Anomaly Framework

Anomaly Detection Types

SkyGrid uses eight anomaly classes to identify aircraft behavior that deviates from expected patterns. Each class is defined by observable metrics and is enriched with real-time weather, location, and NOTAM context to support practical monitoring, review, and alert routing.

Loiter Detection

Class ID: loiter

Definition

Aircraft observed circling or hovering in the same geographic region for an extended period without filing a flight plan or following a normal departure pattern.

Observable Characteristics

  • Same aircraft returns to same region repeatedly
  • Dwell time exceeds configured threshold (default 15 minutes)
  • No standard commercial routing pattern
  • Pattern repeats across multiple observation windows

Who Needs This Detection

  • Airspace research teams
  • Newsroom investigation teams
  • Monitoring analysts and design partners
  • Regional situational-awareness teams

Review Priority

Medium — extended dwell time is worth review when it repeats or combines with other anomaly types.

Real-World Context

Loiter patterns help teams identify aircraft that stay over one area longer than expected. The goal is to flag review-worthy behavior, not to assume intent from a single event.

Ghost Aircraft Detection

Class ID: ghost

Definition

Aircraft detected operating without standard transponder signals (ADS-B), radar returns, or flight plan filing — appearing and disappearing from tracking coverage with no reasonable explanation.

Observable Characteristics

  • No ADS-B transponder code broadcast
  • Sporadic radar/MLAT returns only
  • No associated flight plan in FAA/ICAO databases
  • Unexplained coverage gaps in normal traffic flow
  • Often near restricted or monitored airspace

Who Needs This Detection

  • Research analysts
  • Airspace integrity teams
  • Newsroom investigation teams
  • Regional monitoring groups

Review Priority

Medium — tracking gaps and unusual identity data should be reviewed with context before drawing conclusions.

Real-World Context

Ghost detections help teams isolate aircraft that appear without a normal tracking profile. They are useful for investigation queues, especially when combined with location and timing context.

Squawk Code Anomaly Detection

Class ID: squawk

Definition

Aircraft broadcasting emergency or unusual squawk codes (7700 — general emergency, 7600 — loss of comms, 7500 — hijack) that appear suspicious based on location, duration, or flight context.

Observable Characteristics

  • Squawk codes outside normal commercial range
  • Emergency codes in non-emergency contexts
  • Repeated squawk cycling (on/off patterns)
  • Duration inconsistent with declared emergency
  • Unusual location for declared emergency type

Who Needs This Detection

  • Emergency response coordinators
  • Operations analysts
  • Regional monitoring teams
  • Alert review teams

Review Priority

Medium — unusual squawk activity can indicate real emergencies, false signals, or behavior that needs fast review.

Real-World Context

Squawk anomalies help teams review emergency-coded aircraft in context, especially when duration, location, or repetition does not match expected behavior.

Rapid Descent Detection

Class ID: rapid-descent

Definition

Aircraft exhibiting an abnormally high rate of descent that exceeds the configurable threshold (default 3,000 ft/min), outside of a normal approach corridor.

Observable Characteristics

  • Vertical rate exceeds threshold (e.g., -3,000 ft/min)
  • Descent not correlated with a known approach procedure
  • Often combined with other anomaly indicators
  • Detectable from ADS-B vertical rate telemetry

Who Needs This Detection

  • Safety monitoring teams
  • Emergency response coordinators
  • Flight operations analysts
  • Investigation and review teams

Review Priority

High — rapid uncontrolled descent can indicate mechanical failure, pilot incapacitation, or deliberate action.

Real-World Context

Rapid descent detection provides early warning when an aircraft is losing altitude at an unusual rate. Context from altitude, speed, and proximity to airports helps determine urgency.

ICAO Spoof Detection

Class ID: icao-spoof

Definition

The same ICAO24 transponder address appears at two physically implausible locations in a short timeframe, suggesting identity spoofing or cloning.

Observable Characteristics

  • Same ICAO24 observed at two locations that could not be reached at a feasible travel speed
  • Distance between observations exceeds 200 km
  • Implied speed between the observations exceeds 3× the maximum feasible aircraft speed
  • Indicates potential transponder cloning or replay attack

Who Needs This Detection

  • Airspace integrity teams
  • Research analysts studying ADS-B security
  • Electromagnetic spectrum monitoring groups
  • Regulatory compliance teams

Review Priority

High — identity spoofing undermines transponder trust and may indicate intentional deception.

Real-World Context

ICAO spoof detection flags cases where the same aircraft identity appears to teleport between distant locations, which is physically impossible and may indicate ADS-B manipulation.
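
The check described in this class, as an added example (not SkyGrid's own code). The 200 km and 3× thresholds come from the list above; the `MAX_FEASIBLE_KMH` value, the `Obs` record and the sample observations are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

MIN_DISTANCE_KM = 200.0    # page: distance between observations exceeds 200 km
SPEED_MULTIPLIER = 3.0     # page: implied speed exceeds 3x the feasible maximum
MAX_FEASIBLE_KMH = 1200.0  # assumption: the page gives no value for this

@dataclass(frozen=True)
class Obs:
    icao24: str
    ts: float   # Unix seconds
    lat: float
    lon: float

def haversine_km(a: Obs, b: Obs) -> float:
    """Great-circle distance between two observations, in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0088 * math.asin(math.sqrt(min(1.0, h)))

def find_icao_spoof(observations, max_kmh=MAX_FEASIBLE_KMH):
    """Return (icao24, distance_km, implied_kmh) for each implausible jump."""
    last, hits = {}, []
    for o in sorted(observations, key=lambda x: x.ts):
        prev = last.get(o.icao24)
        last[o.icao24] = o
        if prev is None:
            continue
        dist = haversine_km(prev, o)
        if dist <= MIN_DISTANCE_KM:
            continue  # short hops are never flagged, whatever the interval
        hours = (o.ts - prev.ts) / 3600.0
        # Two receivers can report one address at the same instant: treat a
        # zero interval as infinite implied speed instead of dividing by zero.
        implied = math.inf if hours <= 0 else dist / hours
        if implied > SPEED_MULTIPLIER * max_kmh:
            hits.append((o.icao24, round(dist, 1), implied))
    return hits

# Constructed sample observations (not real traffic).
SAMPLE = [
    Obs("abc123", 0, 51.47, -0.45),     # near London
    Obs("abc123", 60, 51.50, -0.30),    # about 11 km later: normal
    Obs("abc123", 120, 40.64, -73.78),  # near New York 60 s later: implausible
    Obs("def456", 0, 48.35, 11.78),     # near Munich
    Obs("def456", 3600, 50.03, 8.57),   # about 300 km in one hour: plausible
]
```

The second aircraft is more than 200 km from its previous fix but is not flagged, because both conditions must hold.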

Formation Flight Detection

Class ID: formation-flight

Definition

Three or more distinct aircraft detected moving at speed within the same geographic cell, suggesting coordinated or formation flight activity.

Observable Characteristics

  • Three or more unique ICAO24 addresses in the same H3 cell
  • All aircraft moving above 80 knots
  • Spatial clustering in a small geographic area
  • Potential military, aerobatic, or coordinated activity

Who Needs This Detection

  • Airspace research teams
  • Regional situational-awareness teams
  • Open-source intelligence analysts
  • Event monitoring teams

Review Priority

Medium — formation flight may be routine (air shows, training) or may warrant review in sensitive airspace.

Real-World Context

Formation detection highlights clusters of aircraft moving together, which can indicate military exercises, air shows, or coordinated operations near monitored regions.

Callsign Duplicate Detection

Class ID: callsign-duplicate

Definition

Two or more aircraft with different ICAO24 addresses broadcasting the same non-blank callsign simultaneously, suggesting a data integrity issue or deliberate misidentification.

Observable Characteristics

  • Multiple distinct ICAO24 addresses sharing the same callsign
  • Both aircraft actively broadcasting simultaneously
  • Callsign is non-blank and matches exactly
  • May indicate transponder misconfiguration or intentional cloning

Who Needs This Detection

  • Data integrity teams
  • ADS-B research analysts
  • Air traffic monitoring teams
  • Regulatory compliance reviewers

Review Priority

Medium — duplicate callsigns can be benign misconfigurations or indicate deliberate identity masking.

Real-World Context

Callsign duplicates help teams identify cases where two planes claim to be the same flight, which could be a database error, operator mix-up, or intentional deception.
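
One way to express this class as a streaming check, as an added example (not SkyGrid's own code). The page does not say how "simultaneously" is measured, so the 60-second `WINDOW_S`, the message tuple layout and the sample messages are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: two aircraft count as broadcasting "simultaneously" when both
# were heard within WINDOW_S seconds of each other.
WINDOW_S = 60

def find_callsign_duplicates(messages, window_s=WINDOW_S):
    """messages: iterable of (ts, icao24, callsign).
    Returns {callsign: sorted list of ICAO24 addresses that shared it}."""
    recent = defaultdict(dict)   # callsign -> {icao24: last time heard}
    flagged = defaultdict(set)
    for ts, icao24, callsign in sorted(messages):
        # ADS-B callsigns are space-padded to 8 characters; trim the padding,
        # then compare exactly (no case folding or fuzzy matching).
        cs = callsign.strip()
        if not cs:
            continue             # blank callsigns are excluded by definition
        seen = recent[cs]
        seen[icao24.lower()] = ts
        # Forget addresses that have gone quiet, so a callsign reused by a
        # different airframe hours later is not reported as a duplicate.
        for addr in [a for a, t in seen.items() if ts - t > window_s]:
            del seen[addr]
        if len(seen) >= 2:
            flagged[cs].update(seen)
    return {cs: sorted(addrs) for cs, addrs in flagged.items()}

# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    (0,   "a1b2c3", "UAL123  "),
    (10,  "a1b2c3", "UAL123  "),   # same airframe repeating: not a duplicate
    (20,  "d4e5f6", "UAL123  "),   # second airframe, same callsign, 10 s later
    (0,   "111aaa", "DLH4AB  "),
    (500, "222bbb", "DLH4AB  "),   # same callsign, but long after the first
    (5,   "333ccc", "        "),   # blank callsigns never match each other
    (6,   "444ddd", "        "),
]
```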

GPS Jamming Signature Detection

Class ID: gps-jamming

Definition

A cluster of ghost-candidate aircraft concentrated in the same low-resolution H3 cell, suggesting a regional GPS jamming or spoofing event affecting multiple aircraft positions.

Observable Characteristics

  • Multiple ghost-candidate aircraft in the same low-resolution cell
  • Cluster size exceeds configurable threshold
  • Affected aircraft are airborne (altitude > 300 m) with blank callsigns
  • Pattern suggests area-wide electronic interference

Who Needs This Detection

  • Electromagnetic spectrum analysts
  • Navigation safety teams
  • Critical infrastructure monitoring groups
  • Regional conflict monitoring teams

Review Priority

High — GPS jamming affects navigation safety for all aircraft in the affected region.

Real-World Context

GPS jamming detection identifies regions where multiple aircraft simultaneously lose identity data, a signature often observed in conflict zones or near electronic warfare activity.

Integration into Operations

SkyGrid continuously streams these anomaly classes into the live map and dashboard, enriched with weather conditions, reverse-geocoded locations, and active NOTAMs. Teams can toggle each class, drill down by region, and route alerts into role-specific review workflows.