Expand description
Spoofing-detection security figure of merit.
A time-spoofing attack feeds the receiver a false GNSS timing signal that slowly drags its clock solution. The classical defence is a clock-aided integrity monitor: the receiver predicts time forward from its own clock and cross-checks the GNSS-derived time against that prediction, flagging a fault when the two disagree by more than a few sigma.
This is a single-clock consistency monitor, NOT a multi-satellite RAIM
detector: there are no pseudorange residuals across several satellites, no
protection level, and no probability of hazardously misleading information.
The innovation-vs-sigma test is mathematically the same shape as the fault
detection in Brown, “A baseline GPS RAIM scheme” (and Groves, Principles of
GNSS, Inertial, and Multisensor Integrated Navigation Systems, integrity
chapter), but the score it produces is an analytic spoof-detectability
bound for a given clock — not an implementation of RAIM. Real multi-SV
RAIM/ARAIM with HPL/VPL is a roadmap item; see docs/INTEGRITY.md.
Over a coherent monitoring window of length tau, the comparison uncertainty
has two independent contributions:
sigma_mon^2(tau) = r / m + q_wf * tau + q_rw * tau^3 / 3r / m— the GNSS phase-measurement noise (variancer) beaten down by averaging themsamples taken within the window.q_wf * tau + q_rw * tau^3 / 3— the clock’s own coast uncertainty over the window, exactly the holdover error growth (white-FM plus random-walk-FM, NIST SP 1065). A better clock makes this term smaller.
With enough averaging the measurement term shrinks and the clock stability sets
the floor — the regime in which a superior clock detects a smaller, slower
spoof. The smallest spoof offset the monitor flags is k * sigma_mon(tau) for
a detection multiplier k (sigmas, chosen for a low false-alarm rate).
The security score is this detection floor expressed relative to the operational timing spec: a spoof only matters if it can move the solution by about the spec threshold, so
security = clamp(1 - min_detectable_offset_ns / threshold_ns, 0, 1).1 means a harmful (spec-threshold) spoof sits far above the detection floor
and is always caught; 0 means a spoof can reach the operational threshold
while staying under the detection floor — undetectable and harmful.
All functions are pure and deterministic.
Constants§
- SPOOF_
DETECT_ K - Detection multiplier (sigmas) for a low false-alarm-rate spoof monitor (~5σ).
- SPOOF_
MONITOR_ S - Coherent spoof-monitoring window (s): the interval over which the GNSS-derived time is cross-checked against the clock’s own coasted prediction.
Functions§
- min_
detectable_ offset_ ns - Smallest time-spoof offset (ns) the monitor flags over the window: the
detection multiplier
ktimes the monitor’s 1-sigma floor. - monitor_
sigma_ s - 1-sigma floor (s) of the clock-aided spoof monitor over a window
tau(s), with per-sample phase-measurement variancer(s^2) averaged oversamplesobservations and the clock’s white-FM / random-walk-FM PSDsq_wf,q_rw: - spoof_
detection_ score - Spoof-detection security score in
[0, 1]relative to the timing spec.