A Testbed for Developing and Evaluating GNSS
Signal Authentication Techniques
Todd Humphreys, Jahshan Bhatti, Daniel Shepard, and Kyle Wesson
Abstract—An experimental testbed has been created for developing and evaluating Global Navigation Satellite System (GNSS) signal authentication techniques. The testbed advances the state of the art in GNSS signal authentication by subjecting candidate techniques to the strongest publicly-acknowledged GNSS spoofing attacks. The testbed consists of a real-time phase-coherent GNSS signal simulator that acts as spoofer, a real-time software-defined GNSS receiver that plays the role of defender, and post-processing versions of both the spoofer and defender. Two recently-proposed authentication techniques are analytically and experimentally evaluated: (1) a defense based on anomalous received power in a GNSS band, and (2) a cryptographic defense against estimation-and-replay-type spoofing attacks. The evaluation reveals weaknesses in both techniques; nonetheless, both significantly complicate a successful GNSS spoofing attack.
Keywords: Cryptographic signal authentication, GNSS security, GNSS spoofing detection.
I. INTRODUCTION
Authentication of civil Global Navigation Satellite System (GNSS) signals is increasingly a concern. Spoofing attacks, in which counterfeit GNSS signals are generated for the purpose of manipulating a target receiver’s reported position or time, have been demonstrated with low-cost commercial equipment against a wide variety of civil Global Positioning System (GPS) receivers [1]–[3]. Such attacks threaten the security of financial transactions, communications, power distribution, and transportation, which all depend on GNSS signals for accurate positioning and timing [4]–[8].
Whereas the military GPS waveform is by design unpredictable and therefore resistant to spoofing [9], civil GPS waveforms—and those of other civil GNSS—are unencrypted, unauthenticated, and openly specified in publicly-available documents [10], [11]. Also, although not entirely constrained by the signal specifications, the navigation data messages modulating these civil waveforms are highly predictable. The combination of known signal structure and data bit predictability makes civil GNSS signals an easy target for spoofing attacks.
A number of promising methods are currently being developed to defend against civil GNSS spoofing attacks. These can be categorized as (1) receiver-autonomous signal-processing-based techniques, which require no antenna motion or specialized hardware apart from the GNSS receiver itself [12]–[18]; (2) receiver-autonomous antenna-based techniques, which require antenna motion or specialized antenna hardware [19]–[25]; (3) receiver-autonomous techniques based on fusing GNSS observables with measurements from non-GNSS sensors such as inertial sensors [26]; (4) cryptographic techniques that require signal specification modifications to overlay unpredictable but verifiable modulation on existing or future civil GNSS signals [27]–[29]; and (5) techniques that exploit the existing encrypted military signals to offer civil GPS signal authentication for networked GPS receivers [30]–[33]. The best protection against GNSS spoofing will likely involve a combination of these.
Authors’ addresses: Todd Humphreys, Jahshan Bhatti, and Daniel Shepard, Department of Aerospace Engineering, The University of Texas at Austin, Austin TX, 78712, Email: (todd.humphre[email protected]s.edu), (jahshan@utexas.edu), (dshepard.ut@gmail.com). Kyle Wesson, Department of Electrical and Computer Engineering, The University of Texas at Austin, Austin TX, 78712, Email: (kyle.wesson@utexas.edu).
Existing and proposed GNSS signal authentication schemes are all premised on hypothesis tests involving statistical models for the authentic and counterfeit GNSS signals. In general, the statistics of the null hypothesis (only authentic signals present) are well known and readily verified by laboratory experiment, but the statistics of the alternative hypothesis (spoofing attack underway) are poorly characterized, for two reasons. First, the exact parameters of a spoofing attack (e.g., spoofing signal power, number of spoofing signal transmitters, initial spoofing signal code and carrier phase alignment with authentic signals, etc.) are typically unknown to a defender; at best a defender can assume only an approximate probability distribution for such parameters. Second, in constructing a model to describe the alternative hypothesis, one often makes simplifying assumptions to facilitate analytical treatment of the detection problem. Thus, even if the spoofing parameters were perfectly known, the modeled distribution and the true distribution may differ in important ways.
The uncertainty involved in characterizing the alternative hypothesis points to the need for model validation via experiment. Unfortunately, GNSS signal generation hardware capable of the most sophisticated spoofing attacks is neither commercially available nor straightforward to construct. Thus, for example, experimental validation of the authentication technique proposed in [30] was limited to the null hypothesis, and validation of the technique proposed in [15] was limited to an unsophisticated repeater-spoofer attack scenario, which, as will be shown herein, led to an overly optimistic performance assessment. A testbed capable of simulating sophisticated and realistic spoofing attacks is needed so that the efficacy of proposed GNSS signal authentication techniques can be experimentally evaluated.
This paper makes two primary contributions. First, it describes an experimental testbed that has been created for developing and evaluating GNSS signal authentication techniques. The testbed consists of a software-defined real-time phase-coherent GNSS signal simulator capable of carrying out sophisticated spoofing attacks, a real-time software-defined GNSS receiver that plays the role of defender, and post-processing versions of both the spoofer and defender. Previous work has exercised the testbed or its spoofer component [2], [3], [29], [32], [34]–[36], but this paper is the first to describe the testbed as such and to offer a comprehensive view of its capabilities. The paper’s second primary contribution is an analytical and experimental evaluation of two recently-proposed civil GNSS signal authentication techniques, the received power spoofing detector proposed in [15] and the security code estimation and replay (SCER) attack defense proposed in [29]. In the course of evaluating the SCER attack defense, the paper details how the defense can be implemented in practice within a GNSS receiver. This will be useful for receiver manufacturers in the event that proposed techniques for modulating cryptographic signatures on broadcast civil GNSS signals get implemented [28], [37].
The following section describes the testbed. Thereafter, the two signal authentication schemes are introduced and evaluated.
II. TESTBED DESCRIPTION
The real-time version of the signal authentication testbed consists of an advanced version of the GPS L1 C/A spoofer originally presented in [1] and a real-time software-defined GNSS receiver that plays the role of defender. A post-processing version of the testbed has also been developed to allow more flexibility in iterated testing of various spoofer and defender strategies. Schematics of both versions are shown in Fig. 1.
In the real-time testbed, the spoofer ingests authentic GPS L1 radio-frequency (RF) signals and outputs a counterfeit GPS L1 C/A RF signal ensemble. The counterfeit ensemble is combined with the original authentic signal ensemble in an RF combiner, and the composite authentic-counterfeit ensemble is directed to a software-defined GPS receiver. The spoofer can operate using its internal temperature-compensated crystal oscillator, but is most often driven by a higher-quality external oscillator to ensure minimal apparent variation in the time solution implied by the counterfeit signal ensemble.
In the post-processing testbed all signal processing downstream of the RF front-end operates on digital samples instead of analog RF signals. The end-to-end processing sequence is as follows: (1) the incoming authentic GPS L1 signals are digitized and stored, (2) the spoofer ingests the stored digital signals and outputs signals in a digital form, (3) the spoofer’s output signals are combined with the digitized authentic signal stream via sample-wise digital multiplexing, (4) the receiver operates directly on the multiplexed digital data.
A. Spoofer
The University of Texas GPS spoofing device, shown in Fig. 2, is an advanced version of the original spoofer introduced in [1]. To the authors’ knowledge, it is the most sophisticated publicly-acknowledged spoofing device. The latest version is capable of simultaneously tracking and spoofing up to 14 GPS L1 C/A signals while continuously attempting to acquire emerging GPS satellite signals. Other key features of the spoofer relevant to the testbed are phase alignment, navigation data bit prediction, variable output attenuation, noise padding, arbitrary generation of parity-correct navigation data streams, and SCER attack capability.
[Figure 1: two block diagrams titled “Real-Time Testbed” and “Post-Processing Testbed”.]
Fig. 1. Schematics depicting the real-time and post-processing versions of the signal authentication testbed. Thin lines in both schematics represent coaxial cables conveying analog signals, whereas thick lines in the lower schematic represent digital data streams.
Fig. 2. The University of Texas real-time GPS spoofing device. The device as shown here is configured for over-the-air transmission but is only used as such in authorized tests [2], [3], [38]. More commonly, the spoofer’s output signals are conveyed to the target receiver by coaxial cable or digital data. The computer shown atop the spoofing device runs a client application that allows a user to monitor and control a spoofing attack over a wireless or wireline network. The client-spoofer network connection is insensitive to latencies of hundreds of milliseconds, which permits a spoofing attack to be controlled remotely over the Internet.
1) Phase Alignment: The spoofer receives authentic civil GPS L1 C/A and GPS L2C signals and generates counterfeit GPS L1 C/A signals that are code-phase aligned with their authentic counterpart signals to within a few nanoseconds.
In the real-time testbed, code-phase alignment is achieved by signal feedback. During a post-turn-on calibration phase, the spoofer acquires and achieves phase and data lock on all available authentic GPS L1 C/A signals. It then generates a simulated RF GPS signal whose spreading code is different from those modulating each of the authentic signals. It feeds this unique signal back from its RF output to its RF input via an internal RF switch. At this point, the spoofer is able to acquire and track its own feedback signal in addition to the available authentic signals. By measuring the average offset between the feedback signal’s received and transmitted code phase over an interval of time, the spoofer is able to precisely determine its own digital and analog latency. The latency, which amounts to approximately 5 ms, varies from turn-on to turn-on but remains constant to within the measurement precision thereafter, as can be verified by repeated calibration.
In the post-processing testbed, there is no need to compensate for processing latency, but the output of the digital input/output (I/O) spoofer must nonetheless be nanosecond-aligned with the digitized authentic signal stream. This is effected by sample-level adjustment in the digital combiner and sub-sample-level adjustment in the digital I/O spoofer.
As the spoofer attempts to induce a position or timing deviation in the target receiver by shifting the code phase of its counterfeit signals, it can adopt either of two strategies with respect to carrier phase generation. In the default mode, the rate of change of its signals’ carrier phase is proportional to the rate of change of the corresponding code phase. Let $\dot{\tau}$ and $\dot{\theta}$ represent the rate of change of code phase and carrier phase, in seconds per second and radians per second, respectively. Then in the spoofer’s default mode these are related by
$$\dot{\theta} = 2\pi f_c \dot{\tau} \tag{1}$$
where $f_c$ is the GPS L1 frequency in Hz.
In an alternative mode, the so-called frequency lock mode, the spoofer maintains approximately fixed whatever initial carrier phase offset arises between its counterfeit signals and the authentic signals even as it shifts the code phase of its counterfeit signals to induce a position or timing deviation in the target receiver. This ability to approximately lock the relative (counterfeit-to-authentic) carrier phase even while shifting the relative (counterfeit-to-authentic) code phase enables the spoofer to evade some spoofing detection strategies that are designed to watch for the rapid amplitude variations caused by interacting authentic and counterfeit phasors of comparable magnitude when the authentic and counterfeit $\dot{\theta}$ values differ. However, when operating in the frequency-lock mode, the spoofer is limited to a code phase pulloff rate that lies within the target receiver’s code tracking loop bandwidth, which can be as low as 0.05 Hz for carrier-aided code tracking [39]; otherwise, the target receiver will lose code lock on the counterfeit signals and the attack will be unsuccessful.
The spoofer makes no attempt to align its signals’ carrier phases to those of the authentic signals. Nonetheless, by virtue of its carrier phase tracking and phase-locked signal generation, the real-time spoofer achieves nearly perfect phase coherence with the authentic signals during initial alignment (before tracking loop pulloff is attempted). More precisely, the differential Doppler frequency between each counterfeit signal and its authentic counterpart, as seen by the target receiver, is less than 0.01 Hz, a small offset that arises due to a linear approximation of the carrier phase trajectory over the 5-ms latency interval. In the post-processing testbed, differential Doppler is insignificant.
Precise carrier phase alignment would allow for more potent spoofing attacks, as it would enable generation of anti-phase signals that, if properly amplitude-matched, could annihilate each authentic signal. The spoofer could then generate a secondary ensemble of spoofing signals, in addition to the first anti-phase signal ensemble, which would be free of the telltale phase and amplitude variations caused by interaction with the authentic signals. However, such carrier phase alignment may only be practically possible under controlled laboratory conditions, as it would require spoofer-to-target relative position knowledge to within a small fraction of the carrier wavelength, which is approximately 19 cm for GPS L1. Indeed, the practical difficulty of carrier phase alignment in the field is the premise of the spoofing defense in [36].
2) Navigation Data Bit Prediction: To initialize an attack with an induced position, velocity, and timing solution that is indistinguishable from the authentic solution, it is not enough for the spoofer to achieve code-phase alignment with the authentic signals; it must also align its simulated navigation data bits with those of the authentic signals. However, due to processing, geometrical, and cable delays, it is impossible for the real-time spoofer to read the value of the navigation data bits off the air and replay them accurately and without delay. Indeed, this impossibility is precisely what makes navigation message authentication effective for GPS signal authentication, as discussed in [28] and [29].
Rather than read the navigation data bits off the air for immediate replay, the real-time spoofer takes advantage of the near perfect predictability of the navigation data that modulate the GPS L1 C/A signals. Over the course of a 12.5-minute superframe, the spoofer collects the data bits corresponding to each tracked GPS satellite. Alternatively, the spoofer can obtain the 12.5-minute superframe for each satellite from its control computer, which has access to a network of software-defined receivers of the type described in [40] and [41] that continuously generate intact superframes. Thereafter, the real-time spoofer compensates for its 5-ms processing delay, and for geometrical and cable delays, by predicting the value of the navigation data stream slightly more than 5 ms in advance. In this way, the spoofer can achieve meter-level alignment between its signals and the authentic ones at the location of a target receiver.
3) Variable Output Attenuation: Before exiting the real-time spoofer, counterfeit signals pass through an attenuator with a 31.5-dB range whose attenuation value can be set dynamically by the spoofer’s control computer. This enables the spoofer to finely adjust the so-called spoofer power advantage, or the ratio of the power of the counterfeit signal ensemble to the power of the authentic signal ensemble as seen by the target receiver.
In the post-processing testbed, spoofer power advantage is adjusted by the digital combiner, which multiplexes blocks of $n_s$ spoofing and $n_a$ authentic samples, where $n_s$ and $n_a$ are user-defined integers. By properly adjusting the ratio $n_s/n_a$, a user can approximately achieve any reasonable spoofer power advantage.
4) Noise Padding: The signal ensemble generated by the testbed’s spoofer contains only a modest amount of noise. In other words, the native noise floor of the output signal ensemble is low—much lower than the noise floor present at the output of a high-quality GPS receiver’s low-noise amplifier (LNA). To appreciate the consequence of this low native noise floor, consider that if the spoofer is configured to generate only a single output GPS L1 C/A signal, corresponding to a single pseudo-random number (PRN) code, the native $C/N_0$ of the output signal exceeds 60 dB-Hz. Of course, when more simulated GPS signals are added to the ensemble, the $C/N_0$ associated with any one of the signals drops due to multiple-access interference.
A low native noise floor would not be a problem for the spoofer if it were always configured to match the power of each counterfeit signal to that of the corresponding authentic signal at the RF input to the target receiver. In this case, the noise floor observed by the target receiver is essentially determined by the LNA in the receiver’s own front-end. But in some cases it may be advantageous for the spoofer to significantly overpower the authentic signals; for example, to eliminate interaction with them. In these cases, if the spoofer is generating a small number of simulated signals, the $C/N_0$ values registered by the target receiver for each received GPS signal become unnaturally high, owing to the low native noise floor of the spoofer’s output ensemble. When generating a large number of signals—approximately 13 or more—the signals’ mutual interference is sufficient to establish an appropriate noise floor for any particular spoofed signal.
To prevent unnaturally high $C/N_0$ values, the spoofer can be configured to add a variable level of “noise padding”—broadband interference—to its own output ensemble. In this way, the spoofer can dictate a maximum $C/N_0$ value for each of its output signals even while transmitting at high power.
5) Arbitrary Navigation Message Generation: In its default mode, the spoofer attempts to exactly match the data it modulates onto its counterfeit signals with the true navigation data on the corresponding authentic signals. This data-bit matching fails only in three circumstances: (1) during the first 18 seconds after a 2-hour GPS time boundary, when the GPS satellites begin broadcasting new ephemeris parameters in frames 1-3; (2) during a 12.5-minute superframe in which one or more satellites begin broadcasting new almanac data in frames 4-5, which occurs roughly once per day for each satellite; and (3) when the GPS satellites change reserved bits, which they occasionally do for reasons related to military receiver security. Other than in these situations, the spoofer’s data bit matching is exact.
In some situations it may be advantageous for the spoofer to modulate its counterfeit signals with arbitrary data instead of matching the true navigation data streams bit-for-bit. This may be desirable, for example, to support a data manipulation attack, as in [42]. The testbed’s spoofing device is capable of generating such arbitrary modulating data. For stealth and convenience, it does impose some structure on the data: (1) it maintains the legacy GPS subframe, frame, and superframe data format, (2) it populates the Handover Word (HOW) and the Telemetry Word (TLM) to match the authentic signals, (3) it respects data bits that are fixed in the GPS interface specification, and (4) it ensures that the data streams satisfy standard GPS L1 C/A parity checking.
6) SCER Attack Capability: The spoofer is capable of executing a so-called security code estimation and replay (SCER) attack. This attack targets cryptographic spoofing defenses in which an unpredictable (to the spoofer) security code modulates the transmitted GPS signal, whether as a component of the navigation data stream (navigation message authentication) or as higher-rate modulation.
When configured for a SCER attack, the spoofer seeks to estimate as best it can each security code chip value of each GPS signal that it intends to spoof. Its estimate for any particular chip is no better than a random guess at the beginning of the chip but improves rapidly thereafter. For a signal with received carrier-to-noise of $C/N_0$ = 54 dB-Hz, which is the highest that can be expected from a standard single-element hemispherical-gain-pattern GNSS antenna [43], the spoofer’s chip estimation error becomes negligible after only 8 µs of averaging [29]; for more modest $C/N_0$, a few tens of µs is sufficient. As the spoofer obtains an estimate of each successive security code chip, it immediately injects this estimate into its signal replica generator, which is primed with up-to-date spreading code and carrier replicas. Thus the spoofer can approximately replicate even security-enhanced GNSS signals.
B. Defender
Opposite the spoofer in the real-time and post-processing testbeds sits a software-defined GNSS receiver that plays the role of defender. All digital signal processing downstream of the defender’s RF front end is implemented in software on a (possibly multi-core) general-purpose processor. A software-defined receiver is well-suited for the role of defender because it is flexible enough to support rapid implementation and testing of a wide range of proposed defense strategies.
The particular software-defined receiver incorporated in the testbed, called GRID, is the result of nearly a decade of collaboration between the University of Texas at Austin and Cornell University [40], [41], [44], [45]. It has been designed for single- or multi-core platforms and has been implemented on Intel x86, Texas Instruments, and ARM processors. For efficient processing, key features of the receiver are its bit-wise parallel correlation strategy [46]–[48], its parallel architecture for multi-core implementation [45], and its use of SIMD instructions. Individually, and in combination, these features enable efficient signal processing despite the receiver being implemented on a general-purpose processor. On a 6-core processor, for example, GRID is capable of tracking 1150 parallel 5.7 Msps-sampled (real) GPS L1 C/A signals in real time.
Other key features of GRID useful for evaluating candidate signal authentication strategies are
1) access to raw 12-to-16 bit quantized digital samples prior to automatic gain control, which makes it possible to accurately measure changes in received in-band power;
2) a multi-tap correlation architecture, which allows examination of the correlation profile at arbitrary tap locations and with arbitrary density; and
3) sample-wise access to the product of the incoming signal and the local signal replica, which allows formulation of the detection statistic required in the SCER attack defense.
Details of these features will be introduced as needed in subsequent sections.
III. EVALUATION OF THE RECEIVED POWER DEFENSE
For an important class of spoofing attacks, an admixture of authentic and spoofed GNSS RF signals is incident on the defender’s antenna, which increases the total received power $P_T$ in a GNSS band of interest beyond levels typically measured in the absence of spoofing. This observation suggests a low-complexity signal authentication strategy in which the defender chooses the null hypothesis $H_0$ (no spoofing attack underway) when $P_T$ is within a nominal range, and the alternative hypothesis $H_1$ (spoofing attack underway) when $P_T$ falls outside the nominal range. Indeed, this defense is proposed in [15] as “an extremely powerful means to detect spoofing, making spoofing no more of a threat than the much less sophisticated radio interference/jamming.” This section evaluates the received power defense to determine whether it is indeed as potent as advertised.
A. Underlying Assumptions
Signal authentication based on $P_T$ depends crucially on two assumptions, discussed below.
1) The Admixture Assumption: The received power defense assumes that a full admixture of counterfeit and authentic GNSS signals is present in the received band. If instead the attacker is able to partially or completely eliminate the authentic signals received by the defender, whether by annihilating these with anti-phase spoofing signals or, more simply, by covering the target antenna with an RF shield, then the attacker can prevent the defender’s $P_T$ from changing significantly during an attack.
The admixture assumption is reasonable in cases where (1) physical security prevents the attacker from gaining physical access to the defender’s antenna, and (2) the attacker does not know the location of the defender’s antenna to centimeter-level accuracy and so cannot mount an authentic-signal-annihilation attack. It is worth noting that some GNSS applications of practical interest violate these conditions: physical security obviously cannot be ensured when the attacker is in possession of the target receiver, as with a GPS ankle monitor or a vessel monitoring system [6], and the usual practice of mounting a GNSS antenna with open-sky access may enable an attacker to estimate its precise location, especially in the case of a static antenna.
Ref. [15] argues that, with proper calibration, “it should be possible to detect if the receiver is operating in open sky conditions or is blocked.” But this is not the case, as one can appreciate with a simple thought experiment. Recall that the testbed’s spoofer can adjust its output power over a 31.5 dB range in increments of 0.5 dB, and can artificially adjust the noise floor of its output signal ensemble. Moreover, the spoofer can independently measure the contribution to $P_T$ due to ambient RF signals and background temperature and can accurately measure the relative $C/N_0$ of available GNSS signals. It follows that the spoofer can match both the absolute power of the authentic signal ensemble and the absolute $C/N_0$ value of each received GNSS signal. Thus, an attacker with physical access to a target receiver’s antenna could slip a metal enclosure with an interior transmit antenna over the target antenna without causing significant variation in the defender’s measured $P_T$ and $C/N_0$ values. Incidentally, this “tin bucket” attack is also problematic for the pincer defense introduced in [36] and for defenses based solely on $C/N_0$ monitoring, as in [14].
2) The Small Unpredictable Variations Assumption: The received power defense also assumes that unpredictable variations in $P_T$, owing, for example, to solar radiation or to man-made but non-spoofing RF signal interference, are either small compared to the variations caused by spoofing, or rare. Otherwise, the false alarm rate for the spoofing detection test will be unacceptably high. This assumption is tested in [15] by monitoring variations in the automatic gain control (AGC) voltage, a proxy for $1/P_T$, over several days in quiescent (non-spoofing) conditions, and by comparing these with variations in AGC voltage observed during a live spoofing attack. In all cases tested, the AGC values during the spoofing attack stand out clearly against the quiescent AGC values whenever the target receiver’s navigation solution is significantly affected. However, the attack executed in [15] does not permit determination of the minimum increase in $P_T$ for a successful spoofing attack because the target receiver is always moving toward or away from the spoofer, so the spoofer cannot attempt a slow-pulloff low-transmit power attack. Moreover, [15] does not attempt to characterize common but unpredictable variations in $P_T$ introduced by non-spoofing phenomena.
B. Detection Test
Signal authentication based on received signal power amounts to a binary hypothesis test in which the measurement $P_T$ can be modeled as
$$H_0: P_T = P_A + P_I + P_N, \tag{2a}$$
$$H_1: P_T = P_C + P_I + P_N \tag{2b}$$
where $P_A = \sum_i P_{A,i}$ is the received signal power from an ensemble of $n$ authentic GNSS signals in the absence of spoofing, $P_{A,i}$ being the power of the $i$th authentic signal; $P_I$ is the received power from all man-made non-spoofing RF interference sources; $P_N = N_0 B$ is the received power from spectrally-flat receiver noise with density $N_0$ passing through a one-sided RF front-end bandwidth $B$; and $P_C$ is the combined received power of the authentic and spoofing signals. The density $N_0$ is primarily determined by the noise figure of the receiver’s first-stage LNA but also includes broadband noise due to solar and black-body radiation.
1) Effect of Coherence: Because of possible coherence between the received counterfeit and authentic signals, the combined signal power $P_C$ is not simply a sum of the authentic and counterfeit signal powers. Let the total spoofing signal power that would be received in the absence of authentic signals be $P_S = \sum_i P_{S,i}$, with $P_{S,i}$ being the spoofing signal power corresponding to the $i$th authentic signal. Further, let each $P_{S,i}$ be decomposed as $P_{S,i} = P_{Sc,i} + P_{Sn,i}$, where $P_{Sc,i}$ is the component of spoofing power that is coherent with the $i$th authentic signal and $P_{Sn,i}$ is the non-coherent component. The coherent component is assumed to have phase offset $\phi_i$ with respect to the $i$th authentic signal. One can now write $P_C$ as
$$P_C = \sum_{i=1}^{n} \left[ \sqrt{P_{A,i}} + \cos(\phi_i)\sqrt{P_{Sc,i}} \right]^2 + \sin^2(\phi_i) P_{Sc,i} + P_{Sn,i} \tag{3}$$
This expression indicates that, for each $i$, the noncoherent component $P_{Sn,i}$ adds directly to $P_C$, as does $\sin^2(\phi_i) P_{Sc,i}$, which is the power in the coherent component that lies in phase quadrature to the authentic signal. By contrast, $\cos^2(\phi_i) P_{Sc,i}$, which is the spoofing power component that is phase aligned with the authentic signal, does not add directly to $P_C$ but instead interacts with the authentic signal as shown. For $k \in \mathbb{Z}$, the $i$th spoofing signal contributes maximally to $P_C$ when $\phi_i = k2\pi$ (phase alignment), minimally when $\phi_i = (1 + 2k)\pi$ (anti-phase alignment), and power-additively—as if a purely noncoherent signal—when $\phi_i = (1/2 + k)\pi$ (orthogonal alignment).
It is interesting to note that if the phase offsets $\varphi_i$ are treated as independent random variables uniformly distributed on $[0, 2\pi]$, then the expected value of $P_C$ is equivalent to the $P_C$ that arises in the case of purely noncoherent spoofing signals; i.e.,
$$E[P_C] = P_A + P_S$$
Moreover, because the variance of $P_C$ goes inversely with the number of signals $n$, it follows that for large $n$ and $\varphi_i \sim U[0, 2\pi]$, $P_C$ can be approximated as
$$P_C = P_A + P_S \tag{4}$$
However, the independence condition on the $\varphi_i$ can be violated in practice by a spoofer with wavelength-level knowledge of the defender's antenna position, because in this case the spoofer can generate an ensemble of counterfeit signals at least some of whose $\varphi_i$ will be similar. This has been demonstrated in the laboratory with this paper's testbed, as shown in Fig. 3. Outside the laboratory, however, violating (4) is only slightly less challenging for the spoofer than nulling the authentic signals.
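The behaviour of (3) under aligned, anti-phase, orthogonal and random phase offsets can be checked numerically. The Python below is an added example, not code from the paper; unit authentic powers, fully coherent spoofing, and a 5 dB noise-to-authentic power ratio (`pn_over_pa`) are assumptions made for illustration.

```python
import math
import random

def combined_power(p_a, p_sc, p_sn, phi):
    """Eq. (3): combined power P_C for n authentic/spoofing signal pairs.

    p_a[i]  authentic power P_A,i        p_sc[i] coherent spoofing power P_Sc,i
    p_sn[i] non-coherent power P_Sn,i    phi[i]  coherent phase offset (rad)
    """
    total = 0.0
    for pa, psc, psn, ph in zip(p_a, p_sc, p_sn, phi):
        in_phase = (math.sqrt(pa) + math.cos(ph) * math.sqrt(psc)) ** 2
        quadrature = math.sin(ph) ** 2 * psc
        total += in_phase + quadrature + psn
    return total

def random_phase_stats(n, eta=1.0, trials=5000, seed=1):
    """Monte Carlo over independent phi_i ~ U[0, 2*pi] for n unit-power
    authentic signals (assumed) and fully coherent spoofing at advantage eta.
    Returns (mean of P_C, standard deviation of P_C divided by its mean)."""
    rng = random.Random(seed)
    p_a, p_sc, p_sn = [1.0] * n, [eta] * n, [0.0] * n
    samples = []
    for _ in range(trials):
        phi = [rng.uniform(0.0, 2.0 * math.pi) for _ in range(n)]
        samples.append(combined_power(p_a, p_sc, p_sn, phi))
    mean = sum(samples) / trials
    var = sum((s - mean) ** 2 for s in samples) / (trials - 1)
    return mean, math.sqrt(var) / mean

def common_phase_shift_db(phi_common, n=8, eta=1.0, pn_over_pa=10 ** 0.5):
    """Change in P_T (dB, relative to the pre-attack level) when every
    coherent spoofing signal shares the same phase offset and P_I = 0.
    pn_over_pa is an assumed ratio of noise power to total authentic power."""
    p_a_total = float(n)
    p_n = pn_over_pa * p_a_total
    p_c = combined_power([1.0] * n, [eta] * n, [0.0] * n, [phi_common] * n)
    return 10.0 * math.log10((p_c + p_n) / (p_a_total + p_n))

if __name__ == "__main__":
    for n in (8, 32):
        mean, rel = random_phase_stats(n)
        print(f"n={n:3d}  E[P_C]={mean:7.2f}  std/mean={rel:.3f}")
    for name, ph in (("aligned", 0.0), ("orthogonal", math.pi / 2),
                     ("anti-phase", math.pi)):
        print(f"{name:11s} P_T shift = {common_phase_shift_db(ph):+.2f} dB")
```

With independent phases the relative spread of $P_C$ shrinks as $n$ grows, whereas a shared phase offset swings $P_T$ both above and below the power-additive level, which is the signature of coherence a defender can look for in a power record.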
2) Spoofing Power Advantage: For convenience, define
$$\eta \triangleq P_S/P_A \tag{5}$$
as the spoofing power advantage. Then $P_C$ becomes a function of $\eta$, with $P_C(\eta = 0) = P_A$, and $P_T$ can be rewritten as
$$P_T = P_C(\eta) + P_I + P_N \tag{6}$$
which, under the assumptions behind (4), becomes
$$P_T = (1 + \eta)P_A + P_I + P_N \tag{7}$$
[Plot: $P_T$ (dB) versus Time (sec).]
Fig. 3. Received power in a 2-MHz band centered at the GPS L1 frequency showing the onset of a spoofing attack using this paper's testbed, normalized by the average value of $P_T$ prior to the attack. The attack begins with a sudden increase in $P_T$ just before 100 seconds. Thereafter, the authentic power $P_A$ and spoofing power $P_S$ were maintained constant; thus, the oscillations in $P_T$ can only be due to strong coherence between the spoofing and authentic signals with similar values of $\varphi_i$.
The hypotheses can now be written
$$H_0: \eta = 0, \tag{8a}$$
$$H_1: \eta \geq \eta_m \tag{8b}$$
where $\eta_m \geq 0$ is the minimum power advantage applied by a spoofer in an attack.
3) Simplifying the Composite Test: In view of (3), (6), and (8), deciding between $H_0$ and $H_1$ amounts to a composite hypothesis test in which the parameters $\eta$ and $\varphi_i$, $i = 1, \ldots, n$ are simple under $H_0$ but can take on a range of values under $H_1$. The test can be reduced to a simple (non-composite) hypothesis test in two steps. First, since this paper's interest is in evaluating the strongest embodiment of the received power defense, let it be assumed that the defender knows the exact value of $\eta$. Second, assume the attacker does not have wavelength-level knowledge of the defender's antenna position, in which case it is reasonable to model the offsets $\varphi_i$ as independent random variables uniformly distributed on $[0, 2\pi]$. Stacking these as $\boldsymbol{\varphi} = [\varphi_1, \varphi_2, ..., \varphi_n]^T$ and denoting the distribution of $P_T$ under $H_j$ by $p_{P_T|H_j,\boldsymbol{\varphi}}(\xi|H_j, \theta)$, $j = 0, 1$, one can integrate out $\boldsymbol{\varphi}$-dependence by
$$p_{P_T|H_j}(\xi|H_j) = \frac{1}{(2\pi)^n} \int p_{P_T|H_j,\boldsymbol{\varphi}}(\xi|H_j, \boldsymbol{\phi})\, d\boldsymbol{\phi}, \quad j = 1, 2$$
where the multi-dimensional integral is taken over the range of $\boldsymbol{\varphi}$. The likelihood ratio can now be formed as
$$\Lambda \triangleq \frac{p_{P_T|H_1}(\xi|H_1)}{p_{P_T|H_0}(\xi|H_0)}$$
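The optimal detection test compares $\Lambda$ against a threshold [49]:
$$\Lambda \underset{H_0}{\overset{H_1}{\gtrless}} \tilde{\gamma} \tag{9}$$
This notation is interpreted as “choose $H_1$ if $\Lambda$ exceeds $\tilde{\gamma}$; otherwise choose $H_0$.” If the distribution of $\Lambda$ is denoted $p_{\Lambda|H_j}(\lambda|H_j)$, $j = 0, 1$, then, for a chosen false alarm probability $P_F$, one sets $\tilde{\gamma}$ to satisfy
$$P_F = \int_{\tilde{\gamma}}^{\infty} p_{\Lambda|H_0}(\lambda|H_0) \tag{10}$$
The resulting detection probability is
$$P_D = \int_{\tilde{\gamma}}^{\infty} p_{\Lambda|H_1}(\lambda|H_1) \tag{11}$$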
In many cases the test in (9) can be reduced to a simpler, equivalent test, e.g., by taking the log of both sides. Whatever quantity is ultimately compared against the final threshold, denoted $\gamma$, is called the detection statistic. For the special case where $P_C$, $P_I$, and $P_N$ are modeled as Gaussian distributed, the problem becomes a simple location test in which the detection statistic reduces to $P_T$, which is itself Gaussian distributed [50]. Moreover, for small variations in $P_T$, the transformation to dB units via $P_T\,(\text{dBW}) = 10 \log_{10}(P_T)$ is approximately linear. Hence, for $P_C$, $P_I$, and $P_N$ Gaussian, $P_T$ (dBW) can also be modeled as Gaussian.
C. Minimum Spoofing Power Advantage
Performance of signal authentication based on $P_T$ depends crucially on $\eta$, $P_A$, $P_I$, and $P_N$, with the detection test becoming more powerful as $\eta$ increases or as the variance in $P_A$, $P_I$, and $P_N$ decreases. This section seeks to define $\eta_m$, a lower bound on $\eta$; the following section will examine $P_A$, $P_I$, and $P_N$.
1) Signal Model: By way of relating the parameters in (3), (5), and (6) to a signal model, consider an attack in which the received spoofing power is entirely coherent so that $P_S = \sum_i P_{Sc,i}$. Note that this implies the spoofer's output consists only of clean signal replicas with no quantization noise or noise padding. The defender's received signal at sampling instant $t$ can then be represented by a complex baseband model as
$$r(t) = \sum_i \left\{ D_i(t) C_i[t - \tau_{ai}(t)] \exp[j\theta_{ai}(t)] + \sqrt{\eta}\, D_i(t) C_i[t - \tau_{si}(t)] \exp[j\theta_{si}(t)] \right\} + I(t) + n(t) \tag{12}$$
where, for the $i$th authentic signal, which is tracked in the receiver's $i$th channel, $D_i(t)$ is the navigation data, $C_i(t)$ is the spreading code, $\tau_{ai}(t)$ is the authentic signal's code phase, $\theta_{ai}(t)$ is the authentic signal's carrier phase, $\tau_{si}(t)$ is the spoofing signal's code phase, $\theta_{si}(t)$ is the spoofing signal's carrier phase, $I(t)$ is a zero-mean complex process that models non-spoofing interference associated with $P_I$, and $n(t)$ is a zero-mean complex white Gaussian noise process that models the noise associated with $N_0$. This model remains a useful approximation even when mild quantization effects are present in the spoofing signals; it will be assumed to hold in the following analysis.
2) Successful Capture: A spoofer seeking to capture the defender's code and carrier tracking loops on each tracking channel while minimizing the likelihood of detection will operate with $\eta$ near unity. Suppose that $\eta = 1$ and that, for the $i$th signal, $\tau_{si}(t) = \tau_{ai}(t)$ and $\theta_{si}(t) = \theta_{ai}(t) + \varphi_i(t)$. In this case, the received counterfeit and authentic GNSS signals are matched in amplitude and structure, differing only in carrier phase offset. If the spoofer now attempts pulloff of the defender's code phase tracking points in the default mode where code and carrier phase rates are related by (1), and if the spoofer maintains its carrier phase pulloff rate $\dot{\varphi}_i$ well below the defender's carrier phase tracking loop bandwidth $B_L$, then symmetry dictates that the spoofer's probability of successfully capturing the $i$th channel's code and carrier tracking loops is $p_{ci} = 0.5$.
In the absence of interference and noise [$I(t) = n(t) = 0$], $\eta > 1$ would be sufficient to guarantee capture of every channel's loops provided $|\dot{\varphi}_i/2\pi| \ll B_L$, $i = 1, \ldots, n$. But in the presence of interference and noise, $\eta > 1$ cannot guarantee capture even in the limit as $\dot{\varphi}_i \to 0$. This is because during pulloff there will be intervals during which $\varphi_i(t) \approx (1 + 2k)\pi$, $k \in \mathbb{Z}$, so that the counterfeit and authentic phasors will nearly annihilate each other. This phenomenon, which is redolent of severe ionospheric scintillation [51], can result in frequency unlock of the defender's carrier tracking loop, which for this paper's purposes is considered a failed capture.
For the $i$th signal, and for $\eta > 1$, the carrier-to-noise ratio during anti-phase alignment of counterfeit and authentic signals is
$$\frac{P_{A,i}(\eta - 1)}{N_0}$$
To prevent frequency unlock, $\eta$ must be chosen such that $P_{A,i}(\eta - 1)/N_0 > \beta$, where $\beta$ is the threshold value of $C/N_0$ required for frequency-unlock-free carrier tracking. This implies that, for all $i$, $\eta$ must satisfy
$$\eta > 10 \log_{10}\left[10^{(\beta - P_{A,i}/N_0)/10} + 1\right] \text{ dB}$$
in which $\eta$, $\beta$, and $P_{A,i}/N_0$ are expressed in dB. For a standard second- or third-order Costas-type GNSS carrier tracking loop with an update interval of 20 ms and $B_L = 5$ Hz, phase unlock begins below approximately $C/N_0 = 24$ dB-Hz [39], so one may take $\beta \approx 24$ dB-Hz as a conservative approximation for the frequency unlock threshold (the frequency unlock threshold is always below the phase unlock threshold). Thus, for a weak GNSS signal with $P_{A,i}/N_0 > 35$ dB-Hz, $\eta \geq \eta_u = 1.08$ (0.33 dB) would be required to prevent unlock.
3) Numerical Simulation and Testbed Experimentation: If $\eta \geq \eta_u$, then averaging within the tracking loops will ensure $p_{ci} \to 1$ as $\dot{\varphi}_i \to 0$. But a pulloff rate of zero is hardly useful for the spoofer. Within the more interesting interval $0 < |\dot{\varphi}_i/2\pi| \ll B_L$, the relationship between $p_{ci}$, $\eta$, and $\dot{\varphi}_i$ cannot be determined by a simple limiting case analysis. Moreover, a more comprehensive analytical examination of the code and carrier tracking loops is complicated by their stochastic, discrete, and nonlinear nature and by the counterfeit and authentic signal interaction. On the other hand, the closed-loop tracking behavior can be readily analyzed via Monte-Carlo simulation. Such a simulation has been carried out and has confirmed the general trends one might have expected: (1) for a fixed $|\dot{\varphi}_i/2\pi| \ll B_L$, $p_{ci}$ quickly approaches unity as $\eta$ increases beyond $\eta_u$, and (2) increasing $\eta$ allows the spoofer to increase $|\dot{\varphi}_i/2\pi| \ll B_L$ while maintaining a fixed $p_{ci}$.
Apart from numerical simulation, the minimum value of $\eta$ required for reliable capture has been determined experimentally via the testbed. On 34 independent trial attacks, each with $n \geq 8$ authentic signals, it was found that $p_{ci} = 1$ whenever $\eta > 1.1$ (0.41 dB), provided $|\dot{\varphi}_i/2\pi| \ll B_L$ [52].
For purposes of this paper, it will be assumed that the spoofer always operates with $\eta \geq \eta_m = 1$ and that $\eta = \eta_m$ is enough to reliably capture the defender's tracking loops. This assumption is conservative as regards reliable capture because, as discussed above, capture only becomes reliable for $\eta \gtrsim 1.1$; yet it is optimistic as regards preventing adverse effects because a spoofer can cause a target receiver to output hazardously misleading data even when $\eta$ is slightly less than unity. Nonetheless, for this paper it will be assumed that the attacker is not interested in uncontrolled adverse effects but in reliable capture requiring $\eta \geq \eta_m = 1$.
4) An Illustrative Scenario: It is instructive to roughly approximate the amount by which $P_T$ changes between $H_0$ and $H_1$ given $\eta = 1$. Recall that $P_T$ actually becomes the optimal detection statistic only when $P_A$, $P_I$, and $P_N$ are modeled as Gaussian random variables, but in any case $P_T$ closely approximates the optimal statistic. It follows that the detection test is powerful only if the increase in $P_T$ from $H_0$ to $H_1$ is large compared to its random deviations under $H_0$ and $H_1$.
A typical outside-the-laboratory spoofing attack in which the assumptions behind (7) hold will yield the ratio
$$\frac{P_{T,1}}{P_{T,0}} = \frac{P_A(1 + \eta) + P_I + P_N}{P_A + P_I + P_N} \tag{13}$$
of $P_T$ under the two hypotheses. Consider an optimistic (for the defender) scenario in which $N_0 = -204$ dBW/Hz (a moderately low noise floor), $P_I = 0$ (no non-spoofing interference), $B = 2$ MHz (a narrow receiver bandwidth), and $P_A = -146$ dBW (consistent with an ensemble of typical-strength authentic GPS L1 C/A signals received in a $B = 2$ MHz band [9]). Despite the advantages to the defender in this scenario, $P_{T,1}/P_{T,0}$ is only 0.93 dB when $\eta = 1$. For $N_0 = -201$ dBW/Hz, which is more realistic for a commercial-grade GNSS receiver, $P_{T,1}/P_{T,0}$ falls to 0.56 dB. Roughly speaking, then, powerful received-power-based signal authentication requires that random fluctuations in $P_T$ be substantially smaller than 1 dB. This is a restatement of the small unpredictable variations assumption.
D. Characterization of $P_A$, $P_I$, and $P_N$
The causes of variations are different for each of $P_A$, $P_I$, and $P_N$. Some variations can be accurately predicted by the defender, and so can be treated as deterministic, whereas others are not practically predictable and must be modeled as random. An analytical treatment of these random variations is not possible, as they are highly device-, site-, and time-specific. Therefore, this section appeals to empirical study.
Fig. 4 shows the RF spectrum centered at the GPS L1 frequency as seen by a high-quality static antenna and wide-bandwidth RF front end combination. The power spectral density is estimated by generating periodograms using Welch's method on 100-ms intervals of raw complex samples and then averaging over 100 of these. The characteristic peak resulting from the noncoherent combination of approximately 12 GPS L1 C/A signals is visible above the noise floor. Two bands are shown centered at L1, a 2-MHz band, which contains 90% of the L1 C/A signal power, and a 10-MHz band, which contains 98%. No spurious signals are visible in either band, which implies that $P_I \approx 0$.
[Plot: Density (dBW/Hz) versus Frequency (MHz), with the 2 MHz and 10 MHz bands marked.]
Fig. 4. Power spectrum centered at the GPS L1 frequency as estimated from data captured via a high-quality static antenna and RF front end combination in a moderately quiet outdoor RF environment on the rooftop of the WRW building on the UT Austin campus. Bands for 2- and 10-MHz power measurements are shown. The power density scale has been centered just above the GPS L1 C/A peak for ease of viewing. In absolute units, the noise floor sits at approximately -204 dBW/Hz.
Summing the 100-ms periodograms over the bands indicated results in a time series of power measurements. Fig. 5 shows a two-day interval of $P_T$ in the 2-MHz band, which reveals marked diurnal variations, the result of diurnal patterns in temperature, solar radiation, and the overhead satellite constellation. Even though the record's diurnal repeatability is evidently only good to roughly 0.3 dB, its predictability given knowledge of local temperature and satellite orbital ephemerides is better than this. Fig. 6 offers an expanded view of a 5-minute interval, showing both the 2- and 10-MHz traces. The different size of the variations in the two traces at time scales less than about 150 seconds indicates that these originate in $P_A$, not $P_N$. They are likely due to multipath effects at the carrier phase level caused by reflections off nearby surfaces and by atmospheric diffraction and refraction. Close examination of multi-day records such as those in Fig. 5 reveals that these variations do not repeat appreciably at the solar or sidereal day. Data from two other static sites were examined, with similar behavior noted. Thus, it appears that the practically unpredictable variations in $P_T$ about L1 have root-mean-squared deviations of at least 0.1 dB for a 2-MHz band and 0.05 dB for a 10-MHz band.
[Plot: $P_T$ (dB) versus time in days since 10-Sep-2012 00:00:00.]
Fig. 5. A two-day record of received power in the 2-MHz band shown in Fig. 4, normalized by the average value of $P_T$ over the interval.
[Plot: $P_T$ (dB) versus Time (sec); traces for the 10 MHz and 2 MHz bands.]
Fig. 6. A five-minute record of received power in the 2- and 10-MHz bands shown in Fig. 4, normalized by the initial values of $P_T$ in each band.

Suppose that $P_T$, in dB units and with its mean under $H_0$ removed, is taken as the detection statistic and modeled as
$$H_0: P_T\,(\text{dBW}) \sim \mathcal{N}(0, 0.1), \tag{14a}$$
$$H_1: P_T\,(\text{dBW}) \sim \mathcal{N}(0.56, 0.1), \tag{14b}$$
where the mean value under $H_1$, 0.56, is taken from the discussion of $P_{T,1}/P_{T,0}$ in Section III-C4. Choice of an acceptable $P_F$ depends on the cost of a false alarm, which may range from a site visit to the grounding of an aircraft. As a reasonable value, assume only one false alarm per year is acceptable. Then if, due to the time correlation evident in Fig. 6, an independent test occurs every 150 seconds, a once-per-year alarm corresponds to $P_F = 4.75 \times 10^{-6}$. For this $P_F$, the decision threshold calculated via (10) is $\gamma = 0.44$ dBW, and the detection probability is $P_D = 0.88$.
This value of $P_D$ gives reason to be optimistic about signal authentication based on $P_T$ for static GNSS receivers. Such performance depends, however, on the distribution of $P_T$ having exponentially decaying tails. In practice, there are at least two phenomena that can cause $P_T$ to routinely take on values that would be exceedingly improbable under a Gaussian distribution: solar radio bursts and non-spoofing interference.
1) Solar Radio Bursts: Recall that $P_N$ represents the contribution to $P_T$ due to spectrally-flat receiver noise. It can be related to the receiver and antenna noise temperatures $T_R$ and $T_A$ (in degrees Kelvin) by
$$P_N = BN_0 = k_B B(T_R + T_A) \tag{15}$$
where $k_B$ is Boltzmann's constant.
Unpredictable variations in $T_R$ arise due to random fluctuations in noise sources internal to the receiver, primarily those in the first-stage LNA. These are small enough they do not contribute significantly to the 0.1 dB variations in $P_T$ noted previously for static antennas.
Variations in $T_A$ arise due to antenna motion (as more or less warm earth radiation is visible), antenna blockage (e.g., an increase in $T_A$ due to snow accumulation [15]), and variable solar radiation. All these would be difficult or impossible for a stand-alone (non-networked) GNSS receiver to predict. Focus here will be on solar radiation as its effect is least site-specific: all GNSS receivers in the sunlit portion of the earth are similarly affected.
Solar radio bursts can cause large and sudden variations in $P_N$, as exemplified by the December 2006 storm, which led to 10-17 dB increases in $P_N$ [53]. The relevant question as regards $P_T$-based GNSS signal authentication is how often a burst event would cause $P_T$ to exceed the detection threshold, causing a false alarm. This question is answered in Table I for three different values of the threshold $\gamma$.
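TABLE I
TIME BETWEEN THRESHOLD-EXCEEDING SOLAR RADIO BURST EVENTS FOR VARIOUS VALUES OF THE DETECTION LEVEL $\gamma$

| Threshold value: $\gamma$ (dB) | Threshold value: $T_{As}$ (K) | Threshold value: $S_1$ (SFU) | $T_e$ (days): Solar max. | $T_e$ (days): All years |
|---|---|---|---|---|
| 0.44 | 40.9 | 1560 | 9.2 | 22 |
| 0.93 | 91.3 | 3488 | 17.3 | 42.9 |
| 1.5 | 157.7 | 6022 | 26.5 | 67.4 |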
Table I is interpreted as follows. Assume $P_I = 0$ and let $T_A = T_{A0} + T_{As}$, where $T_{As}$ is the portion of $T_A$ due to solar radiation. Each $\gamma$ value can then be related to a threshold $T_{As}$ by
$$\gamma\,(\text{dB}) = 10 \log_{10} \frac{P_A + k_B B(T_R + T_{A0} + T_{As})}{P_A + k_B B(T_R + T_{A0})}$$
assuming the following reasonable parameter values: $P_A = -146$ dBW, $B = 2$ MHz, $T_R = 188$ K, $T_{A0} = 100$ K. Each $T_{As}$, in turn, is related to a threshold solar flux density $S_1$ by
$$S_1\,(\text{SFU}) = \frac{2 k_B T_{As}}{A_e} 10^{22}$$
where the effective antenna area is taken to be $A_e = 7.23 \times 10^{-3}$ m$^2$, which is a good approximation for a single-element GNSS antenna, and the additional factor of 2 in the numerator reflects the assumption that only half the total-polarization solar radiation contributes to $T_{As}$ through a GNSS antenna, which is designed to receive right-hand circularly polarized signals [54]. The factor $10^{22}$ converts W/m$^2$/Hz to solar flux units (SFU). The resulting $S_1$ values listed in Table I are those above which a spoofing detector based on $P_T$ would declare $H_1$ for the corresponding $\gamma$. As a final step, the model
$$N(S > S_1, \nu_1, \nu_2)$$
from [55] is invoked (with the correction factor $C_{geo}$) to approximate the total number of bursts exceeding $S_1$ in the frequency range [$\nu_1 = 1$ GHz, $\nu_2 = 1.7$ GHz] over a 40-year historical period. This is used to estimate $T_e$, the time between triggering events, for solar maximum years and for all years.
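The mapping from a detection threshold to a solar flux density can be worked through for any receiver by inverting the two relations above. The Python below is an added example, not code from the paper; it uses the parameter values stated in the text as defaults, and the function names are chosen here for illustration.

```python
import math

K_B = 1.380649e-23      # Boltzmann's constant, J/K

def quiet_power_w(p_a_dbw, bandwidth_hz, t_r, t_a0):
    """P_A + k_B B (T_R + T_A0): received power with no solar contribution."""
    return 10.0 ** (p_a_dbw / 10.0) + K_B * bandwidth_hz * (t_r + t_a0)

def solar_temp_for_threshold(gamma_db, p_a_dbw=-146.0, bandwidth_hz=2e6,
                             t_r=188.0, t_a0=100.0):
    """Invert the gamma(dB) relation: the solar antenna temperature T_As (K)
    that raises P_T by exactly gamma_db above its quiet level."""
    quiet = quiet_power_w(p_a_dbw, bandwidth_hz, t_r, t_a0)
    extra_w = (10.0 ** (gamma_db / 10.0) - 1.0) * quiet
    return extra_w / (K_B * bandwidth_hz)

def flux_sfu(t_as, a_e_m2=7.23e-3):
    """S_1 in solar flux units for a given T_As; the factor 2 accounts for
    the antenna receiving only one circular polarization."""
    return 2.0 * K_B * t_as / a_e_m2 * 1e22

def power_rise_for_flux_db(s_sfu, p_a_dbw=-146.0, bandwidth_hz=2e6,
                           t_r=188.0, t_a0=100.0, a_e_m2=7.23e-3):
    """Forward direction: rise in P_T (dB) caused by a burst of s_sfu."""
    t_as = s_sfu * 1e-22 * a_e_m2 / (2.0 * K_B)
    quiet = quiet_power_w(p_a_dbw, bandwidth_hz, t_r, t_a0)
    return 10.0 * math.log10(1.0 + K_B * bandwidth_hz * t_as / quiet)

def threshold_table(gammas_db):
    """Rows of (gamma dB, T_As K, S_1 SFU) for the given thresholds."""
    rows = []
    for g in gammas_db:
        t_as = solar_temp_for_threshold(g)
        rows.append((g, t_as, flux_sfu(t_as)))
    return rows

if __name__ == "__main__":
    # With the rounded parameter values quoted in the text, the computed
    # T_As values agree with Table I to within about 1-2 percent.
    for g, t_as, s1 in threshold_table([0.44, 0.93, 1.5]):
        print(f"gamma={g:4.2f} dB  T_As={t_as:6.1f} K  S_1={s1:6.0f} SFU")
```

Changing `bandwidth_hz`, `t_r` or `a_e_m2` shows how a wider front end or a noisier receiver shifts the burst size needed to trip a given threshold.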
Table I makes clear that solar radio bursts are problematic for signal authentication based solely on $P_T$. Under the model in (14), the threshold $\gamma = 0.44$ dB leads to a respectable $P_D = 0.88$ for a once-per-year false alarm. Accounting for solar radio bursts, the $P_D$ remains approximately unchanged, but the false alarm rate rises to once every 9 days during solar maximum, or once every 22 days on average across the full solar cycle. This rate would be unacceptably high for many applications. Worse yet, there is little refuge in higher $\gamma$ values as there would be for a $P_T$ distribution having exponentially decaying tails. At $\gamma = 0.93$ dB, which would only yield $P_D = 0.5$ even under the higher-sensitivity spoofing attack scenario in Section III-C4, the false alarm rate is still greater than once every two months. Even for $\gamma = 1.5$ dB, which would offer no detection power against a spoofing attack with $\eta = 1$, and only $P_D = 0.5$ for $\eta = 1.7$, the long high-side tail of the true $P_T$ distribution prevents the false alarm rate from dropping to less than one event in three months.
If these false alarm rates are unacceptable, as they would be for many applications, then a spoofer could operate without fear of detection so long as it set $\eta$ near unity. One may object to this conclusion by pointing out that spoofing alarms could be dismissed during known solar radio burst events, which can be independently monitored—even predicted (see http://www.swpc.noaa.gov/). But this offers little protection, for a clever attacker could time his attack to coincide with the arrival of a sizable burst.
2) Non-Spoofing Interference: Laying aside concerns due to solar radio bursts, one must also consider the effect of non-spoofing interference on $P_T$-based signal authentication. Such interference, whose received power is represented by $P_I$, ranges from unintentional in-band harmonics to intentional jamming [56]. It can affect both stationary and moving GNSS receivers, though the variance of $P_I$ will generally be higher for moving receivers.
The mean and variance of $P_I$ are context specific, but both tend to increase with population density [57]. In recent years, interference due to so-called personal privacy devices has become an increasing concern [58], [59]. Current use of these jammers along major highways results in $P_T$ spikes that, for nearby receivers, would violate any of the thresholds considered in Table I. Moreover, as shown in Fig. 7, the jamming profiles seen at closely-spaced sites are different enough that there will remain a substantial unpredictable $P_I$ component even if local monitoring is in place.
[Two-panel plot: $P_T$ (dB) versus time in days since 09-Sep-2012 00:00:00.]
Fig. 7. Received power in the 10-MHz band centered at GPS L1 at two sites 1 km apart that straddle State Highway 1, west of Austin, TX. Top panel: Data from site located at the Center for Space Research. Bottom panel: Data from site located at Applied Research Laboratories. Both traces are normalized by the average value of $P_T$ over the interval.
One might argue that it is perfectly appropriate for a spoofing detector to alarm in the presence of an intentional jammer, but the consequences of spoofing can be much more malign than those of jamming, and so it behooves a defender to distinguish the two.
Note that non-spoofing interference is not only a problem for $P_T$-based signal authentication but for all GNSS signal authentication methods that depend on constraining the spoofer to low values of $\eta$, such as the pincer defense [36]. This defense is less sensitive to solar radio bursts than $P_T$-based signal authentication, but equally likely to declare a false alarm in the face of strong non-spoofing interference.
E. Evaluation Summary
Even granting the full signal admixture assumption, it appears that, contrary to the claim made in [15], spoofing detection based solely on received power $P_T$ is inadequate for GNSS signal authentication, for two reasons: (1) the increase in $P_T$ due to spoofing can be small (less than 1 dB), and (2) a long tail in the distribution of $P_N$ due to solar radiation causes high $P_F$ for any reasonable $P_D$ and, for receivers in urban areas, the same can be true for $P_I$ due to non-spoofing interference. These conditions amount to a violation of the small unpredictable variations assumption.
Despite its weakness, a $P_T$-based defense remains a useful component of GNSS signal authentication, as it prevents an attacker from employing an arbitrary $\eta$. It is best thought of as a necessary, but not sufficient, test for GNSS signal authentication. For increased potency, $P_T$ testing can be combined with a correlation distortion test, as in [36], a cryptographic test, as in [28], [29], or another substantially independent and complementary test. Note that jointly testing for unusual $P_T$ and $C/N_0$ values is only slightly better than testing $P_T$ alone: at the expense of a slightly higher $\eta$, a spoofer can inject noise padding to ensure that its signals' $C/N_0$ values match those of the authentic signals.
IV. EVALUATION OF THE SCER ATTACK DEFENSE
The SCER attack defense, originally developed in [29], assumes that the authentic broadcast GNSS signals have been modulated with a signal-specific binary security code that is unpredictable to the spoofer but verifiable by the defender (possibly after a delay). Unable to predict the security code, the spoofer resorts to modulating its counterfeit signal replicas with security code chips estimated on-the-fly. The key to defending against a SCER attack is a detection statistic sensitive to the high error variance of the spoofer's security code chip estimates in the moments immediately following each unpredictable chip transition. Ref. [29] develops such a statistic, describes its distribution under $H_0$ and $H_1$, and offers preliminary results using this paper's testbed. This section explains how the detection statistic is generated in practice within a GNSS receiver and offers a more extensive empirical evaluation of the SCER attack defense.
A. Detection Test
A single-signal SCER attack can be modeled by the following hypothesis pair for the samples $Y_k$ output by the defender's RF front end during the interval spanned by the $l$th security code chip:
$$H_0: Y_k = W_l s_k + N_k, \tag{16a}$$
$$H_1: Y_k = g\left[\alpha \hat{W}_l(n_{lk}) s_k + N_k\right] \tag{16b}$$
Under hypothesis $H_0$, the received signal is an authentic GNSS signal with security code chip value $W_l$ and underlying signal $s_k = c_k \cos(2\pi f_{IF} t_k + \theta_k)$, where $c_k$ is the signal's binary spreading code, $f_{IF}$ is the intermediate frequency in Hz, and $\theta_k$ is the beat carrier phase. The noise samples $N_k$ are modeled as independent and Gaussian. Under hypothesis $H_1$, the received signal is a spoofer-generated exact counterfeit of $s_k$ modulated by an estimate $\hat{W}_l(n_{lk})$ of the $l$th security code chip. The index $n_{lk}$ represents the number of samples that contribute to the spoofer's estimate of $W_l$. The coefficient $\alpha$ is the spoofing amplitude factor, which is proportional to $\sqrt{\eta}$, and $g$ is the automatic gain control factor imposed by the RF front end to maintain constant power in $Y_k$.
Ref. [29] offers further details on the model in (16) and formulates a detection statistic appropriate for defending against a SCER attack. The current paper illustrates how this statistic is generated within a GNSS receiver. For clarity of presentation, assume the security code is carried in the navigation data stream so that each unpredictable security code chip $W_l$ is also a navigation data symbol. In other words, assume a navigation message authentication security scheme [28]. Further assume that the receiver's accumulation (pre-detection) interval is equivalent to the length of $W_l$. Then the detection statistic $L$ can be generated as shown in Fig. 8.
[Block diagram.]
Fig. 8. Block diagram illustrating how generation of the SCER attack statistic $L$ relates to standard GNSS signal correlation. Thick lines denote complex signals, whereas thin lines denote real-valued signals.
By way of further explanation, consider the two signal paths shown in Fig. 8. The lower path is the standard matched-filter-type correlation operation commonly implemented in GNSS receivers. The product of the incoming samples $Y_k$ and a complex local signal replica $r_k = W_l \hat{c}_k \exp[j(2\pi f_{IF} t_k + \hat{\theta}_k)]$ is accumulated over the interval spanned by $W_l$ to produce the prompt complex correlation products $I_l + jQ_l$ that get fed to code and carrier tracking loops. The code tracking loop also ingests correlation products from identical paths—not shown—having early and late versions of $\hat{c}_k$.
The upper path in Fig. 8 produces the SCER attack detection statistic $L$. The real part of the product $Y_k r_k$ is multiplied by a smooth weighting function $\beta(n_{lk})$, defined in [29], that gives full weight to the $k_l$th sample but decays rapidly toward zero for subsequent samples. This weighting has the effect of suppressing those samples over which the error variance in the spoofer's security code chip estimate $\hat{W}_l$ has become small because the spoofer has had sufficient time to obtain an accurate estimate of $W_l$; only the early high-variance samples are useful in distinguishing $H_1$ from $H_0$. The weighted product $\beta(n_{lk})\Re(Y_k r_k)$ is accumulated over the interval spanned by $W_l$ to produce the single-chip detection statistic $S_l$, $N$ of which are biased, squared, and accumulated as shown to produce the final statistic $L$. The constants $a$ and $b$ are related to the theoretical mean $\mu_j$ and variance $\sigma_j^2$ of $S_l$ under $H_j$, $j = 0, 1$ by
$$a = \frac{1}{\sigma_0^2} - \frac{1}{\sigma_1^2}, \quad b = 2\left(\frac{\mu_1}{\sigma_1^2} - \frac{\mu_0}{\sigma_0^2}\right)$$
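The upper path of Fig. 8 can be exercised end to end with a small baseband simulation. The Python below is an added example, not the testbed's or Ref. [29]'s code, and it rests on several assumptions: carrier and code are taken as already wiped off, the weighting $\beta(n)$ is an exponential decay (the actual function is defined in [29]), the per-sample noise levels are illustrative, the AGC factor $g$ is ignored, and $\mu_j$, $\sigma_j^2$ are estimated by Monte Carlo rather than from theory.

```python
import math
import random

K_SAMPLES = 80        # samples per chip carrying non-negligible weight (assumed)
DECAY = 20.0          # assumed decay constant of beta(n), in samples
WEIGHTS = [math.exp(-k / DECAY) for k in range(K_SAMPLES)]   # assumed beta(n_lk)

def chip_statistic(rng, spoofed, alpha=1.0, sigma_def=3.0, sigma_spf=3.0):
    """Single-chip statistic S_l = sum_k beta(n_lk) * Re(Y_k r_k).

    Under H0 each sample carries the true chip W_l. Under H1 it carries the
    spoofer's hard-decision estimate formed from the samples seen so far,
    which is unreliable right after the chip boundary."""
    w = rng.choice((-1, 1))                 # true security code chip W_l
    running = 0.0                           # spoofer's running correlation sum
    s_l = 0.0
    for k in range(K_SAMPLES):
        if spoofed:
            running += w + rng.gauss(0.0, sigma_spf)
            chip = alpha * (1.0 if running >= 0.0 else -1.0)
        else:
            chip = float(w)
        y = chip + rng.gauss(0.0, sigma_def)   # defender's front-end sample
        s_l += WEIGHTS[k] * y * w              # replica r_k carries verified W_l
    return s_l

def moments(rng, spoofed, chips=2000):
    """Monte Carlo estimate of (mu_j, sigma_j^2) of S_l under H0 or H1."""
    vals = [chip_statistic(rng, spoofed) for _ in range(chips)]
    mu = sum(vals) / chips
    var = sum((v - mu) ** 2 for v in vals) / (chips - 1)
    return mu, var

def bias_constants(mu0, var0, mu1, var1):
    """Constants a and b as defined in the text."""
    a = 1.0 / var0 - 1.0 / var1
    b = 2.0 * (mu1 / var1 - mu0 / var0)
    return a, b

def detection_statistic(s_values, a, b):
    """L: each S_l is biased by b/(2a), squared, and accumulated."""
    return sum((s + b / (2.0 * a)) ** 2 for s in s_values)

def run_experiment(seed=7, n_chips=400, batches=5):
    rng = random.Random(seed)
    mu0, var0 = moments(rng, spoofed=False)
    mu1, var1 = moments(rng, spoofed=True)
    a, b = bias_constants(mu0, var0, mu1, var1)
    def batch(spoofed):
        chips = [chip_statistic(rng, spoofed) for _ in range(n_chips)]
        return detection_statistic(chips, a, b)
    return {"mu0": mu0, "var0": var0, "mu1": mu1, "var1": var1, "a": a, "b": b,
            "l_h0": [batch(False) for _ in range(batches)],
            "l_h1": [batch(True) for _ in range(batches)]}

if __name__ == "__main__":
    r = run_experiment()
    print("mu0, var0:", round(r["mu0"], 1), round(r["var0"], 1))
    print("mu1, var1:", round(r["mu1"], 1), round(r["var1"], 1))
    print("L under H0:", [round(v) for v in r["l_h0"]])
    print("L under H1:", [round(v) for v in r["l_h1"]])
```

The spoofed chips show both a lower mean and a higher variance in $S_l$, and batches of $N = 400$ chips separate cleanly in $L$ under these assumed noise levels.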
B. Test Setup
Due to its 5-ms processing latency, the real-time spoofer, in its current form, is not capable of a near-zero-latency SCER attack in which the spoofer's output security code chip estimates are approximately aligned with those of the authentic security-code-enhanced signals when received by the defender. Note that although a zero-latency attack is physically impossible for a real-time system, a near-zero-latency attack (e.g., less than 50 ns latency) could be achieved in real time with an FPGA-based real-time spoofer. For the SCER attack results presented in this paper, the post-processing testbed's digital I/O spoofer was used, which can be configured to mount a SCER attack with arbitrary latency. To permit evaluation of the most-potent limiting case, the digital I/O spoofer was configured to mount a zero-latency attack.
The attack proceeded as follows. The digital I/O spoofer ingested authentic recorded GPS L1 C/A data and, treating the ±1-valued 20-ms navigation data bits as if they were unpredictable security code chips, generated a maximum a posteriori (hard-decision) estimate for each chip. Near the beginning of each chip, when the spoofer had few signal samples on which to base its estimate, these chip values would switch wildly between −1 and 1. But with each successive sample received, the error variance of the spoofer's chip estimate would diminish until, after about 100 µs, the estimate would become virtually certain. The spoofer continuously modulated each of 8 constituent spoofing signals in its output ensemble with the corresponding chip estimate trains.
The spoofer began its attack with its counterfeit signals approximately code-phase-aligned and data-aligned to the authentic signals. After maintaining this alignment for several hundred seconds, it attempted pulloff of the defender's tracking loops, stopping once it had attained an offset of 175 µs with respect to the authentic signals. Due to the orthogonality of the GPS C/A codes, there was no significant interplay between the authentic and counterfeit signals at this offset. The digital I/O spoofer's output data were sample-wise multiplexed with the original authentic data to produce a digital data stream containing the composite spoofing and authentic signal ensembles. The multiplexing ratio was adjusted so that $\eta \approx 1.2$. A preliminary segment of the data was left free of spoofing to allow testing of the defender's ability to detect the onset of attack.
The combined data stream was routed to the testbed’s
digital-input software-defined receiver, acting as defender,
which tracked the signals present and produced samples
equivalent to the product $Y_k r_k$ in Fig. 8. The real parts of
these samples were weighted by an appropriate $\beta(n)$ and
accumulated to generate a sequence of chip-level statistics $S_l$.
Batches of $N = 400$ $S_l$ were combined to produce a full
detection statistic $L$ every 8 seconds during the course of the
experiment.
All signals tracked by the spoofer had spoofer-measured
carrier-to-noise ratios $(C/N_0)_s$ 46 dB-Hz whereas, due
to the way multiplexing was effected, the authentic signals
tracked by the defender prior to attack had defender-measured
carrier-to-noise ratios $40 < (C/N_0)_r < 42$ dB-Hz. Thus, the
spoofer enjoyed at least a 4 dB carrier-to-noise advantage over
the defender in the attack, which, for the defender, represents
a challenging attack scenario. In the formulation of $L$, the
defender’s assumed values for $(C/N_0)_s$ and $(C/N_0)_r$, which
influence $\mu_j$ and $\sigma_j$, $j = 1, 2$, and, by extension, the
theoretical distributions $p_{L|H_j}(\xi|H_j)$, $j = 1, 2$, were taken to be
approximately the true values of $(C/N_0)_s$ and $(C/N_0)_r$. The
defender’s assumed value of η was taken to be $\eta = \eta_m = 1$,
not far from the true η = 1.2. Thus, the defender’s model
for the distribution of $L$, upon which its decision threshold
for each signal was based, was approximately equal to the
true distribution of $L$ for that signal, except during the initial
aligned stage of the attack over which interaction of the
spoofing and authentic signals unavoidably violated the model
in (16). The defender’s detection threshold was set such that
$P_F = 10^{-4}$.
C. Test Results
The following test results are expressed in terms of the
empirical distribution of L at various stages of a SCER attack.
Typical results will be presented first, followed by discussion
of less typical results.
[Figure 9: three panels (Authentic signal only; Initial aligned
attack; After carry-off), each showing a histogram of experimental
L against ξ together with the theoretical curves
$p_{L|H_0}(\xi|H_0)$ and $p_{L|H_1}(\xi|H_1)$.]
Fig. 9. Histograms of experimentally-generated detection statistics L (bar
plots) compared with the detection threshold (thick vertical line) and the
theoretical distributions $p_{L|H_j}(\xi|H_j)$, $j = 0, 1$ at various stages of a
zero-delay SCER attack on the signal corresponding to PRN 17.
1) Typical Results: The top panel in Fig. 9 shows the
attack prelude during which only the authentic signal was
present. At this stage, the histogram of L values exhibits good
correspondence with the theoretical null-hypothesis probability
distribution $p_{L|H_0}(\xi|H_0)$. The center panel shows the situation
during the initial stage of the attack when the authentic and
spoofing signals were aligned to within a small fraction of the
1-µs spreading code chip interval. Because the counterfeit
and authentic signals in this test were so nearly matched in
power, this stage saw strong interaction between them in the
defender’s complex-valued prompt correlator. Such interaction
violates the either/or assumption of (16); nonetheless, the
detection statistic exceeds the threshold more than half the
time. However, instead of clustering within $p_{L|H_1}(\xi|H_1)$, the
histogram exhibits spreading. Fig. 10 shows a time history
of L during this stage of the attack. The slow changes in L
are driven by variations in the relative carrier phase of the
interacting authentic and spoofing signals.
[Figure 10: detection statistic value versus trial (trials 0 to 30),
showing the detection statistic and the threshold.]
Fig. 10. A time history of the defender-measured value of the decision
statistic L during the aligned stage of the attack on PRN 17. Each trial
represents an 8-second interval.
After the spoofer has successfully carried off the defender’s
tracking points and the authentic and spoofed correlation peaks
are separated by more than two spreading code chips, the
model in (16) again becomes valid. The bottom panel of
Fig. 9 shows that at this stage the detection statistic clearly
clusters beyond the detection threshold and roughly within the
theoretical $p_{L|H_1}(\xi|H_1)$ distribution. It should be noted that in
the experiment the post-pulloff $C/N_0$ value measured by the
defender did not change significantly relative to the measured
$C/N_0$ prior to the attack. Thus, a naive spoofing detection
strategy that triggers on changes in $C/N_0$ would have failed
to detect this attack.
The favorable results shown in Fig. 9, together with those
originally presented in [29], are fairly typical—they are
representative of 2/3 of the results from similar experiments
conducted on the testbed at various values of $(C/N_0)_r$ and
$(C/N_0)_s$.
2) Atypical Results: Figs. 11 and 12 show results
representative of the remaining 1/3 of the cases studied. As with
the previous results, the empirical histograms of L under $H_0$
exhibit good agreement with the theoretical $p_{L|H_0}(\xi|H_0)$ (top
panels). The histograms during the initial aligned attack (center
panels) are to the left of the threshold [Fig. 11] or spread
widely [Fig. 12], yet not atypical given the various ways that
the counterfeit and authentic signals can interact at this stage.
However, under $H_1$ (bottom panels), the empirical histograms
are unusual: they are wider than the theoretical $p_{L|H_1}(\xi|H_1)$,
and, in the case of Fig. 12, lower in mean value. This mismatch
has the effect of reducing $P_D$ to 0.87 for the case in Fig. 11 and
to 0.46 for Fig. 12. The reason for this mismatch is unclear,
as there was no significant interaction between authentic and
counterfeit signals at this stage of the attack.
[Figure 11: three panels (Authentic signal only; Initial aligned
attack; After carry-off) plotted against ξ.]
Fig. 11. As Fig. 9 except for PRN 27.
[Figure 12: three panels (Authentic signal only; Initial aligned
attack; After carry-off) plotted against ξ.]
Fig. 12. As Fig. 9 except for PRN 4.
D. Evaluation Summary
Experimental results indicate close agreement between the
empirical and theoretical distributions of L under $H_0$. This
implies that the false alarm rate for the SCER attack defense
is consistent with the value of $P_F$ used to set the detection
threshold. If the value $P_F = 0.0001$ chosen in the experiments
is unacceptably high for a given application, $P_F$ can be
lowered while maintaining a useful $P_D$: for a low-rate security
code, $P_F = 10^{-6}$ results in $P_D > 0.85$ [29]. Similarly,
in 2/3 of cases studied there was close agreement between
the empirical and theoretical distributions of L under $H_1$,
which implies that the theoretical value of $P_D$, which was
near unity for all the experimental scenarios studied, can
be approximately reached in practice. Even in atypical cases
of disagreement, $P_D$ remained above 0.46. Thus, compared
to the received power defense, the SCER attack defense is
significantly more powerful.
Nonetheless, the SCER attack defense has three weaknesses.
First, during the initial stage of a signal-aligned attack, L can
remain below the detection threshold over an extended interval
due to interaction between the authentic and counterfeit signals
[cf. Fig. 11, center panel]. One might think that poor $P_D$
is irrelevant at this stage given that the spoofer has not
yet attempted pulloff, but it turns out that if a majority
of signals are being spoofed the multipath-like effects of
aligned counterfeit and authentic signal interaction can cause
navigation errors of several tens of meters. Of course, in this
case the likelihood that at least one channel’s L rises above the
detection threshold remains quite high, so one may consider
this a minor weakness.
The second weakness of the SCER attack defense concerns
the spoofing power advantage η. It is shown in [29] that a
defender can maintain $P_D$ above 0.9 even under a challenging
SCER attack scenario so long as η is known. When the
defender significantly underestimates η, however, $P_D$ can fall
precipitously for low $(C/N_0)_r$. The defender could address
this weakness by estimating η via observation of $P_T$, using
(13) and taking $\eta_m = 1$ as a lower bound on the estimate.
This amounts to a generalized likelihood ratio test with η as
the composite parameter to be estimated [49]. Note that, under
this strategy, an increase in $P_T$ due to a solar radio burst or
non-spoofing interference would not significantly affect $P_F$.
The third and most significant weakness of the SCER attack
defense is that it fails in the case of a near-zero-latency pure
replay (meaconing) attack because in this case $\hat{W}_l = W_l$.
While one should not expect a defense designed for SCER
attacks to also detect a pure replay attack, it nonetheless
remains true that a pure replay attack is easy to mount—much
easier than a SCER attack—and, while not enjoying the same
flexibility as a SCER attack to dictate an erroneous navigation
and timing solution, is dangerously effective. To address this
weakness, the SCER attack defense could be combined with
the pincer defense [36], which is effective against a pure replay
attack. However, like the received power defense, the pincer
defense is prone to false alarms in the face of a large increase
in $P_T$ not related to spoofing.
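The following Python simulation is an added illustration, not code from the paper or its testbed. It uses a simplified stand-in for the statistic L (the shortfall of early-window chip correlation relative to the late-window correlation, with assumed weights β, 5-µs samples and constructed C/N0 values) to show why hard-decision chip estimates push L over a threshold set for a chosen false-alarm probability, while a zero-latency replay, for which the estimated chip equals the true chip, leaves L at its null distribution.

```python
import math
import random
from statistics import NormalDist

# Constructed parameters (assumptions chosen near the values quoted in the text).
DT = 5e-6            # sample interval in seconds
M_EARLY = 20         # early window: 20 samples = 100 us
M_LATE = 3980        # rest of a 20-ms chip, spoofer estimate assumed converged
N_CHIPS = 400        # chips combined into one detection statistic
CN0_S_DBHZ = 46.0    # spoofer's carrier-to-noise ratio
CN0_R_DBHZ = 41.0    # defender's carrier-to-noise ratio
ETA = 1.2            # spoofing power advantage
P_F = 1e-4           # target false-alarm probability

STD_NORMAL = NormalDist()


def amplitude(cn0_dbhz):
    """Per-sample signal amplitude when the noise has unit variance."""
    return math.sqrt(2.0 * 10.0 ** (cn0_dbhz / 10.0) * DT)


A_S, A_R = amplitude(CN0_S_DBHZ), amplitude(CN0_R_DBHZ)
# Assumed weights: twice the probability that a hard decision on k samples is wrong.
BETA = [2.0 * (1.0 - STD_NORMAL.cdf(A_S * math.sqrt(k)))
        for k in range(1, M_EARLY + 1)]
# Scale so each chip-level statistic has unit variance when chips are correct.
NORM = math.sqrt(sum(b * b for b in BETA) + sum(BETA) ** 2 / M_LATE)
THRESHOLD = STD_NORMAL.inv_cdf(1.0 - P_F)   # about 3.72 for P_F = 1e-4


def detection_statistic(case, rx, sp):
    """One L for case 'authentic', 'scer' or 'replay' (zero latency)."""
    a = A_R if case == "authentic" else math.sqrt(ETA) * A_R
    total = 0.0
    for _ in range(N_CHIPS):
        w = rx.choice((-1, 1))                      # true chip, verified later
        late = a + rx.gauss(0.0, 1.0 / math.sqrt(M_LATE))  # late-window mean
        running, s_l = 0.0, 0.0
        for beta in BETA:
            if case == "scer":
                # Spoofer's hard decision from its own noisy samples so far.
                running += A_S * w + sp.gauss(0.0, 1.0)
                x = 1 if running >= 0.0 else -1
            else:
                x = w                               # authentic or replayed chip
            y = a * x + rx.gauss(0.0, 1.0)          # defender's sample
            s_l += beta * (late - w * y)            # early-window shortfall
        total += s_l / NORM
    return total / math.sqrt(N_CHIPS)


def detection_rate(case, trials=30, seed=1):
    """Fraction of trials in which L exceeds the threshold."""
    rx, sp = random.Random(seed), random.Random(seed + 1000)
    hits = sum(detection_statistic(case, rx, sp) > THRESHOLD
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for case in ("authentic", "scer", "replay"):
        print(case, detection_rate(case))
```

With these constructed values the SCER case alarms in most trials, while the replay case alarms no more often than the authentic case because the signal amplitude cancels in the early-minus-late comparison.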
V. CONCLUSIONS
An experimental testbed for developing and evaluating
GNSS signal authentication techniques has been described
and used to evaluate two candidate signal authentication
techniques. It was shown that the first technique, the received
power defense proposed in [15], fails to detect a spoofing
attack when the spoofing power advantage η 1 and when the
false alarm probability $P_F < 10^{-6}$. Even when $P_F = 10^{-4}$,
which would result in approximately one false alarm every
17 days during solar maximum, the detection probability $P_D$
remains below 0.5. Nonetheless, the received power defense
remains useful for detecting unsophisticated spoofers that
resort to η 1.
The SCER attack defense proposed in [29] was also
evaluated, assuming a low-rate security code consistent with
navigation message authentication. In most cases, the empirical $P_F$
and $P_D$ matched the modeled values, which ensured $P_D$ 1
for $P_F = 10^{-4}$ and $P_D > 0.85$ for $P_F = 10^{-6}$. However,
in some cases the empirical $P_D$ dropped below the theoretical
$P_D$, sometimes as low as 0.5 for $P_F = 10^{-4}$. The SCER attack
defense may also suffer from low $P_D$ during the initial stage
of an aligned attack, though if several signals are spoofed the
chance of at least one channel alarming remains high. For good
performance, the SCER attack defense should continuously
estimate η from measurements of the received power $P_T$.
The most significant weakness of the SCER attack defense
is its inability to detect a pure replay (meaconing) attack,
which, while not as flexible as a SCER attack, is nonetheless
potent and dangerous. However, it should be noted that all
cryptographic GNSS signal authentication schemes, even those
based on high-rate military-style security codes, are vulnerable
to pure replay attacks.
REFERENCES
[1] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O’Hanlon,
and P. M. Kintner, Jr., “Assessing the spoofing threat: Development
of a portable GPS civilian spoofer,” in Proceedings of the ION GNSS
Meeting. Savannah, GA: Institute of Navigation, 2008.
[2] D. P. Shepard, T. E. Humphreys, and A. A. Fansler, “Evaluation of the
vulnerability of phasor measurement units to GPS spoofing attacks,”
International Journal of Critical Infrastructure Protection, vol. 5, no.
3-4, pp. 146–153, 2012.
[3] A. J. Kerns, D. P. Shepard, J. A. Bhatti, and T. E. Humphreys,
“Unmanned aircraft capture and control via GPS spoofing,” Journal of
Field Robotics, 2014, http://dx.doi.org/10.1002/rob.21513.
[4] John A. Volpe National Transportation Systems Center, “Vulnerability
assessment of the transportation infrastructure relying on the Global
Positioning System,” 2001.
[5] N. S. W. Center, “Global positioning system impact to critical civil
infrastructure (GICCI),” Mission Assurance Division, Naval Surface
Warfare Center, Tech. Rep., 2009.
[6] U. Kroener and F. Dimc, “Hardening of civilian GNSS trackers,” in
Proceedings of the 3rd GNSS Vulnerabilities and Solutions Conference.
Krk Island, Croatia: Royal Institute of Navigation, Sept. 2010.
[7] Department of Homeland Security, “National risk estimate: Risks to
U.S. critical infrastructure from Global Positioning System disruptions,”
November 2012, FOUO: No Public Version Available.
[8] U.S. Government Accountability Office, “Unmanned Aircraft Systems:
Measuring progress and addressing potential privacy concerns would
facilitate integration into the national airspace system,” GAO-12-981,
September 18, 2012, http://www.gao.gov/products/GAO-12-981.
[9] J. J. Spilker, Jr., Global Positioning System: Theory and Applications.
Washington, D.C.: American Institute of Aeronautics and Astronautics,
1996, ch. 3: GPS Signal Structure and Theoretical Performance, pp.
57–119.
[10] GPS Directorate, “Systems engineering and integration Interface
Specification IS-GPS-200G,” 2012, http://www.gps.gov/technical/icwg/.
[11] European Union, “European GNSS (Galileo) open service signal in
space interface control document,” 2010,
http://ec.europa.eu/enterprise/policies/satnav/galileo/open-service/.
[12] B. M. Ledvina, W. J. Bencze, B. Galusha, and I. Miller, “An in-line
anti-spoofing module for legacy civil GPS receivers,” in Proceedings of
the ION International Technical Meeting, San Diego, CA, Jan. 2010.
[13] K. D. Wesson, D. P. Shepard, J. A. Bhatti, and T. E. Humphreys, “An
evaluation of the vestigial signal defense for civil GPS anti-spoofing,”
in Proceedings of the ION GNSS Meeting, Portland, OR, 2011.
[14] V. Dehghanian, J. Nielsen, and G. Lachapelle, “GNSS spoofing detection
based on receiver $C/N_0$ estimates,” in Proceedings of the ION GNSS
Meeting. Nashville, Tennessee: Institute of Navigation, 2012.
[15] D. M. Akos, “Who’s afraid of the spoofer? GPS/GNSS spoofing
detection via automatic gain control (AGC),” Navigation, Journal of
the Institute of Navigation, vol. 59, no. 4, pp. 281–290, 2012.
[16] A. Cavaleri, B. Motella, M. Pini, and M. Fantino, “Detection of spoofed
GPS signals at code and carrier tracking level,” in 5th ESA Workshop
on Satellite Navigation Technologies and European Workshop on GNSS
Signals and Signal Processing, Dec. 2010.
[17] K. D. Wesson, B. L. Evans, and T. E. Humphreys, “A combined
symmetric difference and power monitoring GNSS anti-spoofing technique,” in
IEEE Global Conference on Signal and Information Processing, 2013.
[18] A. J. Jafarnia, GNSS Signal Authenticity Verification in the Presence of
Structural Interference. University of Calgary, 2013.
[19] D. S. D. Lorenzo, J. Gautier, J. Rife, P. Enge, and D. Akos, “Adaptive
array processing for GPS interference rejection,” in Proceedings of the
ION GNSS Meeting. Long Beach, CA: Institute of Navigation, Sept.
2005.
[20] P. Y. Montgomery, T. E. Humphreys, and B. M. Ledvina, “A
multi-antenna defense: Receiver-autonomous GPS spoofing detection,” Inside
GNSS, vol. 4, no. 2, pp. 40–46, April 2009.
[21] A. Broumandan, A. Jafarnia-Jahromi, V. Dehghanian, J. Nielsen, and
G. Lachapelle, “GNSS spoofing detection in handheld receivers based
on signal spatial correlation,” in Proceedings of the IEEE/ION PLANS
Meeting. Myrtle Beach, SC: Institute of Navigation, April 2012.
[22] D. Borio, “PANOVA tests and their application to GNSS spoofing
detection,” IEEE Transactions on Aerospace and Electronic Systems,
vol. 49, no. 1, pp. 381–394, Jan. 2013.
[23] S. Daneshmand, A. Jafarnia, A. Broumandan, and G. Lachapelle,
“GNSS spoofing mitigation in multipath environments using space-time
processing,” in European navigation conference (ENC) 2013, 2013, pp.
23–25.
[24] A. Konovaltsev, M. Cuntz, C. Haettich, and M. Meurer, “Performance
analysis of joint multi-antenna spoofing detection and attitude
estimation,” in Proceedings of the ION International Technical Meeting, 2013.
[25] M. Psiaki, S. P. Powell, and B. W. O’Hanlon, “GNSS spoofing
detection using high-frequency antenna motion and carrier-phase data,” in
Proceedings of the ION GNSS+ Meeting, 2013, pp. 2949–2991.
[26] S. Khanafseh, N. Roshan, S. Langel, F. Cheng-Chan, M. Joerger, and
B. Pervan, “GPS spoofing detection using RAIM with INS coupling,”
in Proceedings of the IEEE/ION PLANS Meeting, May 2014.
[27] L. Scott, “Anti-spoofing and authenticated signal architectures for civil
navigation systems,” in Proceedings of the ION GNSS Meeting, 2003,
pp. 1542–1552.
[28] K. D. Wesson, M. P. Rothlisberger, and T. E. Humphreys, “Practical
cryptographic civil GPS signal authentication,” Navigation, Journal of
the Institute of Navigation, vol. 59, no. 3, pp. 177–193, 2012.
[29] T. E. Humphreys, “Detection strategy for cryptographic GNSS
anti-spoofing,” IEEE Transactions on Aerospace and Electronic Systems,
vol. 49, no. 2, pp. 1073–1090, 2013.
[30] S. Lo, D. DeLorenzo, P. Enge, D. Akos, and P. Bradley, “Signal
authentication,” Inside GNSS, vol. 0, no. 0, pp. 30–39, Sept. 2009.
[31] M. L. Psiaki, B. W. O’Hanlon, J. A. Bhatti, and T. E. Humphreys,
“Civilian GPS spoofing detection based on dual-receiver correlation of
military signals,” in Proceedings of the ION GNSS Meeting. Portland,
Oregon: Institute of Navigation, 2011.
[32] M. Psiaki, B. O’Hanlon, J. Bhatti, D. Shepard, and T. Humphreys, “GPS
spoofing detection via dual-receiver correlation of military signals,”
IEEE Transactions on Aerospace and Electronic Systems, vol. 49, no. 4,
pp. 2250–2267, 2013.
[33] B. O’Hanlon, M. Psiaki, J. Bhatti, and T. Humphreys, “Real-time
spoofing detection using correlation between two civil GPS receiver,” in
Proceedings of the ION GNSS Meeting. Nashville, Tennessee: Institute
of Navigation, 2012.
[34] B. W. O’Hanlon, M. L. Psiaki, T. E. Humphreys, J. A. Bhatti, and D. P.
Shepard, “Real-time GPS spoofing detection via correlation of encrypted
signals,” Navigation, Journal of the Institute of Navigation, vol. 60,
no. 4, pp. 267–278, 2013.
[35] T. E. Humphreys, J. A. Bhatti, D. P. Shepard, and K. D. Wesson, “The
Texas Spoofing Test Battery: Toward a standard for evaluating GNSS
signal authentication techniques,” in Proceedings of the ION GNSS
Meeting, 2012, http://radionavlab.ae.utexas.edu/texbat.
[36] K. D. Wesson, T. E. Humphreys, and B. L. Evans, “Receiver-autonomous
GPS signal authentication based on joint detection of correlation profile
distortion and anomalous received power,” 2014, (in preparation).
[37] A. J. Kerns, K. D. Wesson, and T. E. Humphreys, “A blueprint for
civil GPS navigation message authentication,” in Proceedings of the
IEEE/ION PLANS Meeting, May 2014.
[38] J. A. Bhatti and T. E. Humphreys, “Covert control of surface vessels
via counterfeit civil GPS signals,” 2014, (in preparation).
[39] A. J. Van Dierendonck, Global Positioning System: Theory and
Applications. Washington, D.C.: American Institute of Aeronautics and
Astronautics, 1996, ch. 8: GPS Receivers, pp. 329–407.
[40] B. O’Hanlon, M. Psiaki, S. Powell, J. Bhatti, T. E. Humphreys,
G. Crowley, and G. Bust, “CASES: A smart, compact GPS software receiver for
space weather monitoring,” in Proceedings of the ION GNSS Meeting.
Portland, Oregon: Institute of Navigation, 2011, pp. 2745–2753.
[41] E. G. Lightsey, T. E. Humphreys, J. A. Bhatti, A. J. Joplin, B. W.
O’Hanlon, and S. P. Powell, “Demonstration of a space capable miniature
dual frequency GNSS receiver,” Navigation, Journal of the Institute of
Navigation, vol. 61, no. 1, pp. 53–64, 2014.
[42] T. Nighswander, B. Ledvina, J. Diamond, R. Brumley, and D. Brumley,
“GPS software attacks,” in Proceedings of the 2012 ACM conference on
Computer and communications security. ACM, 2012, pp. 450–461.
[43] O. Montenbruck, A. Hauschild, and U. Hessels, “Characterization of
GPS/GIOVE sensor stations in the CONGO network,” GPS Solutions,
vol. 14, no. 3, pp. 193–205, 2011.
[44] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, and P. M. Kintner,
Jr., “GNSS receiver implementation on a DSP: Status, challenges, and
prospects,” in Proceedings of the ION GNSS Meeting. Fort Worth, TX:
Institute of Navigation, 2006, pp. 2370–2382.
[45] T. E. Humphreys, J. Bhatti, T. Pany, B. Ledvina, and B. O’Hanlon,
“Exploiting multicore technology in software-defined GNSS receivers,”
in Proceedings of the ION GNSS Meeting. Savannah, GA: Institute of
Navigation, 2009, pp. 326–338.
[46] B. M. Ledvina, M. L. Psiaki, S. P. Powell, and P. M. Kintner, Jr.,
“Bit-wise parallel algorithms for efficient software correlation applied to a
GPS software receiver,” IEEE Transactions on Wireless
Communications, vol. 3, no. 5, Sept. 2004.
[47] M. L. Psiaki, “Real-time generation of bit-wise parallel representations
of over-sampled prn codes,” IEEE Transactions on Wireless
Communications, vol. 5, no. 3, pp. 487–491, March 2006.
[48] B. Ledvina, “Efficient real-time generation of bit-wise parallel
representations of oversampled carrier replicas,” Aerospace and Electronic
Systems, IEEE Transactions on, vol. 47, no. 4, pp. 2921–2933,
Oct. 2011.
[49] H. L. V. Trees, Detection, Estimation, and Modulation Theory. Wiley,
2001.
[50] H. V. Poor, An Introduction to Signal Detection and Estimation, 2nd
Edition. Springer, 1994.
[51] T. E. Humphreys, M. L. Psiaki, and P. M. Kintner, Jr., “Modeling the
effects of ionospheric scintillation on GPS carrier phase tracking,” IEEE
Transactions on Aerospace and Electronic Systems, vol. 46, no. 4, pp.
1624–1637, Oct. 2010.
[52] D. Shepard and T. E. Humphreys, “Characterization of receiver response
to a spoofing attack,” in Proceedings of the ION GNSS Meeting.
Portland, Oregon: Institute of Navigation, 2011.
[53] A. P. Cerruti, P. M. Kintner, D. E. Gary, A. J. Mannucci, R. F. Meyer,
P. Doherty, and A. J. Coster, “Effect of intense December 2006 solar
radio bursts on GPS receivers,” Space Weather, vol. 6, no. 10, 2008.
[54] A. P. Cerruti, P. M. Kintner, D. E. Gary, L. J. Lanzerotti, E. R. de Paula,
and H. B. Vo, “Observed solar radio burst effects on GPS/Wide Area
Augmentation System carrier-to-noise ratio,” Space Weather, vol. 4, no.
S10006, Oct. 2006.
[55] G. Nita, D. Gary, L. Lanzerotti, and D. Thomson, “The peak flux
distribution of solar radio bursts,” The Astrophysical Journal, vol. 570,
p. 423, 2002.
[56] T. E. Humphreys, The GNSS Handbook. Springer, 2014, ch.
Interference, (in preparation).
[57] J. Do, D. M. Akos, and P. K. Enge, “L and S bands spectrum survey in
the San Francisco Bay area,” in Proceedings of the IEEE/ION PLANS
Meeting. IEEE, 2004, pp. 566–572.
[58] T. E. Humphreys, “The GPS dot and its discontents: Privacy vs. GNSS
integrity,” Inside GNSS, vol. 7, no. 2, Mar./Apr. 2012.
[59] R. Mitch, R. Dougherty, M. Psiaki, S. Powell, B. O’Hanlon, J. Bhatti,
and T. Humphreys, “Signal characteristics of civil GPS jammers,” in
Proceedings of the ION GNSS Meeting, 2011.