1. Introduction
The global navigation satellite system (GNSS) spoofing technology has gradually become the focus of interference technology research because of its great threat and high concealment [
1,
2]. Spirent can manufacture a simple spoofing source by configuring the corresponding power amplifier and transmitting antenna on its product, GSS8000 [
3]. In 2002, Jon S. Warner et al. used a simple GPS signal simulator to spoof a GPS receiver of a freight truck, demonstrating that the civil GPS receiver is vulnerable to a simple spoofing attack [
4]. In 2012, Todd E. Humphrey’s team used a low-cost GPS spoofer to continuously lower the unmanned helicopter that should have maintained a fixed altitude [
5]. In addition, GNSS spoofing can seriously affect GNSS timing information [
6,
7,
8].
At present, there are many spoofing detection methods based on the single GNSS module [
9,
10], but any method is difficult when dealing with all spoofing methods [
11]. In GNSS and the inertial measurement unit (IMU) system, IMU constantly uses measurement information of GNSS to correct its own error. Slow spoofing can also spoof the GNSS/IMU system, for example, traction spoofing can take over the loop without destroying the tracking loop [
12]. When the difference between the position velocity and time (PVT) and real PVT is large, the user can detect spoofing by comparing with the measurement results of other sensors. Therefore, it is necessary to gradually pull PVT results to make the variation within the allowable range of the sensor error [
13].
The research on the spoofing coupled system is summarized as follows. Mi Shi’s theoretical derivation and simulation show the influence of GNSS spoofing on the positioning results of loose coupling, but the mathematical model is not consistent with the actual situation that the target will adjust the trajectory after being affected by spoofing [
14]. Yang Liu et al. studied the influence of GNSS spoofing on the Kalman filter error covariance matrix, innovation sequence and inertial sensor deviation estimation of a loosely coupled GNSS/INS system; their simulation showed that the Kalman filtering error covariance is not affected by spoofing, and innovation sequence and estimated inertial sensor deviation change [
15]. Rui Xu et al. analyzed the performance of the position fusion and position/velocity fusion loosely coupled GNSS/IMU system under forwarding spoofing and traction spoofing. Under forwarding spoofing, the error compensation of the position fusion loosely coupled system for IMU is very significant, resulting in a jump in the positioning results. Under intermediate spoofing, the compensation increment of the loosely coupled system based on position/velocity fusion is more sensitive [
16]. The navigation system adopts normalized innovation squared (NIS) detection; it is a direct, effective and feasible spoofing detection method, which is mature and has been applied to the navigation system of unmanned aerial vehicles (UAVs) and other targets [
17]. Gao Yangjun et al. analyzed the influence of spoofing on the positioning of loosely coupled GNSS/IMU. Aiming at the problem that the equation is easy to be ill conditioned when the measurement deviation is introduced, a Kalman gain matrix local regularization method is proposed to accurately calculate the measurement deviation; in order to avoid the NIS detection alarm of the target navigation system, the range of measurement deviation is calculated, so that the spoofing process has strong concealment; then a two-step trajectory guidance algorithm is proposed so that the target can be quickly induced to the spoofing trajectory [
18]. The above comprehensive literature review shows the representative research work on spoofing loosely coupled GNSS/IMU systems. After the summary, the difficulties of the current spoofing on a coupled system are described.
The background and motivation of this research work can be described as follows: using GNSS spoofing technology to control or even counter moving objects, such as unidentified aircraft, such as UAV, that may pose threats is a very effective means. However, as more and more navigation systems of unmanned aircraft are equipped with coupled GNSS/ IMU systems, which can effectively detect spoofing, it is more and more difficult for the spoofer to achieve effective spoofing. For the spoofer, the specific difficulties of spoofing are as follows: to sum up, the difficulty of spoofing the coupled system is that even if the spoofer intends to slowly change the positioning of the coupled system, they should pay close attention to whether other state parameters of the coupled system change abnormally in the process of spoofing; in addition, although the loosely coupled system itself has good anti-spoofing ability, if the coupled system is additionally equipped with other anti-spoofing techniques, the spoofer needs to consider how to introduce an appropriate amount of spoofing observation, so that the spoofing process will not raise the alarm of the coupled system.
Based on the above research background, the research motivation of this paper is to propose a spoofing algorithm that can slowly pull the positioning results of a loosely coupled GNSS/IMU system and avoid a variety of anti-spoofing techniques so as to realize successful spoofing on a loosely coupled GNSS/IMU system and further realize the effective control of the unidentified aircraft that poses threats.
The research work of this paper is briefly summarized as follows. In
Section 1, the background, current situation and significance of the research are introduced. In
Section 2, the influence mechanism of spoofing on loosely coupled GNSS/IMU is analyzed, including the loosely coupled GNSS/IMU system model and influence of spoofing on loosely coupled GNSS/IMU. In
Section 3, a slowly varying spoofing algorithm to avoid multiple anti-spoofing techniques is proposed, after the spoofing signal completely takes over the GNSS module of the coupled system, based on the analysis of the influence mechanism of spoofing on the positioning of loosely couped GNSS/IMU, a slowly varying spoofing algorithm avoiding loosely coupled GNSS/IMU with multiple anti-spoofing techniques, a measurement deviation determination method is proposed to avoid a variety of anti-spoofing techniques, which can gradually pull the positioning results of the loosely coupled system, and successfully avoid the anti-spoofing techniques’ detection of innovation sequence monitoring and parameter rationality check so as to achieve the purpose of spoofing. In
Section 4, experiments verify the effectiveness and concealment of the algorithm. In
Section 5, we give a summary and outlook on the work of the paper.
4. Simulation Analysis
Based on the MATLAB simulation software provided by [
19], we modified and upgraded the software to realize the experimental work of this paper. The experimental environment can well show the spoofing effect of spoofing signal on loosely coupled GNSS/IMU. In the experimental environment, the spoofing signal is fully controllable to the spoofer.
In the simulation experimental scenario, the real state of loosely coupled GNSS/IMU equipment always remains stationary at point O. The IMU in the loosely coupled system is tactical-grade IMU, and the device parameters are shown in
Table 1.
In the experiment, the parameter settings of the loosely coupled GNSS/IMU Kalman filter are shown in
Table 2:
At the initial time, the output positioning result of the loosely coupled system is the O point, and at this time, the loosely coupled system is taken over by the GNSS spoofing signal. The purpose of the GNSS spoofer is to offset the positioning result of the loosely coupled GNSS/IMU system to point S, which deviates from point O by 30 m to the north, 30 m to the east and 30 m down.
Figure 3,
Figure 4 and
Figure 5 show the north, east and down position offsets of the loosely coupled GNSS/IMU system without spoofing and with spoofing, respectively. The blue line indicates no spoofing, and the red line indicates spoofing.
As shown in
Figure 3,
Figure 4 and
Figure 5, when the loosely coupled system is spoofed by slowly varying spoofing, the north displacement gradually shifts by 29.8 m in the period of 0–66 s, and stabilizes around 29.8 m in the period of 66–120 s; in the 0–15 s period, eastward displacement gradually shifts by 32.3 m, and in the 15–120 s period, the eastward displacement is stable around 32.3 m; in the period of 0–66 s, down displacement gradually deviates by 43.2 m; and in the period of 66–120 s, down displacement is stable around 43.2 m. In terms of the spoofing effect, the north displacement basically achieves a spoofing effect, and the error between the north displacement and expected offset is −0.2 m; the east displacement basically achieves a spoofing effect, and the error between the east displacement and expected displacement is 2.3 m; the down ground displacement also basically achieves a spoofing effect, but the effect is slightly worse than that in the north and east directions, and the error with the expected offset is 13.2 m.
Figure 6,
Figure 7 and
Figure 8 show the north, east and down velocities of the loosely coupled GNSS/IMU system without spoofing and with spoofing, respectively. The blue line indicates no spoofing, and the red line indicates spoofing.
As shown in
Figure 6,
Figure 7 and
Figure 8, when the loosely coupled system is spoofed by slowly varying spoofing, although there is a small fluctuation in the north velocity compared with the case without spoofing, it can always remain greater than −0.02 m/s and less than 1.94 m/s; although the east velocity fluctuates slightly, it can always remain greater than −0.43 m/s and less than 1.3 m/s; although the down velocity fluctuates slightly, it can always remain greater than −0.98 m/s and less than 0.24 m/s. To sum up, the velocity change of the loosely coupled system conforms to the parameter rationality check, and is also close to the velocity change without spoofing.
Figure 9,
Figure 10 and
Figure 11 show the changes of the roll angle, pitch angle and yaw angle of the loosely coupled GNSS/IMU system without spoofing and with spoofing, respectively. The blue line indicates no spoofing, and the red line indicates spoofing.
As shown in
Figure 9,
Figure 10 and
Figure 11, when the loosely coupled system is spoofed by slowly varying spoofing, although the roll angle fluctuates slightly compared with the case without spoofing, it can always remain greater than −0.21° and less than 1.88°; although the pitch angle fluctuates slightly, it can always remain greater than −2.07° and less than 0.25°; although the yaw angle fluctuates slightly, it can always remain greater than −11.21° and less than 1.01°. To sum up, the change of the loosely coupled altitude angle is also close to the change of the altitude angle without spoofing.
Figure 12 and
Figure 13 show the changes of each test statistic
of the loosely coupled GNSS/IMU system without spoofing and with spoofing, respectively. Here, the threshold
is set to 50. Px, Py, Pz, Vx, Vy and Vz respectively represent the test statistics of the position in the X direction, Y direction and Z direction; the test statistics of the velocity in the X direction, Y direction and Z direction in the ECEF coordinate system; and the red line represents the alarm threshold line.
As shown in
Figure 12 and
Figure 13, when loosely coupled GNSS/IMU is spoofed by slowly varying spoofing, although the test statistics of the loosely coupled system increase compared with the case without spoofing, they do not exceed the alarm threshold. To sum up, when the loosely coupled system is spoofed by slowly spoofing, its test statistics will not raise an alarm.
Figure 14 and
Figure 15 show the changes of the clock offset estimation and clock drift estimation of loosely coupled GNSS/IMU without spoofing and with spoofing, respectively. The blue line indicates no spoofing, and the red line indicates spoofing.
As shown in
Figure 14 and
Figure 15, when the loosely coupled system is spoofed by slowly varying spoofing, the estimated loosely coupled clock offset is close to the same, compared with the case without spoofing; although the estimated clock drift fluctuates slightly, it can always remain greater than 99.7 m/s and less than 100.1 m/s. To sum up, the changes of the loosely coupled clock offset estimation and clock drift estimation are also close to those without spoofing.
Figure 16 and
Figure 17 show the changes of the accelerometer biases estimation and gyro biases estimation of the loosely coupled GNSS/IMU system without spoofing. The red line, green line and blue line respectively represent the X, Y and Z axis directions along the body coordinate.
Figure 18 and
Figure 19 show the changes of the accelerometer biases estimation and gyro biases estimation of the loosely coupled GNSS/IMU system with spoofing. The red line, green line and blue line respectively represent the X, Y and Z axis directions along the body coordinate.
As shown in
Figure 16,
Figure 17,
Figure 18 and
Figure 19, when the loosely coupled system is spoofed by slowly varying spoofing, compared with the case without spoofing, although the estimated acceleration biases fluctuate slightly in the X direction, it can always remain greater than
and less than
; although there is a small fluctuation in the Y direction, it can always remain greater than
and less than
; and although there is a small fluctuation in the Z direction, it can always remain greater than
and less than
. Although the estimated gyro biases fluctuate slightly in the X direction, it can always remain greater than
and less than
; although there is a small fluctuation in the Y direction, it can always remain greater than
and less than
; and although there is a small fluctuation in the Z direction, it can always remain greater than 0 and less than
. To sum up, the variation of the biases estimation of the accelerometer and gyro is also close to the variation without spoofing.
Based on the above experimental analysis, in terms of the spoofing effect, the north displacement completely achieves the spoofing effect, and errors with the expected offset are −0.2 m; the east displacement basically achieves the spoofing effect, and the error with expected offset is 2.3 m; the down displacement also basically achieves the spoofing effect, but the effect is slightly worse than that in the north and east directions, and error with the expected offset is 13.2 m. When slowly varying spoofing is applied to a loosely coupled system, the velocity change of the loosely coupled system is close to the velocity change of that without spoofing, and the change of the altitude angle is also close to the change of the altitude angle without spoofing. At the same time, its test statistics will not raise an alarm, and the changes of the accelerometer bias estimation and gyro bias estimation of a tightly coupled system are also close to the change without spoofing.
5. Conclusions and Future Work
In order to effectively counter the non-cooperative target of an assembly integrated navigation system by using spoofing technology, a new spoofing algorithm needs to be proposed. In order to effectively counter the non-cooperative target of assembling a loosely coupled GNSS/IMU by using GNSS spoofing, based on the analysis of the influence mechanism of spoofing on the positioning of loosely coupled GNSS/IMU, a slowly varying spoofing algorithm to avoid loosely coupled GNSS/IMU with multiple anti-spoofing techniques is proposed, and a measurement deviation determination method to avoid multiple anti-spoofing techniques is proposed, which can gradually pull the positioning results of coupled system and successfully avoid anti-spoofing techniques’ detection of innovation sequence monitoring and a parameter rationality check. The experimental results show that the proposed algorithm gradually changes the positioning of the loosely coupled GNSS/IMU; the north and east displacements achieve the purpose of spoofing; and the errors with the expected offset are −0.2 m and 2.3 m, respectively. The down displacement also basically achieves the purpose of spoofing, and the error with the expected offset is 13.2 m. At the same time, it avoids the detection of multiple anti-spoofing techniques, does not trigger the system alarm, and realizes the purpose of spoofing, thus the effectiveness and high concealment of the spoofing algorithm are verified. The research results provide an effective solution for the target equipped with a loosely coupled GNSS/IMU system to implement GNSS spoofing. On the other hand, it also provides reference for a loosely coupled GNSS/IMU system to detect and suppress GNSS spoofing.
The research work of this paper, which needs to be improved in the follow-up research, may be that the spoofing in the experiment is positioning spoofing, and the set spoofing destination is not very complex. Future research work will focus on, first, how to spoof the more complex coupled system of GNSS and IMU, and second, how to spoof more complex anti-spoofing techniques to deal with the threat of unknown moving objects.