Tuning-Free, Low Memory Robust Estimator to Mitigate GPS Spoofing Attacks
Junhwan Lee, Ahmad F. Taha, Nikolaos Gatsis, and David Akopian

TL;DR
This paper introduces a tuning-free, low memory robust estimator designed to detect and mitigate GPS spoofing attacks, ensuring accurate timing for critical infrastructure without complex parameter tuning or heavy computation.
Contribution
The paper presents a novel observer-based estimator that operates without parameter tuning, suitable for real-time GPS spoofing attack mitigation using real data.
Findings
Effective in real GPS data scenarios
Maintains accurate timing under spoofing attacks
Reduces computational and tuning requirements
Abstract
The operation of critical infrastructures such as the electrical power grid, cellphone towers, and financial institutions relies on precise timing provided by stationary GPS receivers. These GPS devices are vulnerable to a type of spoofing called Time Synchronization Attack (TSA), whose objective is to maliciously alter the timing provided by the GPS receiver. The objective of this paper is to design a tuning-free, low memory robust estimator to mitigate such spoofing attacks. The contribution is that the proposed method dispenses with several limitations found in the existing state-of-the-art methods in the literature that require parameter tuning, availability of the statistical distributions of noise, real-time optimization, or heavy computations. Specifically, we (i) utilize an observer design for linear systems under unknown inputs, (ii) adjust it to include a state-correction…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Tuning-Free, Low Memory Robust Estimator
to Mitigate GPS Spoofing Attacks
Junhwan Lee, Ahmad F. Taha, Nikolaos Gatsis, and David Akopian
The authors are all with the Department of Electrical and Computer Engineering at the University of Texas, San Antonio. {junhwan.lee,ahmad.taha,nikolaos.gatsis,david.akopian}@utsa.edu. We acknowledge the financial support by the National Science Foundation under Grant ECCS-1719043, and the suggestions made by the editor and reviewers.
Abstract
The operation of critical infrastructures such as the electrical power grid, cellphone towers, and financial institutions relies on precise timing provided by stationary GPS receivers. These GPS devices are vulnerable to a type of spoofing called Time Synchronization Attack (TSA), whose objective is to maliciously alter the timing provided by the GPS receiver. The objective of this paper is to design a tuning-free, low memory robust estimator to mitigate such spoofing attacks. The contribution is that the proposed method dispenses with several limitations found in the existing state-of-the-art methods in the literature that require parameter tuning, availability of the statistical distributions of noise, real-time optimization, or heavy computations. Specifically, we (i) utilize an observer design for linear systems under unknown inputs, (ii) adjust it to include a state-correction algorithm, (iii) design a realistic experimental setup with real GPS data and sensible spoofing attacks, and (iv) showcase how the proposed tuning-free, low memory robust estimator can combat TSAs. Numerical tests with real GPS data demonstrate that accurate time can be provided to the user under various attack conditions.
Index Terms:
Robust state estimation, observer design, GPS spoofing, time synchronization attacks, low memory estimation.
I Introduction and Motivation
The Global Positioning System (GPS) is widely utilized in an abundance of applications. The study [1] in particular emphasizes how critical infrastructures such as communications, the power grid, transportation, and even financial services can be disrupted if the integrity of the GPS is compromised.
Since most systems rely on non-encrypted civilian GPS signals [2], the GPS is vulnerable to intentional attacks. There are two types of deliberate attacks on GPS: jamming and spoofing [3]. While jamming completely blocks signal reception by transmitting high power noise, spoofing changes the transmitted signal or data to deceive the GPS receiver. Various experiments have shown that different types of spoofing attacks such as data level spoofing, signal level spoofing, delaying, and record-and-reply attacks [4, 5, 6] could affect off-the-shelf GPS receivers.
A Time Synchronization Attack (TSA) is a particular class of spoofing attacks on stationary GPS receivers that provide precise timing in various applications, including phasor measurement units (PMUs), cellphone towers, and financial institutions [7, 8]. The objective of the attack is to mislead the time estimated by the receiver which, in the case of the power grid for example, can disrupt the reliable monitoring of the grid’s cyber-physical status.
Countermeasures against spoofing attacks have been proposed in [9, 10, 11] and include techniques that rely on multiple GPS receivers [12, 13] or check the magnitude of error in the GPS data [9]; see [5] for a review of anti-spoofing techniques. Another approach to mitigate and detect spoofing TSAs is through robust, dynamic state estimation routines that are designed to deal with outliers and malicious attacks.
The robust state estimation literature is indeed rich with two main classes of methods. The first class is based on robust observers and Lyapunov theory which often does not assume any statistical distribution for unknown inputs or noise [14, 15]. The second class is based on Kalman filter and its derivatives, that often assume statistical distribution of noise [16, 17, 18]. Relevant to the robust estimation problem under TSAs, a novel anti-spoofing particle filter is devised to find the receiver position even under spoofing interference [10]. In our recent work [11], we develop a real-time optimization method to detect and mitigate TSAs using weighted minimization. The aforementioned methods all require either tuning of some parameters, real-time optimization, or availability of the statistical distribution of noise.
The objective of this paper is to design a robust state estimator that combats TSAs while being endowed with the following properties: (i) It is a tuning-free method that does not require any training; (ii) it has low memory requirement in the sense no heavy computations are needed in real-time; and (iii) the designed tuning-free, low-memory robust estimator can correctly reconstruct the actual physical state of the receiver using a realistic testbed. We note here that our objective is not to develop a generalized theory for robust estimation, but rather to build on the recent theoretical advancement in this field and adapt it to the GPS spoofing problem through a realistic testbed. The robust state estimation method presented in this paper is an adaptation of the method in [19]. The motivation for using this estimator is provided in great detail in the next sections; the paper’s organization is given next.
Section II presents the dynamic modeling of bias and drift in GPS receivers and showcases how TSA attacks can be modeled and designed to mislead standard state estimators. Section III presents a robust state estimator in addition to a state correction and TSA reconstruction routine. Section IV concludes the paper with realistic numerical tests on real GPS data. For reproducibility, the data used in the numerical tests and the results are all provided through a Github link.
II Dynamic Modeling Under GPS Spoofing
The primary goal of GPS localization is to accurately estimate the position, velocity, clock bias, and clock drift of the receiver in every time step—conventionally referred to as the position, velocity, and time (PVT) solution.
The position of the GPS receiver (user) in Earth Centered Earth Fixed coordinates is denoted by . To estimate the receiver’s location and velocity, the GPS exploits the known location of satellites and the distance from each satellite to the receiver. Let denote the number of fixed satellites visible by the receiver, then for is the satellite position at the time of transmission . Also, we consider that models the arrival time of transmitted signal at the receiver. The approximate distance between each satellite and the receiver can be written as , where is the speed of light and is commonly known as the pseudorange [20]. The pseudoranges differ from the true distances because and are offset by clock biases denoted by and . This relationship is established as
[TABLE]
where defines the reception time in the absolute GPS time, while is the signal transmission time in GPS time. Then, if represents the true distance from the receiver to each satellite, it holds that using the unbiased transmission and reception times. Alternatively, can be expressed by taking the 2-norm of position difference between the satellite and the receiver, given by . The following pseudorange equation is generated by combining the previous two equations for [20]
[TABLE]
where captures atmospheric effects and receiver noise.
In addition to the pseudoranges, the GPS receiver can also measure the rate at which the pseudoranges vary over time, denoted by , and called pseudorange rate. The pseudorange rates are expressed in terms of the satellite velocities and the user (GPS receiver) velocity as
[TABLE]
where represents the GPS receiver clock drift and is the noise. In (2) and (3), the unknown PVT variables ()user position (), user velocity (), clock bias (), and clock drift ()] are usually computed using nonlinear weighted least squares.
The random walk model captures the dynamics relating variables in (2) and (3) for stationary applications [20]. The following is the stationary random walk model:
[TABLE]
where is the time index; is the time resolution; and is noise in the system. Generally, stand-alone receivers like those present in PMUs, use the Extended Kalman Filter (EKF) to estimate the PVT solution [20].
Since the receiver is stationary, the position () can be treated as known constant while the receiver velocity () is known to be zero. Thus, the only variables to be estimated are in fact the clock bias and drift, and . Based on (2), (3) and the dynamic model in (4), the fundamental plant model is constructed as follows using and :
[TABLE]
[TABLE]
where
= , =
=
and and represent process/measurement noise; vector is based on the known satellite position, velocity and clock characteristics—a time-varying, known quantity. Equations (5) and (6) can be written as
[TABLE]
The state space model (7), however, does not model potential spoofing attacks. While many different physical spoofing mechanisms are devised to deceive the victim receiver [6], time synchronization attack (TSA) is applied on the stationary GPS receiver. In practical sense, TSA alters the timestamp estimate by inserting the spoofing signal into the authentic pseudorange signals:
[TABLE]
where and denote the spoofing attacks, and and are the spoofed measurements.
Specifically, there are two different types of TSAs according to the shape of . While Type I attack injects an abrupt signal, e.g., where indicates the initial time of attack, Type II attack modifies the clock bias in gradual manner manipulated by ; see [21]. The actual effect of each type of attack on the clock state is thoroughly reviewed in [22].
As an example, in order for the spoofing signal to be considered as intentional attack on a PMU, it has to satisfy certain conditions. According to the IEEE C37.118 Standard, the attack has to result in 1% total variation error, which is equivalent to 26.65 s clock bias error, or 7989 of distance equivalent bias error in order for the attack to be considered infringing [23]. These types of spoofing attacks—regardless of their physical mechanism—impact the state dynamics as
[TABLE]
where models and lumps TSAs and any process noise. Concrete examples of TSAs are given in Section III. In our previous work [11, Section III], we show how specific forms of can mislead the receiver.
III Robust State Estimator
In this section, we present a state estimation algorithm that is endowed with the following properties: (i) It is a tuning-free method that does not require any knowledge of noise distribution, initial parameters or states, or other coefficients; (ii) it has low memory requirements in the sense no heavy computations are needed which is befitting to devices with limited computational power and limited internet connectivity; (iii) it is robust to GPS spoofing, time-synchronization attacks.
III-A GPS Clock Model and Estimator Dynamics
The plant model under the spoofing attack based on the previous can be written as
[TABLE]
where represents the state vector of clock bias and drift at time ; represents a single column vector of pseudoranges and pseudorange rates where indicates the fixed number of visible satellites at every time index; is the unknown spoofing attack applied to the bias and drift which also includes process noise; state-space matrices , , are discussed in the previous section.
Consider now a new modified state vector which represents the state vector without spoofing attack and follows the following dynamics:
[TABLE]
The left-hand side of (9) essentially represents the original state vector considering that the spoofing attack is removed. The modified state vector propagates through to . This yields:
[TABLE]
The presented state estimator in this paper is an adaptation of the observer from [19] and follows the difference equation:
[TABLE]
where is a state estimate of corrected state vector at time ; is the estimate vector of observation ; is an estimate of the spoofing attack . We note here that , and should be initialized before iteration starts at with arbitrary initial conditions. Matrices and are optimization variables where is akin, in principle, to a Luenberger gain that is designed here to ensure robustness of the state estimation to spoofing attacks.
III-B Design of Robust Gains
The design of the robust estimator gains is based on linear matrix inequalities (LMIs). Simply put, the objective of the designed observer is to guarantee asymptotically stable estimation error dynamics. That is, matrices and are designed to guarantee that under non-zero spoofing attack and bounded estimation error under spoofing attacks. The RobustEstimator variables are designed via solving this low-dimensional feasibility problem with one linear matrix inequality (LMI), given as follows:
[TABLE]
where the symbol is used to represent symmetric components in symmetric block matrices. After solving (12) for positive definite matrix variables and , and real matrix variable , the observer gains are computed as follows
[TABLE]
As mentioned earlier, the state estimator design is derived from [19]; the reader is referred to that paper for the derivation of the above LMIs. Note that no tuning is required to solve EstimatorDesign, and this LMI can be solved analytically via evaluating the Karush-Kuhn-Tucker conditions for feasibility [24]. Furthermore, any convex optimization toolbox or LMI solver can be used to solve (12). These include Matlab’s LMI solver, CVX [25], and Yalmip [26].
We note the following. First, the necessary conditions for existence of are standard. These conditions are (a) the detectability of ; (b) the classical rank matching condition stating that where is the matrix coefficient of in (8); and (c) bounded variations of the unknown spoofing signal . Second, this robust estimator not only estimates , but also the spoofing attack . This is instrumental in mitigating and correcting the attack. The next section showcases the design of the gain matrices.
III-C State Correction Algorithm under Spoofing
Upon solving the LMIs and running the RobustEstimator from any arbitrary initial conditions, the estimator is guaranteed theoretically to produce bounded estimation error , thereby estimating the then-spoofed bias and drift, and reconstructing the spoofing attack . With that in mind, this does not indicate that the bias and drift are correctly estimated seeing that spoofing attack had already changed the state through the state propagation and difference equation. To that end, this section develops a state correction algorithm to recover the authentic bias and drift values in real-time.
To that end, the dynamics (9) can be written as
[TABLE]
This relationship reveals that current spoofing during one time instant comprises the cumulative attacks from the previous time steps. Consequently, the disturbance estimate is not sufficient enough to correct the attacked states. Rather, a new disturbance estimate vector is formulated to account for the accumulated disturbances. Considering the estimate of spoofing attacks computed by (11), we propose estimating the new disturbance estimate vector via
[TABLE]
This equation acknowledges the fact that estimated state is still contaminated by the attack from the past time step. Therefore, the corrected state and authentic observation state could be retrieved by subtracting from and as follows:
[TABLE]
Algorithm 1 showcases the overall problem design, robust state estimation, and the reconstruction of the corrected bias and drift of the GPS receiver. The algorithm takes as inputs: the fixed number of satellites , and , and satellites data which is encoded through . The algorithm is divided into two stages—an offline stage and an online one. In the offline stage, the RobustEstimator gains and are computed via solving (11) and evaluating (13). The online stage includes running the RobustEstimator (11) and the cumulative corrections for the states and spoofing attacks. The algorithm returns the attack-free, yet still slightly noisy estimates of the bias and drift and an estimate of the actual spoofing attack .
It is noteworthy to mention the following. First, the offline component of the algorithm—albeit offline—can be solved analytically seeing that the problem dimension is very small, when considering that only few satellite measurements are needed. Second, the algorithm and the LMI feasibility problem both only require a fixed number of satellites, rather than a fixed satellite combination. This is important considering that different satellites are visible each time. In short, the proposed algorithm in this paper only assumes a minimum fixed number of satellites , where these satellites can be changing in real time without impacting the algorithm or the design of the robust estimator.
Third, Algorithm 1 works for any reasonable initial conditions, that is, the estimation should converge regardless of the initial conditions choice. Fourth, this method is truly tuning-free: no prior knowledge of the statistical distribution of noise, or prior knowledge or tuning of any parameters is needed. The algorithm is also low-memory, as the only computation needed to be performed online is running the RobustEstimator and the correction models—both require a small number of matrix-vector multiplications. This implies that the proposed algorithm can be implemented in low-memory devices without the need for any intensive computational effort or internet connectivity. Finally, we note that the proposed algorithm has no stopping criterion seeing that it runs in real time.
IV Case Studies: A Realistic Testbed
This section discusses the detection and mitigation of TSAs via various approaches. First, the experimental procedure is discussed. Then, we compare the performance of the extended Kalman filter (EKF)—which has long been used in the literature [20] as a ground truth for estimating the bias and drift—and the classical Luenberger observer under spoofing attacks. Then, the performance of the proposed robust estimator under TSAs is showcased, followed by thorough comparison of the performance of the approaches. The following link includes all codes and data used to generate the results, including the acquired GPS data: github.com/junhwanlee95/Robust-Estimator. Table I summarizes the important vector nomenclature.
IV-A Setup: Model Simulation & Obtaining Raw GPS Data
A Google Nexus 9 tablet, which has an embedded GPS chipset, is used to collect real GPS signals, which are recorded on November 4, 2018 at the University of Texas at San Antonio main campus. The data are available for the reader through the aforementioned Github link. While the receiver acquires the signal, the device remained still to simulate the stationary scenario. Raw GPS data is post-processed to obtain pseudorange and pseudorange rate data by GNSS Logger, the Android application released by the Google Android location team [27]. Then, Type I and II attacks are injected into the pseudorange and pseudorange rate data to simulate spoofing as discussed in Section II and shown in [11, Section III]. The initial conditions for the robust estimator are chosen to be different than the actual, ground truth conditions.
IV-B EKF and Luenberger Performances Under Attacks
Here, we are interested in testing whether the EKF and the classical Luenberger observer [28] can withstand TSAs of Type I and II. After Type I and II attacks are applied from to , the performance of the EKF and Luenberger observer—which does not assume any statistical distribution about the noise—are shown in Fig. 1 and 2.
While the ground truth clock bias and drift, , are acquired through EKF by processing the authentic pseudorange data, the bias and drift are generated by applying the EKF to the spoofed pseudoranges. Another comparison to is offered by the Luenberger observer estimate produced after designing the observer gain such that the closed loop system eigenvalues are at and . The performances of EKF and Luenberger observer are shown respectively in Fig. 1 and Fig. 2. It is evident that both approaches fail to estimate the correct states in the presence of the attack.
IV-C *Robust Estimator Performance under Type I/II TSAs *
In this section, we test the proposed robust estimator and run Algorithm 1 which contains an offline stage and an online one. First, we set , i.e., we choose to sample data from only four satellites. We solve the LMIs (12) for the estimator gains. Using these estimator gains, the online portion of Algorithm 1 is run. Pertaining to Type I attack, Fig. 3 showcases the performance of RobustEstimator. Due to the attack at s, the clock estimates are initially not correct, but the clock bias and drift approach the respective ground truth values within approximately 3 and 11 seconds (cf. Fig. 3(a) and 3(b) respectively).
Under the same condition and procedure, Algorithm 1 is applied on Type II attack to detect and correct the spoofed states. The results of obtaining the corrected state are shown in Fig. 4. In order to accurately depict the performance of RobustEstimator, the relative estimation error is calculated as for each of the two states in over time. The resulting graphs are shown in Fig. 5. Comparison between and the reveals that the maximum error between the two biases is or . It is thus demonstrated that the Robust Estimator of Algorithm 1 successfully detects and corrects the Type II attack.
In the interest of gauging the performance of each approach, the root mean square error () of the estimated clock bias is calculated under both attack types. Let denote the total length of observation time ( in this experiment). The RMSE is defined as where is the ground truth clock bias under normal conditions, and equals to the estimated clock bias value from each approach. Under Type II attack, the RMSE for EKF and the Luenberger observer are and respectively, while that of the robust estimator is . As for Type I attack, the RMSEs are as follows: , , and . This illustrates the performance of this tuning-free, low-memory robust estimator in detecting spoofing attacks, while correctly reconstructing the bias and drift states of the GPS receiver.
V Paper Summary and Future Work
In this paper, the design and realistic application of a low-memory, real-time RobustEstimator is studied. Utilizing the GPS receiver on a Google Nexus 9, real GPS data are collected and post-processed by injecting time-synchronization attacks to spoof the clock bias and drift of the device. Two types of attacks are introduced, and tested by the designed estimator. The estimator successfully detects and estimates the spoofing attacks on each state, and mitigates the spoofing on both types of attack by furnishing the corrected clock states to the user. Future work will focus on developing robust estimators under spoofing attacks for non-stationary GPS receivers, which involve nonlinearities in the GPS measurement model.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] U.S. Government Accountability Office, “GPS disruptions: Efforts to assess risks to critical infrastructure and coordinate agency actions should be enhanced,” GAO-14-15, Nov. 2014. [Online]. Available: https://www.gao.gov/products/GAO-14-15
- 2[2] X. Li and Q. Xu, “A reliable fusion positioning strategy for land vehicles in GPS-denied environments based on low-cost sensors,” IEEE Trans. Ind. Electron. , vol. 64, no. 4, pp. 3205–3215, Apr. 2017.
- 3[3] D. Schmidt, K. Radke, S. Camtepe, E. Foo, and M. Ren, “A survey and analysis of the GNSS spoofing threat and countermeasures,” ACM Computing Surveys , vol. 48, no. 4, pp. 1–31, May 2016.
- 4[4] T. Nighswander, B. Ledvina, J. Diamond, R. Brumley, and D. Brumley, “GPS software attacks,” in Proc. of the ACM Conf. on Comput. and Commun. Security , Raleigh, NC, Oct. 2012, pp. 450–461.
- 5[5] M. L. Psiaki and T. E. Humphreys, “GNSS spoofing and detection,” Proceedings of the IEEE , vol. 104, no. 6, pp. 1258–1270, June 2016.
- 6[6] L. Heng, J. J. Makela, A. D. Domínguez-García, R. B. Bobba, W. H. Sanders, and G. X. Gao, “Reliable gps-based timing for power systems: A multi-layered multi-receiver architecture,” in Proc. Power and Energy Conference at Illinois (PECI) , Champaign, IL, Feb.-Mar. 2014, pp. 1–7.
- 7[7] T. E. Humphreys, B. M. Ledvina, M. Psiaki, B. W. O’Hanlon, and J. P. M. Kintner, “Assessing the spoofing threat: Development of a portable GPS civilian spoofer,” in Proc. 21st Int. Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS) , Savanna, GA, Sept. 2008, pp. 2314–2325.
- 8[8] B. Moussa, M. Debbabi, and C. Assi, “Security assessment of time synchronization mechanisms for the smart grid,” IEEE Commun. Surveys Tut. , vol. 18, no. 3, pp. 1952–1973, thirdquarter 2016.
