Wide-Area GNSS Spoofing and Jamming Detection Using AIS-Derived Spatiotemporal Integrity Monitoring

This paper proposes a three-stage framework that filters communication-layer defects from AIS data to reliably detect and classify wide-area GNSS spoofing and jamming events, achieving a 98.6% reduction in false alarms compared to naive clustering methods.

The Gist

Imagine the ocean is a giant, busy highway, and every ship is a car equipped with a GPS and a radio. The radio (called AIS) constantly shouts out the ship's location, speed, and direction so everyone else can see them on a map. This system is crucial for safety.

However, there's a problem: the GPS signal can be tricked (spoofed) or blocked (jammed) by bad actors, making ships think they are somewhere they aren't, or stopping them from reporting their location entirely.

The problem is, the radio system itself is messy. Sometimes ships shout the same ID number by mistake, or the radio repeats old messages with the wrong time stamp. These "radio glitches" look exactly like GPS tricks on a map, causing a lot of false alarms.

This paper introduces a smart detective system that filters out the radio noise to find the real GPS attacks. Here is how it works, using simple analogies:

1. The "Noise Filter" (Cleaning the Radio)

Before looking for attacks, the system first cleans up the radio chatter.

• The "Twin ID" Glitch: Imagine two different cars accidentally using the same license plate number. On a map, it looks like one car instantly teleported from New York to London. The system spots this "impossible jump" and realizes, "Ah, this isn't a teleportation; it's just two ships sharing a wrong ID." It throws this data away.
• The "Echo Chamber" Glitch: Sometimes, a radio repeats an old message with a new time stamp. It's like a bad echo where you hear someone say "Hello" from 10 seconds ago, but the clock says "Now." This makes the ship look like it's moving backward. The system spots these "time-traveling" echoes and deletes them.

2. The "Bodyguard" (Checking the Ship's Movement)

Once the radio noise is gone, the system watches how the ships move. It uses a smart bodyguard (called an IMM filter) that knows the laws of physics.

• The "Impossible Turn": If a massive cargo ship suddenly turns 90 degrees in a split second or accelerates like a rocket, the bodyguard raises a red flag.
• The "Silent Car": If a ship suddenly stops sending messages for a long time (when it should be talking), the bodyguard notes it as a "silence anomaly."

3. The "Crowd Detective" (The Final Verdict)

This is the most clever part. The system asks: "Is this happening to just one ship, or to the whole neighborhood?"

• Scenario A: The "Sick Ship" (Sensor Fault)
  If one ship is acting weird (jumping around or going silent) while all its neighbors are driving normally, the system says, "That's just that ship's GPS broken." It's like one person in a crowd stumbling; the crowd isn't tripping, just that one person. The system ignores this as a local error.

• Scenario B: The "Magic Carpet" (Spoofing)
  If ten ships in the same area suddenly all jump 50 miles to a fake location at the exact same time, the system screams, "This is a Spoofing Attack!" It's like a magician making a whole group of people vanish and reappear in a different spot. Since they all moved together, it must be an external force messing with their GPS.

• Scenario C: The "Blackout" (Jamming)
  If ten ships in the same area all suddenly go silent at the exact same time, the system says, "This is a Jamming Attack!" It's like someone turned off the lights in a whole room. Since they all went dark together, it's not a broken bulb; it's a power outage caused by an attacker.

Why This Matters

In the past, researchers looked at the data and saw thousands of "weird events," but most were just radio glitches or broken ship sensors. This new system acts like a high-tech sieve:

1. It catches the "radio glitches" (MMSI duplicates, time delays).
2. It catches the "broken sensors" (single ships acting weird).
3. It only keeps the "real attacks" (groups of ships acting weird together).

The Result:
When they tested this on nearly 1 billion messages from Korean waters, they found that the old methods were screaming "Attack!" 98.6% of the time when there was no attack at all. This new system cleaned up that noise, finding only the real attacks (17 spoofing events and 343 jamming events) and ignoring the rest.

In short: This paper teaches us how to stop confusing a broken radio with a terrorist attack, ensuring that when we see a group of ships acting strangely, we know it's a real threat and not just a glitch.

Technical Summary

Here is a detailed technical summary of the paper "Wide-Area GNSS Spoofing and Jamming Detection Using AIS-Derived Spatiotemporal Integrity Monitoring."

1. Problem Statement

Global Navigation Satellite System (GNSS) spoofing and jamming pose severe threats to maritime safety by corrupting vessel positioning data broadcast via the Automatic Identification System (AIS). While AIS is a cornerstone of maritime situational awareness, its reliance on unencrypted GNSS signals makes it vulnerable.

Existing AIS-based anomaly detection methods face two critical challenges:

1. High False Alarm Rates: AIS data contains numerous "communication-layer artifacts" (e.g., MMSI duplication, timestamp-delayed retransmissions, stale data) that mimic GNSS interference but originate from transmission errors rather than navigation sensor degradation.
2. Lack of Multi-Vessel Coherence: Many current methods analyze vessels independently. They fail to distinguish between isolated sensor faults and wide-area GNSS interference, which is characterized by coordinated anomalies across multiple vessels within a specific spatiotemporal region.
3. Jamming Blindness: Traditional trajectory-based methods often fail to detect GNSS jamming, which manifests as a complete absence of valid position reports (outages) rather than distorted trajectories.

2. Methodology

The authors propose a three-stage hierarchical framework designed to filter out non-interference artifacts before identifying genuine GNSS interference. The pipeline processes approximately 966 million AIS messages from Korean coastal waters.

Stage 1: Communication-Integrity Diagnostics (Rule-Based Filtering)

Before any kinematic analysis, the system explicitly identifies and removes data artifacts caused by the AIS communication chain:

• MMSI Duplication Detection: Identifies cases where a single Maritime Mobile Service Identity (MMSI) broadcasts from multiple spatially separated locations simultaneously (violating physical motion constraints). These are flagged as identifier misuse rather than spoofing.
• Stale-Data Retransmission Detection: Detects repeated navigation tuples (Latitude, Longitude, SOG, COG) with inconsistent timestamps, indicating buffering or synchronization errors that create artificial backward motion or position jumps.
• Action: Records identified as communication artifacts are discarded immediately to prevent them from polluting subsequent analysis.

Stage 2: Anomaly Cue Generation

The remaining data is processed to generate "anomaly cues" without premature classification. Two types of cues are extracted:

• Kinematic-Consistency Cues: An Interacting Multiple Model (IMM) filter (combining Constant Velocity and Constant Turn Rate models) estimates the expected vessel state. Large residuals between the reported AIS position and the IMM prediction indicate kinematic violations (e.g., impossible acceleration or position jumps).
• Transmission-Continuity Cues: The system analyzes inter-message intervals. Reporting gaps exceeding a dynamic threshold (based on the vessel's median reporting interval and a 60-second floor) are flagged as potential jamming outages.

Stage 3: Spatiotemporal Clustering and Categorization

All preserved anomaly cues are fed into a Spatiotemporal DBSCAN (ST-DBSCAN) algorithm to group anomalies based on spatial proximity ($\epsilon_s = 10$ km) and temporal coherence ($\epsilon_t = 1800$ s).

• Single-Vessel Clusters: Anomalies confined to one vessel are classified as Sensor-Integrity Artifacts (either persistent if long-term, or transient if short-lived).
• Multi-Vessel Clusters: Anomalies shared by multiple vessels within the same spatiotemporal bounds are classified as GNSS Interference.
  • GNSS Spoofing: Identified by coordinated trajectory distortions across multiple vessels.
  • GNSS Jamming: Identified by synchronized reporting outages (absence of data) across multiple vessels.
• Coherence Criteria: To be classified as a wide-area event, a cluster must contain at least 5 distinct MMSIs with at least 60% of them exhibiting anomalous behavior.

3. Key Contributions

1. Explicit Separation of Artifacts: The framework is the first to rigorously separate communication-layer defects (MMSI duplication, stale data) from genuine GNSS interference using rule-based diagnostics before clustering.
2. Unified Detection of Spoofing and Jamming: Unlike prior works that focus only on trajectory distortion, this method simultaneously detects spoofing (distortion) and jamming (outages) by analyzing both kinematic residuals and transmission continuity.
3. Spatiotemporal Coherence Logic: The use of ST-DBSCAN with strict multi-vessel coherence criteria allows the system to distinguish regional interference from isolated sensor faults, significantly reducing false positives.
4. Scalability: The approach operates on raw AIS data without requiring dedicated GNSS monitoring infrastructure, making it suitable for wide-area maritime surveillance.

4. Experimental Results

The framework was tested on 966 million AIS messages from the Korean coastal region (Nov–Dec 2024).

• False Alarm Reduction: The hierarchical filtering reduced false alarms by 98.6% compared to naive clustering approaches.
• Detection Performance:
  • GNSS Spoofing: Detected 17 distinct spoofing clusters (distortion-type).
  • GNSS Jamming: Detected 343 distinct jamming clusters (outage-type).
• Artifact Removal:
  • Communication-integrity diagnostics removed ~1.03% of kinematic cues (MMSI duplication) and ~0.19% of transmission cues (stale data).
  • The majority of initial anomaly candidates were reclassified as single-vessel sensor artifacts or noise.
• Case Studies:
  • MMSI Duplication: Successfully identified a single MMSI appearing in two locations, preventing it from being misclassified as a spoofing event.
  • Sensor Faults: Correctly identified persistent off-trajectory deviations of a single vessel as sensor issues, not regional interference.
  • Real Events: Detected a coordinated spoofing event affecting 11 vessels over 18 km and a double-pulse jamming event affecting 11 vessels with synchronized outages.

5. Significance

This research addresses a critical gap in maritime security by providing a robust, sensor-independent method for detecting GNSS interference.

• Operational Viability: It demonstrates that AIS data, often considered "noisy" and unreliable for high-precision monitoring, can be transformed into a reliable wide-area detection tool through rigorous pre-filtering and spatiotemporal analysis.
• Safety Impact: By accurately distinguishing between benign communication errors and malicious interference, the framework reduces the burden on maritime authorities and enhances situational awareness in congested sea lanes.
• Future Direction: The paper highlights the need for ground-truth validation and suggests integrating AIS with other modalities (e.g., ADS-B, ground stations) to further refine interference characterization.

In conclusion, the proposed framework offers a scalable, interpretable, and highly effective solution for monitoring the integrity of maritime PNT (Positioning, Navigation, and Timing) systems in the absence of dedicated GNSS monitoring infrastructure.