21-EFT.WP.Metrology.Sync v1.0 | Chapter 12 — Boundaries & Anomalies (Virtualization / Spoofing / GNSS Risks)

Home ／ Docs-Technical WhitePaper ／ 21-EFT.WP.Metrology.Sync v1.0

Chapter 12 — Boundaries & Anomalies (Virtualization / Spoofing / GNSS Risks)

One-line objective: In virtualized and adversarial environments, define detect–isolate–fallback guardrails for synchronization so that ts / tau_mono, measurement links, and reference sources remain contract-grade available under spoofing, jamming, and anomalies.

I. Scope & Objects

1. Applies to
   • Sync endpoints and boundary clocks on VM/container/mixed nodes.
   • Networks exposed to NTP/PTP/GNSS spoofing, jamming, asymmetry, and routing jitter.
   • Systems with multiple references (GNSS/SyncE/PTP) and inter-domain peering.
2. Inputs
   • Reference observations: z_ptp, z_ntp, z_gnss, C/N0, DOP, sky_mask, link metrics q_path, asym, sigma.
   • Local timing: tau_mono, ts, virtualization noise J_vmm, scheduler quantization q_sched.
   • Arrival-path metrics: dual-form T_arr and delta_form.
   • SLO/SLA: tol_sync, slew_max, T_detect, FPR, FNR.
3. Outputs
   • Anomaly labels & root cause: {virtualization, spoofing, jamming, multipath, leap, asym}.
   • Mitigations & fallbacks: holdover, failover, weight_drop, path_switch.
   • Audit artifacts: manifest.sync.incident.*.

II. Terms & Variables

• Virtualization & host: J_vmm (VMM jitter), q_sched (scheduler quantization), t_guest, t_host.
• Spoofing & jamming: b_adv(t) (adversarial bias), r_adv(t) (adversarial drift), p_jam (jam power).
• GNSS observation:
  rho_i = || r_rx - r_sv_i || + c*(dT_rx - dT_sv_i) + I_i + T_i + m_i + n_i。
• Detection statistics: S_cusum, T_glrt, RAIM_parity = v^T R^{-1} v.
• Constraints & thresholds: C/N0_min, DOP_max, tol_Tarr, tol_asym, alpha (significance).

III. Axioms P612- **

• P612-1 (Monotonic isolation): tau_mono is supplied by a monotonic source and decoupled from ts; clock_gettime/vDSO drift is constrained by align_timebase.
• P612-2 (Dual-form mandatory): For all arrival metrics, compute both T_arr forms and record delta_form, enforcing delta_form ≤ tol_Tarr.
• P612-3 (Multi-source consistency): Require cross-consistency of at least two among GNSS/PTP/NTP/SyncE before promoting a master source.
• P612-4 (Virtualization caps): Persist J_vmm and q_sched; when J_vmm > J_max, forbid the instance from acting as GM/BC/TC.
• P612-5 (Security minimization): Default to de-weighting/untrusting external time; enable source whitelists, certificates, and message authentication.
• P612-6 (Progressive response): On anomalies, first de-weight and slew-limit; then switch or holdover—no “fast steps” that break causality.

IV. Minimal Equations S612- **

• S612-1 (Virtualization error model)
  z_meas(t) = z_true(t) + n(t) + e_vmm(t)
  e_vmm(t) = q_sched * k(t) + jitter(t)，J_vmm = std( jitter )
  check_dim( z_meas - z_true ) → unit "s"
• S612-2 (Spoofing bias/drift)
  z_t = ( x_i - x_ref ) + b_adv(t) + r_adv(t)*t + n_t
  H0: b_adv=r_adv=0; H1: b_adv≠0 ∨ r_adv≠0
  T_glrt = ( L(z|H1) / L(z|H0) )
• S612-3 (CUSUM sequential test)
  S_cusum(t) = max( 0, S_cusum(t-1) + g(z_t) - k )
  Trigger when S_cusum(t) ≥ h, controlling alpha, beta and T_detect.
• S612-4 (GNSS RAIM / integrity)
  v = y - H x_hat, RAIM_parity = v^T R^{-1} v
  Rule: RAIM_parity ≤ chi2_{df,1-alpha}
• S612-5 (Multi-source fusion)
  x_hat = arg min_x ( ∑_s w_s * ( z_s - x )^2 ), with w_s ∝ 1/var_s; if source s is flagged, set w_s ← 0 or w_s ← w_s * eta with eta ∈ (0,1).
• S612-6 (Dual-form arrival audit)
  delta_form = | ( 1 / c_ref ) * ( ∫ n_eff d ell ) - ( ∫ ( n_eff / c_ref ) d ell ) |
  Assert delta_form ≤ tol_Tarr.

V. Flow M60-12 (Boundary & Anomaly Governance)

1. Ready
   • Collect tau_mono/ts, q_path/asym/sigma, C/N0, DOP, and dual-form T_arr.
   • Load J_vmm, q_sched; validate check_dim.
2. Online monitoring
   • Run CUSUM/GLRT on offset/frequency residuals; run RAIM and C/N0, DOP gates.
   • Track delta_form, asym, and path-delay drift.
3. Decision & grading
   Use T_glrt / S_cusum / RAIM_parity, J_vmm, C/N0, and psi (stability) to issue A/B/C alerts.
4. Mitigation
   • Cascaded actions: weight_drop → path_switch → failover → holdover, always within slew ≤ slew_max.
   • For GNSS anomalies, prefer ground references (SyncE/PTP) or INS/oscillator holdover.
5. Reset & rollback
   After resolution, progressively restore weights; maintain a guard window Delta_t_guard.
6. Audit & persistence
   Emit manifest.sync.incident.*: start/stop, trigger stats, sources/paths, actions & impact; attach hash_sha256(blob) and signature.

VI. Contracts & Assertions

• C60-121 (Virtualization boundary): J_vmm ≤ J_max ∧ q_sched ≤ q_max; otherwise forbid GM/BC/TC roles.
• C60-122 (Spoofing detection): T_glrt ≤ tau_glrt ∧ S_cusum < h; on breach, de-weight or switch.
• C60-123 (GNSS integrity): C/N0 ≥ C/N0_min, DOP ≤ DOP_max, RAIM_parity ≤ chi2_{df,1-alpha}.
• C60-124 (Arrival consistency): delta_form ≤ tol_Tarr; offending paths exit the candidate set.
• C60-125 (Progressive slewing): |ds/dt| ≤ slew_max; forbid overspeed re-steps.
• C60-126 (Multi-source consistency): Any master-source change must be corroborated by at least one independent auxiliary source.

VII. Implementation Bindings I60-12*

• estimate_vmm_jitter(node) -> {J_vmm, q_sched}
• detect_spoofing(stream) -> {T_glrt, S_cusum, label}
• gnss_integrity_check(obs) -> {RAIM_parity, C/N0, DOP, label}
• fuse_time_sources(meas, weights, policy) -> x_hat
• mitigate_and_failover(state, policy) -> action_plan
• emit_incident_manifest(event) -> manifest.sync.incident
• Invariants: units/dimensions pass; actions are rollback-safe; all trigger stats & thresholds are persisted and traceable.

VIII. Cross-References

• Servo & filtering: Chapter 6.
• Delay & asymmetry modeling: Chapter 7.
• Noise & stability propagation: EFT.WP.Metrology.TimeBase v1.0 Chapter 7.
• Cleaning & release contracts: Methods.Cleaning v1.0 Chapter 10.
• A/B and sequential-test statistics: Methods.CrossStats v1.0 Chapters 6 and 8.

IX. Quality Metrics & Risk Control

1. Metrics: T_detect_p95, FPR/FNR, time_in_holdover, failover_success_rate, sync_error_p99, delta_form_breach_rate, mean_slew, incident_mttr.
2. Risk strategies:
   • Raise the conservativeness of T_glrt and h during high-threat periods.
   • Enforce source whitelists and message authentication.
   • Configure GNSS masks and shielding; tune oscillator holdover classes.
   • Restrict VMs to slave-only roles; migrate timing to bare-metal domains when needed.

Summary