Electronic warfare signal detection is the capability that separates a passive spectrum monitor from an active EW defense system. Where general spectrum monitoring asks "what is transmitting in my area of operations?", EW signal detection asks a harder question: "which of those transmissions is trying to kill, blind, or deceive me?" Jamming, spoofing, and deceptive emission are not simply unauthorized transmissions — they are deliberate technical attacks against the electromagnetic functions that modern military operations depend on: navigation, communications, radar, and data links. Detecting them accurately, classifying them quickly, and locating them precisely is the first step toward neutralizing them.
Building automated EW detection into a SIGINT platform requires understanding the threat taxonomy, designing a detection pipeline that handles each threat class, and integrating the outputs with operational systems — from navigation receivers and communication networks to fire support and electronic warfare battle management. This article walks through each layer of that architecture.
EW threat taxonomy: the signal types you are detecting against
Electronic warfare threats arrive across a wide spectrum of technical implementations. Understanding the taxonomy is a prerequisite for designing detection logic, because each threat type has a different spectral signature and demands a different detection approach.
Noise jamming. The most technically straightforward category — a broadband or narrowband noise source is transmitted to overwhelm receiver front-ends on protected frequencies. Barrage jamming covers a wide frequency range simultaneously, degrading communications across an entire band. Spot jamming concentrates power on a single frequency to maximize the jamming-to-signal (J/S) ratio against a specific link. Sweep jamming scans across a band sequentially, denying communications to any system that attempts to use it. All three variants share a common signature: anomalous noise floor elevation that does not match atmospheric, thermal, or man-made background baselines for the monitored area.
Deceptive jamming. More sophisticated than noise-based approaches, deceptive jamming transmits a false but plausible signal. In radar applications this includes range-gate pull-off (RGPO), which injects a delayed copy of the radar's own return to manipulate the tracked range, and angle deception, which synthesizes a false return from a displaced apparent position. Against communications networks, deceptive injection attacks insert false messages or commands into a link that the victim system accepts as authentic.
GNSS spoofing. GPS and GNSS spoofing generates a synthetic satellite constellation signal that drives navigation receivers to compute a false position, velocity, or time. Modern spoofers can drive receivers to any attacker-selected position with sub-meter accuracy. GNSS spoofing is increasingly a battlefield weapon — it can route autonomous vehicles and loitering munitions to incorrect targets, disrupt timing-dependent data links, and cause fire control systems to compute incorrect ballistic solutions.
Communications jamming. Beyond broadband noise, targeted communications jamming attacks specific waveforms — often using signal intelligence to identify which frequencies and protocols are carrying high-value traffic before tasking the jammer. Reactive jammers detect a transmission and respond with a jamming burst within microseconds, making them effective even against frequency-hopping waveforms if the hopper does not change frequency fast enough.
Detection pipeline: from wideband scan to alert
The EW detection pipeline is architecturally similar to a general anomaly detection pipeline, but with additional classification stages tuned to hostile EW signatures. The canonical pipeline moves through five stages: wideband SDR scan, anomaly detection, classification, geolocation, and alert routing.
Stage 1 — Wideband SDR scan. A software-defined radio receiver covers the monitored frequency range, typically from HF (3 MHz) through microwave (18 GHz and above for some threat systems). The SDR samples the spectrum continuously, producing a stream of FFT frames that capture instantaneous power in each frequency bin. Modern wideband SDRs can cover several hundred megahertz of instantaneous bandwidth; scanning a wider range requires frequency-hopped coverage or multiple front-end chains. The raw IQ data stream is the input to all downstream processing.
Stage 2 — Anomaly detection. Each FFT frame is compared against the baseline model for the current frequency, location, and time of day. Anomaly detectors operate in multiple dimensions: power level anomalies (noise floor elevation, spot power spikes), temporal anomalies (signals appearing outside their registered schedule), and structural anomalies (waveform characteristics inconsistent with the baseline signal on a given channel). CFAR (Constant False Alarm Rate) thresholding normalizes detection sensitivity to the local noise environment, preventing false alarms from temporary propagation changes.
Stage 3 — Classification. Detected anomalies are passed to the EW classifier, which assigns a threat-type hypothesis. Classification uses a combination of rules-based logic (known jammer spectral masks, known spoofing signal parameters) and machine-learning models trained on labeled EW signal datasets. The output is a scored hypothesis: "barrage jammer, 87% confidence", "GNSS spoofer, 73% confidence", "unknown hostile emitter, 61% confidence". Multiple classification hypotheses can coexist for a single detection until additional data resolves the ambiguity.
Stage 4 — Geolocation. Confirmed or high-confidence detections are immediately tasked to the geolocation subsystem. Depending on the node infrastructure, geolocation uses TDOA, AOA, FDOA, or a combination, producing a position estimate and uncertainty ellipse within seconds to minutes of initial detection.
Stage 5 — Alert routing. Classified, geolocated detections are routed to the appropriate downstream systems: the operator dashboard, the common operational picture, EW battle management, and, for fire-support-eligible detections, the targeting workflow.
Jamming detection: noise floor, J/S ratio, and spectral mask violations
Jamming detection algorithms are anchored to three measurable parameters: noise floor deviation, jamming-to-signal ratio, and spectral mask compliance.
Noise floor baseline deviation. For each monitored channel, the system maintains a statistical model of the expected noise floor — mean power in the absence of any signal, variance over time, and the distribution of background occupancy. A jammer elevates this floor. The detector computes a noise floor estimate over a sliding window and compares it against the baseline model. A deviation exceeding the threshold (typically 3–6 dB above the 99th-percentile baseline, depending on the band) triggers a noise-jamming alert. Time-of-day and environmental corrections are applied to prevent false alerts from diurnal propagation shifts.
J/S ratio measurement. When a potential jammer is detected in proximity to a protected link, the system computes the jamming-to-signal ratio at the victim receiver's estimated location. This requires knowledge of the protected link's transmitter position and power, which is available from the frequency management database for friendly systems. The J/S computation uses a simplified link budget model and the jammer's estimated power from the detection. A J/S ratio above the link's designed margin (typically 10–20 dB for tactical waveforms) indicates effective jamming and elevates the alert priority.
Spectral mask violation detection. Every authorized emission type has a defined spectral mask — the boundary of allowable power in adjacent frequency channels. Jamming signals routinely violate spectral masks because they are not designed to comply with friendly frequency management rules. Mask violation detection compares the measured spectral shape of any signal against the registered mask for that frequency and flags deviations. This is particularly effective against spot jammers that have not been specifically tuned to mimic authorized emission characteristics.
Key design consideration: Distinguishing intentional jamming from high-power friendly transmissions that are off-frequency due to oscillator drift or operator error requires correlating the detection with friendly force positions and registered parameters. An anomaly that correlates spatially with a friendly asset and temporally with that asset's communication schedule is more likely a misconfiguration than a hostile act. Automated correlation against the friendly order of battle significantly reduces false hostile classifications.
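The noise-floor deviation test and the J/S link-budget check described above can be sketched as follows. This is an added example, not code from the original article or from any fielded platform. The 8-frame median window, the free-space-only path loss model, and all sample values are constructed assumptions.

```python
import math
import statistics

def percentile(values, pct):
    """Nearest-rank percentile of a list of dB readings."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[min(rank, len(ordered)) - 1]

def noise_floor_alerts(baseline_db, frames_db, window=8, margin_db=3.0):
    """Return frame indices where the sliding-window floor estimate exceeds
    the 99th-percentile baseline by more than margin_db."""
    limit = percentile(baseline_db, 99) + margin_db
    alerts = []
    for i in range(window - 1, len(frames_db)):
        # Median over the window: a single-frame spike cannot move it,
        # so short bursts do not raise a noise-jamming alert.
        floor = statistics.median(frames_db[i - window + 1:i + 1])
        if floor > limit:
            alerts.append(i)
    return alerts

def fspl_db(distance_m, freq_hz):
    """Free-space path loss in dB (simplified link budget, no terrain)."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_hz) - 147.55

def js_ratio_db(sensor_rx_dbm, sensor_to_jammer_m, jammer_to_victim_m,
                tx_eirp_dbm, tx_to_victim_m, freq_hz):
    """J/S at the victim receiver. Jammer EIRP is back-computed from the
    power the sensor measured and the geolocated sensor-to-jammer range."""
    jammer_eirp = sensor_rx_dbm + fspl_db(sensor_to_jammer_m, freq_hz)
    j = jammer_eirp - fspl_db(jammer_to_victim_m, freq_hz)
    s = tx_eirp_dbm - fspl_db(tx_to_victim_m, freq_hz)
    return j - s

def jamming_effective(js_db, link_margin_db):
    """True when J/S exceeds the protected link's designed margin."""
    return js_db > link_margin_db

# Constructed sample data: 200 baseline readings between -110 and -108 dBm,
# then a live capture with one transient spike followed by a sustained rise.
BASELINE_DB = [-110.0 + 0.5 * ((i * 7) % 5) for i in range(200)]
FRAMES_DB = [-109.0] * 10 + [-90.0] + [-109.0] * 9 + [-100.0] * 12

if __name__ == "__main__":
    print("alert frames:", noise_floor_alerts(BASELINE_DB, FRAMES_DB))
    js = js_ratio_db(-40.0, 5000.0, 8000.0, 40.0, 12000.0, 300e6)
    print("J/S dB: %.2f effective vs 10 dB margin: %s"
          % (js, jamming_effective(js, 10.0)))
```

The single-frame spike at index 10 never alerts, while the sustained rise alerts once half the window is elevated.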
GNSS spoofing detection: four complementary checks
GNSS spoofing detection cannot rely on a single technique — a sophisticated spoofer can defeat any individual check while being detectable through others. Robust anti-spoofing requires four complementary verification methods running in parallel.
Multipath signature analysis. Authentic satellite signals arrive at a receiver after traveling through the atmosphere and reflecting off terrain and structures, producing a characteristic multipath distribution visible in the signal's correlation function. A spoofer transmitting from a local ground station produces an anomalously clean correlation peak with minimal multipath spreading — a signature that is physically impossible for genuine satellite signals arriving from 20,000 km altitude. Multipath signature monitoring compares the measured correlation function against a statistical model of expected authentic multipath for the receiver's environment.
Clock drift anomaly monitoring. A GNSS receiver continuously estimates and corrects a clock bias to maintain timing accuracy. The rate at which this clock bias must be corrected follows a characteristic statistical pattern for authentic satellite signals. A spoofing signal — particularly during the initial attack when the spoofer is acquiring the receiver — produces anomalous clock correction behavior: sudden large jumps, implausibly smooth corrections with zero noise, or a correction pattern inconsistent with the receiver's thermal environment. The clock drift monitor tracks the time series of clock corrections and flags statistical deviations.
Cross-receiver consistency checking. A spoofer transmitting from a single location cannot, in general, produce a physically consistent false signal for receivers at significantly different positions — the timing and phase relationships required for the spoofed signals to produce different (but internally consistent) false positions for each receiver are computationally and physically difficult to maintain in real time. Deploying two or more GNSS receivers separated by 10–50 meters and comparing their reported positions against the known baseline separation vector provides a powerful detection layer. If both receivers report the same absolute position (rather than positions separated by the correct baseline), spoofing is indicated.
Inertial navigation cross-validation. An inertial measurement unit (IMU) provides a dead-reckoning position track that is entirely independent of GNSS. The EW detection system continuously compares the GNSS-derived position and velocity against the IMU-derived track. A spoofing attack that moves the reported GNSS position instantaneously — or at a velocity inconsistent with the IMU's measured acceleration — is immediately flagged. The integration of GNSS and INS is standard in modern military navigation systems, and the cross-validation layer can be implemented as a software module without hardware changes.
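The cross-receiver baseline check and the inertial cross-validation can run side by side, as in this added example (not code from the original article). The 5 m and 10 m tolerances, the flat-earth offset approximation, the flag names, and the three scenarios are constructed assumptions.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def enu_offset_m(fix_a, fix_b):
    """East/north offset in metres from fix A to fix B. Equirectangular
    approximation, adequate for offsets of tens to hundreds of metres."""
    lat_a, lon_a = fix_a
    lat_b, lon_b = fix_b
    north = math.radians(lat_b - lat_a) * EARTH_RADIUS_M
    east = (math.radians(lon_b - lon_a) * EARTH_RADIUS_M
            * math.cos(math.radians((lat_a + lat_b) / 2)))
    return east, north

def vector_error_m(measured, expected):
    """Length of the difference between two east/north vectors."""
    return math.hypot(measured[0] - expected[0], measured[1] - expected[1])

def assess(fix_a, fix_b, baseline_en, prev_fix_a, ins_delta_en,
           baseline_tol_m=5.0, ins_tol_m=10.0):
    """Run both checks for one epoch and return the list of raised flags."""
    flags = []
    # Check 1: reported A->B vector must match the surveyed antenna baseline.
    if vector_error_m(enu_offset_m(fix_a, fix_b), baseline_en) > baseline_tol_m:
        flags.append("baseline_mismatch")
    # Check 2: GNSS displacement since last epoch must match IMU dead reckoning.
    if vector_error_m(enu_offset_m(prev_fix_a, fix_a), ins_delta_en) > ins_tol_m:
        flags.append("ins_divergence")
    return flags

def shift(fix, east_m, north_m):
    """Constructed-data helper: move a (lat, lon) fix by metres."""
    lat = fix[0] + math.degrees(north_m / EARTH_RADIUS_M)
    lon = fix[1] + math.degrees(
        east_m / (EARTH_RADIUS_M * math.cos(math.radians(fix[0]))))
    return lat, lon

# Constructed scenario inputs: antennas 30 m apart east-west, platform
# moved 12 m east during the epoch according to the IMU.
PREV_A = (48.0, 11.0)
BASELINE_EN = (30.0, 0.0)
INS_DELTA_EN = (12.0, 0.0)

def scenario(name):
    """Return the flags raised for one of three constructed cases."""
    if name == "authentic":
        a = shift(PREV_A, 12.0, 0.0)
        b = shift(a, 30.0, 0.0)
    elif name == "jump":
        # Both receivers report the same fix, 400 m off the true track.
        a = b = shift(PREV_A, 0.0, 400.0)
    else:
        # "slow_drag": both receivers share one fix that creeps 3 m per epoch.
        a = b = shift(PREV_A, 12.0, 3.0)
    return assess(a, b, BASELINE_EN, PREV_A, INS_DELTA_EN)

if __name__ == "__main__":
    for name in ("authentic", "jump", "slow_drag"):
        print(name, scenario(name))
```

The slow drag-off stays inside the inertial tolerance for a single epoch and is caught only by the collapsed baseline, which is why the checks are run in parallel.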
Deceptive signal classification: statistical fingerprinting against a known-good baseline
Deceptive signals — whether radar deception waveforms, communications injection attacks, or GNSS spoofing variants — share a common vulnerability: they are generated by an adversary who is not the original transmitter, and their statistical properties differ measurably from authentic emissions.
The classification approach builds a known-good emissions baseline for every monitored waveform type: the characteristic power spectral density, the symbol timing statistics, the phase noise profile, the cyclostationary features, and the higher-order statistical moments of the modulation. This baseline is derived from authenticated samples of the genuine signal — recorded from trusted transmitters under controlled conditions.
When a received signal on a protected channel deviates from this baseline in one or more dimensions, it is flagged as a deception candidate. Deviation scoring computes a composite distance metric across all baseline dimensions; signals exceeding a threshold are forwarded to the EW classifier. The classifier then attempts to match the deviation pattern against known deception waveform templates — an RGPO attack has a characteristic timing deviation pattern, and a voice-injection attack has characteristic framing anomalies relative to the expected codec. Unknown deception waveforms that match no template are escalated as high-priority unknowns.
Statistical fingerprinting also applies to emitter identification: each real transmitter has a unique RF fingerprint arising from component tolerances in its oscillator, amplifier, and filter chain. Tracking these fingerprints allows the system to detect when a frequency is occupied by a transmitter whose hardware signature does not match the registered equipment — an indicator that the emitter has been replaced or that a replay attack is in progress.
Emitter geolocation under jamming: TDOA, AOA, and FDOA
Geolocating a hostile emitter that is actively jamming presents a paradox: the jammer's signal is simultaneously the strongest input to the collection system and the most difficult to work with, because it degrades the synchronization references that some geolocation techniques rely on.
TDOA with distributed nodes. Time Difference of Arrival geolocation places multiple receiver nodes across the operational area, each equipped with a precise timing reference — GPS-disciplined oscillators under benign conditions, atomic frequency standards under GPS-denied conditions. Each node records the arrival timestamp of the jamming signal. The differences in arrival time between node pairs define hyperbolae on a map; with three or more nodes, the intersection of hyperbolae produces a fix. TDOA accuracy scales with timing precision and node separation: 100-nanosecond timing precision with nodes separated by 10 km produces position accuracy of approximately 30 meters at the emitter's distance — sufficient for artillery targeting. Increasing node count improves fix accuracy and provides redundancy if one node is jammed or destroyed.
AOA triangulation. Angle of Arrival geolocation uses directional antenna arrays — interferometric, Adcock, or phased array — to measure the bearing from each node to the emitter. Two bearings from separated nodes triangulate to a fix; additional bearings reduce the uncertainty ellipse. AOA does not require synchronized clocks, making it suitable for degraded-timing environments. Its weakness is angular accuracy, which degrades with multipath and with emitter distance. AOA is the fastest technique to provide an initial bearing — a well-designed array can provide a bearing within one second of signal onset — and is typically used to cue TDOA processing rather than as a standalone geolocation method.
FDOA for moving emitters. Frequency Difference of Arrival exploits the Doppler shift differences that a moving emitter produces at spatially separated receivers. For a jammer mounted on a moving vehicle or aircraft, the velocity component along each receiver-emitter line of sight differs, producing measurable differential Doppler. FDOA processing cross-correlates the received signals to extract both the time difference and the frequency difference, providing simultaneous position and velocity estimates. Combined TDOA/FDOA processing — sometimes called hyperbolic geolocation — is the standard technique for moving emitters in high-value EW applications.
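The TDOA fix described above, and its sensitivity to timing error, can be worked through in a few lines. This is an added example, not code from the original article. It assumes flat 2-D geometry, four nodes on a constructed 10 km square, a constructed emitter position, and a Gauss-Newton solver chosen for illustration.

```python
import math

C = 299_792_458.0  # speed of light, m/s

def simulate_arrivals(emitter, nodes, t_emit):
    """Constructed-data helper: arrival timestamp at each node in seconds."""
    return [t_emit + math.dist(emitter, n) / C for n in nodes]

def tdoa_fix(nodes, arrival_s, iterations=25):
    """Gauss-Newton solve for emitter (x, y) from arrival timestamps.
    Node 0 is the reference; the unknown emission time cancels in the
    differences, so only inter-node clock agreement matters."""
    meas = [(t - arrival_s[0]) * C for t in arrival_s[1:]]  # range differences
    x = sum(n[0] for n in nodes) / len(nodes)  # start at the array centroid
    y = sum(n[1] for n in nodes) / len(nodes)
    for _ in range(iterations):
        r0 = math.dist((x, y), nodes[0])
        a = b = c = g1 = g2 = 0.0
        for node, d in zip(nodes[1:], meas):
            ri = math.dist((x, y), node)
            res = (ri - r0) - d  # modelled minus measured range difference
            jx = (x - node[0]) / ri - (x - nodes[0][0]) / r0
            jy = (y - node[1]) / ri - (y - nodes[0][1]) / r0
            a += jx * jx
            b += jx * jy
            c += jy * jy
            g1 += jx * res
            g2 += jy * res
        det = a * c - b * b
        if abs(det) < 1e-12:
            raise ValueError("degenerate node geometry")
        dx = (c * g1 - b * g2) / det  # solve the 2x2 normal equations
        dy = (a * g2 - b * g1) / det
        x -= dx
        y -= dy
        if math.hypot(dx, dy) < 1e-4:
            break
    return x, y

# Constructed scenario: positions in metres, emission time arbitrary.
NODES = [(0.0, 0.0), (10_000.0, 0.0), (0.0, 10_000.0), (10_000.0, 10_000.0)]
EMITTER = (3_000.0, 7_000.0)

def fix_error_m(timing_error_s=0.0):
    """Position error when node 1's timestamp is off by timing_error_s."""
    arrivals = simulate_arrivals(EMITTER, NODES, 12.345)
    arrivals[1] += timing_error_s
    return math.dist(tdoa_fix(NODES, arrivals), EMITTER)

if __name__ == "__main__":
    print("error, perfect timing: %.4f m" % fix_error_m())
    print("error, 100 ns on one node: %.1f m" % fix_error_m(100e-9))
```

A 100 ns error on one node corresponds to about 30 m of range difference; with the emitter inside this array the resulting position error is on the order of ten metres, and it grows as the geometry worsens outside the array.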
Alert and reporting: SALUTE, EWIR, CoT, and the operator dashboard
Detection and geolocation produce intelligence that must reach the right operators in the right format within the operational time window. The alert and reporting layer handles this distribution.
Automated SALUTE and EWIR generation. On hostile emitter classification, the platform immediately generates two report drafts in parallel. The SALUTE report (Size, Activity, Location, Unit, Time, Equipment) is formatted for tactical consumption — brief, standardized, and routable over standard military messaging. The Electronic Warfare Incident Report (EWIR) is formatted for the EW battle manager and the intelligence chain, carrying full technical parameters: frequency, bandwidth, modulation, estimated power, geolocation fix with uncertainty, duration, and threat classification with confidence. Both reports are generated automatically from the detection and geolocation records; a human reviewer approves before transmission, though the review process is designed to take under 60 seconds for routine detections.
Integration with TAK/ATAK via Cursor on Target. The platform outputs Cursor on Target (CoT) XML events for each confirmed hostile emitter, publishing them to a TAK Server or directly to clients via an Event Streaming Server. Each CoT event carries the emitter's WGS-84 position, the uncertainty ellipse encoded in the standard hae/ce/le fields, a MIL-STD-2525D symbol code identifying the threat category, and a remarks field with key technical parameters accessible on tap. ATAK users see hostile EW emitters on their map overlaid with friendly force positions, enabling immediate tactical decisions without leaving the situational awareness tool.
Operator dashboard. The EW detection dashboard presents a real-time spectrum waterfall alongside a map view showing all active detections. Each detection card shows the threat type, confidence score, geolocation fix, time of first and last activity, and one-click access to the raw IQ recording. Analysts can annotate detections, escalate to targeting, or dismiss as non-threatening with a single interaction. Dashboard metrics — mean time to detection, active threats by category, J/S ratio trends on protected links — provide the EW officer a continuous picture of the electromagnetic threat environment.
Counter-EW integration: from detection to action
EW signal detection is not an end in itself — its operational value is realized when detected emitter locations and technical parameters feed downstream action systems.
Fire support integration. Confirmed hostile emitter positions that meet targeting criteria — geolocation accuracy sufficient for the weapon system, positive hostile identification, deconfliction with friendly forces — can be nominated as targets through the joint targeting process. The EW platform exports emitter records in standardized formats (NFMT, MIDB, or formatted SALUTE), triggering a target development workflow in the fire support coordination system. The platform enforces a human confirmation gate: automated detection produces a target candidate, not a fire order. Targeting staff review the geolocation uncertainty ellipse, the identification confidence, and the proximity to friendly forces before accepting the nomination.
EW coordination deconfliction database. When a hostile emitter is detected and characterized, its frequency band, location, and activity pattern are entered into the EW deconfliction database. This database prevents friendly EW systems from transmitting on frequencies that would mask collection of the detected emitter — a common problem when offensive EW and SIGINT collection are operating simultaneously in the same area. The deconfliction database also records which friendly systems may be affected by the detected jamming, enabling rapid notification to affected units and alternative communication routing.
Adaptive collection cueing. Confirmed EW threats cue additional collection assets. A detected GNSS spoofer location is forwarded to direction-finding teams for higher-accuracy geolocation. A communications jammer detection triggers monitoring of adjacent bands for the command links that control the jammer — a jammer that is itself observable over RF is often controlled over a separate RF channel that becomes a second collection target. This adversarial signal-chaining — following the jammer to its controller — is one of the highest-value applications of integrated EW detection in a SIGINT platform.