Abstract

Well poisoning is an ancient war stratagem which was frequently used as a "scorched earth tactic". Today this tactic has been adapted by malicious attackers to the digital world and evolved into "stream poisoning", in which corrupt or fallacious data is injected into a data lake, so as to corrupt the integrity of the information stored there. Numerous maritime surveillance systems nowadays rely on the Automatic Identification System (AIS), which is compulsory for vessels over 299 Gross Tones, for vessel tracking purposes. Ship AIS spoofing involves creating a nonexistent vessel or masquerading a vessel's true identity, resulting in hiding or transmitting false positional data, so that a vessel appears to behave legitimately, thus deceiving stakeholders and authorities. Due to the volume and velocity of data received traditional approaches fail to automatically detect these spoofing events in real time. We focus on an industrial use case of detecting spoofing events in AIS streams and validate our approach in real world conditions.