Method and system for context-aware threat anomaly detection in satellite navigation communications

A context-aware approach using hybrid machine learning and context-based models addresses the limitations of existing GNSS threat anomaly detection by modeling the receiver's environment, effectively neutralizing sophisticated attacks and enhancing detection capabilities.

JP2026522217APending Publication Date: 2026-07-07

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Filing Date
2024-05-23
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

Existing solutions for detecting GNSS threat anomalies are limited to identifying individual threat vectors and are vulnerable to sophisticated attacks, failing to account for the complex and dynamic nature of the local environment of a receiver device.

Method used

A context-aware solution that models the receiver's local environment using hybrid machine learning and context-based models, incorporating various sensor data to detect deviations from expected behavior, thereby reducing the feasibility of targeted attacks.

Benefits of technology

The solution effectively neutralizes and limits the impact of sophisticated attacks by requiring attackers to mimic the receiver's context, raising the complexity barrier for successful attacks and enhancing detection capabilities.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026522217000001_ABST
    Figure 2026522217000001_ABST
Patent Text Reader

Abstract

A method and system for detecting threat anomalies in satellite navigation and communication networks. The method includes, in a receiver device, receiving data transmitted from a satellite navigation network; determining context data related to the receiver device; and detecting, at least in part, based on the determined context data and the transmitted data from the satellite received by the receiver device, that the received data transmitted from the satellite network constitutes a threat anomaly.
Need to check novelty before this filing date? Find Prior Art

Description

[Technical Field]

[0001] This application claims priority to U.S. Provisional Patent Application No. 63 / 468,511, filed on 23 May 2023, which is incorporated herein by reference in its entirety.

[0002] The embodiments described herein relate to the detection of threat anomalies, specifically the detection of newly emerging threat anomalies in integrated satellite navigation and communication platforms. [Background technology]

[0003] Satellite navigation and communications provide real-time, accurate position, navigation, and time information using satellite networks that transmit signals to ground-based receiver devices. Several satellite navigation and communications systems are in operation, including the Global Positioning System (GPS), Globalnaya Navigazionnaya Sputnikovaya Sistema (GLONASS), Galileo, and BeiDou systems. Global Navigation Satellite Systems (GNSS) is a general term for any group of satellites that provide Earth-based or regional-based positioning, navigation, and time services.

[0004] GNSS has become a critical infrastructure due to its wide range of applications. These include, but are not limited to, transportation (air, maritime, and land), agriculture, emergency services, surveying, communications, and military operations. GNSS has transformed the way we navigate and perform tasks, resulting in increased efficiency, safety, and productivity across multiple industries.

[0005] As GNSS becomes increasingly integrated into modern society, the system also faces growing threats. These threats can be classified into unintentional (e.g., signal interference, space weather) and intentional (e.g., jamming, spoofing, and cyberattacks). Unintentional threats are generally caused by natural phenomena or man-made causes that interfere with GNSS signals, while intentional threats are deliberate acts that attempt to disrupt, manipulate, or disable GNSS services. [Brief explanation of the drawing]

[0006] [Figure 1] This describes satellite navigation and communication systems relating to one or more examples. [Figure 2] This document presents an example of a computer system architecture for threat anomaly detection within satellite navigation and communication systems. [Figure 3] This document presents an example of a system for detecting threat anomalies within satellite navigation and communication systems. [Figure 4] This example demonstrates the implementation of a system for threat anomaly detection within a satellite navigation and communication system. [Figure 5] Further implementations of the system for threat anomaly detection within satellite navigation and communication systems are shown in the embodiment example. [Figure 6] This document describes a method for detecting threat anomalies within a satellite navigation and communication system in an example embodiment. [Figure 7] This document describes a method for detecting threat anomalies within a satellite navigation and communication system in an example embodiment. [Modes for carrying out the invention]

[0007] Embodiments of this specification provide, in particular, solutions for detecting attack attempts against the integrity of navigation and communications satellite infrastructure. Embodiments of this specification recognize that existing solutions for GNSS threat anomaly detection rely on checking whether multiple signals are arriving from a single ground source or multiple nearby sources, searching for unexpected deviations in signal characteristics based on predefined statistical thresholds, or monitoring differences across multiple sources by combining different sensor data. While such solutions can detect attacks belonging to a particular threat vector under consideration, they are vulnerable to more sophisticated attacks. Thus, embodiments of this specification recognize that existing solutions focus on identifying individual problems within a given threat vector. The detection capabilities of existing approaches are limited to assumptions about the underlying threat vector and remain vulnerable to the evolving sophistication of attackers.

[0008] The embodiments of this specification, among other advantages, provide a receiver context-aware solution that advantageously captures and models the complex and dynamic nature of the local environment of a receiver device (also referred to herein as the “receiver”), and leverages this to reduce the probability of a targeted attack succeeding, recognizing that an attacker would need to possess the same device as the target receiver at the same time and location in order to mimic the context. By modeling the receiver context in this way, the feasibility of large-scale attacks is advantageously reduced, and the complexity barrier required for an attacker to successfully execute a targeted attack is raised. In particular, the embodiments of this specification recognize that mimicking the context associated with a receiver device is difficult because any attack requires deviation from the context, and by using a context-aware adaptive solution, both the feasibility and impact of the attack are neutralized, or at least limited. By modeling the context centered on the underlying receiver, the threat vector is essentially limited to following the context in order to successfully execute the attack. Because the context depends on several factors and varies between receiver devices, the threat vector is limited to targeted attacks. Furthermore, in the case of a targeted attack, it is difficult for an attacker to model and accurately reproduce the receiver context in order to carry out a substantial attack.

[0009] Where used herein, a threat anomaly (also referred to herein as “anomaly”) means a data communications anomaly that indicates an attack threat or attack attempt that adversely affects, or may adversely affect, the data integrity of satellite signals broadcast to and received by a receiver device. Embodiments herein utilize receiver-centered contextual considerations in assessing the presence of a threat anomaly. Receiver devices or modules referred herein are configured to receive satellite communications and navigation signals. In some embodiments, the system detects a threat anomaly in a given area by placing a fixed receiver in a fixed location close to critical infrastructure that relies on GNSS. One or more embodiments described herein may be implemented using program modules, engines, or components. A program module, engine, or component may include a program, a subroutine, a part of a program, or a software or hardware component capable of performing one or more of the described tasks or functions. Where used herein, a module or component may reside on a hardware component independently of other modules or components. Alternatively, a module or component may be a shared element or process of other modules, programs, or machines.

[0010] Some embodiments described herein may generally require a computing device including processing and memory resources. For example, one or more embodiments described herein may be implemented in whole or in part on a computing device such as a server, desktop computer, mobile phone or smartphone, tablet, wearable electronic device, laptop computer, printer, digital picture frame, network equipment (e.g., router), and tablet device. Memory, processing, and network resources may all be used in connection with the establishment, use, or execution of any embodiment described herein (including the execution of any method or the implementation of any system).

[0011] Furthermore, one or more embodiments described herein may be implemented through the use of instructions executable by one or more processors. These instructions may be executed on a computer-readable medium. The machines shown and described below with reference to the figures provide processing resources and a computer-readable medium on which instructions for implementing embodiments of the present invention can be carried and / or executed. In particular, many of the machines shown with embodiments of the present invention include a processor(s) and various forms of memory for holding data and instructions. Examples of computer-readable media include persistent memory storage devices such as hard drives on personal computers or servers. Other examples of computer storage media include portable storage units such as CD or DVD units, flash memory (such as those found in smartphones, multifunction devices, or tablets), and magnetic memory. Computers, terminals, and network-enabled devices (such as mobile devices like cell phones) are all examples of machines and devices that utilize processors, memory, and instructions stored on a computer-readable medium. Embodiments may also be implemented in the form of computer programs or computer-usable transport media capable of carrying such programs. System Description

[0012] Figure 1 shows a satellite navigation and communication system 100 relating to one or more examples. A receiver device 101 is communicatively coupled to satellite devices 102a-n and a ground-based transceiver or transmission tower 104. Embodiments implemented for stationary satellite receivers may be based on a mobile device as the receiver device 101, which incorporates a threat anomaly detection module 105 that models the receiver's environmental context over time. Based on this, the threat anomaly detection module 105 can detect threat anomalies and issue alerts in areas such as ports with incoming ship traffic and congested airports. The solutions herein may also be implemented for dynamic systems with a mobile receiver device 101, in which case an initial model of the receiver context may be created using a training harness such as a drone or vessel that moves slowly in advance in a finite space encompassing a set of expected trajectories for the dynamic system.

[0013] To illustrate the complexity of context, consider a sample environment for a mobile device-based satellite navigation and communications receiver 101. In this example, the receiver may be affected by obstacles and multipath effects from buildings 103a, trees 103b, or airborne objects 103. The receiver may also be affected by unintentional radio interference from aircraft or base station towers. A truck 103d using a personal privacy device (PPD) to jam its own GNSS receiver may, in some cases, interfere with the mobile receiver. Ground surfaces near the receiver may have certain radio frequency (RF) reflectivity properties that affect the reception and integrity of incoming signals. This is an example of an exemplary and limited viewpoint of objects present in the receiver environment that directly affect the context perceived by the receiver. Physical phenomena related to the satellite signal characteristics measured for the receiver device also affect the receiver's environmental perception. The receiver context referred to herein includes not only physical parameters but also other factors, including major surrounding socioeconomic factors such as congested days with multiple vehicles in the vicinity, high-security events taking place nearby, and strikers and protesters with amateur radio equipment. All of these factors affect the local RF environment and influence the receiver device 101's environmental perception, i.e., the context referred to herein.

[0014] Figure 2 shows an example architecture of a computer system 200 for threat anomaly detection in a satellite navigation and communication system. The computer system 200 may be implemented, for example, in a server or a server group, or may be present in the receiver device 101. In one implementation, the computer system 200 includes a processor resource 201, a memory resource 202 (such as a read-only memory (ROM) or a random access memory (RAM)), and a communication interface 207 communicatively coupled within the satellite navigation and communication system 100. The communication interface 207 enables the computer system 200 to communicate with one or more user computing devices via one or more networks (such as a cellular network). The memory resource 202 may include instructions that configure a threat anomaly detection module 105 executable within the processor 201. The memory resource 202 may also be used to store temporary variables or other intermediate information during the execution of program instructions by the processor 201.

[0015] The computer system 200 may also include a display screen 203 and an input mechanism 204. As will be described in various examples, the processor 201 can detect and process any number of sensor inputs from the input sensor device 205. By way of example, such sensor inputs can include, but are not necessarily limited to, physical parameter measurements related to the timing of signals received from satellite navigation services, orbital dynamics of one or more satellites of the satellite navigation service with respect to the characteristics of the propagated signals, RF signal characteristics related to satellite geospatial parameters, carrier-to-noise ratios related to satellite elevation angles with respect to the receiver device 101, obstacles and signal propagation effects observed across a frequency band, and various sensor devices that provide obstacles and signal propagation effects observed in relation to satellite geospatial parameters.

[0016] In addition to the physical phenomena and physical parameters sensed by the sensor device 205, the system 200 can consume various types of inputs representing contexts such as, for example, socio-economic factors. For example, the system can be connected to a live calendar application or similar current event application data 206 indicating whether a high-traffic event is occurring in the surrounding environment of the receiver device. This can be a useful indicator of context because congested days may suggest a noisy RF environment.

[0017] Thus, the examples described herein are related to the use of the computer system 200 for implementing the techniques described herein. According to an aspect, the techniques are performed by the computer system 200 in response to a processor 201 executing one or more sequences of one or more instructions included in the memory 202. Such instructions can be read into the memory 202 from another machine-readable medium. Execution of the instruction sequences included in the memory 202 causes the processor 201 to perform the process steps described herein, including the process steps of the embodiments described herein in conjunction with the embodiments illustrated in FIGS. 3-7. In an alternative implementation, instead of software instructions or in combination with software instructions, hardwired circuitry can be used to implement the examples described herein. Accordingly, the described examples are not limited to a particular combination of hardware circuitry and software.

[0018] Figure 3 shows an example of System 300 for threat anomaly detection in satellite navigation and communication systems, based on a context-aware adaptive approach to anomaly detection that captures the complex and evolving nature of the receiver device environment. The system shown in the embodiment of Figure 3 can utilize hybrid machine learning and context-based models for the set of sensor data. The system models health by considering not only the sensor data but also a set of expected values ​​that represent the context. The system is highly flexible and can take any number of sensor data across different sensors. The more sensor inputs there are, the more accurately the context can be modeled. The use of context-based models makes the system context-aware, and the use of machine learning provides adaptability, so that it is intended to capture any complex and evolving nature of the receiver environment and provides robustness against the sophistication of evolving attackers.

[0019] System 300 provides an overview of a context-aware threat anomaly detection process, where various sensor inputs are provided by different sensor devices 205 that measure physical phenomena related to a receiver device within a satellite navigation and communication system 100. Sensors may include, but are not limited to, a Global Navigation Satellite System (GNSS) 301, an IMU 302, Bluetooth 304, and Wi-Fi, cellular communication, temperature, ambient pressure, and humidity, and other input sources may be used to capture context related to the receiver device 101. Sensor inputs 305 are consumed by a context-based model 304, according to Figure 3, to extract a set of features representing the receiver device context. Both sensor inputs and context-based features are provided as inputs to a machine learning model 306, which uses these two input groups to learn the context perceived by the receiver and to determine when the behavior deviates from the learned context. In embodiments, deviations from the learned context may be expressed as a confidence index 307 indicating the degree to which the system considers the observed behavior to be not as expected and to constitute a threat anomaly.

[0020] The following is a non-exhaustive list of sensor inputs available for measuring variable parameters shown and used as inputs to anomaly detection processes. While presented as physical phenomena, the system can consume various types of inputs that express context, such as socioeconomic factors. For example, the system could be connected to a live calendar application indicating whether traffic-heavy events are occurring around the receiver device. This could be useful, as congested days may suggest a noisy RF environment. [Table 1]

[0021] For example, context-based models can extract feature sets based on various different phenomena using a single variable or multivariate measurements using two or more related variables within the same input group or across different groups. Here, the context is implicitly described by the expected deviation of the set of measurements from a physics-based model. If the apparent deviation is within the expected range, the behavior follows the context; if the apparent deviation is outside the expected range, the behavior includes an external source of error not explained by the context. Examples of how such variables can be related include, but are not limited to, the following:

[0022] Correlation between timing information and signal characteristics: For example, the rate of change across pseudodistance and carrier phase is compared. Deviations between these measurements may indicate cycle slip, signal interference, or other anomalies in satellite communication signals.

[0023] Correlation between signal characteristics and orbital dynamics: For example, the observed Doppler shift for a satellite is compared with its expected value based on the satellite's relative motion.

[0024] Correlation between RF characteristics and geospatial parameters: The carrier-to-noise ratio is compared with the satellite elevation angle relative to the receiver.

[0025] Correlating obstacles and propagation effects across frequency bands; comparing the incidence of cycle slips across frequency bands for the same satellite.

[0026] Correlation between obstacles and propagation effects and geospatial parameters: To look for discrepancies based on potential obstacles or changes in the local environment / receiver device, the effects of multipath effects across different satellites are compared, taking geospatial parameters into consideration.

[0027] In this example, context can be implicitly measured through a physical parameter-based approach. Several physical parameters may be used to measure the context related to satellite navigation anomaly detection. However, it is considered that the term context as used herein encompasses a broader definition and a wide range of variables, including physical variables. Measuring whether a given day is a congested day, knowing whether a high-security event is taking place nearby, socioeconomic factors, business requirements, political events, and strikes are all examples of context. There are also multiple ways to model context; for example, context can be explicitly modeled by using context variables as conditional variables to model the probability distribution of a measured variable, or by using time as a conditional variable to model the probability distribution of a carrier-to-noise ratio as a measured variable.

[0028] In some embodiments, an anomaly detection method may be implemented to provide not only a confidence index of the presence of an anomaly, but also an explanation of why it constitutes a threat anomaly. Using statistical methods with dynamically generated thresholds and weights, the scored confidence index may be explained through the relative contribution (with respect to low, medium, or high deviations) of each input to the model to learned thresholds and weights that represent the context of the model.

[0029] This system can be implemented for fixed receivers in a fixed location using mobile devices, and it models the environmental context over time. Based on this, the system can detect anomalies and issue alarms in areas such as ports with incoming ship traffic or congested airports. It may also be implemented for dynamic systems with mobile receivers, in which case the initial model of the context can be created using a training harness, such as a drone or ship, that moves slowly in advance within a finite space encompassing the expected trajectory set of the dynamic system.

[0030] Figure 4 shows an implementation of threat anomaly detection within a satellite navigation and communication system 100 in an embodiment example 400. In the embodiment, physical parameter-based modeling provides a source for defining the receiver device context, as several different physical concepts are applied to the sensor inputs collected by the receiver device. The physical parameters may be applied later to model and learn the receiver context and used to build a set of expected values ​​to which inputs can be tested. In the embodiment, the anomaly detection system shown in Figure 4 is designed to identify and characterize satellite signal interference within a designated area. In the embodiment, threat anomalies are detected by positioning fixed receiver devices in a fixed location near critical infrastructure that relies on satellite navigation and communication. Based on the findings of the anomaly detection system, appropriate measures can be taken to mitigate the impact of communication signal interference on the surrounding infrastructure, depending on its accuracy and repeatability.

[0031] In the embodiment shown in Figure 4, the system includes a satellite receiver device at a fixed position 401 that collects raw satellite communication signal data 402 and other sensor data described herein. The data acquired from the device is then preprocessed, and both physical parameter-based modeling (as a context-based model) and basic feature extraction approaches are applied to generate two feature sets 403, 404. These features are then consumed by an anomaly detection module that learns the specific context of the receiver device 101 using a machine learning model 405 and adapts over time to detect anomalies. In addition to threat anomaly detection, a separate interconnected module 407 may be used to classify detected anomalies and assign severity levels. Furthermore, the machine learning model 407 may be configured to be available to provide model-based explanations 408 regarding the generated inferences. These include generating a confidence index 406 indicating the presence of anomalies, anomaly classifications, and explanations that conform to assigned classes and severity levels 407.

[0032] Receiver device and data source. In an example implementation, the receiver device 401 may be a Google Pixel 7 equipped with a dual-band GNSS receiver. However, other Android devices equipped with satellite navigation and communications receivers may be deployed, along with an Android version that supports the collection of raw GNSS data using the android.location library. Furthermore, other mobile devices and operating systems, including iOS devices that support the collection of raw sensor data, may also be deployed. The data is acquired via an Android app that runs continuously on the device. The app accesses the raw GNSS data using the android.location library. Access to this data requires that location permissions, which allow the app to access location data, be enabled. In embodiments, the app can be used to acquire the data and send it to a remote server for further processing, or this can be done directly on the receiver device. In certain implementations described herein, all processing is performed directly on the receiver device via the app.

[0033] Regarding the reprocessing of raw GNSS data 402, the majority of the data processing is specific to the formulas relating to each extracted feature. Certain GNSS observations are expressed in different formats or are not provided natively via the android.location API. This can also apply to variables between different sensor inputs that may be obtained in different implementation forms.

[0034] In this implementation, this primarily applies to pseudodistances not natively provided via the android.location API. However, other variables are provided via the API and can be used later to calculate the pseudodistance. This is done by obtaining the local time reported by the receiver clock and the transmission time assigned by the satellite clock, adjusting for time-related biases, and calculating the transmission time, which is the time it takes for the message to be received by the receiver. This transmission time can then be multiplied by the speed of light to determine the pseudodistance.

[0035] In this embodiment, parameter-based feature extraction may be based on the following features:

[0036] The interval between consecutive transmissions. This feature is based on classical physics surrounding atomic clocks, which generate highly accurate and stable time standards based on the vibrations of atoms such as cesium or rubidium. The error in the delay between two consecutive transmissions is limited by the physical properties of the atomic clock and the assumed functions of the satellite hardware. A related feature is the difference in the receiving satellite vehicle time between two consecutive transmissions, and its formula can be expressed as follows: ΔReceived SV Time=Received SV Time t -Received SV Time t-1 Consecutive Transmission Discrepancy=ΔReceived SV Time

[0037] While it is generally assumed that this feature converges to 1, it may deviate and the error may fluctuate depending on clock bias or drift factors. These contextual factors include receiver position, satellite position, and timing. This context is captured by a machine learning model, and Consecutive Transmission Discrepancy represents satellite-level features that can be calculated for each satellite in a given satellite navigation and communication network. Carrier code consistency. GNSS receivers have two sources for distance measurements: one is the pseudo-distance and the other is the cumulative delta distance.

[0038] The calculation of pseudodistance involves the principles of classical physics, particularly the concepts of distance, time, and the speed of light. Pseudodistance is an estimated distance between a GNSS satellite and a receiver. It is calculated by multiplying the time it takes for the signal to travel from the satellite to the receiver by the speed of light. Since the signal transmission time is affected by factors such as satellite clock bias, receiver clock bias, and atmospheric delay, pseudodistance is called "pseudo" because it is an approximation of the true distance.

[0039] The calculation of cumulative delta distance (ADR) is based on carrier phase measurement, which utilizes the principles of wave physics. Carrier phase measurement tracks the continuous phase of the GNSS signal as it travels from the satellite to the receiver. By counting all cycles and measuring the fractional part of the last cycle, the receiver can estimate the change in distance between the satellite and the receiver over time. This change in distance, i.e., the cumulative delta distance, is a more accurate measurement than the pseudo-distance because it is less affected by noise and other factors that influence the signal. However, continuous tracking of the carrier wave is necessary to maintain its accuracy.

[0040] Under normal conditions, both pseudo-distance and ADR are expected to change over time, accompanied by some context-based error. The consistency of this change can be measured using the following formula. Carrier Code Discrepancy =ΔADR-ΔPseudorange Carrier code discrepancy is a satellite-level characteristic and can be calculated for each satellite.

[0041] Consistency of carrier distance variation. This feature is based on the principles of kinematics and signal propagation. The motion of the satellite relative to a fixed receiver, as well as the time required for the signal to travel between them, are important factors in determining the expected variation in carrier-based distance measurements. Measured carrier-based distances are expected to follow expected behavior, with some degree of error.

[0042] Errors may be related to atmospheric effects such as ionospheric and tropospheric delays that affect signal propagation, and relativistic effects arising from the motion of satellites in the Earth's gravitational field must also be considered. All of these can be tied to the receiver's specific context with respect to the receiver's position, time, and other factors. The difference can be measured using the following formula.

number

number

[0043] The pseudo-distance rate represents the speed of the satellite vehicle and is the first derivative with respect to the ADR. The expected ADR is based on a first-order Taylor approximation. The difference is partly related to estimation error and partly implicitly captures the receiver context. Deviations from the context may indicate anomalies. ADR Discrepancy is a satellite-level feature. This feature can be calculated for each satellite.

[0044] Relative motion consistency. This determines how much a GNSS satellite moves relative to a receiver on Earth, based on satellite orbital dynamics and the Doppler effect. This feature checks whether the observed elevation change and Doppler effect are consistent with the expected satellite motion. Sign agreement indicates that the relative motion between the satellite and the receiver is consistent with the underlying physics. This is measured using the following formula, which is called the Pseudo-Distance Rate Elevation Consistency Index or PECI. ΔElevation × Pseudorange Rate ≥ 0, then PECI = 1 If ΔElevation × Pseudorange Rate < 0, then PECI = 0

[0045] This represents a robust consistency check and can be extended to contextualizing or more accurate modeling of physics based on relative motion consistency. This can be done by converting the pseudo-distance rate to a Doppler shift, determining the expected elevation angle change using the Doppler shift along with the distance measurement, and comparing it to the measured elevation angle change, which is expected to have some error that captures the underlying context.

[0046] PECI is a satellite-level feature. This feature can be calculated for each satellite.

[0047] Geospatial propagation (or obstacle)-based LOS modeling. The physics underlying the satellite position-related influence on GNSS observations is based on the principles of electromagnetic wave propagation through the atmosphere and the interaction between satellite signals and the Earth's topography around the receiver. Using propagation and obstacle effects observed by the receiver based on dispersed satellites and their relative positions, the receiver's environment or line of sight can be implicitly modeled. This can be done in two ways. One is to measure multipath effects, acquire satellite signals, and compare the observed multipath effects with those of other satellites, using the following equation.

number

[0048] Here, MI is the multipath index. Position provides a 3D unit vector of the satellite's position relative to the receiver based on azimuth and elevation. This allows for comparing deviations in measurements between several satellites and applying a weighted sum based on how close the satellites are. It is expected that satellites closer to each other will have similar lines of sight and therefore exhibit similar propagation effects as measured by the multipath index.

[0049] The same applies to obstacle effects, and a different equation is used to model them.

number

[0050] Implicit LOS Propagation Consistency and Implicit LOS Obstruction Consistency are both satellite-level features calculated for each satellite.

[0051] Here, with respect to basic feature extraction 404, in an embodiment based on mean frequency domain RF characteristics, for example, several sensor inputs may be supplied directly to the system with or without significant preprocessing. In this implementation example, only a set of features based on calculating the average of RF characteristics in a frequency band across several satellites is included.

[0052] For example, the mean carrier-to-noise ratio can be measured over a given time across several signals from different satellites in a frequency band such as GPS L1 or GAL E1. This provides some indicator of the level of noise in the receiver environment.

number

[0053] For example, gain measurement values can also be used to monitor and measure the degree of environmental noise in a specific frequency band such as GPS L1 or GAL E1. When an unknown strong source appears, it will become clear by monitoring the change in the indicator AGC t in it.

[0054] Both Average C / NO and AGC are characteristics of the RF level. These characteristics can be calculated for each RF input. For example, GPS L1 and GAL e5 are examples of RF inputs. They are associated with specific frequency bands in which signals from different satellites across different satellite groups operate.

[0055] FIG. 5 shows an implementation of a system for threat anomaly detection in a satellite navigation and communication system 100 based on an additional receiver device context-based feature extraction method that covers a broader context defined beyond the physical parameter-based modeling techniques described herein in Embodiment Example 500. In particular, additional methods to which different types of context-based modeling can be applied may include the following.

[0056] Seasonal effects. Based on time, day of the week, or time of year, different levels of traffic volume may exist, such as the traffic volume of nearby vehicles or pedestrians. Traffic volume in a broad sense can affect the RF environment. A large number of people and the accompanying infrastructure suggest a large number of devices and may mean a noisy RF environment. Socioeconomic factors, such as a five-day workweek or an eight-hour workday pattern, can affect the RF environment. As one method, these effects can be captured by modeling noise based on time and applying a vector representing time in a continuous format.

Number

[0057] Here, time t is given in seconds, and the time vector is a unit vector representing the time. Next, we define k points around the unit sphere, and the range of possible values ​​is determined as follows:

number

[0058] For each point, the time context TimeVec t The mean and standard deviation of a given measured variable x. i and sd i These are calculated. These can be updated using the following formulas.

number

number

[0059] The renewal criteria are:

number

[0060] This is a time context TimeVec t It can be used to create a model of the measured variable x related to [the condition].

[0061] Using this, we then calculate a difference index called ToD Noise Inconsistency, which is used to assume a mean carrier-to-noise ratio.

number

[0062] This allows us to calculate a weighted sum of z-scores using a trained Gaussian distribution over defined points. Based on this, we can measure how much the mean carrier-to-noise ratio at time t deviates from the time-based expectation.

[0063] This could be extended to the use of a live calendar that provides a "congestion coefficient" between 0 and 1 to indicate how congested the environment is expected to be based on the occurrence of any high-traffic event. t It is necessary to replace this with a scalar that measures the "degree of congestion" which can represent Busy, and at this point Point becomes a scalar between 0 and 1, which can be calculated by the following formula.

number

[0064] Next, the previous equation is,

number

number

[0065] Here, with respect to the machine learning model 405 applied to the threat anomaly detection module 105, a moving average and standard deviation are assigned to each feature supplied to the machine learning model. These are initialized to a set of nominal values ​​based on statistically observed phenomena. The moving average and standard deviation can then be used to calculate the probability measure that the observation point belongs to a distribution. The observation point itself is used to update the moving average and standard deviation. The probability measure of each feature is multiplied by a relative weight that is uniformly initialized, and the value obtained by subtracting the weighted sum from 1 is used as the confidence score for the presence of an anomaly. A confidence score near 1 indicates a high probability of an anomaly, and a score near 0 indicates a low probability of an anomaly. The relative weights of the features are then updated based on the probability here. This updating of the moving average and standard deviation, as well as the relative weights, allows the model to adapt to the acquired sensor input. These values ​​are then updated over time as the model adapts to the acquired sensor input.

[0066] In embodiments relating to model initialization, training, and inference, the processes for model initialization, training, and inference are considered as follows. Start with model initialization: 1. Assign a moving average and standard deviation to each feature across the physical model-based features and the set of basic features. a. These include a total of six features per satellite and two features per RF input. b. Moving averages and standard deviations are set based on general observed phenomena. c. The initial values ​​are highly flexible and can vary widely. The model ultimately adjusts for bias and variance as it adapts to the specific context of the receiver. 2. Assign relative weights to each feature across the physical model-based features and the basic feature set. a. These include a total of six features per satellite and two features per RF input. b. Therefore, the weights of each feature across the two sets are 1 / 6 and 1 / 2, respectively. About model learning: 1. Calculate the measured values ​​for each feature across the physical model-based features and the basic feature set. Use these to update the moving average and standard deviation. a. These include a total of six features per satellite and two features per RF input. b. For each feature, update the moving average using the following formula.

number

number

number

number

number

number

number

number

number

[0067] Here, w k,t-1 represents the weight of feature k in the previous time step, and p k,t is the current probability measure calculated for feature k. Finally, β=1 represents the update coefficient for the relative weights based on K time steps, which is assumed to be greater than T, which was used to update the moving average and standard deviation. However, the weights of features with fixed weights are not included in the above sum. Note that the model weights are updated only if it is determined that no anomalies have occurred at time t. The criteria for what constitutes an anomaly are explained in model inference as follows:

[0068] Regarding model inference: 1. Calculate the confidence score for an anomaly based on a weighted sum of probability measures for each feature of all satellites and RF sources.

number

number

[0069] Next, regarding the explainability of the model according to model-based explanation 407, model-based explainability can be generated for the score using the following approach. 1.w k,t (1-p k,t Each feature of the satellite source or RF input is ranked based on a weighted probability. 2. For each ranked feature, generate the following statement: [Feature's generic name] is [w in the receiver context] k,t ·100% explains. This measures a high level of explanation of what is being measured. Its apparent value [xt] [appropriate unit] is the usual value [

number

[0070] For these explainability messages, more specific or customized messages can be created depending on the features. Furthermore, the deviations and dependencies of features can be explained using a comprehensive classification of threat anomalies, such as low, medium, and high. methodology

[0071] Figure 6 shows an example method 600 of an embodiment of threat anomaly detection in satellite navigation and communication systems. Method 600 may be performed by one or more computing devices and / or processes. In embodiments, the technique of Method 600 proceeds in relation to the devices, systems, and techniques described herein with reference to Figures 1-7.

[0072] In block 610, the receiver device 101 receives data transmitted from the satellite navigation network 100. In some embodiments, the receiver device may be, for example, a mobile phone, a manned vehicle, an unmanned vehicle, a ground vehicle, a sea vehicle, and an aircraft. In some embodiments, the computing system 200 may be incorporated into or located in one of the ground base stations that are communicably connected to the receiver device 101 and / or the satellite navigation network 100.

[0073] In block 620, context data related to the receiver device is determined. In embodiments, the context data is broadly defined according to both (i) a real-time assessment of one or more incidental socioeconomic factors likely to influence radio frequency (RF) noise factors related to the local area encompassing the receiver device, and (ii) a set of physical parameter measurements relating to both timing anomalies in the signal received from the satellite navigation service, the orbital dynamics of one or more satellites of the satellite navigation service with respect to the characteristics of the propagated signal, RF signal characteristics related to satellite geospatial parameters, carrier-to-noise ratio related to the satellite elevation angle to the receiver device, observed obstacle and signal propagation effects across the frequency band, and one or more observed obstacle and signal propagation effects related to satellite geospatial parameters.

[0074] In block 630, based at least in part on the determined context data and the transmitted data from the satellite received by the receiver device, it is detected that the received data transmitted from the satellite navigation network constitutes a threat anomaly.

[0075] Figure 7 shows a method for detecting threat anomalies in a satellite navigation and communication system in an embodiment 700. In this embodiment, method 700 may be performed in conjunction with any method steps described herein, such as the technique of method 600 shown in the embodiment of Figure 6.

[0076] In block 710, a confidence index is generated indicating the degree of deviation from expected behavior, and a threat anomaly is detected depending on whether the confidence index is above or below a cutoff threshold confidence index.

[0077] In block 720, a threat anomaly classification and at least one severity assigned to the threat anomaly are generated. In some embodiments, a trained machine learning model, trained according to the description herein relating to Figures 3-5, generates the threat anomaly classification and the severity assigned to the threat anomaly.

[0078] In block 730, the trained machine learning model further generates a model-based description related to the classification of the threat anomaly and at least one of the severity levels assigned to the threat anomaly, according to a confidence index.

[0079] In block 740, in response to the detection of a threat anomaly, a threat anomaly remediation measure is activated, which includes generating alerts to a set of receiver devices and a set of computing devices within the spatial domain encompassed by the satellite navigation network 100.

[0080] In embodiments, the anomaly detection system may be extended to include components for learning patterns of false positives. Detected anomalies may be flagged as false positives. One way to do this is to employ a human-guided approach where an analyst monitoring the anomalies can review the underlying data to determine the occurrence of false positives. The components then learn patterns of false positives over time and are used as an additional check to determine whether an anomaly exists. This functions as a “warning suppression” feature to reduce the occurrence of false positives over time.

[0081] In related variations, the system can be extended to include components for learning patterns of flexibly defined classes, similar to how false positive patterns are learned. Examples of anomalies can be flagged with custom-defined tags representing flexibly defined classes. This can be done using a human-guided approach similar to that used for learning false positive patterns. Over time, the system learns patterns of different anomaly classes and automatically classifies them into one or the other. conclusion

[0082] While embodiments are described in detail herein with reference to the accompanying drawings, it should be understood that the concept is not limited to these literal embodiments. Therefore, the scope of the concept is intended to be defined by the following claims and their equivalents. Furthermore, certain features described individually or as part of an embodiment may be combined with other features or parts thereof described individually in other examples, even if those other features and examples do not refer to those particular features. Therefore, the absence of a description of such combinations does not preclude any right to such combinations.

Claims

1. A method performed in a computing system, which is implemented by one or more processors of the computing system, In a receiver device, receiving data transmitted from a satellite navigation network, Determining context data related to the receiver device, Based at least in part on the determined context data and the data transmitted from the satellite received by the receiver device, it is possible to detect that the received data transmitted from the satellite navigation network constitutes a threat anomaly. A method for providing this.

2. The method according to claim 1, wherein the receiver device comprises at least one of a mobile phone, a manned vehicle, an unmanned vehicle, a ground vehicle, a sea vehicle, and an aircraft.

3. The method according to claim 1, wherein the computing system is incorporated into or located in the same location as the receiver device and / or one of the ground base stations that are communicatively connected to the satellite navigation network.

4. The method according to claim 1, wherein determining the context data related to the receiver device includes a real-time assessment of one or more incidental socioeconomic factors that are likely to influence radio frequency (RF) noise factors related to a local area encompassing the receiver device.

5. The method according to claim 1, wherein determining the context data relating to the receiver device includes a set of physical parameter measurements relating to at least one of the following: timing anomalies of the signal received from the satellite navigation service, orbital dynamics of one or more satellites of the satellite navigation service with respect to the characteristics of the propagated signal, RF signal characteristics relating to satellite geospatial parameters, carrier-to-noise ratio relating to satellite elevation angle to the receiver device, obstacle and signal propagation effects observed across frequency bands, and obstacle and signal propagation effects observed in relation to satellite geospatial parameters.

6. Detecting the aforementioned threat anomaly means The method involves generating a confidence index indicating the presence of a threat anomaly, wherein the confidence index represents the degree of deviation from expected behavior. The threat anomaly is detected according to whether the confidence index is above or below the cutoff threshold confidence index. The method according to claim 1, comprising:

7. The method according to claim 6, further comprising generating a classification of the threat anomaly and at least one of the severity levels assigned to the threat anomaly.

8. The method according to claim 7, wherein a trained machine learning model generates the classification of the threat anomaly and the severity assigned to the threat anomaly.

9. The method according to claim 8, wherein the trained machine learning model further generates a model-based description relating to the classification of the threat anomaly and the severity assigned to the threat anomaly according to a confidence index.

10. The method according to claim 7, further comprising initiating a threat anomaly remediation measure in response to detecting the threat anomaly, the threat anomaly remediation measure including generating an alert to one or more devices that a cyberattack may be underway, the one or more devices including at least one of a set of receiver devices and a set of computing devices in at least a portion of the spatial domain encompassed by the satellite navigation network.

11. One or more processors, Memory to store the instruction set and The instruction set, when executed on the one or more processors, is configured to be used by the one or more processors. In a receiver device, receiving data transmitted from a satellite navigation network, Determining context data related to the receiver device, Based at least in part on the determined context data and the data transmitted from the satellite received by the receiver device, it is possible to detect that the received data transmitted from the satellite navigation network constitutes a threat anomaly. A computing system that performs operations including those mentioned above.

12. The computing system according to claim 11, wherein the receiver device comprises at least one of a mobile phone, a manned vehicle, an unmanned vehicle, a ground vehicle, a sea vehicle, and an aircraft.

13. The computing system according to claim 11, wherein the computing system is incorporated into or located at the same location as the receiver device and / or one of the ground base stations that are communicatively connected to the satellite navigation network.

14. The computing system according to claim 11, wherein determining the context data related to the receiver device includes a real-time assessment of one or more incidental socioeconomic factors that are likely to influence radio frequency (RF) noise factors related to a local area encompassing the receiver device.

15. The computing system according to claim 11, wherein determining the context data related to the receiver device includes a set of physical parameter measurements relating to at least one of the following: timing anomalies of signals received from a satellite navigation service, orbital dynamics of one or more satellites of the satellite navigation service with respect to the characteristics of the propagated signal, RF signal characteristics relating to satellite geospatial parameters, carrier-to-noise ratio relating to satellite elevation angle to the receiver device, obstacle and signal propagation effects observed across frequency bands, and obstacle and signal propagation effects observed in relation to satellite geospatial parameters.

16. Detecting the aforementioned threat anomaly means The method involves generating a confidence index indicating the presence of a threat anomaly, wherein the confidence index represents the degree of deviation from expected behavior. The threat anomaly is detected according to whether the confidence index is above or below the cutoff threshold confidence index. The computing system according to claim 1, comprising instructions executable by one or more processors that cause an operation including the following:

17. The computing system according to claim 16, further comprising instructions executable by the one or more processors for causing an operation that includes classifying the threat anomaly and generating at least one of the severity levels assigned to the threat anomaly.

18. The computing system according to claim 17, wherein a trained machine learning model generates at least one of the classification of the threat anomaly and the severity assigned to the threat anomaly.

19. The computing system according to claim 18, wherein the trained machine learning model further generates a model-based description relating to the classification of the threat anomaly and the severity assigned to the threat anomaly according to a confidence index.

20. When executed by one or more processors of a computing device, the one or more processors: In a receiver device, receiving data transmitted from a satellite navigation network, Determining context data related to the receiver device, Based at least in part on the determined context data and the data transmitted from the satellite received by the receiver device, it is possible to detect that the received data transmitted from the satellite navigation network constitutes a threat anomaly. A non-temporary computer-readable medium that stores instructions for performing an action that includes the following.