The following abbreviations are herewith defined, at least some of which are referred to within the following description of the present disclosure.    3GPP 3rd-Generation Partnership Project    AB Access Burst    AGCH Access Grant Channel    ASIC Application Specific Integrated Circuit    BSS Base Station Subsystem    BTS Base Transceiver Station    CN Core Network    CR Change Request    eNB Evolved Node B    EDGE Enhanced Data rates for GSM Evolution    EGPRS Enhanced General Packet Radio Service    eMTC Enhanced Machine Type Communications    E-SMLC Evolved-Serving Mobile Location Center    E-UTRAN Evolved Universal Terrestrial Radio Access Network    GSM Global System for Mobile Communications    GERAN GSM/EDGE Radio Access Network    GPRS General Packet Radio Service    ID Identifier    IoT Internet of Things    LMU Location Measurement Unit    LTE Long-Term Evolution    MME Mobility Management Entity    MS Mobile Station    MTA Multilateration Timing Advance    MTC Machine Type Communications    NB Node B    NB-IoT Narrow Band Internet of Things    PDN Packet Data Network    PLMN Public Land Mobile Network    RACH Random Access Channel    RAN Radio Access Network    RAT Radio Access Technology    RLC Radio Link Control    RRLP Radio Resource Location Services Protocol    SMLC Serving Mobile Location Center    SGSN Serving GPRS Support Node    TA Timing Advance    TBF Temporary Block Flow    TDMA Time Division Multiple Access    TLLI Temporary Logical Link Identifier    TS Technical Specification    TSC Training Sequence Code    TSG Technical Specification Group    UE User Equipment    UL Uplink    UTRAN Universal Terrestrial Radio Access Network    WCDMA Wideband Code Division Multiple Access    WiMAX Worldwide Interoperability for Microwave Access
The 3rd-Generation Partnership Project (3GPP) is completing work on the Release 14 “ePOS_GERAN” work item for positioning enhancements for the GSM/EDGE Radio Access Network (GERAN) which introduces enhanced methods for multilateration based position estimation of a mobile station (MS) that does not require any additional hardware (e.g., Location Measurement Units (LMUs) at the network side) for performing enhanced position estimation. The enhanced multilateration positioning methods and associated signaling procedures are described in a Change Request (CR) from Radio Access Network (RAN) Working Group 6 (WG6) Meeting #3 (see R6-170151; “CR 43.059 Introduction of Multilateration”; Source: Ericsson L M; Athens, Greece; 13-17 Feb. 2017 where the contents of which are hereby incorporated herein by reference for all purposes) and are included as part of the Rel-14 specifications. The enhanced MTA positioning methods include the Radio Link Control (RLC) data block method, the Access Burst method, and the Extended Access Burst method.
The RLC data block method, the Access Burst method, and the Extended Access Burst method all involve estimating the position of a mobile station (MS) based on timing advance values being estimated by the Base Station Subsystem (BSS)/Base Transceiver Station (BTS) for the MS while it is in the serving cell and in a subset of neighbor cells. To allow the BSS/BTS to estimate the timing advance value applicable to a given MS in a specific cell, the MS must perform the MTA procedure in the specific cell and provide some information (e.g., MS Sync Accuracy parameter, MS Transmission Offset parameter) to the BSS/BTS. The MS that has been commanded to perform the MTA procedure therefore performs an MTA access procedure in a subset of the neighbour cells (and optionally in the serving cell) and sends some information to the BSS/BTS thereby allowing the BSS/BTS to acquire corresponding timing advance information. This timing advance information is then forwarded by the BSS/BTS to the Serving Mobile Location Center (SMLC) which then processes it to estimate the position of the corresponding MS.
One drawback of the enhanced MTA procedure, when performed using the RLC Data Block method or the Extended Access Burst method, is that a bandit MS (e.g., invalid or unauthorized MS) can monitor MTA transmissions made by a valid MS in a given cell and duplicate them in a neighbour cell. The information provided by the bandit MS when sending MTA related transmissions in a neighbour cell can be selected with the purpose of misleading the BSS/BTS receiving those transmissions thereby causing the BSS/BTS to estimate a substantially inaccurate timing advance value for the valid MS. This then leads to the SMLC processing the full set of timing advance values including the misleading timing advance value it receives for the valid MS and estimating a corresponding position of the valid MS with degraded accuracy. A more detailed discussion is provided next to explain the problems associated with the RLC Data Block method and the Extended Access Burst Method.
Problems with RLC Data Block Method:
The SMLC triggers the MTA procedure for a valid MS by sending a Radio Resource Location services Protocol (RRLP) Multilateration Timing Advance Request message to the valid MS indicating that the RLC Data Block method is to be used. The valid MS upon receiving the RRLP Multilateration Timing Advance Request message proceeds to perform the MTA procedure using the RLC Data Block method as follows:                The valid MS sends a multilateration access request message on the random access channel (RACH) followed by an uplink Temporary Block Flow (TBF) establishment to enable the transfer of a single RLC data block. The RLC data block sent by the MS includes Temporary Logical Link Identifier (TLLI), MS Sync Accuracy and MS Transmission Offset parameters.        A bandit MS that detects the transmission of the multilateration access request message on the random access channel (RACH) also monitors the access grant channel (AGCH) to determine the packet resources that the BSS assigns the valid MS to be used for transmitting the RLC data block.        The bandit MS then monitors the RLC data block transmitted by the valid MS and thereby determines the TLLI, MS Sync Accuracy and MS Transmission offset parameters included therein.        The bandit MS can then re-select to one or more neighbour cells and send a multilateration access request message on the random access channel (RACH) followed by an uplink TBF establishment to enable the transfer of a single RLC data block.        The bandit MS includes the same TLLI used by the valid MS and a misleading MS Transmission Offset value in the single RLC data block it sends, thereby causing the serving BSS/BTS to estimate a substantially inaccurate timing advance value for the MS corresponding to the TLLI.        The BSS/BTS does not know it has estimated a timing advance value for a bandit MS and so it sends the SMLC a report containing what can include a substantially inaccurate timing advance value for the MS corresponding to the received TLLI.        The SMLC then uses this substantially inaccurate timing advance value when estimating the position of the corresponding valid MS thereby resulting in an estimated position that can have substantially degraded accuracy.Problems with Extended Access Burst Method:        
The SMLC triggers the MTA procedure for a valid MS by sending a RRLP Multilateration Timing Advance Request message to the valid MS indicating that the Extended Access Burst method is to be used. The valid MS upon receiving the RRLP Multilateration Timing Advance Request message proceeds to perform the MTA procedure using the Extended Access Burst method as follows:                The valid MS sends a first multilateration access request message on the random access channel (RACH) using an Access Burst followed by sending a second multilateration access request message on the random access channel (RACH) using a Normal Burst. The payload within the first and second multilateration access request messages include MTA Reference ID Low, MTA Reference ID High, MS Sync Accuracy and MS Transmission Offset parameters.        A bandit MS that detects the transmission of the first multilateration access request message on the random access channel (RACH) will be able to determine the MTA Reference ID Low (4 least significant bits of the 16 bit MTA Reference ID) and the MS Transmission Offset of the valid MS.        The bandit MS that detects the transmission of the second multilateration access request message on the random access channel (RACH) will be able to determine the MTA Reference ID Low (4 least significant bits of the 16 bit MTA Reference ID), the MTA Reference ID High (12 most significant bits of the 16 bit MTA Reference ID), and the MS Sync Accuracy of the valid MS.        The bandit MS can assume it has detected a matching pair of first and second multilateration access request messages on the random access channel (RACH) if both the first and second multilateration access messages have the same value for the MTA Reference ID Low parameter (4 least significant bits of the 16 bit MTA Reference ID).        The bandit MS can then re-select to one or more neighbour cells and send a first and a second multilateration access request message on the random access channel (RACH) and include the same MTA Reference ID Low and MTA Reference ID High parameters as sent by the valid MS but will include a misleading MS Transmission Offset value, thereby causing the serving BSS/BTS to estimate a substantially inaccurate timing advance value for the MS corresponding to the MTA Reference ID.        The BSS/BTS does not know it has estimated a timing advance value for a bandit MS and so it sends the SMLC a report containing what can be a substantially inaccurate timing advance value for the MS corresponding to the received MTA Reference ID.        The SMLC then uses this substantially inaccurate timing advance value when estimating the position of the corresponding MS thereby resulting in an estimated position that can have substantially degraded accuracy.        
In view of the foregoing, it can be seen there is a need to address the aforementioned problems in the state-of-the art associated with the MTA procedure. The present disclosure addresses at least these problems.