GPS spoofer countermeasure effectiveness based on signal strength, noise power, and C/N0 measurements. Article in International Journal of Satellite Communications and Networking, July 2012. DOI: 10.1002/sat.1012. Available at: http://www.researchgate.net/publication/264376812 (retrieved on 20 December 2015).


INTERNATIONAL JOURNAL OF SATELLITE COMMUNICATIONS AND NETWORKING
Int. J. Satell. Commun. Network. 2012; 30:181–191
Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sat.1012

GPS spoofer countermeasure effectiveness based on signal strength, noise power, and C/N0 measurements

Ali Jafarnia Jahromi1,*,†, Ali Broumandan1, John Nielsen2 and Gérard Lachapelle1

1 University of Calgary, Geomatics Engineering, Calgary, Alberta, Canada
2 University of Calgary, Electrical and Computer Engineering, Calgary, Alberta, Canada

SUMMARY

Spoofing sources can effectively disrupt a GPS receiver during the acquisition phase by generating multiple false correlation peaks and increasing the noise floor. Such deceptive correlation peaks can mislead the GPS receiver into acquiring the spoofer generated signals rather than the authentic signals. Also, the spoofer can increase the receiver noise floor to bury the authentic signals in the noise and at the same time generate correlation peaks with amplitudes commensurate with reasonable C/N0 expectations. The main focus of this paper is on assessment of the reduced effectiveness of the GPS spoofer countermeasure during acquisition where the GPS receiver utilizes C/N0 discrimination. As shown, whereas the C/N0 discrimination is of limited effectiveness, with a modest circuit modification, the receiver can measure the absolute power of the correlation peaks, which is an effective means of detecting and discriminating spoofer sources. It will be shown that employing the absolute power monitoring technique considerably reduces the vulnerability region of the receiver compared with the C/N0 monitoring techniques. Copyright © 2012 John Wiley & Sons, Ltd.

Received 22 July 2011; Accepted 1 May 2012

KEY WORDS: GPS, anti-spoofing, C/N0 analysis, noise power analysis, absolute power analysis

1. INTRODUCTION

The GPS signal is vulnerable to in-band interference because it is an extremely weak signal. Therefore, even low-power interference can easily jam or spoof consumer handheld GPS receivers within a radius of several kilometers [1]. Spoofing is a deliberate interference that aims to coerce global navigation satellite system receivers into generating false position/navigation solutions [2]. The spoofing attack is potentially significantly more menacing than jamming because the target receiver is not aware of this threat. Because the GPS signal structure is in the public domain, the implementation of a spoofer of disruptive capability is not prohibitively complex. Spoofing and related countermeasures are emerging issues for GPS and are consequently attracting significant interest [3–5]. In recent years, several spoofing detection and mitigation techniques have been proposed in the literature [6–11].

During the acquisition procedure, a generic GPS receiver correlates the received signal with a locally generated one to provide a rough estimate of the code delay and the Doppler frequency. Herein, it is assumed that the receiver searches over all in-range Doppler and code cells and estimates the signal parameters commensurate with the maximum peak of the correlation function that is above a predetermined detection threshold. The spoofing threat can affect the acquisition process of a GPS receiver from two different perspectives. First, the spoofer can generate one or more fake correlation peaks whose amplitude is larger than the authentic signals and, as such, present the acquisition processing of the receiver with seemingly legitimate correlation peaks from which a false navigation solution is generated. Second, the spoofer can generate a component of uncorrelated noise in the GPS band that can arbitrarily manipulate the noise floor observed by the receiver. Additionally, as the Pseudorandom Noise (PRN) codes are not orthogonal relative to the dwell time interval used by the GPS acquisition, there is a mutual nonzero cross-correlation of the PRN codes that further increases the noise floor.

*Correspondence to: Ali Jafarnia Jahromi, University of Calgary, Geomatics Engineering, Calgary, Alberta, Canada.

To be effective, the spoofer should generate a correlation peak that has more power than the authentic signal peak to mislead the target receiver. Hence, it would initially seem desirable to generate a powerful spoofing signal whose power is significantly larger than the corresponding authentic signal. However, as the maximum GPS signal strength at the receiver antenna is known approximately, the receiver can detect the spoofing source if it is too large. Therefore, the receiver has effective means of detecting a spoofing source and hence can take the appropriate action. This may be that the receiver merely informs the user of a potential spoofing attack such that less reliability is placed on the eventual navigation solution. A more sophisticated response would be for the receiver to attempt to discriminate and sort the spoofer and authentic correlation peaks. By monitoring the power levels of the noise and correlation peaks, it becomes much more difficult for the spoofer to be effective.

Hence, to be effective, the spoofer must present the receiver with an accurate signal power level within this window. This is significantly further exacerbated by multipath, as the spoofing signal level is then essentially random. Also, the distance between the spoofer and the receiver is not known to the spoofer. As will be shown in this paper, application of these simple power thresholds virtually assures the receiver that if the spoofer signal is strong enough to be effective, then it is also detectable with reasonable probability.

Some recent articles have heuristically discussed amplitude discrimination techniques to detect the spoofing threat [2,10]; however, no considerable analytical discussion has been provided in this regard in the open literature. This paper takes an analytical approach to investigate the effect of the spoofing signals on the receiver noise floor. It is shown that the distribution of spoofing interference can be approximated by a circularly symmetric Gaussian distribution that is added to the ambient additive white Gaussian noise. After that, the receiver acquisition process is analyzed on the basis of the received signal-to-interference-and-noise ratio (SINR). It is shown that the spoofing interference can decrease the SINR of the authentic signal and cause it to fall under the detection threshold, which results in deterioration of receiver acquisition performance. In addition, the spoofing power increment increases the SINR of the spoofing PRNs, which can mislead the receiver toward acquiring the spoofer-sourced correlation peaks.

The rest of this paper is organized as follows: In Section 2, the received signal model and the acquisition technique are discussed. Section 3 discusses the spoofing effect on increasing the noise floor estimate. The effect of the spoofing threat on the receiver SINR, and consequently on deteriorating its acquisition performance, is discussed in Section 4. Section 5 presents spoofing discrimination based on absolute power monitoring, and finally, the concluding notes are given in Section 6.

2. SYSTEM MODEL

Herein, it is assumed that the spoofing signal is transmitted from a single source located on the earth surface and is received at the receiver antenna as shown in Figure 1. The spoofing signal is a terrestrial signal that is subjected to multipath fading en route to the GPS receiver. It is assumed that the structure of the spoofing signal is similar to that of the authentic GPS signals; however, the spoofer is not limited to generating signals at the same power level, code delay, Doppler frequency, and PRN set as the present authentic signals. The GPS receiver is assumed to operate in the acquisition stage and to aim to correctly detect the presence of the authentic signal and provide a rough estimate of the code delay and Doppler frequency. Therefore, if the spoofing signal has totally aligned its signal with the authentic signal in terms of Doppler frequency and code delay, it does not mislead the acquisition procedure.

The baseband section of a generic GPS receiver consists of a complex correlator whose structure is shown in Figure 2. This procedure includes Doppler removal, signal despreading, and low-pass filtering.

Figure 1. Spoofing scenario illustration.

Figure 2. The correlator structure in the baseband section of the GPS receiver.

In Figure 2, $c_l$ is the $l$th locally generated spreading sequence, $\omega_l$ and $\tau_l$ are the Doppler and code delay of the locally generated signal, respectively, and $T_s$ is the sampling interval. During the acquisition process, the receiver correlates the received signal with the locally generated PRN codes with different delays that are modulated by different Doppler frequencies. Then the resulting signal is integrated over $N$ consecutive samples. When the Doppler frequency and the code delay of the locally generated signal match those of the received signal, a correlation peak will be observed at the output of the integrator. Here, it is assumed that the phase of the locally generated carrier is not necessarily synchronized to the target PRN, but its Doppler frequency as well as the spreading code delay perfectly match the desired signal's parameters. Also, the integration time has been considered to be much shorter than the data bit duration; therefore, it can be assumed that there is no data bit transition during the acquisition process. Therefore, the output signal from the integrate and dump block can be written as follows [12]:

$$
y_l[\omega_l,\tau_l,K] =
\underbrace{\sqrt{P_l}\,\exp(j\phi_l)}_{\text{I: Desired signal}}
+ \underbrace{\sum_{\substack{i=1\\ i\neq l}}^{N_{\text{Auth-SV}}} \sqrt{P_i}\,F_{il}[\omega_l,\tau_l,K]}_{\text{II: Interference caused by other authentic PRNs}}
+ \underbrace{\sum_{k=1}^{N_{\text{Spoof-SV}}} \sqrt{P_k}\,F_{kl}[\omega_l,\tau_l,K]}_{\text{III: Interference caused by spoofer generated PRNs}}
+ \underbrace{\eta[K]}_{\text{IV: Gaussian noise}}
\qquad (1)
$$

where

$$
F_{il}[\omega_l,\tau_l,K] = \frac{1}{N}\sum_{n=(K-1)N+1}^{KN} c_i(n-\tau_{ilK})\,c_l(n)\,\exp\left(j\Delta\omega_{ilK}\,n + j\Delta\phi_{ilK}\right)
\qquad (2)
$$

where $P_i$ and $c_i$ are respectively the received power and the spreading code of the $i$th satellite. $\Delta\omega_{ilK}$, $\Delta\phi_{ilK}$, and $\tau_{ilK}$ are respectively the Doppler difference, the carrier phase difference, and the code delay difference between the $i$th received PRN code and the $l$th locally generated PRN code at the $K$th integration interval. $y_l[\omega_l,\tau_l,K]$ is the integrator output at the $K$th interval and is composed of four terms. The first term is the desired signal, which is the term of interest during the acquisition process. The second term is the interference caused by other authentic PRN codes; the third term is the interference caused by the spoofing PRN codes. These two terms are generated because of the cross-correlation between different Gold sequences. $\eta[K]$ is the circularly symmetric complex Gaussian noise process with variance $\tilde{\sigma}^2/N$, where $\tilde{\sigma}^2$ is the variance of the input ambient white Gaussian noise. Conventional GPS receivers consider all of the last three terms as the noise term and perform the acquisition and tracking operations on the first term only.

3. EFFECT OF SPOOFING SIGNAL ON RECEIVER NOISE FLOOR ESTIMATE

Consider the case where the spoofing signal received at the GPS receiver antenna is stronger than the authentic GPS signals. The interference caused by the spoofer can elevate the noise floor of the receiver processing. The receiver noise floor can be estimated by correlating the received signal with a fictitious PRN code that is not present in the current GPS constellation. The noise floor is the variance of $y_f[\omega_f,\tau_f,K]$, which is the complex correlator output at time interval $K$.

$$
\sigma^2_{Y_f}[K] = \mathrm{var}\left[
\underbrace{\sum_{i=1}^{N_{\text{Auth-SV}}} \sqrt{P^a_i}\,F_{if}[\omega_f,\tau_f,K]}_{\text{II: Interference induced by authentic PRNs}}
+ \underbrace{\sum_{k=1}^{N_{\text{Spoof-SV}}} \sqrt{P^s_k}\,F_{kf}[\omega_f,\tau_f,K]}_{\text{III: Interference induced by spoofer generated PRNs}}
+ \underbrace{\eta[K]}_{\text{IV: Gaussian noise}}
\right]
\qquad (3)
$$

where it is assumed that the $f$th PRN code is a fictitious code that is present in neither the authentic nor the spoofing PRN sets. Therefore, the correlator output is made up of three major terms, namely interference terms induced by authentic PRN codes, interference terms induced by the spoofing PRN codes, and finally the Gaussian channel noise.

It is assumed that the delay and Doppler frequency of authentic and spoofing PRN codes are independent of each other and randomly distributed. Therefore, (3) can be rewritten as follows:

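$$
\sigma^2_{Y_f}[K] = \sum_{i=1}^{N_{\text{Auth-SV}}} P^a_i\,\mathrm{var}\left[F_{if}[\omega_f,\tau_f,K]\right]
+ \sum_{k=1}^{N_{\text{Spoof-SV}}} P^s_k\,\mathrm{var}\left[F_{kf}[\omega_f,\tau_f,K]\right]
+ \mathrm{var}\left[\eta[K]\right]
\qquad (4)
$$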

The first and second terms in (4) consist of $\mathrm{var}[F_{if}[\omega_f,\tau_f,K]]$. This term is the cross correlation of the $i$th and $f$th PRN codes modulated by the random Doppler shift and phase difference between these two signals. The distribution of $F_{if}[\omega_f,\tau_f,K]$ has been calculated numerically and can be well approximated by a zero mean Gaussian distribution in either of the I and Q branches. The simulations have been performed for normalized power spreading Gold codes, and the cross correlation variance in either of the in-phase or quadrature branches has been extracted to be $\sigma^2_{I,F_{if}} = \sigma^2_{Q,F_{if}} = 0.00033$.

On the basis of the simulation results, the covariance between the I and Q branches is negligible. Therefore, it can be written as

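$$
F_{if}[\omega_f,\tau_f,K] \sim N_c\left(
\begin{bmatrix} 0 \\ 0 \end{bmatrix},
\begin{bmatrix} \sigma^2_{I,F_{if}} & 0 \\ 0 & \sigma^2_{Q,F_{if}} \end{bmatrix}
\right)
\qquad (5)
$$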

where $N_c(a,b)$ is the circularly symmetric complex Gaussian distribution with mean vector $a$ and covariance matrix $b$. In consequence, the correlator output $y_f[\omega_f,\tau_f,K]$ is the summation of circularly symmetric Gaussian random variables, which in turn is a complex Gaussian random variable with the following distribution:

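$$
y_f[\omega_f,\tau_f,K] \sim N_c\left(
\begin{bmatrix} 0 \\ 0 \end{bmatrix},
\frac{N_0}{2NT_s}\begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}
+ \left(\sum_{i=1}^{N_{\text{Auth-SV}}} P^a_i + \sum_{k=1}^{N_{\text{Spoof-SV}}} P^s_k\right)
\begin{bmatrix} \sigma^2_{I,F_{if}} & 0 \\ 0 & \sigma^2_{Q,F_{if}} \end{bmatrix}
\right)
\qquad (6)
$$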


Equation (6) shows that the variance of the interference term is directly affected by the transmitted power of the authentic and spoofing PRN codes. The GPS system has been designed such that the interference level of authentic PRN codes does not exceed the ambient noise floor [13]. However, spoofing signals can be much more powerful than the authentic GPS signals. Therefore, their corresponding interference level can overtake the ambient Gaussian noise floor and therefore decrease the authentic SINR at the correlator output of conventional single-user GPS receivers. To investigate the effect of spoofing interference on the noise floor variance of the GPS receiver, the total received spoofing power (TSP) has been considered and is defined as follows:

$$
[\mathrm{TSP}]_{\mathrm{dBW}} = 10\log_{10}\left(\sum_{k=1}^{N_{\text{Spoof-SV}}} P^s_k\right)
\qquad (7)
$$

In Figure 3, the estimated noise floor is depicted versus the TSP for an integration time of 1 ms. It is observed that when the TSP is very low, the ambient Gaussian noise is the dominant term that determines the noise floor of the receiver. However, increasing the TSP increases the noise floor and causes it to overtake the authentic satellites' received signal power.

4. VULNERABILITY OF GPS ACQUISITION IN THE PRESENCE OF SPOOFING ATTACK

The acquisition process of the GPS receiver aims to detect the authentic signal correlation peak and estimate the Doppler frequency and code delay. However, the interference caused by a spoofing signal can considerably increase the observed noise floor of a GPS receiver.

On the basis of the discussions in the previous sections, the correlator output can be written under the $H_0$ (signal absent), $H_1^a$ (authentic signal present), and $H_1^s$ (spoofing signal present) hypotheses as follows:

$$
\begin{aligned}
H_0 \text{ (signal absent)}: &\quad y_l[\omega_l,\tau_l,K] = N_c\left(0,\ \sigma^2 I_2\right) \\
H_1^a \text{ (authentic signal present)}: &\quad y_l[\omega_l,\tau_l,K] = N_c\left(m^a,\ \sigma_a^2 I_2\right) \\
H_1^s \text{ (spoofing signal present)}: &\quad y_l[\omega_l,\tau_l,K] = N_c\left(m^s,\ \sigma_s^2 I_2\right)
\end{aligned}
\qquad (8)
$$

Figure 3. Noise floor estimate versus total spoofing power. [Plot: noise floor estimate [dBW] versus total spoofing power (TSP) [dBW] for coherent integration time Tc = 1 ms; curves: theoretical noise floor and GPS L1 typical received power.]

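where

$$
\begin{aligned}
m^{a|s} &= \sqrt{P_l^{a|s}}\,\exp(j\phi_l) \\
\sigma^2 &= \frac{N_0}{2NT_s} + \sigma^2_{I,F_{if}}\left(\sum_{i=1}^{N_{\text{Auth-SV}}} P^a_i + \sum_{k=1}^{N_{\text{Spoof-SV}}} P^s_k\right) \\
\sigma_a^2 &= \frac{N_0}{2NT_s} + \sigma^2_{I,F_{if}}\left(\sum_{\substack{i=1\\ i\neq l}}^{N_{\text{Auth-SV}}} P^a_i + \sum_{k=1}^{N_{\text{Spoof-SV}}} P^s_k\right) \\
\sigma_s^2 &= \frac{N_0}{2NT_s} + \sigma^2_{I,F_{if}}\left(\sum_{i=1}^{N_{\text{Auth-SV}}} P^a_i + \sum_{\substack{k=1\\ k\neq l}}^{N_{\text{Spoof-SV}}} P^s_k\right)
\end{aligned}
\qquad (9)
$$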

where the superscript 'a|s' is a compact reference to either of the authentic or spoofing hypotheses. As discussed before, the interference level of an authentic signal is very small compared with the interference level of the Gaussian noise process. Therefore, it can be considered that $\sigma^2 \approx \sigma_a^2$. Also, if the number of spoofing signals is large enough (around 10 or more), it can be assumed that a single spoofing PRN signal does not considerably change the noise floor. Hence, all three variance terms are very close to each other ($\sigma^2 \approx \sigma_a^2 \approx \sigma_s^2$).

For most GPS receivers, it is more convenient to work with the squared value of the correlator output amplitude. Therefore, the distribution of $D = |y_l[\omega_l,\tau_l,K]|^2$ under $H_0$ and $H_1^{a|s}$ can be respectively written as central and noncentral Chi-squared distributions with two degrees of freedom as follows:

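$$
\begin{aligned}
p(D \mid H_0) &= \frac{1}{2\sigma^2}\exp\left(\frac{-D}{2\sigma^2}\right) \\
p\left(D \mid H_1^{a|s}\right) &= \frac{1}{2\sigma^2_{a|s}}\exp\left(-\frac{D + P_l^{a|s}}{2\sigma^2_{a|s}}\right) I_0\left(\frac{\sqrt{D\,P_l^{a|s}}}{\sigma^2_{a|s}}\right)
\end{aligned}
\qquad (10)
$$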

where $H_1^{a|s}$ refers to either of the authentic or spoofing hypotheses. If the detection threshold is defined as $D_{th}$, then the probability of detection ($P_D$) and the probability of false alarm ($P_{FA}$) can be defined as follows:

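$$
\begin{aligned}
P_D^{a|s} &= \int_{D_{th}}^{\infty} p\left(D \mid H_1^{a|s}\right) dD
= \int_{D_{th}}^{\infty} \frac{1}{2\sigma^2_{a|s}}\exp\left(-\frac{D + P_l^{a|s}}{2\sigma^2_{a|s}}\right) I_0\left(\frac{\sqrt{D\,P_l^{a|s}}}{\sigma^2_{a|s}}\right) dD \\
P_{FA} &= \int_{D_{th}}^{\infty} p(D \mid H_0)\, dD
= \int_{D_{th}}^{\infty} \frac{1}{2\sigma^2}\exp\left(\frac{-D}{2\sigma^2}\right) dD
\end{aligned}
\qquad (11)
$$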

where $I_0(x)$ is the modified zero-order Bessel function of the first kind. The generalized likelihood ratio test (GLRT) [14] suggests that the GPS receiver evaluates the correlator output corresponding to all possible ranges of Doppler and code delay and picks the cell with the highest squared amplitude. If the amplitude is above the threshold, the signal presence is flagged and the Doppler and code delay of the corresponding cell are reported as the rough estimate of the detected signal parameters. Therefore, for correct detection, only one of the cross ambiguity function (CAF) cells should be above the detection threshold, and for a given noise floor estimate and probability of false alarm, the detection threshold can be determined as follows (the proof has been provided in Appendix A):

$$
D_{th} = -2\sigma^2 \ln\left[1 - \left(1 - P_{FA}\right)^{\frac{1}{N_c}}\right]
\qquad (12)
$$

where $N_c$ is the number of cells in the search space. Under the $H_1^a$ or $H_1^s$ hypotheses, the SINR of the $i$th PRN can be calculated using the following equation:

$$
\mathrm{SINR}_i^{a|s} = \frac{P_i^{a|s}}{2\sigma^2_{a|s}}
\qquad (13)
$$

Also, a SINR threshold can be defined by modifying (12) as follows:

$$
(\mathrm{SINR})_{th} = \frac{D_{th}}{2\sigma^2} = -\ln\left[1 - \left(1 - P_{FA}\right)^{\frac{1}{N_c}}\right]
\qquad (14)
$$

On the basis of (14), it can be deduced that for a given probability of false alarm, the acquisition procedure is able to detect those signals whose SINR is above the detection SINR threshold.

Figure 4 shows the authentic and spoofing SINR values versus the TSP for the case of 10 equal power authentic PRNs and of 10, 20, 30, and 40 equal power spoofing PRNs. The power of each authentic PRN is −158 dBW, and the integration time is $T_c = 1$ ms. The threshold SINR has been calculated for $P_{FA} = 10^{-3}$ as a typical probability of false alarm. The search space consists of 15 Doppler bins and 2046 code delay bins; therefore, the size of the search space is $N_c = 15 \times 2046 = 30{,}690$. It is observed that the SINR of authentic signals decreases as the TSP increases, whereas on the contrary, the SINR of spoofing PRNs increases up to a certain level as the TSP increases. The maximum spoofing SINR level depends on the number of transmitted spoofing PRNs and the distribution of TSP among them. The receiver noise floor estimate at 1 ms integration time is also depicted on the right-hand Y-axis. This curve is useful for analyzing the noise floor increase at a certain TSP level. The spoofer can add some additive white Gaussian noise to the transmitted signal to shift down the SINR curves and equivalently shift up the receiver noise floor estimate. However, this noise does not move the junction point of the authentic/spoofing SINR curves.

The analysis of Figure 4 is based on the following assumptions:

(i) The power of spoofing PRN signals should be higher than the authentic PRN signal's power to mislead the previously discussed GLRT detector. However, this power should not be considerably higher than the maximum authentic signal's power level anticipated by the receiver as it can be easily detected.

(ii) The spoofing interference should not considerably increase the receiver noise floor because it might be detected as an unwanted interference by a spoofing-aware GPS receiver.

(iii) The number of spoofing PRNs should be selected from a plausible list of visible space vehicles. Furthermore, the C/N0 of spoofing PRNs should not exceed the typical C/N0 level of authentic signals because the unusual C/N0 levels might be detected by the GPS receiver.

(iv) If the spoofer knows the detection threshold of the receiver, it is better to choose a TSP bias point such that the authentic SINR falls under the detection threshold. In this case, only the spoofing peak can be found above the detection threshold.

On the basis of the aforementioned discussion, a possible TSP bias point can be TSP = −143 dBW for 10 equal power spoofing PRNs. In this case, all the first three conditions mentioned previously have been met while the absolute power of each spoofing PRN is around −153 dBW, which is equal to the maximum possible power level of the L1 C/A GPS signals [15]. Also, the noise floor increase is around 2 dB.

Figure 4. Received signal-to-interference-and-noise ratio (SINR) versus TSP for authentic and spoofing correlation peaks. [Plot: SINR [dB] (left axis) and noise floor estimate [dBW] at Tc = 1 ms (right axis) versus total spoofing power (TSP) [dBW]; curves: authentic signal SINR (Nauth = 10), spoofing signal SINR (Nspoof = 10, 20, 30, 40), SINR threshold for detection (PFA = 10^-3), and noise floor estimate; marked regions: (I) only authentic peak above detection threshold, (II) only spoofing peak above detection threshold, (III) two correlation peaks above detection threshold; annotation: 2 dB.]

The following two subsections investigate the effect of the spoofing attack on the basis of the analysis of the curves in Figure 4. This analysis shows that the acquisition process of GPS receivers is vulnerable to the spoofing attack even if the spoofing signal is not much more powerful compared with the authentic signals.

4.1. Acquisition vulnerability analysis for uncommon authentic/spoofing PRN signals

In this case, it is assumed that the receiver is trying to acquire an authentic PRN signal that is not common between the authentic and spoofing PRN signals. Therefore, as shown by the green plot in Figure 4, the spoofing signal decreases the SINR of the authentic signal and finally makes it fall under the detection SINR threshold. In this scenario, the spoofer performs more like a wideband interference that deteriorates the detection performance of the receiver by decreasing the received SINR (increasing the noise plus interference floor). Figure 5 shows the ROC for different values of TSP. It is observed that the detection performance of the receiver substantially decreases as the TSP increases. $P_D^a$ has been defined in (11).

Another case can also be defined where the receiver is acquiring a PRN signal that is only transmitted by the spoofer. In this case, as shown by the red curves in Figure 4, the receiver mistakenly acquires the spoofing correlation peak if the spoofing power is enough to overtake the detection SINR threshold.

4.2. Acquisition vulnerability analysis for common authentic/spoofing PRN signal

In this case, it is supposed that the receiver is acquiring a PRN signal that is common between the authentic and spoofing signals. Therefore, both the green and red curves in Figure 4 should be considered in the receiver detection performance analysis. Three different zones can be observed in Figure 4 for the case of 10 authentic and 10 spoofing PRN signals. The first area occurs when the TSP is less than −150 dBW; therefore, the spoofing SINR is under the detection threshold. Here, the only harmful effect of the spoofer is a slight reduction in the authentic signal SINR, but the authentic correlation peak is still acquired by the receiver. The second area occurs for TSPs greater than −139 dBW, where the authentic SINR falls under the detection SINR threshold and only the spoofing generated correlation peak can be detected by the acquisition procedure. In this case, the spoofing interference makes a major contribution to the receiver noise floor.

The third area occurs when the TSP is higher than −150 dBW and lower than −139 dBW. In this case, the SINRs of both the authentic and spoofing signals are above the detection threshold, which implies the presence of two correlation peaks above the detection threshold. Hence, the receiver might mistakenly acquire the spoofing correlation peak when its SINR is higher than the authentic signal's SINR. In this area, especially for the region where the noise floor increase is less than 2 dB, the receiver might not be able to detect the spoofing interference on the basis of the noise floor increment analysis. It seems that in this TSP window, the GPS receiver has the maximum vulnerability to the spoofing attack.

Figure 5. Receiver operating characteristic for different spoofing powers. [Plot: $P_D^a$ versus $P_{FA}$; legend: No spoofing, [TAP=-147 dBW], [TSP=-137 dBW], [TSP=-132 dBW], [TSP=-127 dBW]; arrow: spoofing power increase.]

In Figure 4, it is also observed that if the number of PRN signals among which the spoofer is dividing its transmit power increases, each individual PRN will receive a smaller portion of the spoofing power, which leads to a lower SINR at the same TSP value. For instance, for the case of 30 equal power spoofing PRN signals, it is observed that the maximum SINR is less than 19 dB, which is not unusually high to be detected by C/N0 monitoring techniques. In addition, in this case, for the region where both authentic and spoofing correlation peaks are above the threshold, their SINR difference is much smaller than in the case of 10 spoofing PRNs, and this makes it more difficult for the receiver to discriminate the spoofing attack.

5. SPOOFING DISCRIMINATION BASED ON ABSOLUTE POWER MONITORING

As mentioned in the previous section, the C/N0 (equivalently SINR) measurements are vulnerable to the spoofing attack. This is because the spoofer can set up its TSP such that the C/N0 does not change considerably at the receiver side. However, if the receiver is capable of analyzing the absolute received power within a certain accuracy level, the receiver vulnerability against the spoofing attack can be reduced significantly. A spoofing-aware receiver should be able to monitor the noise floor to detect any unusual noise level increase due to the spoofing interference. In addition, the ability of the receiver to monitor the absolute received power of each individual PRN signal increases its resistance against spoofing signals whose power is considerably higher than the typical power level of the authentic GPS signals.

The incremental receiver hardware required to facilitate an absolute power measurement within an uncertainty of about 2 dB is trivial, especially in the context of monolithic application-specific integrated circuit (ASIC) integration. However, an additional factory calibration step will be required. On the basis of this, it is very reasonable to consider absolute power measurements as a readily available spoofer countermeasure.

Figure 6 compares the spoofing vulnerability region for a C/N0 monitoring receiver versus an absolute power monitoring receiver. It has been assumed that the absolute power monitoring receiver is able to discriminate the elevated noise floor as well as higher power PRN signals within a 2 dB accuracy range. In other words, this receiver is able to discriminate those signals whose absolute power is 2 dB or more higher than the maximum possible received power of the GPS L1 C/A signal, which is −153 dBW [15]. Also, this receiver is capable of detecting a 2 dB increase in noise floor from its desired value. However, the C/N0 monitoring receiver is only able to discriminate the signals whose SINR is higher than the maximum possible SINR of the GPS L1 C/A signal (this value is assumed to be 21.8 dB for $T_c = 1$ ms and temperature = 300 K).

Therefore, the C/N0 monitoring receiver is vulnerable to those signals whose SINR is higher than the detection SINR threshold and lower than the maximum SINR level of authentic GPS signals. This vulnerability region has been depicted in Figure 6. It is shown that for a spoofer whose TSP is equally divided among 16 PRNs, the C/N0 monitoring is vulnerable to TSPs higher than -145 dBW. However, the vulnerability region of the absolute power monitoring receiver is limited to those signals whose SINR is above the detection threshold, and their absolute power is below the maximum allowable GPS L1 power level. In this case, the vulnerability region is limited to the TSP value above which the receiver noise floor increases more than 2 dB. Hence, as depicted in Figure 6, the vulnerability region of the absolute power monitoring receiver is much smaller than the vulnerability region of the C/N0 monitoring receiver. Furthermore, if the receiver is able to detect the absolute receiver power more accurately, it can considerably reduce the size of its vulnerability window in the presence of a spoofing attack.

[Figure 6 plot. X axis: Total Spoofing Power (TSP) [dBW]. Left Y axis: SINR [dB]. Right Y axis: Noise Floor Estimate [dBW] (@ Tc = 1 ms). Legend: Maximum SINR of GPS signal at Tc = 1 ms; Spoofing Signal SINR (N-spoof = 16); Boundary for Maximum Absolute Power (-151 dBW); SINR Threshold for Detection (P-Fa = 10^-3); Noise Floor Estimate (right side Y axis); 2 dB Noise Floor Increase. Marked regions: Vulnerability Region for Spoofing Detection based on Absolute Power Analysis; Vulnerability Region for Spoofing Detection based on C/N0.]

Figure 6. Vulnerability region comparison of C/N0 versus absolute power monitoring techniques.
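The two monitoring strategies compared above can be put side by side on a few measurements. The following Python sketch is an added illustration, not code from the paper. It uses the thresholds quoted in the text (-153 dBW, 2 dB, 21.8 dB) and assumes a calibrated nominal noise floor, post-correlation SINR computed as power minus noise floor, and constructed measurement pairs.

```python
# Thresholds quoted in the text; the measurements below are constructed.
MAX_GPS_POWER_DBW = -153.0  # maximum received GPS L1 C/A power [15]
ACCURACY_DB = 2.0           # absolute power / noise floor accuracy
MAX_GPS_SINR_DB = 21.8      # maximum authentic SINR (Tc = 1 ms, 300 K)
# Assumption: calibrated nominal noise floor, chosen so that a -153 dBW
# signal gives the 21.8 dB maximum SINR quoted in the text.
NOMINAL_NOISE_FLOOR_DBW = MAX_GPS_POWER_DBW - MAX_GPS_SINR_DB


def cn0_monitor(prn_power_dbw, noise_floor_dbw):
    """Ratio-only check: alarm when SINR exceeds the authentic maximum."""
    sinr_db = prn_power_dbw - noise_floor_dbw
    return ["sinr_above_max"] if sinr_db > MAX_GPS_SINR_DB else []


def absolute_power_monitor(prn_power_dbw, noise_floor_dbw):
    """Absolute checks: per-PRN power ceiling and noise floor rise."""
    alarms = []
    if prn_power_dbw >= MAX_GPS_POWER_DBW + ACCURACY_DB:
        alarms.append("prn_power_too_high")
    if noise_floor_dbw - NOMINAL_NOISE_FLOOR_DBW >= ACCURACY_DB:
        alarms.append("noise_floor_elevated")
    return alarms


# Constructed (PRN power [dBW], noise floor estimate [dBW]) pairs.
SAMPLES = {
    "authentic": (-158.0, -174.8),
    "spoof_strong_clean": (-150.0, -174.8),       # high power, no added noise
    "spoof_strong_with_noise": (-148.0, -168.0),  # raised floor hides the ratio
    "spoof_inside_window": (-155.0, -173.5),      # below both absolute limits
}


def evaluate(samples=SAMPLES):
    """Return {name: (C/N0 alarms, absolute power alarms)}."""
    return {name: (cn0_monitor(p, n), absolute_power_monitor(p, n))
            for name, (p, n) in samples.items()}


if __name__ == "__main__":
    for name, (cn0, absolute) in evaluate().items():
        print(f"{name:24s} C/N0: {cn0 or 'pass'}  absolute: {absolute or 'pass'}")
```

The third sample passes the C/N0 check because the raised noise floor keeps the ratio below 21.8 dB, while both absolute checks fire; the fourth sample lies in the residual window that neither check covers.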

6. CONCLUSION

An analysis of the vulnerability of GPS receivers to spoofing signals during the acquisition phase has been given. It has been shown that the C/N0 measurement alone is not an effective means of spoofing discrimination. As shown, a spoofer is capable of transmitting higher power signals and/or additional noise to elevate the noise floor estimate in the receiver processing. In this case, because of the noise floor increase, the C/N0 of the authentic signals reduces, which leads to the deterioration of the receiver detection performance. It was shown that absolute power monitoring techniques enable the receiver to analyze the absolute noise floor as well as the absolute power of the correlation peaks. It has been shown that observations of the absolute power can be used to considerably reduce the effectiveness of the spoofing attack. This effectiveness comes about from the spoofer having to operate in a very small range of received power at the GPS receiver.

APPENDIX A: DETECTION THRESHOLD CALCULATION BASED ON PROBABILITY OF FALSE ALARM

On the basis of (11), the false alarm probability for a given Doppler and code phase can be calculated using the following equation:

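$$P_{FA\text{-}cell} = \int_{D_{th}}^{\infty} p(D \mid H_0)\, dD = \int_{D_{th}}^{\infty} \frac{1}{2\sigma^2} \exp\left(-\frac{D}{2\sigma^2}\right) dD = \exp\left(-\frac{D_{th}}{2\sigma^2}\right) \tag{A1}$$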

For correct detection, a false alarm must not occur in any of the CAF cells. Therefore, considering independent CAF cells, the false alarm probability of the total CAF can be defined as follows:

$$P_{FA\text{-}system} = 1 - \left(1 - P_{FA\text{-}cell}\right)^{N_c} \tag{A2}$$

and therefore,

$$P_{FA\text{-}cell} = 1 - \left(1 - P_{FA\text{-}system}\right)^{\frac{1}{N_c}} \tag{A3}$$

On the basis of the aforementioned calculations, the detection threshold can be defined as follows:

$$D_{th} = -2\sigma^2 \ln\left[P_{FA\text{-}cell}\right] = -2\sigma^2 \ln\left[1 - \left(1 - P_{FA\text{-}system}\right)^{\frac{1}{N_c}}\right] \tag{A4}$$
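The threshold calculation of (A1)–(A4) can be checked numerically. The following Python sketch is an added illustration, not code from the paper: it computes the threshold and then verifies by Monte Carlo simulation that independent, exponentially distributed noise-only cells (the H0 density in A1) produce the intended system false alarm rate. The values of N_c, σ² and the false alarm probabilities used in it are constructed sample values.

```python
import math
import random


def cell_pfa(pfa_system, n_cells):
    """(A3): per-cell false alarm probability for n_cells independent cells."""
    # expm1/log1p keep precision when pfa_system is small and n_cells large.
    return -math.expm1(math.log1p(-pfa_system) / n_cells)


def detection_threshold(pfa_system, n_cells, sigma2):
    """(A4): D_th = -2 * sigma^2 * ln(P_FA-cell)."""
    return -2.0 * sigma2 * math.log(cell_pfa(pfa_system, n_cells))


def system_pfa(d_th, n_cells, sigma2):
    """(A1) then (A2): system false alarm probability for a given threshold."""
    p_cell = math.exp(-d_th / (2.0 * sigma2))
    return -math.expm1(n_cells * math.log1p(-p_cell))


def simulate_system_pfa(d_th, n_cells, sigma2, trials, seed=1):
    """Fraction of noise-only CAFs in which at least one cell exceeds d_th."""
    rng = random.Random(seed)
    rate = 1.0 / (2.0 * sigma2)  # under H0, D is exponential with mean 2*sigma^2
    false_alarms = 0
    for _ in range(trials):
        if any(rng.expovariate(rate) > d_th for _ in range(n_cells)):
            false_alarms += 1
    return false_alarms / trials


if __name__ == "__main__":
    sigma2 = 1.0  # constructed noise variance
    for n_cells in (1, 50, 1000):  # constructed search-space sizes
        d_th = detection_threshold(1e-3, n_cells, sigma2)
        print(f"Nc={n_cells:5d}  D_th={d_th:.3f}")
    d_th = detection_threshold(0.05, 50, sigma2)
    print("simulated P_FA-system:", simulate_system_pfa(d_th, 50, sigma2, 20000))
```

For a fixed system false alarm probability the threshold grows with the number of CAF cells, because each cell must be held to a proportionally lower false alarm rate.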

REFERENCES

1. Hwang S, Shynk JJ. A null despreader for interference suppression in GPS. International Journal of Satellite Communications and Networking 2011; 29(4):315–332, John Wiley Publications.

2. Montgomery PY, Humphreys TE, Ledvina BM. Receiver-autonomous spoofing detection: experimental results of a multi-antenna receiver defense against a portable civil GPS spoofer. ION 2009 International Technical Meeting, Anaheim, CA, 26–28 January 2009.

3. Forssell B. The dangers of GPS/GNSS. Coordinates magazine 2009; V(2):6–8.

4. Humphreys TE, Ledvina BM, Psiaki ML, O’Hanlon BW, Kintner PM. Assessing the spoofing threat: development of a portable GPS civilian spoofer. ION GNSS 21st International Technical Meeting of the Satellite Division, Savannah, GA, 16–19 September 2008.

5. Shepard D, Humphreys T. Characterization of Receiver Response to a Spoofing Attack. Proceedings of ION GNSS 2011, Portland, OR, September 2011; 2608.

6. Ledvina BM, Bencze WJ, Galusha B, Miller I. An In-line Anti-spoofing Device for Legacy Civil GPS Receivers. Institute of Navigation ITM: San Diego, CA, 2010.

7. Nielsen J, Broumandan A, Lachapelle G. GNSS Spoofing Detection for Single Antenna Handheld Receivers. Journal of the Institute of Navigation 2011; 58(4):335–344.


8. Scott L. Anti-spoofing & authenticated signal architecture for civil navigation systems. 16th International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GPS/GNSS 2003), Portland, OR, 9–12 September 2003.

9. McDowell CE. GPS Spoofer and Repeater Mitigation System using Digital Spatial Nulling. US Patent 7250903 B1, 2007.

10. Wen H, Huang PY, Dyer J, Archinal A, Fagan J. Countermeasures for GPS signal spoofing. ION GNSS 18th International Technical Meeting of the Satellite Division, Long Beach, CA, 13–16 September 2005.

11. Jafarnia-Jahromi A, Lin T, Broumandan A, Nielsen J, Lachapelle G. Detection and Mitigation of Spoofing Attack on a Vector Based Tracking GPS Receiver. In The International Technical Meeting ITM 2012, Institute of Navigation: Newport Beach, CA, 30 Jan – 1 Feb; 790–800.

12. Van Dierendonck AJ. Determination of C/A code self-interference using cross-correlation simulations and receiver bench tests. ION GPS 2002, Portland, OR, 24–27 September 2002.

13. O’Driscoll C. Performance analysis of the parallel acquisition of weak GPS signals. Ph.D. Thesis, Department of Electrical and Electronic Engineering, National University of Ireland, Cork, 2007.

14. Kay SM. Fundamentals of Statistical Signal Processing, Volume II: Detection Theory. Prentice Hall Signal Processing Series, Upper Saddle River, New Jersey 07458, 1998; 187–189.

15. Kaplan ED, Hegarty CJ. Understanding GPS Principles and Applications (2nd edn). Artech House: Boston, London, 2006; 113–153.

AUTHORS’ BIOGRAPHIES


Ali Jafarnia Jahromi is a Ph.D. student in the Position, Location and Navigation (PLAN) group of Geomatics Engineering Department of University of Calgary. He received his B.Sc. and M.Sc. degrees in Telecommunications Engineering from Amirkabir University of Technology, in 2006 and 2009 respectively. His research interests include signal processing in GNSS applications, statistical signal processing, array processing and GNSS software receiver design.

Dr. Ali Broumandan received his Ph.D. from the Department of Geomatics Engineering, the University of Calgary (2009). He holds a MSc. degree from the Department of Electrical and Computer Engineering, University of Tehran (2006). His current research focuses on GNSS software receiver, array processing and detection and estimation theory.


Dr. John Nielsen is an Associate Professor in the Department of Electrical and Computer Engineering of University of Calgary. Two main areas of his research are Ultra-Wideband technology that is applicable for high rate data communications and short-range imaging radar. The other area is mobile positioning based on TOA/AOA using CDMA and GPS signals.

Professor Gérard Lachapelle is a Professor and Canada Research Chair in Wireless Location in the PLAN Group. He has been involved with GPS developments and applications since 1980. His research ranges from precise positioning to GNSS signal processing.
