Anti-Spoofed Time Observations

by Nick Clark | Published April 25, 2026

A time consensus engineered for resilience to GPS spoofing accepts no single source as authoritative. Instead, the consensus corroborates time across multiple independent observation modalities, namely multiple GNSS constellations, peer-time exchanges among mesh participants, and disciplined-oscillator holdover predictions, and treats the divergence among those observations as the spoofing signal itself. Observations that disagree with the corroborated reference fail admissibility rather than entering the solver, and the rejection events themselves are credentialed and recorded as governance-grade lineage. The architecture therefore converts spoofing from an undetectable injection into a structurally observable disagreement.


Mechanism

The anti-spoofed time mechanism operates as an admissibility filter interposed between raw time observations and the time-consensus solver. Each candidate observation arrives carrying a credential identifying its attester, a modality tag indicating its source class (e.g., GPS L1, GPS L5, Galileo E1, GLONASS L1OF, peer-time receipt, holdover prediction), an asserted timestamp, and ancillary metadata including signal-quality indicators where available. The admissibility filter runs four structural checks in sequence: credential validity against the governance roster, offset plausibility against the disciplined-oscillator drift envelope, freshness against the active consensus window, and cross-attester consistency against the corroborated reference assembled from peer observations.

Multi-source corroboration is the core primitive. The architecture does not select a single "best" source and then check the others against it; instead, it computes a corroborated reference as a robust statistic over the admissible observations, and admissibility is evaluated against that reference rather than against any individual source. When a spoofer injects a coherent but false time into one modality (for example, a GPS meaconing attack in which live signals are captured and rebroadcast with a path delay that offsets reported time by tens of microseconds), the spoofed observations diverge from the corroborated reference assembled from the unspoofed modalities. The divergence drives the spoofed observations into the rejection record rather than into the solver.

Rejection is itself a credentialed event. Each rejection record retains the rejecting authority, the failing check, the offending observation, and the corroborated reference at the moment of rejection. Downstream audit can therefore reconstruct not only the consensus that was admitted but the observations that were excluded and the structural reason for exclusion. Systematic rejection patterns — repeated rejections from a single attester, geographically clustered rejections, or rejections concentrated in a single modality — surface as diagnostic events without manual triage.

The corroborated reference is computed using a robust statistic, typically a trimmed mean or a weighted median, over the admissible observations within the active consensus window. The choice of statistic is itself a governance-declared parameter: trimmed means are appropriate where the modality mix is approximately Gaussian under nominal conditions; weighted medians are appropriate where outliers are expected and where the modality count is small. Either statistic has a breakdown point that bounds how many admissible observations an attacker may control before the reference itself moves: roughly the trim fraction for a trimmed mean, and half the total weight for a weighted median. The architecture admits both, and the resolution observation records which statistic was applied so that downstream auditors can reconstruct the reference computation deterministically. A reference computation that cannot be reproduced from its declared inputs and statistic is itself flagged as an admissibility failure, preventing a class of attack in which a compromised solver injects a false reference under the guise of a robust computation.
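The following is an added Python example, not code from the disclosure, of the procedure described in the preceding paragraphs: the four admissibility checks run in sequence, the corroborated reference computed as a trimmed mean or weighted median, the credentialed rejection record, and the audit check that a resolution must be recomputable from its declared inputs and statistic. The roster, keys, weights, thresholds and observation values are constructed for illustration, and an HMAC-SHA256 tag stands in for whatever credential scheme a real roster would use; quorum and independence-class bookkeeping are left out to keep the block short.

```python
import hashlib, hmac
from collections import namedtuple
# Governance roster (constructed): attester -> (credential key, modality, weight).
# An HMAC-SHA256 tag stands in for whatever signature scheme the real roster uses.
ROSTER = {
    "rx-a":   (b"key-a",  "gps_l1",       1.0),
    "rx-b":   (b"key-b",  "galileo_e1",   3.0),   # authenticated signal, weighted up
    "rx-c":   (b"key-c",  "glonass_l1of", 1.0),
    "peer-1": (b"key-p1", "peer",         2.0),
    "peer-2": (b"key-p2", "peer",         2.0),
}
# t_ns: asserted time; recv_ns: local receipt time; tag: hex credential over the other three.
Observation = namedtuple("Observation", "attester t_ns recv_ns tag")

def _tag(key, attester, t_ns, recv_ns):
    return hmac.new(key, f"{attester}|{t_ns}|{recv_ns}".encode(), hashlib.sha256).hexdigest()

def attest(attester, t_ns, recv_ns):
    return Observation(attester, t_ns, recv_ns, _tag(ROSTER[attester][0], attester, t_ns, recv_ns))

def credential_ok(obs):
    entry = ROSTER.get(obs.attester)
    return entry is not None and hmac.compare_digest(
        _tag(entry[0], obs.attester, obs.t_ns, obs.recv_ns), obs.tag)

def trimmed_mean(values, trim_frac):
    k = int(len(values) * trim_frac)            # drop the k lowest and k highest
    core = sorted(values)[k:len(values) - k]
    if not core:
        raise ValueError("trim fraction leaves no samples")
    return sum(core) / len(core)

def weighted_median(values, weights):
    half, acc = sum(weights) / 2.0, 0.0
    for v, w in sorted(zip(values, weights)):
        acc += w
        if acc >= half:
            return float(v)
    raise ValueError("no samples")

# Governance-declared statistics; any other name is an undeclared statistic (KeyError).
STATISTICS = {"trimmed_mean": lambda v, w, f: trimmed_mean(v, f),
              "weighted_median": lambda v, w, f: weighted_median(v, w)}
def corroborate(inputs, statistic, trim_frac=0.2):
    """Robust reference, returned with the declared inputs needed to recompute it."""
    ref = STATISTICS[statistic]([t for _, t, _ in inputs], [w for _, _, w in inputs], trim_frac)
    return {"statistic": statistic, "trim_frac": trim_frac, "inputs": list(inputs), "reference_ns": ref}

def reproducible(resolution):
    """Audit check: a resolution that cannot be recomputed from its own record fails."""
    try:
        again = corroborate(resolution["inputs"], resolution["statistic"], resolution["trim_frac"])
    except (KeyError, ValueError):
        return False
    return again["reference_ns"] == resolution["reference_ns"]

def _inputs(obs_list):
    return [(o.attester, o.t_ns, ROSTER[o.attester][2]) for o in obs_list]

def admit(observations, now_ns, holdover_ns, p):
    """Run the four checks in sequence; every failure becomes a rejection record."""
    rejected, survivors, admitted = [], [], []
    def reject(obs, check, ref=None):
        rejected.append({"authority": p["authority"], "check": check,
                         "observation": obs, "reference_ns": ref})
    for obs in observations:
        if not credential_ok(obs):
            reject(obs, "credential")
        elif abs(obs.t_ns - holdover_ns) > p["drift_envelope_ns"]:
            reject(obs, "offset_plausibility", holdover_ns)
        elif not 0 <= now_ns - obs.recv_ns <= p["window_ns"]:
            reject(obs, "freshness")
        else:
            survivors.append(obs)
    # Spoofed survivors still sit inside this first reference; the robust statistic keeps them from moving it.
    ref = corroborate(_inputs(survivors), p["statistic"])["reference_ns"]
    for obs in survivors:
        if abs(obs.t_ns - ref) > p["tolerance_ns"]:
            reject(obs, "cross_attester", ref)
        else:
            admitted.append(obs)
    return admitted, rejected, corroborate(_inputs(admitted), p["statistic"])

PARAMS = {"authority": "mesh-gov-1", "drift_envelope_ns": 100_000, "window_ns": 200_000_000,
          "tolerance_ns": 1_000, "statistic": "weighted_median"}
def run_demo():
    """Constructed observations: one meaconed GPS receiver among honest sources."""
    now = h = 10_000_000_000; ms = 1_000_000     # local time == holdover prediction, ns
    good = attest("rx-b", h + 200, now - 40 * ms)
    obs = [
        attest("rx-a", h + 40_000, now - 50 * ms),       # 40 us late, yet inside the drift envelope
        good,
        attest("rx-c", h - 150, now - 30 * ms),
        attest("peer-1", h + 100, now - 20 * ms),
        attest("peer-2", h + 50, now - 10 * ms),
        attest("rx-a", h + 5_000_000, now - 45 * ms),    # 5 ms off: fails offset plausibility
        attest("rx-c", h - 100, now - 2000 * ms),        # 2 s old: fails freshness
        Observation("rx-b", h + 40_000, good.recv_ns, good.tag),   # valid tag replayed over altered time
    ]
    return admit(obs, now, h, PARAMS)
```

In the constructed run the meaconed GPS L1 observation passes credential, offset-plausibility and freshness checks, because a 40 µs delay is well inside a 100 µs drift envelope, and is caught only by the cross-attester check against a weighted median that the three honest modalities dominate. Note that the first reference is computed with the spoofed observation still present, which is exactly why the statistic must be robust rather than a plain mean.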

Modality independence is the structural property the architecture exploits. Two GNSS signals from satellites of the same constellation share an upstream control segment and are therefore jointly compromisable by an attacker with access to that segment; observations from independent constellations (GPS, Galileo, GLONASS, BeiDou) do not share that vulnerability. Constellation independence does not, however, protect against a local transmitter that spoofs several constellations at once into the same antenna, so the roster's independence declaration should treat observations that share one antenna and RF front end as jointly compromisable whatever constellation they come from. Peer-time exchanges among mesh participants share no GNSS-segment vulnerability at all and are therefore independent of all space-segment attacks. Disciplined-oscillator holdover is independent of any external transmission and depends only on the local oscillator's intrinsic stability. The architecture's anti-spoofing strength is bounded below by the independence of the admitted modalities, and the governance roster declares which modality combinations qualify as independent for the purposes of corroboration.

Operating Parameters

The drift envelope governing offset plausibility is parameterized by oscillator class and grows with the time elapsed since the oscillator was last disciplined. A temperature-compensated crystal oscillator (TCXO) under typical environmental conditions accumulates holdover error on the order of microseconds per minute; an oven-controlled crystal oscillator (OCXO) accumulates tens of nanoseconds per minute; a chip-scale atomic clock (CSAC) yields a comparable or tighter envelope over the relevant intervals. The architecture admits the envelope as a declared parameter so that the same admissibility logic operates correctly across heterogeneous mesh participants.

Consensus-window freshness is parameterized by the application's tolerance for time staleness. Critical-infrastructure timing applications operating at millisecond resolution may admit observations within a window of a few hundred milliseconds; defense applications requiring tighter synchronization may narrow the window to tens of milliseconds. Cross-attester consistency thresholds are parameterized similarly: the corroboration tolerance — the maximum admissible deviation from the corroborated reference — scales with the noise floor of the modality mix and with the consensus-window width.

Quorum and weight parameters govern the corroborated reference itself. The quorum is the minimum number of admissible observations, counted over modalities the roster declares independent, required before a reference is published. The architecture admits weighted contributions, allowing modalities with stronger anti-spoofing properties (encrypted military GPS such as P(Y) or M-code, Galileo OSNMA-authenticated signals, peer-time over authenticated channels) to dominate the corroborated reference where present, while still drawing on lower-assurance modalities to broaden the structural attack burden. Weights must nevertheless be bounded so that no single modality, however well authenticated, carries enough weight to move the reference on its own; otherwise meaconing of that one modality would defeat the corroboration.

Rejection-rate parameters govern the operational health of the admissibility filter itself. A baseline rejection rate is established during nominal operation and is monitored as a diagnostic signal: a sudden rise in rejection rate against a single modality, a single attester, or a single geographical region indicates either an operational degradation or an adversarial event, and the architecture admits either interpretation under the governance posture. The threshold at which a rejection-rate excursion triggers an automatic posture change (for example, narrowing the admissibility window, tightening the corroboration tolerance, or quarantining a specific attester; loosening the tolerance is the response where the excursion is attributed to operational degradation rather than attack) is itself a declared parameter, and the posture-change directive is a credentialed observation in its own right.
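An added Python example, not part of the disclosure, of the rejection-rate monitoring just described: rejection records are bucketed per minute along the modality, attester and region dimensions, a baseline is taken from the preceding nominal buckets, and a key whose latest count exceeds a Poisson-style bound on its baseline produces a posture-change directive. The records, bucket size, z-factor, minimum count and the mapping from dimension to posture action are all constructed assumptions; a real deployment would sign the directive with the issuing authority's credential, which is omitted here.

```python
from collections import Counter, defaultdict
from math import sqrt

DIMS = ("modality", "attester", "region")
# Example posture mapping (an assumption, not the disclosure's): which declared
# posture change a sustained excursion along each dimension triggers.
POSTURE = {"attester": "quarantine_attester", "modality": "narrow_window",
           "region": "tighten_tolerance"}

def bucketise(records, bucket_s):
    """Per-bucket rejection counts along every monitored dimension."""
    buckets = defaultdict(lambda: {d: Counter() for d in DIMS})
    for r in records:
        for d in DIMS:
            buckets[int(r["t_s"] // bucket_s)][d][r[d]] += 1
    return buckets

def excursions(records, bucket_s=60, baseline_buckets=10, z=3.0, min_count=5,
               authority="mesh-gov-1"):
    """Flag keys whose latest-bucket count exceeds mean + z*sqrt(mean) of the baseline.

    The bound is a Poisson approximation; min_count stops a single stray
    rejection against a previously silent key from triggering a directive."""
    buckets = bucketise(records, bucket_s)
    latest = max(buckets)
    base = [buckets[b] for b in range(latest - baseline_buckets, latest)]
    directives = []
    for d in DIMS:
        for key, count in buckets[latest][d].items():
            mean = sum(b[d][key] for b in base) / len(base)
            if count >= min_count and count > mean + z * sqrt(mean):
                directives.append({"authority": authority, "dimension": d, "target": key,
                                   "count": count, "baseline_mean": mean, "action": POSTURE[d]})
    return directives

def constructed_records():
    """Constructed lineage: ten nominal minutes with a steady trickle of
    rejections, then a burst against GPS L1 from two receivers in one region."""
    recs = []
    for b in range(10):
        t = b * 60
        recs += [dict(t_s=t + 5, attester="rx-a", modality="gps_l1", region="north", check="cross_attester"),
                 dict(t_s=t + 20, attester="rx-b", modality="galileo_e1", region="south", check="freshness"),
                 dict(t_s=t + 40, attester="peer-1", modality="peer", region="south", check="freshness")]
    for i in range(12):
        recs.append(dict(t_s=600 + 4 * i, attester="rx-a" if i % 2 else "rx-e",
                         modality="gps_l1", region="north", check="cross_attester"))
    return recs
```

Run on the constructed lineage, the burst surfaces along all three dimensions at once (modality gps_l1, attesters rx-a and rx-e, region north), which is the pattern of a localised GPS spoofer; a lone attester exceeding its baseline while its modality and region stay flat would instead point at that one receiver.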

Reconciliation parameters govern the behavior of the holdover layer when peer-time exchanges resume after an outage. The reconciliation tolerance is the maximum admissible discrepancy between the holdover-carried reference and the freshly admitted peer-time corroboration; a discrepancy within tolerance is reconciled silently, while a discrepancy outside tolerance enters the rejection lineage and triggers a governance-visible reconciliation event. The tolerance is parameterized by the holdover envelope and the elapsed disconnection interval, so that long disconnections automatically loosen the reconciliation tolerance proportionally to the legitimate accumulated drift.
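An added Python example, not part of the disclosure, of the holdover and reconciliation parameters described here and in the intermittently connected embodiment below: the last corroborated reference is carried forward on the local oscillator with a first-order frequency-offset correction, the envelope loosens linearly with the disconnection interval at a per-class drift rate, and a peer-time reference arriving after the outage is either reconciled silently or recorded as a lineage event. The drift rates are illustrative placeholders matching the orders of magnitude given above, the 45 µs discrepancy and the 100 ppb offset are constructed, and keeping the holdover reference when reconciliation fails is this example's policy, not the disclosure's.

```python
# Illustrative per-class holdover drift rates in ns of accumulated error per second
# of holdover (constructed to match the text: microseconds per minute for a TCXO,
# tens of nanoseconds per minute for an OCXO). Real values come from calibration.
DRIFT_NS_PER_S = {"tcxo": 100.0, "ocxo": 0.5, "csac": 0.2}

def holdover_envelope_ns(osc_class, elapsed_s, floor_ns=50.0):
    """Envelope that loosens in proportion to the disconnection interval."""
    return floor_ns + DRIFT_NS_PER_S[osc_class] * elapsed_s

def holdover_predict(last_ref_ns, elapsed_local_ns, freq_offset_ppb):
    """Carry the last corroborated reference forward on the local oscillator.

    First-order correction only: an oscillator running fast by f ppb over-counts
    elapsed time by f*1e-9, so the local interval is scaled down by that factor."""
    return last_ref_ns + round(elapsed_local_ns * (1.0 - freq_offset_ppb * 1e-9))

def reconcile(holdover_ref_ns, peer_ref_ns, osc_class, elapsed_s, authority="mesh-gov-1"):
    """Reconcile the holdover-carried reference against fresh peer corroboration."""
    discrepancy = abs(holdover_ref_ns - peer_ref_ns)
    tol = holdover_envelope_ns(osc_class, elapsed_s)
    record = {"discrepancy_ns": discrepancy, "tolerance_ns": tol,
              "elapsed_s": elapsed_s, "osc_class": osc_class}
    if discrepancy <= tol:
        # Within legitimate accumulated drift: adopt the peer reference silently.
        return dict(record, outcome="silent", reference_ns=peer_ref_ns)
    # Outside it: the discrepancy enters the rejection lineage. Which side is wrong
    # is a governance decision, so this example keeps the holdover reference.
    return dict(record, outcome="lineage_event", authority=authority,
                reference_ns=holdover_ref_ns)

def run_demo():
    """Same 45 us discrepancy (constructed) seen after three different outages."""
    last_ref = 10_000_000_000              # last corroborated reference, ns
    outcomes = {}
    for osc, elapsed_s in (("tcxo", 600), ("ocxo", 600), ("tcxo", 10)):
        held = holdover_predict(last_ref, elapsed_s * 1_000_000_000, freq_offset_ppb=100)
        peer = held + 45_000               # peers resume and disagree by 45 us
        outcomes[(osc, elapsed_s)] = reconcile(held, peer, osc, elapsed_s)
    return outcomes
```

The same 45 µs discrepancy is silent for a TCXO after ten minutes (its envelope has grown to about 60 µs) but a governance-visible event for an OCXO after the same interval and for the TCXO after only ten seconds, which is the proportional loosening the paragraph describes. Real envelopes also carry aging and temperature terms that grow faster than linearly, so the linear model here is a lower bound on what a deployed parameter set needs.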

Alternative Embodiments

The mechanism admits embodiments ranging from terrestrial mesh deployments to satellite-augmented networks. A purely terrestrial embodiment may rely on peer-time exchanges among mesh participants combined with disciplined-oscillator holdover, with GNSS contributions admitted only when corroborated. A satellite-augmented embodiment may admit multiple independent GNSS constellations as the dominant corroboration sources, with peer-time and holdover serving as fallback when the GNSS layer is degraded or under attack.

Embodiments may further differentiate by trust posture. A high-assurance embodiment may require credential validity and signal-authenticity proofs (Galileo OSNMA, GPS Chimera) before admitting any GNSS observation; a permissive embodiment may admit unauthenticated GNSS subject to stricter cross-attester corroboration. The architecture is invariant under these choices because the admissibility filter and the corroborated reference are defined structurally rather than against any specific source.

Embodiments addressing meaconing and replay attacks may extend the modality set to include direction-of-arrival measurements, signal-power profiles, and Doppler signatures. These observations enter the admissibility filter as credentialed observations in their own right, each with its own plausibility envelope, and contribute to the structural divergence that flags spoofed inputs: a meaconed signal arrives from a single terrestrial direction, at a power level and with a Doppler profile that do not match the satellite geometry its data claims.

Mobile and intermittently connected embodiments admit additional flexibility. Where peer-time exchanges are unavailable for sustained intervals, the disciplined-oscillator holdover layer carries the corroborated reference forward, and the admissibility filter widens its tolerance band proportionally to the holdover envelope. When peer connectivity is restored, the holdover-carried reference is reconciled against the freshly admitted peer observations, with reconciliation discrepancies themselves entering the rejection lineage. The architecture therefore admits intermittent operation without abandoning the structural anti-spoofing posture, and the parameterized envelope makes the resulting trust trade-off explicit in the lineage record rather than implicit in the implementation.

Composition

Anti-spoofed time composes with the broader multi-source-corroboration primitive that governs admissibility throughout the architecture. The same structural pattern — credentialed observations, robust corroborated reference, divergence-as-rejection — applies to position observations, sensor observations, and identity observations across the mesh. Anti-spoofed time is therefore not a bespoke defense layered on top of the time subsystem; it is the time-domain expression of a primitive that runs throughout the architecture.

Anti-spoofed time also composes with the trust-slope and health-monitoring primitives. A modality producing a sustained pattern of rejections will exhibit a downward trust slope under health monitoring, triggering re-credentialing or downgrade procedures independently of the timekeeping operation. The two primitives operate on the same lineage substrate and reinforce one another.

Composition with cross-mesh federation extends the structural attack burden across organizational boundaries. Time observations admitted in one mesh, when exchanged with a peer mesh, carry their credential and modality lineage and are evaluated against the receiving mesh's corroborated reference rather than admitted on the basis of the sending mesh's prior admission. Federated meshes therefore produce a multiplicative defense: an attacker would need to coordinate spoofing across modalities and across mesh boundaries simultaneously, a structurally harder problem than spoofing a single mesh in isolation.

Prior Art Distinction

Conventional anti-spoofing approaches either (i) trust a single hardened source, typically encrypted military GNSS, and degrade gracefully when that source is unavailable, or (ii) detect spoofing through features observable inside a single receiver (correlator-peak distortion, antenna-array null-steering, RAIM-style measurement exclusion). Both approaches concentrate the trust assumption inside one device or one source, and both fail under coordinated attacks that degrade the trusted source or that reproduce the receiver-level features authentically.

The disclosed mechanism differs structurally. Trust does not concentrate in any single source; the corroborated reference is a function of multiple independent modalities, and an attacker must coordinate a spoofing attack across all admitted modalities simultaneously to avoid producing the divergence signature. The structural attack burden grows with the modality count and with the credentialing diversity, rather than with any single device's signal-processing sophistication.

The disclosed mechanism is further distinct from receiver-internal RAIM (Receiver Autonomous Integrity Monitoring) and its descendants, which compare the over-determined position-time solution from a single receiver's view of multiple satellites against an internal consistency check. RAIM is a single-receiver primitive and does not produce a credentialed observation, does not retain a lineage of rejected satellites, and does not compose with peer-mesh corroboration. The disclosed mechanism subsumes the RAIM concept under the broader corroborated-reference primitive and exposes the rejection lineage as governance-grade evidence rather than receiver-internal diagnostic state.

The disclosed mechanism is also distinct from authenticated-broadcast schemes such as Galileo OSNMA and GPS Chimera taken in isolation. Authenticated broadcast establishes that a particular signal originated from the declared satellite constellation; it does not establish that the resulting time observation is consistent with corroborated peer or holdover references, and it does not protect against meaconing attacks in which authenticated signals are captured and rebroadcast with delay. The disclosed mechanism admits authenticated broadcast as a high-weight modality contribution but does not rely on any single authenticated source as authoritative, so that meaconing of an authenticated signal still produces a divergence against the corroborated reference and is rejected under the same admissibility logic that handles unauthenticated spoofing.

Disclosure Scope

The disclosure encompasses the admissibility filter and the corroborated-reference computation, the credentialed-rejection lineage, the parameterization of drift envelopes and consensus windows, and the composition of the time-domain anti-spoofing primitive with the broader multi-source-corroboration substrate. Embodiments span terrestrial mesh, satellite-augmented, and hybrid deployments, and span the threat surface from signal-level rebroadcast through coordinated multi-modality attacks.

The disclosure further contemplates application contexts including but not limited to defense timing under contested electromagnetic conditions, civilian power-grid synchrophasor networks, financial-market timestamping under regulatory clock-traceability requirements, telecommunications backhaul timing where GNSS dependence has been identified as a single-point vulnerability, and autonomous-vehicle and unmanned-systems timing where spoofed time can drive errors in dead-reckoning, sensor fusion, and inter-vehicle coordination. In each context the same structural primitive applies: an admissibility filter operating on credentialed observations, a corroborated reference assembled from independent modalities, divergence converted into rejection lineage, and rejection lineage exposed to governance for downstream action.

The disclosure is intended to be construed broadly with respect to the modality count, the credential schema, the corroboration statistic, and the governance posture under which rejection events are admitted. Variants in any of these dimensions remain within the disclosed primitive provided the structural pattern of credentialed admissibility, multi-source corroboration, and divergence-as-rejection is preserved. The architectural value resides in that pattern rather than in any specific implementation choice, and the pattern is the subject of the disclosure.

Invented by Nick Clark. Founding investors: Anonymous, Devin Wilkie.