Muhammad Safi

GNSS Timing Spoofing Detection
Methods and Analysis using Jammertest data

Vaasa 2025

School of Technology and Innovations
Master's thesis
Sustainable and Autonomous Systems

UNIVERSITY OF VAASA
School of Technology and Innovations
Author: Muhammad Safi
Title of the thesis: GNSS Timing Spoofing Detection: Methods and Analysis using Jammertest data
Degree: Master of Science in Computing Sciences
Discipline: Sustainable and Autonomous Systems
Supervisor: Heidi Kuusniemi
Evaluator: Mahmoud Elsanhoury
Year: 2025
Pages: 105

ABSTRACT:
This thesis investigates GNSS timing spoofing detection strategies using data collected from Jammertest 2024, addressing critical vulnerabilities in infrastructure systems dependent on precise timing. Following a comprehensive literature review of GNSS fundamentals and existing detection methodologies, the research analyses how various parameters behave during spoofing events, including pseudoranges, carrier phase, Doppler measurements, positioning coordinates, signal quality indicators, and HDOP values. Through detailed examination of u-blox F9P receiver data during controlled spoofing events, distinct signature patterns were identified in multiple parameters. While carrier-to-noise ratio monitoring proved ineffective for detection, pseudorange RMS error analysis and NMEA validity flags successfully identified timing anomalies despite generating false positives. The implemented Isolation Forest algorithm demonstrated excellent performance with 100% recall and 99.96% specificity, correctly identifying all spoofing instances while producing only two false positives from 4,695 normal samples. A combined approach using validity flags as initial triggers followed by machine learning verification in the interference data emerged as an optimal strategy, providing a robust framework for protecting critical infrastructure systems against timing attacks.
KEYWORDS: GPS Security, Time Spoofing Detection, Isolation Forest Algorithm, Machine Learning Detection, Resilient Navigation, Critical Infrastructure Protection, GNSS Parameter Analysis, Autonomous Systems

Contents

1 Introduction
  1.1 Background and Motivation
  1.2 Problem Statement
  1.3 Research Objectives
  1.4 Thesis Structure
2 GNSS Timing Spoofing: Fundamentals and Challenges
  2.1 Overview of GNSS and Timing Synchronization
  2.2 Spoofing Techniques and their Impacts
  2.3 Existing Spoofing Detection Strategies
    2.3.1 Traditional Approaches
    2.3.2 AI Based Approaches
  2.4 Challenges in Spoofing Detection and Mitigation
3 Jammertest Dataset and Experimental Setup
  3.1 Description of Jammertest Data
  3.2 Data Collection Process and Preprocessing
    3.2.1 Receiver Details
    3.2.2 Test Details from Log
  3.3 Testbed Setup and Assumptions
4 Analysis of Timing Spoofing Event in Jammertest
  4.1 Power and General Observations
  4.2 Pseudoranges and Other Raw Observations
5 Traditional Detection
  5.1 Signal Analysis Method
  5.2 Positioning Method
  5.3 Validity Flag Method
6 AI based Detection
  6.1 Isolation Forest
  6.2 Training, Testing and Validation
  6.3 Results
7 Implementation Considerations and Practical Applications
  7.1 Real World Integration Challenges
  7.2 Computational Requirements and Deployment Feasibility
    7.2.1 Computational Resource Analysis
    7.2.2 Scalability Considerations
    7.2.3 Power Consumption Implications
    7.2.4 Hardware Integration Feasibility
    7.2.5 Cost-benefit Analysis
  7.3 Potential Use cases and Industry Applications
    7.3.1 Telecommunications Networks
    7.3.2 Power Grid Applications
    7.3.3 Financial Services Infrastructure
    7.3.4 Transportation and Navigation Systems
    7.3.5 Scientific and Research Applications
8 Conclusions and Future Work
References

Figures

Figure 1: Position estimation using four satellites
Figure 2: Current GNSS constellations
Figure 3: First caesium atomic clock (NIST, n.d.)
Figure 4: GNSS Spoofing and Jamming (Radoš et al., 2024)
Figure 5: Traditional methods to detect spoofing.
Figure 6: C/N0 during spoofing and non-spoofing windows (Radoš et al., 2024).
Figure 7: Spoofing detection using four antennas (Mao et al., 2023)
Figure 8: AI methods to detect GNSS spoofing
Figure 9: Performance of different ML models in detecting GPS spoofing (Khoei et al., 2022).
Figure 10: Different sites of Jammertest (2024-b)
Figure 11: Frequencies of the ZED receiver (u-blox, 2024)
Figure 12: ZED-F9p-00b-02 with its board (ArduSimple, 2025)
Figure 13: Distance between receiver and spoofer.
Figure 14: Time jumps in the GNRMC messages
Figure 15: Graph showing how different spoofing power affected the receiver, clipped until 7:40 UTC.
Figure 16: Location parameter change during the spoofing event. Yellow indicates when receiver experienced time jump.
Figure 17: HDOP graph with respect to time
Figure 18: Pseudoranges of the whole ubx file showing all satellite systems. From left to right in first row it shows GPS and then Galileo. In the second row it shows GLONASS and BeiDou.
Figure 19: Pseudoranges during the 2.4.2 spoofing event
Figure 20: Carrier Phase during the 2.4.2 spoofing event
Figure 21: Doppler shift during the 2.4.2 spoofing event
Figure 22: C/N0 during the spoofing period
Figure 23: Raw measurements sample with C/N0 highlighted. These are in dB/Hz.
Figure 24: Averaged pseudorange RMS errors in the ubx file
Figure 25: GNRMC message status
Figure 26: Feature importance for training dataset.
Figure 27: Anomaly score distribution
Figure 28: More result characteristics
Figure 29: Enhanced detector based on combining AI and Validity flag
Figure 30: Illustration of potential industry applications

Tables

Table 1: Jammertest event details for the ubx file (Jammertest, 2024-a).
Table 2: Confusion matrix of results
Table 3: Results Parameters of implemented isolation forest

Abbreviations

AGC: Automatic Gain Control
AI: Artificial Intelligence
AMI: Advanced Metering Infrastructure
ANN: Artificial Neural Network
C/N0: Carrier-to-Noise Density Ratio
C1C: Code pseudorange
CART: Classification And Regression Trees
CDMA: Code Division Multiple Access
CEST: Central European Summer Time
D1C: Doppler measurement
dBm: Decibel-milliwatts (power measurement)
DDPG: Deep Deterministic Policy Gradient
DL: Deep Learning
DOA: Direction of Arrival
FDMA: Frequency Division Multiple Access
GGA: Global Positioning System Fix Data (NMEA message type)
GLONASS: Global Navigation Satellite System (Russian)
GNB: Gaussian Naive Bayes
GNGGA: GNSS Fix Data (NMEA message type)
GNRMC: GNSS Recommended Minimum Data (NMEA message type)
GNSS: Global Navigation Satellite System
GPS: Global Positioning System
HDOP: Horizontal Dilution of Precision
IATA: International Air Transport Association
IEEE: Institute of Electrical and Electronics Engineers
K-means: K-means Clustering
L-SVM: Linear Support Vector Machine
L1C: Carrier Phase
LLS: Lightning Location System
LOS: Line of Sight
LR: Logistic Regression
MANA: NMEA-based Anomaly detection
MiFID: Markets in Financial Instruments Directive
MIMO: Multiple-Input Multiple-Output
ML: Machine Learning
MW: Megawatt
NavIC: Navigation with Indian Constellation
NCO: Numerically Controlled Oscillator
NMEA: National Marine Electronics Association
OSNMA: Open Service Navigation Message Authentication
PCA: Principal Component Analysis
PNT: Positioning, Navigation, and Timing
PPS: Pulse Per Second
PMU: Phasor Measurement Unit
RF: Random Forest
RL: Reinforcement Learning
RMC: Recommended Minimum Data (NMEA message type)
RMS: Root Mean Square
RXM-MEASX: Receiver Manager Measurement Data (UBX message)
RXM-RAWX: Receiver Manager Raw Data (UBX message)
S1C: Signal strength
SAC: Soft Actor-Critic
SCD-MF: Separate Clock Drift Matched Filter
SCPC: Spoofing Correlation Peak Cancellation
SVM: Support Vector Machine
TD3: Twin Delayed Deep Deterministic Policy Gradient
TESLA: Timed Efficient Stream Loss-tolerant Authentication
TEXBAT: Texas Spoofing Battery
TOA: Time of Arrival
TSA: Time Synchronization Attack
TW: Terawatt
UBX: u-blox Proprietary Protocol
UTC: Coordinated Universal Time
VTG: Course Over Ground and Ground Speed (NMEA message type)
WAMS: Wide Area Monitoring System

1 Introduction

This thesis examines GNSS timing spoofing detection methods and analyses data collected during Jammertest 2024, focusing on both traditional and AI-based detection approaches for critical infrastructure protection.

1.1 Background and Motivation

Global Navigation Satellite Systems (GNSS) provide precise timing services that are essential for critical infrastructure including power grids, telecommunications, financial transactions, and transportation systems. In Finland, where electricity generation is projected to 15 TWh by 2035 (Fingrid, 2024), the energy sector's reliance on precise timing synchronization makes it particularly vulnerable to GNSS disruptions. Beyond power grids, the aviation industry, which relies mostly on GNSS positioning, is also affected by timing spoofing. Recent incidents highlight these vulnerabilities, including a commercial airliner that lost access to onboard digital communication systems due to timing spoofing (Pearson, 2024), while other documented cases show that fuel computation systems and other timing-dependent technologies are similarly susceptible (SKYbrary Aviation Safety, n.d.). As GNSS timing applications continue to expand across critical infrastructure, developing robust spoofing detection and mitigation strategies has become increasingly urgent to protect essential services from sophisticated timing attacks.

1.2 Problem Statement

Despite increasing awareness of GNSS vulnerabilities, effective real-time detection and mitigation of timing spoofing attacks remain challenging.
Current research primarily focuses on theoretical models or laboratory settings, with limited field testing of detection methodologies under realistic conditions. This research addresses this practical implementation gap by analysing empirical and real spoofing data from Jammertest 2024 to develop and validate combined traditional and machine learning approaches for timing spoofing detection, with particular attention to applications in critical infrastructure environments such as Finland's rapidly expanding energy sector.

1.3 Research Objectives

This research aims to achieve the following objectives:

1. To critically review existing literature on GNSS timing spoofing detection and mitigation techniques, identifying their strengths and limitations.
2. To analyse the behaviour of various GNSS signal parameters (pseudorange, carrier phase, Doppler measurements, position coordinates, and signal quality indicators) during timing spoofing attacks using data collected from Jammertest 2024.
3. To develop and evaluate both traditional detection methods (based on validity flags) and a machine learning approach (using the Isolation Forest algorithm) for identifying timing spoofing attacks.
4. To propose practical implementation frameworks for integrating these detection methodologies into existing critical infrastructure systems.

1.4 Thesis Structure

The thesis is divided into four sections: literature review, methodology, analysis and results, and finally discussion. Chapter Two presents the literature review and highlights the importance of GNSS timing and recent advances in detecting and mitigating spoofing. Chapter Three outlines the methodology used to collect data in Jammertest 2024. Chapters Four, Five, and Six present the results and their explanation, discussing the various measurements made and how spoofing is detected using both traditional and AI-based methods.
Chapter Seven provides discussion and highlights how the obtained results could benefit and be implemented in the real world. Finally, the last chapter presents conclusions and future work, followed by the references.

2 GNSS Timing Spoofing: Fundamentals and Challenges

This chapter reviews the literature on the effects of GNSS timing spoofing and on ways to detect it.

2.1 Overview of GNSS and Timing Synchronization

Global Navigation Satellite System, commonly abbreviated as GNSS, refers to the orbital satellite networks that transmit positioning and timing data from space to GNSS receivers. These receiving units subsequently analyse the incoming signals to establish geographical coordinates through multi-lateration procedures (Kaplan & Hegarty, 2006, p. 3). GNSS encompasses various satellite navigation systems developed by different countries. These include the United States' GPS (NCO, 2021), the European Union's Galileo (EUSPA, n.d.), Russia's GLONASS (IAC, n.d.), India's NavIC (ISRO, 2023), China's BeiDou (State Council Information Office of the People's Republic of China, 2016), and Japan's QZSS (Cabinet Office, 2025).

The essential mechanism of GNSS employs one-way time of arrival (TOA) ranging, in which satellites transmit ranging codes and navigation information via specific frequencies using code division multiple access (CDMA) strategies (Kaplan & Hegarty, 2006, p. 3). Each satellite generates unique codes that allow receivers to distinguish between signals from different satellites. The navigation data enables receivers to determine satellite locations at transmission time, while ranging codes help calculate signal transit time and thereby determine satellite-to-user range.

To calculate a three-dimensional position, a receiver needs signals from at least four satellites as illustrated in Figure 1.
This requirement stems from the need to solve for four unknowns: latitude, longitude, altitude, and receiver clock offset from system time (Kaplan & Hegarty, 2006, p. 3). If the satellite time and/or the altitude is known, fewer satellites are needed.

Figure 1: Position estimation using four satellites

Turning to the individual constellations, the United States pioneered GNSS technology with GPS (Global Positioning System), which was the first fully operational global navigation satellite system. GPS employs a standard configuration of 24 satellites distributed across six orbital planes, with four satellites positioned in each plane (Kaplan & Hegarty, 2006, p. 3). These satellites travel at approximately 20,200 km above Earth's surface and complete one orbit roughly every 12 hours. GPS provides dual service tiers: the Standard Positioning Service (SPS) accessible to civilian users and the Precise Positioning Service (PPS) restricted to U.S. military personnel and authorized government agencies. The SPS delivers horizontal accuracy better than 13 m and vertical accuracy better than 22 m at 95% confidence levels, while the PPS provides at minimum 22 m horizontal and 27.7 m vertical accuracy (Kaplan & Hegarty, 2006, p. 4).

GPS has undergone significant modernization efforts since its inception. The modernization program includes adding new civil signals (L2C and L5) and military signals (M-code) to enhance accuracy, reliability, and resistance to interference (Kaplan & Hegarty, 2006, p. 5). These additional signals allow users to correct for ionospheric delays through dual-frequency measurements and increase robustness against interference.

The second constellation is Galileo. Galileo is the European Union's GNSS, designed specifically for civilian use worldwide.
Galileo provides multiple service levels, including an open service (free of direct user charges), a commercial service, a safety-of-life service for safety-critical users, a public regulated service for government-authorized users, and support for search and rescue operations (Kaplan & Hegarty, 2006, p. 6; NovAtel, n.d.-d). A key feature of Galileo's safety-of-life service is authentication of received satellite signals and integrity monitoring. This provides timely warnings to users when signals cannot be safely used according to specifications (Kaplan & Hegarty, 2006, p. 7). Galileo's planned constellation consists of 30 satellites and a full worldwide ground control segment. One of its primary goals is full compatibility with GPS, with measures taken to ensure interoperability between the two systems. These interoperability factors include signal structure, geodetic coordinate reference frame, and time reference system (Kaplan & Hegarty, 2006, p. 7). Currently, Galileo has 24 satellites in orbit (NovAtel, n.d.-d).

Russia's equivalent to GPS is GLONASS (Global Navigation Satellite System). Similar to GPS, GLONASS employs satellites in medium Earth orbit, ground control infrastructure, and user equipment. Currently, GLONASS maintains a constellation of 24 satellites (NovAtel, n.d.-c). The system's modernization efforts include GLONASS-M satellites with enhanced reliability and an additional civil signal, as well as GLONASS-K satellites that transmit all previous signals plus a third civil frequency dedicated to safety-of-life applications. GLONASS-K satellites are additionally configured to transmit integrity information and wide area differential corrections (Kaplan & Hegarty, 2006, p. 8). GLONASS, like GPS, operates as a dual-use system without direct fees for civilian users.
Russia collaborates with both the European Union and the United States to ensure compatibility between GLONASS and Galileo, and GLONASS and GPS, respectively (Kaplan & Hegarty, 2006, p. 8).

BeiDou, China's navigation system, represents a multiphase satellite navigation program delivering positioning capabilities, fleet management, and precise time dissemination to Chinese military and civilian users. Unlike GPS, Galileo, and GLONASS, which utilize one-way TOA measurements, BeiDou initially implemented two-way range measurements through its Radio Determination Satellite Service (RDSS) (Kaplan & Hegarty, 2006, p. 9). In the RDSS approach, a central operations facility transmits a polling signal via satellite to users, who then respond with a signal through at least two satellites. The system measures transit time as signals circulate from operations center to satellite to user and back. This process enables user position determination, and the position is subsequently transmitted back to users (Kaplan & Hegarty, 2006, p. 9).

BeiDou was originally conceived to provide integrity and wide area differential corrections through a satellite-based augmentation system. As of 2021, the constellation comprises 45 operational satellites (Kaplan & Hegarty, 2006, p. 10; NovAtel, n.d.-e).

Japan developed the Quasi-Zenith Satellite System (QZSS) to enhance GPS capabilities and provide mobile satellite communications for Japan and surrounding regions. The system primarily addresses GPS visibility challenges in urban environments and mountainous terrain, which Japan considers problematic across approximately 80% of its territory (Kaplan & Hegarty, 2006, p. 18). QZSS utilizes satellites in highly inclined, elliptical orbits, ensuring that at least one satellite remains near zenith (directly overhead) from Japan's perspective.
This orbital configuration enhances satellite visibility in areas where buildings or topographical features might otherwise obstruct signals from lower-elevation satellites. As of 2024, QZSS operates with 7 satellites (NovAtel, n.d.-f).

NavIC (Navigation with Indian Constellation) is India's regional satellite navigation system designed to provide positioning accuracy of 10 meters. Its coverage is mostly local to India, since some of the satellites are in geostationary orbits. As of 2022 it has eight satellites (NovAtel, n.d.-g).

By integrating these systems, users can potentially access over 100 navigation satellites globally, significantly improving position accuracy, reliability, and availability compared to using any single system alone. All the current constellations are depicted in Figure 2.

Furthermore, GNSS constellations operate across diverse L-band frequencies with distinct signal structures. GPS, GLONASS, Galileo, BeiDou, QZSS, and NavIC each utilize different frequency allocations and coding schemes. GPS operates at 1575.42 MHz (L1) and 1227.6 MHz (L2), GLONASS uses Frequency Division Multiple Access (FDMA) from 1602.0 MHz, Galileo spans 1176.45-1575.42 MHz across four bands, and BeiDou operates at 1207.14-1575.42 MHz. Together these create a complementary spectrum coverage environment that enhances positioning accuracy and service reliability worldwide (European Space Agency, 2011).

Figure 2: Current GNSS constellations

GNSS timing is one of the fundamental aspects of global navigation, providing precise temporal synchronization that enables accurate positioning services worldwide. The system architecture revolves around highly sophisticated atomic clocks installed on orbiting satellites that maintain extremely precise time measurements (European Space Agency [ESA], n.d.). The first atomic clock was developed in 1955 as shown in Figure 3 (NIST, n.d.).
These timing systems employ three primary types of atomic frequency references: rubidium vapor cells, caesium atomic beams, and hydrogen masers, all functioning through quantum transitions at microwave frequencies (Hollberg, 2021). The fundamental operation relies on the consistent behaviour of atoms transitioning between energy states, which produces stable frequency outputs that serve as timing references. The atomic clocks aboard GNSS satellites achieve remarkable stability, with rubidium clocks losing approximately three seconds per million years and hydrogen masers losing only one second per three million years (ESA, n.d.). This precision enables GNSS satellites to broadcast time signals synchronized to Coordinated Universal Time (UTC), which they receive from ground control stations (Chandler, 2022). When these signals reach Earth-based receivers, they achieve synchronization with uncertainties as low as 5 nanoseconds, effectively transferring atomic clock precision to users without requiring them to operate such sophisticated timekeeping equipment (NCO, 2022).

Figure 3: First caesium atomic clock (NIST, n.d.)

GNSS timing synchronization works by receiving precisely timed signals from multiple satellites with onboard atomic clocks. Receivers capture the radio signals that GPS satellites transmit at 1575 MHz, calculate propagation delays based on known satellite positions, and adjust for atmospheric effects. This provides extremely accurate time references (typically within 50 nanoseconds) that power systems and other applications use for synchronization across wide geographic areas (Behrendt & Fodero, 2006). GNSS timing synchronization operates through a precise one pulse per second (1PPS) signal output from GNSS receivers. Wu et al. (2016) explain that 1PPS signals synchronize devices to UTC or GNSS system time by generating pulses using a Numerically Controlled Oscillator (NCO) and adjusting them based on time differences with GNSS signals.
However, timing errors occur in "sawtooth" patterns due to discrete phase calibration steps with uncorrected frequency errors. The researchers propose a zoom technique using programmable delay line technology (electronic circuits that add precise, adjustable time delays to incoming signals) with 0.25 ns precision to reduce this sawtooth error, improving timing accuracy from approximately 52 ns to just 1-2 ns peak-to-peak.

The timing mechanism operates through a continuous broadcast of precise time signals from satellites that propagate at light speed. The receivers decode the embedded timing information, calculating differences between transmission and reception times (NASA, 2019). Some advanced timing receivers also support additional synchronization protocols like IRIG-B, which delivers time signals in binary coded decimal format once per second (Behrendt & Fodero, 2006).

The largest application of GNSS timing is in power grids. Time synchronization is a foundational requirement for modern power systems, enabling coordinated operation across geographically dispersed infrastructure components. Within power grids, precise timing allows for synchronized measurements, accurate event sequencing, and coordinated control actions (Zhang et al., 2020). GNSS, particularly GPS, has become the primary means of achieving this synchronization due to its ability to provide timing accuracy within nanoseconds.

According to Falletti et al. (2019), GNSS-based timing can achieve performance equivalent to atomic clocks but at significantly lower cost, making it an attractive solution for critical infrastructures. In power systems, GNSS receivers provide standardized timing outputs including 1-PPS signals, NMEA 0183 time telegrams, and IRIG-B signals that serve as common time references across the grid. These timing references synchronize various system components including phasor measurement units (PMUs), protective relays, and metering equipment.
The importance of precise timing is particularly evident in applications like phasor measurement, where IEEE C37.118 standards specify maximum acceptable synchronization errors of 31 μs for 50 Hz systems and 26 μs for 60 Hz systems (Falletti et al., 2019). In Advanced Metering Infrastructure (AMI), timing synchronization ensures accurate timestamping of electricity usage data, which is crucial for implementing time-of-use tariffs and proper billing (Bin et al., 2020). Time synchronization in power systems typically follows either hierarchical or distributed architectures. In hierarchical systems like AMI, field devices synchronize to a central timing source at the head end, while in distributed systems like Wide-Area Measurement Systems (WAMS), each substation maintains its own timing source synchronized to GNSS (Zhang et al., 2020). Both approaches rely heavily on GNSS as the ultimate reference, establishing a critical dependency that, despite delivering superior timing performance, simultaneously introduces systemic vulnerabilities susceptible to exploitation through spoofing attacks.

GNSS time synchronization also plays a critical role in telecommunications systems, particularly in ensuring robust and precise timing for network operations. High-precision timing is needed in 5G networks, where technologies like MIMO (Multiple-Input Multiple-Output) and transmit diversity require nanosecond-level synchronization (Cao et al., 2024). GNSS-based time synchronization offers exceptional accuracy, with experiments showing that timing accuracy can reach ±2 microseconds for individual nodes and sub-10 microseconds among multiple nodes (Hasan et al., 2023). For telecom networks requiring continuous stability, integrating caesium atomic clocks with GNSS receivers provides enhanced robustness against signal outages.
This combination ensures that even during satellite signal disruptions, time synchronization can be maintained at high precision (within 50 ns) for extended periods, significantly improving network reliability for critical telecommunications infrastructure (Cao et al., 2024; Ruiqiong et al., 2019).

Apart from telecom and power grids, GNSS timing plays a crucial role in the financial industry, where precise transaction timestamping is essential for market integrity and operational compliance. Major stock exchanges like the New York Stock Exchange, which processes approximately $2 billion in trades in just the first two minutes after opening (Inside GNSS, 2014), rely on precise GNSS-synchronized clocks. The European Union's Markets in Financial Instruments Directive II (MiFID II) mandates synchronized clocks across all trading venues to ensure transaction transparency and fraud prevention (Inside GNSS, 2014). In high-frequency trading, where microseconds can determine profitability, many trading firms place GNSS receivers directly on their server room roofs to gain timing advantages (Finance Derivative, 2024). The Madrid Stock Exchange exemplifies this reliance on GNSS, using sophisticated time services with atomic clocks synchronized to UTC via GNSS time-transfer (Inside GNSS, 2019). However, this dependence creates vulnerabilities, as spoofing attacks could potentially manipulate market timing, creating opportunities for fraudulent transactions or market disruptions similar to the 2010 "flash crash" (Quartz, 2017). This is why sophisticated methods are needed to ensure that timing is free of GNSS interference.

2.2 Spoofing Techniques and their Impacts

When it comes to GNSS spoofing, there are several techniques used to produce false signals, particularly for timing spoofing. According to Meng et al.
(2022), GNSS spoofing can be classified into three main categories based on signal generation: production spoofing, forwarding spoofing, and gradual self-synchronization spoofing. Production spoofing directly transmits signals generated by signal generation equipment to deceive the receiver, allowing attackers to manipulate transmission time and location information. Forwarding spoofing collects real satellite signals, enhances them, and forwards them with a delay to cause incorrect navigation positioning. For timing attacks specifically, the spoofer can manipulate the timestamp carried in the navigation message, affecting the receiver's clock synchronization. The most sophisticated approach is gradual self-synchronization spoofing, which deceives the receiver tracking loop by gradually modifying range delay and Doppler modulation according to the target receiver's dynamic performance, enabling covert control of satellite delay timing.

When it comes to GNSS timing spoofing, Gao and Li (2022) propose three distinct algorithms that manipulate receivers in different ways. The first approach modifies pseudorange measurements while maintaining spatial position, creating a timing offset without position changes. The second algorithm alters satellite positions through navigation message parameter modifications, making it harder for receivers to detect spoofing since no pseudorange delay is added. The third combines both techniques, modifying both pseudorange and satellite positions simultaneously. Their experiments revealed that the pseudorange modification method achieved nearly perfect timing spoofing with minimal position change, while the satellite position modification technique showed slightly reduced effectiveness but offered better concealment against detection methods that monitor pseudorange delays. Furthermore, Radoš et al.
(2024) describe three main spoofing attack types: simplistic (using GNSS signal simulators to create fake signals), intermediate (receiver-based attacks that monitor authentic signals before generating synchronized fake ones), and sophisticated (using multiple transmitters from different angles). Simplistic attacks typically begin with jamming to force receivers to lock onto fake signals as illustrated in Figure 4, while intermediate attacks achieve more covert position manipulation without triggering warnings.

Figure 4: GNSS Spoofing and Jamming (Radoš et al., 2024)

GPS timing spoofing attacks can have significant consequences for cyber-physical systems that rely on precise timing. Wei and Sikdar (2019) demonstrated that different spoofing techniques produce varying degrees of impact. When attackers manipulate only the GPS timestamp or introduce identical delays across all satellite signals, the resulting location and pseudorange errors can be extremely small (under 248.6m for location error), making these attacks particularly difficult to detect. These subtle attacks can still cause substantial timing errors exceeding 36.5μs, sufficient to violate the IEEE C37.118 standard for power grid operations. Such violations could potentially trigger serious disruptions in critical infrastructure including power grids, financial exchanges, telecommunications networks, and banking systems where precise time synchronization is essential.

Zhang et al. (2020) further elaborate that GPS spoofing-based time synchronization attacks (TSA) can severely compromise both hierarchical and distributed time synchronization systems in power grids. By manipulating GPS signals, attackers can disrupt critical monitoring and control systems including Advanced Metering Infrastructure (AMI), Wide-Area Measurement System (WAMS), and Lightning Location System (LLS).
For instance, a time deviation exceeding 5 minutes in AMI can invalidate metering data and control commands, essentially disabling both monitoring and remote-control capabilities. In WAMS, even millisecond-level timing errors can produce significant phase angle measurement errors, potentially leading to catastrophic blackouts through incorrect state estimation.

Falletti et al. (2019) conducted experimental testing on three commercial GNSS timing receivers, revealing concerning vulnerabilities to various spoofing attacks. According to their findings, the tested receivers were vulnerable to signal spoofing and gave minimal indication that they had detected the fake signals. They emphasize that timing errors in critical infrastructures like power grids could have severe consequences, particularly for synchronization-dependent applications such as phasor measurement units (PMUs), where timing errors as small as 26.5μs can again exceed IEEE C37.118 standards and potentially cause system instability.

Bin et al. (2020) specifically analyzed how TSA affects AMI systems, noting that beyond operational disruption, sustained GPS spoofing attacks could cause significant revenue losses for power utilities. Their simulation demonstrated that time deviations in smart meters could result in incorrect time-of-use tariff application, with potential daily revenue losses of over $50,000 for a utility with 44,096 MW average power. Their research introduced a precision-enhanced oven-controlled crystal oscillator incorporating cumulative error compensation mechanisms to identify time jitter and sustain precise timing functionality during extended spoofing incidents. Apart from power grids, GNSS timing synchronization is also needed for unmanned vehicle swarms, as precise timing enables coordinated movement, formation maintenance, and distributed decision-making across multiple units.
When compromised through spoofing attacks, timing errors can disrupt swarm coordination, potentially causing incomplete coverage of surveillance areas or dangerous collision scenarios (Ranganathan et al., 2023).

These collective studies underscore the necessity for robust, multi-layered defense strategies against GPS spoofing attacks, combining both signal-level detection methods and system-level analytical approaches to protect critical power infrastructure from increasingly sophisticated timing attacks.

2.3 Existing Spoofing Detection Strategies

GNSS spoofing can be detected by two major approaches: the traditional approach, which involves signal processing, and the artificial intelligence approach, which involves machine or deep learning. This section highlights both, along with recent advancements made in them.

2.3.1 Traditional Approaches

There are many traditional approaches to detecting spoofing in GNSS. These can be classified into three major categories: signal processing methods, geometric analysis methods, and positioning methods (Radoš et al., 2024; Psiaki & Humphreys, 2021). These categories are then further subdivided into other methods as shown in Figure 5.

Figure 5: Traditional methods to detect spoofing.

First, signal processing methods work by processing the signal received by the receiver and performing various analyses on it in order to detect spoofing. In correlation peak monitoring, the signal quality is monitored by observing the distribution and characteristics of correlation peaks. When a spoofing attack occurs, multiple correlation peaks may appear, or distortions in the peak shape might be detected. Li et al. (2020) proposed a method using the k-nearest neighbour (KNN) algorithm to detect spoofing signals with small delays during the acquisition phase.
Their approach significantly improves detection capabilities, effectively identifying spoofing signals with delays as small as 0.6 chips with high accuracy. Moving forward, research by Yang et al. (2022) introduces a spoofing countermeasure utilizing Spoofing Correlation Peak Cancellation (SCPC). Their methodology involves extracting spoofing signal characteristics from baseband samples and generating counteractive cancellation sequences. Evaluations using the Texas Spoofing Test Battery (TEXBAT) dataset demonstrated SCPC's effectiveness in rectifying compromised navigation signals through analysis of correlation peaks, carrier-to-noise ratio, and peak trajectory patterns. In related work, Wang et al. (2023) engineered an improved spoofing detection system that examines irregular energy distributions within quadrature (Q) channel correlators. Their technique employs noise floor estimation as a normalization reference and exhibits enhanced capabilities compared to alternative signal quality monitoring approaches, particularly during overpowered and dynamic spoofing scenarios, as confirmed through TEXBAT dataset validation.

[Figure 5 diagram: Traditional Methods to Detect Spoofing. Signal Processing Methods: Correlation Peak Monitoring; Power-based methods (C/N₀, AGC etc); Antenna Array processing. Geometric Analysis Methods: Time of Arrival (ToA); Direction of Arrival (DoA); NMEA Message Analysis. Positioning Methods: Pseudorange Measurements.]

In power-based methods, the signal power, automatic gain control (AGC), and the carrier-to-noise ratio are monitored to check for disturbances that could be caused by a potential spoofed signal. A spoofed signal typically has much higher power than the satellite signal in order to overcome the authentic signals (Radoš et al., 2024). Moreover, the spoofed signals also have a relatively constant Doppler shift due to the spoofer being mounted in a fixed location.
The carrier-to-noise ratio (C/N0) is a fundamental metric used in GNSS receivers to evaluate signal quality. Rustamov et al. (2020) analysed the vulnerability of consumer devices to spoofing attacks by examining C/N0 patterns. When spoofing occurs, C/N0 values often show abnormal behaviour compared to authentic signal patterns; an example is shown in Figure 6. Psiaki and Humphreys (2016) describe sophisticated spoofing techniques where attackers can gradually increase the power of fake signals until they capture the victim receiver's tracking loops, then "drag" the receiver to false position coordinates. These techniques avoid the need for jamming and reacquisition, making them harder to detect. To counter such threats, monitoring systems can establish baseline C/N0 values for normal operation and flag significant deviations that might indicate spoofing attempts. When it comes to timing specifically, Qian et al. (2020) detect GPS timing spoofing in advanced metering infrastructure by implementing a time jitter detection system that identifies abnormal satellite clock behaviour. Their methodology uses an advanced oven-controlled crystal oscillator featuring cumulative error correction to detect timing inconsistencies. When timing jitter exceeds a 0.2μs threshold, the system automatically switches to the compensated local timing source, maintaining accurate synchronization during attacks while preserving metering operations. Honkala et al. (2020) demonstrate that Automatic Gain Control (AGC) provides an effective mechanism for detecting both jamming and spoofing attacks on GNSS timing receivers by monitoring significant deviations in AGC levels. Their experiments show AGC responds more reliably than carrier-to-noise ratio measurements, providing earlier detection of timing threats.

Figure 6: C/N0 during spoofing and non-spoofing windows (Radoš et al., 2024).
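
The jitter-threshold switch to a compensated local timing source described above can be made concrete as follows. This is an added example, not code from the thesis or from Qian et al. (2020): the function names, the frozen linear drift model standing in for the compensated oscillator, and all sample values are assumptions constructed for illustration. It also shows the failure mode of a purely epoch-to-epoch check, where a slow drag stays under the threshold unless the comparison reaches back over a longer window.

```python
import math
from collections import deque

JITTER_THRESHOLD_S = 0.2e-6  # the 0.2 us threshold quoted in the text


def run_monitor(offsets_s, drift_s_per_s, window=1, threshold=JITTER_THRESHOLD_S):
    """Classify 1 Hz epochs as 'gnss' or 'holdover'.

    offsets_s[t] is the measured GNSS-minus-local-oscillator offset at second t.
    drift_s_per_s is the oscillator drift learned beforehand (assumed known).
    Each epoch is compared with a prediction extrapolated from the OLDEST of
    the last `window` accepted epochs: window=1 is a plain epoch-to-epoch
    jitter check, a larger window also catches slowly accumulating offsets.
    The first epoch is trusted unconditionally (assumption: clean start).
    Returns a list of (source, offset_used) tuples.
    """
    trusted = deque(maxlen=window)  # (t, offset) of recently accepted epochs
    result = []
    for t, measured in enumerate(offsets_s):
        if not trusted:
            trusted.append((t, measured))
            result.append(("gnss", measured))
            continue
        t_ref, off_ref = trusted[0]
        predicted = off_ref + drift_s_per_s * (t - t_ref)
        if abs(measured - predicted) > threshold:
            # Reject GNSS for this epoch; the trusted history stays frozen,
            # so the local clock keeps extrapolating from clean data.
            result.append(("holdover", predicted))
        else:
            trusted.append((t, measured))
            result.append(("gnss", measured))
    return result


# ---- constructed sample data (not measurements from Jammertest) ----
DRIFT = 1e-9  # 1 ns/s oscillator drift, assumed calibrated


def clean_offset(t):
    return 1.5e-6 + DRIFT * t


def step_attack(t):
    """Abrupt 900 s time jump between t=60 and t=119."""
    return 900.0 if 60 <= t < 120 else 0.0


def slow_drag(t):
    """Offset pulled away at 30 ns/s from t=60 onwards."""
    return 30e-9 * max(0, t - 60)


def simulate(attack, window, n=180):
    """Run the monitor; return per-epoch sources and the worst time error."""
    offsets = [clean_offset(t) + 2e-9 * math.sin(t) + attack(t) for t in range(n)]
    result = run_monitor(offsets, DRIFT, window)
    sources = [src for src, _ in result]
    worst = max(abs(used - clean_offset(t)) for t, (_, used) in enumerate(result))
    return sources, worst


if __name__ == "__main__":
    for name, attack, window in [("step, window=1", step_attack, 1),
                                 ("drag, window=1", slow_drag, 1),
                                 ("drag, window=30", slow_drag, 30)]:
        sources, worst = simulate(attack, window)
        print(f"{name}: holdover epochs={sources.count('holdover')}, "
              f"worst error={worst * 1e6:.3f} us")
```

The windowed variant only works while the oscillator's own drift error over the window stays well below the threshold, which is the role the compensated oscillator plays in the approach described above.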

In antenna array processing, multiple antennas are used to detect spoofing by analysing spatial characteristics of incoming signals. This approach leverages the fact that authentic GNSS signals come from different satellites across the sky, while spoofed signals typically originate from a single source (Radoš et al., 2024). Chen et al. (2024) proposed an innovative approach using three low-cost collinear antennas to detect spoofing. Their method leverages the collinearity information to improve pointing vector estimation accuracy and employs a binary statistical detection model for real-time spoofing detection. Remarkably, their system achieved 100% spoofing detection accuracy with just a 1-meter baseline, while reducing the standard deviation of pointing vector angle deviation by over 55% when spoofing signals were present. Yang et al. (2023) developed a six-array spoofing-interference-monitoring antenna system that combines peak monitoring with an airspace-trapping algorithm. Their approach uses long- and short-baseline algorithms to quickly search the entire circumferential ambiguity, achieving directional accuracy within 2° for spoofing signals in outdoor experiments. For mobile applications, Liu et al. (2023) introduced a method using a moving array antenna for locating spoofing sources. Their technique first extracts spoofing signals using double-differenced carrier phase characteristics, then fuses carrier phase single-difference data from multiple observation points as the antenna moves to directly localize the spoofing source. This approach avoids the data correlation issues found in traditional two-step direction of arrival estimation methods, providing both robust performance and high accuracy.

The second major category, geometric analysis, can be further divided into three key approaches: Time of Arrival (ToA), Direction of Arrival (DoA), and NMEA message analysis.
In ToA approaches, the propagation time of signals is analysed to detect spoofing. Zhang and Zhan (2018) proposed a low-cost spoofing detection system based on Time Difference of Arrival Estimation (TDOAE) using two standard receivers. Their system leverages a fundamental principle: authentic satellite signals originate from various directions in space, resulting in diverse TDOAE values, while spoofed signals come from a single source, producing nearly identical TDOAE measurements. Through careful mathematical formulation and hypothesis testing, their system achieved an impressive 99.99% detection rate with less than 0.001% false alarms in both simulations and real-world tests.

DoA techniques analyse the angular information of incoming signals. Mao et al. (2023) developed a cost-effective spoofing detection system using commercial GNSS components. Their innovation addresses common challenges with low-cost antennas, including phase center instability and sampling time inconsistencies across multiple receivers. The prototype achieved 100% detection rate in open environments with 5° directional accuracy. Their technique is shown in Figure 7. For systems with a single antenna, Chen et al. (2024) developed a novel technique leveraging the angular intersection of two arrival directions (IA-DoA) using a rotational antenna setup. Their method compares estimated and predicted IA-DoA values to identify inconsistencies that indicate spoofing, and is particularly effective against multi-agent spoofing attacks. Similarly, Chang et al. (2022) proposed a rotating single-antenna detection method based on an improved probabilistic neural network (IPNN). Their approach analyses how carrier-phase double differences change with satellite incident angles during antenna rotation, achieving 98.84% spoofing detection accuracy. For enhanced localization of spoofing sources, Xie et al.
(2022) developed a dispreading direct position determination (DS-DPD) algorithm that leverages prior knowledge of satellite code sequences to improve accuracy by more than tenfold, even with low interference-to-noise ratios.

Figure 7: Spoofing detection using four antennas (Mao et al., 2023)

The NMEA message analysis approach examines standard navigation message data for anomalies. Spravil et al. (2023) developed the NMEA-based Anomaly detection (MANA) framework, which monitors NMEA-0183 sentences from maritime GPS receivers to detect spoofing without requiring hardware modifications. Their system combines multiple software-based detection methods to identify inconsistencies and integrity violations in navigation data streams that indicate potential spoofing attacks. Lee et al. (2020) demonstrate how NMEA messages can detect timing spoofing by analysing message irregularities. When spoofing occurs, discrepancies emerge in the timing data of GGA, RMC, and VTG messages compared to expected values (these are different NMEA message formats: GGA carries time, position, DOP (dilution of precision), etc.; RMC carries the same with the addition of velocity but without DOP; and VTG carries velocity, heading, etc.). This allows detection without complex processing of raw measurements, making it suitable for legacy receivers with limited computational resources. In this thesis, a similar NMEA message analysis method is used to detect spoofing from the Jammertest data, since u-blox has a built-in validity flag that tells if the NMEA message is authentic or not. Actual details on how the receiver determines if it is spoofed are not disclosed, since they are the manufacturer's trade secret. More details are provided in chapter five.

Lastly, among the positioning methods, pseudorange measurements provide another approach to spoofing detection. Xiao et al. (2019) developed a method using pseudo-range double-differences (PRDD) between two receivers.
Their technique analyses discrepancies between actual PRDD measurements and expected PRDD estimations to identify spoofing. The system accounts for unknown receiver attitudes and creates a statistical decision variable for detection. Monte Carlo simulations (computational algorithms that use random sampling to estimate mathematical or physical systems' outcomes and probabilities) showed impressive results, achieving 99.99% detection probability with only a 0.001 false alarm rate using a 10-meter baseline. Another approach is looking at the pseudorange RMS errors, which is also used in this thesis to identify spoofing. This technique will be explored in greater detail in chapter five. Another study detects GNSS timing spoofing by analysing clock bias change covariance between satellite pairs. By exploiting the synchronized variation patterns in spoofed signals, Jia and Liao (2025) developed an algorithm that detects Time Synchronization Attacks with 17.86% faster response time than previous methods. This computationally efficient approach requires minimal processing resources while maintaining high detection sensitivity, making it ideal for resource-constrained devices that require protection against sophisticated timing attacks. Furthermore, another study by Gao et al. (2023) presents a novel method for detecting GNSS time synchronization attacks by analysing the synchronicity patterns in pseudorange measurements. Their Separate Clock Drift Matched Filter (SCD-MF) calculates individual clock drifts from different satellite signals and monitors their abnormal similarity using matched filtering techniques. This low-computational approach requires no precise clock model, making it more efficient than existing methods while detecting even subtle timing attacks with higher sensitivity.
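
The synchronicity idea in the last two studies can be illustrated with per-satellite clock-drift estimates: when only independent measurement noise separates the satellites, their drift series are uncorrelated, while a spoofer that steers all channels together makes them move in step. The Python below is an added, simplified illustration of that idea, not the algorithm of Jia and Liao (2025) or the SCD-MF of Gao et al. (2023); the satellite IDs, noise level, attack profile, window and threshold are constructed assumptions.

```python
import random
from itertools import combinations
from math import sqrt


def pearson(x, y):
    """Pearson correlation of two equal-length sequences (0.0 if one is flat)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / sqrt(sxx * syy)


def synchronicity(drifts_by_sat, end, window):
    """Mean pairwise correlation of the per-satellite clock-drift estimates
    over the `window` epochs ending at epoch `end` (inclusive)."""
    segments = [s[end - window + 1:end + 1] for s in drifts_by_sat.values()]
    pairs = list(combinations(segments, 2))
    return sum(pearson(a, b) for a, b in pairs) / len(pairs)


def first_alarm(drifts_by_sat, window=40, threshold=0.6):
    """Epoch at which the sliding-window synchronicity first exceeds the
    threshold, or None if it never does."""
    n = len(next(iter(drifts_by_sat.values())))
    for end in range(window - 1, n):
        if synchronicity(drifts_by_sat, end, window) > threshold:
            return end
    return None


def simulate(spoofed, n=200, seed=7,
             sats=("G05", "G07", "G13", "G15", "G20", "G30")):
    """Constructed data: each satellite yields its own estimate of the
    receiver clock drift in ns/s (true drift 5 ns/s, independent noise of
    1 ns/s). If spoofed, a common extra drift ramps from 0 to 20 ns/s
    between epochs 100 and 140 and then stays constant."""
    rng = random.Random(seed)

    def common(t):
        if not spoofed or t < 100:
            return 0.0
        return min(0.5 * (t - 100), 20.0)

    return {sv: [5.0 + common(t) + rng.gauss(0.0, 1.0) for t in range(n)]
            for sv in sats}


if __name__ == "__main__":
    clean, attack = simulate(False), simulate(True)
    print("clean run alarm:", first_alarm(clean))
    print("attack run alarm epoch:", first_alarm(attack))
    # Once the common drift has settled to a constant, it looks like ordinary
    # receiver clock drift and the correlation statistic falls back to ~0.
    print("synchronicity after ramp:", round(synchronicity(attack, 199, 40), 3))
```

Because the statistic responds to changes in the common component, it flags the onset of the drag but not a steady offset rate that is already established, so it complements rather than replaces an absolute check against a trusted clock.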

Although most of these techniques are generic traditional approaches to detect GNSS spoofing, they can still work on timing spoofing and are not just bound to position or navigation types. However, some studies do not fall under the umbrella of either traditional or AI based approaches but are still effective in combating GNSS timing spoofing. A notable approach mitigates GNSS timing spoofing by implementing a sparse optimization framework that identifies malicious signal patterns in derivative domains. By observing that timing attacks exhibit sparsity in higher-order derivatives, the researchers developed a novel linearization method that jointly estimates authentic PVT states while identifying spoofing components (Lee et al., 2023). This approach formulates a convex quadratic program that effectively distinguishes between authentic signals and spoofing attacks, successfully reducing timing errors in both stationary and low-dynamic receivers without requiring additional hardware modifications or cryptographic techniques.

In conclusion, traditional GNSS spoofing detection methods encompass signal processing, geometry processing, and positioning approaches. These techniques analyse correlation peaks, signal power, antenna arrays, arrival measurements, and pseudorange data to identify inconsistencies that reveal spoofing attempts, providing essential protection for critical timing applications.

2.3.2 AI Based Approaches

Artificial intelligence is transforming satellite communication by addressing complex challenges like beam hopping, interference detection, and channel modelling (Fourati & Alouini, 2021). In terms of spoofing detection and mitigation, extensive work has been done with promising results. Like traditional approaches, AI-based methods can be classified into three major categories: Machine Learning (ML), Deep Learning (DL), and Reinforcement Learning (RL).
Both ML and DL can be further divided into supervised and unsupervised approaches as shown in Figure 8.

Figure 8: AI methods to detect GNSS spoofing

[Figure 8 diagram: AI Methods to detect GNSS Spoofing. Machine Learning (ML): Supervised Learning; Unsupervised Learning. Deep Learning (DL): Supervised Learning; Unsupervised Learning. Reinforcement Learning (RL).]

Referring to the flowchart in Figure 8, the ML approach is explored first. A study by Khoei et al. (2022) compares various machine learning approaches for detecting GPS spoofing attacks on UAVs. Their research evaluates nine different models, including both supervised models (Gaussian Naïve Bayes, CART, Random Forest, L-SVM, LR, ANN) and unsupervised models (PCA, K-means, Autoencoder). Through comprehensive performance analysis using metrics like accuracy, detection probability, and processing efficiency, they found that the Classification and Regression Decision Tree (CART) model outperforms others in effectively detecting GPS spoofing attacks on UAVs. Figure 9 shows the performance of various models.

Figure 9: Performance of different ML models in detecting GPS spoofing (Khoei et al., 2022).

Shafique et al. (2021) developed a machine learning approach to detect GPS spoofing attacks on UAVs by analysing signal characteristics. Their method utilizes Support Vector Machine (SVM) with polynomial kernel combined with K-fold analysis and voting techniques (hard and soft voting). The system classifies signals using features like jitter, shimmer, and frequency modulation. Their model achieved 99% accuracy in distinguishing between authentic and spoofed GPS signals, significantly outperforming previous detection systems. When it comes to timing specifically, Wei et al. (2022) developed an innovative GPS spoofing detection approach that exploits the statistical correlation between consecutive GPS signals.
Their method analyses the Power Spectral Density (PSD) of received GPS signals using a windowed approach, then applies a statistical runs test to quantify signal correlation. This correlation data trains supervised learning algorithms, particularly CART, to identify timing attacks. Their experimental results demonstrate detection rates exceeding 95% with minimal false alarms, effectively protecting Phasor Measurement Units (PMUs) from malicious time desynchronization in power grids. As in the previous study by Khoei et al. (2022), CART proves to be better at detecting spoofing. In another study, Iqbal et al. (2023-a) developed a machine learning approach that detects GPS spoofing attacks targeting Phasor Measurement Units without waiting for position-velocity-time solutions. They used Random Forest Classifier, Support Vector Machines, K-Nearest Neighbours, Gradient Boost, and Artificial Neural Network algorithms. Their framework extracts seven complementary features from radio frequency and tracking stages of GPS receivers, including received power and signal quality metrics. Testing five different classifiers on the TEXBAT dataset demonstrated over 99% detection accuracy with minimal false alarms, providing early warning capabilities that protect power grid synchronization integrity. While their previous work used traditional machine learning approaches, the same authors introduce a novel representation learning technique using Variational Autoencoders (VAE) in a different study. Iqbal et al. (2023-b) demonstrate that their VAE-based method can detect GPS timing spoofing attacks on synchrophasors by learning only from authentic signal patterns. This unsupervised approach outperforms supervised methods, especially on subtle attacks like DS-7, achieving 98% detection probability with only 2.5% false alarms, without requiring examples of all possible attack scenarios during training. Another study by Shereen et al.
(2022) uses Graph Signal Processing (GSP) to model power grid structures as graphs, allowing detection of PMU time synchronization attacks that traditional methods miss. Their approach combines GSP with machine learning algorithms to identify attacks with high accuracy, even those specifically designed to be undetectable by conventional methods.

Turning to the deep learning approach, extensive work has been done to mitigate GNSS spoofing, especially timing spoofing. Romaniuc et al. (2024) implemented a novel Long Short-Term Memory (LSTM) neural network to detect NTP spoofing attacks affecting GNSS-synchronized time servers. Their approach monitors key timing parameters, which include Modified Julian Date, Clock Offset, Roundtrip Delay, Dispersion, and RMS Jitter, and analyses their statistical patterns to identify anomalies. When tested against a simulated attack where timestamps were manipulated by 16 years, their LSTM algorithm successfully detected the attack by recognizing reconstruction errors between expected and actual timing values. Li et al. (2025) developed a real-time GNSS time spoofing detection framework that processes multi-satellite feature data using correlation coefficient screening and local standardization for efficient computation. They implemented AdaBoost, Random Forest, BP neural network, and SVM machine learning models with their framework, achieving F1 scores above 99% and reducing computation time by tenfold compared to traditional methods, with response times under 10 μs. Huang and Li (2022) developed a neural network approach for detecting GPS time synchronization attacks against PMUs by implementing "phase coding" to capture relationships between amplitude and phase angles in phasor measurements.
Their vector neural network with dynamic routing learns encoded relationship vectors, achieving over 95% detection accuracy across various IEEE bus systems while detecting multiple simultaneous attacks across up to five buses with better performance than traditional likelihood-based methods.

Lastly, turning to reinforcement learning approaches in GNSS spoofing detection, researchers have explored how autonomous learning agents can identify deception patterns without explicit programming. Ma et al. (2024) developed a novel deep reinforcement learning approach for UAV GPS spoofing that doesn't require prior knowledge of victim UAV reference trajectories or internal Kalman filtering parameters. Their Deep Reinforcement Learning-Navigation Deception (DRL-ND) algorithm generates deceptive position estimates based solely on radar-detected UAV motion information, using Twin Delayed Deep Deterministic Policy Gradient (TD3), Deep Deterministic Policy Gradient (DDPG), and Soft Actor-Critic (SAC) methods to learn optimal deception strategies that remain below detection thresholds while successfully redirecting UAVs to false destinations. In another study, Dasgupta et al. (2022) developed a deep reinforcement learning (DRL) approach for detecting GNSS spoofing attacks in autonomous vehicles that doesn't require predetermined rules. Their method uses low-cost in-vehicle sensor data to detect sophisticated turn-by-turn spoofing attacks by comparing predicted versus calculated distance travelled, achieving 99.99-100% accuracy and 100% recall in testing. The Deep Q-Network (DQN) agent intelligently adjusts detection thresholds to maximize spoofing identification while minimizing false positives, demonstrating how reinforcement learning can effectively model complex spoofing patterns through environmental interaction rather than relying on predefined rules.
While not specific to timing spoofing, RL can effectively model the complex patterns of spoofing attacks by learning from environmental data rather than relying on predefined rules or thresholds. Unlike traditional methods that require specific knowledge of attack characteristics, RL approaches can adapt to novel spoofing techniques through continuous learning. This also presents a research gap that needs to be addressed.

2.4 Challenges in Spoofing Detecting and Mitigation

Detecting GNSS timing spoofing presents several significant challenges due to the sophisticated nature of modern spoofing techniques. Radoš et al. (2024) emphasize that the increasing availability of low-cost software-defined radios (SDRs) has made spoofing more accessible to potential attackers, while detection methods must constantly evolve to counter these threats. A fundamental challenge is distinguishing between authentic signal degradation and spoofing, as Lee et al. (2023) note that concealed spoofing attacks must maintain synchronicity between satellite channels to avoid detection, requiring monitoring of clock bias changes across multiple satellites. Similarly, Gao et al. (2023) highlight that detecting slow-changing spoofing signals requires specialized filtering techniques, as subtle timing manipulations can evade traditional threshold-based detection methods. The detection challenge is particularly acute for timing applications, as spoofing attacks targeting time synchronization can be more subtle than position spoofing yet equally damaging to critical infrastructure. Lee et al.
(2020) reveal a key challenge in timing spoofing detection: smartphone GNSS receivers with high sensitivity may still be vulnerable when attackers target single constellations with elevated noise levels that mask authentic signals, making detection particularly difficult when multiple constellations aren't available for cross-verification.

When examining timing specifically, Wei et al. (2022) highlight that attackers can manipulate GPS timing by maliciously desynchronizing PMUs through ephemeris manipulation or signal propagation time alterations, with even small timing errors exceeding 26.5 μs potentially causing power grid blackouts. Traditional detection methods often struggle with subtle attacks where spoofers align carrier phase with authentic signals, as demonstrated by Iqbal et al. (2023-a) with the TEXBAT DS-7 dataset where supervised ML approaches achieved only 36% detection probability.

Romaniuc et al. (2024) note that timing synchronization vulnerabilities extend beyond power grids to critical infrastructures, with NTP spoofing attacks proving difficult to distinguish from normal operations. The challenge is further complicated by what Iqbal et al. (2023-b) describe as the "zero-day attack problem," where detectors must identify previously unseen attack patterns without exhaustive training on all possible scenarios. This suggests that unsupervised approaches like representation learning may provide more robust detection capabilities for emerging spoofing threats.

A significant challenge in GNSS timing spoofing detection involves distinguishing between environmental signal degradation and actual attacks, as Ma et al. (2024) noted that spoofing often mimics natural signal behaviour.
Developing reliable real-time detection systems is further complicated by computational constraints in receiver hardware (Dasgupta et al., 2022), while the diversity of spoofing techniques requires multi-modal detection approaches that monitor signal characteristics across domains (Zidan et al., 2020). Wei and Sikdar (2019) demonstrate that GNSS timing attacks can be particularly deceptive when implemented by inserting identical delays to all satellite signals, creating minimal pseudorange errors (below 5ns change in timing due to these errors) while still causing significant timing disruptions. This approach maintains consistent receiver location errors (283.6m) yet can effectively manipulate timing enough to threaten power grid operations. Such challenges necessitate adaptive algorithms, like the isolation forest approach utilized in this thesis, capable of identifying anomalous timing behaviour without extensive prior knowledge of specific attack vectors.

3 Jammertest Dataset and Experimental Setup

This chapter presents the methodology of this thesis and how the data was collected. Jammertest is an annual event held in Norway with the purpose of testing various spoofing and jamming conditions. Since this thesis takes data from Jammertest 2024, this chapter highlights how the data was collected and under what conditions.

3.1 Description of Jammertest Data

Jammertest is an annual event hosted in Andøya, Norway, which stands as the world's largest open test for PNT/GNSS resilience, challenging navigation and positioning systems against real-world interference (Jammertest, 2025). It is organized in partnership with national agencies such as the Norwegian Public Roads Administration, Communications Authority, and Defence Research Establishment, among others. This unique event offers four specialized test zones, namely Bleik, Starve, Grunnvatn and the airport site, as shown in Figure 10.
Participants face jamming, spoofing, and meaconing attacks under dynamic outdoor conditions at these sites, testing out their equipment. With its natural geography, Andøya allows for high-power signal transmission tests while limiting impacts on public infrastructure, which is the reason this site is used for Jammertest. Many articles with relevant results, both academic and industrial, continue to be published with the help of data gathered during Jammertest.

Figure 10: Different sites of Jammertest (2024-b)

Many tests were conducted during Jammertest, some focusing on spoofing and some on jamming attacks. Each test was given a unique event number, which identifies it and allows information about its conditions to be looked up in the log report. Since the useful data for this thesis is mainly gathered from Event 2.4.2, which was a dedicated timing spoofing experiment, this thesis will primarily focus on that event and explain the analysis performed on that data.

3.2 Data Collection Process and Preprocessing

The data was gathered by the researchers at the University of Vaasa using three main devices: the u-blox F9P receiver, a Samsung Galaxy A23, and a Google Pixel 6. Unfortunately, out of all the data collected, only the log from Event 2.4.2 in the Jammertest dataset was relevant for this thesis, as it was the only one associated with GNSS timing spoofing. Within that event, only the data recorded by the u-blox receiver appeared to contain timing spoofing signals. Both mobile phones were switched on after the spoofing had ended, making their data unusable for this analysis.

3.2.1 Receiver Details

The u-blox ZED-F9P-00b-02 GNSS receiver was utilized for data collection during Jammertest 2024. This device can receive GNSS signals from multiple satellite constellations including GPS, Galileo, BeiDou, and GLONASS. It features centimetre-level accuracy with multi-band RTK and integrated support for standard RTCM corrections.
The module exhibits a cold start time of 24 seconds and provides position accuracy of 0.01 m. Additionally, it incorporates active CW detection and removal capabilities with an onboard bandpass filter, along with sophisticated anti-spoofing algorithms such as Galileo open service navigation message authentication (OSNMA) (u-blox, 2024).

OSNMA is a cryptographic mechanism that allows users to verify the authenticity of navigation data, protecting against spoofing attacks by ensuring signals originate from legitimate Galileo satellites rather than malicious sources. It uses the Timed Efficient Stream Loss-tolerant Authentication (TESLA) protocol to provide cryptographic authentication data within the E1 I/NAV message to perform the checks (European GNSS Service Centre, 2025). The TESLA protocol is a broadcast authentication method using symmetric cryptography and loose time synchronization to make sure data is genuine (Perrig et al., 2002). However, in our case, the OSNMA feature of the u-blox receiver was switched off.

The receiver is installed on its module board, which makes it easier to connect it to external antennas and a computer to gather and view the data. The module features multiple communication interfaces including UART, SPI, I2C, and USB 2.0 FS. It operates on a voltage supply of 2.7-3.6 V with typical current consumption of 85 mA when tracking multiple constellations. The module can simultaneously track multiple satellite constellations (GPS, GLONASS, Galileo, BeiDou) on different frequency bands including L1/L2C for GPS, L1OF/L2OF for GLONASS, E1-B/C/E5b for Galileo, and B1I/B2I for BeiDou. It supports QZSS and various SBAS systems (WAAS, EGNOS, GAGAN, L1Sb) (u-blox, 2024). The USB and antenna are both connected on the bottom side as shown in Figure 11.

Figure 11: Frequencies of the ZED receiver (u-blox, 2024)

Figure 12: ZED-F9p-00b-02 with its board (ArduSimple, 2025)

The data produced by the receiver is in the ubx format.
A simple and straightforward way to view the data is the u-center software, the official software released by u-blox to configure receivers and replay their data. However, u-center lacks critical diagnosis of the data, and for that reason most of the analysis done during this thesis was completed using the pyubx2 Python library.

3.2.2 Test Details from Log

The data gathered during the time spoofing event in the ubx file spanned from 07:17 UTC to 08:45 UTC (Universal Time Coordinated) with a total duration of 1 hour, 27 minutes and 14 seconds. This data was collected in Bleik. The test logs from Jammertest 2024 provide detailed data on the tests conducted for various jamming and spoofing conditions (Jammertest, 2024-a). Since the log file is in Central European Summer Time (CEST), it is 2 hours ahead of UTC, so 9:04 CEST corresponds to 7:04 UTC. As our data starts from 7:17, it corresponds to the 9:17 entry in the log, when the spoofing power was at 0 dBm.

For the event 2.4.2, the spoofing of 900 seconds into the future started at 7:04 UTC (9:04 CEST) with an initial power of -35 dBm, which increased every two minutes in increments of 5 dBm. It went all the way up to 30 dBm and then had a sudden drop to -15 dBm for the event 4.2.3, which used a time offset of 3 minutes into the past. However, the u-blox F9P receiver showed excellent resilience and was only affected during the event 2.4.2 (see details in chapter 4). The ubx file also contains data from the 2.4.12 and 2.4.13 events, but those are irrelevant to the scope of this thesis. Details of the tests conducted during the duration of the ubx file are given in Table 1.

Table 1: Jammertest event details for the ubx file (Jammertest, 2024-a).
| Test ID | Test name | Date | Start (CEST) | Stop (CEST) | Comment | Jamming power (W) | Jamming power (dBm) | Spoofing power (dBm) |
|---|---|---|---|---|---|---|---|---|
| 2.4.2 | Time offset 15 minutes from real time, with power ramp | 2024-09-12 | 9.04.10 | 9.06.10 | | | | -35 |
| 2.4.2 | Time offset 15 minutes from real time, with power ramp | 2024-09-12 | 9.06.10 | 9.08.10 | | | | -30 |
| 2.4.2 | Time offset 15 minutes from real time, with power ramp | 2024-09-12 | 9.08.10 | 9.10.10 | | | | -25 |
| 2.4.2 | Time offset 15 minutes from real time, with power ramp | 2024-09-12 | 9.10.10 | 9.12.10 | | | | -20 |
| 2.4.2 | Time offset 15 minutes from real time, with power ramp | 2024-09-12 | 9.12.10 | 9.14.10 | | | | -15 |
| 2.4.2 | Time offset 15 minutes from real time, with power ramp | 2024-09-12 | 9.14.10 | 9.16.10 | | | | -10 |
| 2.4.2 | Time offset 15 minutes from real time, with power ramp | 2024-09-12 | 9.16.10 | 9.18.10 | | | | -5 |
| 2.4.2 | Time offset 15 minutes from real time, with power ramp | 2024-09-12 | 9.18.10 | 9.20.10 | | | | 0 |
| 2.4.2 | Time offset 15 minutes from real time, with power ramp | 2024-09-12 | 9.20.10 | 9.22.10 | | | | 5 |
| 2.4.2 | Time offset 15 minutes from real time, with power ramp | 2024-09-12 | 9.22.10 | 9.24.10 | | | | 10 |
| 2.4.2 | Time offset 15 minutes from real time, with power ramp | 2024-09-12 | 9.24.10 | 9.26.10 | | | | 15 |
| 2.4.2 | Time offset 15 minutes from real time, with power ramp | 2024-09-12 | 9.26.10 | 9.28.10 | Spoofing ramp continued higher than TP | | | 20 |
| 2.4.2 | Time offset 15 minutes from real time, with power ramp | 2024-09-12 | 9.28.10 | 9.30.10 | Spoofing ramp continued higher than TP | | | 25 |
| 2.4.2 | Time offset 15 minutes from real time, with power ramp | 2024-09-12 | 9.30.10 | 09:32:27 | Spoofing ramp continued higher than TP | | | 30 |
| 2.4.3 | Time offset -3 minutes from real time, with power jump | 2024-09-12 | 9.50.10 | 10.00.10 | | | | -20 |
| 2.4.3 | Time offset -3 minutes from real time, with power jump | 2024-09-12 | 10.00.10 | 10:05:16 | | | | 15 |
| 2.4.12 | Static + Pseudorange error | 2024-09-12 | 10.20.10 | 10:35:15 | Increasing pseudorange error in the test period of 5 to 15 min, up to 1800 m. This gives a pseudorange error of 3 m/s, equivalent to a time error of 9 ns/s. A total accumulated time error of 6 µs | | | 15 |
| 2.4.13 | Static + Pseudorange error, with initial and continuous jamming | 2024-09-12 | 10.50.08 | 10.50.21 | Initial jamming (E6, L2, E5b, L5) | | 35 | |
| 2.4.13 | Static + Pseudorange error, with initial and continuous jamming | 2024-09-12 | 10.50.21 | 10.55.19 | Jamming of L1, G1, B1I activated | | 35 | |
| 2.4.13 | Static + Pseudorange error, with initial and continuous jamming | 2024-09-12 | 10.55.19 | 10.55.23 | Spoofing activated. Spoofing power different than TP | | 35 | 15 |
| 2.4.13 | Static + Pseudorange error, with initial and continuous jamming | 2024-09-12 | 10.55.23 | 10.55.24 | Jamming of E5b deactivated | | 35 | 15 |
| 2.4.13 | Static + Pseudorange error, with initial and continuous jamming | 2024-09-12 | 10.55.24 | 10.55.25 | Jamming of L5 deactivated | | 35 | 15 |
| 2.4.13 | Static + Pseudorange error, with initial and continuous jamming | 2024-09-12 | 10.55.25 | 10.55.26 | Jamming of L2 deactivated | | 35 | 15 |
| 2.4.13 | Static + Pseudorange error, with initial and continuous jamming | 2024-09-12 | 10.55.26 | 11:05:21 | Jamming of L1 deactivated. Time error of 9 ns/s. A total accumulated time error of 6 µs | | 35 | 15 |

3.3 Testbed Setup and Assumptions

The data was collected using the u-blox F9P receiver as mentioned in section 3.2. Initially the receiver is at a fixed position (69.27547832 in latitude and 15.96832496 in longitude) and so is the spoofer. The spoofer is located at latitude 69.27547832 and longitude 15.96832496 with an altitude of 35 m (Jammertest, 2024-b). The distance between the spoofer and receiver can be determined using the Haversine formula, which calculates great-circle distances between two points on a sphere based on their respective longitudes and latitudes. This mathematical approach represents an approximation as it assumes Earth is spherical. In reality, Earth exists as an oblate spheroid with its radius varying from 6,357 km at the poles to 6,378 km at the equator (Moritz, 2000).
Despite this approximation, the Haversine formula is highly accurate for short distances, with an error margin of less than 0.5% (Azdy & Darnis, 2020) (Upadhyay, 2019) (Agafonkin, 2016). The formula is given in equation 1:

$$a = \sin^2\left(\frac{\Delta\mathrm{lat}}{2}\right) + \cos(\mathrm{lat}_1)\cdot\cos(\mathrm{lat}_2)\cdot\sin^2\left(\frac{\Delta\mathrm{lon}}{2}\right) \qquad (1)$$

where $\Delta\mathrm{lat}$ is the difference between latitudes and $\Delta\mathrm{lon}$ is the difference between longitudes. Once we have $a$, we can calculate the central angle $c$:

$$c = 2\cdot\arcsin\left(\sqrt{a}\right) \qquad (2)$$

After obtaining the central angle, we can finally compute the distance $d$ using:

$$d = R\cdot c \qquad (3)$$

where $R$ is the radius of Earth (approximately 6,371,000 meters). The distance between spoofer and receiver is then computed to be approximately 34.91 meters. Figure 13 shows it on a map:

Figure 13: Distance between receiver and spoofer.

This test employed a Cigarette-type (which could be mounted in a car’s cigarette port) GNSS spoofer with power ranging from 3.16e-07 W to 0.0316 W, targeting bands L1, L2, L5, E1, E5a, and E5b. The test aimed to evaluate equipment response to misleading GNSS-PNT information, particularly timing. The spoofed signals were not consistent with actual satellite transmissions; however, they successfully held the receiver's navigation fix at the intended location. These signals were generated from a stationary antenna using different ephemerides and spanned multiple GNSS bands and constellations. Some scenarios began with 5-minute jamming periods, while others featured continuous jamming. Tests were separated by breaks allowing receivers to get authentic satellite signals again. According to the Jammertest (2024-b), the transmitter had a range of a few hundred meters, so the receiver being only 35 meters away was well within the effective range.

4 Analysis of Timing Spoofing Event in Jammertest

The analysis of the .ubx file generated during the event 2.4.2 by the u-blox receiver was conducted using Python, specifically the pyubx2 library.
It was first developed around 2020 and was still receiving version updates as of April 2025 (semuadmin, 2025). The pyubx2 library is a Python 3 package designed to not only parse but also generate UBX protocol messages for u-blox GNSS/GPS devices. It supports UBX, NMEA 0183, and RTCM3 protocols, making it possible to extract and build GNSS data such as position, velocity, and time details (semuadmin, 2025). Since most of the analysis was done in the Google Colab environment, pyubx2 can be easily installed using the pip command. After installation, the UBXReader class is used to read and parse UBX, NMEA, and RTCM3 messages from different data streams.

    !pip install pyubx2
    from pyubx2 import UBXReader

4.1 Power and General Observations

The first analysis performed on the UBX file was checking when the receiver's time actually started to get spoofed. For this, we can examine the GNRMC message in the .ubx file (GN stands for GNSS and RMC stands for Required Minimum Specific) (Tavotech, n.d.). This message is part of the NMEA 0183 protocol, which is used for communication between marine electronics and GNSS receivers. It provides essential GNSS data such as time, date, position, speed, and course over ground. This information is crucial for navigation and tracking purposes. A sample GNRMC message from the ubx file is shown below, giving all the crucial information:

    ['071745.00', 'A', '6916.54516', 'N', '01558.07361', 'E', '0.013', '', '120924', '', '', 'A', 'V'], '_checksum': '1B', 'time': datetime.time(7, 17, 45), 'status': 'A', 'lat': 69.2757526667, 'NS': 'N', 'lon': 15.9678935, 'EW': 'E', 'spd': 0.013, 'cog': '', 'date': datetime.date(2024, 9, 12), 'mv': '', 'mvEW': '', 'posMode': 'A', 'navStatus': 'V'}

The yellow highlighted part in the message shows the timing information, the green one shows the location, and the blue one shows the speed. If the timing information showed any jumps in the GNRMC message, we could deduce that the receiver’s time was spoofed.
Since our data starts at 7:17:45 UTC when the spoofing power was 0 dBm, I assumed there was no spoofing at that time. A true time series was created, and the difference between it and the GNRMC message timestamps was observed, as shown in the graph of Figure 14:

Figure 14: Time jumps in the GNRMC messages

There are a total of 5235 GNRMC messages in the ubx file. The spoofing threshold is set to 30 seconds since the test log specifies a time jump of 15 minutes (900 seconds). As we can see from the graph in Figure 14, the receiver started to get spoofed at around 2024-09-12 07:30:44, ending at 2024-09-12 07:32:37, for a total duration of 1.88 minutes. We can further zoom in on the graph and make a power analysis to see how much spoofing power was required to get the receiver time spoofed.

Figure 15: Graph showing how different spoofing power affected the receiver, clipped until 7:40 UTC.

In Figure 16 we can see that the u-blox F9P receiver showed excellent resilience against the time spoofing signal, only getting spoofed when the spoofing signal was at the maximum power of 30 dBm. From the test log, we can see that the 30 dBm spoofed signal started at around 7:30:10 UTC and the receiver took approximately 34 seconds to get spoofed at that power. When the spoofer stopped working at 7:32:27, it took the receiver 10 seconds to return the time to its normal state at around 7:32:37.

Next, if we want to see how the position and speed were affected, we can again take a look at the GNRMC messages. Latitudes and longitudes can be converted into north and east coordinates using a local tangent plane approximation. The north component represents the distance in the north-south direction, while the east component represents the distance in the east-west direction, adjusted by the cosine of the reference latitude to account for meridian convergence.
This way, we can visualize them better, as conversion to north and east allows us to check for subtle position shifts in meters and see how the location was affected in what was otherwise a static event. The formulas for conversion are given in equations 4 and 5:

$$\mathrm{North} = (lat - lat_{ref})\cdot\frac{\pi}{180}\cdot R_{earth} \qquad (4)$$

$$\mathrm{East} = (lon - lon_{ref})\cdot\frac{\pi}{180}\cdot R_{earth}\cdot\cos\left(lat_{ref}\cdot\frac{\pi}{180}\right) \qquad (5)$$

where
• $lat$ and $lon$ are the latitude and longitude of a point
• $lat_{ref}$ and $lon_{ref}$ are the reference (starting) latitude and longitude
• $R_{earth}$ is the Earth's radius (6,378,137 meters)
• $\frac{\pi}{180}$ converts degrees to radians

Figure 16: Location parameter change during the spoofing event. Yellow indicates when receiver experienced time jump.

The graphs in Figure 16 show the changes in various GNSS parameters during the 2.4.2 event. The yellow-shaded area indicates the period when the receiver’s time was actually spoofed. An interesting observation is that even before the timing was spoofed, the receiver’s location and speed had already been spoofed and showed changes. Once the receiver completely lost authentic signals, it started to broadcast the last known fix, which is why the location and speed look recovered. The receiver suddenly appeared to travel approximately 1200 meters east and 400 meters south within one minute, reaching a maximum speed of 30 knots with a sudden stop, something that is not physically possible for a human or even a car unless it is an accident. These positional jumps happened when the spoofer was transmitting signals at around 20 – 25 dBm. The cause of this behaviour can be better understood by analysing the pseudorange graphs (see next section for more details). Another interesting observation is that the receiver has data points (taken from GNRMC) during the spoofing window, indicating the location; however, the same could not be said about the RAW messages that were used to derive this position. This discrepancy is also further explained in the next section.
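The time-jump check and the north/east conversion described in this section, as an added example that is not the thesis's own code (the thesis uses pyubx2; this sketch parses raw GNRMC sentences with the standard library only). Assumptions: the reference time series comes from a host clock's elapsed seconds, the 50 m static radius and all function names are illustrative, and the 12-fix scenario is constructed; only the first sentence is reassembled from the fields and checksum of the sample message shown above.

```python
import math
from datetime import datetime, timedelta, timezone

R_EARTH = 6378137.0        # Earth radius from equations 4 and 5, metres
JUMP_THRESHOLD_S = 30.0    # time-offset threshold used in section 4.1
STATIC_RADIUS_M = 50.0     # assumed tolerance for a fixed antenna (not from the thesis)

# GNRMC sentence reassembled from the field list and checksum shown in section 4.1
PAGE_SAMPLE = "$GNRMC,071745.00,A,6916.54516,N,01558.07361,E,0.013,,120924,,,A,V*1B"


def nmea_checksum(body):
    """XOR of every character between '$' and '*', as two hex digits."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return f"{cs:02X}"


def dm_to_deg(value, hemi):
    """NMEA (d)ddmm.mmmmm plus hemisphere -> signed decimal degrees."""
    raw = float(value)
    deg = int(raw // 100)
    dec = deg + (raw - 100 * deg) / 60.0
    return -dec if hemi in ("S", "W") else dec


def parse_rmc(sentence):
    """Parse one RMC sentence; a corrupted sentence raises ValueError."""
    body, _, cs = sentence.strip().lstrip("$").partition("*")
    if nmea_checksum(body) != cs.upper():
        raise ValueError("NMEA checksum mismatch")
    f = body.split(",")
    utc = datetime.strptime(f[9] + f[1][:6], "%d%m%y%H%M%S").replace(tzinfo=timezone.utc)
    return {"utc": utc, "status": f[2],
            "lat": dm_to_deg(f[3], f[4]), "lon": dm_to_deg(f[5], f[6])}


def to_north_east(lat, lon, lat_ref, lon_ref):
    """Equations 4 and 5: offsets in metres on the local tangent plane."""
    north = math.radians(lat - lat_ref) * R_EARTH
    east = math.radians(lon - lon_ref) * R_EARTH * math.cos(math.radians(lat_ref))
    return north, east


def analyse(samples, threshold_s=JUMP_THRESHOLD_S, radius_m=STATIC_RADIUS_M):
    """samples: (host_elapsed_s, sentence) pairs. The first fix is the trusted
    reference; expected UTC is its time plus the host clock's elapsed seconds."""
    rows, ref, t0 = [], None, None
    for elapsed, sentence in samples:
        fix = parse_rmc(sentence)
        if ref is None:
            ref, t0 = fix, elapsed
        expected = ref["utc"] + timedelta(seconds=elapsed - t0)
        offset = (fix["utc"] - expected).total_seconds()
        north, east = to_north_east(fix["lat"], fix["lon"], ref["lat"], ref["lon"])
        rows.append({"elapsed": elapsed, "status": fix["status"], "offset_s": offset,
                     "north_m": north, "east_m": east, "time_jump": abs(offset) > threshold_s,
                     "moved": math.hypot(north, east) > radius_m})
    return rows


def first_alarm(rows, key):
    """Host time of the first fix that raises the given flag, or None."""
    return next((r["elapsed"] for r in rows if r[key]), None)


def make_rmc(utc, lat, lon, status="A"):
    """Build a constructed GNRMC sentence for the sample scenario below."""
    def dm(v, width):
        d = int(abs(v))
        return f"{d:0{width}d}{(abs(v) - d) * 60:08.5f}"
    ns, ew = ("N" if lat >= 0 else "S"), ("E" if lon >= 0 else "W")
    body = (f"GNRMC,{utc:%H%M%S}.00,{status},{dm(lat, 2)},{ns},"
            f"{dm(lon, 3)},{ew},0.013,,{utc:%d%m%y},,,A,V")
    return f"${body}*{nmea_checksum(body)}"


def build_samples():
    """Constructed 1 Hz scenario (not thesis data): clean fixes, a position
    pull-off, a +900 s time jump flagged 'V', then recovery."""
    ref = parse_rmc(PAGE_SAMPLE)
    samples = [(0, PAGE_SAMPLE)]
    for t in range(1, 12):
        lat, lon, shift, status = ref["lat"], ref["lon"], 0, "A"
        if t in (4, 5):                  # position dragged south-east
            lat, lon = lat - 0.0036, lon + 0.0304
        elif t in (6, 7, 8):             # spoofed time, last known position
            shift, status = 900, "V"
        utc = ref["utc"] + timedelta(seconds=t + shift)
        samples.append((t, make_rmc(utc, lat, lon, status)))
    return samples


if __name__ == "__main__":
    rows = analyse(build_samples())
    print("first position alarm at", first_alarm(rows, "moved"), "s")
    print("first time alarm at", first_alarm(rows, "time_jump"), "s")
```

On the constructed scenario the position alarm fires before the time alarm, the same ordering the thesis reports for event 2.4.2, where location and speed were disturbed before the time jump.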
Next, we can take a look at the HDOP (horizontal dilution of precision). HDOP is a measure of how satellite geometry affects the accuracy of GNSS horizontal positioning (Kaplan & Hegarty, 2006, p. 327). Lower HDOP values indicate better satellite geometry and more accurate positioning. This means more satellites are in Line of Sight (LOS) of the receiver and it is receiving better signal quality. As Kaplan and Hegarty (2006, p. 328) explain, HDOP represents the ratio between horizontal position error and the User Equivalent Range Error (which is the standard deviation of pseudorange measurement errors (Kaplan & Hegarty, 2006, p. 327)), providing a numerical indicator of positioning reliability. The HDOP is extracted from the GNGGA message, another NMEA message format, which contains information about HDOP and the number of satellites used in the location estimate (NovAtel, n.d.-a).

Coming to our graph, we can clearly see a rise in HDOP values when the receiver is getting spoofed. This is happening because the receiver is not catching signals from satellites but instead from the spoofer, making the value of HDOP as high as 99, which practically means that no satellites were being read during that time. Even before the receiver time is spoofed at 7:30:10 UTC, the location and speed are already getting spoofed as shown in Figure 16, something which can be verified from the HDOP graph in Figure 17. Once the spoofing period ends, we observe HDOP values returning to normal, indicating that the receiver is now getting normal signals.

Figure 17: HDOP graph with respect to time

These are all the behaviours observed on the navigation layer of the message. In the next section, the raw data and its behaviour are studied during the timing spoofing event.

4.2 Pseudoranges and Other Raw Observations

Pseudorange is the measure of physical distance between a satellite and a receiver which is used to estimate the location of the receiver.
It is called "pseudo" because it includes various errors such as satellite clock errors, atmospheric delays, and multipath effects (He et al., 2020) (Yuanfa, Xigang, & Huli, 2009). It is one of the most fundamental raw measurements used in position estimation. Other raw data include C/N0 (Carrier-to-Noise-Density ratio), carrier phase and the Doppler shift.

C/N0 is a measure of signal strength that indicates the quality of the received GNSS signal, expressed in dB-Hz. It represents the ratio of carrier power to noise power spectral density; the higher the value, the better the signal quality (Ma et al., 2024). Carrier phase is the measurement of the phase of the incoming satellite signal's carrier wave, providing significantly more precise measurements than pseudorange but requiring resolution of the integer ambiguity of the carrier cycles (Feng et al., 2012). Doppler shift is the frequency change in the received satellite signal due to the relative motion between the satellite and receiver, which can be used to determine velocity and assist in position calculations (Rouan, 2023).

These four measurements work together to provide comprehensive positioning solutions. Navigation algorithms typically integrate all these measurements through techniques like Kalman filtering to produce optimal position, velocity, and timing solutions while minimizing the impact of measurement errors and environmental interferences (Tondaś et al., 2023).

Now coming to our event 2.4.2, we can look at all the raw measurements one by one during the timing spoofing attack. For this we will check the RXM-RAWX message, which contains the raw data. In the raw message format, pseudorange is denoted by C1C, C/N0 by S1C, carrier phase by L1C, and Doppler by D1C. In order to extract data and make streamlined plots, a Receiver Independent Exchange Format (RINEX) file containing these four measurements was created from the .ubx file.
RINEX format serves as the standardized data structure utilized worldwide for sharing and processing GPS observations collected from the extensive network of IGS tracking stations, enabling diverse international research efforts in geodesy and atmospheric science (Jin, 2012, p. 360). Since many data points were either missing or had unrealistic values, libraries like georinex or software such as RTKLIB couldn’t be used, and instead custom Python functions were written to parse the RINEX file.

Figure 18: Pseudoranges of the whole ubx file showing all satellite systems. From left to right, the first row shows GPS and then Galileo. The second row shows GLONASS and BeiDou.

Figure 18 depicts the C1C observations or pseudoranges for all four satellite systems during the entire duration of the data collected in the ubx file. G is for GPS, E is for Galileo, R is for GLONASS, and C is for BeiDou. QZSS is ignored during the analysis due to its unavailability during the spoofing event in the geographical location at Bleik. Since the spoofer was mostly affecting the GPS and Galileo satellite systems, we can see that these are the most affected. According to the Jammertest log (2024-a), event 2.4.2 ended at around 7:32 UTC, so we will mostly focus on the disturbances caused during that time. In the whole diagram, we can also see the effects of jamming and pseudorange errors occurring later in the ubx file, but they are out of scope of this thesis. Now let’s first zoom in on the C1C observations that were recorded during the 2.4.2 event, as shown in Figure 19.

Figure 19: Pseudoranges during the 2.4.2 spoofing event

The first observation we can make from Figure 19 is obvious: the spoofer was actively preventing the receiver from connecting to the satellites, leaving it void of any useful raw data during the spoofing event.
As seen in the shaded area, which represents the time when the receiver’s time was spoofed, only a few measurements from GPS and Galileo were recorded. The GLONASS system stopped working even a few minutes earlier than the time jump, approximately when the location was being spoofed. As for BeiDou, a few satellites such as C32 were visible close to the time jump, but as soon as the time jump occurred, they also disappeared. When the spoofing was turned off, the receiver recalibrated itself, and within 10 seconds all the satellite constellations were visible again, allowing the receiver to obtain a location fix.

Figure 20: Carrier Phase during the 2.4.2 spoofing event

Just like the pseudorange graphs, carrier phase shows a similar trend. For GPS and Galileo, there are multiple stable carrier phase measurements before the spoofing event, and as the raw data becomes unavailable during the time jump, so do the carrier phase measurements. For GLONASS and BeiDou, both show greater carrier instability and erratic behaviour before the time jump, with BeiDou in particular showing cycle slips in C16 and C33. These cycle slips occur when a receiver temporarily loses lock on the satellite signal's carrier wave and then reacquires it. When this happens, the receiver's phase tracking loop can't maintain count of the exact number of complete wavelengths between the satellite and receiver (Hu & Fang, 2009). This is likely caused by fluctuating signal strength (something could be blocking it) as seen earlier in the C/N0 graphs, or by the satellite geometry, since these satellites appear to be furthest away as indicated by the pseudorange graphs. Once the spoofer is turned off, everything returns to normal except a few fluctuations in carrier phase in GLONASS, which could be due to dropping signal strength.

Figure 21: Doppler shift during the 2.4.2 spoofing event

Lastly, observing the Doppler shift graphs, we again see a similar trend.
Data is mostly unavailable during the time jump. GPS shows some oscillating patterns, indicating changing relative velocities of the satellites. Galileo has fewer visible satellites but shows more stable Doppler measurements than GPS. For GLONASS, some signals show abrupt changes before disappearing, a likely indication that something is wrong. For BeiDou, some satellites exhibit unusual patterns with rapid changes and frequent jumps, again due to low signal quality and cycle slips as seen in the carrier phase graphs. Once the spoofer is turned off, the Doppler shift returns to normal except for a few fluctuations in GLONASS in a satellite that is receding from the receiver.

As indicated in section 4.1, the receiver does have a location despite not having the raw data available during the time jump. When observing the location and speed, the receiver is simply outputting the last known value, hence creating an illusion of position despite not having any data. In the next chapter we can see that the receiver was marking the solution as invalid (a traditional way of detecting spoofing, or simply a solution availability limitation due to degraded signal environments such as indoors or tunnels), so whatever position solution it was outputting was simply of no use. Although the plots show a complete lack of data during the known time jump period, some satellites (either 1 or 2 at times) were still visible. They were simply not enough to compute any position, since a minimum of four satellites is needed to compute location and time.

5 Traditional Detection

As explained in chapter 2, there are many ways to detect if the receiver is spoofed. The method that can be relied on with the u-blox receiver is its validity flag, which illustrates solution availability and trustworthiness. In this chapter we look at the validity flag, the pseudorange RMS errors and the C/N0 to check if the receiver was correctly identifying the interference.
Referring to the flowchart in Figure 5, detection is studied using the signal analysis method (C/N0), the validity flag and the positioning method (pseudorange RMS errors).

5.1 Signal Analysis Method

The signal analysis method used is a power analysis approach, or more precisely a method focusing on the C/N0 values of the incoming signals.

Figure 22: C/N0 during the spoofing period

Looking at the C/N0 graph in Figure 23, a big gap can be observed during the spoofing period. The GPS signal strength remained within 20-50 dB-Hz for event 2.4.2. Satellite G02 showed the highest fluctuation, ranging from 22 to 52, even achieving a high signal strength of 50 during the time jump but quickly fading afterwards when the power of the spoofer was too high. Similarly, E05 from Galileo was the only satellite showing some resilience during the time jumps, but its signal also died down once the receiver started to experience the time jump. For the Russian GLONASS and Chinese BeiDou, both showed similar patterns, with their C/N0 declining as the spoofer's power increased, eventually disappearing altogether a few minutes before the time jump. They also had relatively low signal strength compared to the other two satellite systems. Once the spoofer was turned off, just like before, every satellite system returned to normal within 10 seconds.

Next, we can check the carrier phase measurements. As stated by Radoš et al. (2024), the C/N0 tends to increase during the spoofing period. Figure 24 shows the sparse values of the satellites' raw data during the spoofing period.

Figure 23: Raw measurements sample with C/N0 highlighted. These are in dB/Hz.

Judging from the given values in Figure 24, mostly the GPS satellites consistently maintain high signal-to-noise ratio values.
While this could be a potential indication of interference, the lower values from other satellites throw off the entire reading and make it difficult to conclude whether that is a result of interference or just naturally good signal strength at the time. Therefore, it can be safely concluded that signal-to-noise ratio is not very helpful in detecting a time spoofing attempt in this case.

5.2 Positioning Method

Next, we can look at the pseudorange RMS errors, which are part of a positioning-level detection method. The RMS error in pseudorange measurements represents the statistical deviation between expected and actual signal readings. These discrepancies stem from multiple sources including satellite clock inaccuracies, ionospheric and tropospheric errors, and equipment-related noise factors. Spoofing detection methodologies can identify potential threats by examining variations in pseudorange measurements across consecutive time intervals, revealing anomalous patterns that would indicate signal manipulation attempts (Shang et al., 2022) (Angrisano et al., 2013). RMS errors of the whole .ubx file are plotted in Figure 24.

Figure 24: Averaged pseudorange RMS errors in the ubx file

These errors were extracted from RXM-MEASX messages, which is another format of raw data available within a u-blox receiver. Upon closer examination of the graph in Figure 25, we notice straight lines at our time jump points. Since we have already analysed the raw measurements, it can be concluded that this is due to the unavailability of raw data. These straight lines, although resulting from a lack of measurements, can also indicate that something is wrong and that the data gathered during this period is likely invalid.

5.3 Validity Flag Method

For even better understanding, the validity flag, which is part of the NMEA analysis method, is studied next. Figure 26 shows the data validity plot from 7:18 UTC to 7:40 (duration of the 2.4.2 event).
Figure 25: GNRMC message status

The validity flag was extracted from the GNRMC messages. In the GNRMC message, "A" or "Autonomous" stands for a valid solution and "V" is for an invalid solution. In Figure 26, we can see that the u-blox receiver was correctly identifying the spoofing region. It marked the whole region as invalid and was 100% detecting that something was wrong.

However, looking at the number of parsed messages, something peculiar is noticed. The receiver is missing data for almost two minutes, the same period in which the time jump was in effect. Since Figure 25 is a continuous plot, those missing points are also marked as invalid. If the receiver had moved indoors and GNSS data became unavailable, it would also have been marked invalid.

Another thing we notice is that the receiver started to mark messages as invalid even before the time jump occurred. This is because location and speed were affected before the time was spoofed. However, it is still giving some valid messages, struggling between validity and invalidity. If this is taken as an indicator for time spoofing in the many applications where only timing is required and location/speed aren't needed (such as in grid time synchronization), these fluctuations before the time jump could act as an early warning, even though they are false positives if only taking timing spoofing into consideration