3.1. Specific analysis of non-spoofed case and spoofed case

The single-difference carrier phase model for the non-spoofed case is:

(1)$$\eqalign{\Delta \varphi _{BA}^{j} &=\varphi _B^j -\varphi _A^j \cr &=-\lambda ^{-1}(\vec{r}^{j})^TA\vec{b}_{BA} +\Delta N_{BA}^j+n_{{mul\_BA}}^j +n_{{ther\_BA}}^j}$$

where φ_B^j and φ_A^j respectively represent the beat carrier phases of the signal from satellite j received by Antenna A and Antenna B. The single-difference carrier phase is denoted as Δφ_BA^j, the nominal carrier wavelength is λ, the transfer matrix from body coordinates to reference coordinates is A ($\vec{r}^{j}$ is defined in the reference coordinates and $\vec{b}_{BA}$ is defined in the local antenna body coordinates), the single-difference integer ambiguity term is ΔN _BA^j, the single-difference multipath noise term is $n_{{mul\_BA}}^{j}$ (zero-mean Gaussian noise, standard deviation is σ_mul) and the single-difference thermal noise term is $n_{{ther\_BA}}^{j}$ (zero-mean Gaussian noise, standard deviation is σ_ther).

The receiver thermal noise standard deviation σ_t can be estimated according to the following formula (Betz, Reference Betz2000).

(2)$$\sigma_t = \displaystyle{1 \over 2\pi} \sqrt{\displaystyle{B_L \over C/N_0} \left[1+ \displaystyle{1 \over 2T_{{\rm coh}} C/N_0} \right]}$$

where B _L is the noise bandwidth of the phase-lock loop. As B _L decreases, the filtering effect gets better, and the performance of tracking high dynamic signals gets worse. That is to say, the value of B _L cannot be extremely high or extremely low. As for an on board user, the reasonable range of B _L is 1 Hz ~25 Hz. In this paper, B _L=20 Hz is taken as an average example. σ_t denotes the standard deviation of receiver thermal noise from φ_B^j (or φ_A^j) and σ_ther refers to the standard deviation of the single-difference thermal noise term $n_{ther\_BA}^{j}$ from (φ_B^j−φ_A^j). According to signal processing theory, σ_ther is $\sqrt{2}$ times as much as σ_t in the single-difference process. When the received carrier-to-noise ratio for each branch of signals is 35 dB-Hz, and T _coh=1 ms is the integration time, we can get $\sigma_{ther} = \sqrt{2} \sigma_{t} \approx 0{\cdot}0193\hbox{(cycles)}$. The single-difference multipath error standard deviation is σ_mul=0·33(rad)≈0·0525(cycles) (Psiaki et al., Reference Psiaki, O'Hanlon, Powel, Wesson and Humphreys2014). The multipath sigma formula is simplified in order to simulate an average multipath environment. Considering the flexibility of multipath signals, such as in complex urban conditions, further research is needed to improve the model.

The double-difference carrier phase in the non-spoofed case can be expressed as:

(3)$$\eqalign{\Delta \varphi _{BA}^{ij} &=\Delta \varphi _{BA}^i -\Delta \varphi _{BA}^j \cr &=-\lambda ^{-1}(\vec{r}^i-\vec{r}^{j})^TA\vec{b}_{BA}+(\Delta N_{BA}^i -\Delta N_{BA}^j ) \cr &\quad +(n_{{mul\_BA}}^i -n_{{mul\_BA}}^j )+(n_{{ther\_BA}}^i-n_{{ther\_BA}}^j)\cr &=-\lambda ^{-1}(\vec{r}^i-\vec{r}^{j})^TA\vec{b}_{BA} +\Delta N_{BA}^{ij} +n_{{mul\_BA}}^{ij} +n_{{ther\_BA}}^{ij}}$$

where Δφ_BA^ij denotes the double-difference carrier phase, ΔN _BA^ij is the double-difference integer-ambiguity term, $n_{{mul\_BA}}^{ij}$ (zero-mean Gaussian noise, standard deviation is $\sqrt 2 \sigma_{mul})$ is the double-difference multipath noise term and $n_{{ther\_BA}}^{ij}$ (zero-mean Gaussian noise, standard deviation is $\sqrt 2 \sigma_{ther})$ the double-difference thermal noise term. σ_mul represents the standard deviation of $n_{{ther\_BA}}^{i}$, and $n_{{ther\_BA}}^{ij}$ equals $(n_{{ther\_BA}}^{i} -n_{{ther\_BA}}^{j})$. Obviously, the standard deviation of $n_{{ther\_BA}}^{ij}$ is $\sqrt{2} \sigma_{ther}$, according to signal processing theory. Similarly, the standard deviation of $n_{{mul\_BA}}^{ij}$ is $\sqrt 2 \sigma_{mul}$.

The single-difference carrier phase model in the spoofed case can be expressed as:

(4)$$\eqalign{\Delta \varphi _{BA}^j&=\varphi _B^j -\varphi _A^j \cr &=-\lambda ^{-1}(\vec{r}^{sp})^TA\vec{b}_{BA} +\Delta N_{BA}^j+n_{mul\_BA} +n_{{ther\_BA}}^j}$$

where $n_{mul\_BA}$ represents the single-difference multipath noise term. As all the false signals have the same propagation, all the spoofing signals have the same multipath noise term and the same single-difference multipath noise term.

The double-difference carrier phase in the spoofed case is:

(5)$$\eqalign{\Delta \varphi_{BA}^{ij}&=\Delta \varphi _{BA}^i -\Delta \varphi _{BA}^j \cr &=(\Delta N_{BA}^i -\Delta N_{BA}^j )+(n_{{ther\_BA}}^i -n_{{ther\_BA}}^j)\cr &=\Delta N_{BA}^{ij} +n_{{ther\_BA}}^{ij}}$$

In Equation (5), the double-difference carrier phase in the spoofed case only includes the double-difference integer-ambiguity term and the single-difference thermal noise term, since the $-\lambda ^{-1}(\vec{r}^{sp})^{T}A\vec{b}_{BA}$ term and the $n_{mul\_BA}$ term are eliminated through double difference. If ΔN _BA^ij can be removed, Δφ_BA^ij should only include $n_{ther\_BA}^{ij}$.

3.2. Algorithm to obtain the fraction parts of double-difference carrier phase

In order to obtain Δφ_BA^ij, $\vec{r}^{j}$, A and ΔN _BA^ij must be known accurately. However, there is much difficulty in doing so. Here, a practical way is proposed to obtain Δφ_BA^ij while $\vec{r}^{j}$, A, and ΔN _BA^ij can be ignored.

(6)$$\eqalign{\phi _{BA}^{ij} &=\Delta \varphi _{BA}^{ij} -{\lt }\Delta \varphi_{BA}^{ij}{\gt}\cr & = f(\Delta \phi _{BA}^{ij})}$$

where <Δφ_BA^ij> means taking the Rounding Numbers (omitting decimal fractions smaller than 0·5 and counting all others) of Δφ_BA^ij; φ_BA^ij ranging from −0·5 cycles to 0·5 cycles denotes the normalised result of Δφ_BA^ij. f(x)=x−<x> is a user-defined function.

For example, Δφ_BA^ij

$$-1{\cdot}22, 0{\cdot}51, 3{\cdot}42, 5$$

After normalisation, ϕ_BA^ij

$$-0{\cdot}22, -0{\cdot}49, 0{\cdot}42, 0$$

In the spoofed case, the normalised result is equivalent to that of eliminating the double-difference integer-ambiguity term ΔN _BA^ij. In the non-spoofed case, $-\lambda^{-1} (\vec{r}^{i} - \vec{r}^{j})^{T} A \vec{b}_{BA}$ will not always be an integer, so ϕ_BA^ij will not always be close to a value of zero, which is different from that in the spoofed case.

4.1. Spoofing detection hypothesis test for decision scheme

Through the normalisation mentioned above, ϕ_BA^ij is obtained which ranges from −0.5 cycles to 0.5 cycles. In the spoofed case, $\phi_{BA\_sp}^{ij}$ (referring to ϕ_BA^ij, in the spoofed case) is approximately equal to $n_{ther\_BA}^{ij}$ (zero-mean Gaussian noise, standard deviation is $\sqrt{2} \sigma_{ther})$.

(7)$$\phi _{BA\_sp}^{ij} =f(n_{{ther\_BA}}^{ij} )\approx n_{{ther\_BA}}^{ij} ,\sigma_{sp} =\sqrt 2 \sigma_{ther}$$

In the non-spoofed case, a new parameter γ^ij is introduced, which ranges from −0·5 cycles to 0·5 cycles.

(8)$$-\lambda ^{-1}(\vec{r}^i-\vec{r}^{j})^{TA} \vec{b}_{BA} =N^{ij}+\gamma ^{ij}$$

Then $\Delta \varphi_{BA\_au}^{ij}$ is obtained as follows:

(9)$$\Delta \varphi _{BA\_au}^{ij} =N^{ij}+\Delta N_{BA}^{ij} +\gamma ^{ij}+n_{{mul\_BA}}^{ij} +n_{{ther\_BA}}^{ij}$$

Then we can get $\phi _{BA\_au}^{ij}$ as:

(10)$$\phi _{BA\_au}^{ij} = f(\Delta \varphi_{BA\_au}^{ij} ) = f(\gamma^{ij} + n_{mul\_BA}^{ij} + n_{ther\_BA}^{ij}), \sigma_{au} = \sqrt{2\sigma_{mul}^2 + 2\sigma_{ther}^2}$$

Herein, a detection test is designed to discriminate between the following two hypotheses. Under the hypothesis H ₀, spoofing is absent and under the hypothesis H ₁, spoofing is present.

(11)$$\left\{\matrix{H_0 : p(z\vert H_0), \hbox{spoofing is absent} \hfill \cr H_1 : p(z\vert H_1), \hbox{spoofing is present}\hfill} \right.$$

where z refers to ϕ_BA^ij and m refers to γ^ij. A generalised likelihood ratio test can be designed. Let T _h be the threshold. When |z| is less than T _h, H ₀ is trustworthy and when |z| is no less than T _h, H ₁ is trustworthy.

As for the non-spoofed case, $(\gamma ^{ij}+n_{{mul\_BA}}^{ij} +n_{{ther\_BA}}^{ij})$ obeys a Gaussian distribution with the mean m, shown in Equation (12).

(12)$$\left\{\matrix{x = m+n_{{mul\_BA}}^{ij} +n_{{ther\_BA}}^{ij}\hfill \cr p(x)= \displaystyle{1 \over \sqrt{2\pi } \sigma_{au}} \exp \left({- \displaystyle{(x-m)^2 \over 2\sigma_{au}^2}} \right)\hfill} \right.$$

Based on the normalised mechanism discussed above, we can get the possible values of x, as shown in Equation (13).

(13)$$z=f(x)=f(N+z),N=\cdots , -2, -1, 0, 1, 2, \cdots$$

As z ranges from −0·5 cycles to 0·5 cycles, p(N+z) is far less than min (p(z), p(1+z), p(−1+z)), when N is bigger than 1, according to Equation (12). Through approximate processing, we can get the following expression:

(14)$$p(z\vert H_0 ) =\sum_{N=-\infty }^\infty {p(N+z)} \approx p(z)+p(1+z)+p(-1+z)$$

Combining Equations (12) and (13), we can obtain p(z|H ₀), as shown in Equation (14).

(15)$$p(z\vert H_0) \approx \displaystyle{1 \over \sqrt{2\pi} \sigma_{au}}\left\{\matrix{\exp \left(-\displaystyle{(z-m)^2 \over 2\sigma_{au}^2} \right) + \exp \left(- \displaystyle{(1+z-m)^2 \over 2\sigma_{au}^2} \right)\hfill \cr + \,\exp \left(- \displaystyle{(-1+z-m)^2 \over 2\sigma_{au}^2} \right)\hfill} \right\}$$

According to Equation (15), the false alarm probability P _fam can be expressed as:

(16)$$\eqalign{P_{fam} &=\int_{-T_h}^{T_h} {p(z\vert H_0)} dz \cr & \approx \displaystyle{1 \over 2}\left[\matrix{erf\left(\displaystyle{m + T_h \over \sqrt 2 \sigma_{au}} \right) - erf\left(\displaystyle{m - T_h \over \sqrt 2 \sigma_{au}} \right) + erf \left(\displaystyle{1 + T_h - m \over \sqrt 2 \sigma_{au}} \right)\hfill \cr -erf\left(\displaystyle{1-T_h -m \over \sqrt 2 \sigma_{au}} \right) + erf\left(\displaystyle{1 + T_h + m \over \sqrt 2 \sigma_{au}} \right) - erf \left(\displaystyle{1 - T_h + m \over \sqrt 2 \sigma_{au}} \right)\hfill} \right]}$$

In the spoofed case, it is easy to get the following expression according to Equation (7)

(17)$$p(z\vert H_1) = \displaystyle{1 \over \sqrt{2\pi} \sigma_{sp}} \exp \left(-\displaystyle{z^2 \over 2\sigma_{sp}^2} \right)$$

Then the detection probability is

(18)$$P_d = \int_{-T_h}^{T_h} p(z\vert H_1) dz = 2 \int_0^{T_h} p(z\vert H_1) dz = erf \left(\displaystyle{T_h \over \sqrt{2} \sigma_{sp}} \right)$$

Herein, the variation tendency of P _fam with the rise of T _h leads to different values of |m| as shown in Figure 4.

Figure 4. Probability of false alarm for different | m| values.

Figure 4 shows that when |m| is constant, the false alarm probability P _fam increases as the threshold T _h rises; when T _h is constant, P _fam decreases as | m| rises. Therefore, in order to make P _fam lower, the threshold must be lowered since it is infeasible to raise |m|. However, γ^ij can hardly be known in advance but it varies with time. The larger |m| is, the better the performance of spoofing detection will be (see Figure 5). If | m| is unknown, it is impossible to obtain P _fam. Accordingly, suppose that γ^ij obeys a uniform distribution ranging from −0·5 cycles to 0·5 cycles. The new definition of false alarm probability P _fa can be defined as:

Figure 5. ROC curves for different | m| values.

(19)$$P_{fa} = \displaystyle{1 \over Q} \sum_{k=1}^Q P_{fam} \left(z \left\vert \gamma^{ij} = \displaystyle{k \over Q} -0{\cdot}5 \right. \right)$$

The detailed derivation process is as follows. According to the theorem of total probability,

(20)$$P(B) = \sum\limits_{k=1}^Q {P(B\vert A_k)} P(A_k )$$

where P(B) refers to P _fa, A _k refers to $\gamma ^{ij}= \displaystyle{k \over Q}\ {-}0{\cdot}5$ and $P(A_{k} )= \displaystyle{1 \over Q}$. Thus, the detailed derivation process is expressed as:

(21)$$\eqalign{P_{fa} &=P(B) \cr &=\sum\limits_{k=1}^Q {P(B\vert A_k)} P(A_k ) \cr &= \displaystyle{1 \over Q}\sum\limits_{k=1}^Q {P(B\vert A_k )} \cr &= \displaystyle{1 \over Q}\sum\limits_{k=1}^Q {P_{fam} \left( {z\left\vert {\gamma^{ij}= \displaystyle{k \over Q}-0{\cdot}5} \right.} \right)}}$$

At this point, we obtain the calculation method of P _fa, which is a significant step for spoofing detection.

4.2. M of N algorithm for decision scheme

When there is a single set of double-difference carrier phase observations available, the threshold is set as T _h. In this case, the decision scheme for spoofing detection will work, as shown in Figure 6. When ϕ_BA^ij is less than T _h, it gives a warning that spoofing is present.

Figure 6. Flow chart of decision scheme with one single set of double-difference carrier phase.

According to Equation (21), Q should be large enough to make P _fa close to the real value. Here Q is set as 10,000, and then an ROC curve connecting (P _fa, P _d) pairs for different thresholds T _h can be obtained, as shown in Figure 7. For example, if P _d=99·99%, then T _h=0.106 (cycles) and P _fa=21·19%, which indicates that the false alarm probability is high. If so, a multi-set of double-difference carrier phase observations should be taken into account.

Figure 7. ROC curve of pairwise check connecting (P _fa, P _d) pairs.

As shown in Figure 8, when the same N satellites are available to both of the GNSS receivers, (N-1)-set of double-difference carrier phase observations can be obtained. At a given time, if M-set values surpass the pre-set threshold, the spoofing detection unit gives a warning about the existence of a spoofing attack. Then the probability of false alarm P _FA and the probability of detection P _D can be derived from Equations (22) and (23).

Figure 8. Flow chart of M of (N−1) algorithm.

(22)$$\eqalign{P_{FA} &=\Pr ob(Sp\ge M\vert H_1 ) \cr & =\sum\limits_{x=M}^{N-1} \left(\matrix{N-1 \cr x} \right) P_{fa}^x (1 - P_{fa})^{N - 1 - x}}$$

(23)$$\eqalign{P_D &= \Pr ob(Sp \ge M\vert H_0) \cr & =\sum\limits_{x=M}^{N-1} \left(\matrix{N-1 \cr x} \right) P_d^x (1-P_d )^{N-1-x}}$$

When the threshold is fixed at T _h=0·106 cycles, P _fa=21·19% and P _d=99·99% can be obtained. Figures 9 and 10 show that for the established M, P _FA increases with N, while P _D decreases with N. When M always chooses the maximal value, namely (N−1), P _FA decreases as N increases, as is shown in Figure 9. Similarly, when M always chooses the maximal value, P _D decreases as N increases, as shown in Figure 10. With M=N−1=7 as an example, it is easy to obtain P _FA≈1·918×10⁻⁵ and P _D≈99·93%.

Figure 9. Variation tendency of P _FA with M.

Figure 10. Variation tendency of P _D with M.

Without loss of generality, we set N=8 (M=1, 2, 3,…,7) as an example to analyse the detection performance theoretically. Figure 11 shows the detection probability of different M values, with the increase of T _h. Figure 12 shows the probability of false alarm for different M values, with the increase of T _h. The detection probability P _D and the probability of false alarm P _FA increase with T _h. Furthermore, P _D and P _FA decrease as M increases. ROC curves of pairwise checks connecting (P _FA, P _D) pairs are shown in Figure 13. Obviously, the bigger M is, the better the spoofing detection performance.

Figure 11. Probability of detection for different M.

Figure 12. Probability of false alarm for different M.

Figure 13. ROC curves of pairwise check connecting (P _FA, P _D) pairs.

5.1. Experiment in the non-spoofed case

The experiment time was 10:14–10:44 on 9 February 2018. We put the two receivers on a high iron frame located at the roof of No. 113 building of College of Electrical Engineering, Naval University of Engineering, as shown in Figure 14.

Figure 14. Experiment scene in the non-spoofed case.

Through post-processing of the static data, the distribution of available GPS satellites in the non-spoofed case was obtained, as shown in Figures 15 and 16. We found that over 30 minutes, there were eight satellites (PRN 2, PRN 5, PRN 13, PRN 15, PRN 20, PRN 21, PRN 24 and PRN 29) which were always available.

Figure 15. Visibility of GPS satellites in the non-spoofed case.

Figure 16. Number of available GPS satellites in the non-spoofed case.

The seven groups of the double-difference carrier phase observations can be obtained based on the carrier phase observations of the eight available satellites. By normalisation, ϕ_BA^ij can be obtained as shown in Figure 17. When the threshold is fixed at T _h=0·106 cycles, the test parameter sp can be obtained as shown in Figure 18.

Figure 17. Variation tendency of φ_BA^ij in the non-spoofed case.

Figure 18. Variation tendency of Sp in the non-spoofed case.

As shown in Figure 17, the normalised carrier differences in the non-spoofed case change considerably between −0·5~0·5. Taking the blue curve as an example, when the normalised carrier differences are around the −0·5 or 0·5 values, a constant phase cycle slip appears among the adjacent values. That is consistent with theoretical analysis based on Equation (6): −3·49, −3·51−>−0·49, 0·49. As shown in Figure 18, all the values of sp are not more than 2, which means as the threshold of sp is set as 3~7, there will be no false alarms for the spoofing detection unit, in the non-spoofed case.

5.2. Experiment in the spoofed case

Experiment Time was 10:14–10:44 on 10 February 2018. The outdoor antenna of the GNSS signal transponder was placed on the high iron frame located at the roof of No. 113 building of College of Electrical Engineering and the indoor antenna of GNSS signal transponder was placed in the corner of the laboratory, as shown in Figure 19.

Figure 19. Experiment scene in the spoofed case.

Through post-processing of the static data, the distribution of available GPS satellites in the spoofed case is exactly the same as that in the non-spoofed case, since the motion period of GPS satellites is about 24 hours.

The seven groups of the double-difference carrier phase observations can be obtained based on the carrier phase observations of the eight available satellites. After normalisation, can be obtained as shown in Figure 20. When the threshold is fixed at =0·106 cycles, the test parameter sp can be obtained as shown in Figure 21.

Figure 20. Variation tendency of ϕ_BA^ij in the spoofed case.

Figure 21. Variation tendency of Sp in the spoofed case.

As shown in Figure 20, the normalised carrier differences in the spoofed case fluctuate slightly between −0·05~0·05. As is shown in Figure 21, all the values of sp are 7, which means as the threshold of sp is set as 7, the spoofing detection can effectively alert the user to the spoofing attacks.