ADVERSARIAL EVALUATION OF ADS-B ANOMALY DETECTORS

You cannot collect a labelled corpus of real ADS-B spoofing, so we make the attacks ourselves. AeroScope injects a documented taxonomy of synthetic attacks into real captured traffic, then measures how reliably each detector recovers them. The output is a set of honest detection and false-positive numbers and an open benchmark anyone can re-run.

INJECTED ATTACKS
VS
DETECTORS
SYNTHETIC INJECTION → MEASURED DETECTION
4
Injected Attack Classes
0.87
Baseline ROC-AUC
~50%
Detection @ 2% FPR
≥2
Detectors to Flag

WHY EVALUATE WITH INJECTED ATTACKS?

ADS-B was designed in the 1990s with no security considerations. Every transmission is unencrypted, unauthenticated, and broadcast in the clear on 1090 MHz. A low-cost RTL-SDR dongle and an open-source tool like dump1090 can receive aircraft positions across a wide radius, and transmit-capable hardware can inject fabricated messages into the airspace picture. Spoofing has been demonstrated by academic and security researchers for over a decade. The protocol offers no built-in defence.

The practical problem for anyone building a detector is data. Real attacks against live airspace are rare, mostly unlabelled, and illegal to generate on the air. You cannot simply download a balanced set of genuine-versus-spoofed examples and train a classifier. Without labelled attacks you also cannot honestly report how well a detector works.

The standard answer in the literature is to inject synthetic attacks into real captured traffic, then measure recovery. We follow the attack taxonomy and evaluation framing of Habler and Shabtai (Computers & Security, 2018): take genuine flights, perturb specific fields in controlled ways, and check whether the detector flags the perturbed records without flagging the clean ones. This gives a ROC curve and an operating point you can actually quote.

WHAT CHANGED FROM THE EARLIER PROTOTYPE

An earlier version of this page described reinforcement-learning agents trained by self-play. That approach was retired. It was a stub that never accumulated meaningful training, and self-play does not produce numbers you can defend. The adversarial concept survives in a narrower, more honest form: synthetic attack injection used to evaluate detectors. There are no PPO, DQN, A2C, or GAN-style agents in AeroScope. The detectors that ship are built on established open-source anomaly-detection libraries, and every flag they raise is explainable from its contributing features.

THE EVALUATION PIPELINE

Evaluation runs as a five-step pipeline. It is a measurement procedure, not a training loop: the detectors are not modified by it. The same procedure produces the published benchmark dataset.

01
Start from real captured ADS-B traffic, including the integrity fields (NIC, NACp, SIL)
02
Inject a controlled attack into a subset of records: altitude or velocity tampering, ghost kinematics, or integrity downgrade
03
Score every record with each detector (streaming, baseline, Kalman innovation, envelope, windowed outlier)
04
Compute ROC-AUC and detection rate at a fixed false-positive budget against the known injection labels
05
Publish records, labels, and model scores as the open benchmark so the numbers are reproducible

MEASURED, NOT SELF-TRAINED

HOW THE DETECTORS COMBINE

No single model decides. Each aircraft is scored by several independent detectors that look at different things: a streaming anomaly model (River HalfSpaceTrees), a batch baseline (scikit-learn IsolationForest), the Kalman filter innovation (predicted versus observed position), per-type performance-envelope checks (OpenAP), and a windowed outlier second opinion (PyOD ECOD and IsolationForest). Their per-record scores feed a consensus rule: an aircraft is flagged only when at least two independent detectors agree. The features that drove each contributing detector are kept so the flag can be explained rather than asserted.

ADS-B FIELDS DERIVED FEATURES DETECTORS CONSENSUS
● Raw ADS-B Fields ● Detectors ● Clean (Consensus) ● Flagged (Consensus)

THE INJECTED ATTACK TAXONOMY

The benchmark injects four documented attack classes into real flights. Each class perturbs a specific part of the message so the resulting record stays superficially plausible while breaking one form of internal self-consistency. The first four cards below are the injected attacks; the last two are related rule-layer checks the physics engine performs alongside the ML detectors.

ALTITUDE TAMPERING

Reported altitude is shifted while position and velocity are left intact. The barometric and geometric altitude relationship and the altitude-rate consistency are what give it away, not the altitude value alone.

INJECTED

VELOCITY TAMPERING

Ground speed, vertical rate, or heading is falsified. The mismatch between successive positions and the reported velocity vector is the detectable signal, since the two should agree over consecutive updates.

INJECTED
👻

GHOST KINEMATICS

A fabricated track whose motion does not obey realistic flight dynamics. Implausible turn rates, accelerations, or trajectory shape separate a synthesised path from a real one even when every individual field is well-formed.

INJECTED

INTEGRITY DOWNGRADE

The DO-260B integrity indicators (NIC, NACp, SIL) are lowered to mask a fabricated position behind claimed low accuracy. Tracking how those fields move relative to the rest of the message exposes the manipulation.

INJECTED

HEX COLLISION (RULE)

Two simultaneous tracks sharing one ICAO 24-bit hex address. This is a deterministic rule-layer check rather than an injected ML attack: a single hex should not appear in two places at once.

RULE LAYER

POSITION JUMP (RULE)

A reported position that moves further between updates than the aircraft could physically travel. The Kalman filter innovation makes this measurable, and the rule layer flags jumps that exceed the performance envelope.

RULE LAYER

BASELINE EVALUATION RESULTS

These are the measured numbers for the scikit-learn IsolationForest baseline against the injected attack taxonomy. They are deliberately presented as a single-detector baseline, not as the performance of the full consensus system. A ROC-AUC near 0.87 is a respectable but not heroic result for an unsupervised detector on unauthenticated data, and the detection rate at a strict false-positive budget is the honest cost of keeping false alarms low.

ISOLATIONFOREST BASELINE — INJECTED ATTACK SET
FPR BUDGET ~2%
ROC-AUC
~0.87
Detection @ 2% FPR
~50%
False-Positive Budget
~2%
Consensus Threshold
≥2 detectors
hi lo 0.0 0.02 0.05 0.10 FPR CLEAN SCORES INJECTED SCORES

SCORE SEPARATION DRIVES THE 2% FALSE-POSITIVE OPERATING POINT

WHY CONSENSUS INSTEAD OF ONE SCORE

The baseline numbers above describe one detector in isolation. Reporting a single model's detection rate is honest but incomplete, because different detectors fail on different attacks. The streaming model adapts to drift but is weaker on slow, low-amplitude tampering. The Kalman innovation is sharp on position jumps but blind to a static altitude offset. The envelope check only fires for the roughly 37 aircraft types OpenAP models. Each one has a different blind spot.

Combining them under a consensus rule trades a little raw recall for a large drop in false alarms: an aircraft is flagged only when at least two independent detectors agree. On crowdsourced data with millions of legitimate records a day, a low false-positive rate matters more than catching every marginal anomaly, because an analyst will stop trusting a panel that cries wolf. The trade-off is deliberate, and we would rather state it plainly than quote a single inflated accuracy figure.

STREAMING (RIVER)

HalfSpaceTrees learns continuously in constant memory. Strong on regime changes and emerging anomalies; weaker on slow, small-magnitude field tampering.

KALMAN INNOVATION

The gap between predicted and observed position. Sharp on position jumps and discontinuities; insensitive to a self-consistent but falsified altitude.

ENVELOPE (OPENAP)

Per-type max speed, ceiling, and climb rate. Decisive when violated, but only asserted for the modelled aircraft types; silent for the rest.

BASELINE (ISOLATIONFOREST)

The batch baseline whose ROC-AUC of about 0.87 anchors the evaluation. A general second opinion across the full derived-feature set.

WINDOWED OUTLIER (PYOD)

ECOD and IsolationForest over short windows. Catches features that look normal per record but odd across a short span.

SHAPE / CHANGE-POINT

stumpy matrix-profile discords and ruptures change-points surface trajectory-shape oddities and phase boundaries the point detectors miss.

WHAT THE PIPELINE IS BUILT ON

ESTABLISHED LIBRARIES, NO CUSTOM TRAINING LOOP

The detectors are standard implementations from maintained open-source projects: River (HalfSpaceTrees) for online streaming detection, scikit-learn IsolationForest for the batch baseline, PyOD (ECOD and IsolationForest) for windowed second opinions, pykalman for trajectory smoothing and short-horizon prediction, OpenAP from TU Delft for per-type performance envelopes, and stumpy plus ruptures for trajectory-shape and change-point analysis. There is no bespoke reinforcement-learning loop and no GPU training cluster. This is a deliberate choice: off-the-shelf detectors are easier to reason about, easier to reproduce, and harder to misrepresent.

DERIVED SELF-CONSISTENCY FEATURES

A raw ADS-B message carries roughly a dozen fields (ICAO, callsign, latitude, longitude, altitude, ground speed, vertical rate, heading, squawk, NIC, NACp, SIL). On their own these are easy to fake. The pipeline derives self-consistency features from them: agreement between successive positions and the reported velocity vector, altitude-rate plausibility, turn rate and acceleration, and how the integrity fields move relative to the rest of the message. Most injected attacks are invisible in any single field but break one of these derived relationships, which is what the detectors actually score.

EVALUATION, NOT ONLINE OPTIMISATION

The injection harness exists to produce numbers, not to update a model against itself. Real flights are perturbed with known labels, every detector scores every record, and the labels are used only to compute ROC-AUC and detection at a fixed false-positive budget. The streaming model does learn continuously in production, but it learns from live traffic in an unsupervised way, not from a self-play adversary. The captured records, injection labels, and deployed-model scores are published so the same evaluation can be reproduced independently.

USE CASES

SITUATIONAL AWARENESS

For an observer watching their local airspace, a flag with a stated reason is more useful than a green dot. The consensus detectors surface tracks whose self-consistency has broken down, with the contributing features shown, so you can decide whether something is worth a second look.

DATA-QUALITY TRIAGE

Crowdsourced ADS-B carries noise, stale positions, and the occasional genuinely manipulated record. The same checks that catch injected attacks also catch ordinary bad data, which makes the live map more trustworthy without claiming to authenticate anything.

METHODOLOGY REFERENCE

The injection taxonomy and operating-point reporting follow published work (Habler & Shabtai, 2018). The page documents the four attack classes and the false-positive budget so the approach can be examined and critiqued rather than taken on faith.

🔬

OPEN BENCHMARK FOR RESEARCH

Generating attacks on live frequencies is illegal, so we publish them instead. The AeroScope ADS-B Anomaly Benchmark v1 ships real traffic plus injected attacks (CSV, JSONL, dataset card) under CC-BY 4.0 so you can test your own detector against the same set.

FREQUENTLY ASKED QUESTIONS

What does adversarial evaluation mean for ADS-B anomaly detection?

+

Because ADS-B is unauthenticated, there is no large labelled set of real spoofing to train or test on. Instead we inject a documented taxonomy of synthetic attacks into real captured traffic, then measure how well each detector recovers them. The framing follows Habler and Shabtai (Computers & Security, 2018). It is an evaluation harness that produces honest numbers, not a system that trains itself against an opponent.

How well do the detectors perform on the injected attacks?

+

The scikit-learn IsolationForest baseline reaches a ROC-AUC of about 0.87 against the injected taxonomy. Held to a strict false-positive rate near 2 percent, it recovers roughly half of the injected attacks. These are deliberately modest single-detector numbers. The deployed system runs several detectors and flags a track only when at least two agree, which lowers the false-positive rate further at the cost of some recall.

Does AeroScope use reinforcement learning or adversarial self-play?

+

No. An earlier prototype experimented with reinforcement-learning agents; it was a stub that never trained meaningfully and has been retired. The adversarial idea survives only as synthetic attack injection used to evaluate detectors. The live pipeline is built on established libraries (River, scikit-learn, PyOD, pykalman, OpenAP, stumpy, ruptures) with no PPO, DQN, A2C, or GAN-style training anywhere in it.

Can I reproduce these numbers myself?

+

Yes. The AeroScope ADS-B Anomaly Benchmark v1 publishes the real captured traffic and the injected attacks as CSV and JSONL, with 38 documented columns including the raw ADS-B integrity fields, the derived self-consistency features, and the deployed-model scores. It is released under CC-BY 4.0; see the dataset card for the column definitions and injection methodology.

OPEN THE LIVE MAP