Vol.:(0123456789)1 3
GPS Solutions (2018) 22:83
https://doi.org/10.1007/s10291-018-0745-7
ORIGINAL ARTICLE
Moving variance-based signal quality monitoring method foruni00A0spoofing
detection
Chaouni00A0Sun
1
uni00A0· Joonuni00A0Waynuni00A0Cheong
2
uni00A0· Andrewuni00A0G.uni00A0Dempster
2
uni00A0· Laureuni00A0Demicheli
2
uni00A0· Edizuni00A0Cetin
2
uni00A0· Hongbouni00A0Zhao
1
uni00A0·
Wenquanuni00A0Feng
1
Received: 27 February 2018 / Accepted: 12 June 2018
© Springer-Verlag GmbH Germany, part of Springer Nature 2018
Abstract
Signal quality monitoring (SQM) techniques, originally designed for multipath detection, were recently found to be useful
to identify underway spoofing attacks. Conventional SQM-based methods directly employ the values of the SQM metrics to
monitor spoofing attacks. They have good feasibility with simple structures but suffer from significant performance loss for
frequency unlocked spoofing cases due to the drift of the relative carrier phase. We developed an enhanced SQM technique
for detecting an onset of spoofing. It is known that the value of the SQM metric fluctuates significantly during the interac-
tion stage between the counterfeit signal and authentic signal. As the variance of metric can better reflect this fluctuation,
we choose the moving variance (MV) of the SQM metric as a new metric to detect the occurrence of spoofing. The basic
principle of the proposed method is introduced. Its ability to detect spoofing has been validated using the Texas Spoofing
Test Battery dataset and compared with the classic SQM methods and a moving average-based method. The results show that
the proposed MV-based SQM method is advantageous in the detection of an onset of a frequency unlocked spoofing attack.
Keywords Spoofing detectionuni00A0· Signal quality monitoring (SQM)uni00A0· Moving varianceuni00A0· Frequency unlockeduni00A0· Carrier phase
alignment
Introduction
GNSS is vulnerable and easily interfered by jamming or
spoofing because of its open signal structure and low signal
power, which threatens the security and integrity of GNSS.
Recent successful implementations of spoofing trials have
further reinforced the awareness of the hazard of spoofing
attacks (Kerns etuni00A0al. 2014; Bhatti and Humphreys 2017).
Thus, most research have been focused on the development
of detection techniques against the spoofing threats.
Typically, spoofing attacks can be concluded into three
main categories (Jafarnia-Jahromi etuni00A0al. 2012a): simplistic
attack, intermediate attack, and sophisticated attack. The
simplistic attack employs a GNSS simulator along with an
RF front-end to imitate authentic GNSS signals. This tech-
nique has the low complexity and good effectiveness on the
stand-alone commercial receivers without any countermeas-
ures. But, it can be detected easily by different anti-spoof-
ing techniques. Intermediate attack utilizes a receiver on
the spoofing end to accurately manipulate the position and
velocity of the target receiver antenna. Thus, this mode of
attack would be implementable but difficult for most known
spoofing countermeasures. The sophisticated attack uses
multiple receiver-spoofers jointly to generate counterfeit
signals. It is able to defeat multi-antenna receiver technique
(Montgomery etuni00A0al. 2009a, b) but is less practical because
of its high complexity. As the intermediate attack poses the
greatest threat, we mainly concentrate on the detection of
this category.
Several studies have been launched to cope with the
spoofing threats during the last decade. The first type of
anti-spoofing techniques was built either based on crypto-
graphic modulation of the civil GNSS signal (Wesson etuni00A0al.
2012) or on receiver antenna defense techniques (Psiaki
etuni00A0al. 2011; Montgomery etuni00A0al. 2009a, b; Konovaltsev etuni00A0al.
�
Chao Sun
1
School ofuni00A0Electronic anduni00A0Information Engineering, Beihang
University, 37 Xueyuan Road, Haidian District, Beijing,
China
2
Australian Centre foruni00A0Space Engineering Research, School
ofuni00A0Electrical Engineering anduni00A0Telecommunications,
University ofuni00A0New South Wales, Sydney, Australia
GPS Solutions (2018) 22:83
1 3
83 Page 2 of 13
2013). However, massive drawbacks disable their imple-
mentation feasibility. Indeed, the cryptographic techniques
would imply a change in GPS infrastructure specification or
a secured network creation, while the economic cost and the
additional hardware of adding two or more antennas are not
affordable in many commercial applications (Broumandan
etuni00A0al. 2014). Recent studies try to avoid such needs using
methods based on the signal power monitoring or carrier to
noise ratio (C/N
0
) monitoring (Jafarnia-Jahromi etuni00A0al. 2012b;
Dehghanian etuni00A0al. 2012), distribution checks of correlator
outputs (Jafarnia-Jahromi etuni00A0al. 2012c; Gamba etuni00A0al. 2017)
and consistency checks among different measurements such
as ephemeris data, clock offset change (Jovanovic etuni00A0al.
2014) or code and carrier Dopplers (Yuan etuni00A0al. 2018).
Signal quality monitoring (SQM) techniques, origi-
nally designed for multipath detection (Phelts 2001), were
recently found to be useful to identify the deformation on the
correlation function due to an intermediate spoofing attack.
They generally have simple structures with low complexity,
showing good feasibility. Manfredini etuni00A0al. (2014) verified
the ratio test metric over a set of spoofing cases. Detailed
performance assessment has also been done (Yang etuni00A0al.
2015; Jafarnia-Jahromi etuni00A0al. 2016). To further improve the
reliability of spoofing detection, a two-dimensional SQM
method was developed by introducing a monitoring metric
in the Doppler frequency domain (Pirsiavash etuni00A0al. 2016).
Furthermore, there are recent methods that demonstrate
the viability of detecting spoofers by observing and thresh-
olding correlator values (Hu etuni00A0al. 2018). This work relies on
the post-correlation values but does not account for the fluc-
tuation in correlation values—one that will be investigated
in depth by way of SQM methods in this study.
To demonstrate the vulnerability of GNSS and test the
capability of spoofing detection techniques, a group of
researchers from the University of Texas developed six
spoofing attack cases and collected the dataset called Texas
Spoofing Test Battery (TEXBAT) (Humphreys etuni00A0al. 2012).
Humphreys etuni00A0al. (2008, 2014) detailed the implementation
of such spoofing attacks and introduced two ways to align
the carrier phase: frequency locked and unlocked modes.
However, Manfredini etuni00A0al. (2014) mentioned that these
SQM metric-based techniques suffer from performance loss
under the frequency unlocked cases of TEXBAT dataset.
That is probably because, for a frequency unlocked case,
the relative carrier phase between the authentic signal and
counterfeit signal is not constant but time-varying. As a
result, the energy of the counterfeit signal frequently trans-
fers between the I and Q channels. Thus, significant oscil-
lations can be observed on the metrics due to the drifting
carrier phase which brings unacceptable high false alarm
rate. Even worse, the oscillation on the metric is just like
the effect of system noise; the effort to average the noise
will also reduce the amplitude of the SQM metric, making
it less obvious to detect.
To handle the above problems, we developed an enhanced
SQM technique for detecting the onset of a spoofing attack.
All of the SQM-based countermeasures mentioned above
directly employ the raw values of the SQM metric to detect
spoofing attacks. During the onset stage, the value of the
SQM metric fluctuates significantly during the interaction
between the counterfeit signal and authentic signal. As the
variance by definition is the measure of variability of a
random variable, it can better reflect the fluctuation of the
SQM metrics. So, we choose the moving variance (MV) of
the SQM metric as a new metric to judge the occurrence
of spoofing. The basic principle of the proposed method
is introduced, and the effect of choosing window size is
discussed. Its ability to detect spoofing has been validated
using the Texas Spoofing Test Battery (TEXBAT) dataset
and compared with the classic SQM methods and a mov-
ing average (MA) based method. The results show that the
proposed MV-based SQM method outperforms the other
methods especially for the detection of frequency unlocked
spoofing attacks.
Spoof_ing attack pattern anduni00A0signal model
Before presenting the proposed method, this section first
recalls the behavior. of a spoofing attack. In addition, the
model for received GNSS signals in the presence of spoofing
attacks is also provided.
Spoofing attack pattern
Intermediate spoofing, identified as an efficient spoofing
attack method, can launch a spoofing attack without inter-
rupting the regular functioning of GNSS receivers. The basic
principle and attack pattern has been introduced in Wesson
etuni00A0al. (2011) and Humphreys etuni00A0al. (2014).
Figureuni00A01 shows the changing process of cross-correlation
over time in the presence of the spoofing attack. When the
authentic and the counterfeit signal reach the victim receiver,
the two signals are to some extent struggling to control the
code and carrier tracking loop for a certain amount of time.
The phase and power of the signal admixture will fluctu-
ate significantly at this moment. Such fluctuation affects the
complex correlation shape and thus causes the abnormality
of correlator output values, which allows us to develop coun-
termeasures by analyzing these correlator outputs.
GPS Solutions (2018) 22:83