This study aims to establish the performance of a multi-criteria collaborative integrity control in the presence of GNSS spoofing. The plurality of criteria means that multiple sources of information are used simultaneously to determine whether or not the position of the receivers is degraded by a GNSS attack. By using the residuals of the PVT (position, velocity, time) estimation and the /0 ratio (expressed in dB-Hz), a robust integrity control can be obtained with all the data used. The main strength of this integrity control lies in the collaboration between receivers through comparison and sharing of information. Additionally, it only adds a software layer to the system, and no additional hardware is required for this method. It works equally well with a limited number of receivers as it does with a large number of receivers.
receiver’s speed. Two monitoring statistics are formed on these two residual vectors. A third monitoring
statistic is based on the /0 ratio, which is an excellent indicator of noise level and received signal
power evolution by the receivers. This parameter provides a very efective indicator, especially for
GNSS jamming detection. This monitoring statistic informs us of any significant degradation of GNSS
signals in an area where the monitored group of receivers is evolving. A fourth monitoring can also be
added: the monitoring of the receiver clock drift. Indeed, according to [
First, we will examine the formation of monitoring statistics based on residuals and their behavior in response to common and sophisticated spoofing attacks. Then, we will analyze the reaction of /0 ratios during jamming and spoofing attacks. Finally, we will conclude on the diferent scenarios that allow for the implementation of this system.
Before presenting the CERIM methodology, it is useful to review related studies on collaborative
integrity monitoring in GNSS systems, particularly for spoofing and jamming detection. One approach,
detailed by [
CERIM is a collaborative method designed to establish a monitoring statistic that highlights position
drifts resulting from natural technical errors. The main strength of CERIM lies in the fact that it requires
no bulky infrastructure, except for a communication link between each receiver and a centralization
of information to be operational. This feature allows CERIM to provide a robust integrity control,
particularly in the presence of receivers close to each other evolving in a complex environment with
multiple reflections and obstructions [
RAIM and CERIM use calculation residuals to ensure the validity of positioning calculations. These
residuals significantly increase in case of errors, allowing a monitoring statistic to be established over
time. When calculating a position using pseudo-distances provided by the receiver, the method used
aims to determine the position that best satisfies the observed data. The uncertainties inherent in
measurements result in residuals in the solution of an overdetermined system of equations because
this solution represents the best compromise with respect to the entire set of equations. If one of the
equations presents measurements that deviate significantly from this compromise solution, it will be
reflected in the residual and, consequently, in the associated monitoring curve. When the receiver
captures signals from at least five satellites, the problem becomes overdetermined, allowing residuals to
be obtained. In this study, these residuals concern both pseudo-distances and calculated velocities.
The residuals in satellite space are interdependent because subtracting theoretical measurements based
on a common estimation of the solution introduces algebraic coupling. The residual vector r is as
long as two times the number of satellites visible by receiver . The method used is a least squares
estimation [
Δx = (︀ H H)︀ − 1 H Δ (1)
In this study, the 8 parameters constituting PVT are estimated jointly. This allows for the simultaneous estimation of the position vector [, , ], the velocity vector [, , ], the clock bias , and the clock drift ˙. The residual vector, extracted after the joint calculation of these eight parameters, has a dimension of R× 2 because the method used requires redundancy in the pseudorange data to accurately estimate the receiver’s velocity.
The global residual vector is decomposed into two sub-vectors: r = r− + r (2) These sub-vectors have dimensions equal to R .
In this study, we extend CERIM to Doppler residuals. This monitoring of Doppler frequency estimation
residuals (r) will be more precise because it is a measure of the relative velocity between the satellite
and the receiver, derived from the frequency shift of the received signal. The Doppler frequency results
from the demodulation of the signal’s carrier, which is less sensitive to the environment (noise and
multipath), thereby reducing the impact of certain errors. Errors afecting the Doppler frequency are
related to the temporal drift of pseudorange errors. Therefore, the CERIM statistic, established from
Doppler residuals, proves to be particularly sensitive, especially in cases of attacks lacking coherence in
Doppler signal estimation. Indeed, it is challenging to make a spoofing attack coherent at the Doppler
signal level. While it is theoretically possible to make such an attack coherent, it is much more complex
in practice [
These two sub-vectors of residuals are expressed in the satellite space r ∈ R . Given that the
residuals are constrained to be orthogonal to the four columns of the Jacobian matrix, the residuals
of the sub-vectors r− and r are not independent. This redundancy leads to a degenerate
non-invertible covariance matrix of the residuals. Therefore, this representation of the residual vector
has the disadvantage of introducing an algebraic dependency between the residuals by mixing the
measurements necessary for the solution calculation and the redundant measurements. It is then wise
to transform the residuals into an alternative form that eliminates redundancy by considering a space,
called the parity space [
p = N r where N is the null space matrix of the Jacobian matrix H such that N H = 0. It has a dimension of R× (− 4).
Once the two sub-vectors are in the parity space: p− and p , both with dimensions R− 4, two monitoring statistics can be formed.
− = ∑︁ p− Q−1− p− =1
= ∑︁ p Q−1 p
=1 Q− = N− R− N−
Q = N R N (3) (4) (5) (6) (7)
These statistics are derived from the Baseline algorithm [
[︁ R− = E r− r−
]︁ [︁ R = E r r ]︁ Two other statistics can be computed with the concatenated parity vectors p− and p : The statistics are then: p = [︀ p1 p 2 · · ·
p ]︀ − = p− Q−1− p−
= p Q−1 p
with the matrix Q corresponding to the covariance of the two concatenated parity sub-vectors p. The
matrix Q can be constructed in blocks, where each block is the expected value of a pair of measurement
sets, m and n. According to [
Following the explanation by [
Q[, ] = E ︀[ p p ]︀ Q[, ] = ︂{ 0
̸=
Q =
The two methods outlined for forming the CERIM Baseline monitoring statistics (sum or concatenated
vector) are equivalent; however, it is essential to note that constructing the covariance matrices correctly
is crucial to obtain a good probability distribution of false alarms (PFA). In this study, the covariance
matrices for these two CERIM monitoring statistics, pseudo-range and Doppler, are estimated via the
methods outlined in [
These Baseline monitoring statistics must have an anomaly detection threshold . An alert is triggered if: − > − →
> →
This double CERIM monitoring statistic will theoretically be more robust to inconsistencies, as we will see in section 4. 3. Carrier to noise ratio /0 surveillance When a GNSS receiver approaches the spoofer, the power of the received signal attempting to spoof increases. The area where this signal is strong can be relatively large. This results in a notable increase in the signal-to-noise ratio (SNR) of receivers located within the spoofer’s area of influence because signals from GNSS satellites are generally weak compared to those from the spoofer. To standardize these measurements, the /0 ratio, which corresponds to the signal-to-noise ratio normalized to a 1 Hz frequency, is used. This method allows for the elimination of bandwidth variations between diferent receivers, making the /0 ratio more consistent within a cooperative receiver network. Consequently, when the spoofer gets closer to a GNSS receiver, the receiver’s /0 ratio increases significantly due to the increased signal. Conversely, when a jammer is near a receiver, this /0 ratio decreases significantly due to the increased noise.
The surveillance statistic resulting from this /0 monitoring ([
1, 0 + , ...,
, ︂] 0 + ⎡ 1,⎤ = ⎢⎣ ... ⎥⎦
, S = ⎢⎢⎣ .0.
0 0 ..
0 22, ..
.. .. .. 2, 0 ⎤ 0 ⎥ .. ⎦⎥ () =
=1 1 ∑︁ () (18) (19) (20) (21) Additionally, the surveillance statistic can be adapted to pool data from multiple receivers: This yields two surveillance statistics: one can have an individual or collaborative statistic. The most interesting aspect is to observe the behavior of a single receiver to understand its performance when operating in challenging environments (vegetation cover, masking, and multipath).
This section applies theoretical principles to real data to test diferent surveillance statistics. All
experiments are based on real data; however, for obvious safety and legal reasons, spoofing is simulated.
The real data are then implemented with more or less logical bias depending on the type of attack,
inducing diferent positions for the receivers.
4.1. Test on the /0 surveillance statistic
a significant jump in the /0 surveillance statistic.
the attack becomes apparent on the surveillance statistic. According to [
The analysis of the curve in Figure 2 shows diferent PFA distributions, allowing for the definition of a robust threshold to diferentiate between natural variations and intentional jamming or spoofing 87.5
75 attacks. The diference between the distributions can be explained by the fact that, when /0 values are stable, the covariance matrix has low values, making its pseudo-inverse very large. Thus, even small variations in /0 result in significant changes, unlike in an environment with larger variations, where the pseudo-inverse is small and reduce fluctuations. These natural variations afect GNSS signals less significantly than intentional human-induced degradations.
For this test, the 4 receivers will undergo common GNSS spoofing whereby the signals are repeated. The spoofer acts as a GNSS signal repeater: it captures the received signals and then retransmits them after a delay, thus misleading the receiver about its position by positioning it at the location of the spoofer. Implementing this type of spoofing is relatively simple: it involves capturing signals at a given location and sending them back amplified. This creates an area of influence around the spoofer. However, to enhance its efectiveness, the spoofer must precisely adjust the parameters of the spoofed signal and adapt the spoofing environment to optimize the impact of the spoofing. The diference between a classic repeater and an "all-satellite" repeater lies in the number of satellites the spoofer will spoof: the classic repeater only allows partial spoofing (of a few satellites), whereas the all-satellite repeater enables full spoofing by repeating the signals of all satellites.
45°50'N
Here, we will simulate a fictitious spoofing by modifying our data to produce a repeater-type spoofing within the network of receivers to be monitored. For this, we will use a fictitious station located 2 km from the OPME receiver. Initially, the spoofer will capture only the satellites visible by the OPME station, which we will refer to as a classic repeater (see figure 3). Here, both our receivers and the spoofer are fixed. The pseudo-ranges and Doppler data are modified accordingly to avoid introducing an additional bias on the receiver’s clock bias and clock drift.
This simulation will be repeated k = 500 times, during which a repeater spoofing will be randomly introduced. The duration of this spoofing will be randomly chosen, varying between 50 and 200 seconds, and its start will occur at a random time between t = 500 and t = 3200. Several of these simulations are summarized in Table 1, and they help evaluate the impact of repeater spoofing on the joint CERIM surveillance statistics, including pseudo-ranges and Doppler measurements. The detection threshold is set to achieve a PFA of 10− 5.
In Table 1, it’s important to note that spoofing attacks that alter all the set of satellites visible to the receiver are much better detected. These attacks are more representative of a receiver behavior in presence of a repeater, since in its normal operation, an individual receiver tends to exclude the unfited satellites with RAIM. In other words, the presence of a mix of signal satellites from the sky and from the spoofer in the navigation solution does not generally last. In fact, the redundancy of information lends weight to inconsistencies detected through the residuals, making it easier to trigger an alarm. The numerous inconsistencies enhance the detection of the attack, highlighting the importance of pooling information to clear any doubt about such attacks. We also observe a decrease in performance with four spoofed receivers. This anomaly can be explained by the fact that the spoofer’s position remains ifxed, as does that of the stations. It would be relevant to conduct tests with moving stations, which would allow the surveillance statistic to detect this situation more clearly to remove this uncertainty, as the Doppler would not be consistent in such a scenario.
The same dataset as in the previous test is used, but this time we will introduce a bias in the data to gradually and significantly modify the position of one of the network’s receivers. This manipulation will consistently afect only one of the four receivers. We modified the position of the spoofer, as show in Figure 4. To strengthen the hypotheses, this simulation will be repeated k = 500 times, during which a sophisticated spoofing will be introduced. The duration of this spoofing will be randomly chosen, varying between 50 and 200 seconds, and its start will be set at a random time between t = 500 and t = 3200. This spoofing will generate a consistent position for the targeted receiver, but this position will be inconsistent with the other receivers. The results of the diferent simulations are summarized in Table 2. The detection threshold is adjusted to achieve a PFA of 10− 5. The results obtained in Table 2 are quite similar to those presented in Table 1. However, it is noticed here that the number of detections is higher than that observed during repeater spoofing. This diference is explained by the fact that, in this case, the receiver is artificially set in motion by the spoofer by slowly displacing its position, which makes the Doppler efect indispensable for evaluating the validity of the receivers’ PVT (Position, Velocity, Time) estimates. This results in a higher probability of alarm because the residues related to the Doppler efect are more sensitive to inconsistencies. In both spoofing test scenarios, it appears that performance does not substantially depend on the number of compromised receivers. Excellent detections are observed when 50% of the receivers are afected by a spoofing attack.
Diferent scenarios can be tested: the network can be tightened (receivers close to each other) or
spread out (receivers far from each other). Here, we decided to hybridize both approaches to evaluate
the impact of the distance between the receivers. However, according to [
Each criterion covers a specific variable useful for the GNSS receiver, which gives a significant advantage to this multi-criteria approach for anomaly detection. However, it is important to highlight the theoretical nature of the attack: certain biases related to the simulation can lead to degraded performance, even if the tests are conducted under conditions as realistic as possible. Also, the real data used for the various tests come from high-quality receivers (TRIMBLE: NetR9, SPECTRA: SP90M), which provide very stable data with very few errors. The performance of each monitoring statistic provides us with a detailed understanding of their behavior in the event of spoofing attacks. However, it is dificult to define scenarios that are favorable or unfavorable for attack detection. An attack will be more noticeable if all receivers detect the same threat, as it will not appear coherent to each of them. A sophisticated spoofing attack that synchronizes its attacks individually on each receiver is highly complex to implement. Indeed, the same spoofer should find a way to attack individually each of the receivers with a specific attack. Added, for the spoofer, to the necessary simultaneous knowledge of the positions of all the receivers, it appears to be something that is far from easy to carry out. Moreover, it is important to underline that this multi-criteria approach would allow for the detection of advanced spoofing cases because, in practice, a spoofer is never perfect. This method incorporates all the variables used by the receiver to localize itself. Thus, it ofers robustness against most attacks, as the combination of information can reveal inconsistencies that would go unnoticed if analyzed in isolation.
The performance of this multi-criteria solution has shown very promising results, allowing the detection of spoofing attacks on a network of GNSS receivers without much dificulty. However, additional tests are necessary to confirm these performances by varying the spoofing approaches to verify whether the conditions are applicable to other configurations and a diferent number of receivers. The full experimental validation of this solution remains to be carried out to confirm the expected theoretical and practical benefits. In the long term, this approach seems extremely promising for improving and reinforcing the detection of these attacks.
The author(s) have not employed any Generative AI tools.