Spoofing Detection by Distortion of the Correlation Function
Michael Turner, Steve Wimbush, Airbus Defence and Space, UK; Christoph Enneking, Andriy Konovaltsev, German Aerospace Center (DLR), Germany
Date/Time: Friday, Sep. 25, 4:04 p.m.
Open service GNSS signals are vulnerable to a spoofing attack where counterfeit signals are transmitted to deliberately mislead a user receiver, this is known as spoofing. A spoofer can capture a receiver’s tracking loops by aligning the time of arrival and Doppler frequency of its counterfeit signals with the real ones but with a higher SNR. The user receiver will then track the counterfeit signals in preference to the genuine signals allowing the attacker to pull the target receiver position or time as they wish. If the spoofer has significantly more power than the genuine signals this is easily detected in the SNR estimates and the user can be alerted however the spoofing power can be set such that it is similar to the genuine signals hence the SNR estimates alone are not a robust indicator of spoofing. In many applications the user receiver has access to the genuine line of sight signals. This means that when the spoofer tries to capture the tracking loops or pull them away from the genuine signals the correlation function becomes distorted or multiple correlation peaks are present.
There is a class of GNSS receiver that uses block processing with FFT correlation to track each satellite. This type of receiver has the full correlation function available. The Airbus Multiple Tracking Locked Loop (MTLL) is an implementation of this type of receiver. It has thousands correlator points spaced over both time and frequency for every tracked satellite. With this configuration, distortions and multiple peaks are easily seen, allowing a spoofer to be detected even before it has captured the tracking loops.
This paper proposes a method of decomposing the correlation function to estimate the parameters of the radio propagation channel experienced by a GNSS satellite signal. This method is defined for data sets that have either delay only and delay-Doppler correlation functions available. The propagation channel is modelled as a tap-delay line with some fixed tap-spacing in the delay and, if applicable, Doppler frequency dimensions. Once the channel parameters have been established a maximum likelihood ratio test is performed to identify anomalous channel conditions and raise a spoofing alarm.
A set of scenarios have been defined where this method can be deployed. These scenarios are then used to define a simulation test case. The method has been then tested against these simulations. In addition the University of Texas Spoofing Battery data sets and data from a live signal testing at the Sennybridge range have been included. From the test results an evaluation is made of the false alarm and missed detection probabilities along with the time to alert. The paper will draw conclusions about the potential of the proposed methods as an anti-spoofing countermeasure in safety-critical GNSS applications.