DDoS-Resilient Positioning Through Mesh Cooperation

1. Regulatory and Domain Context

The threat catalogue is documented and growing, and it is now a regulated category in its own right. The U.S. Executive Order 13905 of February 2020 on "Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services" reframed PNT from an availability problem to a structural-resilience requirement, and it tasked the Department of Commerce, NIST, and DHS with delivering a Cybersecurity Profile (NIST IR 8323, with revision 8323r1 published in 2023) and the DHS PNT Conformance Framework. ICAO Annex 10 Volume I (radio navigation aids), IMO Resolution A.1046(27) on the IMO Worldwide Radionavigation System, and the IMO e-Navigation Strategy Implementation Plan each name resilient-PNT as a required design property rather than a procurement option. The U.S. Space-Based PNT Policy (NSPD-39, reaffirmed by SPD-7 in 2021) explicitly directs federal critical-infrastructure dependents to plan for sustained GPS-denied operation rather than for outage recovery.

The operational environment behind those instruments is by now hard to dispute. Black Sea GNSS spoofing in 2017 misreported approximately twenty vessels into Gelendzhik Airport in a coordinated event widely catalogued by C4ADS, Resilient Navigation and Timing Foundation, and the U.S. Maritime Administration. Eastern Mediterranean GPS denial during the Syrian conflict has been continuous since 2018, with FAA SAFO bulletins and ICAO State Letters acknowledging the operational impact on civil aviation routes through Beirut, Tel Aviv, and Cairo flight information regions. The Strait of Hormuz has seen recurrent jamming since 2019. Northern European GNSS interference, attributed to Russian electronic-warfare assets in Kaliningrad, has affected Finnair operations into Tartu and triggered Finnish, Estonian, Latvian, and Lithuanian government statements throughout 2022 to 2024. The U.S. Department of Transportation's Volpe Center catalogues domestic personal-privacy-device jamming incidents at trucking corridors, and the FAA's Newark Liberty International Airport ground-based augmentation system experienced repeated disruptions traceable to truckers' personal jammers transiting the New Jersey Turnpike.

Beyond GNSS, the attack surface has broadened to every alternative on which the procedural fallback ladder depends. BLE flooding attacks against indoor-positioning fingerprint databases inject false beacons to corrupt position estimates used by warehouse robotics, hospital asset tracking, and retail wayfinding. Wi-Fi RTT poisoning exploits the unauthenticated nature of 802.11mc Fine Timing Measurement to advertise false access-point positions; the IEEE 802.11az amendment introduces secure ranging but is not yet ubiquitously deployed. Adversarial fiducials defeat computer-vision positioning by presenting AprilTag or ArUco markers with manipulated identifiers, and academic work has demonstrated robust attacks against the dictionary-based decoding used by autonomous vehicles and drones. Cellular-tower spoofing using software-defined radios defeats cell-ID positioning; the false base station is now a routine tool in red-team kits. Each modality, considered alone, has a documented attack vector with a documented exploitation cost, and the cost is falling.

2. Architectural Requirement

A DDoS-resilient positioning architecture must satisfy three properties simultaneously, and the requirement is structural rather than procedural. First, no single source can determine the position output. The contribution weight of any modality, beacon, satellite, or peer must be bounded such that defeating that source degrades but does not control the position estimate, and the bound must be enforced at the architectural layer rather than left to operator discretion. Second, contributing observations must be credentialed and verifiable, so that an attacker injecting false observations faces both a cryptographic barrier and a cross-modality consistency check. The credentialing scheme must accept multiple authority taxonomies — a Galileo OSNMA-authenticated satellite signal, a defense-PKI-signed peer range, a port-authority-signed coastal marker, an FAA-signed ground station — without privileging any one of them. Third, the architecture must continue to operate when significant fractions of the observation set are degraded, jammed, or actively malicious, with the consensus property exposing the degradation to the consuming application rather than masking it. The application must receive honest uncertainty, not a smoothed-over best-guess.

Resilience is not the same as redundancy, and the conflation of the two is at the root of every failed PNT contingency design. A positioning stack that falls back from GNSS to inertial dead-reckoning when GNSS is jammed is not resilient against a sustained GNSS-denial environment because inertial drift defeats the fallback within minutes; a tactical-grade IMU drifts on the order of one nautical mile per hour, a navigation-grade IMU one nautical mile per ten hours, and the contested environments documented above persist for days or weeks. A positioning stack that falls back from GNSS to Wi-Fi positioning is not resilient against a coordinated jamming-plus-poisoning attack because the fallback modality has its own attack vector and the same adversary can run both campaigns. Redundancy multiplies hardware; resilience requires consensus across heterogeneous sources whose attack vectors are independent and whose contributions are bounded.

The architectural requirement also includes auditability. Post-incident analysis of a corrupted position must reconstruct which observations contributed, which were rejected, what their credentials were, and how the consensus weighted them. Without this property, regulatory regimes cannot distinguish a positioning system that survived an attack from one that was successfully spoofed into reporting a plausible-looking result, and operators cannot improve the consensus weighting from incident telemetry. Auditability is itself a structural property: it cannot be bolted on to a stack that does not retain per-observation provenance at the moment of consensus.

3. Why Procedural Compliance Fails

Procedural responses to positioning attacks have followed two patterns, both inadequate to the regulatory bar EO 13905, NIST IR 8323r1, and the DHS PNT Conformance Framework now set. The first pattern is hardening the primary source: M-code GPS receivers for military users (the GPS III modernization program and the Military GPS User Equipment effort), Galileo OSNMA (Open Service Navigation Message Authentication, declared operational by the European GNSS Agency in 2023) for civil GNSS, the BeiDou B-CNAV navigation-message authentication for Asian users, and anti-jam controlled-reception-pattern antennas (CRPA) for aviation and defense platforms. These measures raise the cost of attacking GNSS but do not eliminate the single-source dependency. A jammer that overwhelms the receiver front end defeats CRPA in a high-power-density environment because the antenna cannot null what saturates its low-noise amplifier. OSNMA authenticates the navigation message but does not defend against meaconing — record-and-replay — attacks where the adversary rebroadcasts a legitimately authenticated signal with a controlled delay. M-code raises the cryptographic floor for government users but leaves civil aviation, maritime, and critical-infrastructure timing entirely outside its protection envelope.

The second pattern is procedural fallback to alternative positioning sources. Aviation falls back to DME-DME (distance measuring equipment, the ICAO PBN ground-based backup) and inertial reference systems sized for the gap between DME coverage. Maritime falls back to eLoran where deployed — the UK General Lighthouse Authorities operate a partial eLoran service, and South Korea has reactivated its Loran-C towers under an eLoran upgrade — or to celestial navigation in the limit case, which the U.S. Naval Academy reinstated as a required midshipman skill in 2015. Ground systems fall back to cellular trilateration, Wi-Fi fingerprinting, or Network Time Protocol stratum-1 timing references. Each fallback has its own attack surface, its own integrity-monitoring gap, and its own coverage holes. eLoran is not deployed across most of the world's coasts. DME ground-station density is insufficient over oceans and remote terrain. Cellular trilateration is degraded or absent in the maritime environment that needs it most.

The fallback decision logic is itself an attack surface, and it is the attack surface adversaries are now learning to exploit. An adversary who induces a false GNSS-fault indication — for example, by spoofing a satellite signal slightly outside the receiver autonomous integrity monitoring (RAIM) tolerance — can force the system into a more easily attacked fallback modality. The Volpe Center's GPS Risk Assessment and the Resilient PNT Conformance Framework explicitly call out fallback-induced attack escalation as a documented failure mode. Neither pattern produces auditable post-incident analysis. When a position estimate has been corrupted, the procedural systems cannot reconstruct which observations contributed, which were rejected, and why. Forensic analysis of the 2017 Black Sea spoofing incident relied on AIS data and on third-party signal-of-opportunity logs from research-grade receivers operated by C4ADS and the University of Texas, because the affected receivers themselves did not retain per-observation provenance. The investigation worked only because researchers happened to be listening; nothing in the regulatory architecture required that they be.

4. The AQ Primitive: Mesh-Coordinates (64/049,409)

The Adaptive Query mesh-coordinates primitive, disclosed under USPTO provisional 64/049,409, makes consensus across credentialed peers the structural property of the position estimate rather than an outcome of procedural fallback. Each participating node contributes observations from the modalities available to it: GNSS pseudoranges (with OSNMA, B-CNAV, or M-code authentication when present), UWB time-of-flight ranges to credentialed peers under IEEE 802.15.4z secure ranging, lidar and radar reflections against surveyed reflectors with cryptographic identifiers, optical fiducials carrying signed identifiers (signed AprilTag or ArUco extensions), RFID and NFC proximity events at credentialed gates, BLE and Wi-Fi RTT measurements against attested infrastructure under IEEE 802.11az secure ranging, magnetic-dipole observations against surveyed anomaly maps, inertial integration with bounded drift over short windows, and visual SLAM correspondence against credentialed feature databases. Each observation carries a credential, a timestamp, and an uncertainty, and the credential is structural — not an annotation that can be removed at the consensus boundary.

The consensus protocol resolves position from the credentialed observation set, weighting observations by credential strength, recency, cross-modality consistency, and bounded contribution. An attacker attempting to corrupt the position must therefore defeat the credentialing system on multiple modalities simultaneously, present timing that survives cross-source consistency checks against ground truth the attacker does not control, and avoid producing a contributing-observation manifest that flags the manipulation under post-incident review. The attacker burden is structural: it grows with the diversity of the observation set rather than with the security of any single source. This is the inventive distinction from prior multi-constellation receivers, which sum independent GNSS systems but treat each as a single trust domain, and from sensor-fusion stacks that blend modalities under a Kalman framework but do not credential the inputs or audit the contribution.

On-demand densification supports operations entering contested environments without retreating to a procedural fallback. A vessel approaching a known spoofing region requests additional ranging cycles against nearby credentialed peers — other vessels under IMO LRIT credentials, port infrastructure under harbor-master credentials, coastal markers under classification-society credentials. An aircraft approaching a known jamming area requests additional ground-based DME and ADS-B credentialed observations from FAA-signed transmitters and from credentialed cooperating aircraft via ADS-B In. A ground convoy entering an electromagnetic-warfare area densifies its peer mesh with the convoy's other vehicles under defense-PKI credentials. The density adjustment is exposed to operations rather than buried in a fallback heuristic, which means operators can plan for it and regulators can audit it.

GPS-degraded operation is the design point rather than the failure mode. When GNSS contribution drops to zero, the consensus continues to resolve from the remaining modalities, with the application receiving an honest uncertainty that reflects the loss of the GNSS observation class. The application can decide whether the residual uncertainty is acceptable for the mission — landing, port entry, weapon release, time-stamping a financial trade — rather than receiving a smoothed estimate that hides the fact that the primary source is gone. The recursive property of the chain is that each consensus output is itself a credentialed observation that downstream systems and downstream consensus rounds can admit, weight, and audit; the position estimate is not an opaque output but a credentialed input to whatever consumes it.

5. Compliance Map

The mesh-coordinates observation manifest maps onto positioning-integrity regulations across domains in a way that procedural fallback cannot. ICAO Annex 10 PBN (Performance-Based Navigation) integrity-monitoring requirements are satisfied by the per-observation provenance and uncertainty propagation that the consensus protocol exposes; the FMS receives a position with a documented contribution chain rather than a black-box estimate. IMO e-Navigation resilient-PNT guidance maps to the multi-modal observation set and the credentialed-peer densification, with the IMO's S-100 framework providing the data-model substrate for the credential lineage. U.S. Executive Order 13905 on responsible PNT use, the corresponding NIST Cybersecurity Profile for PNT (NIST IR 8323r1), and the DHS PNT Conformance Framework Levels 1 through 4 all specify the per-source provenance, the cross-source consistency checking, and the post-incident auditability that the mesh-coordinates manifest provides directly. A Conformance Framework Level 4 deployment, which requires demonstrated resilience under sustained adversarial conditions, is structurally achievable with mesh-coordinates and structurally unachievable with single-source-plus-fallback.

Defense applications under DoD instruction 4650.08 (PNT and Navigation Warfare), the U.S. Space Force's contested-environment requirements, and the DoD Assured-PNT (A-PNT) programs of record are addressed by the structural consensus property and by the credentialing of peer observations under defense-PKI credentials. Civil-aviation OSNMA adoption integrates as one credential class within the consensus rather than as a single point of dependency. NIS2 directive obligations on critical-infrastructure operators in the EU, the EU Cyber Resilience Act conformance posture for connected products, and the SEC cyber-disclosure regime for U.S. public companies whose operations depend on PNT timing all converge on the same structural requirements: documented per-source provenance, demonstrated resilience under adversarial conditions, and post-incident auditability of the contribution chain.

6. Adoption Pathway

Adoption proceeds along three operational tracks, each pegged to an existing regulatory and procurement cycle so that mesh-coordinates lands as an upgrade to an in-flight program rather than as a green-field replacement. Maritime adoption begins with vessels operating in documented spoofing regions — Black Sea, Eastern Mediterranean, Persian Gulf, Northern European archipelago waters. The peer mesh composes vessel-to-vessel UWB and radar ranging, port-infrastructure credentialed markers, and Galileo OSNMA-authenticated GNSS contributions. The IMO and classification societies (DNV, ABS, Lloyd's Register, ClassNK, BV) provide the credentialing framework already in place for vessel identity and equipment certification, and the IMO e-Navigation S-100 data model supplies the lineage substrate. Insurance underwriters — the IUMI Cyber Committee, the Joint War Committee — are independently demanding evidence of resilient-PNT posture for hulls operating in listed war-risk areas, and the mesh-coordinates manifest is the document that satisfies them.

Aviation adoption integrates the mesh as a contributing source to the existing PBN and integrity-monitoring stack rather than as a replacement. ADS-B ground-station credentials, DME and VOR transmitter credentials, and inter-aircraft credentialed ranging compose into a consensus that the FMS treats as one PBN-eligible source among several. The FAA's Alternative Position, Navigation, and Timing program, the EASA Resilient-PNT working items, and the Eurocontrol GNSS Vulnerabilities Task Force provide the regulatory pathway. Commercial-aviation deployment is gated by airworthiness certification (RTCA DO-229, DO-178C, DO-254) and by the FAA's TSO-C145/C146 GPS sensor TSOs, and the mesh substrate is structured to ride beneath the existing TSO architecture rather than to require new ones.

Ground and surface adoption starts with critical-infrastructure operators — power-grid PMU timing under NERC CIP-012, financial-transaction timestamping under MiFID II RTS 25 and the SEC Consolidated Audit Trail, telecommunications synchronization under ITU-T G.8272 — whose dependency on GPS timing is acknowledged in DHS sector risk assessments and in the Volpe Center reports. The mesh contributes credentialed timing-peer observations alongside GPS, with the consensus property protecting the timing application from a successful GPS-only attack. Defense and emergency-response adoption follows established credentialing infrastructure (DoD PKI, FirstNet credentials, FEMA emergency-services PKI), with the structural resilience property surviving the contested-environment conditions that defeat single-source positioning by construction.

The pathway is incremental rather than disruptive. A vessel, an aircraft, a critical-infrastructure operator, or a defense unit does not abandon GNSS to adopt mesh-coordinates; the existing GNSS receiver simply becomes one credentialed observation source among several. The investment that owners have already made in OSNMA-capable receivers, in inertial reference systems, in DME-DME-capable flight management systems, and in eLoran or similar terrestrial backups is preserved and is augmented in value rather than depreciated. What changes is the architectural property that composes those sources: from a procedural fallback ladder vulnerable at every rung, to a credentialed consensus whose attack-cost grows with the breadth of the observation set rather than with the security of any single component. The compliance posture that EO 13905, NIS2, and IMO e-Navigation are converging on is the posture mesh-coordinates produces structurally; the adoption question is not whether the property is required but which platforms acquire it first.