Session A1: Navigation Security and Authentication

Towards a Comprehensive Clustering-Aided Cross-Ambiguity Function Monitoring for GNSS Spoofing Detection
Jan M. Becker and Ole Roggenbuck, Department of Geodesy, Federal Agency for Cartography and Geodesy
Location: Holiday 1 (Second Floor)
Alternate Number 1

Reliable and accurate GNSS-based positioning, navigation and timing (PNT) is crucial for numerous fields of existing and developing applications as well as for critical infrastructure, such as aviation, telecommunications, power grids and autonomous driving. All the more important is the timely detection of corrupted PNT caused by GNSS spoofing.

In previous work [1] a method assisted by unsupervised machine learning was proposed for an early detection of coherent, power-matched GNSS spoofing attacks. It is based on the application of a mean shift clustering algorithm in a software-defined acquisition block of a GNSS receiver: The clustering algorithm is applied to data obtained from the Cross Ambiguity Function (CAF) by a particular preprocessing, which involves a threshold filter in the Code-Doppler search space with a fixed threshold level for the observed squared absolute value of the normalized CAF. The formation of multiple clusters can trigger a spoofing warning. An evaluation of this method for GPS L1 C/A for a coherent spoofing attack contained in the Texas Spoofing Test Battery (TEXBAT) data set [2] as well as for simulated coherent attacks for Galileo E1-B showed that the approach performs well within the intended scope, i.e. as long as the received power of the spoofing signal more or less equals that of the authentic signal. Otherwise this method is prone to missed detections.

The present work focuses on an enhancement of the aforementioned clustering-based spoofing detection algorithm by increasing its sensitvity in situations where the received power of authentic and spoofing signal differ more or less significantly. To this end, the preprocessing of CAF data is extended with an additional, adaptive threshold level for the squared absolute value of the CAF derived from a statistical analysis of the associated noise. The new method with the enhanced preprocessing of CAF data is introduced and evaluated with real-world spoofing scenarios recorded at the Jammertest held in Bleik/Norway in September 2024. The evaluation of the recorded digital in-phase and quadrature (IQ) baseband signal snapshots is focused on the Galileo E1-B signal. It demonstrates the algorithm's ability to detect the spoofing attacks and points out the associated increase in sensitivity. Moreover, the evaluation adresses the algorithm's capability to suppress false alarms in case of correlation peak splits induced by a data bit sign transition in the coherent integration time interval [3]. In order to allow for a thorough assessment of the radio frequency interference (RFI) conditions at the Jammertest, the results obtained for the enhanced spoofing detection algorithm are complemented by further RFI monitoring results obtained with the IQ snapshot recordings on the pre-, post-correlation as well as PNT level (in-band power, power spectral density, signal-to-noise ratio, number of acquired satellites, position). The aforementioned evaluation demonstrates that the enhanced algorithm allows for a comprehensive automated monitoring of the absolute value of the CAF in a threefold sense: First, an early detection of perturbations of an authentic correlation peak is possible, which provides an effective countermeasure against coherent power-matched spoofing attacks. Second, the presence of multiple correlation peaks is detectable across the whole Code-Doppler search space as long as the peaks are statistically distinguishable from noise. Third, the presence of a non-authentic correlation peak can be detected also in case if it appears too clear, i.e. the noise floor is unnaturally low and higher-order side lobes in the squared absolute value of the CAF stemming from the Doppler shift dependent cardinal sine term in the CAF stick out of the noise floor, as can be the case for high power spoofing. In particular, this also holds for the case that only a single, non-authentic correlation peak is visible above the noise floor. In the end, the power range of the received spoofing signal for which an attack remains undetected is reduced significantly.

[1] Becker, J.M. Early Detection of Coherent GNSS Spoofing Attacks with Cluster Analysis at Receiver Acquisition Stage. In Proceedings of the European Navigation Conference 2024, Noordwijk, The Netherlands, May 2024; forthcoming.
[2] Humphreys, T.; Bhatti, J.; Shepard, D.; Wesson, K. The Texas Spoofing Test Battery: Toward a Standard for Evaluating GPS Signal Authentication Techniques. In Proceedings of the 25th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2012), Nashville, TN, September 2012; pp. 3569 – 3583.
[3] Sun, K.; Lo Presti, L. Bit Sign Transition Cancellation Method for GNSS Signal Acquisition. Journal of Navigation 2012, 65, 73–97. https://doi.org/10.1017/S0373463311000543.