Worst-Case Spoofing Attack and Robust Countermeasure in Satellite Navigation Systems

The threat of signal spoofing attacks against global navigation satellite system (GNSS) has grown in recent years and has motivated the study of anti-spoofing techniques. However, defense methods have been designed only against specific attacks. This paper introduces a general model of the spoofing attack framework in GNSS, from which optimal attack and defense strategies are derived. We consider a scenario with a legitimate receiver (Bob) testing if the received signals come from multiple legitimate space vehicles (Alice) or from an attack device (Eve). We first derive the optimal attack strategy against a Gaussian transmission from Alice, by minimizing an outer bound on the achievable error probability region of the spoofing detection test. Then, framing the spoofing and its detection as an adversarial game, we show that the Gaussian transmission and the corresponding optimal attack constitute a Nash equilibrium. Lastly, we consider the case of practical modulation schemes for Alice and derive the generalized likelihood ratio test. Numerical results validate the analytical derivations and show that the bound on the achievable error region is representative of the actual performance.


I. INTRODUCTION
A growing number of location based services rely on global navigation satellite systems (GNSSs) for positioning and timing, but the widespread adoption of GNSSs has also increased the incentive to mount attacks against them [1]. In particular, the spoofing attack refers to the transmission of counterfeit GNSS-like signals with the intent to produce a wrong position computation at the receiver [1]-[3]. One of the simplest spoofing techniques is meaconing, i.e., the retransmission of the signal received by the spoofer towards the victim, so that the latter computes the ranging estimate based on the signals seen from the spoofer location. Advanced versions of this attack selectively forge delayed versions of the ranging signals, allowing the spoofer to induce an arbitrary position estimate at the victim. When dealing with ranging signals protected by cryptography, the secure code estimation and replay (SCER) attack [4], [5] can be used to estimate the message signature and then reconstruct the signal in real time based on the estimation. Another replay attack type, called distance-decreasing attack [6], modifies the receiver's position by decreasing the pseudo-range estimation, attempting to decode a received symbol before the end of its duration.
In the last decade, the GNSS community has investigated anti-spoofing techniques operating both at data level and at ranging code level. Securing the range estimation means authenticating the source and protecting the integrity of the received signal, which requires acting at the physical layer. Therefore, in this paper, we focus on physical-layer authentication, which exploits the communication medium and does not rely on a higher layer encryption.
Spreading code encryption (SCE) is the most reliable option to limit access to GNSS signals as it makes the spreading code fully unpredictable for the attacker, therefore limiting its capabilities to perform a successful signal generation attack [7]. Moreover, when using SCE, a SCER attack has limited success in estimating each spreading code chip from the noisy received signal, since the chip period is typically several orders of magnitude lower than the message symbol period [8]. Some SCE solutions are the P(Y) code for GPS and the commercial authentication service (CAS) for Galileo. CAS is currently under development, but is expected to be established by 2024: in particular, a proposal known as assisted CAS (ACAS), recently presented in [9], [10], provides a SCE method where the encryption key is derived from the unpredictable signature in the Galileo open service navigation message authentication (OS-NMA) [11], [12].
A modification of the SCE approach for civilian signals is proposed in [13], where a spreading code authentication (SCA) technique, which makes use of signal watermarking, is outlined. A similar SCA technique was also presented in [14], where short sequences of spread spectrum security codes (SSSCs) are used to modify the spreading code. This design approach has evolved in [15], and has been applied in [16], [17], where the scheme called chips-message robust authentication (CHIMERA) is introduced, aiming at jointly authenticating both the navigation data and the spreading code of GPS signals for civil usage. Another solution for the joint authentication of navigation data and spreading code chips, referred to as spreading code and navigation data based authentication proposal (SNAP), can be found in [18] and a similar approach was also proposed in [7]. Other examples of SCA techniques for open GNSS signals, each employing different methods for generating and placing the watermarked chips, were introduced in [19]-[21]. However, existing anti-spoofing mechanisms in the literature are designed as a particular solution without any optimality criterion and their performance is evaluated against some specific attacks, which may not represent the worst case scenario for the design mechanism.
A first unified general model for the design, description, evaluation, and comparison of SCA techniques was presented in [22], where an optimal compromise is achieved between security and the number of random bits in the watermark. However, the security is only evaluated in terms of conditional guessing probability for the watermarked code given the public one, thereby neglecting the effects of channel transmission, noise, and possible SCER attacks. On the other hand, in [23] a signal authentication method based on physical layer secrecy is presented, in which the navigation signal is transmitted along with a synchronous and orthogonal authentication signal, which is in turn encoded for secrecy and corrupted by artificial noise (AN). A general security result follows from the impossibility for a spoofer to decode the authentication signal without knowledge of the AN, which is later disclosed for verification.

However, a totally general framework for deriving a wide class of solutions, optimizing their parameters, and evaluating their security against a broad set of attacks is still lacking, to the best of our knowledge, and is the aim of the present work. This paper makes the following contributions. First, we describe a general model to characterize the spoofing attack in GNSS, considering the presence of multiple space vehicles (SVs), a victim receiver, and an attacker. We describe the optimal attack strategy that minimizes the Kullback-Leibler (K-L) divergence between the received signal distribution in nominal and attack conditions, while still introducing the desired shifts on the satellites' signals. Indeed, the K-L divergence gives an outer bound to the detection error tradeoff (DET) curve (determined by false alarm and missed detection probabilities), which in turn is the appropriate metric to assess the capabilities of the victim receiver in detecting the attack. Therefore, the proposed optimization procedure provides an optimal attack abstracting from the particular detection process and whose efficacy can be assessed beforehand.
For a general class of attack strategies, we derive a closed form expression for the K-L divergence, and a lower bound that only depends on the GNSS scenario and channel physical parameters, regardless of the specific detection strategy adopted by the victim. Then, framing the spoofing and its detection as an adversarial game, we prove that the set of strategies comprised of a Gaussian transmission and the optimal attack is a Nash equilibrium for the game. Moreover, we discuss the K-L divergence obtained at the equilibrium points. Lastly, we consider the case of practical modulation schemes for Alice and derive the generalized likelihood ratio test. Finally, simulation results for the attack-defense scheme are presented, considering both likelihood ratio test (LRT) and generalized likelihood ratio test (GLRT) attack detection mechanisms, to validate the analytical derivations and show that the bound on the achievable error region given by the K-L divergence is representative of the actual performance.
The rest of this paper is organized as follows. Section II presents the general GNSS spoofing model in detail, together with performance metrics. In Section III the optimal attack strategy is derived, then analytical results are presented. Defense strategies at both the transmitter and the receiver are discussed in Section IV. Then, numerical results are presented in Section V, employing two transmission modulations: Gaussian signaling and finite-cardinality signaling. Lastly, Section VI draws the conclusions of the paper.
Notation: Vectors and matrices are denoted by lower and upper case boldface letters, respectively. Symbol $A^H$ denotes the complex conjugate transpose of matrix $A$, while $A^\dagger$ denotes the Moore-Penrose pseudo inverse of $A$. Symbol $I_n$ denotes the identity matrix of size $n \times n$; $|A|$ and $\|A\|_F$ stand for the determinant and the Frobenius norm of $A$, respectively. Given two random variables $x$ and $y$, $p_x$ represents the probability density function (pdf) of $x$, $p_{x|y}$ represents the conditional pdf of $x$ given $y$, and $p_{xy}$ represents the joint pdf of $x$ and $y$. If $a \in \mathbb{C}^n$ and $b \in \mathbb{C}^m$ are random vectors, $K_{ab} = E[ab^H]$ denotes their $n \times m$ covariance matrix. Finally, $\log$ denotes the natural logarithm.

II. SYSTEM MODEL
We consider a constellation of $m$ SVs (Alice, block A in Fig. 1) transmitting signals to a receiver (Bob, block B in Fig. 1). By estimating the relative delay among signals received from the $m$ SVs and by knowing the position of the SVs, Bob estimates its position through ranging techniques [24]. A third device (Eve, block E in Fig. 1) both receives the signals from the SVs and transmits them to Bob. The aim of Bob is to authenticate the received signal, i.e., to determine whether it comes from the constellation of SVs or from Eve. In turn, Eve aims at transmitting a signal that can be confused as authentic by Bob but has different delays among SV signals, to induce a different position estimation. A reliable and asynchronous side communication channel (which cannot be used for position estimation) enables the transmission of authenticated data from Alice to Bob for the verification of the GNSS signal, while Eve cannot access it to build the attack. A possible way to implement this channel is through delayed authentication techniques [25]. In this paper, we investigate how Alice can transmit its signals (on both the main and the side channel) and how Bob can perform the verification step of the authentication procedure. Also, we study possible attack strategies by Eve.

A. Transmission Procedure
The $i$-th SV, $i \in \{1, 2, ..., m\}$, broadcasts a radio signal represented by its discrete-time complex baseband equivalent vector $x_i \in \mathbb{C}^n$, with $x_i$ independent from $x_j$ if $i \neq j$. We define the transmitted word $x$ as the concatenation of the signals transmitted by all SVs: $x = [x_1, x_2, ..., x_m] \in \mathbb{C}^{mn}$; word $x$ is also delivered to Bob over the side channel. It is important to note that the side information provided to the receiver can also be a compressed lossless version of the transmitted word $x$. Two delays are associated to each signal $x_i$, namely $\tau_{B,i}$ and $\tau_{E,i}$, indicating the propagation time of $x_i$ from the $i$-th SV to Bob and to Eve, respectively. Without loss of generality we assume $\tau_{E,m}$ ] collect the relative delays between the signals coming from the $m$ satellites. Moreover, we define $\delta_B = \max_i \{\tau_{B,i}\}$ and $\delta_E = \max_i \{\tau_{E,i}\}$.
Signal $x_i$, $i \in \{1, 2, ..., m\}$, is transmitted through two linear channels $y_i = \bar{A}_i x_i$ and $z_i = F_i x_i$, providing the useful signals received by Bob and Eve, respectively. Matrices $\bar{A}_i$ and $F_i$ are determined by relative delays between signals, the fading environment, fluctuations in atmospheric parameters, signal distortion, and channel gains. Moreover, $\bar{A}_i$ and $F_i$ include proper padding to guarantee that each channel output vector has the same size. We denote the concatenation of matrices $\bar{A}_i$ and $F_i$, for $i = 1, ..., m$, as In nominal conditions, Bob receives the sum of the signals coming from the $m$ satellites, The same holds for Eve, who obtains Furthermore, $y_0$ and $z_0$ are corrupted by additive white Gaussian noise (AWGN), represented by two circularly symmetric complex Gaussian random vectors with independent entries $\omega_B \sim \mathcal{CN}(0, K_B)$ and $\omega_E \sim \mathcal{CN}(0, K_E)$, where E are the variances of each component (real or imaginary) of the complex noise at Bob's and Eve's receiver, respectively. Then, the signals received in nominal conditions by Bob and Eve are, respectively,

B. Attack Strategy
The goal of Eve is to falsify the propagation times, thus introducing the forged relative delays corresponding to a possibly different position than the actual receiver location. We assume that: (i) Eve does not know $x$ but only knows $z$, which is a noisy and reduced-size version of $x$; (ii) Eve knows the joint distributions of $x$, $y$, and $z$; (iii) Eve knows the channel matrices of links A → B, A → E, and E → B, and the corresponding noise statistics. We remark that the attacker cannot process each satellite signal separately: such processing would in fact require the knowledge of each word $x_i$, $i = 1, ..., m$.
We assume that Eve can directly design the vector $v_0$ received by Bob when under attack, apart from the receiver noise. Thus, when under attack the signal received by Bob is where $v, v_0 \in \mathbb{C}^{n+\delta_f}$, with $\delta_f = \max \tau_f$. Eve's spoofing strategy can exploit the information carried by her observations $z$ and, for the sake of generality, we consider that Eve adopts a probabilistic strategy, characterized by the conditional pdf $p_{v_0|z}$. Moreover, we assume that Eve knows the statistics of the noise at Bob, so that the attack strategy can be described by the pdf $p_{v|z}$. Since the observation $z$ encloses all the information Eve can exploit to deceive Bob, we conclude that the forging strategy $v$ is conditionally independent of the transmitted word $x$, given $z$.
Let the received signal by Bob be where the binary variable $b$ in (5) indicates the legitimate/attack state. We assume that Eve is able to completely cancel the signal $y_0$ at Bob, thus considering the worst case scenario where Bob acquires and locks onto the spoofed signal $v$ [26]. Therefore, Eve aims at preventing Bob from distinguishing between $v$ and the legitimate $y$ that would be obtained with $\tau_B = \tau_f$.

C. Authentication Procedure
The goal of the legitimate receiver Bob is to figure out if the signal $r$ he receives corresponds to the authentic signal $y$, or to a signal $v$ that has been forged by Eve. In making this decision, Bob can make use of his knowledge of $x$, which has been disclosed by Alice through the side channel. We remark that the message transmitted through the side channel can be a lossless compressed version of $x$. To detect the spoofing attack, Bob performs an authentication test, wherein, given $x$ and the observation $r$, Bob chooses between the two hypotheses:
$\mathcal{H}_0 : r = y$, the message is from Alice, (6)
$\mathcal{H}_1 : r = v$, the message was forged.
In Fig. 1, the correct verification is achieved when $\hat{b} = b$. The authentication procedure is summarized in block D, which has the received signal $r$ as input and outputs the Boolean value $\hat{b}$.
It is worth noting that the model in Fig. 1 includes previous models from the literature, as particular cases. In the scheme proposed in [15]-[17], only one satellite has been considered, which can be cast into our model by taking $m = 1$. In these solutions, a small part of the spreading code is superimposed with a secret, cryptographically generated sequence, which can be subsequently reproduced by the receivers when they become aware of the key, while navigation message data are protected by digitally signing most or all the data. So, word $x$ is the signal obtained by the superposition of the signed navigation data with the signed version of the spreading code, followed by a binary phase-shift keying (BPSK) modulation. Then, with a delay with respect to $x$, the key is broadcast as side information, so that the receiver is able to reconstruct $x$. A similar approach can be adopted to describe Galileo OS-NMA [11], [12], possibly combined with CAS [10] or ACAS features [9]. The model in [22] can be cast into this frame by restricting $x$ to be a binary watermarking sequence, and the attacker to have complete ignorance on it, thus, removing his observation $z$. In the authentication scheme of [23], $x$ is the superposition of the transmitted authentication message and the AN component. Then, the authentication message and the AN are transmitted to the legitimate receiver through an authenticated channel.
All the parameters presented in this Section are summarized in Table I.

D. Performance Metric
The performance of an authentication system is assessed by: a) the type-I (false alarm) error probability $p_{FA}$, i.e., the probability that Bob discards a message as forged by Eve while it is coming from Alice; b) the type-II (missed detection) error probability $p_{MD}$, i.e., the probability that Bob accepts a message coming from Eve as legitimate. The LRT is the optimal detection method that minimizes the false alarm probability for a fixed missed detection given $p_x$, and $p_{v|z}$ [27]. However, in general, the analytical derivation of these pdf is hardly feasible. Therefore, theoretical bounds on the achievable error probability region are useful to establish the effectiveness of practical schemes. A first bound on the achievable error region, which is the set of achievable points in the $(p_{FA}, p_{MD})$ plane, for a given attack strategy is given by the K-L divergence. In fact, from [28] and [29] we have In (8) we have considered the joint pdf $p_{rx}$ since we suppose that, at the time of verification, the legitimate receiver knows $x$, and the decision $\hat{b}$ is taken based on both inputs. Therefore, defining the function with $p_{FA}, p_{MD} \in [0, 1]$, and observing that $p_{\hat{b}|\mathcal{H}_0}(1) = p_{FA}$, (8) can be rewritten as with fixed channels $p_{y|x}$ and $p_{z|x}$. So, the task that we will address in this paper from the point of view of the defense can be defined as the following maximin problem: An important difference that distinguishes attack and defense strategies is that Eve knows the value of $\tau_E$ and the victim position exactly, whereas Alice's defense strategy must be robust and symmetrical with respect to all potential receiver and channel realizations, described by matrices $A$ and $F$.
In Section III we will first address the inner minimization in (13), considering the model presented in Section II and assuming that $x$ is Gaussian distributed. Then, after discussing the achievable K-L divergence values, the maximization task in (13) will be finally investigated in Section IV.

III. ATTACK STRATEGY
We now focus on the attack strategy optimization, i.e., from (13), we aim at deriving the conditional pdf $p_{v|z}$ such that We assume that $x$ is a zero mean Gaussian random vector, so $p_x \sim \mathcal{N}(0, K_x)$ and the optimality of this choice will be proven in Section IV-A. Under this assumption, as proved in [30], there exists an optimal attack $p_{v|z}$ minimizing the divergence in (12).
Theorem 1. Given the zero mean, jointly Gaussian random vectors $x$, $y$, and $z$, the optimal attack $p_{v|z}$ minimizing the divergence in (12), with fixed channels $p_{y|x}$ and $p_{z|x}$, under the constraint that the random vectors $v$ and $x$ are conditionally independent given $z$, belongs to the class and can therefore be written as a linear transformation of $z$, plus independent additive white complex Gaussian noise, i.e., where In particular, the pdf $p_{v|z}$ that solves (14) is computed by optimizing over $G$ and $C$, so (14) becomes The variance and covariance matrices of the signals defined so far are given by Considering (18) and following the derivations of [30], the optimal matrices are and $C \in \mathbb{C}^{(n+\delta_f) \times (n+\delta_f)}$ is the square root of the covariance matrix $K_{v_0|z}$ of the signal $v_0$ given $z$. As outlined in [30], $C$ is obtained either with a closed form expression or through an iterative process.

A. K-L Divergence for Attacks in C
In this Section, we will derive an analytical expression for $f(p_x, p_{v|z})$ when $p_x$ is a generic pdf with covariance matrix $K_x$. Under the assumption that $p_{v|z} \in \mathcal{C}$, defining $B \triangleq GF$ and $\eta \triangleq G\omega_E + C\omega_c + \omega_B$, $v$ can be written as (see (16)) with Considering the definition of $v$ given in (20), the metric $f(p_x, p_{v|z})$ can be computed for a generic distribution $p_x$ and $p_{v|z} \in \mathcal{C}$ as where $\lambda_i$, $i \in \{1, 2, ..., n + \delta_f\}$, are the eigenvalues of $K_\eta$. We remark that (22) holds for any distribution $p_x$, as long as the attack pdf $p_{v|z}$ is taken from $\mathcal{C}$.
For convenience, we analyze the two terms of (22) separately Since $c - 1 \geq \log c$, $\forall c \in \mathbb{R}^+$, we can state that each term of the sum in $t_1$ is non-negative. Moreover, $t_1 = 0$ if and only if $\lambda_i / \sigma_B^2 = 1$, $\forall i \in \{1, 2, ..., n + \delta_f\}$, i.e., if and only if the attacker manages to construct $K_\eta = K_B$. On the other hand, the term $t_2$ in (22) is independent of the attacker noise $\omega_E$, because it does not depend on $K_\eta$, while it depends on the covariance matrix $K_x$, the legitimate receiver noise power $\sigma_B^2$ in the nominal case, and the difference $A - B$, where $A$ and $B$ are the authentic and the forged channel matrix, respectively. Therefore, the following inequality holds

B. K-L Divergence Under Optimal Attack
From (22) and (25), we observe that, for a generic $p_x$ with covariance matrix $K_x$, once the values of $A$, $K_x$, and $\sigma_B^2$ are fixed, the lower bound for the K-L divergence can be expressed as a function of $B$ as In particular, when the attacker succeeds in constructing $K_\eta = K_B$, then $t_1 = 0$, and It is worth noting that, for a fixed $K_x$, $p_{v|z}$ achieves the minimum K-L divergence among all the possible attack strategies $p_{v|z} \in \mathcal{C}$, regardless of the shape of $p_x$, thus In particular, when $K_x = M_x I_{mn}$ (as further discussed in Section IV-A), $D_{\min}(B)$ can be written as where represents a diversity index between $A$ and $B$, and represents the average received signal to noise ratio (SNR) at Bob. It is worth noting that the attacker can always choose $G$ in such a way that $k \leq 1$ (trivially setting $G = 0$ we have $k = 1$). Moreover, in (31), the term represents the average energy of the $m$ impulsive responses of the legitimate channels. Therefore, (29) describes $D_{\min}(B)$ in terms of the total length of the $m$ transmitted signals ($mn$), a measure of the difference between the channel matrices ($k$), where $A$ is the matrix of the legitimate channel and $B$ is the matrix of the forged channel, and the SNR of the legitimate channel A → B ($\Lambda_{AB}$).

C. Limiting Scenarios
We now discuss some limiting scenarios, in which the considered spoofing attack achieves complete indistinguishability from the legitimate signal and hence cannot be detected:
S1: $A = F$, that is the case wherein Eve performs a meaconing attack, inducing her own position onto Bob;
S2: $m = 1$, so both Eve and Bob receive the signal from only one satellite, and there is not sufficient diversity;
S3: the channel A → B is stochastically degraded with respect to the channel A → E.
In the following analysis, we assume that the attacker Eve makes use of the optimal attacking strategy $p_{v|z}$.
In scenario S1, where $A = F$, we have that 19), Eve gets $G = I_{n+\delta}$ so that $B = GF = F$, and $B = F = A$, which implies $D_{\min}(B) = 0$. Thus, the meaconing attack cannot be detected in this model.
In scenario S2 we are supposing $m = 1$. This implies that $\delta_E = \delta_B = \delta_f = 0$, so $A$ and $F$ are left invertible. Therefore, when $G$ is computed as in (19), Eve will get $B = GF = A$, which implies $D_{\min}(B) = 0$. Therefore, to have $D_{\min}(B) > 0$, Bob has to combine signals from $m > 1$ satellites. However, this is also a necessary condition for the GNSS receiver to calculate the position, velocity, and time (PVT) solution.
In scenario S3 we have that the channel A → B, represented by the conditional pdf $p_{y|x}$, can be decomposed as the cascade of $p_{z|x}$ and some properly chosen $p_{y|z}$. Therefore, in this case Eve can choose $p_{v|z} = p_{y|z}$ to obtain $p_{y|x} = p_{v|x}$. Moreover, we have $y = Gz + C\omega_c$, and Eve chooses G = G and C = C , so that $B = A$ and $D_{\min}(B) = 0$. Therefore, in this case, the attack goes undetected.
The more general, and more realistic, spoofing scenario occurs when $m > 1$, $A \neq F$ and $\sigma_E^2 > 0$. Moreover, the hypothesis in scenario S3 is very pessimistic. Therefore, in a realistic scenario, with the additional assumption that ker(A) ker(F), it is always assured that $D_{\min}(B) > 0$.
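The limiting scenarios S1 and S2 and the general multi-satellite case can be checked numerically with delay-only channels, as in this added example (not code from the paper). Assumptions: real-valued integer-sample delays, Eve picks the least-squares matrix G = A F† so that B = GF is A projected onto the row space of F (expression (19) is not reproduced on this page), K_x = M_x I, K_B = noise_power · I, and Eve matches the noise covariance so only the mean-shift term tr((A−B) K_x (A−B)^H K_B^{-1}) of the Gaussian K-L divergence remains; all function names are hypothetical.

```python
"""Toy detectability check for delay-only channels (added example, constructed inputs)."""


def delay_channel(delays, n):
    """Return the (n + max delay) x (m*n) matrix [S_1 | ... | S_m].

    Block i copies the n samples of x_i into the output, shifted by delays[i].
    """
    rows, m = n + max(delays), len(delays)
    H = [[0.0] * (m * n) for _ in range(rows)]
    for i, d in enumerate(delays):
        for k in range(n):
            H[d + k][i * n + k] = 1.0
    return H


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def row_space_basis(F, tol=1e-9):
    """Orthonormal basis of the row space of F (modified Gram-Schmidt)."""
    basis = []
    for row in F:
        v = list(row)
        for q in basis:
            c = dot(v, q)
            v = [a - c * b for a, b in zip(v, q)]
        norm = dot(v, v) ** 0.5
        if norm > tol:  # skip rows that add no new direction
            basis.append([a / norm for a in v])
    return basis


def forged_channel(A, F):
    """B = (A F^+) F, i.e. every row of A projected onto the row space of F.

    Assumption of this example: Eve uses the least-squares G = A F^+.
    """
    basis = row_space_basis(F)
    B = []
    for a in A:
        proj = [0.0] * len(a)
        for q in basis:
            c = dot(a, q)
            proj = [p + c * b for p, b in zip(proj, q)]
        B.append(proj)
    return B


def analyse(tau_E, tau_f, n, Mx=1.0, noise_power=4.0):
    """Mismatch between the target channel A (delays tau_f) and the forged B.

    mismatch   : ||A - B||_F^2 / ||A||_F^2 (0 means indistinguishable channels)
    floor_nats : Mx * ||A - B||_F^2 / noise_power, the mean-shift K-L term
                 under the assumptions K_x = Mx*I and K_B = noise_power*I.
    """
    F = delay_channel(tau_E, n)   # what Eve observes through
    A = delay_channel(tau_f, n)   # what Bob expects for the spoofed position
    B = forged_channel(A, F)
    residual = sum((a - b) ** 2 for ra, rb in zip(A, B) for a, b in zip(ra, rb))
    energy = sum(a * a for row in A for a in row)
    return {"mismatch": residual / energy, "floor_nats": Mx * residual / noise_power}


if __name__ == "__main__":
    # Constructed delay vectors (in samples), not values from the paper.
    cases = {
        "S1 meaconing (tau_f = tau_E)": ([0, 2, 5], [0, 2, 5], 8),
        "S2 single satellite (m = 1)": ([0], [0], 8),
        "general case, n = 8": ([0, 2, 5], [0, 3, 1], 8),
        "general case, n = 16": ([0, 2, 5], [0, 3, 1], 16),
    }
    for name, (tau_E, tau_f, n) in cases.items():
        print(name, analyse(tau_E, tau_f, n))
```

The two general cases show the residual growing with the observation length n, which is why longer observation windows give Bob more margin, while S1 and S2 leave no residual to detect.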

IV. DEFENSE STRATEGY DESIGN
The transmission and the attack detection strategies together determine the defense strategy. Therefore, in this Section, we investigate how Alice designs the transmitted signal and how Bob performs the verification step of the authentication procedure.

A. Gaussian Transmission
The optimal transmission strategy $p_x$ is given by the maximin solution of (13). We start by identifying the optimal distribution for a constrained covariance matrix, introducing the following theorem.
Theorem 2. Given a covariance matrix $K_x$, let us define $p_x \sim \mathcal{N}(0, K_x)$. If the transmission distribution $p_x$ is to be chosen among all those with zero mean and covariance $K_x$, the pair of strategies $(p_x, p_{v|z})$ constitutes a saddle point of the function $f(p_x, p_{v|z})$.
Proof. For any attack strategy $p_{v|z} \in \mathcal{C}$, we can compute $f(p_x, p_{v|z})$ for a generic distribution $p_x$ from (22). We note that, when $p_{v|z} \in \mathcal{C}$, the K-L divergence depends on $p_x$ only through the covariance matrix $K_x$. Consequently, if $p_{v|z} \in \mathcal{C}$, once matrices $A$, $B$, and $K_x$ are set, then $f(p_x, p_{v|z})$ is constant for each probability distribution $p_x$ chosen by Alice. Therefore, we conclude that the set of strategies $(p_x, p_{v|z})$ constitutes a saddle point for $f(p_x, p_{v|z})$, since neither the attacker nor the defender can gain by a unilateral change of strategy if the strategy of the other remains unchanged. In particular where (33) follows from (22), when the covariance matrix $K_x$ is fixed, while (34) holds for the optimality of $p_{v|z}$ when the transmission distribution is $p_x$, as stated in Theorem 1.
The maximin problem in (13) can be seen as a zero-sum game with two players, where $p_x$ and $p_{v|z}$ are mixed strategies, while $f(p_x, p_{v|z})$ and $-f(p_x, p_{v|z})$ are the average payoffs (footnote 2) for the defender and the attacker, respectively. In this case, the set of strategies $(p_x, p_{v|z})$ constitutes one Nash equilibrium of the game. We remark that there may be many Nash equilibria; however, for the properties of zero-sum games, they all have the same average payoff [31].
From Theorem 2, we conclude that the optimal defense strategy $p_x$ solving (13) must be a zero mean Gaussian distribution. Furthermore, Alice can choose the covariance matrix $K_x$ of $p_x$ so that $f(p_x, p_{v|z})$ is maximized while ensuring the constraint on the transmitted power $M_x$: $\mathrm{tr}(K_x) \leq mn M_x$. Given the symmetry of the problem and the transmitter's lack of knowledge of the channel and, consequently, of the matrices $A$ and $F$, a reasonable choice for $K_x$ is $K_x = M_x I_{mn}$.
From the theory of binary hypothesis testing, we know that if both the statistics of the legitimate and spoofed signal are known (i.e., if the victim is aware of the particular attack strategy adopted by the spoofer) the test yielding the minimum $p_{MD}$ for any given constraint on $p_{FA}$ is the LRT, also known as Neyman-Pearson criterion [27], [28]. Under the assumption that the attack strategy belongs to class $\mathcal{C}$, the detection problem reduces to the test When both Eve and Alice play the Nash equilibrium strategies derived in Sections III and IV-A, Bob will use the LRT since it is aware of the attack strategy distribution.
Footnote 2: Player's payoffs are averaged over the mixed players' strategies and the

B. Transmission Strategies With Practical Modulation Schemes
In Section IV-A we derived that the optimal defense strategy solving (13) must be a zero mean Gaussian distribution. However, in practice this is not feasible and hence we analyze the case wherein $x$ has symbols from a finite set, e.g., a QAM constellation.
In (22) we showed that, when $p_{v|z} \in \mathcal{C}$, the value of $f(p_x, p_{v|z})$ depends on $p_x$ only through the covariance matrix $K_x$. This implies that where $p_x$ is a generic distribution of the signal $x$, with the same covariance matrix $K_x$ of $p_x \sim \mathcal{N}(0, K_x)$. Therefore, when the attack belongs to the class $\mathcal{C}$, we may conclude that the performance in terms of divergence is the same with either Gaussian or finite-cardinality modulation. Moreover, from (33) and (34) we have On the other hand, $p_{v|z}$ is the optimal attack strategy only when the transmitted signal $x$ is a Gaussian codeword of length $mn$. This implies that, for a non Gaussian $p_x$, an attack strategy $p^o_{v|z} \notin \mathcal{C}$ may exist, that achieves Therefore, from (36)-(38) we can derive the following relation When the signal $x$ has symbols from a finite set, the transmission strategy differs from $p_x$, and the optimal attack strategy distribution $p^o_{v|z}$ is not known. Hence, the receiver only knows the statistics of the authentic signal, and cannot make assumptions on the attack strategy chosen by E nor has information on the channels A → E and E → B. In this case, the LRT detection method no longer applies, and a possible solution is to use the GLRT [27], [32], i.e., the detection problem is given by

V. NUMERICAL RESULTS
In this Section we will illustrate the performance obtained for both LRT and GLRT, when either Gaussian or finite-cardinality signaling are used, under the following scenario:
• channel matrices $A$ and $F$ take into account only the delays, that is the propagation times of each signal $x_i$ from the $i$-th SV to Eve and Bob, therefore we neglect other possible channel phenomena;
• the attack strategy $p_{v|z}$ is that described in Section III.
Moreover, in a typical GNSS spoofing scenario, the power of the spoofing signal $v_0$ at the receiver is typically larger than that of the legitimate signal; thus, the SNR on the attack signal will be significantly larger than with the authentic one. Assuming that an automatic gain control (AGC) at Bob's front-end can scale the received signal to nearly constant amplitude, the receiver noise variance will be correspondingly reduced, in the attack case, allowing the spoofer some margin to shape $K_\eta = K_B$. Similarly to (31), we define the received spoofer SNR as In the analyzed scenarios, we will take into account the delay vector $\tau_f$ associated with the position of our department   Table II outlines each considered position with their coordinates, while Table III summarizes the distances between target and Eve's positions.

A. Gaussian Signaling
In this Section performance is evaluated when the transmitted signal x is a Gaussian codeword of length n, considering a LRT detection method.
Fig. 3 shows the DET curves for the LRT detection method (solid lines) and the performance bounds (dashed lines) derived from the K-L divergence for different values of $n$, considering the signals coming from $m = 5$ SVs, $M_x = 1$, $\Lambda_{AB} = -25$ dB, $\Lambda_{AE} = -10$ dB, when $\tau_E$ and $\tau_f$ collect the delays associated to P1 and P2, respectively. The bound follows the same trend of (29), thus it is representative of the actual performance. The bound is tight for $n = 400$, while the gap between it and the actual performance grows as the value of $n$ rises. Indeed, as $n$ decreases, the DET curves move quickly towards the gray dashed line, which represents the trivial limit case, in which the decision is taken without looking at the signal but tossing a biased coin. Thus, the obtained value of $p_{MD}$ for given values of $p_{FA}$ can be reduced by increasing the value of $n$, as Fig. 3 shows. When $n = 1200$, the value of $p_{MD}$ decreases by approximately one order of magnitude with respect to the case with $n = 400$. Moreover, we note that the bounds given by the K-L divergence are symmetric, as proven in Appendix A. the delays associated to P1 and P2, respectively. It can be seen that the curves follow the behavior of (29); in fact, the curves rise when $\Lambda_{AB}$ decreases, while remaining unchanged for different values of $\Lambda_{AE}$. As a result, the performance of the LRT verification mechanism is independent of the attacker's SNR, as long as $\Lambda_{AE} > \Lambda_{AB}$.
Fig. 5 shows the DET curves for the LRT detection method for different values of $n$ and position pairs, illustrated in Fig. 2, when $M_x = 1$, $m = 5$, $\Lambda_{AB} = -25$ dB, and $\Lambda_{AE} = -10$ dB. In each tested scenario, the delays vector $\tau_f$ is associated to P1, while the vector $\tau_E$ is associated with three different positions, i.e., (from the closest to P1 to furthest): P2, P3, and P4. We can see that the curves move away from perfect distinguishability (the lower left corner) when the distance between the position associated with $\tau_E$ and $\tau_f$ decreases. Therefore, the attack performance degrades as the attack's target position moves farther away from the attacker's actual position. Finally, we note that, as for Fig. 3, the defense performance improves (i.e., the curves move towards the bottom left corner) as $n$ increases.

B. Practical Modulation Schemes
As discussed in Section IV-B, switching from Gaussian signaling to finite-cardinality signaling does not affect the performance of the verification mechanism when the attack strategy belongs to C. This behavior will be demonstrated in this paragraph through simulation results. In the following, BPSK modulation will be considered (i.e., having cardinality M = 2).
Fig. 6 shows the DET curves for the GLRT detection method for different values of n, when p x is Gaussian distributed (solid lines) and p x is a Binary distribution (dashed lines), M x = 1, m = 9, τ f and τ E collect the delays associated with P1 and P4, respectively. These results have been obtained for Λ AB = −20 dB and Λ AE = −10 dB, so we are in the low-SNR regime. As can be seen, the curves obtained with Gaussian and binary signaling are very close, confirming the results of Section IV-B. Moreover, it is seen that GLRT is effective in detecting spoofing, even without any prior knowledge of the spoofer strategy. For practically meaningful values of p FA and p MD, we should consider longer signals, so a higher value of n with respect to the LRT case. Clearly, by observing more samples before taking a decision, the decision will be more accurate, but this requires buffering and processing more data. Furthermore, this leads to a longer time to authenticate (TTA). Thus, the observation period must be chosen as a trade-off between the computational resources of the device, the desired TTA, and the desired performance in terms of DET.

Fig. 7 shows the DET curves for the GLRT detection method for different values of n and position pairs, when p x is Gaussian distributed, M x = 1, m = 9, Λ AB = −20 dB, and Λ AE = −10 dB. In each tested scenario, the delay vector τ f is associated with P1, while the vector τ E is associated with P2, P3, and P4. As in the LRT case, the attack performance improves when the distance between the positions associated with τ E and τ f decreases. Therefore, also for the GLRT, the missed detection probability decreases, for a fixed false alarm probability, as the attack's target position moves farther away from the attacker's actual position.

VI. CONCLUSION
In this paper we have proposed a general model to characterize the spoofing detection problem in GNSSs when the spoofer can observe the legitimate signal, abstracting from the specific modulation formats and cryptographic mechanisms. We have shown that effective detection can be achieved by relying only on the combination of signals from multiple SVs and on the diversity between the attacker position and the intended forged position. We have also investigated a class of attack strategies based on the statistics of the transmitted and received signals, which are shown to be optimal to minimize the K-L divergence metric. The optimal attack strategy turned out to be a proper linear transformation of the signal received at the attacker position, combined with an appropriately tuned independent additive white Gaussian noise. We have derived a lower bound on the K-L divergence, which depends only on the total length of the transmitted signals, on the SNR of the legitimate channel, and on the difference between the forged and the legitimate channel matrices. Moreover, we have discussed the results obtained in relation to different modulation schemes; we have shown that when the attack strategy is the optimal one, with Gaussian or finite-cardinality signaling we get the same performance in terms of K-L divergence. Then, we found a Nash equilibrium of the attack-defense scheme, deriving the optimal defense strategy against the above-mentioned attack, which, in turn, is described by a Gaussian distribution. Finally, the performance of the detection schemes against the proposed attack has been analyzed through numerical simulations considering two verification mechanisms: LRT and GLRT.

APPENDIX A SYMMETRY OF THE K-L DIVERGENCE
In this Appendix we provide a proof of the symmetry of the K-L divergence when the attacker uses the optimal attack strategy p v|z , presented in Section III, and (42)

Fig. 3. DET curves for the LRT detection method (solid lines) and K-L divergence bounds (dashed lines) for different values of n, when p x is Gaussian distributed, M x = 1, m = 5, τ f associated with P1, τ E associated with P2, Λ AB = −25 dB, and Λ AE = −10 dB. The gray dashed line represents the trivial limit case in which the decision is taken by tossing a biased coin.

Fig. 6. DET curves for the GLRT detection method for different values of n, when p x is Gaussian distributed (solid lines) and when p x is a Binary distribution (dashed lines), M x = 1, m = 9, τ f associated with P1, τ E associated with P4, Λ AB = −20 dB, and Λ AE = −10 dB.

Fig. 7. DET curves for the GLRT detection method for different values of n and position pairs, when p x is Gaussian distributed, M x = 1, m = 9, Λ AB = −20 dB, and Λ AE = −10 dB.
that is, D(p xv ‖ p xy) = D(p xy ‖ p xv).

TABLE I SYSTEM PARAMETERS, i ∈ 1, 2, ..., m

This limits the region of achievable (p FA, p MD) values, depending on D(p xv ‖ p xy), for any decision mechanism choice. On one hand, the aim of the attacker Eve is to narrow the achievable region, by making the value of D(p xv ‖ p xy) as small as possible, operating on the attack strategy p v|z. On the other hand, Alice aims at enlarging the achievable region, by properly choosing the distribution of the transmitted word x in order to increase D(p xv ‖ p xy). Therefore, the defense strategy is defined by the pdf p x. The metric D(p xv ‖ p xy) can be expressed in terms of attack and defense strategies as D(p xv ‖ p xy) = p x (a)p v|x (b|a) log p v|x (b|a) f (p x , p v|z ) D(p xv ‖ p xy) ,

TABLE III DISTANCES BETWEEN EVE AND TARGET POSITION