Advanced GNSS Spoofing Detection: Aggregated Correlation Residue Likelihood Analysis

Abstract

Compared to conventional spoofing, emerging spoofing attacks pose a heightened threat to security applications within the global navigation satellite system (GNSS) due to their subtly designed signal structures. In response, a novel spoofing detection method entitled aggregated correlation residue likelihood analysis (A-CoRLiAn) is proposed in this study. Requiring only the addition of a pair of supplementary correlators, A-CoRLiAn harnesses correlation residues to formulate a likelihood metric, subsequently aggregating weighted decisions from all tracked satellites to ascertain the presence of spoofing. Evaluated under six diverse spoofing scenarios (including emerging challenges) in the Texas Spoofing Test Battery (TEXBAT) via Monte Carlo simulations, A-CoRLiAn yields a detection rate of 99.71%, demonstrating sensitivity, robustness, autonomy, and a lightweight architecture conducive to real-time implementation against spoofing threats.

1. Introduction

The global navigation satellite system (GNSS) plays an important role in critical systems, such as military and civilian communications, securities trading, financial systems, and smart grids [1]. Thus, their position, navigation, and timing (PNT) security should be guaranteed. Nowadays, information and navigation warfare are trending in modern warfare, and spoof jamming has become a major threat that cannot be ignored. The spoofing signal has the same structure as that of a genuine signal. It can invade an enemy receiver that has no corresponding defensive measures and change or control its positioning and timing results, without destroying the tracking loop or being detected. To avoid critical consequences, user terminals must be equipped with spoofing detection methods. Therefore, spoofing detection has gradually become popular for GNSS anti-jamming.

Generally, spoofing attacks can be classified into the three following categories [2]: simplistic, intermediate, and sophisticated. Simplistic spoofing directly simulates GNSS signals, which are then amplified and transmitted. This type of spoofing is out of sync with genuine signals, making it easier to detect, but it can still pose a threat to undefended receivers when the power is sufficiently high. Intermediate spoofing captures and modifies genuine signals for transmission, requiring the precise control of the delay and power. Sophisticated spoofing uses a closed-loop system to continuously monitor the target and simulate genuine signals, potentially employing multiple antennas to create a deceptive array pattern, making it the most covert and difficult to detect. Currently, there are no successful public instances of sophisticated spoofing attacks; therefore, studies have focused on the detection methods for intermediate spoofing attacks. Nonetheless, some emerging spoofing techniques [3,4] have devised subtle signal structures to achieve greater stealth, thereby posing more formidable challenges for detection methodologies.

GNSS authentication techniques are classified into three principal categories [5]: (1) cryptographic techniques [6,7] that exploit unpredictable but verifiable signal modulation in the GNSS spreading code or navigation data, (2) geometric techniques [8,9] that exploit the angle-of-arrival (AOA) diversity of authentic GNSS signals, and (3) GNSS signal processing techniques that do not fall into categories (1) and (2).

However, cryptographic signal authentication requires continuous systematic planning and upgrading in the future to integrate encryption modulation into various GNSS signals. Using AOA information, the receiver can perform spatial filtering through adaptive null steering, enhancing the genuine signal while suppressing the spoofing interference. However, AOA detection imposes significant demands on antennas, requiring multiple antennas or antenna mobility, which leads to high implementation costs. It is only effective when the spoofing signals are transmitted from a single antenna, making it challenging to cope with distributed spoofing. Moreover, AOA detection operates under a particular assumption regarding the direction of spoofing signal propagation, which may not always hold true in practice. Many detection methods rely on supplementary equipment, such as high-precision accelerometers [10,11], vision sensors [12,13], odometers [14,15], and navigation-grade inertial measurement units (IMUs) [16,17], which are not suitable for low-cost and portable devices. Thus, it is crucial to conduct further research into independent detection methods.

Currently, in the field of GNSS signal processing technologies, several independent detection methodologies exist, including the observation mutation [18], correlation distortion [19,20], and power [2,21] detection methods. Researchers [22] refer to observation mutation and correlation distortion detection as time of arrival (TOA) detection. This paper primarily focuses on correlation distortion detection.

Signal quality monitoring (SQM) technology, categorized under correlation distortion detection, was originally designed for multipath detection [23,24,25]. Classical SQM detection theory is widely used owing to its simple structure and high feasibility, but its assumptions are not universal, resulting in limited robustness.

Since the distribution of the correlator output can be predetermined in the absence of interference, it enables the detection of spoofing by examining its statistical properties. A chi-squared goodness-of-fit (GoF) test is conducted on the correlator outputs, accompanied by the proposition of a spoofing mitigation scheme on a vector-based tracking receiver [2]. Building upon the GoF test of Jahromi, the Pini group introduced a novel chi-squared statistic based on paired correlators [26], employing both GoF and sign tests as statistical evaluation methods. The efficacy of their detection approach was validated using the publicly available TEXBAT dataset. However, neither work provides explicit statistical probabilities of detection, and the GoF test necessitates continuous recalibration.

Moreover, correlation distortion analysis can be integrated with power detection techniques to facilitate a joint approach for spoofing detection [27,28]. A PD detector based on power and distortion features has been introduced [29], yet it necessitates an additional power monitoring module and yielded a non-negligible missed detection rate in practical experiments. Building upon this, a PD-ML detector has been proposed, and it enhances the detection performance by substituting a new distortion metric for the symmetric difference [30]. Nevertheless, the incorporation of the grid search methodology increases the computational complexity.

Consequently, the design of a sensitive, convenient, real-time, and robust spoofing detection method is crucial for GNSS anti-spoofing. In this study, we propose a novel spoofing detection methodology entitled aggregated correlation residue likelihood analysis (A-CoRLiAn). This approach introduces a pair of extra correlators into the tracking loop, leveraging the linear properties of the residual correlation function model to conduct multi-tap maximum likelihood estimations. The estimated outcomes are then scrutinized through hypothesis testing to reveal potential spoofing activities. A-CoRLiAn exhibits promising aptitude for the identification of spoofing attacks, especially when aggregating decisions across the detection outcomes of all tracked satellites. Its detection robustness persists in all scenarios, including emerging challenges.

2. Materials and Methods

2.1. Spoofing Attack Pattern and Signal Model

A spoofing signal is generated by using a signal simulator based on the premise that the geographical location of the target is known. Figure 1 shows the changing process of the correlation function over time in the presence of spoofing. The spoofing signal is aligned with the genuine signal by adjusting the code phase, and the power advantage is used to control the tracking loop of the target receiver [19].

This study is based on a binary phase shift keying (BPSK) signal system. When spoofing occurs, the received signal is the sum of the genuine signal, spoofing signals, and additive white Gaussian noise $n\left(t\right)$ with variance ${\sigma }^2$, and it can be modeled as follows:

$$s\left(t\right)=A{\displaystyle \sum }_{i=0}^M{\alpha }_{i}c\left(\tau -{\tau }_i\right)\cos {\varphi }_i+n\left(t\right),$$

(1)

where $M$ is the number of spoofing signals, and $A$ denotes the amplitude of the genuine signal. $\tau$ and $\varphi$ denote the time delay and phase, and $c\left(t\right)$ is a pseudorandom code. In addition, ${\alpha }_i$ denotes the amplitude attenuation relative to the genuine signal and ${\alpha }_0=1$.

The satellite navigation receiver employs a three-branch configuration within the delay-locked loop (DLL), comprising early, prompt, and late branches, to execute correlation operations essential for tracking. The normalized correlation function of the prompt branch can be expressed as

$$R\left(\tau \right)={\displaystyle \sum }_{i=0}^M{\alpha }_i{\mathrm{e}}^{j{\varphi }_i}\Lambda \left(\tau -{\tau }_i\right)+R_n,$$

(2)

where $R_n$ signifies the portion of the correlation result attributed to the noise $n\left(t\right)$,$T_c$ denotes the chip duration, and $\Lambda \left(\tau \right)$ is the normalized ideal correlation function:

$$\Lambda \left(\tau \right)=\{\begin{array}{c}1-\left|\tau \right|/T_c \left|\tau \right|\le T_c\\ 0 else\end{array}.$$

(3)

2.2. A-CoRLiAn Method

In this study, the CoRLiAn method is proposed, which uses the outputs of the detection correlators to superimpose a stable correlation function and then establishes a metric for the detection of spoofing by using maximum likelihood estimation (MLE) and generalized likelihood ratio tests (GLRT). Based on the CoRLiAn results, we can implement the aggregated decision to finalize the A-CoRLiAn method. This section describes the steps of the proposed method. Figure 2 illustrates the scheme of the A-CoRLiAn method, which comprises four principal steps.

Step 1.

Channel estimation;

Step 2.

Metric computation;

Step 3.

Single-satellite decision-making;

Step 4.

Multi-satellite decision aggregation.

Notably, the first three steps collectively constitute the CoRLiAn approach, dedicated to spoofing detection on individual satellites.

The tap-delay line (TDL) system identification model, demonstrated in Figure 3, is a widely utilized approach in channel estimation, comprising a structure of finite impulse response (FIR) filters. In this model, each filter tap is characterized by its own weight and delay, typically employing uniform delay intervals between taps [31]. Assuming that there are $\left(2P+1\right)$ correlators and $\left(2p+1\right)$ taps, with the correlator spacing set as ${\delta }_{\tau }$ and the tap spacing as ${\mathsf{\Delta }}_{\tau }$, we can obtain the correlator location vector ${\mathit{\delta }}_{\mathit{c}}={\left[-P{\delta }_{\tau },\dots ,-{\delta }_{\tau },0,{\delta }_{\tau },P{\delta }_{\tau }\right]}^T$ and the tap location vector ${\Delta }_{\mathit{t}}={\left[-p{\mathsf{\Delta }}_{\tau },\dots ,-{\mathsf{\Delta }}_{\tau },0,{\mathsf{\Delta }}_{\tau },p{\mathsf{\Delta }}_{\tau }\right]}^T$. Consequently, the linear model of the correlation outputs is

$$\mathit{R}={\mathit{P}}_{\mathit{\Lambda }}\mathit{\theta }+{\mathit{R}}_{\mathit{n}}+{\mathit{\epsilon }}_{\mathit{R}}.$$

(4)

Here, $\mathit{\theta }$ is the $\left(2p+1\right)\times 1$ tap weight vector corresponding to ${\Delta }_{\mathit{t}}$. In the presence of spoofing, $\mathit{\theta }={\mathit{\theta }}_{\mathit{s}}+{\mathit{\theta }}_{\mathit{a}}$, where ${\mathit{\theta }}_{\mathit{s}}$ represents the tap weight vector associated with the spoofing signal and ${\mathit{\theta }}_{\mathit{a}}$ represents the tap weight vector associated with the authentic signal. Each element of $\mathit{\theta }$, denoted as ${\theta }^{\left(i\right)}$, has the form ${\alpha }_i{\mathrm{e}}^{j{\varphi }_i}$, while ${\mathit{P}}_{\mathit{\Lambda }}$ represents the known observation matrix $\left(2P+1\right)\times \left(2p+1\right)$. The term ${\mathit{\epsilon }}_{\mathit{R}}$ signifies systemic errors present in the measurements. There is a correlation between the outputs of correlators $\mathit{R}$, and ${\mathit{R}}_{\mathit{n}}$ is colored noise.

Typically, we take $P=p$ and ${\delta }_{\tau }={\mathsf{\Delta }}_{\tau }=\mathsf{\Delta }$, in which case ${\mathit{P}}_{\mathit{\Lambda }}$ becomes a Toeplitz matrix, expressed as follows:

$${\mathit{P}}_{\mathit{\Lambda }}=\left[\begin{array}{ccc}\Lambda \left(0\right)& \cdots & \Lambda \left(2P\mathsf{\Delta }\right)\\ ⋮& \ddots & ⋮\\ \Lambda \left(2P\mathsf{\Delta }\right)& \cdots & \Lambda \left(0\right)\end{array}\right].$$

(5)

Before any alert occurs, we need to statistically average the signal power to derive ${\mathit{\theta }}_{\mathit{a}}$, which, except for ${\theta }^{\left(0\right)}$, should have all other weights set to zero. By mean-centering $\mathit{R}$, systematic errors ${\mathit{\epsilon }}_{\mathit{R}}$ can also be removed. After removing the genuine peak ${\mathit{P}}_{\mathit{\Lambda }}{\mathit{\theta }}_{\mathit{a}}$ and systemic errors ${\mathit{\epsilon }}_{\mathit{R}}$ from $\mathit{R}$, the residual correlation function ${\mathit{R}}^{\prime }$ is obtained. If spoofing is present, the linear model of ${\mathit{R}}^{\prime }$ can be expressed as

$${\mathit{R}}^{\prime }={\mathit{P}}_{\mathit{\Lambda }}{\mathit{\theta }}_{\mathit{s}}+{\mathit{R}}_{\mathit{n}},$$

(6)

and the mean, denoted as ${\mathit{\mu }}_{{\mathit{R}}^{\prime }}$, of ${\mathit{R}}^{\prime }$ is

$${\mathit{\mu }}_{{\mathit{R}}^{\prime }}={\mathit{P}}_{\mathit{\Lambda }}{\mathit{\theta }}_{\mathit{s}},$$

(7)

while the covariance matrix of colored noise ${\mathit{R}}_{\mathit{n}}$ is

$${\mathit{C}}_{\mathit{n}}={\sigma }^2{\mathit{P}}_{\mathit{\Lambda }}.$$

(8)

Consequently, ${\mathit{R}}^{\prime }$ follows a complex Gaussian distribution ${\mathit{N}}_{ℂ}\left({\mathit{P}}_{\mathit{\Lambda }}{\mathit{\theta }}_{\mathit{s}},{\sigma }^2{\mathit{P}}_{\mathit{\Lambda }}\right)$.

When the normal equation $\mathit{N}={{\mathit{P}}_{\mathit{\Lambda }}}^{\mathit{H}}{{\mathit{C}}_{\mathit{n}}}^{-\mathbf{1}}{\mathit{P}}_{\mathit{\Lambda }}$ is invertible, maximum likelihood estimation ${\widehat{\mathit{\theta }}}_{\mathit{s}}$ is [32]

$${\widehat{\mathit{\theta }}}_{\mathit{s}}={\left({{\mathit{P}}_{\mathit{\Lambda }}}^{\mathit{H}}{{\mathit{C}}_{\mathit{n}}}^{-\mathbf{1}}{\mathit{P}}_{\mathit{\Lambda }}\right)}^{-\mathbf{1}}{{\mathit{P}}_{\mathit{\Lambda }}}^{\mathit{H}}{{\mathit{C}}_{\mathit{n}}}^{-\mathbf{1}}{\mathit{R}}^{\prime }.$$

(9)

According to the $\mathrm{N}$-$\mathrm{P}$ criterion, the verification analysis of spoofing detection can be regarded as a problem for hypothesis testing. Assuming that ${\mathit{\Theta }}_{\mathbf{0}}$ represents the nominal channel condition, spoofing attack detection is divided into two hypotheses: (1) the null hypothesis $H_0$ corresponds to no spoofing signal, where $\mathit{\theta }={\mathit{\theta }}_{\mathit{a}}\in {\mathit{\Theta }}_{\mathbf{0}}$; (2) the alternative hypothesis $H_1$ corresponds to the existence of both spoofing and genuine signals, where $\mathit{\theta }={\mathit{\theta }}_{\mathit{s}}+{\mathit{\theta }}_{\mathit{a}}\notin {\mathit{\Theta }}_{\mathbf{0}}$:

$$H_0:\mathit{A}{\widehat{\mathit{\theta }}}_{\mathit{s}}=\mathit{b},$$

(10)

$$H_1:\mathit{A}{\widehat{\mathit{\theta }}}_{\mathit{s}}\ne \mathit{b}.$$

(11)

Here, $\mathit{A}$ can be set as a $\left(2p+1\right)\times \left(2p+1\right)$ identity matrix, and $\mathit{b}$ can be set as a $\left(2p+1\right)\times 1$ zero vector.

Subsequently, we perform the GLRT [33] for ${\widehat{\mathit{\theta }}}_s$, and the detection metric $T\left(\widehat{\mathit{\theta }}\right)$ is used to quantify the difference between the actual and nominal correlation residues:

$$T\left({\widehat{\mathit{\theta }}}_{\mathit{s}}\right)={\displaystyle \frac{{\left(\mathit{A}{\widehat{\mathit{\theta }}}_{\mathit{s}}-\mathit{b}\right)}^H{\left[\mathit{A}{\left({{\mathit{P}}_{\mathit{\Lambda }}}^{\mathit{H}}{{\mathit{C}}_{\mathit{n}}}^{-1}{\mathit{P}}_{\mathit{\Lambda }}\right)}^{-1}{\mathit{A}}^H\right]}^{-1}\left(\mathit{A}{\widehat{\mathit{\theta }}}_{\mathit{s}}-\mathit{b}\right)}{{\sigma }^2/2}}.$$

(12)

Under $H_0$, $T\left({\widehat{\mathit{\theta }}}_{\mathit{s}}\right)~{\chi }^2\left(2p+1\right)$, thus allowing us to determine the original threshold $\gamma$ based on the significance level $\alpha$. Due to the input being smoothed correlation values, the noise fluctuation is reduced; thus, the threshold needs to be adjusted downward to some extent to accommodate the changes in the distribution that $T\left({\widehat{\mathit{\theta }}}_{\mathit{s}}\right)$ follows. This can be accomplished by introducing the threshold scaling factor $\mathsf{\beta }$, which enables us to derive the revised threshold ${\gamma }^{\prime }={\displaystyle \frac{\gamma }{\beta }}$. The introduction of $\beta$ allows the flexible adjustment of the detector sensitivity without altering the basic structure of the detection algorithm, optimizing the performance. For each time unit of tracked satellites, we compare $T\left(\widehat{\mathit{\theta }}\right)$ with ${\gamma }^{\prime }$, resulting in a decision $d$:

$$d=\{\begin{array}{c}0, T<{\gamma }^{\prime }\left(H_0 accepted\right)\\ 1, T\ge {\gamma }^{\prime }\left(H_1 accepted\right)\end{array}.$$

(13)

Up to this point, we have completed the spoofing detection for an individual satellite. To give the host a final judgment on whether there is spoofing, we could integrate the decisions of the tracked satellites by using the majority rule to further improve the flexibility of the proposed method.

At the time instant $i$, we define the aggregated test

$$h_i={\displaystyle \sum }_{s=1}^{N_i}{d}_i^s,$$

(14)

where $N_i$ indicates the number of satellites tracked, and $\mathrm{s}$ stands for the satellite ID. Then, we determine the aggregated decision $D$ as follows:

$$D_i=\{\begin{array}{c}0, h_i<{\eta }_{i,q} \left(H_0 accepted\right)\\ 1, h_i\ge {\eta }_{i,q} \left(H_0 rejected\right)\end{array},$$

(15)

and the threshold of the aggregated decision is set as

$${\eta }_{i,q}={\displaystyle \frac{N_i}{q}}\left(e.g., q=2,3,4\cdots \right),$$

(16)

where $q$ indicates the maximum proportion of abnormal satellites that we can accept.

2.3. Theoretical Performance Analysis

2.3.1. Performance Analysis of Estimation

A.

Influence of Correlator Spacing

The noise and the discrete tap delay introduce performance constraints on the estimation results $\widehat{\mathit{\theta }}$, introducing estimation errors ${\mathit{\theta }}_{\mathit{n}}$ and a limited resolution $\rho$.

Firstly, the perturbation form of the linear model can be expressed as

$${{\mathit{P}}_{\mathit{\Lambda }}}^{\mathit{T}}{{\mathit{C}}_{\mathit{n}}}^{-\mathbf{1}}\left({\mathit{R}}_{\mathit{s}}+{\mathit{R}}_{\mathit{n}}\right)=\mathit{N}\left({\mathit{\theta }}_{\mathit{s}}+{\mathit{\theta }}_{\mathit{n}}\right);$$

(17)

consequently, the upper bound $\varpi$ on the relative error of $\widehat{\mathit{\theta }}$ is given by

$${\displaystyle \frac{\Vert {\mathit{\theta }}_{\mathit{n}}\Vert }{\Vert {\mathit{\theta }}_{\mathit{s}}\Vert }}\le \varpi =\kappa \left(\mathit{N}\right){\displaystyle \frac{\Vert {{\mathit{P}}_{\mathit{\Lambda }}}^{\mathit{T}}{\mathit{D}}^{\mathit{T}}\left(\mathit{D}{\mathit{R}}_{\mathit{n}}\right)\Vert }{\Vert {{\mathit{P}}_{\mathit{\Lambda }}}^{\mathit{T}}{\mathit{D}}^{\mathit{T}}\left(\mathit{D}{\mathit{R}}_{\mathit{s}}\right)\Vert }},$$

(18)

where $\kappa \left(\mathit{N}\right)$ is the condition number of $\mathit{N}$.

To examine the impact of the delay spacing $\mathsf{\Delta }$ on $\varpi$, we employ the whitening matrix $\mathit{D}$, enabling us to derive $\varpi$ via $\mathit{D}{\mathit{R}}_{\mathit{n}}$ and $\mathit{D}{\mathit{R}}_{\mathit{s}}$. Assuming a signal-to-noise ratio (SNR) of 20 dB, the variations in $\kappa \left(\mathit{N}\right)$ and $\varpi$ with $\mathsf{\Delta }$ are as depicted in Figure 4, illustrating that both increase as $\mathsf{\Delta }$ decreases. This phenomenon arises because smaller delay intervals $\mathsf{\Delta }$ render $\mathit{N}$ nearly singular, thereby inducing ill-conditioned equations.

On the other hand, the estimation method restricts the estimated delays to a set of discrete points defined by tap interval $\mathsf{\Delta }$, consequently yielding a delay resolution $\rho$ that is half of $\mathsf{\Delta }$ [34].

In summary, within a given observation span, narrower tap spacing $\mathsf{\Delta }$ enhances the delay resolution $\rho$ of the estimation method, albeit requiring a larger number of correlators. Conversely, an excessively small $\mathsf{\Delta }$ inflates the estimation errors. Consequently, the estimation errors and resolution emerge as competing performance metrics. Given this study’s focus on spoofing detection without stringent requirements on the resolution of the estimated time delay, a larger $\mathsf{\Delta }$ and fewer detection correlators can be adopted.

B.

Necessity of Additional Correlators

We set the minimum spacing between the tracking correlators to ${\delta }_{tra}$. Assuming that three detection correlators (including the prompt correlator) are fixed with $\mathsf{\Delta }=0.5chips$, CoRLiAn is applied under varying ${\delta }_{tra}$, yielding detection rate $P_d$, depicted in Figure 5. It is evident that as ${\delta }_{tra}$ approaches $\mathsf{\Delta }$, $P_d$ decreases; conversely, it rises again when ${\delta }_{tra}$ moves away from $\mathsf{\Delta }$. This behavior arises from the tracking loop’s ability to enhance the symmetry in the correlation outputs, thereby improving their match with the nominal correlation function. However, in the presence of spoofing, this process contradicts CoRLiAn’s goal of measuring the deformation in the correlation function’s shape. To achieve superior performance, CoRLiAn should avoid employing the same set of correlators as the tracking loop. A recommendation is to increase the spacing to at least 0.5 chips or more, as this significantly enhances the detection efficacy.

2.3.2. Performance Analysis of Aggregated Decision

At any given moment, the CoRLiAn detections for individual satellites are mutually independent. Assuming that the average false alarm rate is $e$, the aggregated decision process can be modeled as a repeated Bernoulli experiment performed $n$ times, represented as $h~B\left(n,e\right)$. The probability of the cumulative quantity $h$ exceeding $\eta$ can be calculated via its cumulative distribution function, denoted as $F_{\alpha }(·)$. Consequently, the theoretical false alarm probability of the aggregated approach is derived as follows:

$$P_{fa}=1-F_{\alpha }\left(\eta -1;N;e\right),$$

(19)

where

$$F_{\alpha }\left(\eta -1;N;e\right)={\displaystyle \sum }_{k=0}^{\eta -1}\left(\begin{array}{c}N\\ k\end{array}\right)e^k{\left(1-e\right)}^{N-k}.$$

(20)

Given the unknown distribution of $T\left(\widehat{\mathit{\theta }}\right)$ under $H_1$, the detection probability of CoRLiAn cannot be directly derived. To illustrate the efficacy improvement of aggregated detection, we may simply assume that the detection probability for each satellite’s CoRLiAn is identical, denoted as $p$. Consequently, the aggregated detection probability can be derived as

$$P_d=1-F_p\left(\eta -1;N;p\right),$$

(21)

where

$$F_p\left(\eta -1;N;p\right)={\displaystyle \sum }_{k=0}^{\eta -1}\left(\begin{array}{c}N\\ k\end{array}\right)p^k{\left(1-p\right)}^{N-k}.$$

(22)

Assuming $N=8$, $\eta =2$ and $e=0.03$, Equation (19) yields a false alarm probability $P_{fa}\left(h\ge 2|H_0\right)=0.0223$, representing a 25.67% reduction compared to $e$. The relationship between $p$ and $P_d$ as per Equation (21) is depicted in Figure 6, illustrating that when $p>40\%$, A-CoRLiAn elevates $P_d$ above 90%. This highlights A-CoRLiAn’s capability to simultaneously enhance the detection probability while reducing the false alarms, underscoring inter-satellite information fusion as a potent strategy to further boost the detection performance.

2.4. Preparation for Performance Evaluation: Dataset and Analytical Methods

Based on the content discussed in Section 2.3, the A-CoRLiAn method in this paper uses a pair of additional detection correlators. Herein, the tracking correlator spacing ${\delta }_{tra}$ is set to $0.5\mathrm{chips}$, while the observation spacing $\mathsf{\Delta }$ is configured to $1\mathrm{chip}$. The integration time is set equal to 1 millisecond, and the correlator output yields an A-CoRLiAn detection decision every cumulative 1 s. In this study, the significance level is uniformly set as $\alpha =0.05$.

The Texas Spoofing Test Battery (TEXBAT), a publicly available dataset from the University of Texas in Austin, Texas, is an industry-recognized dataset for the effective validation of anti-spoofing technologies and has been widely used for spoofing and anti-spoofing research. TEXBAT targets GPS L1C/A signals with eight attack scenarios, among which ds2–ds7 are six non-repeated spoofing attack scenarios [3,35,36], as shown in

Table 1. Overview of the TEXBAT spoofing scenarios.

No.	Spoofing Type	Platform Mobility	Power Adv.	Frequency Lock	Entry Time (s)
ds2	Time	Static	Overpowered	Unlocked	110.1
ds3	Time		Matched	Locked	118.9
ds4	Position		Matched	Locked	113.8
ds5	Time	Dynamic	Overpowered	Unlocked	100
ds6	Position		Matched	Locked	100
ds7	Time	Static	Matched	Locked	110

. “Spoofing Type” indicates the dimension of the spoofing, which is divided into 600 m positional spoofing and 2 μs time spoofing. “Platform Mobility” indicates whether the spoofing platform is static or dynamic. “Power Adv.” indicates the power advantage of the spoofer. “Entry Time” indicates the time at which the spoofing signals are added. “Frequency Lock” indicates whether the spoofing signal maintains carrier phase alignment with the genuine signal. The “Locked” mode breaks the consistency between the code and carrier of the spoofing signal, whereas the “Unlocked” mode maintains this consistency.

ds2–ds6 belong to traditional spoofing, where the structure of the spoofing signal is identical to that of the genuine signal, whereas ds7 represents a novel spoofing type where the combined signal structure matches that of the authentic signal. Owing to the novelty and uniqueness of the ds7 structure, numerous approaches discussed in the literature have either not been validated against ds7 data [25,26,27,28,37,38,39] or have demonstrated inadequate detection performance [40,41,42,43].

To verify the effectiveness of A-CoRLiAn and facilitate a comparison of its performance with that of other spoofing detection methods, ds2–ds7 of TEXBAT were retrieved using the GPS software receiver (V2.0.0.20240123) embedded in the proposed A-CoRLiAn method. All tracked satellites contribute to an aggregated decision-making process for each record.

After processing the data, tallying the occurrences of $H_1$ decisions within distinct states yields the detection and false alarm probabilities for the A-CoRLiAn method.

$$P_{fa}={{\displaystyle \frac{{\sum }_{i=1}^N{D}_i}{N}}|}_{H_0},$$

(23)

$$P_d={{\displaystyle \frac{{\sum }_{i=1}^N{D}_i}{N}}|}_{H_1},$$

(24)

where $N$ is the number of decisions made during the specified period.

3. Detection Results of A-CoRLiAn Method

3.1. Performance of A-CoRLiAn Method

This section will demonstrate the performance of the A-CoRLiAn method using the emerging spoofing case ds7 from TEXBAT, with the threshold scaling factor $\beta$ set to 24.1.

A.

Decisions of CoRLiAn

Due to space constraints, this section demonstrates the detection performance of the proposed CoRLiAn method using tracked satellites from ds7.

As per Table 1, the interval from 110 s to 400 s denotes the period of deception presence in ds7. Considering ds7 SVN 13 as an example, the CoRLiAn method was performed from 238 s to 239 s to detect spoofing. The residual components of the actual propagation channel parameter ${\widehat{\mathit{\theta }}}_{\mathit{s}}$ can be calculated according to Equation (9) in Section 2.3. As shown in Figure 7, the actual residual correlation functions ${\mathit{R}}^{\prime }$ and ${\widehat{\mathit{\theta }}}_{\mathit{s}}$ are indicated by orange lines, and the expected nominal correlation function ${\mathit{R}}_{\mathit{b}}$ and the expected channel parameter $\mathit{b}$ under $H_0$ are indicated by blue lines.

These are the results of a single test. We continuously performed CoRLiAn on the tracked satellites of ds7 within 400 s. The change in the metrics over time is shown in Figure 8, and the value of the threshold ${\gamma }^{\prime }$ is 0.32, which is marked using the orange dashed line.

According to the metrics in Figure 8, the corresponding decisions of the tracked satellites are shown in in Figure 9, and the statistical results of the detection and false alarm probabilities within the 400 s range are marked.

B.

Decisions of Aggregated CoRLiAn

This section presents the performance of the aggregated CoRLiAn method in making aggregated decisions for all of the tracked satellites.

Based on the decisions of the tracked satellites in Figure 9, Figure 10 illustrates the aggregated metrics and decisions for ds7.

3.2. Influence of Threshold Scaling Factor

Adjusting the threshold scaling factor ($\beta$) from 1 to 100, the detection performance in six non-repeated spoofing attack scenarios (TEXBAT ds2–7) is depicted in Figure 11. In addition, the six records can be combined to form 2400 Monte Carlo simulations. Figure 12 shows the Monte Carlo detection performance of the proposed method under varied threshold scaling factors $\beta$.

Based on A-CoRLiAn’s varying detection capabilities across the scenarios, two detection modes can be configured: a low-sensitivity mode with $\beta =4$ and a high-sensitivity mode with $\beta =24.1$. These two values are considered optimal to address traditional and emerging spoofing, respectively. The A-CoRLiAn algorithm is reapplied to ds2–ds7 under both modes.

Table 2. Detection performance of A-CoRLiAn on ds2–ds7 under both modes.

Mode	Prob.	ds2	ds3	ds4	ds5	ds6	ds7	Monte Carlo (ds2–ds7)
Low Sensitivity $\left(\beta =4\right)$	$P_{fa}$	0%	0%	0%	0%	0%	0%	0%
	$P_d$	100.0%	99.65%	99.65%	99.67%	99.67%	82.07%	96.78%
High Sensitivity $\left(\beta =24.1\right)$	$P_{fa}$	1.82%	1.69%	2.65%	1%	1%	1.82%	1.66%
	$P_d$	100.0%	99.65%	99.65%	99.67%	99.67%	99.66%	99.71%

shows the final false alarm rates and detection probabilities of the A-CoRLiAn method under both modes.

4. Discussion

4.1. Performance Analysis

First, the sensitivity and robustness of the A-CoRLiAn method are discussed. As shown in Figure 7, the residual correlation function ${\mathit{R}}^{\prime }$ and the residual components of channel parameter ${\widehat{\mathit{\theta }}}_{\mathit{s}}$ have significant amplitude changes and asymmetries. Currently, the detection metric $T$ is 27.69 and the threshold ${\gamma }^{\prime }$ is 0.32; thus, CoRLiAn correctly identifies the existence of spoofing. This process demonstrates that the CoRLiAn method utilizes the deformities of the correlation function generated by spoofing to quantify the anomalies of the propagation channel. Figure 8 demonstrates a sequential decrease in the satellite signal quality, accompanied by a corresponding decline in the CoRLiAn metric $T$. Notably, during spoofing episodes, these metrics distinctively diverge from normal operational levels, enabling detection through thresholding. As evidenced in Figure 9, under the proposed CoRLiAn method, $P_{fa}$ stays within 5% across all tracked satellites for ds7, while $P_d$ ranges from 77.59% to 98.28%. Despite the absence of information fusion from multiple satellites, CoRLiAn still achieves commendable performance.

Figure 10 reveals that the proposed A-CoRLiAn method provides a sustained warning for ds7 over 289 s, achieving a lower false alarm rate and a 99.66% detection rate. This outcome surpasses the individual satellite detection probabilities depicted in Figure 9, illustrating that the aggregated strategy enhances the detection performance by consolidating the satellite decisions, thereby highlighting the superiority of information fusion.

Figure 11 illustrates that for static scenarios (ds2–ds4), the impact trend of the threshold scaling factor $\beta$ on A-CoRLiAn’s detection performance is generally consistent. Moreover, for dynamic scenarios (ds5–ds6), the influence of $\beta$ is notably less significant. When $4\le \beta \le 27$, A-CoRLiAn for traditional spoofing (ds2–6) can achieve a detection probability of over 99.65% with a false alarm rate lower than 5%. For many values of $\beta$, the detection probabilities are the same as when $\beta =27$; among these values, A-CoRLiAn has the smallest false alarm rate when $\beta =4$. For the emerging spoofing scenario ds7, A-CoRLiAn requires heightened sensitivity, necessitating a narrower optimal range for $\beta$. When $12\le \beta \le 28,$ A-CoRLiAn for emerging spoofing (ds7) can achieve a detection probability ranging from 90.34% to 99.65% with a false alarm rate lower than 5%. For many values of $\beta$, the detection probability is 99.65%; among these values, A-CoRLiAn has the smallest false alarm rate when $\beta =24.1$. Figure 12 shows that the Monte Carlo performance simulation based on the TEXBAT dataset can achieve a detection probability greater than 96.78% with a false alarm rate lower than 5% when $4\le \beta \le 29$.

In summary, A-CoRLiAn’s performance is not overly sensitive to $\beta$, which has a relatively wide range of viable values. Considering the different spoofing detection sensitivity requirements, the recommended range of $\beta$ can be subdivided into two: a lower-sensitivity range of $4\le \beta \le 12$ and a higher-sensitivity range of $12\le \beta \le 27$.

As evident in Table 2, the A-CoRLiAn method demonstrates robust detection performance across all six scenarios. Under the low-sensitivity mode, it achieves detection probabilities exceeding 99.65% against conventional spoofing threats (ds2–ds6) that mimic genuine signals, with no false alarms. To address the emerging challenge posed by ds7, we switch to the high-sensitivity mode, elevating the detection rate to 99.66% while maintaining an acceptably low $P_{fa}$ of 1.82%. Some of the false alarms are attributed to instability in the tracking initialization data, hence inflating $P_{fa}$. In both modes, extensive Monte Carlo simulations—2400 runs—yielded detection rates of 96.78% and 99.71%, respectively, further validating its effectiveness.

A-CoRLiAn exhibits comparatively lower detection capabilities against ds7 due to the unique spoofing methodology employed in this scenario. Specifically, ds7 employs a traction strategy where the authentic and false peaks are subtracted, with the deceptive peak designed to have dynamically varying power. This introduces subtler distortions to the composite peak, causing the CoRLiAn metric $T$ to rise more gradually.

Furthermore, the A-CoRLiAn method is distinguished by its lightweight structure and real-time performance, achieved with the addition of just a pair of correlators, thereby avoiding the substantial computational demands and noticeable latency associated with large matrices and facilitating straightforward implementation. Data processing within the A-CoRLiAn method is also devoid of computationally intensive modules, such as the grid search procedure [31,35]. It also features a standalone design, free from reliance on external information sources. Compared to AOA, A-CoRLiAn does not restrict the direction of spoofing arrival and is suitable for detecting distributed spoofing. This gives the method broader applicability.

The GoF test, which is likewise based on correlator outputs, shares the advantage of being lightweight. Its validity has also been demonstrated using TEXBAT ds2–ds6 [27]. It does not provide precise test probability values or validate against the emerging challenge, ds7. The time sequences that it presents reveal that GoF only offers respectable probabilities for ds6, and notably worse probabilities are observed in other scenarios (ds2–ds5). Under the Monte Carlo simulations, the detection probability for ds2–ds6 using GoF is approximately 57.66%, whereas the A-CoRLiAn method boosts this figure by approximately 42%, reaching 99.66%, manifesting significantly enhanced robustness and superior detection performance.

4.2. Limitations and Prospects

The A-CoRLiAn methodology has already achieved remarkable detection efficacy, with the Monte Carlo simulation detection rates exceeding 96.78% under low-sensitivity mode and surpassing 99.71% under high-sensitivity mode, while maintaining a satisfactorily low $P_{fa}$. While these results denote strong performance, we believe that there remains room for the further enhancement of its detection capabilities.

First, the detection correlators are uniformly distributed and may not align with potential anomalies in the correlation peaks. This is not conducive to the detection metric capturing as much abnormal information as possible. Second, the threshold, fixed under a given $\beta$, is constant and determined by the number of detection correlators, without further dynamic adjustment based on noise variance. Third, A-CoRLiAn is limited to the correlation delay domain, which is likely to be ineffective for the new spoofing traction method without the drastic deformation of the correlation peak morphology.

Consequently, the proposed A-CoRLiAn method merits deeper exploration. Investigating intelligently adaptive, unevenly spaced detector correlators can enhance the focus on anomalous regions. Refining the thresholding strategy by incorporating noise variance as a reference for dynamic threshold adjustments holds potential for further inquiry. In addition, A-CoRLiAn can be extended to the delay Doppler two-dimensional domain for detection. Moreover, A-CoRLiAn has thus far been validated solely for BPSK signals, and its applicability to other signals requires further investigation. Under favorable conditions, the A-CoRLiAn method can be integrated with external information sources to elevate the detection performance to even greater heights.

5. Conclusions

This paper introduces a spoofing detection method called aggregated correlation residue likelihood analysis (A-CoRLiAn) and provides a recommended range for the key parameter—the threshold scaling factor. A-CoRLiAn effectively addresses both conventional threats and emerging challenges in the TEXBAT dataset and is easy to implement physically. Since A-CoRLiAn places no requirements on the direction of spoofing arrival, it is also suitable for distributed spoofing scenarios. The method can be made more intelligent through threshold adjustment, which may require further research using longer spoofing datasets. Overall, A-CoRLiAn provides a low-cost, efficient, accurate, and robust spoofing detection solution for the GNSS anti-spoofing domain.