Anti-Spoofed Observation Rejection
by Nick Clark | Published April 25, 2026
Anti-spoofed observation rejection, as disclosed in Provisional Application 64/049,409 governing the mesh-coordinates subsystem, treats spoofing not as a signal-processing nuisance to be filtered after the fact but as a structural admissibility failure to be detected at the boundary of the position solver. A spoofed positioning observation is one whose declared content is internally plausible but whose corroboration profile across independent sources collapses below an admissibility threshold. The architecture rejects such observations by withholding them from the solver and by downgrading any derived position estimate to a lower confidence class, with the rejection itself entering signed lineage so that downstream auditors can reconstruct what was excluded, by which evaluator, and on what evidentiary basis. The technique substitutes structural cross-source corroboration for single-modality signal-quality heuristics that historically dominate civilian and even military spoofing defense.
Mechanism
The admissibility evaluator sits between the inbound observation queue and the position solver. Each observation entering the queue carries a structured envelope: the contributing-unit identifier, a cryptographic signature over the observation payload, a declared timestamp expressed in mesh time, a declared modality identifier (radio time-of-flight, acoustic ranging, inertial dead-reckoning increment, optical bearing, barometric altitude differential, and so forth), the modality-native measurement, and a self-declared uncertainty. The evaluator does not trust any of these fields in isolation; rather, it executes a sequence of admissibility predicates whose conjunction must hold before the observation is released to the solver.
The first predicate is credential validity. The contributing-unit signature is verified against published keying material associated with the unit's governance enrollment. An observation whose signature does not verify, or whose signing key has been revoked or has not yet been published as of the declared timestamp, fails the credential predicate. This step prevents trivial injection of forged observations by adversaries lacking access to enrolled signing material.
The second predicate is timing consistency. The declared timestamp must fall within an acceptance window relative to the receiver's local mesh-time estimate, accounting for expected propagation delay and clock-skew tolerance. Replays, time-shifted records, and observations whose timestamps drift outside the window are rejected. Importantly, the timing predicate also tests for monotonicity violations within a contributing unit's observation stream, since spoofers commonly fail to preserve fine-grained timing structure across replayed sequences.
The third predicate is modality plausibility. Each modality has declared physical bounds: a maximum observable range, a maximum slew rate, a noise floor, and a measurement-domain envelope. Observations falling outside these bounds, or whose internal structure is inconsistent with the declared modality (for example, a radio time-of-flight measurement whose claimed precision exceeds the modality's information-theoretic limit at the declared signal-to-noise ratio), fail the plausibility predicate.
The fourth and most architecturally significant predicate is cross-source corroboration. The evaluator assembles, for each candidate observation, the set of contemporaneous observations from independent contributing units and independent modalities bearing on overlapping spatial regions. The candidate is projected into a comparison space shared with the corroborating set, and the residual disagreement is computed. When the residual exceeds a corroboration threshold parameterized by the declared uncertainties, the candidate is treated as failing cross-source corroboration. Disagreement among independent sources is the structural signature of spoofing: a spoofer can fabricate a single coherent stream, but fabricating coherent streams across independently keyed and physically distinct modalities at the receiver's location is an exponentially harder adversarial problem.
Observations failing any predicate are not silently discarded. Each rejection produces a signed rejection record naming the failed predicate, the residual statistic that triggered the failure, the corroborating set against which the candidate was compared, and the evaluator's identity. Rejection records flow into the same lineage substrate as accepted observations and contribute, in aggregate, to longitudinal monitoring of spoofing pressure on the deployment.
Operating Parameters
The corroboration threshold is the principal tunable parameter and is expressed as a multiplier on the combined declared uncertainty of the candidate and the corroborating set. Threshold multipliers in the range of two to four standard deviations are typical; tighter thresholds increase spoofing sensitivity at the cost of higher false-rejection rates against benign multipath and clock noise, while looser thresholds preserve admissibility under benign degradation at the cost of admitting more sophisticated spoofing patterns. The threshold is policy-declared per deployment profile and is itself a credentialed governance object, so that adjustments are auditable.
The acceptance window for timing consistency is parameterized by expected propagation delay, clock-skew tolerance, and a deployment-specific replay-resistance margin. Maritime deployments operating over wide-area mesh links typically tolerate windows on the order of tens of milliseconds; close-formation tactical deployments tighten the window to single-digit milliseconds to defeat short-haul replay attacks.
The minimum corroborating cardinality declares how many independent sources must be available before a candidate observation is even eligible for cross-source evaluation. Below the cardinality floor, the evaluator does not reject the candidate but instead admits it into the solver under a degraded admissibility class, signaling to downstream consumers that the observation has not been corroborated and that derived positions inherit a reduced confidence label. This preserves operability under partial-mesh conditions while preventing silent acceptance of uncorroborated input.
Confidence-class downgrade rules govern how rejected or partially corroborated observations propagate into the solution. A position estimate derived from a fully corroborated observation set carries the highest admissibility class. An estimate derived under degraded cardinality, or in the presence of nearby rejections clustered in time or space, is published with an explicit downgrade flag. Consumers of the position stream can condition their behavior on the published class.
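A sketch of the four admissibility predicates from the Mechanism section together with the threshold multiplier, acceptance window, and cardinality floor described above. This is an added example, not code from the disclosure. It assumes observations are already projected to a scalar range in a shared comparison space, uses HMAC as a stand-in for the unspecified signature scheme, and treats all keys, names, policy values, and class labels as hypothetical.

```python
import hmac, hashlib, json, math

# Constructed enrollment keys and policy object (hypothetical values)
KEYS = {"unit-a": b"ka", "unit-b": b"kb", "unit-c": b"kc"}
EVALUATOR_KEY = b"evaluator-key"
POLICY = {"k_sigma": 3.0, "window_s": 0.02, "min_card": 2,
          "max_range_m": {"radio_tof": 5000.0, "acoustic": 1500.0, "optical": 3000.0}}

def sign(key, payload):
    # HMAC stands in for the unit signature scheme, which the page does not specify
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def make_obs(unit, modality, t, value, sigma):
    p = {"unit": unit, "modality": modality, "t": t, "value": value, "sigma": sigma}
    return {**p, "sig": sign(KEYS[unit], p)}

def reject(obs, predicate, stat, corr):
    # Signed rejection record: failed predicate, statistic, corroborating set, evaluator
    rec = {"unit": obs["unit"], "failed": predicate, "statistic": stat,
           "corroborating_set": [c["unit"] for c in corr], "evaluator": "eval-1"}
    return "REJECTED", {**rec, "sig": sign(EVALUATOR_KEY, rec)}

def evaluate(obs, corr, now, last_t, policy=POLICY):
    payload = {k: v for k, v in obs.items() if k != "sig"}
    key = KEYS.get(obs["unit"])
    if key is None or not hmac.compare_digest(sign(key, payload), obs["sig"]):
        return reject(obs, "credential", None, corr)
    if abs(now - obs["t"]) > policy["window_s"] or obs["t"] <= last_t.get(obs["unit"], -math.inf):
        return reject(obs, "timing", abs(now - obs["t"]), corr)
    if not 0.0 <= obs["value"] <= policy["max_range_m"].get(obs["modality"], 0.0):
        return reject(obs, "plausibility", obs["value"], corr)
    # Assumption: "independent" means a different unit and a different modality
    indep = [c for c in corr if c["unit"] != obs["unit"] and c["modality"] != obs["modality"]]
    if len(indep) < policy["min_card"]:
        return "DEGRADED", None  # admitted, but flagged as uncorroborated
    w = [1.0 / c["sigma"] ** 2 for c in indep]
    mean = sum(wi * c["value"] for wi, c in zip(w, indep)) / sum(w)
    combined = math.sqrt(obs["sigma"] ** 2 + 1.0 / sum(w))  # combined declared uncertainty
    residual = abs(obs["value"] - mean) / combined
    if residual > policy["k_sigma"]:
        return reject(obs, "corroboration", round(residual, 2), indep)
    return "CORROBORATED", None

if __name__ == "__main__":
    # Constructed sample: two corroborating ranges near 1000 m, spoofed candidate at 1400 m
    corr = [make_obs("unit-b", "acoustic", 10.0, 1001.0, 2.0),
            make_obs("unit-c", "optical", 10.0, 999.0, 2.0)]
    spoof = make_obs("unit-a", "radio_tof", 10.0, 1400.0, 1.0)
    print(evaluate(spoof, corr, now=10.005, last_t={}))
```

The corroborating observations are assumed to have passed the first three predicates already; the caller is responsible for updating `last_t` after each admitted observation.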
Alternative Embodiments
In a first alternative embodiment, cross-source corroboration is performed not against contemporaneous observations alone but against a short rolling window of recent observations from the same corroborating set. This embodiment is suited to deployments where modality update rates differ substantially and strict contemporaneity is unavailable; the rolling-window variant trades temporal precision for corroboration coverage.
In a second alternative embodiment, the admissibility evaluator is distributed across multiple receivers cooperating over the mesh, with each receiver evaluating a subset of incoming observations and broadcasting its rejection records. A receiver's local solver consumes both directly accepted observations and rejection records produced elsewhere in the mesh, allowing spoofing detected at the network edge to influence solver behavior at receivers that did not themselves observe the spoofed stream.
In a third alternative embodiment, the corroboration threshold is adapted online based on observed rejection density. Sustained elevated rejection rates trigger a tightening of the threshold and an elevation of the deployment's spoofing-pressure indicator, which propagates to operator interfaces and to higher-level mission planners. This embodiment is appropriate to contested operating profiles where spoofing pressure is expected to vary on operationally relevant timescales.
In a fourth alternative embodiment, the rejection record itself participates in a feedback loop with the contributing-unit credentialing system. Sustained rejection of observations attributed to a particular contributing unit, in patterns inconsistent with benign hardware degradation, triggers a credentialing review of that unit. This embodiment treats the contributing-unit credential as a revocable governance object whose continued validity is conditioned on the empirical admissibility of its emitted observations.
Composition
Anti-spoofed rejection composes with the broader mesh-coordinates architecture at three structural seams. At the inbound seam, it consumes the credentialed observation envelope produced by the contributing-unit signing layer, which is independently disclosed as part of the mesh-coordinates provisional. At the outbound seam, it emits accepted observations into the position solver and emits rejection records into the lineage substrate, both of which are credentialed governance flows shared with adjacent subsystems.
At the policy seam, the corroboration threshold, acceptance window, and minimum cardinality are not constants compiled into the evaluator but declared parameters retrieved from the deployment's policy object. The policy object is itself credentialed and versioned, so that changes to admissibility behavior are auditable and reversible. The composition with the policy substrate ensures that spoofing-defense behavior can be tightened in response to threat intelligence without requiring software redeployment.
The rejection record's role in lineage merits emphasis. Because rejections are signed and persisted on the same substrate as acceptances, the deployment's longitudinal record contains not only what positions were computed but what observations were excluded from those computations and why. This composition with the lineage substrate is what permits the architecture to support post-incident reconstruction and forensic analysis under the same evidentiary discipline that governs the position solution itself.
Prior-Art Distinctions
Single-modality spoofing defenses have a long history in GNSS receiver design. Signal-quality monitoring inspects correlator outputs for distortions characteristic of spoofing transmitters; multi-antenna spatial filtering exploits the angle-of-arrival difference between authentic satellite signals and a co-located spoofer; cryptographic GNSS authentication binds satellite transmissions to authenticated keying material at the constellation operator. Each of these defenses is implementation-coupled to a single modality and a single threat model; each can be defeated by spoofers tailored to that defense.
The disclosed anti-spoofed rejection differs structurally. It is modality-agnostic: the same admissibility predicates apply uniformly across radio, acoustic, inertial, and optical observations. It is corroboration-driven: a spoofer must defeat the cross-source predicate, which requires fabricating coherent streams across independently keyed modalities at the receiver's instantaneous location, an adversarial burden that scales with the number and diversity of corroborating modalities rather than with the implementation cost of any single defense. And it is governance-integrated: the rejection record is a credentialed governance object rather than a transient log line, so that defense behavior is auditable and policy-governed rather than implementation-buried.
Receiver-autonomous integrity monitoring (RAIM) in aviation GNSS performs a related corroboration test but is restricted to within-constellation consistency checks among redundant satellite measurements. The disclosed technique generalizes the corroboration principle across heterogeneous modalities and ties the rejection outcome to a credentialed lineage substrate, neither of which is contemplated by RAIM as conventionally practiced.
Disclosure Scope
The disclosure encompasses methods, systems, and computer-readable media implementing anti-spoofed observation rejection through cross-source corroboration with credentialed rejection records and confidence-class downgrade. The disclosure includes embodiments in which the admissibility evaluator is co-located with the position solver and embodiments in which the evaluator is distributed across cooperating receivers over a mesh substrate. The disclosure includes embodiments in which corroboration thresholds are static, embodiments in which they are policy-declared, and embodiments in which they adapt online to observed spoofing pressure.
The disclosure further encompasses the use of rejection records as inputs to credentialing review of contributing units, and the use of confidence-class downgrade flags as inputs to consumer behavior conditioning. The disclosure is not limited to GNSS spoofing scenarios and applies to any positioning architecture in which heterogeneous observations are admitted into a position solver under credentialed governance. Provisional Application 64/049,409 establishes priority for the mesh-coordinates subsystem within which this admissibility discipline operates.