Baseline Departure Detection

Mechanism

The baseline is structured as a multi-modal envelope of expected observations indexed by deployment region, time-of-day phase, operational tempo, and seasonal context. For each modality - radio-frequency spectral occupancy, optical intensity and chromaticity, acoustic spectrum and statistics, chemical species concentration, vibrational and seismic signature, magnetic and electromagnetic field structure - the envelope records central tendency, dispersion, characteristic temporal autocorrelation, and the cross-modality covariance that links one channel to another. Each component of the envelope is a credentialed declaration: the contributor identity, the observation window, the instrument calibration record, and the governance authority that admitted the contribution are bound into a signed lineage object retained for audit.

Detection proceeds by computing departure statistics per modality and per cross-modality joint distribution. A departure event carries departure-magnitude (signed deviation expressed in standardized units against the dispersion model), departure-direction (which modality, which spectral band, which spatial cell), departure-duration (instantaneous spike, sustained shift, oscillatory excursion), and departure-corroboration (the count and credentialed identity of independent sensors registering coherent departures). Single-sensor departures are admitted as candidate events; multi-sensor coherent departures cross the threshold to confirmed events that propagate into governance. The architecture explicitly distinguishes magnitude from confidence: a small but tightly corroborated cross-modality shift can outrank a large single-sensor spike when adversarial-resistance is the operative concern.

Confirmed departures gate two architectural responses. First, governed active probing: the mesh dispatches credentialed probe operations - directional RF interrogation, optical illumination sweeps, acoustic pings, chemical sampler activation - whose results enter lineage as response observations. Second, composite admissibility decline: any composite query whose evidentiary set draws from the disrupted region is either rejected outright, returned with a credentialed degradation marker, or held pending baseline reconciliation. Both responses are governance-scoped, meaning the authority to probe and the authority to decline are themselves credentialed primitives subject to audit.

The departure-event object itself is structured to carry sufficient lineage to support downstream verification without requiring the verifier to re-execute the detection pipeline. Each event includes the contributing-sensor identifier set, the time window over which the departure was observed, the per-sensor signed observation summaries that participated in the corroboration calculation, the baseline envelope segment against which the departure was evaluated (referenced by content-addressed identifier rather than embedded in full), the threshold parameter values in force at the time of evaluation, and the cryptographic signature of the detection authority. A downstream consumer that wishes to verify the event walks the lineage references, retrieves the baseline segment and the contributing observations, and re-applies the deterministic departure statistic. Disagreement between the consumer's recomputation and the published event is itself a flag that propagates back through governance for review.

Operating Parameters

The departure threshold is an engineering parameter set per deployment context and per modality. A low-traffic logistics depot tolerates tighter thresholds because its baseline RF and acoustic envelope is narrow; a contested electromagnetic environment requires wider thresholds calibrated against adversarial probing rates. Thresholds are declared, signed, and revisable only through the governance procedure that originally admitted them. Threshold drift over operational time is itself recorded as a meta-observation, so that an attacker cannot quietly relax thresholds without leaving lineage.

Baseline updates are credentialed contributions. A contributor proposes an updated envelope segment - say, the new acoustic profile produced by an authorized HVAC retrofit, or the seasonal optical baseline shift produced by foliage growth - and the governance layer evaluates the proposal against existing lineage, attestation requirements, and corroboration policy. Accepted updates supersede prior envelope segments with a versioned, signed transition. Rejected proposals remain in the audit record. Baseline poisoning therefore requires compromising the governance layer, not merely flooding the sensor field with crafted observations.

Departure-evaluation latency is bounded by the modality and the corroboration policy. Single-sensor electromagnetic departures evaluate within milliseconds; multi-sensor cross-modality corroboration may admit latency on the order of seconds to permit additional witnesses to register. The architecture exposes these latency budgets as declared parameters so that downstream consumers - active-probing schedulers, composite-admissibility evaluators - can reason about freshness deterministically.

Corroboration policy is itself a parameter set declared per modality and per deployment. The policy specifies the minimum number of independently credentialed sensors that must register coherent departures within a configured time window, the maximum spatial diameter within which the contributing sensors must lie to count as observing the same physical event, and the cross-modality weighting matrix that translates per-modality departures into a unified corroboration score. Stricter policies reduce false-positive rates at the cost of detection latency; looser policies catch transient or narrowly localized events at the cost of admitting noise. As with thresholds, the policy is signed and revisable only through governance.

Calibration metadata is bound to every observation that contributes to baseline construction or to departure evaluation. Each instrument carries a credentialed calibration record - the date of last calibration, the calibration standard against which it was performed, the responsible authority, and the validity interval. Observations made outside the calibration validity interval are admitted as candidate inputs but are weighted at a discounted level and flagged in lineage. Departures evaluated entirely against discounted observations are themselves marked as low-confidence and propagate downstream with the corresponding marker. This calibration-aware admission ensures that baseline integrity does not silently degrade under fleet-wide calibration drift.

Alternative Embodiments

One embodiment fixes the baseline at deployment and updates only through manual governance ceremonies; this is appropriate for hardened defense installations where any baseline drift is itself suspect. A second embodiment admits continuous online baseline adaptation gated by majority-corroborated contributions, suitable for civilian critical-infrastructure deployments where seasonal and operational drift is expected. A third embodiment partitions the baseline by operational phase, swapping envelope segments as the deployment transitions between declared phases (pre-mission, transit, on-station, withdrawal); each phase carries its own departure thresholds and probing entitlements.

Sensor heterogeneity is accommodated by per-modality detection pipelines feeding a unified departure-event schema. Optical baseline detection may rely on radiometric difference imaging; acoustic on spectral envelope tracking; chemical on parts-per-billion species concentration timeseries. The architecture is agnostic to the per-modality mathematics so long as the output conforms to the credentialed departure-event format.

Adversarial-resistance variants further harden the baseline against coordinated injection. In one variant, baseline contributions require minimum geographic and temporal diversity before acceptance, foreclosing attacks that flood a single locale. In another, baseline-corroboration is asymmetric: contributions from instruments under independent custody chains receive higher weight than contributions from co-located instruments, even if both are credentialed.

A federated embodiment partitions the mesh into administrative domains, each maintaining its own baseline envelope under its own governance authority, with cross-domain departures requiring corroboration across domains before being admitted as confirmed events. This is appropriate for coalition operations or for civilian deployments where multiple jurisdictions share monitoring responsibility. A privacy-preserving embodiment performs detection over homomorphically aggregated observation summaries rather than over raw observations, exposing departure events without exposing the underlying observation streams. A retrospective embodiment retains the raw observation buffer over a configured window and re-evaluates historical observations against revised baselines or revised thresholds when governance authorizes a backfill, producing departure events whose timestamps precede the time of detection but whose lineage records the retrospective re-evaluation explicitly.

Composition

Baseline departure detection composes upward into the governance and admissibility primitives of Provisional 64/049,409. Confirmed departures populate lineage-evidence objects consumed by composite-query admissibility evaluators; the detection primitive thus participates directly in whether a composite answer is admissible at all. Departures also compose with the multi-source corroboration primitive, providing the seed events around which corroboration windows are opened. When the architecture's adversarial-action differentiation primitive is active, departure events carry a candidate-cause field populated by the differentiation logic - distinguishing equipment fault, environmental drift, civilian interference, and adversarial action through the structure of the departure rather than its raw magnitude.

Downward, baseline departure detection composes with the active-probing primitive, providing the credentialed trigger that authorizes a probe to be dispatched at all. Probes outside a departure context require independently credentialed authority; probes inside a departure context inherit the departure's credentialed scope. This composition pattern - a credentialed event authorizing a credentialed response - is the architectural core that distinguishes governance-grounded sensing from ad-hoc telemetry.

Lateral composition admits departure events as inputs to peer primitives that operate at the same architectural layer. The forecasting primitive consumes departures as evidence shifts that may invalidate prior projections and trigger forecast revision. The trust-evolution primitive consumes departures associated with a contributing sensor's lineage as inputs to that sensor's trust trajectory; a sensor whose contributions are repeatedly contradicted by independently credentialed witnesses experiences a degraded trust slope. The empathy and coherence primitives consume departures as context that may modulate downstream behavior, for example by shortening the forecasting horizon under sustained environmental disruption. Each lateral composition operates through the same departure-event schema and requires no bridging adapter: the schema is the contract, and any primitive that can consume the schema can consume any departure, regardless of its modality of origin.

Prior-Art Distinction

Statistical anomaly detection in environmental sensing is mature: spectrum surveillance, intrusion detection, and structural-health monitoring all rely on baseline-relative statistics. The distinction here is not the detection mathematics but the credentialing of the baseline itself, the binding of departures into composite-admissibility decisions, and the governance-scoped authorization of active responses. Conventional anomaly systems publish events to operators; this architecture admits departures as first-class objects in a credentialed lineage graph, where downstream queries verify the departure was produced under proper authority before allowing it to gate admissibility.

The adversarial-resistance posture - resistance via baseline-corroboration rather than via signature-matching - also distinguishes the primitive from traditional intrusion-detection systems. Signature-based detectors fail open against novel adversarial modalities; the baseline-corroboration approach fails closed, because an unrecognized but coherent departure still registers as a departure even when no signature library knows what to call it.

Disclosure Scope

The disclosure encompasses the baseline declaration format, the credentialed contribution and update procedures, the departure-event schema, the per-modality and cross-modality detection pipelines reduced to a uniform output schema, the threshold-engineering procedure scoped per deployment, the governance-scoped active-probing authorization, the composite-admissibility decline pathway, and the alternative embodiments described above. The disclosure further encompasses the use of baseline departure detection as an architectural input to lineage-evidence admissibility, multi-source corroboration, and adversarial-action differentiation, whether deployed in defense environmental-monitoring operations, civilian critical-infrastructure monitoring, contested-spectrum operations, or commercial structural-health regimes.

Implementation choices left explicitly open include the per-modality statistical machinery, the corroboration weighting function, the latency-versus-confidence trade-off curve, and the granularity of phase partitioning. The architecture's contribution is the credentialed structure within which any of these choices may be made; the choices themselves remain engineering decisions exercised by the implementing party under the governance procedures the architecture specifies.

Deployment contexts contemplated include but are not limited to forward-deployed defense environmental-monitoring perimeters, fixed and mobile critical-infrastructure protection regimes covering electrical substations and water-treatment facilities, contested-electromagnetic-spectrum operations where the baseline itself is dynamic and adversarially probed, port and harbor operations where chemical and acoustic baselines are tightly correlated with shipping traffic, and commercial structural-health monitoring of high-value structures where vibrational and acoustic baselines must be distinguished from environmental and operational sources. In each context, the architecture's contribution is to make the baseline, the departure, and the response into credentialed objects whose authority can be audited rather than into ad-hoc operator decisions whose authority cannot.

The architecture additionally contemplates baseline-portability: a baseline envelope generated under one deployment may be migrated, with appropriate governance, to a comparable deployment in a different geography, with the migration recorded as a credentialed event and the receiving deployment retaining the option to refine, replace, or audit the imported baseline against locally collected observations. Baseline-portability admits efficient cold-start of new deployments while preserving the credentialed lineage required by downstream admissibility decisions.