
A practical primer on the world's largest openly broadcast surveillance dataset — and what it takes to trust it.
1. Hook
Every commercial aircraft in the sky is, right now, broadcasting its identity, position, speed, and altitude in the clear — unencrypted, unauthenticated, and free for anyone with a $30 antenna to receive. This single design choice, made decades ago for safety reasons, has quietly become one of the richest open datasets for behavioral anomaly detection in the airspace domain, and understanding its structure is the first step to using it well.
ADS-B stands for Automatic Dependent Surveillance–Broadcast. Unpacking that name explains the whole system: it's automatic (the aircraft transmits without a pilot triggering it), it's dependent surveillance (the aircraft determines its own position, usually via GPS/GNSS — Global Navigation Satellite System — rather than being tracked by a ground radar sweeping a beam), and it's a broadcast (the data goes out openly, to anyone listening, not to a single addressed recipient).
This is a fundamentally different model from traditional radar. Radar works by a ground station actively sending out a pulse and measuring the reflection — it's the ground doing the work, and the ground infers position from physics. ADS-B flips this: the aircraft computes its own position from GNSS and simply announces it, roughly once or twice per second, over a radio frequency (1090 MHz for most aircraft, using a scheme called 1090ES — Extended Squitter — and 978 MHz for a lower-altitude variant called UAT, Universal Access Transceiver, used mainly by general aviation in the United States). Any ground station, satellite receiver, or even a hobbyist's antenna within radio range can pick up the broadcast and decode it, with zero coordination or permission required from the aircraft.
This openness is deliberate and, for its original purpose, a genuine success. ADS-B was designed to improve safety by giving pilots and controllers a shared, high-frequency, high-precision picture of surrounding traffic — considerably better than older radar, which updates only every several seconds and loses accuracy at range. The tradeoff for that openness is the subject of the rest of this article.

2.2 What's Actually Inside an ADS-B Message
An ADS-B transmission isn't one big packet — it's a continuous stream of short messages, each 112 bits long, each carrying a different slice of information depending on its message type code. The core fields that matter for analysis are:
Each of these fields arrives at a different cadence, in a different message subtype (airborne position, airborne velocity, aircraft identification, and so on), which matters considerably for anomaly detection: position updates are frequent — often every half-second to one second — but some status fields update far less often, so a "complete" picture of an aircraft's current state is actually a mosaic assembled from several message types received over the course of a few seconds, not a single self-contained snapshot.

2.3 Why This Data Is "Dependent" — and Why That Matters
The word "dependent" in ADS-B's name is not incidental — it's the single most important fact for anyone doing security-relevant analysis on this data. Because the aircraft self-reports its own position rather than having that position independently measured by the receiving infrastructure, the ground system has no built-in way to verify that what it's hearing is true.
There is no encryption and no cryptographic signature on standard ADS-B messages — a deliberate design decision from decades ago, made in the interest of universal interoperability and low-cost equipment, long before airspace security against digital spoofing was a serious design consideration. If a transmitter — legitimate or not — broadcasts a well-formed message with a given ICAO address, position, and velocity, a receiver has no native way to distinguish that from a genuine aircraft transmission. The message is either well-formed or it isn't; there's no signature to check, no key to verify, and no built-in mechanism to ask "prove you are who you say you are."
This "dependent, unauthenticated" property is precisely why ADS-B is vulnerable to several distinct attack patterns, each worth naming individually since they produce different signatures in the data:
This is also precisely why raw ADS-B streams are such fertile ground for anomaly detection systems in the first place: the data is rich, frequent, and structured, but it needs external cross-validation — from radar, multilateration, or statistical modeling — before it can be fully trusted as ground truth.
A single ADS-B message tells you almost nothing on its own; the value emerges once messages are assembled into a track — a continuous time series of an aircraft's position, velocity, and status over the duration of a flight. This assembly process, often called track building or track correlation, involves grouping messages by ICAO address, resolving the CPR position-encoding ambiguity across message pairs, interpolating between updates, and stitching together the different message subtypes into a coherent per-aircraft state estimate at each point in time.
This is where the "goldmine" framing becomes literal: a busy terminal area can generate tens of thousands of raw messages per minute across all aircraft in range, and once decoded and assembled, that stream becomes a dense, structured, near-real-time dataset of every aircraft's kinematic behavior. Speed, altitude, turn rate, climb rate, message timing, and status flags all become time-series features — exactly the kind of structured, high-frequency, multivariate data that anomaly-detection models (statistical baselining, clustering, or learned sequence models such as recurrent networks or transformers) are built to consume. Unlike many sensor modalities used in defense analytics, this one is globally available, continuously generated, free to collect, and — critically for research and prototyping — entirely legal and unclassified to work with at scale.
In practice, very few organizations rely on a single receiver. Global tracking platforms such as FlightAware, ADS-B Exchange, and OpenSky Network operate by aggregating feeds from thousands of independently owned, low-cost ground receivers — often just a Raspberry Pi and a small antenna run by hobbyists — into a single global picture. This crowdsourced architecture is a strength for coverage (a global surveillance network built without a global infrastructure budget) but it is also a data-quality consideration worth understanding: feed quality, receiver placement, antenna performance, and even a feeder's own clock accuracy all vary, which introduces noise into any downstream dataset that must be accounted for before anomaly detection models can distinguish a genuine behavioral anomaly from a receiver-side artifact.
Think of ADS-B like every car on a highway shouting its own license plate, speed, and lane position out loud, once a second, over a loudspeaker anyone can hear — instead of a highway patrol officer using radar to measure each car independently. Most of the time this is wonderfully efficient: everyone can hear everyone else and build a shared picture of traffic without needing patrol cars stationed everywhere. Drivers can see who's ahead, who's merging, and who's slowing down, all without the patrol officer lifting a radar gun.
But it only works if every car is telling the truth. Nothing stops a car from shouting a false license plate, or a fake speed, or even claiming to exist in a lane where there's no physical car at all — the loudspeaker system has no way to check credentials, because it was never built to. That's the exact tradeoff of ADS-B: extraordinary situational awareness, built on an honor system.
Anomaly detection, in this analogy, is the practice of noticing when a "car" reports something physically implausible — a sudden teleport across three lanes, an impossible instantaneous speed change, two cars broadcasting the identical license plate at once — even without directly, cryptographically verifying its identity. You're not checking IDs; you're checking whether the story being told is physically coherent.
Building intuition for what "anomalous" actually looks like in raw ADS-B data helps connect the concept above to real analytic work. A few recurring signatures show up repeatedly across published research and open-source tracking community reports:
| Signature | What It Looks Like in the Data | Likely Cause |
|---|---|---|
| Position jump | Latitude/longitude changes by an amount physically impossible given elapsed time and airspeed | Spoofed or injected message, or a CPR decoding error |
| Altitude step | Reported altitude jumps hundreds or thousands of feet between consecutive messages | Sensor fault, message corruption, or spoofing |
| Duplicate ICAO address | Two simultaneous, geographically distant tracks share the same 24-bit address | Address spoofing, hardware misconfiguration, or address reuse |
| Ground track mismatch | Reported track angle is inconsistent with the position delta between successive messages | Fabricated or replayed message sequence |
| Message dropout pattern | Track vanishes and reappears with a suspiciously clean, linear "gap-filled" trajectory | Possible meaconing/replay, or simply poor receiver coverage |
| Callsign inconsistency | Callsign doesn't match any known flight plan, or changes mid-flight | Spoofing, or a legitimate but unusual operational callsign change |
None of these signatures is proof of malicious activity on its own — clean coverage gaps, GPS multipath, and ordinary equipment faults produce some of the same statistical fingerprints. This is exactly why practical anomaly-detection systems combine several of these signals, weight them against known base rates of benign causes, and — wherever possible — cross-reference against an independent source such as radar or multilateration before escalating anything to a human analyst.

5. Application to Defense & Aerospace
For a Defense & Aerospace AI Center of Excellence, ADS-B is a uniquely valuable training and monitoring signal precisely because of its openness and volume. Unlike classified radar feeds, ADS-B data is abundant, continuously available, and ideal for building and validating anomaly-detection pipelines before deploying similar techniques on more sensitive, restricted sensor data — it functions as an excellent, low-risk proving ground for methods that will later be applied to higher-stakes feeds.
Concrete use cases include:
Because ADS-B is unauthenticated by design, any defense-relevant surveillance fusion system must treat it as a corroborating input, cross-checked against radar or multilateration, rather than a sole source of truth. The same openness that makes ADS-B a superb research and training dataset is exactly what makes it unsuitable as a standalone trust anchor in an operational security context — a distinction that should inform every system design decision built on top of it.