The proposed method focuses on designing a TSA by solving an optimization problem. The attack is designed by taking the idea from the proposed method in [14] and changing the ephemerides variables. In this method, the amount of receiver clock offset can be maximized by changing the ephemerides and the receiver location and solving the optimization problem with new optimization algorithms such as Chimp Optimization Algorithm (ChoA) [17], Grey Wolf Optimization (GWO) [18] and Particle Swarm Optimization (PSO) [19]. Changes in receiver position and satellite location are bounded to avoid detection by protection schemes. These boundaries are used in solving the optimization problem.

## 3.2. Positioning

The primary purpose of GPS navigation is to estimate the position, velocity, and time of the receiver at any given time, known as the PVT solution. In this section, the radio navigation method used in GPS is briefly described. The GPS receiver uses satellite range signals which contain satellite parameters such as ephemerides data to estimate the satellite position for determining the user's position. The position of the user (GPS receiver) can be shown in the Earth-Center, Earth Fixed (ECEF) coordinate as \({s}_{u}=({x}_{u}.{y}_{u}.{z}_{u})\) [21].

Similarly, the position of the *n*th satellite for *N = 1, 2, …, N* during each satellite transmission time \({t}_{n}\) is displayed as \({s}_{n}=\left({x}_{n}\left( {t}_{n}\right), {y}_{n}\left( {t}_{n}\right),{z}_{n}\left( {t}_{n}\right)\right)\). In addition, it should be noted that the signal reception time at the receiver is \({t}_{r}\). The actual distance between the user and the satellite can be defined as \({d}_{n}={‖{s}_{n}-{s}_{u}‖}_{2}\), where \({\left|\right|}_{2}\) represents the 2-norm. The distance can be expressed as the difference between the time of signal transmitting and receiving as \({d}_{n}=c\left({t}_{r}^{GPS}-{t}_{n}^{GPS}\right)\) where \({t}_{r}^{GPS}\) and \({t}_{n}^{GPS}\) are the exact time of sending and receiving, respectively, and *c* is the speed of light propagation. By introducing the receiver time offset, the receiver clock inaccuracy is modeled as \({{t}_{r}=t}_{r}^{GPS}+{b}_{u}\)and similarly for the satellite transmission time as \({{t}_{n}=t}_{n}^{GPS}+{b}_{n}\) that \({b}_{u}\)and \({b}_{n}\) shows the receiver and satellite clock offset [1]. The presence of this offset makes the measured distance different from the real value. This measured value \({\rho }_{n}=c\left({t}_{r}-{t}_{n}\right)\) is called pseudo-range. The pseudo-range relation can be expressed using the real range\({d}_{n}:\)

$${\rho }_{n}={‖{s}_{n}-{s}_{u}‖}_{2}+\text{c}\left({b}_{u}-{b}_{n}\right)+{\epsilon }_{{\rho }_{n}}$$

5

Table 1

Coordinate system elements.

WGS 84 value of the earth's gravitational constant for GPS user | \({\mu }=3.986005\mathbf{*}{10}^{14}{{m}{e}{t}{e}{r}{s}}^{3}/{{s}{e}{c}}^{2}\) |

**WGS 84 value of the earth's rotation rate** | \({\dot{{\Omega }}}_{{e}}=7.2921151467\mathbf{*}{10}^{-5}{r}{a}{d}/{s}{e}{c}\) |

**Semi-major axis** | \({A}={\left(\sqrt{{A}}\right)}^{2}\) |

**Computed mean motion (rad/sec)** | \({{n}}_{0}=\sqrt{\frac{{\mu }}{{{A}}^{3}}}\) |

**Time from ephemeris reference epoch** | \({{t}}_{{k}}={t}-{{t}}_{{o}{e}}^{\mathbf{*}}\) |

**Corrected mean motion** | \({n}={{n}}_{0}+\varDelta {n}\) |

**Mean anomaly** | \({{M}}_{{k}}={{M}}_{0}+{n}{{t}}_{{k}}\) |

**Kepler's equation for eccentric anomaly (may be solved** **by iteration) (radians)** | \({{M}}_{{k}}={{E}}_{{k}}-{e} {s}{i}{n}{ {E}}_{{k}}\) |

**True anomaly** | \({{v}}_{{k}}={\mathbf{tan}}^{-1}\left\{\frac{\mathbf{sin}{{v}}_{{k}}}{\mathbf{cos}{{v}}_{{k}}}\right\}\) \(={\mathbf{tan}}^{-1}\left\{\frac{\sqrt{1-{{e}}^{2}}\mathbf{sin}{{E}}_{{k}}/(1-{e}\mathbf{cos}{{E}}_{{k}})}{(\mathbf{cos}{{E}}_{{k}}-{e})/(1-{e}\mathbf{cos}{{E}}_{{k}})}\right\}\) |

**Eccentric anomaly** | \({{E}}_{{k}}={\mathbf{cos}}^{-1}\left\{\frac{{e}+\mathbf{cos}{{v}}_{{k}}}{1+{e}\mathbf{cos}{{v}}_{{k}}}\right\}\) |

**Argument of latitude** | \({{\varphi }}_{{k}}={{v}}_{{k}}+{\omega }\) |

**Second harmonic perturbations** | \({{\delta }{u}}_{{k}}={{C}}_{{u}{s}}\mathbf{sin}2{{\varphi }}_{{k}}+{{C}}_{{u}{c}}\mathbf{cos}2{{\varphi }}_{{k}}\) \({{\delta }{r}}_{{k}}={{C}}_{{r}{s}}\mathbf{sin}2{{\varphi }}_{{k}}+{{C}}_{{r}{c}}\mathbf{cos}2{{\varphi }}_{{k}}\) \({{\delta }{i}}_{{k}}={{C}}_{{i}{s}}\mathbf{sin}2{{\varphi }}_{{k}}+{{C}}_{{i}{c}}\mathbf{cos}2{{\varphi }}_{{k}}\) |

**Corrected argument of latitude** | \({{u}}_{{k}}={{\varphi }}_{{k}}+{{\delta }{u}}_{{k}}\) |

**Corrected radius** | \({{r}}_{{k}}={A}\left(1-{e}\mathbf{cos}{{E}}_{{k}}\right)+{{\delta }{r}}_{{k}}\) |

**Corrected inclination** | \({{i}}_{{k}}={{i}}_{0}+{{\delta }{i}}_{{k}}+\left({I}{D}{O}{T}\right){{t}}_{{k}}\) |

**Positions in orbital plane** | \({{x}}_{{k}}^{\mathbf{{\prime }}}={{r}}_{{k}}\mathbf{cos}{{u}}_{{k}}\) \({{y}}_{{k}}^{\mathbf{{\prime }}}={{r}}_{{k}}\mathbf{sin}{{u}}_{{k}}\) |

**Corrected longitude of ascending node** | \({{\Omega }}_{{k}}= {{\Omega }}_{0}+\dot{({\Omega }}-{\dot{{\Omega }}}_{{e}}){{t}}_{{k}}-{\dot{{\Omega }}}_{{e}}{{t}}_{{o}{e}}\) |

**Earth-fixed coordinates** | \({{x}}_{{k}}={{x}}_{{k}}^{\mathbf{{\prime }}}\mathbf{cos}{{\Omega }}_{{k}}-{{y}}_{{k}}^{\mathbf{{\prime }}}\mathbf{cos}{{i}}_{{k}}\mathbf{sin}{{\Omega }}_{{k}}\) \({{y}}_{{k}}={{x}}_{{k}}^{\mathbf{{\prime }}}\mathbf{sin}{{\Omega }}_{{k}}+{{y}}_{{k}}^{\mathbf{{\prime }}}\mathbf{cos}{{i}}_{{k}}\mathbf{cos}{{\Omega }}_{{k}}\) \({{z}}_{{k}}={{y}}_{{k}}^{\mathbf{{\prime }}}\mathbf{sin}{{i}}_{{k}}\) |

where \({s}_{n}\) is the satellite position at the time of transmission, \({s}_{u}\) is the receiver position at the time of reception, \({b}_{u}\) and \({b}_{n}\) are the change in the clock of the receiver and the satellite (in seconds) and \({\epsilon }_{{\rho }_{n}}\) is combined errors due to atmospheric delays and thermal noise, respectively. Pseudo-range, satellite locations, and satellite clock offset are recognized or calculated by the receiver, while \({s}_{u}\) and \({b}_{u}\) are estimated using the pseudo-range relation.

Similarly, the receiver can measure the Doppler (residual) frequency change above the carrier frequency due to the relative difference between the \({v}_{n}\)as satellite speed and the \({v}_{u}\) as user speed, which is also expressed in three-dimensional coordinates. This estimated Doppler residue is related to the rate at which the pseudo-range measurement changes over time and is denoted by \({\dot{\rho }}_{n}\) (in meters per second). The pseudo-range rate is expressed as Eq. (6):

$${\dot{\rho }}_{n}={( {v}_{n}- {v}_{u})}^{T}\frac{{s}_{n}-{s}_{u}}{{‖{s}_{n}-{s}_{u}‖}_{2}}+\dot{{b}_{u}}+{\epsilon }_{{\dot{\rho }}_{n}}$$

6

where \({v}_{n}\) is the satellite’s speed obtained from the navigation message, \({v}_{u}\) is the user’s speed, \(\dot{{b}_{u}}\) is the clock drift, and \({\epsilon }_{{\dot{\rho }}_{n}}\) is the modeled noise. Similarly to Eq. (5), the unknowns to be estimated from Eq. (6) are \({b}_{u}\)and \({v}_{n}\). For a typical receiver, the goal of PVT is to obtain the user’s position, speed, clock offset, and the clock drift. This includes a total of eight unknown variables, usually calculated by Weighted Least Squares (WLS) or dynamically using the Extended Kalman Filter (EKF). The dynamic state equation of an eight-state EKF is equivalent to a stochastic walking model [18]:

$${x}_{k}=\underset{{F}_{k}}{\underset{⏟}{\left(\begin{array}{c}\varphi 0 0 0\\ 0 \varphi 0 0\\ 0 0 \varphi 0\\ 0 0 0 \varphi \end{array}\right)}{x}_{k-1}+{w}_{k}}$$

7

where \(x\equiv {[{x}_{u},{\dot{x}}_{u},{y}_{u},{\dot{y}}_{u},{z}_{u},{\dot{z}}_{u},{cb}_{u},{c\dot{b}}_{u}]}^{T}\) state vector, \({cb}_{u} and {c\dot{b}}_{u}\) are the clock offset and clock drift of the user, \({(x}_{u},{y}_{u},{z}_{u}\)) is the user location in meters, \(\left({\dot{x}}_{u},{\dot{y}}_{u},{\dot{z}}_{u}\right)\)indicates the user speed in m/s, the \({w}_{k}\) is process noise, and ϕ is a transition state matrix for the discrete time instant *k* that belongs to each position-velocity and \(\varphi\) is defined as Eq. (8) [1,21]:

$$\varphi =\left[\begin{array}{cc}1& \varDelta t\\ 0& 1\end{array}\right]$$

8

In which, the ∆t is discrete time instant for any measurement. The measurements given by the Eq.s (5) and (6) are used for pseudo-range, the pseudo-range rate, and eight-state EKF, Eq. (7) is used for dynamic PVT solving. For a static receiver, the position of the receiver (\({s}_{u})\) is determined, and \({v}_{u}\) is assume zero; therefore, only clock offset and drift should be estimated. The pseudo-range relationships and pseudo-range rate relationships are expressed as:

$$\left[\begin{array}{c}{cb}_{u}\left[k\right]\\ {c\dot{b}}_{u}\left[k\right]\end{array}\right]=\varphi \left[\begin{array}{c}{cb}_{u}[k-1]\\ {c\dot{b}}_{u}[k-1]\end{array}\right]+w\left[k\right]$$

9

$$\left[\begin{array}{c}\rho \left[k\right]\\ \dot{\rho }\left[k\right]\end{array}\right]=\text{C}\left[\begin{array}{c}{cb}_{u}\left(k\right)\\ {c\dot{b}}_{u}\left(k\right)\end{array}\right]+{c}_{l}\left[k\right]+ϵ\left[k\right]$$

10

$$C=\left[\begin{array}{cc}{1}_{N*1}& {0}_{N*1}\\ {0}_{N*1}& {1}_{N*1}\end{array}\right]$$

11

$${c}_{l}\left[k\right]=\left[\begin{array}{c}\begin{array}{c}‖{s}_{1}\left[k\right]-{s}_{u}\left[k\right]‖-c{b}_{1}\left[k\right]\\ ⋮\\ ‖{s}_{N}\left[k\right]-{s}_{u}\left[k\right]‖-c{b}_{N}\left[k\right]\end{array}\\ {\left( {v}_{1}\right[k]- {v}_{u}[k\left]\right)}^{T}\frac{{s}_{1}\left[k\right]-{s}_{u}\left[k\right]}{{‖{s}_{1}\left[k\right]-{s}_{u}\left[k\right]‖}_{2}}-{c\dot{b}}_{1}\left[k\right]\\ \begin{array}{c}⋮\\ {\left( {v}_{N}\right[k]- {v}_{u}[k\left]\right)}^{T}\frac{{s}_{N}\left[k\right]-{s}_{u}\left[k\right]}{{‖{s}_{N}\left[k\right]-{s}_{u}\left[k\right]‖}_{2}}-{c\dot{b}}_{N}\left[k\right]\end{array}\end{array}\right]$$

12

where *w* and *ϵ[k]* indicate the measurement noise. The \({c}_{l}\) vector is based on the specified parameters of position, speed and clock of the receiver.

## 3.3. Explain the Problem

The purpose of solving this problem is to maximize the difference between the receiver clock offset before and after the attack, while the GPS receiver may implement some kind of spoof detection scheme. In the most general case, constraints are set on the absolute value of the difference between: (1) the actual receiver position (calculated by real GPS signals) and the receiver position calculated with spoofed GPS signals, (2) real ephemerides and spoofed ephemerides, (3) real satellite positions and spoofed satellite positions, and (4) real pseudo-ranges and spoofed pseudo-ranges. For example, for the absolute value of the difference in the receiver position before and after the attack, the boundaries should be set such that the change in the receiver position after the attack is less than the level of position accuracy provided by the GPS receiver. In addition, for the absolute value of the difference between the actual satellite positions and the spoofed satellite positions, the constraints should be set such that the change in the position of the calculated satellite after the attack is less than the margin of the GPS almanac error. In the optimization problem, the decision variables are ephemerides and the receiver position.

For four satellites in-sight the clock offset \({t}_{u}\) is expressed as Eq. (13) [14]:

$${t}_{u}=\frac{-1}{4 c}\sum _{i=1}^{4}({\rho }_{i}-{r}_{i}\left({\stackrel{-}{s}}_{i},{\stackrel{-}{s}}_{u}\right))$$

13

where \({\stackrel{-}{s}}_{i}\) is the position vector of the satellite and \({\stackrel{-}{s}}_{u}\) is the position vector of the receiver. The dependence between the satellite position vector and the receiver position vector is demonstrated. The position of the satellite is also influenced by ephemerides through the relations mentioned in Table 1. In the optimization problem, the receiver clock offset should be maximized as follows:

$$\underset{{\stackrel{-}{s}}_{u},{\stackrel{-}{\delta }}_{i},{\rho }_{i}}{\text{maximize }}{({t}_{u}-{t}_{u}^{*})}^{2}$$

$$subject to {\rho }_{i}={r}_{i}-c{t}_{u} i=\text{1,2},\text{3,4}$$

$$\left|{s}_{u}\left(l\right)-{s}_{u}^{*}\left(l\right)\right|\le {\epsilon }_{{s}_{u}}\left(l\right) l=\text{1,2},3$$

$$\left|{\delta }_{i} \left(j\right)-{{\delta } }_{i}^{*}\left(j\right)\right|\le {\epsilon }_{{\delta }_{i}}\left(j\right) j=\text{1,2},3,\dots m$$

$$\left|{s}_{i}\left(k\right)-{s}_{i}^{*}\left(k\right)\right|\le {\epsilon }_{{s}_{i}}\left(k\right) k=\text{1,2},3$$

14

The difference between the values of the decision variables \({s}_{u}\), \({\delta }_{i}\)and their pre-attack values (denoted by *) are bounded by \({\epsilon }_{{s}_{u}}\)and \({\epsilon }_{{\delta }_{i}}\), respectively. Also, the change of position of the satellite is limited by \({\epsilon }_{{s}_{i}}\). If the receiver does not consider sudden changes as a way to detect spoofing attack, then these limits can be reduced to infinitely positive.

In the proposed method for changing the ephemerides, a parameter is selected to change according to the range of changes of the variables. The variable that is changed in this method is displayed with *M0*. According to the Table 1, *M0* directly affects the mean anomaly \({M}_{k}\) and changes the states of the receiver, including the location and time. By plotting the values of *M0* for a number of received time samples in Fig. 1, we see that the variation range of the variable *M0* is in the range of [-3 1.5].

The ephemerides’ variations are bounded to 2% to change the receiver clock offset. Small changes in ephemeris values result in large changes in the receiver location. Therefore, constraints must be imposed to prevent the attack from being detected by receiver location changes. The ephemerides and position of the receiver are considered optimization variables. In the design, the maximum location changes of the receiver are limited to 10 meters in each dimension. MATLAB programming software on a corei7 computer is exploited to implement and view the results. Raw satellite data and information are extracted from [1].