You cannot collect a labelled corpus of real ADS-B spoofing, so we make the attacks ourselves. AeroScope injects a documented taxonomy of synthetic attacks into real captured traffic, then measures how reliably each detector recovers them. The output is a set of honest detection and false-positive numbers and an open benchmark anyone can re-run.
ADS-B was designed in the 1990s with no security considerations. Every transmission is unencrypted, unauthenticated, and broadcast in the clear on 1090 MHz. A low-cost RTL-SDR dongle and an open-source tool like dump1090 can receive aircraft positions across a wide radius, and transmit-capable hardware can inject fabricated messages into the airspace picture. Spoofing has been demonstrated by academic and security researchers for over a decade. The protocol offers no built-in defence.
The practical problem for anyone building a detector is data. Real attacks against live airspace are rare, mostly unlabelled, and illegal to generate on the air. You cannot simply download a balanced set of genuine-versus-spoofed examples and train a classifier. Without labelled attacks you also cannot honestly report how well a detector works.
The standard answer in the literature is to inject synthetic attacks into real captured traffic, then measure recovery. We follow the attack taxonomy and evaluation framing of Habler and Shabtai (Computers & Security, 2018): take genuine flights, perturb specific fields in controlled ways, and check whether the detector flags the perturbed records without flagging the clean ones. This gives a ROC curve and an operating point you can actually quote.
An earlier version of this page described reinforcement-learning agents trained by self-play. That approach was retired. It was a stub that never accumulated meaningful training, and self-play does not produce numbers you can defend. The adversarial concept survives in a narrower, more honest form: synthetic attack injection used to evaluate detectors. There are no PPO, DQN, A2C, or GAN-style agents in AeroScope. The detectors that ship are built on established open-source anomaly-detection libraries, and every flag they raise is explainable from its contributing features.
Evaluation runs as a five-step pipeline. It is a measurement procedure, not a training loop: the detectors are not modified by it. The same procedure produces the published benchmark dataset.
MEASURED, NOT SELF-TRAINED
No single model decides. Each aircraft is scored by several independent detectors that look at different things: a streaming anomaly model (River HalfSpaceTrees), a batch baseline (scikit-learn IsolationForest), the Kalman filter innovation (predicted versus observed position), per-type performance-envelope checks (OpenAP), and a windowed outlier second opinion (PyOD ECOD and IsolationForest). Their per-record scores feed a consensus rule: an aircraft is flagged only when at least two independent detectors agree. The features that drove each contributing detector are kept so the flag can be explained rather than asserted.
The benchmark injects four documented attack classes into real flights. Each class perturbs a specific part of the message so the resulting record stays superficially plausible while breaking one form of internal self-consistency. The first four cards below are the injected attacks; the last two are related rule-layer checks the physics engine performs alongside the ML detectors.
Reported altitude is shifted while position and velocity are left intact. The barometric and geometric altitude relationship and the altitude-rate consistency are what give it away, not the altitude value alone.
INJECTEDGround speed, vertical rate, or heading is falsified. The mismatch between successive positions and the reported velocity vector is the detectable signal, since the two should agree over consecutive updates.
INJECTEDA fabricated track whose motion does not obey realistic flight dynamics. Implausible turn rates, accelerations, or trajectory shape separate a synthesised path from a real one even when every individual field is well-formed.
INJECTEDThe DO-260B integrity indicators (NIC, NACp, SIL) are lowered to mask a fabricated position behind claimed low accuracy. Tracking how those fields move relative to the rest of the message exposes the manipulation.
INJECTEDTwo simultaneous tracks sharing one ICAO 24-bit hex address. This is a deterministic rule-layer check rather than an injected ML attack: a single hex should not appear in two places at once.
RULE LAYERA reported position that moves further between updates than the aircraft could physically travel. The Kalman filter innovation makes this measurable, and the rule layer flags jumps that exceed the performance envelope.
RULE LAYERThese are the measured numbers for the scikit-learn IsolationForest baseline against the injected attack taxonomy. They are deliberately presented as a single-detector baseline, not as the performance of the full consensus system. A ROC-AUC near 0.87 is a respectable but not heroic result for an unsupervised detector on unauthenticated data, and the detection rate at a strict false-positive budget is the honest cost of keeping false alarms low.
SCORE SEPARATION DRIVES THE 2% FALSE-POSITIVE OPERATING POINT
The baseline numbers above describe one detector in isolation. Reporting a single model's detection rate is honest but incomplete, because different detectors fail on different attacks. The streaming model adapts to drift but is weaker on slow, low-amplitude tampering. The Kalman innovation is sharp on position jumps but blind to a static altitude offset. The envelope check only fires for the roughly 37 aircraft types OpenAP models. Each one has a different blind spot.
Combining them under a consensus rule trades a little raw recall for a large drop in false alarms: an aircraft is flagged only when at least two independent detectors agree. On crowdsourced data with millions of legitimate records a day, a low false-positive rate matters more than catching every marginal anomaly, because an analyst will stop trusting a panel that cries wolf. The trade-off is deliberate, and we would rather state it plainly than quote a single inflated accuracy figure.
HalfSpaceTrees learns continuously in constant memory. Strong on regime changes and emerging anomalies; weaker on slow, small-magnitude field tampering.
The gap between predicted and observed position. Sharp on position jumps and discontinuities; insensitive to a self-consistent but falsified altitude.
Per-type max speed, ceiling, and climb rate. Decisive when violated, but only asserted for the modelled aircraft types; silent for the rest.
The batch baseline whose ROC-AUC of about 0.87 anchors the evaluation. A general second opinion across the full derived-feature set.
ECOD and IsolationForest over short windows. Catches features that look normal per record but odd across a short span.
stumpy matrix-profile discords and ruptures change-points surface trajectory-shape oddities and phase boundaries the point detectors miss.
The detectors are standard implementations from maintained open-source projects: River (HalfSpaceTrees) for online streaming detection, scikit-learn IsolationForest for the batch baseline, PyOD (ECOD and IsolationForest) for windowed second opinions, pykalman for trajectory smoothing and short-horizon prediction, OpenAP from TU Delft for per-type performance envelopes, and stumpy plus ruptures for trajectory-shape and change-point analysis. There is no bespoke reinforcement-learning loop and no GPU training cluster. This is a deliberate choice: off-the-shelf detectors are easier to reason about, easier to reproduce, and harder to misrepresent.
A raw ADS-B message carries roughly a dozen fields (ICAO, callsign, latitude, longitude, altitude, ground speed, vertical rate, heading, squawk, NIC, NACp, SIL). On their own these are easy to fake. The pipeline derives self-consistency features from them: agreement between successive positions and the reported velocity vector, altitude-rate plausibility, turn rate and acceleration, and how the integrity fields move relative to the rest of the message. Most injected attacks are invisible in any single field but break one of these derived relationships, which is what the detectors actually score.
The injection harness exists to produce numbers, not to update a model against itself. Real flights are perturbed with known labels, every detector scores every record, and the labels are used only to compute ROC-AUC and detection at a fixed false-positive budget. The streaming model does learn continuously in production, but it learns from live traffic in an unsupervised way, not from a self-play adversary. The captured records, injection labels, and deployed-model scores are published so the same evaluation can be reproduced independently.
For an observer watching their local airspace, a flag with a stated reason is more useful than a green dot. The consensus detectors surface tracks whose self-consistency has broken down, with the contributing features shown, so you can decide whether something is worth a second look.
Crowdsourced ADS-B carries noise, stale positions, and the occasional genuinely manipulated record. The same checks that catch injected attacks also catch ordinary bad data, which makes the live map more trustworthy without claiming to authenticate anything.
The injection taxonomy and operating-point reporting follow published work (Habler & Shabtai, 2018). The page documents the four attack classes and the false-positive budget so the approach can be examined and critiqued rather than taken on faith.
Generating attacks on live frequencies is illegal, so we publish them instead. The AeroScope ADS-B Anomaly Benchmark v1 ships real traffic plus injected attacks (CSV, JSONL, dataset card) under CC-BY 4.0 so you can test your own detector against the same set.
Because ADS-B is unauthenticated, there is no large labelled set of real spoofing to train or test on. Instead we inject a documented taxonomy of synthetic attacks into real captured traffic, then measure how well each detector recovers them. The framing follows Habler and Shabtai (Computers & Security, 2018). It is an evaluation harness that produces honest numbers, not a system that trains itself against an opponent.
The scikit-learn IsolationForest baseline reaches a ROC-AUC of about 0.87 against the injected taxonomy. Held to a strict false-positive rate near 2 percent, it recovers roughly half of the injected attacks. These are deliberately modest single-detector numbers. The deployed system runs several detectors and flags a track only when at least two agree, which lowers the false-positive rate further at the cost of some recall.
No. An earlier prototype experimented with reinforcement-learning agents; it was a stub that never trained meaningfully and has been retired. The adversarial idea survives only as synthetic attack injection used to evaluate detectors. The live pipeline is built on established libraries (River, scikit-learn, PyOD, pykalman, OpenAP, stumpy, ruptures) with no PPO, DQN, A2C, or GAN-style training anywhere in it.
Yes. The AeroScope ADS-B Anomaly Benchmark v1 publishes the real captured traffic and the injected attacks as CSV and JSONL, with 38 documented columns including the raw ADS-B integrity fields, the derived self-consistency features, and the deployed-model scores. It is released under CC-BY 4.0; see the dataset card for the column definitions and injection methodology.