Proceeding Paper

New Approach for Jamming and Spoofing Detection Mechanisms for High Accuracy Solutions †

GMV, Isaac Newton, 11, Tres Cantos, 28760 Madrid, Spain
*
Author to whom correspondence should be addressed.
Presented at the European Navigation Conference 2025 (ENC 2025), Wrocław, Poland, 21–23 May 2025.
Eng. Proc. 2026, 126(1), 8; https://doi.org/10.3390/engproc2026126008
Published: 6 February 2026
(This article belongs to the Proceedings of European Navigation Conference 2025)

Abstract

It is well known that GNSS high accuracy solutions are increasingly vulnerable to jamming and spoofing attacks, which pose significant challenges to their reliability, security, and accuracy. In recent years, GNSS communities have witnessed an increase in the frequency and sophistication of these attacks, driven, among other factors, by the widespread availability of low-cost, off-the-shelf equipment capable of denying or even totally misleading GNSS-based positioning systems. On the one hand, jamming attacks aim at inhibiting signal reception by introducing high-power noise or interference, leading to degraded performance or complete failure in determining position. Jamming detection mechanisms need to be traced to GNSS receiver mitigation measures at signal processing level to analyze the radio frequency (RF) environment or receiver behavior. Signal-to-noise ratio (SNR) monitoring, power spectrum analysis, and signal power monitoring are commonly used to detect anomalies in signal characteristics. Jamming is often indicated by a combination of one or more dedicated indicators, which makes it possible to characterize different levels of jamming attack and to optimize the response at user level. On the other hand, detecting spoofing attacks requires different advanced techniques to identify anomalies in satellite signals, receiver behavior, or consistency of computed position data. Failed internal consistency checks, as well as unexpected evolutions of GNSS signals, are typical suspicious behaviors to be analyzed as possible attacks. Additionally, ensuring trust in the received navigation information by including cryptographic authentication mechanisms is key to quickly detecting some kinds of spoofing. This paper presents the latest enhancements on jamming and spoofing detection and mitigation mechanisms for the GMV GSharp® high accuracy and safe positioning solution.
This new method, based on fuzzy logic systems, allows us to distinguish between different levels of attack and adapt the reactions to reduce the impact on the final user as much as possible. Additionally, test results obtained from real GNSS attacks datasets will be shown.

1. Introduction

The importance of resilient algorithms that detect jamming and spoofing attacks has significantly increased in recent years, especially for applications where the integrity and quality of Global Navigation Satellite System (GNSS) play a key role in safety-critical applications, such as autonomous driving.
To overcome these attacks, there has been a huge effort in the development of robust methods to detect these intentional interferences [1]. At receiver level, the most popular methods are signal-processing algorithms, which include correlation peak monitoring [2,3], power-based [4], and antenna array [5,6] processing methods. Techniques based on computing the time of arrival (ToA) [5] can also be used if the receiver has information from other reference signals. If the application allows the user to set multiple antennas, more expensive methods focused on the direction of arrival (DoA) can be used [6]. Power-based methods, which leverage signal strength indicators, are easy to implement; however, they lack the ability to discriminate between jamming and unintentional interference and have limited capabilities to detect more sophisticated spoofing attacks. On the other hand, state-of-the-art algorithms based on machine learning have proven to be very accurate, at the expense of a higher computational cost. However, few techniques are able to optimize processing overhead while offering affordable real-time detection capabilities.
This paper presents and evaluates a new algorithm to detect jamming and spoofing at PPP level, using only the raw data provided by mass-market receivers and aimed at real-time and integrity-ensured PPP–RTK applications. Thus, this method aims to detect the attacks at an early stage, prevent the propagation of the error to the PPP sequential filters, and contribute to the overall solution integrity. Section 2 provides an explanation of the methodology used for the computation of the detection models. The evaluation of these models under various scenarios with different attack conditions is presented in Section 3.

2. Methodology

2.1. Jamming and Spoofing Attacks

In a jamming attack, the jammer transmits a high-power radio frequency signal that overloads the receiver and prevents it from collecting and tracking authentic signals in the frequency bands used by the jammer. Jamming attacks can be implemented with varying characteristics, targeting either a specific frequency or a range of frequencies. These attacks may also operate in different modes, such as continuous, pulsed, or sweeps.
On the other hand, spoofing attacks consist of transmitting fake signals that resemble authentic ones, deceiving the receiver and manipulating the computed position or time. There are different types of attacks depending on the complexity of the device used, going from replaying recorded authentic signals (meaconing) to multi-device attacks, where all appliances track the authentic satellite signal and generate synchronized fake signals, changing the PVT solution of the attacked receiver without discontinuities.
Additionally, the attacks may not affect all the available signals used by the receiver and PPP–RTK solution; thus, the detection methods shall be evaluated individually for every single band used.

2.2. Metrics Monitored

As mentioned in Section 1, this paper focuses on the detection of jamming and spoofing attacks in the context of an on-board element which integrates the information provided by a mass-market receiver and several additional sensors, such as IMU and wheel speed sensors. Hence, the metrics proposed are available at user level and are enumerated in Table 1.

2.3. Monitor Integration via Fuzzy Logic

In the presence of a jamming or spoofing attack, several of these metrics can be affected, though it is not usual that one of them acts as a clear indicator of discrimination. Moreover, some of the recognizable patterns shown by these attacks can also be spotted in degraded conditions, such as deep urban environments. When taking this into consideration in the design of the detection trigger, it soon becomes clear that establishing very rigid thresholds may not be the optimal solution. On the contrary, it is quite evident that all metrics shall be considered altogether and not independently. Thus, fuzzy logic systems arise as a very promising solution.
Fuzzy logic translates expert knowledge (formulated as human reasoning) into mathematical rules that model the expected behavior, providing a balanced tradeoff between precision and significance [7]. These systems allow flexible conditions and thresholds that can be evaluated with noisy or imprecise data and can also overcome the unavailability of part of the input data. Even though the overall conditions that trigger alerts from these attacks can be difficult to express, fuzzy logic makes it possible to define a set of “simpler” situations that are aggregated to compose a more complex relationship between all the metrics involved, so that no single metric is decisive for the outcome.
As an added advantage, integrating the detection monitors into a fuzzy logic system provides a percentage of the jamming/spoofing conditions, allowing the user to distinguish different levels of attack.
As the goal of this algorithm is to determine the presence of jamming and/or spoofing attacks in real-time, using mass-market receivers with presumably demanding requirements in terms of resource usage for the host processors, the selected membership functions should be computationally cheap to evaluate. Hence, the membership functions chosen to represent the fuzzy sets are trapezoids for which, at every value, the memberships of the sets add up to one. Figure 1 shows an example of the membership function, composed of four different sets.
For the same reason, the method followed in this approach is the Sugeno fuzzy inference [8]. Even though other methods like the Mamdani [9] capture the expert knowledge better, their computational cost and the complexity of the system make Sugeno the optimal tradeoff. This process is performed in the following four steps:
  • Fuzzification of the input variables: all crisp metrics are evaluated to determine the degree of membership in the defined fuzzy sets.
  • Inference: In this step, all the rules are evaluated, using the operators AND and OR following the antecedents. Once they have been applied, a single number that represents the result is obtained and applied to a single spike membership function.
  • Composition (aggregation of the rules): all membership functions are combined into a single fuzzy set.
  • Defuzzification: The output fuzzy set is aggregated to output a single number. As all the sets are spikes, it is computed using a weighted average:
$$Y = \frac{\sum_{i=1}^{n} h_i Y_i}{\sum_{i=1}^{n} h_i}$$

2.4. Jamming and Spoofing Fuzzy Systems

Even using fuzzy logic, constructing a single system which includes all the metrics described in Section 2.2 may be too ambitious. Hence, the proposed fuzzy logic is based on dividing all the metrics into the following four different subsystems:
  • Signal power level (jamming and spoofing detection);
  • Raw input measurement consistency (jamming and spoofing detection);
  • PPP–RTK estimation evolution (spoofing detection);
  • Raw navigation consistency (spoofing detection).
Each system is individually designed, including all the data available to reflect the expert knowledge of these attributes during an attack. As Figure 2 shows, for all the subsystems, the following three different sets are defined: nominal behavior, off-nominal behavior, and anomaly.
For example, the signal power level subsystem summarizes the characterization of the AGC, CW, and CN/0 behavior during an attack. For every metric, six different linguistic variables are analyzed based on their value (LOW, NOMINAL, and HIGH) and their evolution (DROP, STABLE, and RISE). Then, the expert knowledge of the behavior during an attack is translated as a series of rules; for jamming detection, they could be expressed as follows:
IF (AGC is DROP AND CN/0 is RISE AND CW is RISE)
OR (AGC is LOW AND mean CN/0 is HIGH AND CW is HIGH)
THEN behavior is ANOMALY
IF (AGC is DROP AND mean CN/0 is STABLE AND CW is STABLE)
OR (AGC is STABLE AND mean CN/0 is RISE AND CW is STABLE)
OR (AGC is STABLE AND mean CN/0 is STABLE AND CW is RISE)
THEN behavior is OFF-NOMINAL
IF (AGC is LOW AND mean CN/0 is NOMINAL AND CW is NOMINAL)
OR (AGC is NOMINAL AND mean CN/0 is HIGH AND CW is NOMINAL)
OR (AGC is NOMINAL AND mean CN/0 is NOMINAL AND CW is HIGH)
THEN behavior is OFF-NOMINAL
IF (AGC is RISE OR mean CN/0 is DROP OR CW is DROP)
OR (AGC is HIGH OR mean CN/0 is LOW OR CW is LOW)
OR (AGC is STABLE AND mean CN/0 is STABLE AND CW is STABLE)
OR (AGC is NOMINAL AND mean CN/0 is NOMINAL AND CW is NOMINAL)
THEN behavior is NOMINAL
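The four Sugeno steps of Section 2.3 applied to the signal power level rules listed above, as an added example that is not the authors' or GSharp®'s code. Assumptions: inputs are z-scores against a calibrated baseline, the breakpoints and the three sample epochs are constructed, AND/OR are taken as min/max, and the output spikes are the jamming column of Table 2.

```python
import math

INF = math.inf
# Table 2, jamming column: one output spike (in %) per consequent set.
SPIKES = {"NOMINAL": 0.0, "OFF-NOMINAL": 25.0, "ANOMALY": 50.0}
# Constructed breakpoints (p0, p1, p2, p3); the paper does not publish its own.
# Inputs are assumed to be z-scores against a calibrated nominal baseline.
VALUE_BP = (-3.0, -2.0, 2.0, 3.0)   # LOW / NOMINAL / HIGH
TREND_BP = (-2.0, -1.0, 1.0, 2.0)   # DROP / STABLE / RISE (change per window)


def trapezoid(x, a, b, c, d):
    """Degree of membership: 0 outside (a, d), 1 on [b, c], linear between."""
    if b <= x <= c:
        return 1.0
    if x < b:
        return 0.0 if x <= a else (x - a) / (b - a)
    return 0.0 if x >= d else (d - x) / (d - c)


def fuzzify(x, bp, names):
    """Step 1: three overlapping trapezoids whose memberships sum to one."""
    low, mid, high = names
    return {low: trapezoid(x, -INF, -INF, bp[0], bp[1]),
            mid: trapezoid(x, *bp),
            high: trapezoid(x, bp[2], bp[3], INF, INF)}


def signal_power_level(sample):
    """sample maps "AGC", "CN0", "CW" to (value, trend); returns 0..50 or None."""
    m = {k: {**fuzzify(v, VALUE_BP, ("LOW", "NOMINAL", "HIGH")),
             **fuzzify(dv, TREND_BP, ("DROP", "STABLE", "RISE"))}
         for k, (v, dv) in sample.items()}

    def both(agc, cn0, cw):      # AND taken as min (assumption)
        return min(m["AGC"][agc], m["CN0"][cn0], m["CW"][cw])

    def either(agc, cn0, cw):    # OR taken as max (assumption)
        return max(m["AGC"][agc], m["CN0"][cn0], m["CW"][cw])

    # Step 2: firing strength h_i of each rule, transcribed from the page.
    rules = [
        ("ANOMALY", max(both("DROP", "RISE", "RISE"),
                        both("LOW", "HIGH", "HIGH"))),
        ("OFF-NOMINAL", max(both("DROP", "STABLE", "STABLE"),
                            both("STABLE", "RISE", "STABLE"),
                            both("STABLE", "STABLE", "RISE"))),
        ("OFF-NOMINAL", max(both("LOW", "NOMINAL", "NOMINAL"),
                            both("NOMINAL", "HIGH", "NOMINAL"),
                            both("NOMINAL", "NOMINAL", "HIGH"))),
        ("NOMINAL", max(either("RISE", "DROP", "DROP"),
                        either("HIGH", "LOW", "LOW"),
                        both("STABLE", "STABLE", "STABLE"),
                        both("NOMINAL", "NOMINAL", "NOMINAL"))),
    ]
    # Steps 3-4: aggregate the spikes and take the weighted average Y.
    total = sum(h for _, h in rules)
    if total == 0.0:
        return None  # no rule fired: report "undetermined", not "nominal"
    return sum(h * SPIKES[s] for s, h in rules) / total


# Constructed epochs: (value, trend) per metric, in z-score units.
QUIET = {"AGC": (0.0, 0.0), "CN0": (0.0, 0.0), "CW": (0.0, 0.0)}
DRIFT = {"AGC": (-2.5, -1.5), "CN0": (0.0, 0.0), "CW": (0.0, 0.0)}
ATTACK = {"AGC": (-4.0, -3.0), "CN0": (4.0, 3.0), "CW": (4.0, 3.0)}

if __name__ == "__main__":
    for name, epoch in (("quiet", QUIET), ("drift", DRIFT), ("attack", ATTACK)):
        print(name, signal_power_level(epoch))
```

The DRIFT epoch shows the graded behaviour the text describes: a half-way AGC excursion alone fires the OFF-NOMINAL and NOMINAL rules together and lands between the 0% and 25% spikes instead of tripping a hard threshold.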
Once all the subsystems are evaluated, another system is designed to include the previous results. For the jamming detection model, the rules are as follows:
IF (Signal power level is ANOMALY OR Raw GNSS measurements are ANOMALY)
THEN behavior is ATTACK DETECTED
IF (Signal power level is OFF-NOMINAL OR Raw GNSS measurements are OFF-NOMINAL)
THEN behavior is POTENTIAL ATTACK
IF (Signal power level is NOMINAL OR Raw GNSS measurements are NOMINAL)
THEN behavior is NO ATTACK
While for the spoofing detection model, the rules are as follows:
IF (Signal power level is ANOMALY OR Raw GNSS measurements are ANOMALY OR PPP-estimated parameters are ANOMALY OR Raw navigation data are ANOMALY)
THEN behavior is ATTACK DETECTED
IF (Signal power level is OFF-NOMINAL OR Raw GNSS measurements are OFF-NOMINAL OR PPP-estimated parameters are OFF-NOMINAL OR Raw navigation data are OFF-NOMINAL)
THEN behavior is POTENTIAL ATTACK
IF (Signal power level is NOMINAL OR Raw GNSS measurements are NOMINAL OR PPP-estimated parameters are NOMINAL OR Raw navigation data are NOMINAL)
THEN behavior is NO ATTACK
Even though the rules are very simple, in practice, this system behaves surprisingly well during the cases tested, as Section 3 will show.

2.5. Detection and Countermeasures

For safety-critical applications, the detection of these attacks is crucial, as it must be ensured that the computed integrity solution is not misled, leading to possible hazardous situations. In these cases, the user shall be advised and the solution discarded. However, for products focused both on high accuracy and safety as well as availability (GMV GSharp® [10]), jamming and spoofing detection algorithms can lead to a drastic loss of availability, especially in deep urban areas, where the conditions are driven by multipath, signal blockage and unintentional interference, leading to some unavoidable false alarms. To overcome these situations and minimize the impact, the attacks are evaluated as a metric per used band, and the usage of the measurements from channels that show detection above a certain level is disabled in the PPP–RTK, preventing them from contaminating the solution. This may only be achieved when an extended system of sensors is available to bridge the gap of GNSS data during the attack.

3. Results

All the metrics described in Section 2.2 have been analyzed using a set of scenarios recorded during Jammertest 2024 [11], as well as in nominal conditions. Jammertest is an annual event held in Bleik, Norway, in which a variety of jamming and spoofing signals are broadcast to evaluate the performance and resilience of GNSSs.
All the data used for the following performances have been recorded using a mass-market receiver (u-Blox F9K) synchronized with an IMU (BMI160). The receiver is configured at a 10 Hz rate, providing the following signals: GPS L1C and L5Q, Galileo E1C and E5A, and Beidou B1I and B2Ap. In addition, the information from GSharp® corrections service is also available for the computation of the PPP–RTK solution [10].
The following subsections show the percentage of jamming and spoofing detection levels for each of the bands, as well as the accumulative level of anomaly of their subsystems. Please note that the anomaly value for each subsystem is computed by defuzzification, using the spikes given in Table 2, and the sum of their contributions may not correspond with the jamming level computed using the fuzzy logic system.

3.1. Stationary Pyramid Jamming Case

In this test case, pyramid jamming was performed, using PRN modulation and a constant power level (50 W). The pyramid steps consist of three minutes of active jamming and two minutes off. The jamming starts on E6 band only, and on each step, the bands E5b, L5, G2, L2, B1I, G1, and L1 are consecutively added and then removed in reverse order.
Figure 3 shows the percentage of jamming detection level for each of the bands, as well as the accumulative level of anomaly of the two fuzzy subsystems. The algorithm successfully captures all the steps, identifying the affected bands. However, the detection of some bands is stronger than others. For example, for both Galileo E1C and E5A, the detection peaks stay around 80%, while for GPS L1 and L5Q, they greatly oscillate between 40% and 80%.

3.2. Stationary Spoofing Using Actual Broadcasted Ephemerides Case

The next test performs three different spoofing attacks using the actual navigation data broadcast on the bands GPS L1, L2, and L5 and Galileo E1, E5a, and E5b. The first attack is an incoherent jump (the transmitted spoofing signals do not align with those received from actual satellites). The second attack starts with five minutes of jamming (2 W) prior to spoofing transmission (and continuous on non-spoofed bands) and introduces a small coherent position jump. The last one introduces another small coherent jump without jamming.
Figure 4 shows the percentage of spoofing detection level for each of the configured bands, as well as the accumulative level of anomaly of the four fuzzy subsystems. As this test used actual navigation data, the subsystem indicating spoofing ephemeris remains at nominal behavior.
The algorithm successfully captures all the spoofing attacks; however, it does not identify the affected bands, as both Beidou bands show a high percentage of anomaly even though the bands were not affected. This behavior shows that the parameters estimated at the PPP–RTK are intimately coupled, and an anomaly in one of the bands affects the rest of them, propagating the discontinuities. Another highlight is that the last coherent jump shows lower detection levels, demonstrating the complexity of detecting more sophisticated attacks.

3.3. False Alarms

To assess the suitability of the method, it is also important to study the prevalence of false alarms during nominal conditions. Table 3 shows the number of false alarms detected during 24 h of recorded data, including open sky conditions, as well as degraded deep urban surroundings.
The ratio of false alarms labeled with detection (anomaly > 60%) remains at a satisfactory level (<1%) for both detection methods. For spoofing, the ratio of misdetection tagged as potential detection (anomaly [40%, 60%]) is similar for each band, fluctuating between 1 and 2%. On the contrary, the potential detection levels for the jamming method vary significantly between the L1 bands (L1, E1, and B1I), whose ratio is less than 1%, and the L5 bands (L5, E5a, and B2Ap). The latter show worse results, especially for the B2Ap frequency, which remains at potential detection around 20% of the time analyzed. This ratio may be unacceptable for applications in need of higher availability. Nevertheless, it should be noted that for the detection countermeasure proposed, the loss of availability of one signal does not imply the complete loss of the PPP–RTK solution.

4. Conclusions

This paper has assessed the performance of a novel jamming and spoofing detection method, based on fuzzy logic, which integrates several techniques to provide different levels of interference. Also, the fuzzy logic inference method lightens the computational cost, making it suitable for real-time embedded software.
The algorithm has been tested with real data recorded at Jammertest, showing accurate results across different jamming and spoofing attacks. The results demonstrate a notable capacity of detection when employing mass-market receivers.
For the analyzed jamming attacks, this method successfully identifies the affected bands. However, at this stage, the algorithm fails to determine the actual spoofed bands; thus, a refinement of the algorithm is needed to take advantage of the actual signals received and improve the availability and accuracy of the sensor fusion algorithm along the duration of the attacks. Another potential area for future improvement is the occurrence of false alarms in nominal conditions, which remains high for the L5 band.

Author Contributions

Conceptualization, M.C. and A.C.; methodology, M.C.; software, M.C.; validation, M.Á.A.; formal analysis, M.C.; investigation, M.C. and A.C.; resources, M.C.; data curation, M.C.; visualization, M.C.; supervision, A.C. and A.G.; project administration, A.G.; funding acquisition, A.G. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The GNSS observation data used in this study cannot be shared due to confidentiality and usage restrictions.

Conflicts of Interest

Authors María Crespo, Adrián Chamorro, Miguel Ángel Azanza and Ana González were employed by the company GMV.

Abbreviations

The following abbreviations are used in this manuscript:
AGC: Automatic Gain Control
CN/0: Carrier to Noise Ratio
CW: Continuous Wave
IMU: Inertial Measurement Unit
GNSS: Global Navigation Satellite System
PPP: Precise Point Positioning
RTK: Real-Time Kinematic
SNR: Signal to Noise Ratio

References

  1. Radoš, K.; Brkić, M.; Begušić, D. Recent Advances on Jamming and Spoofing Detection in GNSS. Sensors 2024, 24, 4210.
  2. Yang, B.; Tian, M.; Ji, Y.; Cheng, J.; Xie, Z.; Shao, S. Research on GNSS Spoofing Mitigation Technology Based on Spoofing Correlation Peak Cancellation. IEEE Commun. Lett. 2022, 26, 3024–3028.
  3. Turner, M.; Wimbush, S.; Enneking, C.; Konovaltsev, A. Spoofing Detection by Distortion of the Correlation Function. In Proceedings of the 2020 IEEE/ION Position, Location and Navigation Symposium (PLANS), Portland, OR, USA, 20–23 April 2020.
  4. Jafarnia-Jahromi, A.; Broumandan, A.; Nielsen, J.; Lachapelle, G. GPS vulnerability to spoofing threats and a review of antispoofing techniques. Int. J. Navig. Observ. 2012, 2012, 127072.
  5. Truong, V.; Vervisch-Picois, A.; Rubio Hernan, J.; Samama, N. Characterization of the Ability of Low-Cost GNSS Receiver to Detect Spoofing Using Clock Bias. Sensors 2023, 23, 2735.
  6. Yang, Q.; Chen, Y. A GPS Spoofing Detection Method Based on Compressed Sensing. In Proceedings of the 2022 IEEE International Conference on Signal Processing, Communications and Computing (ICSPCC), Xi’an, China, 25–27 October 2022.
  7. Hájek, P. Metamathematics of Fuzzy Logic; Springer Science & Business Media: Berlin/Heidelberg, Germany, 1998.
  8. Takagi, T.; Sugeno, M. Fuzzy identification of systems and its applications to modeling and control. IEEE Trans. Syst. Man Cybern. 1985, SMC-15, 116–132.
  9. Mamdani, E.H. Application of fuzzy algorithms for control of simple dynamic plant. Proc. Inst. Electr. Eng. 1974, 121, 1585–1588.
  10. GSharp®. Available online: https://www.gmv.com/en/products/space/gmv-gsharp (accessed on 16 September 2024).
  11. Jammertest Webpage. Available online: https://jammertest.no/ (accessed on 21 October 2024).
Figure 1. Proposed trapezoidal fuzzy set.
Figure 2. Proposed fuzzy set.
Figure 3. Jamming detection level for the test case.
Figure 4. Spoofing detection level for the test case.
Table 1. Summary of the main metrics used for the detection monitors.

| Monitored Data | Metrics | Attack Detection |
|---|---|---|
| AGC | Value and sudden jumps | Jamming and spoofing |
| CW suppression level | Value and sudden jumps | Jamming and spoofing |
| CN/0 | Value and sudden jumps | Jamming and spoofing |
| Raw GNSS measurements | Noise, ramps, sudden jumps, and consistency between measurements | Jamming and spoofing |
| PPP-estimated parameters | Evolution consistency vs. integrated sensors data | Spoofing |
| Raw navigation data | Consistency against authenticated PPP corrections | Spoofing |

Table 2. Spikes used for the defuzzification of the subsystems.

| Set | Spike for Jamming | Spike for Spoofing |
|---|---|---|
| NOMINAL | 0% | 0% |
| OFF-NOMINAL | 25% | 12.5% |
| ANOMALY | 50% | 25% |

Table 3. Summary of the false alarms for the jamming and spoofing detection algorithms.

| Frequency Band | Total Sampled Data | False Alarms with Potential Detection (Anomaly [40%, 60%]): Jamming | False Alarms with Potential Detection (Anomaly [40%, 60%]): Spoofing | False Alarms with Detection (Anomaly > 60%): Jamming | False Alarms with Detection (Anomaly > 60%): Spoofing |
|---|---|---|---|---|---|
| L1 | 24 h | ~1 min | ~15 min | <3 min | <3 min |
| E1 | 24 h | ~4 min | ~17 min | <3 min | <1 min |
| B1I | 24 h | ~1 min | ~15 min | <3 min | <1 min |
| L5 | 24 h | ~132 min | ~26 min | <3 min | <1 min |
| E5a | 24 h | ~51 min | ~26 min | <3 min | <1 min |
| B2Ap | 24 h | ~282 min | ~26 min | <3 min | <1 min |