GNSS Spoofing Detection and Mitigation in Multireceiver Configuration via Tracklets and Spoofer Localization

Global navigation satellite system (GNSS) sensors estimate their position, velocity, and time (PVT) using pseudorange measurements. When there is no interference, the pseudoranges are due to authentic satellites, and the bearings are distinguishable. In the presence of an intentional interference source such as a spoofer, however, the pseudorange measurements are due to spurious signals and all the bearings arrive from the same direction. These spurious attacks yield either no position or a falsified position at the GNSS receiver. This paper proposes to install multiple GNSS receivers on a vehicle (assumed to be cooperative) to detect and mitigate the spoofing attack. When installing multiple GNSS receivers, we assume that each GNSS receiver's relative position vector (RPV) is known to the other GNSS receivers. The installed GNSS receivers use the extended Kalman filter (EKF) framework to estimate their PVT. We propose to calculate the equivalent-measurement and equivalent-measurement covariance of each GNSS receiver in Cartesian coordinates in the tracklet framework. These tracklets are translated to the vehicle center using the RPV to obtain translated-tracklets. A translated-tracklet-based generalized likelihood ratio test (GLRT) is derived to detect the spoofing attack at a given epoch. In addition, these translated-tracklets are processed in a batch least squares (LS) framework to obtain the vehicle position. Once the attack is detected at a specific epoch, it indicates that the position information is false. Moreover, another spoofing test is formulated using the direction of arrival (DOA) of the signals. Once both tests confirm the spoofing attack, spoofer localization is performed using the pseudo-updated states of the GNSS receivers and the acquired bearings in the iterative least-squares (ILS) framework. Mitigation of the spoofing attack can be achieved either by projecting a null beam in the direction of the spoofer or by launching a counter-attack on the spoofer.
The simulation results demonstrate that the proposed algorithm detects spoofing attacks and ensures continuity in the navigation track. As the number of satellite signals increases, the algorithms provide better position root mean square error (PRMSE) for GNSS receivers track, vehicle track, and spoofer localization.


I. INTRODUCTION
Global navigation satellite systems (GNSS) are known for providing position, velocity, and time (PVT) information across the globe for various civilian and military applications [1]. The GNSS received power is very low, making the receivers susceptible to various intentional and non-intentional interferences. The GNSS standards and blueprints are readily available in the market, making a wide range of attacks on GNSS sensors possible [2]. The intentional interference sources are typically the jammer, the meaconer, and the spoofer. A jammer is a device that transmits noise in the same frequency and makes the GNSS receiver fail to acquire the measurements [3]. A meaconer is a trans-receiver device that stores the received authentic satellite signals and then transmits them onto the GNSS receiver at another time or place [4]. The spoofer is a receive-analyze-transmit device that analyzes the time-varying dynamics of the GNSS receiver to alter the received authentic signals before re-transmission. The mimicked GNSS signals produced by the spoofer lead to false positioning [5].
The associate editor coordinating the review of this manuscript and approving it for publication was Derek Abbott.
The directions of arrival (DOAs) of the satellite signals received by a GNSS receiver are distinguishable in a clean environment. On the other hand, in an intentional interference case, either the spoofer or a jammer transmits the fake signals towards the GNSS receiver. Hence, all the DOAs are in the same direction as the spurious source [6], [7]. Adaptive complex-EKF-based DOA estimation is presented in [6] to detect the spoofing attack based on the fact that all spurious signals are in the same direction. Robust spoofing detection is proposed by estimating the DOA of signals, and mitigation is carried out by a spatial null in the array reception pattern [7]. During the spoofing attack and mitigation process, the GNSS receivers lack the PVT solution. Similar to the above contributions, multiple-GNSS-receiver-based spoofing detection is suggested in [8]-[10]. The use of multiple mobile COTS receivers to detect the spoofing effect is introduced in [8], where the optimal genie detector is derived based on the assumption that the true positions are perfectly known and the observation errors are Gaussian. The differential pseudoranges from multiple receivers are considered to detect the spoofing in [9] by exploiting the time difference of arrival (TDOA) properties between spoofing and authentic signals. In [9], it is assumed that the TDOAs of spoofing signals from a spoofer are identical. However, this assumption fails in the case of stealthy GPS spoofing that employs multiple spoofers to spoof multiple GNSS receivers [11]. In another communication, differential pseudorange and carrier frequency measurements are used in a double antenna configuration to detect the spoofing attack [10]. Moreover, GNSS receivers with external range sensors are explored in [12], which detects the spoofing attack assuming only one GNSS receiver is under spoofing attack and the rest are not affected by spoofing.
Spoofing attack detection is a primary mechanism to know whether the navigation is based on authentic satellite signals or spurious signals [6]-[10], [12]. Even though the above literature successfully detects the spoofing attack, it lacks in estimating the PVT. Therefore, the navigation of GNSS is a significant research area of interest.
The spurious attack mitigation can be carried out by localizing the source or projecting the null beam in the direction of the spurious signals. The TDOA method is explored in [9] to detect the spoofing effect and localize the source based on the fact that signals coming from the same source possess exact time. Similarly, the localization of a jammer is also addressed with the TDOA in [13]. The jamming localization problem is solved by rotating the unmanned air vehicle (UAV) at multiple fixed positions to get the antenna gain pattern and estimate the strength and bearings [14]. In addition, the received signal strength (RSS) measurements are used in networked receivers to localize the jammers [15]. Simultaneous localization of jammer and target with power difference of arrival (PDOA) and graph theory is jointly applied to accomplish the desired performance [16]. Moreover, the meaconer localization problem is addressed with the help of space-time double-difference models [17]. Furthermore, the localization of a spoofer using a large-scale air traffic surveillance system is presented in [18]. The localization of a spoofer is also explored by using vehicle-to-vehicle communication in [19]. While solving the spoofer localization in [13], [16], it was assumed that the GNSS receiver location was known and was not being influenced by the attack. However, in reality, the spoofing process imposes the fake position on the GNSS receiver, and hence the closed-form solution using the GNSS fake position results in false localization. Interestingly, the received bearings measurement depends on the estimated GNSS receiver location due to the arctan function.
In the above-cited papers [6]-[10], [12], a detection test is derived to distinguish spoofing from non-spoofing activity. Further, all the earlier contributions were focused on spoofing detection. Hardly any research works are focused on navigation in the presence of spoofing. Therefore, we propose to install multiple GNSS receivers to detect spoofing and securely navigate the vehicle in a spoofing environment. Each GNSS receiver's relative position vector (RPV) pertaining to the vehicle center is assumed to be known precisely. The GNSS receivers estimate their state using the acquired pseudoranges in an extended Kalman filter framework. To calculate the vehicle position, we computed tracklets from the state estimates, such that their errors are not cross-correlated with the errors of any other data in the system. The tracklets are translated to the vehicle center using the RPV of each GNSS receiver, and the position is calculated using a batch least-squares solution. The estimated position of the vehicle is validated using a tracklets-based generalized likelihood ratio test (GLRT). Once the spoofing attack is detected, the mitigation of the effect should follow. Hence, we propose to discard the updated state of the EKF at a given epoch and replace it with the pseudo-update state. This ensures the navigation of the vehicle in the spoofing environment.
The key contributions of the paper are
• This paper derived a compact mathematical model to generate the pseudorange measurements (true and false) for multiple GNSS receivers installed on a vehicle. This assumption is valid and implementable; for example, a vehicle like a car can accommodate four installations of GNSS receivers.
• We derived a tracklet framework for calculating each GNSS receiver's equivalent-measurement and equivalent-measurement covariance in the cartesian coordinate using the estimated GNSS states. This tracklet computation is based on the inverse Kalman filter approach and can be easily implemented in either hardware or firmware update. This method is more feasible in the cooperative model, and it does not require any modifications to the existing GNSS receiver infrastructure.
• The vehicle's position is calculated based on the batch least squares using the translated-tracklets. The estimated position using Batch LS is validated using tracklets based generalized likelihood ratio test (GLRT). This test confirms whether the spoofing attack is carried out or not.
• Once the attack is detected at a given epoch, the updated state of the EKF at a given epoch is discarded and replaced with the pseudo-update state. This ensures the navigation solution of the GNSS in the spoofing environment. This pseudo-update state method is equally adaptable for the outlier pseudorange measurements, no-pseudorange measurements, and intentional pseudorange measurements case.
• Furthermore, the localization is also performed on the intentional interference source to mitigate the attack.
The rest of the paper is organized as follows. Section II states the problem formulation. In Section III, a generalized mathematical framework for multiple GNSS receivers in a spoofing environment is derived along with filtering and tracklets. Section IV explains the proposed methodology for spoofer attack detection and localization. Finally, results and conclusions are presented in Section V and Section VI.

II. PROBLEM FORMULATION
In a clean environment, a GNSS receiver located at x estimates its location asx, by using the authentic satellite set Minimum of four visible satellites are required out of twenty four satellites present in constellation to estimate any unknown 3D location on the earth (example GPS). Let the problem be in 2D scenario, i.e., x = [x, y] and The bearings from M satellites is given by θ t i M i=1 as shown in Fig. 1, where In a spoofing scenario, a spoofer is located at x s and transmits spurious signals with higher power onto the GNSS receiver to create a fake location of x f . Once the GNSS receiver locked onto the spurious signals originated from the spoofer, the GNSS receiver estimates its location as x f even though physically located at x, as shown in Fig. 1.
The bearings corresponding to the spurious signals is θ , and all spurious signals arrive in the same direction. The bearing measurements are given by From (1) and (2), we can observe that the bearings depend on the physical state x and the source location x i or x s . In a non-intentional interference case, in (1), the satellite locations are known since the signal received by the GPS receiver consists of the timestamp of signal transmission and satellite location information. Using multiple satellite signals, the GNSS receiver estimates its location as x̂. However, in (2), both the physical location of the GNSS receiver x and the spoofer location x s are unknowns in the received bearings measurement. Interestingly, in spoofing activity, the position information related to the GNSS receiver appears to be x f rather than x. Hence, solving the bearings-only localization problem with multiple wrong positions of GNSS receivers results in an incorrect estimate of the source. Therefore, the following observations can be made.
• A generalized mathematical framework for spoofing effect on multiple GNSS receivers is to be derived.
• Once the spoofer attacks the GNSS receivers in the vicinity, there should be a mechanism to detect the spoofing attack using the estimated position from multiple GNSS receivers.
• Soon after the spoofing attack is detected, the false position x f reported by the GNSS receiver at that discrete instant should be discarded, and an approximate physical location corresponding to x needs to be established.
• Localization of the spoofer needs to be achieved using bearings information from multiple GNSS receivers and counter-attack the intentional interference source.

III. GNSS POSITIONING AND SPOOFING ATTACK DETECTION
This section provides the mathematical model for a repeater-based spoofer and its influence on multiple GNSS receivers. Further, the equivalent-measurements calculation for the multiple GNSS receivers using tracklets is presented. After that, a GLRT is derived to detect the spoofing attack.

A. REPEATER BASED SPOOFER MEASUREMENTS
The GPS spoofing considered here is a repeater, in which the spoofer consists of a receiver, process unit, and transmitter module. The receiver module receives signals from the authentic satellites, separated into different channels based on the satellite ID. A repeater-based spoofer system with analyzing capabilities is proposed in [20], in which the processing unit calculates the external delays for each satellite signal before re-transmission. Once the delays are added to the received authentic signals, the transmitter module transmits the spurious satellite signals S onto the targeted GNSS. The spoofer analyzes the vehicle's actual location (physical location), spoof location (wrong location intended to create) and accordingly calculates the delays to be incorporated. The spoofer is operating in escort/ stand-in mode to the vehicle to carry out stealthy spoofing. The spoofer intends to create a fake-position x f j for the vehicle j which is being physically located at x j as shown in Fig. 2.
Here, N GNSS receivers are installed on the vehicle at {x r } N j=1 positions. In this process, not only does GNSS receiver j come under spoofing, but all the GNSS receivers in the vicinity also come under the spoofing attack, as stated in [21]. In Fig. 2, the dark lines from satellite to spoofer represent the reception of the original signal by the spoofer. These authentic satellite signals are captured by the spoofer located at x s , which processes and re-transmits them onto GNSS receiver j located at x r j to create a fake location of x f j . Since the spoofer is omnidirectional, the transmitted signal is received by all GNSS receivers within the vicinity of the spoofer. The spoofers use boosted power compared to the authentic satellite signals. Hence all the GNSS receivers come under spoofing. Therefore, we can observe three spoof locations corresponding to three GNSS receivers, as depicted in Fig. 2.
The spoofer located at x s receives the authentic combined signal from all satellites in the range as where A i is signal attenuation due to transmission from x i to x s . Whereas t is the global satellite time or system time, δ s i is the time-delay corresponding to the pseudorange measurement z s i . The spoofer modifies the time delays of individual satellite signals; the signal then re-transmitted onto GNSS receiver j is represented as The external time delay offered to the i th satellite signal by the spoofer for GNSS receiver j is given by δ i,j . The external delay calculation [22], [23] is given by The spoofer-to-GNSS receiver distance for j is d j . In practice, range measuring devices and trackers are employed for the distance calculation [23]. To simplify the problem, we assumed that the distance between the spoofer and GNSS receiver was known precisely to the spoofer. The re-transmitted signals propagate with the velocity of light (c) in open space and are then received by the GNSS receiver. As shown in Fig. 2, the GNSS receiver located at x l receives the combined signal as Here, l ∈ {1, . . . , N }. For l = j, the above equation defines that all the signals transmitted by the spoofer are locking onto the GNSS receiver j. Whereas for l ≠ j, the signals transmitted by the spoofer are locking onto the l th GNSS receiver even though the spurious signals are generated for GNSS receiver j. After processing the received signals, the pseudorange measurements obtained are given by Substituting δ s i = z s i / c and (5) in (7) yields On simplifying (8), we get The representation in (9) is the compact form to generate GPS measurements for the single-spoofer, multiple-GNSS-receiver spoofing case. In the spoofing process, the pseudorange measurement set obtained at the GNSS receiver l due to spoofer Here, we are ignoring the index of the GNSS receiver j to avoid the ambiguity in equations. Whereas in the non-spoofing case, the pseudorange measurement set obtained for the GNSS receiver j is z r

B. EKF FOR GNSS RECEIVER POSITIONING
The pseudo measurement for GNSS receiver j is given by where ρ i,j is the true range or geometrical range from satellite x i to GNSS receiver located at x j , which is equal to Where c t and w i,j are bias due to offset and pseudorange measurement error for satellite i respectively. The measurement noise follows the white Gaussian noise with mean zero and variance σ . The stacking of M pseudorange measurements gives where and H (k) is the linearized measurement transition matrix represented as and the state is Here The filter relaying on pseudo measurements at k and its last updates(x i (k |k ) andP i (k |k )) to estimate state and covariance update at k. Here k is the last epoch or last updated time.
Hence, the vehicle state dynamics is where F j (k ) is the state transition matrix and p j (k ) is process noise, follows zero mean additive WGN with covariance Q j (k ). The predicted state and its associated covariance of the Kalman filter arê andP respectively. The measurement prediction is given bŷ The residual and residual covariance are and respectively. Here R j (k) is the measurement covariance matrix corresponding to the z j (k). The filter gain is given by The updated state and its associated covariance are designated asX andP respectively. Here, the measurements fed to the filter are pseudoranges. The state is a stacked vector of position and velocity. We are constructing the equivalent measurements in Cartesian space using the updated and predicted states of the filter.

C. TRACKLET COMPUTATION
A tracklet is a track computed so that its errors are not cross-correlated with the errors of any other data in the system for the same target [24]. A tracklet is like a large measurement (considers the position and velocity of the GNSS receiver). The tracklet based method provides approximate equivalent measurements of the reported tracks without additional assumptions. Moreover, it is not mandatory to have synchronous updates from all the filters. Tracklets can be computed between any two updates from the same GNSS receiver using inverse information filter, inverse Kalman filter, and measurement matrix [24]. Out of them, the inverse Kalman filter is easy to realize, and it only requires data from any two timestamps to compute tracklet at the required time stamp [25]. Here, the inverse Kalman filter-based tracklet computation method is applied. Inverse filtering is to infer the parameters of a filtering system by observing its output. This inverse filtering gained popularity in system identification, fault detection, image deblurring, and signal deconvolution. Based on this method, the equivalent measurement for GNSS receiver j using the filtered output at k and k is m j (k, k ). The timestamp information at these two instants should be available to compute equivalent measurements at a given epoch. Therefore, the equivalent measurement is as given in [25] where and where E[·] is an expectation operator. Here Z k represents the measurements upto k time instant, that is Here, I is the identity matrix, and Only the final equation of the equivalent measurement covariance is presented in (25), the detailed derivation is presented in APPENDIX. To compute tracklet at any discrete time instant k, one should haveX j (k|k), P j (k, k),X j (k |k ) and P j (k , k ). The tracklets can be computed for any number of lags. Because of this feasibility, if the filter update rate is different, it will not create any issues in the algorithm. 
However, to compute tracklet at k, the matrix P j (k, k ) − P j (k, k) has to be non-singular. The detailed derivation of the tracklet, its sub-optimality conditions, and non-singularity issues are presented in [26]. The equivalent measurement corresponding to the position of the GNSS receiver is represented as where F = diag {1, 0, 1, 0, 0}. Similar to that of state, the equivalent measurement covariance is given by Here, F is to extract the position information from the equivalent measurement vector. It is worth noting that the state vector and the equivalent measurement vector are of the same dimensions.

D. VEHICLE POSITIONING
We consider N GNSS receivers spatially deployed at x j N j=1 on a given vehicle as shown in Fig. 3. The location of the vehicle's centre is x, which can be any arbitrary location (GNSS receiver is not necessarily present in that location).
Since the installation of GNSS receivers is predefined, one can define the location of the GNSS receivers relative to the centre of the vehicle as illustrated in Fig. 3. Here, δ x j and δ y j are the relative distances of x j with respect to x. The relation between relative distance-vector, installed GNSS receivers location, and centre of the vehicle is given by The equivalent measurement obtained for the GNSS receivers j is where H j = 1 0 0 1 and w j follows zero mean white Gaussian noise with covariance equal to R x j . The measurements are translated with respect to the centre of the vehicle using the relative position vector, which is readily available. The modified measurements are designated as The (32) is obtained by substituting the (29) in (31). Considering all the N measurements, a batch least squares solution is formed to estimate the x. The measurement transition matrix and the measurement noise covariance matrix for batch LS is given by The LS estimate is given by [27] aŝ Substituting the (33) in (34) The above result in (35) using batch LS is equal to the sample mean of all the N observations. In the given environment, a spoofer is located at x s and trying to spoof any one of the GNSS receivers installed on the vehicle. In a crowded GNSS receivers case, the influence of spoofing is not limited to one receiver, and it corrupts all the position information of GNSS receivers in the vicinity [21]. Besides, due to the spoofing activity of the spoofer, GNSS receiver j is spoofed by a distance of x j . Where x j = [ x, y] . The relation between relative distancevector, installed GNSS receiver location, and spoofed distance is given by The translated measurement for the GNSS receiver j using the relative distance vector is represented as Here, the (37) contain two unknown vectors x j and x j . 
The (37) is subjected to the batch LS framework as shown in the clean environment, and the estimate is given bŷ By observing the (35) and (38), we can infer that the objectives of the proposed investigation is to detect the spoofing attack.

E. DETECTION OF A SPOOFING ATTACK WITH TRACKLETS
To detect the spoofing effect, we establish a binary hypothesis test using the obtained translated-tracklets. In the no-spoofing case, the hypothesis H 0 assumes that the estimated positions of the GNSS receivers are due to authentic measurements. The hypothesis H 1 is for the spoofing case, in which the position estimates are false due to the spoofing. That is The observations in (39) Similarly, the pdf of likelihood of observations under the given hypothesis H 1 is The generalized likelihood ratio test (GLRT) of the above two hypotheses is given by At time index k, the GLRT [28] is evaluated to decide whether a spoofing attack is present or not. If the GLRT is greater than the threshold γ, the flag signal ζ = 1, which indicates the presence of a spoofing attack; else ζ = 0 and there is no spoofing attack. Therefore are indistinguishable since all the bearings are from the same direction of the spoofer [6]. Therefore at time k, the detector gives Here, η is a flag signal to distinguish whether there is a spoofing attack or not.
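The following added example (not code from the paper) walks through the translate-then-batch-LS step of Section III-D and a detection test on the translated tracklets. Because the paper's GLRT expression is not reproduced in this text, the detector is an assumed stand-in: a covariance-weighted residual statistic compared with a chi-square threshold. The RPVs, covariances, positions, spoof offsets, the convention "receiver = centre + RPV" and the threshold value are all constructed for illustration.

```python
"""Translated-tracklet consistency check (assumed stand-in for the paper's GLRT)."""


def inv2(m):
    """Invert a 2x2 matrix given as ((a, b), (c, d))."""
    (a, b), (c, d) = m
    det = a * d - b * c
    if abs(det) < 1e-12:
        raise ValueError("singular 2x2 matrix")
    return ((d / det, -b / det), (-c / det, a / det))


def translate(tracklet, rpv):
    """Shift a receiver's equivalent position measurement to the vehicle centre.

    Assumed convention: receiver position = centre + RPV.
    """
    return (tracklet[0] - rpv[0], tracklet[1] - rpv[1])


def batch_ls(translated, covs):
    """Weighted batch LS: x_hat = (sum R_j^-1)^-1 * sum R_j^-1 z_j.

    With identical covariances this reduces to the sample mean.
    """
    info = [[0.0, 0.0], [0.0, 0.0]]
    rhs = [0.0, 0.0]
    for z, cov in zip(translated, covs):
        w = inv2(cov)
        for a in range(2):
            rhs[a] += w[a][0] * z[0] + w[a][1] * z[1]
            for b in range(2):
                info[a][b] += w[a][b]
    p = inv2(info)
    return (p[0][0] * rhs[0] + p[0][1] * rhs[1],
            p[1][0] * rhs[0] + p[1][1] * rhs[1])


def residual_statistic(translated, covs, centre):
    """Sum of covariance-weighted squared residuals about the LS centre.

    For N consistent receivers it is chi-square with 2(N-1) degrees of freedom.
    """
    total = 0.0
    for z, cov in zip(translated, covs):
        w = inv2(cov)
        dx, dy = z[0] - centre[0], z[1] - centre[1]
        total += dx * (w[0][0] * dx + w[0][1] * dy)
        total += dy * (w[1][0] * dx + w[1][1] * dy)
    return total


def detect(tracklets, rpvs, covs, gamma):
    """Return (LS centre, statistic, flag zeta) for one epoch."""
    translated = [translate(z, d) for z, d in zip(tracklets, rpvs)]
    centre = batch_ls(translated, covs)
    stat = residual_statistic(translated, covs, centre)
    return centre, stat, int(stat > gamma)


# Constructed sample data: four receivers on a yacht-sized platform.
RPVS = [(30.0, 0.0), (-30.0, 0.0), (0.0, 8.0), (0.0, -8.0)]   # metres
COVS = [((9.0, 0.0), (0.0, 9.0))] * 4                         # sigma = 3 m
TRUE_CENTRE = (1000.0, 2000.0)
ERRORS = [(1.0, -2.0), (-2.0, 1.0), (0.5, 1.5), (0.5, -0.5)]  # tracklet errors
# Each receiver is displaced by a different amount, as in the paper's results.
SPOOF_SHIFT = [(10.0, 10.0), (28.0, 28.0), (70.0, 70.0), (70.0, 70.0)]
GAMMA = 16.81  # 0.99 quantile of chi-square with 2*(4-1) = 6 dof

CLEAN = [(TRUE_CENTRE[0] + r[0] + e[0], TRUE_CENTRE[1] + r[1] + e[1])
         for r, e in zip(RPVS, ERRORS)]
SPOOFED = [(c[0] + s[0], c[1] + s[1]) for c, s in zip(CLEAN, SPOOF_SHIFT)]

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("spoofed", SPOOFED)):
        centre, stat, zeta = detect(data, RPVS, COVS, GAMMA)
        print(f"{name:8s} centre=({centre[0]:.1f}, {centre[1]:.1f}) "
              f"statistic={stat:.2f} zeta={zeta}")
```

In the spoofed epoch the batch LS still returns a position, but it is the falsified one; the statistic is what reveals that the translated tracklets no longer agree at the vehicle centre.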

IV. PSEUDO-TRACK AND SPOOFER LOCALIZATION
Once the spoofing attack is confirmed using the GLRT and bearings test, spoofer localization is essential to mitigate the spoofing effect. However, during the spoofing attack, the position integrity of the GNSS receivers is not preserved. Hence, we propose a pseudo-track update [29] technique to approximately calculate the positions of the vehicle and the GNSS sensors.

A. PSEUDO TRACK OF THE VEHICLE
At discrete time index k, the spoofer attack is detected by using the GLRT and bearings. Hence, the estimated position at k using batch LS results in x̂ f (k) rather than x̂(k). Therefore, an approximate position of the GNSS location is required to perform localization using bearings-only information. The updated position can be approximated by using the pseudo-position method given in [29]. At k, the failure of measurement (spoofing) or unavailability of measurement (jamming) results in a lack of an updated state at the k th instant. However, one can assume the updated state to be the predicted state in the intentional interference case as suggested in [27], [29]

B. SOURCE LOCALIZATION WITH BEARINGS
The source localization is performed at a given k using the pseudo-position of the GNSS receivers and the observed bearings. The spoofer is located at x s and transmits the spurious signals onto the vehicle. The localization problem can be formulated with LS, ILS, and Newton's methods [30]. However, the ILS outperforms other methods. Hence, we formulate the ILS to localize the spoofing source, since this method iteratively improves the current estimate using the measurements until it accomplishes the desired accuracy. The measurement model for the bearings corresponding to the GNSS receiver j is where v j is the zero mean white Gaussian measurement noise with variance σ 2 θ . In (47), x j and y j are the pseudo-positions obtained by using the prediction of the previous state. It is worth looking at the difference between (2) and (47): (2) involves the false position of the GNSS receiver, whereas (47) is a function of the pseudo-update position of the GNSS receiver. The stacked vector of all the available bearings is given by Using the estimate x̂ s n at the end of iteration n, one can update the ILS estimate as x̂ s n+1 using [27] x s n+1 =x s n + J n R −1 J n −1 where J n is the Jacobian matrix represented as The convergence criterion is decided by the number of iterations or the achievable accuracy. Moreover, the initialization of the position is done by taking any two intersections from the given bearings-only measurements.
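The following added example (not code from the paper) implements bearings-only ILS localization as described above and contrasts the estimate obtained from pseudo-update positions with the one obtained from spoofed positions. The bearing model atan2(y_s - y_j, x_s - x_j), the standard Gauss-Newton form of the update, and all coordinates, spoof offsets and noise values are assumptions constructed for illustration; the pseudo-positions are taken equal to the physical receiver positions.

```python
"""Bearings-only ILS localization of an interference source (illustrative)."""
import math


def wrap(angle):
    """Wrap an angle difference to [-pi, pi)."""
    return (angle + math.pi) % (2.0 * math.pi) - math.pi


def intersect(p_a, th_a, p_b, th_b):
    """Intersection of two bearing lines, used to initialize the ILS."""
    denom = math.sin(th_b - th_a)
    if abs(denom) < 1e-9:
        raise ValueError("bearings are parallel; pick another pair")
    dx, dy = p_b[0] - p_a[0], p_b[1] - p_a[1]
    t = (dx * math.sin(th_b) - dy * math.cos(th_b)) / denom
    return (p_a[0] + t * math.cos(th_a), p_a[1] + t * math.sin(th_a))


def ils_localize(receivers, bearings, sigma_theta, max_iter=20, tol=1e-6):
    """Iterate x <- x + (J' R^-1 J)^-1 J' R^-1 (z - h(x)) with R = sigma^2 I."""
    xs, ys = intersect(receivers[0], bearings[0], receivers[1], bearings[1])
    w = 1.0 / sigma_theta ** 2
    for _ in range(max_iter):
        a11 = a12 = a22 = b1 = b2 = 0.0
        for (xj, yj), z in zip(receivers, bearings):
            dx, dy = xs - xj, ys - yj
            r2 = dx * dx + dy * dy
            res = wrap(z - math.atan2(dy, dx))   # innovation for receiver j
            j1, j2 = -dy / r2, dx / r2           # Jacobian row of atan2
            a11 += w * j1 * j1
            a12 += w * j1 * j2
            a22 += w * j2 * j2
            b1 += w * j1 * res
            b2 += w * j2 * res
        det = a11 * a22 - a12 * a12
        if det <= 0.0:
            raise ValueError("geometry does not make the source observable")
        step_x = (a22 * b1 - a12 * b2) / det
        step_y = (a11 * b2 - a12 * b1) / det
        xs, ys = xs + step_x, ys + step_y
        if math.hypot(step_x, step_y) < tol:
            break
    return xs, ys


# Constructed scenario: spoofer 300 m from the vehicle centre at the origin.
SPOOFER = (180.0, 240.0)
PSEUDO_POS = [(30.0, 0.0), (-30.0, 0.0), (0.0, 8.0), (0.0, -8.0)]
SPOOF_SHIFT = [(10.0, 10.0), (28.0, 28.0), (70.0, 70.0), (70.0, 70.0)]
FALSE_POS = [(p[0] + s[0], p[1] + s[1]) for p, s in zip(PSEUDO_POS, SPOOF_SHIFT)]
SIGMA_THETA = 0.001                              # rad
NOISE = (0.001, -0.001, 0.0005, -0.0005)         # fixed, constructed errors

# Bearings are physically measured at the real antenna positions.
EXACT = [math.atan2(SPOOFER[1] - y, SPOOFER[0] - x) for x, y in PSEUDO_POS]
NOISY = [b + n for b, n in zip(EXACT, NOISE)]


def error(estimate):
    """Distance between an estimate and the constructed spoofer position."""
    return math.hypot(estimate[0] - SPOOFER[0], estimate[1] - SPOOFER[1])


if __name__ == "__main__":
    for name, pos in (("pseudo-update", PSEUDO_POS), ("spoofed", FALSE_POS)):
        est = ils_localize(pos, NOISY, SIGMA_THETA)
        print(f"{name:14s} estimate=({est[0]:.1f}, {est[1]:.1f}) "
              f"error={error(est):.1f} m")
```

Pairing the same bearings with the falsified receiver positions biases the source estimate, which is why the localization uses pseudo-update positions rather than the positions reported during the attack.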

C. SPOOFING MITIGATION
In spoofing activity, all the spoof signals arrive from the same direction. Hence, placing a null beam in the direction of the source mitigates the spoofing [31]. However, to steer the null beam in that direction, one needs to calculate the spoofer location, which is carried out by using bearings information. Whenever the flags ζ and η are set to one, it confirms spoofing activity and enables the flag f , which is given by However, the flag f (k) can sometimes be a false positive. Hence, we formulated a management module to study the flags over time, which is similar to track management in target tracking applications [32]. We adopted the m/n rule to make a decision about spoofing. In a given n scans of data, if the flags are unity for m scans, it confirms spoofing activity. The quantifying metric to launch a counter-measure against the spoofing activity is given from a decision metric whenever this metric f n > m, then the counter-measure launches. This mitigation is possible by launching a counter-attack like null beam projection in the direction of the spoofer or shooting the spoofer as an anti-spoofing measure as in defense applications. The overall algorithm flow corresponding to spoofing detection and mitigation is given in Algorithm 1.

V. RESULTS AND DISCUSSIONS

A. SIMULATION SCENARIO
WGS-84 with circular orbit assumption is used to simulate the satellite trajectories in both spoofing and non-spoofing cases. The positions of the satellite are given by

) sin (t) + sin (t) cos (t) cos 55 •
Here, D = 26,560 km is the radius of the earth. Whereas, is the angular phase, and is the right ascension in the circular orbit given by The satellites' initial positions t(0) are given in Table 1.
Superyachts to mega yachts usually vary from 24 m long to 100 m long. Hence we consider a yacht in our simulation are deployed at different locations rather than installing the GNSS receiver at the center of the yacht. The RPV of the GNSS receivers with respect to the vehicle center is tabulated in Table 2. The spoofer location from the center of the yacht is also presented in Table 2, and is shown in Fig. 3. We consider a false trajectory walking test bench [20] to evaluate the proposed algorithm. That is, the receiver is consistently misled by a constant distance, and the trajectory follows the constant velocity (CV) model as shown in Fig. 3. The spoofing process is carried out using a repeater-based spoofer. As given in [33], it is always advisable to maintain a constant distance between the spoofer and GNSS receiver to avoid anti-spoofing algorithms like power thresholding [34]. Therefore, the spoofer is 300 m away from the vehicle's center and travels parallel to the yacht throughout the simulation scenario.
Algorithm 1
for k = 1 : scans do
3: for j = 1 : M do
4: Compute updated state X j (k|k) and updated covariance P j (k|k) by using pseudorange measurements (EKF framework)
5: Compute equivalent measurement z x j (k) and equivalent measurement covariance R x j by using prediction X j (k|k ), P j (k|k ) and updated information X j (k|k), P j (k|k).
Pseudo track updation
13: end for
14: Compute centre of the vehicle x(k) by using pseudo track updates X p j (k|k)
The yacht turbulence is modeled as process noise. The state propagation is given by The process noise components along the east and north follow white Gaussian distributions with standard deviations of 1 m and 1 m respectively. The state vector is [x y ẋ ẏ] and the state transition is given by The sampling time δt is equal to 1 s. The GNSS receivers are synchronous for the given sampling time and report the updated state by processing the received pseudorange measurements. The spoofing process starts at discrete time index k = 20; the simulation scenario of the GNSS receivers and spoofer is shown in Fig. 4. The true pseudorange measurements are corrupted with WGN noise with mean zero and standard deviation of 3 m. Due to the ideal spoofer assumption, the repeater-based spoofer also processes with the same noise statistics [23], i.e., the spoofed pseudorange measurements are also corrupted with WGN noise with zero mean and standard deviation of 3 m.

B. GNSS TRACKS ACCURACY
The position estimate of each GNSS receiver is obtained by using pseudorange measurements in the EKF framework. The tunable parameters of the filter are its process noise covariance Q and measurement noise covariance R. All the GNSS receivers are given with Two point initialization method [32] is adopted to initialize the GNSS tracks at k = 1. The two point initialization uses the position estimates provided at t(0) and t(1) as Till k = 20, the GNSS receivers estimate the PVT correctly due to the reception of authentic measurements. At k = 20, spurious signals lock onto the receiver, and the GNSS receiver estimates a false position owing to false pseudoranges. So in the absence of anti-spoofing algorithms, the position root mean square error (PRMSE) increases during the attack. Even though the spoofer intended to spoof GNSS-1, all four GNSS receivers are spoofed to different locations. Here, all four GNSS receivers are affected by the spoofing attack due to the omnidirectional behavior of the spoofer [21]. Hence, during the spoofing activity, the PRMSE of the GNSS receivers differs with the spoofer-to-receiver distance as given in (9). Therefore, throughout the spoofing attack, the PRMSE rises in the absence of anti-spoofing algorithms. The EKF estimation accuracy for all the GNSS receivers is depicted in Fig. 5a-Fig. 5d with four spoofed measurements.
In Fig. 5a, we can see that the spoofing attack leads to a rise in PRMSE to 16 m since the spoofer is intended to spoof GNSS-1 by 10 m along east and north. This position offset is not the same at all the GNSS receivers. Because the GNSS receivers are spatially separated, we can observe that the GNSS-2, GNSS-3, and GNSS-4 receivers are spoofed to different locations, and their PRMSE is 40 m, 100 m, and 100 m, respectively. In the initial phase of the spoofing attack, i.e., at k ∈ [21 − 23], the PRMSE rises because the filter gives more weight to the measurement than to the prediction. In this process, the gain changes and tunes to the spoofed measurements. The sudden deflection in the measurement is considered an outlier, and the filter cannot mitigate such outliers. The filter estimates the updated state based on the prediction and the available measurement at that time instant. In this process, the filter took four samples to reach the worst spoofing case (max value of spoofing deflection). We adopted the 1/3 rule to make the pseudo track updation and the 4/7 rule to mitigate the effect. Therefore, as given in (46), the pseudo track is considered for the GNSS during the period of k ∈ [21 − 24]. After four data samples, i.e., at k = 25, the signals coming from the spoofer's direction are not considered. Once this mitigation is performed, the actual measurements lock onto the receivers. Therefore, the actual measurements are considered from k = 25 to perform the position estimate.
In Fig. 5a-Fig. 5d, it is worth noting that the PRMSE rises during the interval of k ∈ [21 − 24]. This is because the predicted state is used rather than the updated state. Hence, if a filter runs with the prediction, it cannot accommodate the turbulence, and an error is observed. The rise in PRMSE during this interval is around 2 − 4 m. Since the vehicle is moving with the CV model, this error is small; a larger error would be seen for turn and acceleration models. Therefore, this pseudo track updation is a suitable candidate for navigation in an intentional interference case for a short duration. Once the attack is detected, the vehicle can rely on the prediction of the track or inertial measurement units. Soon after the attack is mitigated, the filter again acquires the authentic measurements and computes the GNSS state. After mitigation, the filter again tunes to these measurements, and PRMSE decreases. This can be seen in the results, where the PRMSE comes down from k = 24 and settles again.
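The 1/3 and 4/7 decision rules described above, as an added example that is not code from the paper: a closed-loop m-of-n schedule that switches one receiver between normal EKF updates and prediction-only pseudo track updates. It assumes the spoofing tests fire at every spoofed epoch from k = 21 until mitigation takes effect and that the detection windows restart once mitigation is declared; the function names and the window length n = 10 used below for larger m are constructed for illustration.

```python
from collections import deque

def m_of_n(history, m, n):
    """True when at least m of the most recent n detection flags are set."""
    return sum(list(history)[-n:]) >= m

def run_schedule(spoofed, pseudo_rule=(1, 3), mitigate_rule=(4, 7)):
    """Per-epoch filter action for one receiver.

    spoofed[i] says whether spoofed signals reach the receiver at epoch
    k = i + 1. Assumption: the spoofing tests flag every such epoch until
    mitigation takes effect.
    Returns (actions, k_confirmed): actions[i] is 'update' (normal EKF
    measurement update) or 'pseudo' (prediction-only pseudo track update);
    k_confirmed is the epoch at which the mitigation rule is first met.
    """
    history = deque(maxlen=max(pseudo_rule[1], mitigate_rule[1]))
    actions, k_confirmed = [], None
    for k, present in enumerate(spoofed, start=1):
        detected = present and k_confirmed is None
        history.append(detected)
        actions.append("pseudo" if m_of_n(history, *pseudo_rule) else "update")
        if k_confirmed is None and m_of_n(history, *mitigate_rule):
            k_confirmed = k      # spoofer direction is excluded from k + 1 on
            history.clear()      # assumption: windows restart after mitigation
    return actions, k_confirmed

def pseudo_epochs(actions):
    """Epoch indices (1-based) that ran on the pseudo track update."""
    return [k for k, a in enumerate(actions, start=1) if a == "pseudo"]

# Constructed timeline: 40 scans, spoofing tests first fire at k = 21.
SPOOFED = [k >= 21 for k in range(1, 41)]

if __name__ == "__main__":
    for rule in [(4, 7), (6, 10), (8, 10)]:   # n = 10 is a constructed value
        actions, k_conf = run_schedule(SPOOFED, mitigate_rule=rule)
        print(rule, "pseudo epochs:", pseudo_epochs(actions), "confirmed:", k_conf)
```

With the 4/7 rule the receiver coasts on prediction for k = 21 to 24 and returns to measurement updates at k = 25; raising m lengthens the coasting interval, which is the trade-off examined for m = 4, 6, and 8 in Section E.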

C. VEHICLE POSITIONING
The vehicle position results from the constructed equivalent measurements. Here, the equivalent measurements are translated and processed in the batch LS framework to get the vehicle position. The vehicle position PRMSE is depicted in Fig. 6 with four GNSS receivers, where each receiver gets four pseudoranges. Here, we observe that in the spoofing case, the PRMSE increases, and the proposed method can maintain the track continuity with the help of a pseudo-track update. In the absence of anti-spoofing, the PRMSE value is around 15 − 20 m. Whereas, with the proposed method, the vehicle maintains the PRMSE value in the range of 2 − 4 m, agreeing with the civilian GNSS receiver estimate. Moreover, this batch LS gives an enhanced estimate, and it is evident from Fig. 7. The individual GNSS receivers offer the PRMSE  to process the multiple GNSS receiver's data to obtain the overall estimate of the vehicle.

D. IMPACT OF NUMBER OF SATELLITES
The number of available satellites is an essential parameter in pseudorange-to-position estimation. Here, the state of the GNSS consists of three parameters of interest. Hence, to estimate a position in 2D, one needs at least three pseudorange measurements. In this simulation, we varied the number of satellites from four to six. The PRMSE of GNSS receiver-1 for the varying number of satellites is depicted in Fig. 8, where we can see that an increase in the number of satellites improves the position estimate. The other GNSS receivers (GNSS receiver-2, 3, and 4) provide the same performance as shown in Fig. 8. Further, the vehicle PRMSE is also computed and visualized in Fig. 9. It is noticed that, as the number of satellites increases, the vehicle position estimation accuracy improves.

E. ACCURACY OF LOCALIZATION AND MITIGATION
The localization of the spoofer helps to mitigate the spoofing attack. The localization of the spoofer is achieved by using bearings to position estimates in the ILS framework. Here, the bearings are corrupted with WGN with zero mean and a standard deviation of 1 mrad. While performing the spoofer localization, the initial estimate of the spoofer's location is an intersection of two bearings. After that, we performed the ILS with the obtained bearings information. The number of iterations is limited based on the required accuracy over the time frames and is limited to 3 m. In another case, the maximum number of iterations is 20. Even though the position information of the GNSS receivers is calculated using the pseudo-update, we accomplished a good performance. The PRMSE of the spoofer is depicted in Fig. 10.
The decision of spoofer mitigation is carried out by observing the spoofing attack detection over time. The m/n rule is adopted to make a decision. Here, for larger m, the vehicle tracking performance can be improved, but in the same duration, the GNSS track may attain higher PRMSE due to the pseudo track update. Hence, to demonstrate the effect of the decision on several scans, we carried out the simulations for m = 4, 6, and 8. The PRMSE corresponding to GNSS-1 for the variable number of scans is presented in Fig. 11. The same applies to all the other GNSS receivers. We can observe a rise in PRMSE after k = 20 and before applying the mitigation. The PRMSE increases only because the predicted state is used rather than the updated state during the spoofing mitigation. Here, it is essential to note that this algorithm provides lower performance while mitigating the spoofing effect for a higher value of scan number. In Fig. 11, as the number of scans increases, the PRMSE increases. In addition, the same impact of scans has also been observed in vehicle positioning. In Fig. 12, the vehicle position accuracy can be observed, and it is also in agreement with the GNSS receiver's accuracy. This rise in the PRMSE is owing to the batch estimate of the installed GNSS receivers. Even though the PRMSE increases, it is lower than the accuracy of installed GNSS receivers. Hence, this algorithm is equally deployable for larger scans to decide on spoofing mitigation.
Furthermore, it is worth mentioning that this algorithm works for any number of GNSS receivers. As the number of installed GNSS receivers increases, the position estimate of the vehicle improves. This algorithm is evaluated on a vehicle, but it can equally be applied to a given surveillance area, where the RPV is easy to determine at installation.
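The spoofer localization step of this section, as an added example that is not code from the paper: the initial estimate is the intersection of two bearings, refined by bearings-only iterated least squares (Gauss-Newton) with the 20-iteration cap from the text. The receiver coordinates, the fixed bearing errors of up to 1 mrad, the bearing convention (counter-clockwise from east), the stopping threshold and all function names are assumptions; receiver positions are taken as exact here, whereas the paper uses pseudo-updated positions.

```python
import math

def intersect(p1, b1, p2, b2):
    """Intersection of two bearing rays: the initial spoofer estimate."""
    d1x, d1y = math.cos(b1), math.sin(b1)
    d2x, d2y = math.cos(b2), math.sin(b2)
    rx, ry = p2[0] - p1[0], p2[1] - p1[1]
    det = d2x * d1y - d1x * d2y              # zero for parallel bearings
    if abs(det) < 1e-9:
        raise ValueError("parallel bearings: no usable intersection")
    t1 = (d2x * ry - d2y * rx) / det         # range along the first ray
    return p1[0] + t1 * d1x, p1[1] + t1 * d1y

def localize(receivers, bearings, max_iter=20, tol=1e-3):
    """Bearings-only ILS (Gauss-Newton); returns ((x, y), iterations)."""
    sx, sy = intersect(receivers[0], bearings[0], receivers[1], bearings[1])
    for it in range(1, max_iter + 1):
        a = b = c = g1 = g2 = 0.0            # H'H = [[a, b], [b, c]], H'e = [g1, g2]
        for (px, py), z in zip(receivers, bearings):
            dx, dy = sx - px, sy - py
            r2 = dx * dx + dy * dy
            hx, hy = -dy / r2, dx / r2       # Jacobian of atan2(dy, dx)
            e = z - math.atan2(dy, dx)
            e = math.atan2(math.sin(e), math.cos(e))   # wrap residual
            a += hx * hx
            b += hx * hy
            c += hy * hy
            g1 += hx * e
            g2 += hy * e
        det = a * c - b * b
        ux, uy = (c * g1 - b * g2) / det, (a * g2 - b * g1) / det
        sx, sy = sx + ux, sy + uy
        if math.hypot(ux, uy) < tol:         # assumed stopping threshold (m)
            break
    return (sx, sy), it

# Constructed scenario (not the paper's Table 2): four receivers around the
# vehicle centre at the origin, spoofer 300 m from the centre.
RECEIVERS = [(-20.0, -5.0), (20.0, -5.0), (20.0, 5.0), (-20.0, 5.0)]
SPOOFER = (180.0, 240.0)
NOISE_RAD = [1e-3, -1e-3, 0.5e-3, -0.5e-3]   # constructed bearing errors

def bearings_to(target, noise=(0.0, 0.0, 0.0, 0.0)):
    """Bearings (rad, counter-clockwise from east) seen at each receiver."""
    return [math.atan2(target[1] - py, target[0] - px) + n
            for (px, py), n in zip(RECEIVERS, noise)]

def position_error(estimate):
    return math.hypot(estimate[0] - SPOOFER[0], estimate[1] - SPOOFER[1])
```

With receivers only tens of metres apart and the spoofer 300 m away, the geometry is weak along the line of sight, so a 1 mrad bearing error maps to metre-level range error while the cross-range error stays much smaller.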

VI. CONCLUSION
This paper proposes the installation of multiple GNSS receivers on a vehicle to detect spurious attacks and secure navigation. It assumes that each installed GNSS receiver's relative position vector (RPV) from the vehicle's center is known precisely. The generalized mathematical framework is derived for the multiple GNSS receivers in a spoofing environment. The pseudorange measurements of either authentic satellites or the spoofer are considered to estimate the receiver's state using the extended Kalman filter (EKF) framework. Once the states are available, an equivalent measurement in the Cartesian domain is derived with the help of tracklets, and these tracklets are then translated using RPV. Besides, the vehicle location is calculated using the translated equivalent measurements in the batch least square (LS) framework. This paper considered two different spoofing attack detection tests: bearings-based detection and tracklet-based detection. A generalized likelihood ratio test is developed using the translated equivalent measurements to distinguish the spoofing and non-spoofing cases. Soon after the threat is detected, an iterative least square (ILS) based localization framework is employed to localize the spoofer, using the bearings-only information. However, the estimated GNSS location is falsified due to the spoofed location at that specific epoch. Hence, this paper employed a pseudo track update to calculate the receiver's position at that epoch. The simulation results reveal that installing a number of GNSS receivers not only detects the spoofing attack but also enhances the vehicle position estimate. Further, it is observed from the results that, as the number of satellite signals increases, the proposed algorithm provides improved PRMSE for all GNSS receivers, location accuracy of the vehicle, and spoofer location. This paper can be further extended to the specific surveillance area, as RPV calculation for a static node is feasible.
This tracklet based equivalent measurement re-creation approach is a generalized technique, which is sensor measurement independent and can be applied for all other sensors. Furthermore, we limited this work to the static installation of the node; however, one can look into the problem of dynamic nodes and develop novel algorithms as future work.

APPENDIX
This section provides the detailed derivation of the equivalent measurement covariance in (25).
By using the properties and In the above, it is to be noted that, the term E [X j (k) −X j (k|k)] | Z k j is zero. The M j (k, k ) can be expanded as Now, by using the property Therefore, the M j (k, k ) can be further simplified as M j (k, k ) = A j (k|k ) P j (k | k ) A j (k|k ) − I T − A j (k|k )P j (k | k)A j (k|k ) T + A j (k|k )P j (k | k) which yields (25). It is important to note that (62) and (63) are transpose of each other. However, since M j (k, k ) is symmetric, (62) and (63) are equal to each other.