Skip to main content

Module security

Module security 

Source
Expand description

Spoofing-detection security figure of merit.

A time-spoofing attack feeds the receiver a false GNSS timing signal that slowly drags its clock solution. The classical defence is a clock-aided integrity monitor: the receiver predicts time forward from its own clock and cross-checks the GNSS-derived time against that prediction, flagging a fault when the two disagree by more than a few sigma.

This is a single-clock consistency monitor, NOT a multi-satellite RAIM detector: there are no pseudorange residuals across several satellites, no protection level, and no probability of hazardously misleading information. The innovation-vs-sigma test is mathematically the same shape as the fault detection in Brown, “A baseline GPS RAIM scheme” (and Groves, Principles of GNSS, Inertial, and Multisensor Integrated Navigation Systems, integrity chapter), but the score it produces is an analytic spoof-detectability bound for a given clock — not an implementation of RAIM. Real multi-SV RAIM/ARAIM with HPL/VPL is a roadmap item; see docs/INTEGRITY.md.

Over a coherent monitoring window of length tau, the comparison uncertainty has two independent contributions:

  sigma_mon^2(tau) = r / m  +  q_wf * tau  +  q_rw * tau^3 / 3
  • r / m — the GNSS phase-measurement noise (variance r) beaten down by averaging the m samples taken within the window.
  • q_wf * tau + q_rw * tau^3 / 3 — the clock’s own coast uncertainty over the window, exactly the holdover error growth (white-FM plus random-walk-FM, NIST SP 1065). A better clock makes this term smaller.

With enough averaging the measurement term shrinks and the clock stability sets the floor — the regime in which a superior clock detects a smaller, slower spoof. The smallest spoof offset the monitor flags is k * sigma_mon(tau) for a detection multiplier k (sigmas, chosen for a low false-alarm rate).

The security score is this detection floor expressed relative to the operational timing spec: a spoof only matters if it can move the solution by about the spec threshold, so

  security = clamp(1 - min_detectable_offset_ns / threshold_ns, 0, 1).

1 means a harmful (spec-threshold) spoof sits far above the detection floor and is always caught; 0 means a spoof can reach the operational threshold while staying under the detection floor — undetectable and harmful.

All functions are pure and deterministic.

Constants§

SPOOF_DETECT_K
Detection multiplier (sigmas) for a low false-alarm-rate spoof monitor (~5σ).
SPOOF_MONITOR_S
Coherent spoof-monitoring window (s): the interval over which the GNSS-derived time is cross-checked against the clock’s own coasted prediction.

Functions§

min_detectable_offset_ns
Smallest time-spoof offset (ns) the monitor flags over the window: the detection multiplier k times the monitor’s 1-sigma floor.
monitor_sigma_s
1-sigma floor (s) of the clock-aided spoof monitor over a window tau (s), with per-sample phase-measurement variance r (s^2) averaged over samples observations and the clock’s white-FM / random-walk-FM PSDs q_wf, q_rw:
spoof_detection_score
Spoof-detection security score in [0, 1] relative to the timing spec.