GNSS Spoofing Network Monitoring Based on Differential Pseudorange

Spoofing is becoming a serious threat to various Global Navigation Satellite System (GNSS) applications, especially for those that require high reliability and security such as power grid synchronization and applications related to first responders and aviation safety. Most current works on anti-spoofing focus on spoofing detection from the individual receiver side, which identifies spoofing when it is under an attack. This paper proposes a novel spoofing network monitoring (SNM) mechanism aiming to reveal the presence of spoofing within an area. Consisting of several receivers and one central processing component, it keeps detecting spoofing even when the network is not attacked. The mechanism is based on the different time difference of arrival (TDOA) properties between spoofing and authentic signals. Normally, TDOAs of spoofing signals from a common spoofer are identical while those of authentic signals from diverse directions are dispersed. The TDOA is measured as the differential pseudorange to carrier frequency ratio (DPF). In a spoofing case, the DPFs include those of both authentic and spoofing signals, among which the DPFs of authentic are dispersed while those of spoofing are almost overlapped. An algorithm is proposed to search for the DPFs that are within a pre-defined small range, and an alarm will be raised if several DPFs are found within such range. The proposed SNM methodology is validated by simulations and a partial field trial. Results show 99.99% detection and 0.01% false alarm probabilities are achieved. The SNM has the potential to be adopted in various applications such as (1) alerting dedicated users when spoofing is occurring, which could significantly shorten the receiver side spoofing cost; (2) in combination with GNSS performance monitoring systems, such as the Continuous Operating Reference System (CORS) and GNSS Availability, Accuracy, Reliability anD Integrity Assessment for Timing and Navigation (GAARDIAN) System, to provide more reliable monitoring services.


Introduction
The GNSS's vulnerability to spoofing was first officially identified by the U.S. government in 2001 [1]. Recently, the situation has become more critical. An experiment conducted by the research team led by Dr. Humphreys illustrates the threat of spoofing, where an unmanned aerial vehicle (UAV) was captured and then forced to crash down [2].
Although many effective spoofing detection techniques have been developed to protect individual receivers, there is little discussion in the literature focusing on spoofing monitoring that aims to monitor the presence of spoofing within an area. Actually, spoofing monitoring could be promising and valuable in various applications. For instance, when equipped with spoofing monitoring, one could alert dedicated users when spoofing is occurring. This is attractive because the users can be made aware of spoofing without having to continuously perform spoofing detection themselves. Also, it could Based on these considerations, a spoofing network monitoring (SNM) mechanism consisting of multiple (more than one) receivers and a central processing component is proposed in this paper. As opposed to the previous works on multi-receiver-based anti-spoofing [18][19][20][21][22], the SNM is able to detect the presence of spoofing signals no matter whether the PVT solutions are influenced by spoofing. The essence of the SNM is to search for the spoofing signals among all the received signals. The use of multiple receivers rather than one receiver is mainly because the SNM mechanism is based on the differing TDOA properties between spoofing and authentic signals. Like many spoofing detection techniques [9][10][11][12][17][18][19][20]22,23], the SNM assumes that the spoofing signals are transmitted from a common spoofer. Hence, the TDOAs of spoofing signals transmitted from a common spoofer are identical, while those of authentic signals from diverse directions are dispersed. The TDOA is measured as the differential pseudorange to carrier frequency ratio (DPF). In a non-spoofing case where only authentic signals are received, the DPFs of the received signals are dispersed. In a spoofing case, both authentic and spoofing signals are received and therefore the DPFs will include those of both authentic and spoofing signals. Among these, the DPFs of authentic are dispersed while those of spoofing are almost overlapped. Hence, an algorithm is designed to search for the DPFs that are within a predefined small range, and an alarm will be raised if several DPFs are found within such a range. Simulations and real-data experiments are conducted to validate spoofing monitoring performance. Results show the detection and false alarm probabilities could reach 99.99% and 0.01%, respectively.
The SNM is relatively low-cost and can be easily implemented and deployed for three reasons: (1) It consists of at least two monitoring receivers, and most commercial receivers could be adopted with only a slightly modification in software; (2) The monitoring receivers do not require either clock synchronization or the knowledge of their 3-D positions. This implies the SNM could be a 'plug and play' option; (3) The methodology is totally software-defined and is of low computational complexity.
The rest of the paper consists of 8 sections. Section 2 gives the architecture of the SNM. Section 3 gives differential pseudorange (DP) models, based on which the DPF models are given in Section 4. Section 5 introduces the spoofing monitoring methodology. Its performance is then tested based on simulations in Section 6. The real-data experiments are conducted in Section 7 to validate the proposed SNM. Section 8 provides some discussion and recommends future work. Section 9 concludes the paper.

Spoofing Network Monitoring Architecture
The architecture given by Figure 1 consists of at least two monitoring receivers and a central processing component (CPC). The monitoring receivers are used to provide pseudorange and Doppler measurements of all the received signals. These measurements are then fed into the CPC for spoofing monitoring purposes. The rest of this section introduces the 4-step spoofing network monitoring architecture, and a detailed analysis is given in the successive sections. multiple (more than one) receivers and a central processing component is proposed in this paper. As opposed to the previous works on multi-receiver-based anti-spoofing [18][19][20][21][22], the SNM is able to detect the presence of spoofing signals no matter whether the PVT solutions are influenced by spoofing. The essence of the SNM is to search for the spoofing signals among all the received signals. The use of multiple receivers rather than one receiver is mainly because the SNM mechanism is based on the differing TDOA properties between spoofing and authentic signals. Like many spoofing detection techniques [9][10][11][12][17][18][19][20]22,23], the SNM assumes that the spoofing signals are transmitted from a common spoofer. Hence, the TDOAs of spoofing signals transmitted from a common spoofer are identical, while those of authentic signals from diverse directions are dispersed. The TDOA is measured as the differential pseudorange to carrier frequency ratio (DPF). In a non-spoofing case where only authentic signals are received, the DPFs of the received signals are dispersed. In a spoofing case, both authentic and spoofing signals are received and therefore the DPFs will include those of both authentic and spoofing signals. Among these, the DPFs of authentic are dispersed while those of spoofing are almost overlapped. Hence, an algorithm is designed to search for the DPFs that are within a predefined small range, and an alarm will be raised if several DPFs are found within such a range. Simulations and real-data experiments are conducted to validate spoofing monitoring performance. Results show the detection and false alarm probabilities could reach 99.99% and 0.01%, respectively.
The SNM is relatively low-cost and can be easily implemented and deployed for three reasons: (1) It consists of at least two monitoring receivers, and most commercial receivers could be adopted with only a slightly modification in software; (2) The monitoring receivers do not require either clock synchronization or the knowledge of their 3-D positions. This implies the SNM could be a 'plug and play' option; (3) The methodology is totally software-defined and is of low computational complexity.
The rest of the paper consists of 8 sections. Section 2 gives the architecture of the SNM. Section 3 gives differential pseudorange (DP) models, based on which the DPF models are given in Section 4. Section 5 introduces the spoofing monitoring methodology. Its performance is then tested based on simulations in Section 6. The real-data experiments are conducted in Section 7 to validate the proposed SNM. Section 8 provides some discussion and recommends future work. Section 9 concludes the paper.

Spoofing Network Monitoring Architecture
The architecture given by Figure 1 consists of at least two monitoring receivers and a central processing component (CPC). The monitoring receivers are used to provide pseudorange and Doppler measurements of all the received signals. These measurements are then fed into the CPC for spoofing monitoring purposes. The rest of this section introduces the 4-step spoofing network monitoring architecture, and a detailed analysis is given in the successive sections.

Raw Measurements
Since the spoofing monitoring is based on the DPF, the first step is to estimate the pseudorange and Doppler measurements of all the received signals. This step is performed by the monitoring receivers. The receiver architecture given by Figure 2 is almost the same as the normal commercial receivers except for the acquisition block. The modified acquisition block searches for all the signals and then passes all those that are above the predetermined acquisition threshold to the tracking block. Hence, if spoofing exists, both the authentic and spoofing signals will be acquired [10][11][12]. This modified acquisition process has already been introduced and adopted by references [10][11][12] for spoofing detection purposes. The tracking block aims to estimate the Doppler and code phase measurements of these acquired signals. The Doppler measurements are fed into the CPC and the code phases are used to measure the pseudorange. It is measured as the product of the speed of light and the signal's propagation time that is the difference between its generation and received time. The generation time is determined based on the decoded navigation message and the code phase [24] while the received time is read from the receiver's clock. Though the GNSS cannot be trusted for timing as there may exist a spoofing, many other cheap ways could be adopted. For example, there is the Network Time Protocol (NTP)-based clock synchronization technology, which is widely used for internet time synchronization and can achieve a precision of tens of milliseconds [25]. This precision is sufficient for spoofing monitoring.

Raw Measurements
Since the spoofing monitoring is based on the DPF, the first step is to estimate the pseudorange and Doppler measurements of all the received signals. This step is performed by the monitoring receivers. The receiver architecture given by Figure 2 is almost the same as the normal commercial receivers except for the acquisition block. The modified acquisition block searches for all the signals and then passes all those that are above the predetermined acquisition threshold to the tracking block. Hence, if spoofing exists, both the authentic and spoofing signals will be acquired [10][11][12]. This modified acquisition process has already been introduced and adopted by references [10][11][12] for spoofing detection purposes. The tracking block aims to estimate the Doppler and code phase measurements of these acquired signals. The Doppler measurements are fed into the CPC and the code phases are used to measure the pseudorange. It is measured as the product of the speed of light and the signal's propagation time that is the difference between its generation and received time. The generation time is determined based on the decoded navigation message and the code phase [24] while the received time is read from the receiver's clock. Though the GNSS cannot be trusted for timing as there may exist a spoofing, many other cheap ways could be adopted. For example, there is the Network Time Protocol (NTP)-based clock synchronization technology, which is widely used for internet time synchronization and can achieve a precision of tens of milliseconds [25]. This precision is sufficient for spoofing monitoring.  Note the following:

Receiver
 In a spoofing case, although both authentic and spoofing signals are processed by the receiver, the receiver itself does not know the types of the signals (spoofing or authentic), and it does not even know whether there are spoofing signals or not.  The monitoring receiver does not need to perform the PVT process because its only function is to provide raw measurements. Hence, the PVT block is not given in the monitoring receiver architecture.

Differential Pseudorange Calculation
The differential pseudorange (DP) is calculated based on the pseudorange measurements from receivers. In a spoofing case, the pseudoranges of both spoofing and authentic signals are provided by each receiver, so the calculated DPs would consist of 2 or 3 DP types: (1) DP between spoofing signals; (2) DP between authentic signals; and possibly (3) the DP between spoofing and authentic signals if the two have some common PRNs. These three types are introduced in Section 3.3, where the corresponding DP models are also given.

DPF Calculation
The DPF is calculated as the ratio between the differential pseudorange and the received carrier frequency. The received carrier frequency is a combination of the signal frequency generated at the satellite (e.g., 1.57542 GHz for GPS L1) and the Doppler measurement provided by either of the two receivers. Based on the DPs given by step 2, the calculated DPFs in a spoofing case also include 2 or 3 Note the following:

•
In a spoofing case, although both authentic and spoofing signals are processed by the receiver, the receiver itself does not know the types of the signals (spoofing or authentic), and it does not even know whether there are spoofing signals or not.

•
The monitoring receiver does not need to perform the PVT process because its only function is to provide raw measurements. Hence, the PVT block is not given in the monitoring receiver architecture.

Differential Pseudorange Calculation
The differential pseudorange (DP) is calculated based on the pseudorange measurements from receivers. In a spoofing case, the pseudoranges of both spoofing and authentic signals are provided by each receiver, so the calculated DPs would consist of 2 or 3 DP types: (1) DP between spoofing signals; (2) DP between authentic signals; and possibly (3) the DP between spoofing and authentic signals if the two have some common PRNs. These three types are introduced in Section 3.3, where the corresponding DP models are also given.

DPF Calculation
The DPF is calculated as the ratio between the differential pseudorange and the received carrier frequency. The received carrier frequency is a combination of the signal frequency generated at the satellite (e.g., 1.57542 GHz for GPS L1) and the Doppler measurement provided by either of the two receivers. Based on the DPs given by step 2, the calculated DPFs in a spoofing case also include 2 or 3 types: (1) DPF between spoofing signals; (2) DPF between authentic signals; and possibly (3) the DPF between spoofing and authentic signals.
These three types are discussed in Section 4, where the corresponding DPF models are also given. It shows the DPF consists of the TDOA, multipath error difference, clock difference and estimation noise. Considering spoofing signals are from a common spoofer, the first three parts of spoofing DPFs are identical. Hence, the spoofing DPFs are almost overlapped. By contrast, the authentic DPFs are dispersed as authentic signals come from various directions.

Spoofing Monitoring
In a non-spoofing case, only dispersed authentic DPFs are present. In a spoofing case, as discussed before, besides dispersed authentic DPFs, the overlapped spoofing DPFs will also be present. Hence the monitoring algorithm is designed to search for the DPFs that are within a predefined small range, and the presence of spoofing is determined when several DPFs are found within such range. The monitoring methodology, including the hypothesis test, the determination of the pre-defined range and the algorithm, is introduced in Section 5.

Differential Pseudorange Models
This section firstly gives the spoofing scenario, based on which the pseudorange models are then given. Finally, the differential pseudorange models are formulated. Figure 3 illustrates a typical spoofing scenario consisting of two monitoring receivers, a spoofer and several GNSS satellites. It is assumed each of the two monitoring receivers, noted as rcv 1 and rcv 2 , are able to receive both spoofing and authentic signals. The clock bias for rcv x is as ∆t x . The receiver time t of rcv x is modelled as a combination of true time t x and the clock bias ∆t x :

Spoofing Scenario
Sensors 2016, 16, 1771 5 of 21 types: (1) DPF between spoofing signals; (2) DPF between authentic signals; and possibly (3) the DPF between spoofing and authentic signals. These three types are discussed in Section 4, where the corresponding DPF models are also given. It shows the DPF consists of the TDOA, multipath error difference, clock difference and estimation noise. Considering spoofing signals are from a common spoofer, the first three parts of spoofing DPFs are identical. Hence, the spoofing DPFs are almost overlapped. By contrast, the authentic DPFs are dispersed as authentic signals come from various directions.

Spoofing Monitoring
In a non-spoofing case, only dispersed authentic DPFs are present. In a spoofing case, as discussed before, besides dispersed authentic DPFs, the overlapped spoofing DPFs will also be present. Hence the monitoring algorithm is designed to search for the DPFs that are within a predefined small range, and the presence of spoofing is determined when several DPFs are found within such range. The monitoring methodology, including the hypothesis test, the determination of the pre-defined range and the algorithm, is introduced in Section 5.

Differential Pseudorange Models
This section firstly gives the spoofing scenario, based on which the pseudorange models are then given. Finally, the differential pseudorange models are formulated. Figure 3 illustrates a typical spoofing scenario consisting of two monitoring receivers, a spoofer and several GNSS satellites. It is assumed each of the two monitoring receivers, noted as rcv1 and rcv2, are able to receive both spoofing and authentic signals. The clock bias for rcvx is as ∆tx. The receiver time t' of rcvx is modelled as a combination of true time tx and the clock bias ∆tx:  The spoofer is transmitting several fake GNSS signals with faked Doppler and code phase, and the faked code phase will result in the faked pseudorange ρ s,i . Like many other spoofing detection methods assuming all spoofing signals transmitted from a common spoofer, the number of spoofing signals is assumed to be at least 4 so that victim receivers could be spoofed to a wrong location via adopting spoofing signals for PVT calculation. The PRN sets of spoofing and authentic signals are noted as PRN S and PRN A , respectively. The relationships between the two sets are as follows:  The spoofer is transmitting several fake GNSS signals with faked Doppler and code phase, and the faked code phase will result in the faked pseudorange ρ s,i . Like many other spoofing detection methods assuming all spoofing signals transmitted from a common spoofer, the number of spoofing signals is assumed to be at least 4 so that victim receivers could be spoofed to a wrong location via adopting spoofing signals for PVT calculation. The PRN sets of spoofing and authentic signals are noted as PRN S and PRN A , respectively. The relationships between the two sets are as follows:

Spoofing Scenario
where PRN A∩S is the intersection of PRN A and PRN S , PRN A−S belongs to PRN A but not PRN S , and PRN S−A belongs to PRN S but not PRN A .

Pseudorange Measurement
After all the signals are processed, the pseudorange measurements at rcv x are: wherein ρ s,i x and ρ a,i x are respectively the authentic and spoofing pseudorange measurements at rcv x . The superscript i denotes the PRN index. Note that both ρ s,i x and ρ a,i x are available for i ∈ PRN A∩S because the spoofing and authentic have the common PRN i. ρ s,i x and ρ a,i x measured at receiver time t is derived in Appendix A, and the result is: wherein λ is the carrier wavelength and c is the speed of light. f s,i ( f a,i ) is the received carrier frequency, which is a combination of the GNSS carrier frequency (e.g., 1.57542 GHz for GPS L1) and Doppler. r s x (r a,i x ) is the distance between the spoofer (satellite) and rcv x . A denotes the atmosphere induced delay, including troposphere and ionosphere. M is the multipath induced error. ρ s,i (t ) is the faked pseudorange measurements simulated at the spoofer at t . The measurement noise ξ s,i x (ξ a,i x ) is usually modelled as an identical and independently distributed (IID) Gaussian random variable with zero mean and the variance of σ 2 [24].

Differential Pseudorange
The differential pseudorange (DP) is calculated as the difference of the pseudorange measurements with the same PRN, which are respectively provided by two receivers. The result is given as below: In a spoofing case, the calculated DPs will include 3 DP types: (1) DP between authentic signals: ∆ρ a,i ; (2) DP between spoofing signals ∆ρ s,i ; (3) DP between authentic and spoofing signals: ∆ρ a−s,i and ∆ρ s−a,i . This type exists if and only if PRN A∩S is a nonempty set. By substituting Equations (3) and (4) into Equation (6), the ∆ρ s,i and ∆ρ a,i becomes: where In ∆ρ s,i (∆ρ a,i ), the ∆τ s (∆τ a,i ) is actually the TDOA of a spoofing signal (authentic signal). The difference of atmosphere delay is negligible for short baseline (e.g., <10 km) differential pseudorange [26], therefore it is neglected in both ∆ρ s,i and ∆ρ a,i as the SNM is short baseline based. Also, given that the IID Gaussian distributed measurement noise at different receivers (ξ s,i 1 and ξ s,i 2 ) are uncorrelated [26], the ∆ξ s,i (∆ξ a,i ) can be modelled as an IID Gaussian random variable with zero mean and the variance of 2σ 2 (the standard deviation of the pseudorange measurement noise σ was defined in Section 3.2): wherein N[a,b] denotes the Gaussian distribution with the mean of a and standard deviation of b.

Differential Pseudorange to Carrier Frequency Ratio
The DPF of each signal is calculated as the ratio between the differential pseudorange and the received carrier frequency. The received carrier frequency measurement is a combination of the standard GNSS frequency and the Doppler measurement. The Doppler can be provided by either of the two receivers. Note that received carrier frequency measurement includes the pure carrier frequency and the Doppler measurement error, and the Doppler measurement error is negligible as it is way smaller than the carrier frequency. Based on the calculated differential pseudoranges given by Equation (5), the calculated DPFs are given as: In a spoofing case, the calculated DPF include three DPF types: (1) DPF between the authentic signals (authentic DPF): k a,i ; (2) DPF between spoofing signals (spoofing DPF): k s,i ; and (3) DPF between authentic and spoofing signals (AS DPF): k s-a,i and k a-s,i . By substituting Equations (7) and (8), the k s,i and k a,i are given as: Various for authentic signals where The DPF noises δ s,i and δ a,i are further derived in Appendix B, and the results are: where As can be seen, both the spoofing and authentic DPFs consist of four parts: TDOA, multipath difference, clock difference and the DPF estimation noise. The first three parts are identical among spoofing DPFs as spoofing signals are transmitted from the common source. Hence, the spoofing DPFs would almost overlay each other within a small range. Note that the spoofing DPFs do not completely overlay due to the random DPF estimation noise. By contrast, the TDOAs and multipath differences of authentic signals are dispersed because they are transmitted from diverse directions. Hence, the authentic DPFs are dispersed.
Note that the AS DPFs k s-a,i and k a-s,i are not given because they are irrelevant for the spoofing monitoring methodology introduced in the following section. This is because in a non-spoofing case, these AS DPFs will not even exist. In a spoofing case, though they might be present, the spoofing monitoring technique is based on the overlapped spoofing DPFs rather than the AS DPFs.
Following gives the distribution of the k s,i , which will be used for detection probability analysis given in the following section. Since ∆ξ s,i given by Equation (9) is an IID Gaussian random variable, the spoofing DPF noise δ s,i given by Equation (14) is also IID. Hence, the spoofing DPFs k s,i consisting of identical ∆τ s , ∆M s and ∆t, and IID Gaussian random variables δ s,i , are identically and independently Gaussian distributed:

Hypothesis Test
The spoofing monitoring is based on the calculated DPFs. In a non-spoofing case, the calculated DPFs include only dispersed authentic DPFs. In a spoofing case, however, the calculated DPFs include not only authentic, but also overlapped spoofing DPFs. Furthermore, it is assumed in Section 3.1 that the number of spoofing signals is at least 4. Hence, in a spoofing case, there must present at least 4 DPFs that almost overlay each other but with different PRNs. Hence, the spoofing monitoring is designed to search for the DPFs that are within a predefined small range and the existence of spoofing can be identified if at least 4 DPFs (with different PRNs) are found within such a range. The null hypothesis H 0 stating the absence of spoofing and alternate hypothesis H 1 stating the existence of spoofing are given as: wherein N(R) represents the number of DPFs (with different PRNs) that are within the predefined range of R. A proper R is crucial to the monitoring performance. As is seen in Figure 4, the improper R would result in either low detection or high false alarm probability. Hence, Section 5.2 determines the minimum R required to achieve a desired detection probability. After the R is determined, an algorithm is developed in Section 5.3 to search for the DPFs that are within the R.
As can be seen, both the spoofing and authentic DPFs consist of four parts: TDOA, multipath difference, clock difference and the DPF estimation noise. The first three parts are identical among spoofing DPFs as spoofing signals are transmitted from the common source. Hence, the spoofing DPFs would almost overlay each other within a small range. Note that the spoofing DPFs do not completely overlay due to the random DPF estimation noise. By contrast, the TDOAs and multipath differences of authentic signals are dispersed because they are transmitted from diverse directions. Hence, the authentic DPFs are dispersed.
Note that the AS DPFs k s-a,i and k a-s,i are not given because they are irrelevant for the spoofing monitoring methodology introduced in the following section. This is because in a non-spoofing case, these AS DPFs will not even exist. In a spoofing case, though they might be present, the spoofing monitoring technique is based on the overlapped spoofing DPFs rather than the AS DPFs.
Following gives the distribution of the k s,i , which will be used for detection probability analysis given in the following section. Since given by Equation (9) is an IID Gaussian random variable, the spoofing DPF noise , s i  given by Equation (14) is also IID. Hence, the spoofing DPFs

Hypothesis Test
The spoofing monitoring is based on the calculated DPFs. In a non-spoofing case, the calculated DPFs include only dispersed authentic DPFs. In a spoofing case, however, the calculated DPFs include not only authentic, but also overlapped spoofing DPFs. Furthermore, it is assumed in Section 3.1 that the number of spoofing signals is at least 4. Hence, in a spoofing case, there must present at least 4 DPFs that almost overlay each other but with different PRNs. Hence, the spoofing monitoring is designed to search for the DPFs that are within a predefined small range and the existence of spoofing can be identified if at least 4 DPFs (with different PRNs) are found within such a range. The null hypothesis H0 stating the absence of spoofing and alternate hypothesis H1 stating the existence of spoofing are given as: wherein N(R) represents the number of DPFs (with different PRNs) that are within the predefined range of R. A proper R is crucial to the monitoring performance. As is seen in Figure 4, the improper R would result in either low detection or high false alarm probability. Hence, Section 5.2 determines the minimum R required to achieve a desired detection probability. After the R is determined, an algorithm is developed in Section 5.3 to search for the DPFs that are within the R.

Calculated DPFs
Authentic DPF Spoofing DPF Predefined R (a) R is set too small so that only 2 DPFs are within the R in a spoofing case, leading to low detection probability.

Calculated DPFs
Predefined R (b) R is set too large so that 4 DPFs are within R in the non-spoofing case, leading to a high false alarm probability.

The Lower Bound (LB) on the Detection Probability
Based on the hypothesis test, the detection probability (P d ) is defined as the probability that at least 4 spoofing DPFs are within the predefined range R.
wherein Pr{x} denotes the probability of the event x. Actually, the P d increases in the number of the received spoofing signals, m. This is because more spoofing signals results in more spoofing DPFs. Given more spoofing DPFs, more of them will be within R, leading to the higher P d . Considering that the m cannot be controlled at the monitoring side, this section focuses on the P d in the worst case, where the m achieves the minimum possible value, 4. The P d in such worst case is denoted as the lower bound (LB) detection probability, P d The second equality sign is considering the N(R) cannot be larger than 4 because the N(R) always equals or is less than the overall number of DPFs, m. Further, given that the 4 spoofing DPFs will be within R if and only if the range of the 4 DPFs is smaller than R, the P d is further written as: wherein r(x) denotes the range of the x spoofing DPFs, which is the difference between the maximum and the minimum DPF element. The cumulative distribution function (cdf) of the r(4), F r(4) , is derived in Appendix C and the result is: wherein the g and G are respectively the probability density function and the cdf of the zero mean Gaussian with unit variance. Based on Equations (20) and (21), the P d can be finally modeled as: Based on Equation (22), the minimum R can be also determined based on a required detection probability: Figure 5 gives the P d versus the predefined range R and Table 1 gives the minimum R required to achieve the typical desired detection probabilities.

The Lower Bound (LB) on the Detection Probability
Based on the hypothesis test, the detection probability (Pd) is defined as the probability that at least 4 spoofing DPFs are within the predefined range R.
wherein Pr{x} denotes the probability of the event x. Actually, the Pd increases in the number of the received spoofing signals, m. This is because more spoofing signals results in more spoofing DPFs. Given more spoofing DPFs, more of them will be within R, leading to the higher Pd. Considering that the m cannot be controlled at the monitoring side, this section focuses on the Pd in the worst case, where the m achieves the minimum possible value, 4. The Pd in such worst case is denoted as the lower bound (LB) detection probability, The second equality sign is considering the N(R) cannot be larger than 4 because the N(R) always equals or is less than the overall number of DPFs, m. Further, given that the 4 spoofing DPFs will be within R if and only if the range of the 4 DPFs is smaller than R, the d P  is further written as: wherein r(x) denotes the range of the x spoofing DPFs, which is the difference between the maximum and the minimum DPF element. The cumulative distribution function (cdf) of the r(4), Fr (4), is derived in Appendix C and the result is: wherein the g' and G' are respectively the probability density function and the cdf of the zero mean Gaussian with unit variance. Based on Equations (20) and (21), the d P  can be finally modeled as: Based on Equation (22), the minimum R can be also determined based on a required detection probability: Figure 5 gives the d P  versus the predefined range R and Table 1 gives the minimum R required to achieve the typical desired detection probabilities.   Update cnt as: cnt = cnt + 1, and goes to step 4 to test the next range. Figure 6 gives an example to illustrate the algorithm. As the counter cnt is 1, only one element (k 1 ) is in the search range [k 1 ,k 1 + R], which means the spoofing has not been found. After the cnt is updated as 2, 2 elements (k 2 and k 3 ) are within the search range [k 2 ,k 2 + R] and therefore the spoofing has not been found. But after the counter is updated as 3, the number of elements within the search range [k 3 ,k 3 + R] equals to 4. Hence, the alternate hypothesis H 1 is accepted and the presence of spoofing is identified.  Update cnt as: cnt = cnt + 1, and goes to step 4 to test the next range. Figure 6 gives an example to illustrate the algorithm. As the counter cnt is 1, only one element (k1) is in the search range [k1,k1 + R], which means the spoofing has not been found. After the cnt is updated as 2, 2 elements (k2 and k3) are within the search range [k2,k2 + R] and therefore the spoofing has not been found. But after the counter is updated as 3, the number of elements within the search range [k3,k3 + R] equals to 4. Hence, the alternate hypothesis H1 is accepted and the presence of spoofing is identified.  Figure 6. An example to illustrate the spoofing monitoring algorithm.

Performance Analysis
The performance of the SNM can be characterized by the lower bound detection probability ( d P  ) and the false alarm probability (Pfa). The d P  can be determined by the predefined range R, (see Equation (22)). However, the Pfa has not yet been tested. Hence, Monte Carlo simulations are conducted in this section to test the Pfa. The Pfa is defined as the probability that at least 4 authentic DPFs that are within the predefined range R.

Simulation Setup
The simulation setup is given by Figure 7. The two inputs are respectively the distance between two receivers (d12) and the number of authentic DPFs (la). Each DPF is generated based on the model given by Equation (12)

Performance Analysis
The performance of the SNM can be characterized by the lower bound detection probability ( P d ) and the false alarm probability (P fa ). The P d can be determined by the predefined range R, (see Equation (22)). However, the P fa has not yet been tested. Hence, Monte Carlo simulations are conducted in this section to test the P fa . The P fa is defined as the probability that at least 4 authentic DPFs that are within the predefined range R.

Simulation Setup
The simulation setup is given by Figure 7. The two inputs are respectively the distance between two receivers (d 12 ) and the number of authentic DPFs (l a ). Each DPF is generated based on the model given by Equation (12), wherein the multipath difference is sampled from a N[0,0.3/c]; the clock difference is sampled from a uniform distribution over the range of [−500 ms, 500 ms]; and the DPF estimation noise is sampled from N [0, σ δ ]. The σ δ is given by Equation (15), where the pseudorange noise σ is set as typically 0.2 m according to the GPS UERE (user equivalent range error) budget [27]. The TDOA ∆τ a,i is generated as: ∆τ a,i = H i ∆x/c (24) where, H i = [−cosθ i sinα i , −cosθ i cosα i , −sinα i ], wherein the elevation and azimuth of a GNSS satellite, θ i and a i , are randomly sampled over the range of respectively [0,π/2] and [0,2π]. The orientation vector between two receivers ∆x is sampled from a uniform distribution on the unit sphere.   Figure 8 shows the predefined range R versus Pfa for various d12 and number of authentic signals la. As shown, for a given predefined range R, the farther the two receivers are placed, the lower the Pfa would be. This is because the TDOAs of authentic signals will be more dispersed with a longer d12, resulting in the decrease of the Pfa. On the other hand, a larger number of authentic signals leads to a higher Pfa. This is because more authentic signals give more DPFs, and given more DPFs, it will be more likely that at least 4 of them are within the R, resulting in a higher Pfa. Also, it is found in Section 5.2 that the predefined range of 6   could give a d P  of 99.99%. Fortunately, the Pfa is also satisfactory for such a range. As is illustrated in Table 2, with the R of 6   (or equivalently, the d P  of 99.99%), the Pfa is no more than 2.5 × 10 −3 (for d12 = 100 m) or 1.0 × 10 −4 (for d12 = 300 m).     Figure 9 gives the receiver operating characterization (ROC). It shows that the performance is satisfactory especially for the case that the d12 is set as 300 m. It is noted that the false alarm probability shown by the x-axis ranges from 0 to 2 × 10 −3 instead of 0 to 1.  Figure 8 shows the predefined range R versus P fa for various d 12 and number of authentic signals l a . As shown, for a given predefined range R, the farther the two receivers are placed, the lower the P fa would be. This is because the TDOAs of authentic signals will be more dispersed with a longer d 12 , resulting in the decrease of the P fa . On the other hand, a larger number of authentic signals leads to a higher P fa . This is because more authentic signals give more DPFs, and given more DPFs, it will be more likely that at least 4 of them are within the R, resulting in a higher P fa . Also, it is found in Section 5.2 that the predefined range of 6σ δ could give a P d of 99.99%. Fortunately, the P fa is also satisfactory for such a range. As is illustrated in Table 2, with the R of 6σ δ (or equivalently, the P d of 99.99%), the P fa is no more than 2.5 × 10 −3 (for d 12 = 100 m) or 1.0 × 10 −4 (for d 12 = 300 m).   Figure 8 shows the predefined range R versus Pfa for various d12 and number of authentic signals la. As shown, for a given predefined range R, the farther the two receivers are placed, the lower the Pfa would be. This is because the TDOAs of authentic signals will be more dispersed with a longer d12, resulting in the decrease of the Pfa. On the other hand, a larger number of authentic signals leads to a higher Pfa. This is because more authentic signals give more DPFs, and given more DPFs, it will be more likely that at least 4 of them are within the R, resulting in a higher Pfa. Also, it is found in Section 5.2 that the predefined range of 6   could give a d P  of 99.99%. Fortunately, the Pfa is also satisfactory for such a range. As is illustrated in Table 2, with the R of 6   (or equivalently, the d P  of 99.99%), the Pfa is no more than 2.5 × 10 −3 (for d12 = 100 m) or 1.0 × 10 −4 (for d12 = 300 m).    Figure 9 gives the receiver operating characterization (ROC). It shows that the performance is satisfactory especially for the case that the d12 is set as 300 m. It is noted that the false alarm probability shown by the x-axis ranges from 0 to 2 × 10 −3 instead of 0 to 1.   Figure 9 gives the receiver operating characterization (ROC). It shows that the performance is satisfactory especially for the case that the d 12 is set as 300 m. It is noted that the false alarm probability shown by the x-axis ranges from 0 to 2 × 10 −3 instead of 0 to 1.

Signal Collection
In this experiment, a Labsat GNSS record & replay is adopted as the spoofer. Two GN3SV2 front ends (FE), FE A and B, are used to collect the Intermediate Frequency (IF) GNSS signals. Each FE is connected to a laptop to collect the signals and the local computer time is used as the receiver time. The ideal setup for the data collection is to put the spoofer and the two front ends outside under a clear view of sky, so that both the spoofing and authentic signals can be collected simultaneously. However, it is challenging to conduct such an experiment as it is illegal to transmit spoofing signals outdoors. Hence, the authentic and spoofing signals are collected separately in this experiment. As is shown in Figure 10, the spoofing signals are collected indoors while the authentic signals are collected under a clear view of the sky, and the distance between the two antennas is 100 m. The PRN set of the collected spoofing and authentic signals are given by Table 3. It shows there are three common elements (14, 25 and Figure 10. Signal collection: authetic and spoofing signals are collected seperately.  Figure 11 illustrates the workflow of the signal process. As shown, the authentic and spoofing IF signals are respectively fed into a Matlab based software defined radio receiver (SDR) and the outputs are the pseudorange and Doppler measurements. After that, the raw measurements of authentic and spoofing signals from the same FE are combined and are then fed into a spoofing monitoring block.

Signal Collection
In this experiment, a Labsat GNSS record & replay is adopted as the spoofer. Two GN3SV2 front ends (FE), FE A and B, are used to collect the Intermediate Frequency (IF) GNSS signals. Each FE is connected to a laptop to collect the signals and the local computer time is used as the receiver time. The ideal setup for the data collection is to put the spoofer and the two front ends outside under a clear view of sky, so that both the spoofing and authentic signals can be collected simultaneously. However, it is challenging to conduct such an experiment as it is illegal to transmit spoofing signals outdoors. Hence, the authentic and spoofing signals are collected separately in this experiment. As is shown in Figure 10, the spoofing signals are collected indoors while the authentic signals are collected under a clear view of the sky, and the distance between the two antennas is 100 m. The PRN set of the collected spoofing and authentic signals are given by Table 3. It shows there are three common elements (14,25 and 32) between the two sets.

Signal Collection
In this experiment, a Labsat GNSS record & replay is adopted as the spoofer. Two GN3SV2 front ends (FE), FE A and B, are used to collect the Intermediate Frequency (IF) GNSS signals. Each FE is connected to a laptop to collect the signals and the local computer time is used as the receiver time. The ideal setup for the data collection is to put the spoofer and the two front ends outside under a clear view of sky, so that both the spoofing and authentic signals can be collected simultaneously. However, it is challenging to conduct such an experiment as it is illegal to transmit spoofing signals outdoors. Hence, the authentic and spoofing signals are collected separately in this experiment. As is shown in Figure 10, the spoofing signals are collected indoors while the authentic signals are collected under a clear view of the sky, and the distance between the two antennas is 100 m. The PRN set of the collected spoofing and authentic signals are given by Table 3. It shows there are three common elements (14, 25 and

Authentic Collected Under a Clear View of Sky Spoofing Signal Collected Indoor
Spoofing IF From FE B 100m Figure 10. Signal collection: authetic and spoofing signals are collected seperately.  Figure 11 illustrates the workflow of the signal process. As shown, the authentic and spoofing IF signals are respectively fed into a Matlab based software defined radio receiver (SDR) and the outputs are the pseudorange and Doppler measurements. After that, the raw measurements of authentic and spoofing signals from the same FE are combined and are then fed into a spoofing monitoring block.   Figure 11 illustrates the workflow of the signal process. As shown, the authentic and spoofing IF signals are respectively fed into a Matlab based software defined radio receiver (SDR) and the outputs are the pseudorange and Doppler measurements. After that, the raw measurements of authentic and spoofing signals from the same FE are combined and are then fed into a spoofing monitoring block.  Figure 11. Signal process for spoofing monitoring.

The Limitations of the Adopted Experiment
The 'ideal' experiment discussed before can be expressed by Figure 12, where the spoofer is placed outside under a clear view of sky. By this, the spoofing and authentic signals can be collected and processed by the SDR simultaneously. However, considering conducting such experiment is challenging, the spoofing and authentic IF signals are actually collected and processed separately. The limitation of the adopted experiment is that the modified acquisition process introduced in Section 2 cannot be verified, which is designed to acquire all the signals (spoofing and authentic) simultaneously. Fortunately, such an acquisition process has already been introduced and verified in [10][11][12]. Besides this limitation, the adopted and the ideal experiment setups are similar. As shown, in both cases, the measurements fed into the spoofing monitoring block include both spoofing and authentic. Hence, the verification of the spoofing monitoring technique will not be influenced.

DPF
The spoofing monitoring block firstly calculates the DPFs based on the raw measurements. At each epoch, the calculated DPFs include authentic, spoofing and AS DPFs. The spoofing and authentic DPFs are given by Figure 13. It shows all the DPFs decrease over time. This is because each DPF includes clock difference t  , and it decreases over time due to the clock drift difference. It also shows the spoofing DPFs overlay each other. Note that although the authentic DPFs are actually much more dispersed, it is not obviously illustrated in the figure. This is because the range of the clock difference over the test duration is too large (around 1.5 × 10 −5 s) compared with the range of the authentic DPFs (from −d/c to d/c, where d is the distance between two antennas and c is the speed of light). Hence, the authentic DPFs seem to be slightly overlapped even though they are not. The 'ideal' experiment discussed before can be expressed by Figure 12, where the spoofer is placed outside under a clear view of sky. By this, the spoofing and authentic signals can be collected and processed by the SDR simultaneously. However, considering conducting such experiment is challenging, the spoofing and authentic IF signals are actually collected and processed separately. The limitation of the adopted experiment is that the modified acquisition process introduced in Section 2 cannot be verified, which is designed to acquire all the signals (spoofing and authentic) simultaneously. Fortunately, such an acquisition process has already been introduced and verified in [10][11][12]. Besides this limitation, the adopted and the ideal experiment setups are similar. As shown, in both cases, the measurements fed into the spoofing monitoring block include both spoofing and authentic. Hence, the verification of the spoofing monitoring technique will not be influenced.  Figure 11. Signal process for spoofing monitoring.

The Limitations of the Adopted Experiment
The 'ideal' experiment discussed before can be expressed by Figure 12, where the spoofer is placed outside under a clear view of sky. By this, the spoofing and authentic signals can be collected and processed by the SDR simultaneously. However, considering conducting such experiment is challenging, the spoofing and authentic IF signals are actually collected and processed separately. The limitation of the adopted experiment is that the modified acquisition process introduced in Section 2 cannot be verified, which is designed to acquire all the signals (spoofing and authentic) simultaneously. Fortunately, such an acquisition process has already been introduced and verified in [10][11][12]. Besides this limitation, the adopted and the ideal experiment setups are similar. As shown, in both cases, the measurements fed into the spoofing monitoring block include both spoofing and authentic. Hence, the verification of the spoofing monitoring technique will not be influenced.

DPF
The spoofing monitoring block firstly calculates the DPFs based on the raw measurements. At each epoch, the calculated DPFs include authentic, spoofing and AS DPFs. The spoofing and authentic DPFs are given by Figure 13. It shows all the DPFs decrease over time. This is because each DPF includes clock difference t  , and it decreases over time due to the clock drift difference. It also shows the spoofing DPFs overlay each other. Note that although the authentic DPFs are actually much more dispersed, it is not obviously illustrated in the figure. This is because the range of the clock difference over the test duration is too large (around 1.5 × 10 −5 s) compared with the range of the authentic DPFs (from −d/c to d/c, where d is the distance between two antennas and c is the speed of light). Hence, the authentic DPFs seem to be slightly overlapped even though they are not.

DPF
The spoofing monitoring block firstly calculates the DPFs based on the raw measurements. At each epoch, the calculated DPFs include authentic, spoofing and AS DPFs. The spoofing and authentic DPFs are given by Figure 13. It shows all the DPFs decrease over time. This is because each DPF includes clock difference ∆t, and it decreases over time due to the clock drift difference. It also shows the spoofing DPFs overlay each other. Note that although the authentic DPFs are actually much more dispersed, it is not obviously illustrated in the figure. This is because the range of the clock difference over the test duration is too large (around 1.5 × 10 −5 s) compared with the range of the authentic DPFs (from −d/c to d/c, where d is the distance between two antennas and c is the speed of light). Hence, the authentic DPFs seem to be slightly overlapped even though they are not. In order to illustrate the authentic and spoofing DPF range clearly, Figure 14 gives the DPFs at one epoch (corresponding to the 10th second). As seen, the spoofing DPFs given by Figure 14a are overlapped while authentic DPFs given by Figure 14b are much more dispersed. Further, considering the large range of t  prevents the range of DPFs from being clearly illustrated, the spoofing and authentic DPFs at each epoch are respectively subtracted by their mean values. By this, the clock difference can be removed and the DPF range over the test duration can be clearly illustrated. Note that this subtraction process only aims to show the range clearly. This process does not affect the range of the DPFs because the DPFs at each epoch are subtracted by a common mean value and therefore their range will remain the same. The results are shown in Figure 15. It shows the authentic DPFs are dispersed over a range of approximately 4 × 10 −7 while the spoofing DPFs are almost overlapped and are within a range of 3 × 10 −9 .  In order to illustrate the authentic and spoofing DPF range clearly, Figure 14 gives the DPFs at one epoch (corresponding to the 10th second). As seen, the spoofing DPFs given by Figure 14a are overlapped while authentic DPFs given by Figure 14b are much more dispersed. Further, considering the large range of ∆t prevents the range of DPFs from being clearly illustrated, the spoofing and authentic DPFs at each epoch are respectively subtracted by their mean values. By this, the clock difference can be removed and the DPF range over the test duration can be clearly illustrated. Note that this subtraction process only aims to show the range clearly. This process does not affect the range of the DPFs because the DPFs at each epoch are subtracted by a common mean value and therefore their range will remain the same. The results are shown in Figure 15. It shows the authentic DPFs are dispersed over a range of approximately 4 × 10 −7 while the spoofing DPFs are almost overlapped and are within a range of 3 × 10 −9 . In order to illustrate the authentic and spoofing DPF range clearly, Figure 14 gives the DPFs at one epoch (corresponding to the 10th second). As seen, the spoofing DPFs given by Figure 14a are overlapped while authentic DPFs given by Figure 14b are much more dispersed. Further, considering the large range of t  prevents the range of DPFs from being clearly illustrated, the spoofing and authentic DPFs at each epoch are respectively subtracted by their mean values. By this, the clock difference can be removed and the DPF range over the test duration can be clearly illustrated. Note that this subtraction process only aims to show the range clearly. This process does not affect the range of the DPFs because the DPFs at each epoch are subtracted by a common mean value and therefore their range will remain the same. The results are shown in Figure 15. It shows the authentic DPFs are dispersed over a range of approximately 4 × 10 −7 while the spoofing DPFs are almost overlapped and are within a range of 3 × 10 −9 .      In order to illustrate the authentic and spoofing DPF range clearly, Figure 14 gives the DPFs at one epoch (corresponding to the 10th second). As seen, the spoofing DPFs given by Figure 14a are overlapped while authentic DPFs given by Figure 14b are much more dispersed. Further, considering the large range of t  prevents the range of DPFs from being clearly illustrated, the spoofing and authentic DPFs at each epoch are respectively subtracted by their mean values. By this, the clock difference can be removed and the DPF range over the test duration can be clearly illustrated. Note that this subtraction process only aims to show the range clearly. This process does not affect the range of the DPFs because the DPFs at each epoch are subtracted by a common mean value and therefore their range will remain the same. The results are shown in Figure 15. It shows the authentic DPFs are dispersed over a range of approximately 4 × 10 −7 while the spoofing DPFs are almost overlapped and are within a range of 3 × 10 −9 .

Spoofing Monitoring
After the DPFs are calculated, the algorithm introduced in Section 5.3 is performed to test whether there are at least 4 DPFs being within the predefined range that is set as 6σ δ . The σ δ is calculated based on Equation (15), where the pseudorange noise is set as typically 0.2 m according to the UERE budget [27]. The results are given by Figure 16. As shown in Figure 16a, the number of DPFs that are within the predefined range at every epoch, 8, is larger than the threshold of 4. Hence, the existence of spoofing is determined. Figure 16b further gives the range of the 8 DPFs. It shows the range of the 8 DPFs is much smaller than the predefined range.  (15), where the pseudorange noise is set as typically 0.2 m according to the UERE budget [27]. The results are given by Figure 16. As shown in Figure 16a, the number of DPFs that are within the predefined range at every epoch, 8, is larger than the threshold of 4. Hence, the existence of spoofing is determined. Figure 16b further gives the range of the 8 DPFs. It shows the range of the 8 DPFs is much smaller than the predefined range.  Additionally, the monitoring methodology has also been tested in the non-spoofing case, where the spoofing measurements are removed and only the authentic measurements are fed into the spoofing monitoring block. The result shows that only 2 DPFs are found within the predefined range, which correspond to the authentic signals with PRN 12 and 24.

Discussions and Future Work
The SNM mechanism proposed in the paper are mainly based on two assumptions: (1) multiple spoofing signals are transmitted from a common spoofer/antenna; and (2) there are 4 or more spoofing signals present in the spoofing case. As is validated, the SNM can be effective under the two assumptions. However, the practicalities of the two assumptions are not clearly given in the previous discussions. Hence, this section firstly discusses the rationality of the two assumptions, based on which our future work is recommended. The proposed SNM mechanism is effective in defending against a single spoofing attack in which multiple spoofing signals are transmitted from a common antenna. Compared with single spoofing, a more advanced spoofing mode is multiple spoofing, which consists of multiple spatially distributed spoofing devices, with each device transmitting a single spoofing signal. In the case of multiple spoofing, however, the TDOA of spoofing signals from various directions will not be overlapped and therefore distinguishing spoofing from authentic signals based on their different TDOA properties becomes impractical, leading to the failure of the proposed SNM mechanism.
Although multiple spoofing could defeat the SNM, such a mode of spoofing is deemed impractical because performing this attack is very challenging [11,13]. In order to defeat the RAIM technique that is currently equipped in most commercial-off-the-shelf (COTS) receivers, the fake pseudoranges (or equivalently the code phases) at the target receiver (s) have to be self-consistent to guarantee small pseudorange residuals. To achieve this, the following three strict requirements need to be satisfied: (1) the clocks of the spatially distributed spoofers need to be synchronized; (2) the Additionally, the monitoring methodology has also been tested in the non-spoofing case, where the spoofing measurements are removed and only the authentic measurements are fed into the spoofing monitoring block. The result shows that only 2 DPFs are found within the predefined range, which correspond to the authentic signals with PRN 12 and 24.

Discussions and Future Work
The SNM mechanism proposed in the paper are mainly based on two assumptions: (1) multiple spoofing signals are transmitted from a common spoofer/antenna; and (2) there are 4 or more spoofing signals present in the spoofing case. As is validated, the SNM can be effective under the two assumptions. However, the practicalities of the two assumptions are not clearly given in the previous discussions. Hence, this section firstly discusses the rationality of the two assumptions, based on which our future work is recommended. The proposed SNM mechanism is effective in defending against a single spoofing attack in which multiple spoofing signals are transmitted from a common antenna. Compared with single spoofing, a more advanced spoofing mode is multiple spoofing, which consists of multiple spatially distributed spoofing devices, with each device transmitting a single spoofing signal. In the case of multiple spoofing, however, the TDOA of spoofing signals from various directions will not be overlapped and therefore distinguishing spoofing from authentic signals based on their different TDOA properties becomes impractical, leading to the failure of the proposed SNM mechanism.
Although multiple spoofing could defeat the SNM, such a mode of spoofing is deemed impractical because performing this attack is very challenging [11,13]. In order to defeat the RAIM technique that is currently equipped in most commercial-off-the-shelf (COTS) receivers, the fake pseudoranges (or equivalently the code phases) at the target receiver (s) have to be self-consistent to guarantee small pseudorange residuals. To achieve this, the following three strict requirements need to be satisfied: (1) the clocks of the spatially distributed spoofers need to be synchronized; (2) the processing delay within each spoofing device should be precisely estimated to achieve nano-second level; (3) the spoofing devices should have sub-meter-level knowledge of the three-dimensional position of the target's antenna phase center. This is almost impossible in the case of moving victim targets. In addition to these three requirements, there are also limitations regarding the placement of the multiple spoofing devices, the cost of the spoofing infrastructure, and the expertise of developing and performing such a spoofing attack. The proposed SNM mechanism assumes that there are 4 or more spoofing signals present in the spoofing case, and the presence of spoofing is determined when 4 or more DPFs are found within a predefined small range (or equivalently, overlapped). However, in the case that only a few (less than 4) spoofing signals are present, there will be less than 4 DPFs being overlapped and therefore the SNM mechanism will be failed.
Fortunately, the assumption that there are 4 or more spoofing signals is practical considering the following: if only a few spoofing signals are present (e.g., less than 4), the victim receivers tend to use a combination of spoofing and authentic signals to report PVT solutions. This will lead to the inconsistency among the observed pseudoranges, which can be easily detected by the RAIM [28]. Furthermore, it is not clear how sophisticated the spoofer should be to spoof only a few signals without being detected by RAIM [28]. Although the spoofing might be successful in an extreme scenario, where the signals in view are too few (no more than 4) so that the RAIM is not available (e.g., there are only 4 authentic signals in view and a subset of these signals are spoofed), this scenario is rare and cannot be controlled at the spoofer side. The scenario is highly unlikely for static victims. This is because for static applications such as smart grids, high precision surveys, etc., the receivers are usually placed under a clear view of sky where there are normally sufficient signals (e.g., >10) in view. In terms of moving victims, this scenario is possible, but it is rare and hard to control. For instance, if the targets are moving targets in urban canyons, there might be sometimes no more than 4 visible signals. However, the number of visible signals for moving targets in urban canyon tends to change rapidly. At a certain epoch there are 4 signals in view, but at the next epoch there might be more. Once more than 4 signals are visible, the RAIM becomes available and the spoofing can be detected. And what's worse, the number of visible signals cannot be controlled at spoofing side.
Hence, in order to defeat the RAIM that is equipped in most current COTS receivers, most spoofers tend to transmit 4 or more spoofing signals and induce the target receivers to use only the spoofing signals for PVT calculation.

Future Work
Although multiple spoofing is deemed impractical at present [11,13], it might become a threat in the future. In order to be more robust against a spoofing attack, further improvement of the SNM should be focused on defending against multiple spoofing attacks.

Conclusions
The proposed SNM is based on the differential pseudorange to carrier frequency ratio (DPF), which is mathematically formulated and analyzed in this paper. As shown, the spoofing DPFs are almost overlapped while authentic DPFs are dispersed. Considering both the overlapped spoofing and dispersed authentic DPFs will be present in the spoofing case, the SNM is designed to search for the DPFs that are within the predefined small range. The predefined range could be determined based on the desired detection probability. This shows that a detection probability of 99.99% can be achieved with the predefined range of 6σ δ (σ δ is the DPF estimation noise). Also, false alarm probabilities are tested based on Monte Carlo simulations. As shown, both the predefined range and the distance between two receivers have great impact on false alarm probabilities. With the predefined range of 6σ δ and the distance of 300 m, a false alarm rate of 0.01% can be achieved. The effectiveness of the spoofing monitoring technique is validated by real data experiments. It shows that the spoofing DPFs are within a much smaller range than the authentic ones, and overall 8 DPFs are found within the predefined range. This implies the existence of spoofing.