2.1. Classification of spoofing attack

Spoofing attacks through the generation of satellite signals can be classified as simplistic, intermediate or sophisticated based on the complexity of the spoofer (Humphreys et al., Reference Humphreys, Ledvina, Psiaki, O'Hanlon and Kintner2008). A simplistic attack is conducted through a satellite simulator that is not synchronised to the current user environment. The intermediate and sophisticated spoofer uses a receiver to obtain the current satellite signal state and produce an output in synchronisation to the situation at the user receiver. An intermediate attack is launched through a single transmitter and can be detected through the angle of arrival discrimination methods. A sophisticated attack can be launched through multiple transmitters to overcome the victim's defences using the angle of arrival discrimination (Humphreys et al., Reference Humphreys, Ledvina, Psiaki, O'Hanlon and Kintner2008).

2.2. Details of the intermediate attack

An intermediate spoofing attack uses a GNSS receiver to estimate the critical parameters, such as frequency, code phase and amplitude, during the alignment phase. These parameters are required in order to match the counterfeit and genuine signal, so that both signals appear as one in the target receiver correlation function. Separate parameters for each satellite are estimated to generate the data stream for each satellite. All data streams are combined and adjusted for power and then transmitted (Humphreys et al., Reference Humphreys, Bhatti, Shepard and Wesson2012). After the alignment phase, the counterfeit signal power is increased to control the tracking loops of the target receiver. The counterfeit signal is then steered away from the authentic signal by changing the code phase (Humphreys et al., Reference Humphreys, Bhatti, Shepard and Wesson2012). This process is called pull-off, and generates ACF distortion. When the pull-off phase is complete and the receiver is locked on the spoofed signal, away from the genuine signal, the phase is known as the capture phase. The spoofer now has complete control over the target receiver (Humphreys et al., Reference Humphreys, Ledvina, Psiaki, O'Hanlon and Kintner2008). Table 1 provides an overview of the spoofing sequence of each phase in the TEXBAT data (Humphreys et al., Reference Humphreys, Bhatti, Shepard and Wesson2012).

Table 1. Phases of intermediate spoofing sequence and spoofing status.

2.3. Dataset

To evaluate the slope metric publicly available datasets and independent field recordings were used.

2.3.1. Spoofing dataset

The spoofing dataset was comprised of the TEXBAT dataset and the synthetic spoofing data (Khan et al., Reference Khan, Iqbal and Khan2018). TEXBAT is the battery of recorded spoofing cases compiled by researchers at the University of Texas, Austin. It includes clean static and dynamic cases and eight spoofing attack cases datasets. Table 2 provides a description of the spoofing cases and the spoofer power advantage. Spoofer power advantage is the ratio of the power of the spoofing signal to the authentic signal as seen by the target receiver. In order to generate spoofing cases, corresponding clean cases have been replayed using a vector signal generator (VSG). The output of the VSG has been split and one part is given to the receiver inside the spoofer to extract the required parameter and the other part is combined with the output of the spoofer to make the spoofing signal. The combined signal is recorded using vector signal analyser (VSA), with a bandwidth of 20 MHz, and digitised as complex 16-bit samples at a rate of 25 MSps (Humphreys et al., Reference Humphreys, Ledvina, Psiaki, O'Hanlon and Kintner2008).

Table 2. Summary of TEXBAT cases.

3.1. Mathematical model of ACF

After passing through the front-end and baseband section, a signal from a satellite, its reflection and the spoofing signal are accumulated for integration time, T. The accumulated value is an instantaneous measured ACF, given by

(1)$$\left[ {{\begin{array}{@{}c@{}} {I_{\tau_i } } \\ {Q_{\tau_i } } \end{array} }} \right]=\sum _{n=0}^{N-1} \left[ {\sum_{\rm s} \mbox{a}_{\rm s} d( {n+\tau_s } )c( {n+\tau_s } )e^{j( {2\pi f_{IF} n+\phi_s } )}+\mbox{N}_{\rm o} ( \mbox{n})} \right]c( {n+\tau _i } )e^{-j( {2\pi f_{IF} n} )},$$

where subscript ‘s’ is used for different delayed versions due to spoofing or multipath and subscript ‘i’ is used for different correlators. a_s is amplitude of sth form of signal, c(n) is locally generated replica PRN code and $e^{-j( {2\pi f_{IF} n} ) }$ is the locally generated replica carrier, τ _i is the delay between locally generated code sequence and the received code for the ith correlator. τ _i = 0 for the prompt correlator. N is the number of samples in integration time T and is defined as N = f _c. T, where f _c is the analog-to-digital conversion sampling rate. $e^{j( {2\pi f_{IF} n} ) }$ is transmitted carrier, ϕ _s is transmitted carrier phase for sth version of signal, τ _s is the delay of sth signal from the direct signal.

After rearranging and simplification, the accumulated value in the in-phase branch of the correlator becomes

(2)$$I_{\tau _i } =\sum _{s=0}^{M+1} \mbox{a}_{\rm s} \cos( {\phi _s } )R( {\tau _i -\tau _s })+N_{\tau _i },$$

where there are M multipath signals, a direct and a spoofing signal are assumed to be present, $N_{\tau _{i} } $ is the noise components after accumulation, R() is an ideal ACF of GPS C/A code that is defined as

(3)$$R( \tau )=\sum_{n=0}^{N-1} c( n)c( {n-\tau }),$$

The ideal ACF is approximately equal to the following (Kaplan and Hegarty, Reference Kaplan and Hegarty2005)

(4)$$R( \tau )=\left\{ {{\begin{array}{@{}l@{\quad}l@{}} {\mbox{N}\left[ {1-\displaystyle\frac{\left| \tau \right|}{\mbox{T}_{\rm c} }} \right]}& {\mbox{for }| \tau |\le \mbox{T}_{\rm c} } \\ 0 & {\mbox{otherwise}} \\ \end{array} }} \right\},$$

The ideal ACF has the shape of a triangle as given in Figure 1.

3.1.1. Slope calculation

Using the method given in Phelts et al. (Reference Phelts, Walter and Enge2003), the slope of an ACF can be calculated using the least square method by solving the following equation, which estimates the slope (M _s) and y-intercept (I _y) in the least square sense

(5)$$\left[ \begin{matrix} \tau_0 & 1 \\ \tau_1 & 1 \\ \tau_2 & 1 \\ \end{matrix} \right]\left[ \begin{matrix} M_S \\ I_y \\ \end{matrix} \right]=\left[ \begin{matrix} \tilde{\rm I}_{\tau_{0}} \\ \tilde{\rm I}_{\tau_{1}} \\ \tilde{\rm I}_{\tau_{2}} \end{matrix} \right]$$

where $ \tilde{\rm I}_{\tau_{i}} = {\rm I}_{\tau_{i}}, \; \tau _{0} , \; \tau _{1}$ and τ ₂ are selected delays for calculating the slope.

However, if τ ₁ is at the centre point between τ ₀ and τ ₂, it can be shown from Equation (5) that the slope can be calculated by the following equation

(6)$$M_S ( \tau _0 ,\tau _2 )=\frac{\tilde{\rm I}_{\tau_{2}}-\tilde{\rm I}_{\tau_{0}}}{\tau_2-\tau_0}=\frac{{\rm I}_{\tau_{2}}-{\rm I}_{\tau_{0}}} {{\rm I}_{0}[\tau_2-\tau_0]}$$

where τ ₀ and τ ₂ can have any values and the τ ₁ is the mean value of τ ₀ and τ ₂.

In order to understand the effect of multipath or spoofing, a direct and counterfeit signal is simulated with fixed spoofer power advantage and different time delays between the spoofing and authentic signal. The slope on the early and late side of the prompt tracking point is calculated using Equation (6). Figure 2 depicts the constituent signals ACF, the combined signal ACF, the tracking points and monitoring points at 25% and 75% of chip period (0·25T _c and 0·75T _c) on the ACF. The spoofer power advantage considered here is 0·8 dB corresponding to the matched power case. The tracking results are shown for delays of 0·2, 0·8 and 1·3 chips between the two signals. It can be observed that the slope value changes as the delay between the signal changes.

Figure 2. Slope of ACF at 25% and 75% of the tracked chips on both sides of the prompt tracking point, for spoofer power advantage of 0·8 dB: (a) the distortion in ACF is very low when the spoofing signal is 0·2 chip away from the authentic signal and slope values are not affected significantly, (b) spoofing signal is 0·8 chip away from the authentic signal due to which slope value has changed significantly, and (c) shows the spoofing signal as 1·3 chips away from the authentic signal due to which the slope value has changed drastically.

Figure 3 shows the same receiver parameters as shown in Figure 2, for the spoofer power advantage of 9 dB that corresponds to overpowered cases. It can be observed here that with such high spoofer advantage, there is little change in slope value of the measured ACF.

Figure 3. Slope of ACF between 25% and 75% of the tracked chips on both sides of the prompt tracking point, for spoofer power advantage of 9 dB and spoofing signal as 0·8 chips away from the authentic signal.

3.2. Metric formulation

The choice of placement of monitoring correlators is a critical factor in metric formulation. Noise will be enhanced if the monitoring correlators are very close to each other, because of the factor of τ ₂ − τ ₀ in the denominator of the Equation (6). To make a reasonable separation, the monitoring correlators used in this study are at 10%–90% and 25%–75% of the chip period.

Equation (6) can be used to calculate early and late side slopes, where M _s( − τ ₁, − τ ₀) produces early slope value and M _s(τ ₁, τ ₀) produces late slope value for (τ ₀, τ ₁) monitoring correlators. In order to find an effective metric for spoofing detection, several metrics have been formulated consisting of slope metrics and the symmetric and asymmetric difference of slope metrics. The slope metrics are

(7)$$\begin{align} M_{S1} &=M_S ( {0{\cdot} 1,0{\cdot} 9} ) \\ M_{S2} &=M_S ( {{-}0{\cdot} 1,{-}0{\cdot} 9}) \\ M_{S3} &=M_S ( {0{\cdot} 25,0{\cdot} 75}) \\ M_{S4} &=M_S ( {{-}0{\cdot} 25,{-}0{\cdot} 75}) \\ \end{align}$$

In order to create symmetric difference metrics from early and late pairs of slope measurement, their values are added in the following metric,

(8)$$\begin{align} M_{D1} &=M_{S3} +M_{S4} \\ M_{D2} &=M_{S1} +M_{S2} \end{align}$$

where the M _S1–M _S4 values are defined in Equation (7) and the M _D1 and M _D2 are symmetric differential slope metrics. The asymmetrical one-sided differential metrics can be formed by taking the difference of metrics on early or late sides as follows,

(9)$$\begin{align} M_{D3} &=M_{S3} -M_{S1} \\ M_{D4} &=M_{S4} -M_{S2} \end{align}$$

where M _D3 and M _D4 are early and late side differential metrics. Considering the structure, the M _D1 and M _D2metrics are similar to the double delta metric as described in Pirsiavash et al., (Reference Pirsiavash, Broumandan and Lachapelle2017), except for the choice of monitoring correlators. However, M _D3 and M _D4 are novel in the sense that they use the one-sided monitoring correlators in metric formulation. The double delta metric is defined as follows:

$$M_{{\rm DT}} =\frac{(I_{-0\cdot 1} -I_{+0\cdot 1} )-(I_{-0\cdot 05} -I_{+0\cdot 05} )}{I_0 }.$$

Next, we calculate the nominal variation of the metrics that occurs due to the influence of thermal noise, as given in Irsigler (Reference Irsigler2008) for the slope metrics, given in Equations (7–9). Details of variance calculation are given in Appendix A.

Table 3 summarises the metrics and their variance for different C/N₀ values.

Table 3. Summary of slope based metrics, calculated statistics including expected value and variance formulas and values at different C/N ₀.

The variance calculated and presented in Table 3 is based on only the C/N₀ value of the signal. The values have been calculated here for the purposes of having a reference to the clean signal. The calculated variance may also be used as a sanity check on the calculated threshold.

In order to develop a metric suitable for the detection of a spoofing attack, we have simulated the spoofing attack scenario for a different power ratio between authentic and spoofer signal power. Slope metric values for different delays between authentic and spoofing signals are shown in Figures 4–6. Figure 4 contains the slope metrics (M _S1–M _S4) values. It can be noted here that the slope metric values change from their typical un-spoofed position (when Δ τ = 0) for even a very small change in the spoofing and authentic signal delay. Figure 5 contains the symmetrical differential slope metrics (M _D1, M _D2). The metrics have a low sensitivity (metric value does not change from the typical value) for small delays in the authentic and spoofing signals; however, they also have low sensitivity for the matched power cases. Figure 6 contains the asymmetrical one-sided differential slope metrics (M _D3, M _D4). It shows that there is very little change in the slope values for the small delay between the authentic and spoofing signal, even if the power ratio varies. For the larger delays, however, the value of the slope changes considerably. This makes the choice of the asymmetrical one-sided difference slope metric more suitable for spoofing detection, as spoofing eventually has a large delay when the spoofer drags the signal away from the authentic signal (Humphreys et al., Reference Humphreys, Ledvina, Psiaki, O'Hanlon and Kintner2008).

Figure 4. Slope value for monitoring correlators at (a) 25%–75% location at early and late side and (b) 10%–90% location at early and late side. Authentic and spoofing signals are simulated for different delay profiles and Spoofer Power Advantage.

Figure 5. Symmetric differential slope metric values for monitoring correlators at (a) 25%–75% locations and (b) 10%–90% locations. Authentic and spoofing signals are simulated for different delay profile and spoofer power advantage.

Figure 6. Non-symmetrical one-sided differential slope value for monitoring correlators at 10%–90% and 25%–75% location for (a) early correlators and (b) late correlators. Authentic and spoofing signals are simulated for different delay profiles and spoofer power advantage.

3.3. Threshold calculation

A threshold for every metric is necessary for the detection process (Phelts et al., Reference Phelts, Walter and Enge2003). In order to calculate a reasonable threshold, statistical analysis has been performed to implement a Neyman Pearson (NP) detector. Here, we consider two hypotheses: the null hypothesis, H₀, which is considered when there is no spoofer present, and the alternate hypothesis, H₁, which is considered when the spoofer is present.

• H₀: When the spoofer is not present, the correlation results contain power from an authentic signal, thermal noise, the multipath components, and other variations. Under the null hypothesis

• (10)$$H_0 :M_x \cong \mu _m$$

• where M _x is any slope metric value and μ _m is its mean value.

• H₁: When the spoofer is present, the correlation results contain the power from spoofing signal too. The expected value of the metric is changed under the spoofing, hence

• (11)$$H_1 :M_x \ne \mu _m$$

In order to build an NP detector in the absence of completely defined distribution of alternate hypothesis, the likelihood function can be defined from Equations (10) and (11), as

(12)$${\mathcal L}( {M_x } )=| {M_x -\mu _m } |$$

Using the likelihood function, the P _FA for a given threshold γ can be calculated from the following,

(13)$$P_{{\rm FA}} ( \gamma )=\rho (| {M_x -\mu _m }|>\gamma \vert H_0 )$$

where γ is the detection threshold, ρ (·) is the probability function and M _x is the desired slope based metric.

If P _FA is given, the detection threshold γ can be determined by inverting the probability function. As the slope based metrics are linear combinations of the accumulator outputs which are Gaussian (Huang et al., Reference Huang, Lo Presti, Motella and Pini2016; Pirsiavash et al., Reference Pirsiavash, Broumandan and Lachapelle2017), they are considered Gaussian with theoretical statistics given in Table 3, the threshold can be calculated using,

(14)$$\gamma =\sqrt 2 \sigma _m erfc^{-1}(2\cdot P_{{\rm FA}} )$$

where erfc ⁻¹ is the inverse Gaussian function.

The probability of detection (P _D) or detection rate can be theoretically calculated by

(15)$$P_D ( \gamma )=\rho (| {M_x -\mu _m } |>\gamma \vert H_1 )$$

As the statistical distribution of the disturbance due to the spoofing cannot be determined, however, an empirical solution for finding the detection rate has therefore been chosen in the results section, below.

3.4. Spoofing detector

Using the threshold, a statistical detector can be built from Equations (13) and (15)

(16)$${\begin{array}{@{}c@{}}\hspace*{3pc} {H_0 } \\ | {M_x -\mu _m } |\lessgtr\gamma\\ \hspace*{3pc} {H_1 } \\ \end{array} }$$

A combination of metrics can also be used to form a detector. In this case Equation (16) can be used for detection using individual metrics and their detection results can be combined to achieve the final results, as below,

(17)$$\begin{array}{@{}l@{\quad}l@{}} {| {M_{x_1 } -\mu _{m_1 } } |>\gamma _1 \hbox{ or } |{M_{x_2 } -\mu _{m_2 } } |>\gamma _2 } & {\mbox{decide }H_1 }\\ {\mbox{otherwise}} & {\mbox{decide }H_0 } \\\end{array}$$

where the subscripted values correspond to two different metric values and threshold.