I

INTRODUCTION

An In-Line Anti-Spoong Device for Legacy Civil GPS Receivers

Brent M. Ledvina1 , William J. Bencze, Bryan Galusha, and Isaac Miller, Coherent Navigation, Inc. BIOGRAPHIES Brent M. Ledvina is the Director of New Business and Technology at Coherent Navigation, Inc. He also holds an adjunct faculty position at Virginia Tech in the Bradley Department of Electrical and Computer Engineering. He received a B.S. in Electrical and Computer Engineering from the University of Wisconsin at Madison in 1999 and a Ph.D. in Electrical and Computer Engineering from Cornell University in 2003. His research interests are in the areas of ionospheric physics, space weather, estimation and ltering, software-dened radios, and GNSS security. William J. Bencze is the COO of Coherent Navigation, Inc. He received both a B.S. and Ph.D. in Electrical Engineering from Stanford University. His research interests include satellite navigation, inertial instrumentation, spaceight hardware, precision analog electronics, digital signal processing, estimation and automatic control systems. Bryan Galusha is a Senior Development Engineer at Coherent Navigation, Inc. He received his Masters in Electrical and Computer Engineering from Cornell University in 2004, and B.S. in Electrical and Computer Engineering from Cornell University in 2003. His research interests are in military GPS, location-based user interfaces, and model-based design. Isaac Miller is a Senior Research and Development Engineer at Coherent Navigation, Inc. He received his Ph.D. in Mechanical Engineering from Cornell University in 2009. He received his M.S. in Mechanical Engineering from Cornell University in 2006 and his B.S. in Mechanical Engineering from Caltech in 2003. Isaacs research interests include robotic perception and planning in the context of Bayesian estimation and probabilistic representation, sensor fusion and Bayesian estimation, attitude and position estimation, real-time algorithmic implementation for robotic eld deployment, controls, and dynamic model1 Adjunct Professor in the Bradley Department of Electrical and Computer Engineering at Virginia Tech e-mail: ledvina@coherentnavigation.com Prepared: 8 Feb. 2010 Presented: Institute of Navigation ITM, 26 Jan. 2010, San Deigo, CA

ing and simulation. Isaacs past work includes design and implementation of localization and perception algorithms for Cornell Universitys 2007 DARPA Urban Challenge robot and 2005 DARPA Grand Challenge robot. ABSTRACT An in-line anti-spoong device, which provides spoong protection to legacy civil GPS receivers, has been developed. The device is an in-line RF device that connects between a GPS antenna and a legacy civil GPS receiver, thereby providing spoong protection without requiring software or hardware upgrades to the legacy receiver. Additionally, this paper investigates how GPS signal quality monitoring and receiver-autonomous integrity monitoring (RAIM) can be applied to GPS spoong detection and mitigation. I. INTRODUCTION The U.S. Department of Transportation assessed the vulnerability of the U.S. transportation infrastructure to GPS disruption in 2001. Their report, denoted here as simply the Volpe Report [1], concluded that the reliance on GPS within civil infrastructure is a security vulnerability. Individuals, groups, or nations interested in causing harm to the U.S. can target GPS, thereby disrupting or disabling swaths of civil infrastructure including cellular communication systems and automated teller machines (ATMs). In particular, they spelled out concern over civil GPS spoofing, an insidious form of intentional interference whereby a spoofer transmits counterfeit GPS signals to an unsuspecting receiver. Spoong is more malignant than jamming, because current civil receivers trust all GPS signals to be true, and therefore cannot warn the user, much less take evasive action, when confronted with counterfeit signals. In 2009, a second report on U.S. critical civil infrastructure reliant on GPS and the vulnerabilities of such infrastructure to GPS interference, was issued by the U.S. Naval Warfare Center [2]. This report elevated concern about the threat of GPS spoong to critical civil infrastructure. Research into GPS spoong has been conducted and reported in the open literature during the past decade. The Volpe Report [1] cites an internal MITRE Corporation

II memorandum [3] which details six techniques to counteract spoong:

SPOOFING THREAT ASSESSMENT

1. Amplitude discrimination 2. Time-of-arrival discrimination 3. Consistency of navigation inertial measurement unit (IMU) cross-check 4. Polarization discrimination 5. Angle-of-arrival discrimination 6. Cryptographic authentication Techniques 1 and 2 could be implemented in software within a GPS receiver, although they are most effective against simplistic spoofers. Techniques 35 provide considerable spoong protection, but they require additional hardware beyond a stand-alone GPS receiver. Ref. [4] details testing and evaluation of technique 5. Technique 6 provides the most protection, but requires modications to civil GPS receivers and either modications to the GPS signal structure [5], delivery of encrypted W bits from a trusted source [6], or cross-correlation with encrypted navigation signals [7]. Ref. [8] took a closer look at these techniques and pointed out that techniques 13 can be defeated with the spoofer they developed. Additionally, Ref. [8] described two additional spoong defenses, which are revisited in Section IV. The goals of this present work are threefold. The rst goal is to describe the in-line anti-spoong device, which is designed to protect legacy civil GPS receivers against spoofing without requiring the software or hardware upgrades to the legacy receivers. This device is addresses the fact that for certain applications, it is more cost-effective, logistically easier, or more convenient to add an in-line RF device between a GPS antenna and a legacy receiver than it is to upgrade or replace the legacy receiver. The second goal is to investigate the ner timing and amplitude characteristics of spoong attacks. The third goal is to provide an initial assessment of the applicability of GPS integrity monitoring to spoong detection and mitigation. The two candidate integrity monitoring techniques are signal quality monitoring and receiver-autonomous integrity monitoring (RAIM). The remainder of this paper is organized in the following way. Section II provides background on the spoong threat based on spoong hardware implementations. Section III describes the in-line anti-spoong device. Section IV details the data bit latency defense, the vestigial signal 2

defense, and a new technique for spoong detection based on signal quality monitoring . Section V discusses the use of receiver autonomous integrity monitoring (RAIM) for spoong mitigation, and Section VI gives concluding remarks. II. SPOOFING THREAT ASSESSMENT Spoong threats can be classied into three main groups: simplistic spoofers, intermediate spoofers, and sophisticated spoofers. The rst group encompasses a spoofer that can generate GPS signals, but does not attempt to make them consistent with the current broadcast GPS signals. The second group synchronizes its counterfeit GPS signals with the current broadcast GPS signals, such that the counterfeit signals can more-easily masquerade as authentic signals. The third group synchronizes not only its signals with the current broadcast signals, but also with the counterfeit GPS signals of other nearby spoofers. A. Simplistic Attack via GPS Signal Generator Ref. [8] outlined the spoong threat imposed by a GPS signal simulator. A recapitulation is provided here, and, in addition, an extension to this mode of attack is considered. A commercial GPS signal simulator provides the means to spoof a civil GPS receiver. One simply attaches a power amplier and a GPS antenna to the signal simulator and radiates the RF signal toward a target receiver. A successful experiment using this type of attack is described in Ref. [9]. The ease of mounting such an attack is offset by three factors. The rst factor is cost: the price of a modern GPS simulator is roughly USD $100,000 and up. Playback RF signal generators, such as the National Instruments RF Record and Playback System [http://sine.ni.com/nips/cds/ view/p/lang/en/nid/206806] could also be used, but, again they tend to be expensive. The second factor is these systems are somewhat large and cumbersome, weighing up to tens of kilograms and packaged in relatively large enclosures. In addition, they typically require a separate personal computer to operate. The third factor is that these devices can be difcult to procure if a potential buyer raises the suspicion of the vendor [personal communication, Spirent Federal, 2010]. An extension to the traditional GPS signal simulator or RF playback system is a signal generator that transmits many more GPS signals than a GPS receiver is expecting to see. A typical GPS receiver is designed to track 1224 GPS signals. It may also contain an acquisition engine that is capable of independently acquiring a signal and then handing off the task of tracking to one of the

II

SPOOFING THREAT ASSESSMENT

type of attack attractive to those whom wish to cause mischief or harm. B. Intermediate Spoong Attacks via Portable ReceiverSpoofer The type of spoofer described in Ref. [8] is more sophisticated and more sinister than the simplistic spoofer. This spoofer contains a GPS receiver providing it knowledge of GPS time and position along with satellite-specic information such as the navigation data bits, carrier Doppler shift frequencies, and signal amplitudes. This capability allows for a stingingly precise attack on a single target receiver. Knowledge of GPS time and position and the 3-D vector between the spoofers antenna and the target receivers antenna (or alternately, the position of the target receivers antenna) provides the necessary information to generate counterfeit GPS signals that are codephase-aligned with the authentic signals. Code-phase alignment requires meter-level knowledge of this vector. The receiver-spoofer simultaneously attacks each tracking channel of the target GPS receiver by rst performing code-phase alignment and then signal lift-off. Lift-off occurs when the counterfeit signal is signicantly larger in amplitude than the authentic one. Lift-off is successful when the target receivers DLL (or equivalent codetracking loop) is commandeered by the counterfeit signal. The receiver-spoofer is signicantly harder to defend against than the simplistic spoofer. This is primarily due to its surreptitious attack capabilities. Agile control over signal amplitude, GPS timing, navigation data bits, and code-phase alignment makes attacks by the receiverspoofer difcult to the detect. In addition, the electromagnetic radiation emitted from the spoofers antenna can be targeted in a narrow beam, further complicating detection. The primary difculties in carrying out a such a spoong attack are: 1) determining the (time-varying) 3-D vector to the target receivers antenna, 2) calibrating the incident signal power at the target receivers antenna precisely, as it is a function of the distance between the spoofer and target receivers antennas, and the antenna gain patterns of both systems, and 3) minimizing the effect of selfspoong which happens when the spoofers output RF signals are unintentionally acquired and tracked by the spoofer. One strong spoong defense against the receiver-spoofer is the angle-of-arrival defense mentioned in the Volpe Report, patented by Honeywell [US #5,557,284], described in a MITRE Corporation memorandum [3], and empirically investigated in Ref. [4]. The angle-of-arrival defense 3

Fig. 1. Photograph of the Spirent GSS8000 signal simulator.

Capability, flexibility & fidelity in GNSS simulation

GSS8000 Series GNSS Constellation Simulator

tracking channels. The presence of 100s of counterfeit GPS signals may confuse the receivers acquisition and handoff-to-track logic or may deny the receiver navigation entirely. Thus, this mode of attack can be described as one that generates navigation confusion or denial of navigation, depending on how the receiver deals with the multiplicity of signals. The impact of the presence of 100s of counterfeit GPS signals is likely to be receiver dependent, as it depends on the logic implemented in a particular receiver. GPS signal simulators are decreasing in cost and becoming more available. An example GPS signal simulator is the Spirent Federal GSS8000 GPS Signal Simulator [http://www.spirentfederal.com/GPS/Products/GSS 8000/Overview/] shown in Figure 1. This simulator is capable of generating 8 channels of GPS L1 C/A- and P-code signals simultaneously and costs around USD $100,000. A decade ago, this device cost upwards of USD $150,000. Additionally, several academic research groups around the world are working on software-dened radios implemented as GNSS signal simulators. These groups publish their results in academic papers and some even post source code for software-dened simulators on the internet. Over time, the cost of simulators with the GSS8000s capabilities will decrease, and the availability of open-source software-dened GPS signal simulators will increase. Contrary to the claimed low likelihood of attacks that use simplistic spoofers [8], the ease of mounting such an attack, the abundance of information on GPS hardware and software signal simulators, along with the potential for navigation confusion or denial of navigation make this

III

IN-LINE ANTI-SPOOFING DEVICE ARCHITECTURE

is based on the fact that the carrier-phase difference at two closely-spaced antennas is a function of the receivers position, its attitude, the antenna baseline, and the satellites position. The measured phase difference of each received signal can be cross-checked with the calculated phase difference, assuming these quantities are known or estimated. A single receiver-spoofer with a single transmit antenna generates a measured phase difference at the target receiver that is the same for each satellite signal and is constant over time, assuming the spoofer-receiver and target receiver are stationary relative to one another. Thus, the receiver-spoofer attack is easily detected by the angle-of-arrival defense. A GPS time and frequency reference receiver (e.g., Hewlett-Packard Z3801A) that incorporates a highquality crystal oscillator or an atomic clock is difcult to attack, because it contains control logic that monitors GPS time rate of change and the oscillators known noise characteristics (position could, of course, be spoofed independently of time). Additionally, a receiver with a coupled inertial measurement unit (IMU) provides protection by effectively cross-checking the receivers velocity estimates with the IMUs accelerator measurements. This cross-checking can naturally be implemented with a Bayesian estimator such as a Kalman lter. In either of these situations, a receiver-spoofer has to extend the time in which the spoong attack occurs to stay within the noise characteristics of either the oscillator or the IMU. C. Sophisticated Spoong Attacks via Coordinated Phase-Locked Portable Receiver-Spoofers Multiple coordinated phase-locked portable receiverspoofers are by far the most sophisticated spoong devices [8]. These coordinated spoofers, with sub-cm-level 3-D position information of their antennas phase-centers and the target antennas phase center, can readily defeat the angle-of-arrival defense by relying on the constructive properties of their radio frequency signals. Furthermore, these spoofers can suppress authentic signals at the target receivers antenna. Thus, the only strong defense against this type of spoofer is a cryptographic defense. Unsurprisingly, development and elding of such a sophisticated device is challenging. This fact along with the need for sub-cm-level knowledge of the target receivers antenna location make the likelihood of coordinated attacks with such a device relatively low. D. Considering Spoong Threats Regardless of the downsides to the simplistic spoong attack, the accessibility of commercially-available systems 4

capable of such an attack and the ease of carrying out an attack suggest this mode cannot be ignored. To this end, this paper provides an investigation into spoong defenses and countermeasures that can provide the most protection against a simplistic attack. It is important to understand relatively simple, low-cost spoong defenses and their effectiveness at detecting and mitigating a simplistic spoong attack. Once well-understood, their applicability to more sophisticated attacks can be investigated. III. IN-LINE ANTI-SPOOFING DEVICE ARCHITECTURE This in-line anti-spoong device is a device that takes as input GPS and other RF signals and outputs a set of GPS signals that are spoong-free to a protected receiver. This device addresses the fact that for certain applications, it is more cost-effective, logistically easier, or more convenient to add an in-line RF device between a GPS antenna and a legacy receiver than it is to upgrade or replace the legacy receiver. The in-line anti-spoong device that has been developed is an extension of the spoofer described in Ref. [8]. The receiver-spoofer, implemented as a software-dened radio, has been recommissioned to perform protective spoong by generating spoong-free GPS RF signals to a protected GPS receiver. The only signicant modication to the receiver-spoofer has been the integration of anti-spoong software. Figure 2 shows a top-level block diagram of the in-line anti-spoong device. The remainder of this section describes the modules shown in this gure. A. Multi-System Receiver Module The envisioned multi-system receiver module in Figure 2 would implement multi-system signal processing that allows the in-line anti-spoong device to acquire and track all available position- and time-bearing RF signals. The rationale for tracking all available signals is that it provides additional protection against spoong of a single constellation, e.g. GPS, or a subset of all GNSS signals. A secondary benet of tracking all available signals is that this increases the requirements of the spoofer. For the spoofer to be effective, it would have to spoof all of these signals, dramatically increasing its cost and complexity. Ideally, the multi-system receiver would be connected to an RF front end bank that can down-convert and digitize signals from GPS, Galileo, GLONASS, Beidou/Compass, SBAS (e.g., WAAS), Loran, eLoran, Iridium, digital TV, cellular (mobile) basestations, Wi-Fi and Wi-Max basestations, NIST timing signals (WWV, WWVH, WWVB),

III

IN-LINE ANTI-SPOOFING DEVICE ARCHITECTURE

GPS GLONASS Galileo

Digital Signal Processor

MultiSystem Receiver Module

...
GPS, LORAN, Iridium, GLONASS, Galileo, Compass, HDTV, cell signals, etc.

RF Front-End Bank

AntiSpoofing Module

Nav. & Timing Fusion Module

PhaseCoherent Synthesized GNSS RF Signals Signal Simulator

Protected GPS Receiver

Direct external PVT sources (e.g., INS, keyboard, time source)

Fig. 2. Block diagram of the in-line anti-spoong device.

etc. The output digital signals from the RF front end bank are fed into the multi-signal receiver module that performs signal acquisition, tracking, and data bit decoding for each and every signal that is present. The current prototype in-line anti-spoong device implements a modest RF front end and software-dened receiver module. The receiver hardware of the receiverspoofer consists of a Zarlink/Plessey GP2015 RF front end capable of down-converting GPS L1 C/A code signals, a CPLD for signal multiplexing (not shown), and a Texas Instruments TMS320C6455 DSP. The receiver software that runs on the DSP performs FFT-based acquisition, code and carrier tracking, data decoding, and computation of the navigation solution. The software is similar to that described in Ref. [8]. B. Anti-Spoong Module The anti-spoong module is shown as being contained within the multi-system receiver module in Figure 2. The anti-spoong module continuously analyzes the input IF data stream to detect spoong signatures. The antispoong module employs statistical hypothesis testing for determining when to trigger an indicator that signals the presence of spoong. Statistical hypothesis testing indicates the presence of spoong with a pre-dened probability of false alarm. To determine whether any particular GNSS signal is being spoofed, the hypothesis test takes into account the carrier-to-noise ratio (C/N0 ) time history for all GNSS signals being considered for the presence of spoong. In addition to C/N0 , the anti-spoong module employs one or more of the following techniques to detect the presence of spoong:

phase of the measured GNSS navigation data bit sequence. For example, the data bit latency defense 2. Detection of the presence of multiple sustained correlation peaks for a particular GNSS signal. For example, the vestigial signal defense 3. Comparison with all other GNSS signals code phase, carrier phase, or carrier Doppler shift frequency, navigation data bit sequence phase, and correlation function prole observables 4. Comparison with non-GNSS navigation and timebearing signals code phase, carrier phase, or carrier Doppler shift frequency, and data bit sequence phase observables 5. Comparison with other radio frequency signals (not expressly designed for navigation or timing) time of arrival, carrier frequency and data bit sequence observables 6. Comparison with position, velocity, and acceleration observables from a local inertial measurement unit. 7. Comparison with time from a local reference clock The current prototype in-line anti-spoong device implements the data bit latency defense and comparison with the time from a local reference clock. C. Navigation and Timing Fusion Module The navigation and timing fusion module takes as input time- and position-bearing observables. This includes, but is not limited to, code phase, carrier phase, carrier Doppler shift frequency, and timing data. The input measurements are assumed to be free of spoong. The navigation and timing fusion module employs optimal estimation techniques to combine the PVT (position, velocity, and time) data from the external PVT input (e.g., an IMU) with the observables extracted from the signals to produce a robust PVT solution that serves as an input to the phase-coherent GNSS signal simulator. 5

1. Detection of the occurrence of sudden shifts in the

IV

SPOOFING DETECTION

The current prototype in-line anti-spoong device implements a navigation and timing fusion module that only works with GPS L1 C/A code signals. D. Phase-Coherent Signal Simulator The phase-coherent GNSS signal simulator is a GNSS signal generator whose digital signal processing component can be implemented along with the multi-system receiver module and the navigation and timing fusion module on a single digital signal processing platform. The simulator generates multiple GNSS signals whose implied navigation and timing solution is consistent with a commanded position, velocity, and time and, furthermore, the synthesized RF signals are carrier-phase-coherent with the authentic broadcast signals. The current prototype in-line anti-spoong device implements a code-phase-coherent GPS signal simulator for the GPS L1 C/A code signals. This simulator is the exact same software module as the spoofer module described in Ref. [8]. For brevity, it is not described in detail here. The salient difference between the phase-coherent GPS signal simulator and the spoofer module in Ref. [8] is the intention; the phase-coherent GPS signal simulator generates GPS signals to protect a receiver, whereas the spoofer module generates GPS signals to attack a receiver. In a simplied version of the phase-coherent signal simulator, it is possible to eliminate the input of the observables from the multi-system receiver module and solely rely on the PVT solution output by the navigation and timing fusion module. This simplied signal simulator still provides full spoong protection to the protected receiver, but does not output GNSS signals that are carrier-phasecoherent with the authentic broadcast signals. IV. SPOOFING DETECTION Spoong detection is the act of detecting one or more spoong signals by a GPS receiver. The act of detection requires a decision to be made to determine if a signal is counterfeit or not. One possible implementation of the decision making process is the use of statistical hypothesis testing, such as Neymen-Pearson statistical hypothesis testing. Spoong detection involves only the decision and reporting process of the presence of a spoong signal; it does not entail the removal of the spoong signal or the mitigation of its effect on the receiver. The Volpe Report [1] described the past research into spoong detection defenses. The defenses listed in Section I are these detection techniques. Note that the spoof6

ing literature tends to use defenses and countermeasures somewhat interchangeably. In this paper defenses are techniques that can be used for detection, whereas countermeasures, dened as an action or device designed to negate or offset another in Merriam-Websters dictionary, are techniques that can be used for mitigation. The following sub-sections describe additional spoong detection techniques, two of which were rst detailed in Ref. [8], and investigates them in greater detail. A. Data Bit Latency Defense The data bit latency defense is based on the difculty a spoofer has in re-transmitting the GPS data bits in real time. This defense was rst described in Ref. [8]. The defense in Ref. [8] has been implemented in the receivers phase-locked-loop (PLL) as a check to see if all the 1-ms accumulations within the 20-ms navigation data bit interval have the same phase. An alternate method to implement the data bit latency defense is described in Section IV-C. B. Vestigial Signal Defense Recall that the intermediate spoofer is capable of codephase aligning counterfeit signals with authentic signals. After code-phase alignment and an increase in the counterfeit signals power, lift-off occurs. The vestigial signal defense is based on the fact that at least one counterfeit and one authentic signal with the same PRN are present during or after lift-off. This defense was rst described in Ref. [8] and is elaborated here. The vestigial signal defense is based on the assumption that the spoofer does not have the ability to suppress the authentic signal. Suppression of the authentic signal by 10 dB requires carrierphase alignment of a spoofers output signal to within 1/20th of a cycle of the authentic signal. Alignment to this precision requires sub-cm-level knowledge of the 3-D vector between the phase center of the spoofers antenna and the phase center of the target receivers antenna. This is challenging, except for the case where the spoofers antenna is next to the receivers antenna. The perfect suppressing signal is identical to the authentic signal in amplitude, PRN code, code phase, carrier Doppler shift frequency, navigation data bit values, and spectrum, but has a carrier-phase difference of 180 . This requirement of carrier-phase alignment with a difference of 180 is relaxed and its effect is illustrated in Figure 3. Figure 3 shows the signal power decrease of the authentic signal as a function of alignment of the suppressing signal and the authentic signal. This gure shows that greater than 10 dB of suppression occurs when the carrier-phase

IV

SPOOFING DETECTION

Signal Power Decrease of Authentic Signal 0

Power Decrease (dB)

10

20

30

shift frequency space and 10 chips in code phase space 3. Perform weak-signal acquisition within the search space. For signals detected above the acquisition threshold, go to Step 4, otherwise go to Step 1 4. Track the acquired signals. For signals that can be successfully tracked for a threshold amount of time (e.g., 100s of milliseconds), raise the ag that a vestigial signal is present, and go to Step 5, otherwise go to Step 1 5. Decode the navigation data bits. Decoded data bits can be used in other defenses, such as the data bit latency defense

40

50 0

10 20 30 40 50 Carrier Phase Alignment (degrees)

60

Fig. 3. Power decrease of the authentic signal based on suppression by a spoong signal of equal amplitude as a function of phase alignment.

If the detection algorithm reaches Step 4 and raises the ag that a vestigial signal is present, the vestigial signal defense has been successful. Determination if the vestigial signal is authentic or counterfeit, however, is dependent on a separate algorithm. One such algorithm, based on an extension to receiver-autonomous integrity monitoring (RAIM), is described in Section V.

alignment of these two signals is less than or equal to 18 . Barring a suppression-capable spoofer, at least one vestigial signal will be present. A vestigial signal will be present before a successful lift-off, if the spoofers signal amplitude is large enough, and after lift-off has occurred. This assumes, in the latter case, that the spoofer does not employ jamming to hide the authentic signal. Ref. [8] describes a method to detect the vestigial signal that requires digital removal of signal being tracked by the receivers DLL. This is only required in the case where the vestigial signal is more than 23.9 dB (for GPS C/A code signals) below the current tracking signal [10]. This is because the side-lobes of the 1023-chip PRN codes are -23.9 relative to the nominal peak. To reliably determine the presence of a vestigial signal, one has to dene the search space about the current tracking signal, attempt to acquire signals in the search space preferably using weak-signal acquisition techniques, e.g. Ref. [11], track the signals using standard techniques, e.g. those described in Ref. [12], and decode the navigation data bits. The following ve-step approach is recommended for application of the vestigial signal defense: C. Signal Quality Monitorring Signal quality monitoring is the implementation of algorithms within GPS receivers to monitor the quality of the broadcast GPS signals [1315]. The reliance on GPS for positioning and navigation in safety-of-life scenarios, such as civil aviation, dictates the need for monitoring the quality of the GPS signals. The GPS satellites contain analog and digital components that can experience equipment failures. These failures can lead to degraded or incorrect broadcast GPS signals, which, in turn, can lead to receiver navigation solution errors. Signal quality monitoring has been developed to detect the occurrence of degraded or incorrect broadcast GPS signals, and to report this information to users in a timely fashion. This detection and reporting procedure provides additional integrity to the GPS user. The primary operational systems in the U.S. that require this integrity information are the wide-area augmentation system (WAAS) and local-area augmentation system (LAAS). These systems require additional integrity beyond the intrinsic integrity in the GPS system, because they are used for civil and commercial aviation where strict and quantiable requirements on positioning and navigation are required. In essence, GPS signal quality monitoring and spoong detection have similar goals. In both cases, atypical signal characteristics need to be identied and reported to the user. Thus, this section investigates the application of signal quality monitoring to spoong detection. 7

1. Remove the current tracking signal from a buffered IF data stream if one wants to detect a vestigial signal more than 23.9 dB below the current tracking signal 2. Allocate a search space in carrier Doppler shift frequency and code phase around the current tracking signal. A reasonable search space is 1000 Hz in carrier Doppler

IV

SPOOFING DETECTION

C.1 Detection Test Discriminators One part of signal quality monitoring is the implementation of signal monitoring algorithms in reference station receivers to look for asymmetries in the correlation peaks. These algorithms take, as input, measurements of the broadcast GPS signals, perform signal analysis on these measurements, and then decide if each test passes or fails. This decision process is commonly implemented as one or more statistical hypothesis tests. For example, the Neyman-Pearson criterion can be used to decide if a particular signal quality test passes of fails. Two common signal quality monitoring detection tests are the delta test and the ratio test. These are investigated here, because of their theoretical and practical simplicity. For the interested reader, an abundance of information on signal quality monitoring and its subtleties can be found in Ref. [14] and references cited therein. Ref. [14] discusses, among other aspects, the natural asymmetries in the pre-correlation ltered correlation peak, detection test thresholds, and the effects of multipath and thermal noise on the correlation peaks. The delta test (-test) is a signal quality monitoring detection test that is designed to identify asymmetric correlation peaks [14]. The discriminator for the test is: m = Iearly,m Ilate,m 2Iprompt (1)

Code-Phase-Aligned and Growing In Amplitude Authentic Signal

Counterfeit Signal
Fig. 5. Illustration showing code-phase-aligned counterfeit signal growing in amplitude.

where phase-locked carrier tracking is also assumed here. The nominal value for this discriminator is 1. Multi-correlator receivers generate m pairs of discriminators per channel. When correctly normalized to take into account the effects of multipath and thermal noise, these sets of discriminator values comprise two test statistics, one for the delta test and one for the ratio test [14]. D. Two Cases of Counterfeit and Authentic Signal Interaction An intermediate spoofer implemented as a receiverspoofer is capable of code-phase alignment of its counterfeit signals with the authentic ones. The interaction of an authentic and a counterfeit signal during the process of code-phase alignment can result in constructive or deconstructive interference based on a variety of factors. This section investigates this signal interaction. Note that the term interaction is used here in lieu of interference to distinguish the constructive and deconstructive interference of two electromagnetic waves from GPS interference sources such as jamming and spoong. The code-phase alignment can occur in two different ways. In the rst case, depicted in Figure 4, the counterfeit signal marches into code-phase alignment with the authentic signal. The amplitude of the counterfeit signal is held at a constant value above the authentic signal during the period of interaction. In the second case, illustrated in Figure 5, the counterfeit signal is pre-aligned with the authentic signal and grows in amplitude to a value larger than the authentic signals amplitude. E. Simulation of Signal Interaction

where Iearly,m , Iprompt , and Ilate,m are the respective in-phase early, prompt, and late accumulations, m is the early-late correlator pair number, and the tilde indicates a ltered measurement. The division by 2Iprompt normalizes the ideal correlator peak to a maximum value of 1. The factor of 2 is the slope of the discriminator function for the ideal correlation function with a correlator spacing of d = Tc , where Tc is the chip duration in seconds. This discriminator assumes that a carrier PLL is tracking the signal and thereby minimizing the power in the quadrature arm, i.e. Qearly,m 0, Qprompt 0, and Qlate,m 0. The nominal value of this discriminator is 0. The ratio test is a signal quality monitoring detection test that is designed to identify at correlation peaks or abnormally sharp or elevated correlation peaks [14]. The discriminator for the detection test is: Rm Iearly,m + Ilate,m = 2Iprompt (2)

The introduction on the delta and ratio tests along with the two cases of signal interaction provides the necessary 8

IV
Marching Into Code-Phase Alignment

SPOOFING DETECTION

Counterfeit Signal

Authentic Signal

Fig. 4. Illustration showing counterfeit signal marching into code-phase alignment.

means to investigate spoongs effects during signal interaction. The two cases of signal interaction have been tested in off-line simulations. The simulations include a software-dened GPS signal generator capable of generating spoong scenarios and a software-dened GPS receiver that implements standard acquisition and tracking algorithms [12]. The GPS signal generator produces the IF data stream that contains the two signals interacting. The signal generator produces authentic and counterfeit signals with the parameters given in Table I. Two sub-cases for each case of signal interaction have been investigated. The GPS receiver acquires the authentic signal via an FFT-based acquisition algorithm and passes the results of acquisition to code and carrier tracking loops. The code tracking loop is a DLL with a 1-Hz bandwidth that uses the dot-product discriminator and the carrier tracking loop is a 2nd -order Costas PLL with a 10-Hz bandwidth that uses the arctangent discriminator. The correlator earlylate spacing is set to d = Tc seconds (1 chip). E.1 Marching Into Code-Phase Alignment Two sub-cases (Cases 1A and 1B in Table I) of the marching-into-code-phase-alignment case are investigated. The rst sub-case simulates the authentic and counterfeit signals in ideal carrier-phase alignment at the moment of code-phase alignment. The initial code phase of the counterfeit signal is offset 2 C/A-code chips from the authentic signal. At a rate of 0.133 chips/sec, the two signals begin to overlap at t = 0 seconds, but the d = 1 chip correlator spacing means the early correlator for the authentic signal until t = 11.25 seconds. Figure 6 shows the results of this simulation. The top panel shows the C/N0 estimated by the receiver, the 9
Fig. 6. Case 1A: Marching into code-phase alignment for for two signals 0 out of phase.

second-from-top panel shows the term atan(QP /IP ), which is a common carrier phase angle discriminator for the Costas PLL, the second-from-bottom panel shows the discriminator used in the delta test, Eq. 1, and the bottom panel shows the discriminator used in the ratio test, Eq. 2. The vertical dashed red line indicates the time in which the counterfeit and authentic signals are codephase aligned.

IV
TABLE I S IGNAL PARAMETERS USED IN INTERACTION SIMULATIONS .

SPOOFING DETECTION

Case 1A Authentic Signal Amplitude Code phase rate (chips/sec) Carrier Doppler shift frequency Carrier phase Counterfeit Signal Amplitude Code phase rate (chips/sec) Carrier Doppler shift frequency Carrier phase 1.0 0 1000 Hz 0 1.414 0.133 1000 Hz 0

Case 1B 1.0 0 1000 Hz 0 1.414 0.133 1000 Hz 180

Case 2A 1.0 0 1000 Hz 0 0.0011.414 0 1000 Hz 0

Case 2B 1.0 0 1000 Hz 0 0.0011.414 0 1000 Hz 180

Starting with the C/N0 estimate, it is clear that the receiver is tracking the counterfeit signal at the end of the attack. This is because the estimated C/N0 at the end of the attack (t = 30 seconds) is 3 dB higher than at the beginning of the attack (t = 5 seconds). The rise in C/N0 during t = 722 seconds is due to the constructive interference of the counterfeit and authentic signals. This produces a maximum value in the C/N0 estimate at t = 15 seconds equal to 6 dB higher than the authentic signals estimate. The second-from-top panel shows a nominally small value for the atan(QP /IP ) time history, which suggests the PLL transitioned from the authentic to counterfeit signal seamlessly. The second-from-bottom panel shows the delta-test discriminator near its nominal value of 0. This illustrates that the interaction of the two signals is undetectable via the delta test. Note that this also indicates that a DLL, with its early-late discriminator, would seamlessly transition from tracking the authentic signal to the counterfeit signal. The bottom panel shows the ratiotest discriminator near its nominal value of 1. This also illustrates that the interaction of the two signals is undetectable by the ratio test. The second sub-case (Case 1B) simulates the interaction of authentic and counterfeit signals with their carriers 180 out of phase. Figure 7 shows the results of this simulation, which are starkly different than those shown for the previous case. The C/N0 estimate shows uctuations from t = 10 15 seconds due to the deconstructive interference of the counterfeit and authentic signals. Additionally, it is clear that after the period of interaction, the receiver is tracking the counterfeit signal, because the C/N0 is 3 dB higher than at t = 0 seconds. The second-from-top panel shows uctuations in atan(QP /IP ) from 1215 sec10

Fig. 7. Case 1B: Marching into code-phase alignment for two signals 180 out of phase.

onds, which suggests the PLL is experiencing stress from the presence of the both the authentic and the counterfeit signals. The second-from-bottom panel shows the delta-test discriminator near its nominal value of 0, except from t=1214.5 seconds, in which the discriminator is much larger in an absolute sense than 0. The bottom panel shows the ratio-test discriminator near its nominal value of 1, except from t=1214.5 seconds, in which the

IV

SPOOFING DETECTION

Fig. 8. Case 2A: Code-phase-aligned and growing up in amplitude for two signals 0 out of phase.

Fig. 9. Case 2B: Code-phase-aligned and growing up in amplitude for two signals 180 out of phase.

discriminator is much larger in an absolute sense than 1. E.2 Code-Phase-Aligned and Growing in Amplitude Two sub-cases of code-phase-aligned-and-growing-inamplitude case are investigated. The rst sub-case (Case 2A) simulates the authentic and counterfeit signals in perfect carrier-phase alignment. The parameters for the authentic and counterfeit signals are given in Table I. Throughout the simulation, the counterfeit and authentic signals are code-phase aligned. At t=0, the amplitude of the counterfeit signal is 0.001 and increases linearly (power is increasing quadratically) to 1.414 at t = 30 seconds. Figure 8 shows the results of this simulation. The top panel shows C/N0 estimated by the receiver, the second-from-top panel shows the term atan(QP /IP ), the second-from-bottom panel shows the discriminator used in the delta test, Eq. 1, and the bottom panel shows the discriminator used in the ratio test, Eq. 2. Starting with the C/N0 estimate, it is unclear which signal is being tracked at the end of the attack. Because of the 11

perfect carrier-phase alignment of the signals, they add constructively to produce a composite signal. Since there is no relative motion between the authentic and counterfeit signals, the composite signal is the one being tracked. At t = 30, the estimated C/N0 is 6 dB higher than the authentic signal, which is expected for tracking the composite signal. The second-from-top panel shows a nominally small value for the atan(QP /IP ) time history. The second-from-bottom panel shows the delta-test discriminator near its nominal value of 0. This illustrates that the interaction of the two signals is undetectable by the delta test. The bottom panel shows the ratio-test discriminator near its nominal value of 1. This also illustrates that the interaction of the two signals is undetectable by the ratio test. The second sub-case (Case 2B) simulates the authentic and counterfeit signals interacting with carrier signals 180 out of phase. Figure 9 shows the results of this simulation, which, again, are starkly different than those shown for Case 2A. The C/N0 estimate shows uctuations from t = 12

IV

SPOOFING DETECTION

Authentic Signal

a c

Counterfeit Signal

I
Fig. 10. Baseband phasors representing the authentic and counterfeit signals.

This gure shows a counterfeit signal with an amplitude that is roughly 3 dB larger than the authentic signals amplitude. The gure also illustrates that the baseband phasors may rotate at different angular rates and that there is nominally a non-zero carrier phase angle error between them. Note that an intermediate-type spoofer can generate a counterfeit signal with a angular rate c that is equivalent to the authentic signals angular rate a . The degree of constructive interference in simply related to the angle between the phasors. Assuming c = a , perfect constructive interference occurs when the two phasors are aligned and perfect deconstructive interference occurs when they are 180 out of phase. Additional simulations investigating variations on the above demonstrate the following: 1) a counterfeit signal with an amplitude 1 dB stronger the authentic signal is adequate for signal lift-off, 2) the regime in which deconstructive effects are detectable by the delta and ratio tests discriminators is 30 from perfectly destructive interference for a counterfeit signal that is 3 dB stronger than the authentic signal. This observation is a function of the amplitudes of both signals and the length of coherent and non-coherent accumulations used for signal tracking, 3) for the case of carrier-phase alignment equal to 180 , the rate of attack determines the duration of the non-nominal values for the delta and ratio test discriminators. A rapid attack that exceeds both the PLL and DLL bandwidths within the target receiver is undetectable using these two tests, 4) times when entire or fractional data bits (e.g., data bit latency) are different between the authentic and counterfeit signals, produces both constructive and deconstructive interference that be detected. Figure 11 depicts the last observation, where the rst 1 ms of each 20-ms data bit takes on the value of the previous data bit. The spoong simulation performs the same marching-into-code-phase alignment as Case 1A, where the carrier phase is perfectly aligned at the moment of code-phase-alignment. The deconstructive effects are pronounced in this case, primarily due to the 1-ms accumulation time of the receiver. Signicant power loss occurs in one out of 20 accumulations for the case when the previous data bit is different that the current data bit. Thus, the probability of seeing a signicant power loss on any 1-ms accumulation is 0.025. In summary, evidence has been presented that suggests the delta and ratio tests, and, in general, GPS signal quality monitoring, can be applied to spoong detection. The overall goal would be to develop, test, and eld spoong

30 seconds due to the deconstructive interference of the counterfeit and authentic signals. At t = 30 seconds, the composite signal is 7.66 dB lower than the authentic signal. Thus, the carrier-to-noise ratio is 40.3 dB-Hz, which is near the threshold tracking performance for a PLL that uses 1-ms accumulations The second-from-top panel shows uctuations in atan(QP /IP ) during the same interval, which suggests the PLL is experiencing stress from the presence of the both the authentic and the counterfeit signals. The second-from-bottom panel shows the delta-test discriminator near its nominal value of 0, except from t = 1428 seconds, in which the discriminator is much larger in an absolute sense than 0. The bottom panel shows the ratio-test discriminator near its nominal value of 1, except from t = 1428 seconds, in which the discriminator is much larger in an absolute sense than 1 . In summary, for both Cases 1A and 2A, the perfect carrier-phase alignment of the authentic and counterfeit signal produces perfect constructive interference during signal interaction causing no discernible problems with the code and carrier tracking loops. Furthermore, the delta and ratio test discriminators maintain their nominal values during the entire duration of signal interaction. Conversely, for both Case 1B and Case 2B, when the authentic and counterfeit signals are 180 out of phase, deconstructive interference occurs, causing stress on the code and carrier tracking loops and relatively large values in the delta and ratio test discriminators. A method to visualize the degree of constructive or deconstructive interference between the authentic and counterfeit signals was rst presented in Ref. [8]. Figure 10 shows the baseband phasors in the complex plane for both an authentic signal and a counterfeit signal. 12

SPOOFING MITIGATION

signals from GLONASS or Galileo, provides the best means to protect against GPS spoong. Of course, relying on GPS-independent information for spoong mitigation presumes the independent information itself is authentic. Receiver-autonomous spoong mitigation, which does not rely on external time- and position-bearing information, is challenging. Determining if a single GPS signal is being spoofed and excluding it from the navigation solution is reasonably straightforward, as will be shown in this section. Nevertheless, reliably protecting against more than a single spoong signal is difcult. Consider the case where there are two sets of GPS signals available to a receiver; one set is authentic and the other is counterfeit. Both sets are self-consistent in that they provide valid navigation solutions. However, the counterfeit set corresponds to a position solution that is 300 m north of the authentic set. Given this case, it is impossible for a GPS receiver to autonomously assess which set is authentic without independent information. A. Receiver-Autonomous Integrity Monitoring Receiver-autonomous integrity monitoring (RAIM) is a practical implementation of a standalone GPS receiver defense against faulty pseudorange measurements [16]. It provides the means via statistical hypothesis testing to: 1) detect a single faulty pseudorange measurement and 2) exclude the faulty measurement from the navigation solution. A great degree of theoretical and empirical work has gone into the development, testing, and elding of RAIM systems. Additionally, the statistical hypothesis testing used in RAIM relies on the standard technique of setting a probability of false alarm and computing a threshold based on the probability of detection. Leveraging on the rigor underpinning RAIM and, in particular, its reliance on statistical hypothesis testing, the following extends RAIM-like algorithms to GPS spoong detection and mitigation. A.1 Extended RAIM for Spoong Detection and Mitigation An extension to standard RAIM has been developed whose goal is to detect a faulty carrier Doppler shift frequency measurement or a faulty pseudorange measurement or both. A candidate application for extended RAIM is spoong detection and mitigation where these measurements may be intentionally false or misleading. The development of the extension to RAIM assumes implementation of a weighted least-squares method and begins with the basic linearized pseudorange measurement 13

Fig. 11. Results of signal quality monitoring during spoong attack with 1 ms data bit latency.

detection algorithms based on the tenets of signal quality monitoring. Three main challenges need to be overcome. The rst is isolation of the effects of satellite equipment failures, multipath, and receiver noise from spoong attacks. The second is determining the types of spoong attacks that can be reliably detected. The third is testing with live signals under spoong conditions and statistical analyses to validate the detection tests. V. SPOOFING MITIGATION Spoong mitigation can be dened as minimization of the harm caused by a spoong signal or the severity of a spoong attack. As one might expect, spoong mitigation rst requires some form of spoong detection in order to carry out the task of mitigating the effects of the spoong signal(s) or the attack. A simple example of spoong mitigation would be the digital removal of a spoong signal from the digitized IF data stream output from an RF front end. GPS spoong mitigation performs best with a maximum amount of GPS-independent time- and position-bearing information. Independent information, such as ranging

VI

CONCLUSIONS

equation, which is assumed to be an overdetermined system of equations: y = Hx + (3)

the assumption that the elements of x and xD are uncorrelated. An appropriate detection threshold must be computed in order to implement the extended RAIM detection test. Since Eq. 8 is normalized by the measurement error covariances and its distribution is known, it is straightforward to compute a detection threshold for a chosen probability of false alarm using inverse chi-square look-up tables. For a conservative approach applying this RAIM technique to spoong detection and mitigation, detection and exclusion of a single counterfeit signal with a faulty pseudorange or carrier Doppler shift frequency is possible. It may be possible to extend this algorithm to detection and exclusion of more than one counterfeit signal, but investigation is beyond the scope of this current work. In summary, an extended version of RAIM has been developed in order to detect and exclude at least one satellite signal with a faulty carrier Doppler shift frequency measurement or pseudorange measurement. Further investigation into this form of RAIM and simulations or experimental results would be benecial. VI. CONCLUSIONS The current and growing reliance on GPS within critical civil infrastructure presents an opportunity for those whom wish to cause mischief or engage in nefarious activities to disrupt or disable this infrastructure. As has been demonstrated in Ref. [8] (and references cited therein) and described in two government reports, the threat of GPS spoong continues to gain momentum. To help counteract this threat, an in-line anti-spoong device has been developed and described in this paper. This device provides the ability to protect legacy GPS receivers against spoong without requiring hardware or software upgrades. Spoong detection algorithms have also been investigated in this paper. Both the data bit latency defense and the vestigial signal defense, which originally were presented in Ref. [8], have been further investigated. In particular, the use of the vestigial signal defense in conjunction with extended RAIM provides spoong detection and mitigation for at least one counterfeit signal without the need for external independent information. Further investigations into the application of extended RAIM and RAIM-like algorithms to spoong detection and mitigation should be undertaken. More so, the application of GPS signal quality monitoring to spoong detection has been investigated. This tech14

where y is the N x 1 vector of pseudorange measurements, H is the N x 4 linearized measurement equation transformation matrix, and x is the unknown 4 x 1 state vector, and is the N x 1 measurement noise vector with covariance P . It is assumed that the elements of are zero-mean Gaussian and uncorrelated. The weighted least-squares estimate is:
1 x = H T P H 1 1 H T P y

(4)

For the carrier Doppler shift frequency measurements, the linearized measurement equation is also assumed to consist of an overdetermined system of equations: y D = HD x D + D (5)

where the number of elements in yD is assumed to be equal to the number of elements in y, HD is the linearized measurement equation transformation matrix for the carrier Doppler shift frequency measurement equation [10], xD = [x; y; z; cR ] is the state vector, and D is the measurement noise vector with covariance P,D . It is assumed that the elements of D are zero-mean Gaussian and uncorrelated. Additionally, it is assumed that the elements of are uncorrelated with those of D . The residual error for the pseudorange measurements is:
1 w = I H T P H 1 1 H T P y

(6)

where I is the identity matrix. The residual error for the carrier Doppler shift frequency measurements is:
T 1 wD = I HD P,D HD 1 T 1 HD P,D yD

(7)

The suggested test statistic is the normalized sum of the squared measurement residual errors for both the pseudorange and the carrier Doppler shift frequency measurements:
1 T 1 SSEP D = wT P w + wD P,D wD

(8)

where SSEP D is the sum of squared residual errors for the pseudorange and the carrier Doppler shift frequency measurements. The test statistic, SSEP D , in Eq. 8 has a normalized chisquare distribution with 2N 8 degrees of freedom where N is the number of pseudorange or carrier Doppler shift frequency measurements. This is based on Ref. [17] and

VI

CONCLUSIONS

nique also shows promise, indicating multiple algorithms exist to detect spoong signatures for all but the most sophisticated spoofers. ACKNOWLEDGEMENTS We would like to acknowledge Todd E. Humphreys for his valuable input during the preparation of this paper. REFERENCES
[1] [2] [3] [4] [5] [6] Vulnerability assessment of the transportation infrastructure relying on the Global Positioning System, John A. Volpe National Transportation Systems Center, Tech. Rep., 2001. Anonymous, Global Positioning System impact to critical civil infrastructure (GICCI), Mission Assurance Division, Naval Surface Warfare Center, Tech. Rep., 2009. E. L. Key, Techniques to counter GPS spoong, MITRE Corporation, Internal memorandum, Feb. 1995. P. Y. Montgomery, T. E. Humphreys, and B. M. Ledvina, A multiantenna defense: Receiver-autonomous GPS spoong detection, Inside GNSS, vol. 4, no. 2, pp. 4046, April 2009. L. Scott, Anti-spoong and authenticated signal architectures for civil navigation systems, in Proc. ION GPS/GNSS 2003. Portland, Oregon: Institute of Navigation, 2003, pp. 15421552. M. L. Psiaki, Spoong detection for civilian GNSS signals via aiding from encrypted signals, in Accepted as an alternate paper at ION/GNSS 2009. Savannah, GA: Institute of Navigation, Sep. 2225 2009. S. Lo, D. D. Lorenzo, P. Enge, D. Akos, and P. Bradley, Signal authentication: A secure civil GNSS for today, Inside GNSS, vol. 4, no. 5, pp. 3039, Sep./Oct. 2009.

[8]

[9] [10] [11] [12] [13] [14] [15] [16] [17]

[7]

T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. OHanlon, and P. M. Kintner, Jr., Assessing the spoong threat: development of a portable GPS civilian spoofer, in Proceedings of ION GNSS 2008. Savannah, GA: Institute of Navigation, 2008. J. S. Warner and R. G. Johnston, GPS spoong countermeasures, Dec. 2003, http://www.homelandsecurity.org/bulletin /DualBenet/warner gps spoong.html. P. Misra and P. Enge, Global Positioning System, Signals, Measurements, and Performance. Lincoln, Massachusetts: GangaJumana Press, 2006. M. L. Psiaki, Smoother-based GPS signal tracking in a software receiver, in Proceedings of ION GPS 2001. Salt Lake City, Utah: Institute of Navigation, 2001, pp. 29002913. A. J. Van Dierendonck, Global Positioning System: Theory and Applications. Washington, D.C.: American Institute of Aeronautics and Astronautics, 1996, ch. 8: GPS Receivers, pp. 329407. R. E. Phelts, D. M. Akos, and P. Enge, Robust signal quality monitoring and detection of evil waveforms, in Proceedings of ION GPS 2000. Salt Lake City, Utah: Institute of Navigation, 2000. R. E. Phelts, Multicorrelator techniques for robust mitigation of threats to GPS signal quality, Ph.D. dissertation, Standford University, Palo Alto, California, 2001. A. Mitelman, Signal quality monitoring for GPS augmentation systems, Ph.D. dissertation, Standford University, Palo Alto, California, 2004. Y. C. Lee, Two new RAIM methods based on the optimally weighted average solution (OWAS) concept, Navigation, vol. 54, no. 4, pp. 333345, Jan. 2007. B. W. Parkinson and P. Axelrad, Autonomous GPS integrity monitoring using the pseudorange residual, Navigation, vol. 35, no. 2, pp. 255274, Jan. 1988.

15