Adversarial Marker Rejection
by Nick Clark | Published April 25, 2026
Adversarial marker rejection is a structural primitive of the marker-track architecture in which markers detected during route traversal are admitted to a vehicle's solution set only when their evidence is consistent with the credentialed lineage of the segment they claim to occupy. Markers whose credentials fail verification, whose payload contradicts the segment's credentialed sequence, or whose position is inconsistent with the vehicle's confidence-bounded estimate are rejected from solutions; the rejection itself is recorded as a lineage event, anchored against the credentialing authority, so that subsequent navigation, audit, and inter-vehicle coordination read the rejection as a primary structural artifact rather than an internal sensor-stack heuristic.
Mechanism
Markers are physical or virtual objects placed in the navigable environment whose payload, in the credentialed regime, ties them to a specific segment of a credentialed route. Each legitimate marker carries a credential issued by an authority whose chain anchors to the route operator and ultimately to the operator's regulatory or commercial root. A vehicle traversing the route reads markers through whatever sensing modality the marker class supports — optical fiducial, radio identifier, visual landmark, infrastructure-published beacon — and constructs a candidate marker observation that includes the credential, the asserted segment, and the vehicle's estimated position at observation time.
Adversarial rejection operates by composing three independent consistency checks against the candidate observation. The credential check verifies the credential against the authority chain; failure here indicates a forged or revoked credential. The lineage check compares the marker's asserted segment and sequence position against the credentialed sequence published by the route authority; failure here indicates a marker whose credential is valid in form but whose claim is inconsistent with the segment's structural identity — a marker placed out of order, replayed from another segment, or planted at a location the credential does not cover. The spatial-temporal check compares the marker's claimed position against the vehicle's confidence-bounded position estimate derived from independent sensing; failure here indicates a marker whose position assertion is inconsistent with the vehicle's own dead-reckoned trajectory under its declared error model.
A marker that fails any of the three checks is excluded from the vehicle's solution set for the segment in question. Exclusion is not silent: the rejection is constructed as a credentialed lineage event that names the marker, the failed check, the credential chain at the time of failure, and the vehicle's position estimate at observation. The event is anchored against the same credential authority that would have admitted the marker had it passed, so that the rejection lineage is itself auditable. Downstream consumers — the vehicle's planner, peer vehicles operating under cross-recognition, the route operator's monitoring infrastructure, and any regulator with credentialed read-access — consume the rejection event as evidence of adversarial activity at the named segment.
Operating Parameters
The primitive exposes a parameter surface declared in route policy. The credential-chain depth specifies how far up the issuing authority chain verification traverses; deeper traversal increases robustness against compromised intermediate authorities at the cost of verification latency. Revocation freshness specifies the maximum permissible age of the revocation list consulted at verification time, bounding the window in which a revoked credential might be admitted. The lineage tolerance parameter declares the permissible deviation between asserted and expected sequence position — typically zero for high-assurance segments, larger for segments where legitimate construction or maintenance produces transient sequence reordering.
The spatial-temporal envelope is the parameter most exposed to operating conditions. It is declared as a function of the vehicle's position-estimate error model and the credentialed segment geometry: a marker observed at a position outside the envelope around its asserted location fails the spatial-temporal check. Operators tune the envelope per segment class; tightly-instrumented urban segments admit narrow envelopes, lightly-instrumented rural segments admit broader envelopes. The envelope is declared in policy and recorded in each rejection event so that downstream consumers can evaluate whether a rejection reflects genuine adversarial activity or routine envelope tuning.
Quorum parameters govern the rejection of a marker class rather than a single marker. When the rejection rate within a segment exceeds a configured threshold, the segment is escalated: subsequent markers are admitted only under tightened policy, and a structural alert is raised to the route operator. The escalation is itself anchored, so that an operator reviewing the segment's history can reconstruct the moment of escalation and the evidence that triggered it.
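The three checks from the Mechanism section, driven by the lineage-tolerance, revocation, and envelope parameters described above, can be sketched as follows. This is an added example, not code from the disclosure: the HMAC key standing in for the authority chain, the `Policy` fields, the envelope computed as a multiple of the position sigma, and all marker and segment names are assumptions constructed for illustration.

```python
import hashlib, hmac, json, math
from dataclasses import dataclass

# Assumption: one HMAC key stands in for the authority chain; a real deployment
# would verify signatures up the chain and the vehicle would hold no signing key.
AUTHORITY_KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class Policy:                         # hypothetical parameter surface from route policy
    lineage_tolerance: int            # permitted |asserted - expected| sequence deviation
    envelope_sigmas: float            # envelope radius as a multiple of position sigma
    revoked: frozenset = frozenset()  # revoked credentials, keyed by marker id here

def sign(*fields):
    return hmac.new(AUTHORITY_KEY, "|".join(map(str, fields)).encode(), hashlib.sha256).hexdigest()

def evaluate(obs, segment, expected_seq, policy):
    """Run the three checks; return (admitted, rejection_event_or_None)."""
    envelope_m = policy.envelope_sigmas * obs["sigma_m"]
    valid = hmac.compare_digest(obs["credential"], sign(obs["marker_id"], obs["segment"], obs["seq"]))
    if not valid or obs["marker_id"] in policy.revoked:
        failed = "credential"
    elif obs["segment"] != segment or abs(obs["seq"] - expected_seq) > policy.lineage_tolerance:
        failed = "lineage"
    elif math.dist(obs["marker_pos"], obs["vehicle_pos"]) > envelope_m:
        failed = "spatial-temporal"
    else:
        return True, None
    ref = hashlib.sha256(json.dumps(obs, sort_keys=True).encode()).hexdigest()
    event = {"marker_id": obs["marker_id"], "segment": segment, "failed_check": failed,
             "envelope_m": envelope_m, "vehicle_pos": obs["vehicle_pos"],
             "sigma_m": obs["sigma_m"], "observation_ref": ref}
    event["anchor"] = sign(json.dumps(event, sort_keys=True))  # stand-in for authority anchoring
    return False, event

def make_obs(marker_id, segment, seq, marker_pos, vehicle_pos=(100.0, 0.0), sigma_m=1.5, forged=False):
    cred = "0" * 64 if forged else sign(marker_id, segment, seq)
    return {"marker_id": marker_id, "segment": segment, "seq": seq, "credential": cred,
            "marker_pos": marker_pos, "vehicle_pos": vehicle_pos, "sigma_m": sigma_m}

def demo():
    """Constructed observations on segment seg-12, next expected sequence position 4."""
    policy = Policy(lineage_tolerance=0, envelope_sigmas=3.0, revoked=frozenset({"m-9"}))
    cases = [make_obs("m-4", "seg-12", 4, (102.0, 1.0)),               # legitimate
             make_obs("m-4", "seg-12", 4, (102.0, 1.0), forged=True),  # forged credential
             make_obs("m-7", "seg-31", 4, (102.0, 1.0)),               # replayed from another segment
             make_obs("m-4", "seg-12", 4, (140.0, 0.0))]               # outside the envelope
    return [evaluate(o, "seg-12", 4, policy) for o in cases]
```

Each rejection event records the envelope in force, so a reader can tell a 40 m discrepancy from one that only just exceeded a narrow envelope.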
Alternative Embodiments
The primitive admits embodiments across marker modality, verification topology, and rejection-anchor placement. Optical fiducial embodiments use camera-based reading with cryptographic payload verification; radio-identifier embodiments use short-range radio tags with the credential carried in the broadcast; visual-landmark embodiments use perceptual features whose credential is published by infrastructure rather than carried by the marker itself; beacon embodiments use infrastructure-published markers whose physical existence and credential are decoupled from any roadside object. The structural mechanism — credential, lineage, spatial-temporal check, anchored rejection — is identical across modalities; only the means of reading the marker and verifying its credential vary.
Verification may be local, distributed, or hybrid. In a local embodiment the vehicle performs all three checks on-board and emits the rejection event to the lineage substrate. In a distributed embodiment a credentialed verification authority external to the vehicle receives the candidate observation, performs the checks, and returns an admission or rejection as a credentialed observation; the vehicle anchors the response in its own lineage. Hybrid embodiments perform the credential check locally and defer the lineage and spatial-temporal checks to the authority, or vice versa, under policy that records the split.
Rejection-anchor placement may be vehicle-local, segment-shared, or operator-global. A vehicle-local anchor produces a rejection lineage that is auditable through the vehicle's own credential chain. A segment-shared anchor publishes the rejection to a credentialed substrate readable by all vehicles operating on the segment, producing a fleet-visible adversarial signal. An operator-global anchor publishes to the operator's primary lineage substrate, producing an enterprise-visible adversarial record. Embodiments may compose anchors — a vehicle-local rejection that is also published to the segment-shared anchor under credentialed cross-publication — under policy that records each anchor's credential.
Composition with Adjacent Primitives
Adversarial marker rejection composes with the marker-track architecture's other primitives. Route construction reads admitted markers and excludes rejected markers from the segment's solution set; the rejection lineage informs the route's confidence record. Cross-vehicle coordination reads segment-shared rejection events as credentialed observations of adversarial activity, allowing peer vehicles to elevate their own envelope parameters as they enter the affected segment. Forecasting reads rejection-rate trajectories as evidence of adversarial pressure and informs route-selection policy at the planning layer.
Validation, in the broader cognition pipeline that the marker-track architecture inherits or interfaces with, treats admitted markers as credentialed observations subject to the same admissibility checks applied to other credentialed evidence. A marker that passes adversarial rejection is not unconditionally trusted; it is admitted to validation, where it may still be rejected on grounds independent of the adversarial-rejection primitive — for example, on freshness grounds, or on conflict with an authoritative segment update. The primitive is a necessary, not sufficient, gate.
Audit composes naturally. A regulator with credentialed read-access reconstructs the segment's marker history by traversing admitted-marker and rejected-marker events anchored against the segment's credential authority. The reconstruction yields a complete account of which markers were trusted, which were rejected, on what grounds, and by which vehicles — without any of the actors having to reveal sensor internals or proprietary heuristics.
Prior-Art Distinction
Conventional adversarial-marker handling falls into two families. The first uses per-vehicle perception heuristics: a sensor stack attempts to classify markers as legitimate or adversarial through visual or radio signal characteristics. Such heuristics are brittle against well-prepared adversaries, produce no structural artifact when they reject a marker, and offer no cross-vehicle or cross-fleet visibility into adversarial activity. The second uses centralized infrastructure verification — a route operator publishes an authoritative marker list and vehicles consult it — but lacks per-vehicle spatial-temporal cross-checks, lacks credentialed rejection lineage, and concentrates trust in a single oracle whose compromise defeats the system.
The novelty is the composition of credential, lineage, and spatial-temporal checks into a single rejection primitive whose result is itself anchored as a credentialed lineage event. No prior art treats adversarial-marker rejection as a structural event of the architecture rather than a perception heuristic; no prior art produces a per-rejection lineage record anchored against the credentialing authority and consumable by peer vehicles, operators, and regulators as primary evidence; and no prior art binds the rejection to the per-segment credentialed sequence in a manner that forces an adversary to compromise multiple independent structural elements rather than the perception layer alone.
Rejection-Lineage Anchoring
The rejection lineage is the persistent structural artifact of the primitive, and it is the principal output by which downstream consumers reason about adversarial activity on the route over time rather than only at the moment of observation. Every rejected marker produces a lineage event that names the marker identifier, the failed check, the credential chain consulted at the moment of failure, the spatial-temporal envelope active at the segment, the vehicle's confidence-bounded position estimate, and a content-addressed reference to the candidate observation. The event is anchored against the segment's credentialing authority, producing a record whose integrity does not depend on the vehicle that produced it: the authority's anchor permits any credentialed reader to verify the event's existence and contents without trusting the vehicle's local store.
Anchoring against the credentialing authority — rather than against an arbitrary timestamp service or the vehicle's own root — is structural. It binds the rejection to the same trust domain that issued the credentials in the first place, so that an adversary capable of forging a marker credential is the same adversary that would be required to forge the rejection of that credential. The trust model collapses into a single domain, which makes the security argument tractable and the audit chain coherent.
Rejection-lineage replay follows the same pattern as admission-lineage replay: a credentialed reader reconstructs the segment's marker history, verifies each rejection against the credentialing authority's anchor, and confirms that the policy parameters in force at each rejection were consistent with the operator's declared policy version. Where a rejection-rate trend indicates persistent adversarial pressure on a segment, operators escalate policy parameters, and the escalation is itself a credentialed lineage event that future rejections reference. The composite trail — admission, rejection, escalation, re-admission — is the segment's complete adversarial-event record.
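The replay a credentialed reader performs can be sketched as below. This is an added example, not code from the disclosure: the HMAC key standing in for the authority's anchor, the event field names, the policy versions `v1` and `v2`, and the sample trail are all assumptions constructed for illustration.

```python
import hashlib, hmac, json

AUTHORITY_KEY = b"constructed-demo-key"   # assumption: HMAC stands in for the authority's anchor
DECLARED_POLICY = {"v1": {"envelope_m": 4.5, "lineage_tolerance": 0},   # constructed policy versions
                   "v2": {"envelope_m": 3.0, "lineage_tolerance": 0}}

def anchor(body):
    canon = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AUTHORITY_KEY, canon, hashlib.sha256).hexdigest()

def anchored(**body):
    return {**body, "anchor": anchor(body)}

def replay(trail):
    """Walk a segment's trail in order; return a list of (index, finding) discrepancies."""
    findings, active = [], "v1"
    for i, ev in enumerate(trail):
        body = {k: v for k, v in ev.items() if k != "anchor"}
        if not hmac.compare_digest(ev.get("anchor", ""), anchor(body)):
            findings.append((i, "anchor mismatch"))
            continue                              # unverified events never change replay state
        if ev["type"] == "escalation":
            active = ev["policy_version"]         # later rejections must reference this version
        elif ev["type"] == "rejection":
            if ev["policy_version"] != active:
                findings.append((i, "stale policy version"))
            elif ev["envelope_m"] != DECLARED_POLICY[active]["envelope_m"]:
                findings.append((i, "envelope differs from declared policy"))
    return findings

def sample_trail():
    """Constructed trail: two rejections, an escalation to v2, then three more rejections."""
    t = [anchored(type="rejection", marker_id="m-4", failed_check="credential", policy_version="v1", envelope_m=4.5),
         anchored(type="rejection", marker_id="m-5", failed_check="lineage", policy_version="v1", envelope_m=4.5),
         anchored(type="escalation", policy_version="v2"),
         anchored(type="rejection", marker_id="m-6", failed_check="spatial-temporal", policy_version="v2", envelope_m=3.0),
         anchored(type="rejection", marker_id="m-7", failed_check="spatial-temporal", policy_version="v1", envelope_m=4.5),
         anchored(type="rejection", marker_id="m-8", failed_check="lineage", policy_version="v2", envelope_m=3.0)]
    t[5]["failed_check"] = "credential"           # edited after anchoring, as a tampered local store would be
    return t
```

On the sample trail the replay flags event 4 for citing the pre-escalation policy version and event 5 for failing anchor verification.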
Disclosure Scope
The disclosure covers the structural rejection of markers inconsistent with credentialed lineage, the three-fold composition of credential, lineage, and spatial-temporal checks, the anchored rejection-lineage event with its named credential authority, the policy-declared parameter surface governing each check, the segment-level escalation behavior under quorum-bounded rejection rates, and the composition of the primitive with route construction, cross-vehicle coordination, forecasting, validation, and audit. The scope spans optical, radio, visual-landmark, and beacon marker modalities; local, distributed, and hybrid verification topologies; and vehicle-local, segment-shared, and operator-global anchor placements. The scope does not depend on a particular marker modality, a particular cryptographic suite, or a particular sensor stack; it depends on the structural treatment of marker admission as a credentialed event and rejection as an anchored lineage artifact.