Multi-Source Adversarial Attribution

by Nick Clark | Published April 25, 2026

The cognition patent specifies an attribution mechanism that distinguishes adversarial disruption from environmental disruption by weighing multi-modal evidence under a credentialed analysis function and emitting a confidence-bounded attribution observation. Single-sensor claims are treated as provisional inputs; only corroborated, credentialed aggregation produces attribution suitable for operational and legal response. The disclosed structure binds the attribution authority itself to credentials, so the question of who attributed becomes inspectable alongside the question of what was attributed.


Mechanism

The architecture treats a single-sensor disruption observation as a provisional input rather than as final attribution. An observation produced by one sensor — a GPS receiver detecting a position anomaly, a software-defined radio detecting band-edge interference, a power-line monitor detecting an unexplained transient — is admissible into the disruption-modeling pipeline but does not by itself constitute attributed cause. The pipeline keeps the provisional observation, its sensor identity, its calibration record, and its credential chain in the agent's lineage so that subsequent aggregation can audit each contributing input.

Attribution requires aggregation across multiple credentialed sensors with corroborating evidence drawn from different physical or logical modalities. The aggregator is itself a credentialed analysis function: it carries a signed policy reference defining which evidence types it accepts, what consistency tests it applies, what confidence bounds it may assert, and which authority it may invoke when it signs an attribution. The aggregator consumes the contributing observations, evaluates their cross-modal consistency against credentialed signature templates, computes a confidence interval, and produces a credentialed attribution observation. That observation references the contributing sensors, the supporting evidence vectors, the confidence bound, the signature template matched, and the credentialing authority that signs the attribution itself.

The mechanism explicitly distinguishes adversarial cause from environmental cause. An environmental disruption — solar weather, tropospheric ducting, multipath propagation, transformer aging — typically presents with cross-modal signatures consistent with a known natural source, with broad spatial extent, with monotone temporal envelopes, and without targeting structure. An adversarial disruption typically presents with narrowly directed energy, with timing correlated to the protected operation, with signature features inconsistent with cataloged environmental sources, and with persistence under counter-measures that should suppress an environmental cause. The aggregator weighs these competing hypotheses against each modality's evidence and emits the more strongly supported attribution, with the residual weight reported as the unattributed remainder.

Operating Parameters

Each attribution observation carries explicit confidence bounds. The credentialing policy defines minimum corroboration thresholds: the number of independent sensors required, the minimum modal diversity (for example, RF plus inertial plus optical), the maximum permissible inter-sensor disagreement, and the minimum confidence the aggregator must compute before signing as 'attributed' rather than as 'partial-attribution' or 'novel-disruption'. Thresholds are tunable per consequence class — counter-fire engagement requires stricter thresholds than spectrum-coordination notice — and the threshold profile in force is recorded with the attribution.

Sensor credentialing is itself parameterized. Each contributing sensor presents a credential chain that binds its identity, its calibration record, its firmware hash, and its operating envelope. The aggregator rejects observations whose sensor credentials are expired, whose calibration is stale, or whose operating envelope was exceeded at the moment of observation. The architecture also defines temporal windows: corroborating observations must fall within a credentialed coincidence window, and the window itself is parameterized by the suspected cause class so that slow-onset interference and instantaneous pulse events are evaluated under appropriate timing tolerances.

Attribution authority is parameterized rather than asserted. The policy reference enumerates which authorities may sign attributions of which cause classes — a defense authority may sign 'hostile-jamming' attributions; an FCC enforcement authority may sign 'unlicensed-emitter' attributions; a utility cyber authority may sign 'grid-intrusion' attributions. The aggregator selects the eligible authority by cause class and consequence scope, and the resulting attribution observation is admissible only within the scope its signing authority is credentialed to attest. Out-of-scope attributions are rejected at policy level rather than asserted and later contested.
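The admission, coincidence-window, corroboration and authority-scope checks described in this section, as an added Python example that is not taken from the patent. The policy keys, threshold values, sensor names, the median-centred window, the mean-score confidence and the mapping of failed checks to labels are assumptions; the signature-template match is supplied as an input.

```python
from collections import namedtuple
from statistics import mean, median

# One provisional observation. score: adversarial-evidence score in [0, 1];
# t, cred_expiry, cal_age_s in seconds; in_envelope: operating envelope respected.
Obs = namedtuple("Obs", "sensor modality t score cred_expiry cal_age_s in_envelope")

# Constructed threshold profile; every key and value here is hypothetical.
POLICY = {
    "profile": "spectrum-notice-v1", "min_sensors": 3, "min_modalities": 2,
    "max_disagreement": 0.25, "min_confidence": 0.8, "max_cal_age_s": 86400.0,
    "window_s": {"pulse": 0.5, "slow-onset": 300.0},
    "authorities": {"hostile-jamming": "defense", "unlicensed-emitter": "fcc"},
}

def admit(o, now, policy):  # credential checks run before any corroboration test
    if o.cred_expiry < now:
        return "credential-expired"
    if o.cal_age_s > policy["max_cal_age_s"]:
        return "calibration-stale"
    return None if o.in_envelope else "envelope-exceeded"

def attribute(obs, cause, onset, authority, template_ok, now, policy=POLICY):
    if policy["authorities"].get(cause) != authority:
        return {"label": "rejected-out-of-scope"}   # refused at policy level
    rejected = {o.sensor: r for o in obs if (r := admit(o, now, policy))}
    ok = [o for o in obs if o.sensor not in rejected]
    mid = median(o.t for o in ok) if ok else 0.0     # centre of coincidence window
    half = policy["window_s"][onset] / 2
    rejected.update({o.sensor: "outside-window" for o in ok if abs(o.t - mid) > half})
    ok = [o for o in ok if o.sensor not in rejected]
    scores = [o.score for o in ok]
    conf = round(mean(scores), 3) if scores else 0.0  # scalar-confidence embodiment
    corroborated = (len(ok) >= policy["min_sensors"]
                    and len({o.modality for o in ok}) >= policy["min_modalities"]
                    and max(scores) - min(scores) <= policy["max_disagreement"])
    label = ("novel-disruption" if not template_ok else
             "attributed" if corroborated and conf >= policy["min_confidence"]
             else "partial-attribution")
    return {"label": label, "confidence": conf, "profile": policy["profile"],
            "contributing": sorted(o.sensor for o in ok), "rejected": rejected}

# Constructed sample: three fresh sensors plus one whose credential has expired.
SAMPLE = [
    Obs("rf-1", "rf", 100.00, 0.90, 500.0, 3600.0, True),
    Obs("imu-1", "inertial", 100.10, 0.85, 500.0, 3600.0, True),
    Obs("cam-1", "optical", 100.15, 0.80, 500.0, 3600.0, True),
    Obs("rf-2", "rf", 100.05, 0.10, 50.0, 3600.0, True),
]
```

Calling `attribute(SAMPLE, "hostile-jamming", "pulse", "defense", True, now=200.0)` excludes `rf-2` before corroboration and records the reason in `rejected`, so the exclusion stays auditable alongside the result.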

Alternative Embodiments

The disclosed structure admits multiple aggregator embodiments. A centralized embodiment runs the credentialed aggregator at a regional fusion node that ingests sensor feeds from a fielded array; a distributed embodiment runs the aggregator as a quorum among credentialed peers, each holding a partial signing key and contributing to a threshold signature on the attribution observation; a hierarchical embodiment runs local aggregators that emit provisional attributions consumed by an upstream aggregator authorized to escalate provisional attributions to final attributions for higher-consequence response.

Evidence modalities are not limited to RF. Embodiments include kinetic and acoustic sensing for counter-UAS attribution, optical and infrared sensing for directed-energy attribution, network-flow telemetry for cyber-physical attribution, supply-chain provenance signals for tampered-component attribution, and human-in-the-loop credentialed observations from trained operators. The policy reference defines which modality combinations are admissible for which cause classes, and embodiments may add new modalities by extending the policy without altering the aggregator structure.

Confidence representations also vary by embodiment. A simple embodiment emits a scalar confidence bounded in the unit interval; a richer embodiment emits a posterior distribution over a discrete cause-class space; a forensic embodiment emits a Dempster-Shafer mass assignment over compound hypotheses suitable for downstream legal review. The architecture is indifferent to the representation provided the credentialed signing authority is bound to the representation it signed.
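One way the forensic embodiment's mass assignment could be produced, as an added Python example that is not taken from the patent: per-modality masses over adversarial, environmental and the compound "either" hypothesis are fused with Dempster's rule of combination, giving a belief/plausibility bound and an unattributed remainder. The choice of Dempster's rule, the two-hypothesis frame and the mass values are assumptions.

```python
from itertools import product

ADV, ENV = frozenset({"adversarial"}), frozenset({"environmental"})
THETA = ADV | ENV   # compound hypothesis; mass left here is unattributed

def combine(m1, m2):
    """Dempster's rule for two mass assignments; also returns the conflict K."""
    out, conflict = {}, 0.0
    for (x, p), (y, q) in product(m1.items(), m2.items()):
        z = x & y
        if z:
            out[z] = out.get(z, 0.0) + p * q
        else:
            conflict += p * q              # the two modalities contradict
    if conflict > 1.0 - 1e-12:
        raise ValueError("total conflict: evidence cannot be fused")
    return {z: v / (1.0 - conflict) for z, v in out.items()}, conflict

def fuse(masses):
    """Fold the rule over all modalities; track the worst pairwise conflict."""
    fused, worst = masses[0], 0.0
    for m in masses[1:]:
        fused, k = combine(fused, m)
        worst = max(worst, k)
    return fused, worst

def interval(fused, hyp):
    """[belief, plausibility] bound on a hypothesis."""
    bel = sum(v for s, v in fused.items() if s <= hyp)
    pl = sum(v for s, v in fused.items() if s & hyp)
    return bel, pl

def attribution(masses):
    fused, worst = fuse(masses)
    hyp = max((ADV, ENV), key=lambda h: interval(fused, h)[0])
    bel, pl = interval(fused, hyp)
    return {"cause": next(iter(hyp)), "belief": round(bel, 4),
            "plausibility": round(pl, 4),
            "remainder": round(fused.get(THETA, 0.0), 4),
            "max_conflict": round(worst, 4)}

# Constructed per-modality mass assignments (values are illustrative only).
SAMPLE = [
    {ADV: 0.6, ENV: 0.1, THETA: 0.3},   # RF
    {ADV: 0.5, ENV: 0.2, THETA: 0.3},   # inertial
    {ADV: 0.4, THETA: 0.6},             # optical
]
```

A high `max_conflict` means the modalities disagree, which is worth surfacing to a reviewer before normalization hides it in the fused masses.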

Composition With Composite Signatures and Downstream Response

Multi-source corroboration and composite-signature matching are complementary. Composite signatures specify the cross-medium pattern that characterizes a cause; multi-source corroboration specifies the cross-sensor consistency that supports the attribution. An operating attribution requires both criteria: the observed evidence matches a credentialed signature template, and the observations come from multiple credentialed sensors with consistent reporting under the credentialed coincidence window. When both criteria are met, the attribution observation is signed by the credentialed authority. When one criterion fails, the observation propagates as 'partial-attribution', 'novel-disruption', or 'environmental-candidate' rather than as confident adversarial attribution.

Downstream response actions consume the attribution observation through credentialed interfaces. Counter-measure engagement, spectrum reallocation, geographic exclusion, and law-enforcement notification each subscribe to attribution observations of specific cause classes and minimum confidence bounds, and each refuses to act on observations outside its subscription envelope. The composition makes the attribution result load-bearing for downstream automation while preserving a credentialed audit chain from raw sensor observation through aggregator signature to action authorization.

Prior-Art Distinction

Conventional disruption attribution in spectrum monitoring and cyber-physical defense relies either on single-sensor heuristics — 'this receiver lost lock, therefore jamming' — or on ad-hoc human aggregation in which an analyst assembles evidence from disparate consoles and renders a judgment that is recorded textually rather than structurally. Neither approach binds attribution to credentialed authority, neither emits a confidence-bounded observation a downstream system can consume programmatically, and neither distinguishes adversarial cause from environmental cause through a structured cross-modal test. The disclosed mechanism converts attribution from a human narrative artifact into a credentialed structural object.

Existing fusion architectures in defense and intelligence aggregate sensor data but typically do not separate the evidence-aggregation function from the authority-signing function; the system that fused the data is the system that pronounces the attribution, and the authority of that pronouncement is implicit in the deployment rather than explicit in a credential. The disclosed architecture separates these concerns, so the same evidence may be aggregated for situational awareness without invoking attribution authority, or aggregated and signed for legal-grade attribution when the cause class and consequence scope warrant.

Failure Modes and Their Structural Treatment

Several classes of failure are addressed structurally rather than left to operator discretion. Sensor compromise, in which an adversary gains influence over a contributing sensor and feeds plausible but fabricated observations, is mitigated by the credential chain: a compromised sensor whose attestation is detected as anomalous is excluded by the aggregator before the corroboration test is applied, and the exclusion is recorded as a contributing input to the eventual attribution decision. Coordinated multi-sensor compromise is mitigated by modal diversity: if the policy reference requires evidence from physically independent modalities (RF plus inertial plus optical), an adversary capable of compromising one modality remains structurally unable to fabricate cross-modal corroboration without simultaneous compromise of all required modalities under the credentialed coincidence window.

Confidence inflation, in which weak corroboration is reported with high confidence to drive aggressive response, is prevented by binding confidence to the structural evaluation rather than to operator narrative. The aggregator's signing authority is permitted to assert only the confidence its policy-defined evaluation produces; an authority that consistently signs at higher confidence than the underlying evaluation supports is identifiable through replay against the lineage, and its credential weight may be adjusted by a credentialing governance process. Replay attacks, in which an authentic past attribution is replayed as if current, are prevented by binding each attribution observation to a temporal credential — the coincidence window, the evaluation timestamp, and the credentialing authority's session credential — so that an attribution detached from its temporal binding fails verification.

Novelty cases, in which a real disruption matches no credentialed signature template, are explicitly first-class. The mechanism emits a 'novel-disruption' observation rather than forcing a fit to an existing template, and the novel observation propagates through downstream subscribers as an unattributed disruption requiring credentialed human review. The architecture thereby distinguishes 'we do not know what this is' from 'we attribute this to X with low confidence', a distinction that conventional single-authority attribution typically loses.

Disclosure Scope

The disclosure encompasses the credentialed multi-sensor aggregator, the cross-modal consistency evaluation, the confidence-bounded attribution observation, the credential-chained signing of attribution by an authority scoped to cause class and consequence, the policy-driven rejection of out-of-scope or undercorroborated attributions, and the composition of attribution with composite signatures and downstream credentialed response. Defense operations gain attribution that supports legal-grade response — counter-UAS engagement, counter-jamming actions, attribution-based restrictions — that survives legal review. Civilian critical-infrastructure attribution gains the same foundation: cyber-physical attack attribution, GPS spoofing attribution for liability allocation, RF interference attribution for spectrum-license enforcement. The patent positions the primitive at the structural layer that legally sound adversarial attribution requires across both defense and civilian use cases.

Equivalents within scope include any aggregator that consumes credentialed sensor observations from at least two independent modalities, evaluates cross-modal consistency under a credentialed policy, and emits a confidence-bounded attribution observation signed by an authority whose credential is itself bound to a defined cause-class and consequence scope. Embodiments that omit any of these structural elements — for example, asserting attribution without confidence bounds, or signing under an authority whose scope is not credentialed, or aggregating without modal independence — fall outside the disclosed mechanism. The structural commitment is the conjunction: credentialed inputs, credentialed evaluation, credentialed authority, confidence-bounded output, lineage-recorded composition.

Invented by Nick Clark. Founding Investors: Anonymous, Devin Wilkie