioning accuracy of the Doppler method means a better detection performance. This conclusion will be further verified in the next simulation. Meanwhile, a higher positioning accuracy of the Doppler method leads to concerns about a Doppler smoothing technique.

Figure 4. The theoretical effects of the standard deviation σ and the spoofing-caused distance d on the spoofing detection performance (P _FA = 0.01, N = 10).

3.3. Simulated performance analysis of GLRT-based statistical detection model

To validate the GLRT-based statistical detection model in Section 3.1 and the theoretical performance figure mentioned in Section 3.2, a 1,000 repetition Monte Carlo simulation was conducted. We generated Gaussian distributed positioning fixes with σ_d for the Doppler positioning method and with σ_t for the traditional positioning method. We suggest that the standard deviation σ mainly depends on σ_d instead of σ_t. Figure 5 proves this inference. Here the standard deviation σ of the theory curve is 200 metres (that is, σ = 200). In the simulation, the Doppler positioning standard deviation is set to 200 metres (σ _d = 200), while the traditional positioning standard deviations are set to 1, 5 and 10 metres, respectively. As Figure 5 shows, the traditional positioning standard deviation barely affects the detection performance and the standard deviation σ can be approximated by Doppler positioning accuracy σ_d. In the next simulations, σ_t is set to 10 metres by default and simulated σ represents the Doppler positioning standard deviation.

Figure 5. The simulated effects of the traditional positioning standard deviation σ _t on the spoofing detection performance (P _FA = 0.01, N = 10, σ _d = 200).

In this simulation, three parameters which influence the detection performance are specifically considered: test point number N, spoofing-caused distance d and positioning standard deviation σ. Simulated results of the ROC are shown in Figure 6, where the step is 0.01. We can draw two conclusions from the results. One is that the simulated ROC curve generally fits the theory, which validates that the proposed GLRT-based statistical detection model generally applies to actual situations and the Gaussian noise assumption is reasonable. The other is that the simulated ROC curve is worse than the theoretical curve especially when the ROC curve moves to the diagonal, which means that there is performance regression in the simulation and it becomes worse in harsh detection environments. Additionally, Figure 6 shows that a better detection performance depends on larger test point number N, more significant spoofing caused distance d and smaller positioning standard deviation σ.

Figure 6. Simulated ROC under three varying parameters.

In practice, the false alarm probability P _FA and test point number N are usually pre-set. Considering detection performance and time cost, P _FA is set to 0.01 and N is 10. Under these settings, Figure 7 shows how the Doppler positioning standard deviation and the spoofing-caused distance determine the spoofing detection performance in detail. In practical circumstances, defenders cannot control the spoofing-caused distance; so, decreasing the Doppler positioning standard deviation is an important approach in improving the detection performance.

Figure 7. The simulated effects of the standard deviation σ and the spoofing-caused distance d on the spoofing detection performance (P _FA = 0.01, N = 10).

5.1. Spoofing detection on dual-function software defined GNSS receiver

By applying the test statistic in Equation (4) and the derived threshold in Equation (7), a practical and effective consistency check module of the dual-function software-defined GNSS receiver can be realised. Meanwhile, the Doppler smoothing technique is also applied. In order to test the performance of the proposed detection model, a replay spoofing is presented. Briefly speaking, replay spoofing attacks a GNSS receiver by retransmitting delayed GNSS signals. These counterfeit signals would mislead the victim receiver to derive fake transmitting times, calculating false pseudoranges, and finally reporting deviated positions. Such a spoofing technique is common due to its simplicity and effectiveness.

This simulation is based on real GPS Coarse/Acquisition (C/A) code signals on the L1 frequency, which were recorded by a Data Acquisition Card (DAC) with a down converter at 19:35 in Tsinghua University, Beijing on 11 December 2016. The Intermediate carrier Frequency (IF) of the signal was at 46.42 MHz and the sampling rate was 62 MHz. Five available GPS satellite signals were used in positioning. The constellation is plotted in Figure 9 and the experimental environment of the replay-spoofing test is listed in Table 3. As shown in the table, the PRN 3 signal is delayed by 2 μs from the tenth second, which is a typical part-channel spoofing scenario. For various spoofing scenarios to verify the difference of the positioning fixes between Doppler and traditional method, readers can refer to our previous work (Figures 8, 10 and 11, in Chu et al., Reference Chu, Li, Wen, Wu and Lu2017).

Figure 9. Distribution of used satellites in view.

Figure 10. Positioning fixes by Doppler method and traditional method under replay spoofing test (“doppPos” refers to Doppler positioning fixes; “tradPos” refers to traditional positioning fixes).

Figure 11. Distance between Doppler positioning fixes and Traditional fixes under replay spoofing test.

Table 3. Parameters in the replay spoofing test.

Positioning results of both methods are shown in Figure 10 and the distances are shown in Figure 11. From the beginning, the Doppler positioning fixes are consistent with the traditional ones, despite their lower accuracies. At the onset of a replay attack, the traditional positioning fixes are spoofed hundreds of metres away from the authentic position. Doppler positioning fixes are also spoofed but are still near the genuine position. This phenomenon has been modelled and analysed in our earlier work (Chu et al., Reference Chu, Li, Wen, Wu and Lu2017). In fact, due to the small distance between the spoofer and the victim receiver and the stability of Doppler over a short period, the replayed signal of PRN 3 has almost the same Doppler as the authentic one. Therefore, the Doppler positioning results with spoofing are almost identical to the ones without spoofing influence in this case. From Figure 11, it is clear that the distance jumps at the 100th positioning time, namely the tenth second, which is the start of the spoofing.

Figure 12 shows the GLRT-based detection results of the dual-function software-defined receiver. Test statistics are lower than the threshold before spoofing and higher than the threshold after spoofing. The proposed test statistic and threshold are functioning well, thus validating the effectiveness of the GLRT-based statistical detection model on a software-defined receiver.

Figure 12. Detection results of the software-defined receiver.

5.2. Field test of spoofing detection on dual-function real-time GNSS receiver

Experiments based on a dual-function real-time GNSS receiver were conducted. The Doppler positioning and the traditional method were both available in the receiver. The basic functions of the receiver are described in Chu et al. (Reference Chu, Li, Wen, Wu and Lu2017). As an extension, the modified α -filter-based Doppler smoothing technique was applied in the real-time receiver. Meanwhile, the statistical detection model was also employed for the receiver.

The flow chart of the field test is illustrated in Figure 13. The inherent processing delay of the spoofer was approximately 800 ns to 1,000 ns and the RF module error of the spoofer was around 200 Hz. The antennae of the spoofer and the receiver were both static at Tsinghua University and the distance between them was around 30 metres. In spoofing scenarios, the authentic Radio Frequency (RF) GNSS signals were received by the spoofer's receiving antenna, and then down- converted to IF signals. The IF signals were delayed by the spoofer's processor and then up-converted to RF signals. After power adjustment, the RF false signals were propagated toward a victim receiver via the transmitting antenna of the spoofer. In such a condition, the victim receiver would simultaneously receive both authentic GNSS and spoofing signals and capture the GNSS signals with higher powers. For different satellites, the power of the authentic signals varies, while the power of the false signals was the same when all counterfeit signals were transmitted via one antenna. Owing to a reasonable power of spoofing signals by power adjustment, a part-channel spoofing scenario was likely to happen.

Figure 13. The field test procedure.

Field tests were conducted in two scenarios. In field test 1, the RF error of the spoofer (which was around 200 Hz) was not calibrated; in field test 2, the RF error of the spoofer was calibrated to within 1 Hz. The detailed experimental environments of field tests 1 and 2 are provided in Tables 4 and 5, respectively. As suggested, they are both typical part-channel spoofing scenarios and the replaying delays are around 10 μs in total (inherent delay plus controllable delay). The parameters of the detector are set as follows: the number of test points is ten and the false alarm probability is 0.01. The distribution of used satellites in view can be seen from the Graphical User Interface (GUI) of the real-time receiver in Figures 14 and 16, respectively.

Figure 14. Positioning results of the real-time receiver (field test 1).

Figure 15. Detection results of the real-time receiver (field test 1).

Figure 16. Positioning results of the real-time receiver (field test 2).

Table 4. Environment for field test 1.

Table 5. Environment for field test 2.

Experimental results of field test 1 are shown in Figures 14 and 15. Figure 14 shows the positioning results of the two methods. In the non-spoofing scenario, the real-time distance between the Doppler positioning and the traditional fixes is under 300 metres, and they are both around the true reference position. However, under the spoofing scenario, the target receiver re-captures the four satellites' signals among which PRN 5 and 13 are successfully controlled by the spoofer. As scene 2 of Figure 14 shows, the positions of traditional methods are reasonably spoofed away by around several kilometres under a 10 μs delay, while the spoofed Doppler positioning results are deviated by hundreds of kilometres. This is because the RF module error of the spoofer is around 200 Hz, which leads to false Doppler shifts of PRN 5 and 13. Thus by adopting these false Doppler shifts, the Doppler positioning fixes are dramatically changed.

Figure 15 demonstrates the detection results. In the non-spoofing scenario, the Test Statistic shown in scene 1 of Figure 15 is below the threshold during all six tests. Then, in the presence of a spoofing signal, the Test Statistic is remarkably above the threshold at every test time as shown in scene 2 of Figure 15. Compared with Figure 12 and Figure 17, this actual part-channel spoofing attack results in more significant changes of the test statistic because of the spoofer's RF error.

Figure 17. Detection results of the real-time receiver (field test 2).

Experimental results of field test 2 (the RF error-calibrated test) are shown in Figures 16 and 17. Figure 16 shows the positioning results of the two methods. In the non-spoofing scenario, they are both around the true reference position, while they are inconsistent under the spoofing scenario. The traditional positioning fixes are spoofed around 14 kilometres away from the authentic position. Doppler positioning fixes are also spoofed but still near the genuine position. This is because the RF error of the spoofer is calibrated and Doppler shifts changed little during the short time delay, so the replayed signals have almost the same Doppler shifts as the authentic ones. Therefore, the Doppler positioning results are still near the authentic position in this case. Figure 17 demonstrates the detection results. In the non-spoofing scenario, the Test Statistic is below the threshold as shown in scene 1 of Figure 17 and above the threshold under the spoofing scenario as shown in scene 2 of Figure 17. All in all, the feasibility and effectiveness of the statistical detection model for a real-time receiver are validated through field tests 1 and 2.