Self-Measurement Without Central Observability

22 January 2026 • Yuriy Polyulya •

#distributed-systems #edge-computing #observability #anomaly-detection

---

Prerequisites

The measurement problem addressed here emerges directly from the framework in Why Edge Is Not Cloud Minus Bandwidth. It does not exist independently of that foundation.

Three results from that foundation shape everything in this article. First, the Semi-Markov connectivity model ( Definition 12 ) establishes when measurement becomes the system’s only source of truth. During the None regime ($\mathcal{N}$ ), there is no external observability infrastructure - no central monitoring, no cloud metrics, no human operator in the loop. Every judgment the system makes about its own health must be drawn from local evidence alone. Self-measurement is not about building better dashboards; it is about survival during partition.

Second, the capability hierarchy ($\mathcal{L}_0$ –$\mathcal{L}_4$ ) establishes what measurement must protect. A system that cannot assess its own capability level cannot make sound decisions about which recovery actions to attempt, how aggressively to heal, or when to shed load. Accurate health knowledge is the prerequisite for any subsequent autonomous action.

Third, the inversion thesis - “design for disconnected, enhance for connected” - establishes the design constraint. The observation mechanisms developed here must function in complete isolation from day one. Reporting to a central collector, when connectivity permits, is an enhancement. It is never a dependency.

The state variables \(\Sigma(t)\) and \(\mathbf{H}(t)\) defined in Why Edge Is Not Cloud Minus Bandwidth exist formally in the model. This article addresses how they are actually estimated: from local sensor readings, from inter-node gossip when the mesh is intact, and from statistical inference when observations age. These mechanisms require $\mathcal{L}_0$ survival capability already in place — stable power, safe-state defaults, and basic mission function in complete isolation. Anomaly detection on a node that cannot maintain power or safe state is unsound regardless of detection accuracy.

Throughout this series: Node = a logical autonomous control unit (a drone, vehicle, or embedded MCU running the autonomic stack). Device = the physical platform hosting a node. Sensor = a data source on a device. These are distinct roles: a single device may host one node and dozens of sensors.

---

Memory budget prerequisite. All definitions and propositions in this article assume the zero-tax autonomic tier ( Definitions 95–97 , The Constraint Sequence and the Handover Boundary) is active, providing a ~200-byte baseline for health tracking. On platforms where the full measurement stack cannot fit (< 4 KB SRAM), the definitions below cannot activate and the system degrades to heartbeat-only L0 observation.

Architectural prerequisite. This article assumes the Inversion Threshold condition ( Proposition 2 , Why Edge Is Not Cloud Minus Bandwidth) is satisfied: \(P(C(t) = 0) > \tau^*\). When partition probability falls below \(\tau^*\), cloud-connected diagnostics dominate and the local autonomy stack described here is over-engineered for that deployment profile.

Overview

Self-measurement lets autonomous systems know their own state without external infrastructure. Each concept in this article connects directly to a design consequence:

Concept	What It Tells You	Design Consequence
Anomaly Detection	Flag anomaly when $P(H_1 \mid z_t) > C_{\text{FP}}/(C_{\text{FP}} + C_{\text{FN}})$	Set detection sensitivity from error costs
Gossip Propagation	Convergence $O(\ln n / f_g)$	Size fleet from acceptable propagation delay
Staleness Theory	$\tau_{\max} = (\Delta h / (z_{\alpha/2}\sigma))^2$	Bound observation age from acceptable drift and diffusion coefficient
Byzantine Tolerance	$\sum_{\text{Byz}} T_i < \frac{1}{3}\sum_{\text{all}} T_i$	Trust-weight nodes to bound adversarial influence

Decoding the overview table.

• Anomaly detection threshold: The detection trigger equals the ratio of false-positive cost to total error cost. When missing a failure costs \(10\times\) more than a false alarm, the optimal threshold is \(\geq 91\%\) (illustrative value — derived from the 10× cost ratio via Proposition 9) posterior probability, not 50%.
• Gossip convergence $O(\ln n / f_g)$ : Fleet-wide health state propagates in logarithmic time. A 127-node OUTPOST mesh converges in ~5 gossip rounds (illustrative value) at a 0.5/s fanout rate (illustrative value) — under 15 seconds (illustrative value).
• Maximum staleness bound: Observation age has a hard ceiling: beyond $\tau_{\max}$ , the estimate has drifted so far that acting on it is worse than having no data.
• Byzantine bound: If compromised nodes control more than one-third of aggregate trust weight, the fleet’s health picture can be corrupted. Design trust weighting to enforce this ceiling even under adversarial enrollment.

This builds on fault detection (Cristian, 1991) and epidemic algorithms (also called gossip protocol or epidemic dissemination — terms used interchangeably in this series) [1] , applying both in contested edge environments where central infrastructure is unavailable.

---

Opening Narrative: OUTPOST Under Observation

Early morning. OUTPOST BRAVO’s 127-sensor perimeter mesh has been operating for 43 days. Without warning, the satellite uplink goes dark - no graceful degradation. Seconds later, Sensor 47 stops reporting. Last transmission: routine, battery at 73%, mesh connectivity strong. Then silence.

OUTPOST needs to answer: how do you diagnose this failure without external systems?

Hardware failure routes around the sensor; communication failure attempts alternative paths; environmental occlusion waits and retries; adversarial action triggers alert and defensive posture.

Each diagnosis implies different response. Without central observability, OUTPOST must diagnose itself — analyze patterns, correlate with neighbors, assess probabilities, decide on response. All locally. All autonomously.

The sensor cannot speak for itself. Everything OUTPOST knows about Sensor 47 must be inferred from what Sensor 47 is not saying, what its neighbors observed last, and what the baseline predicted it should be doing right now.

This is self-measurement: assessing health and diagnosing anomalies without external assistance. You can’t heal what you haven’t diagnosed, and you can’t diagnose what you haven’t measured.

---

The Self-Measurement Challenge

Cloud-native observability assumes continuous connectivity. The diagram below traces that pipeline from raw metrics to human-driven remediation. Every arrow is a network call — and every one fails when connectivity is denied.

    
    graph LR
    A[Metrics] -->|"network"| B[Collector]
    B -->|"network"| C[Storage]
    C -->|"network"| D[Analysis]
    D -->|"network"| E[Alerting]
    E -->|"network"| F[Human Operator]
    F -->|"network"| G[Remediation]

    style A fill:#e8f5e9
    style F fill:#ffcdd2
    linkStyle 0,1,2,3,4,5 stroke:#f44336,stroke-width:2px,stroke-dasharray: 5 5

Every arrow represents a network call. For edge systems, this architecture fails at the first arrow - when connectivity is denied, the entire observability pipeline is severed.

Read the diagram. Every arrow is a network call. In the Denied regime, the first arrow fails — and with it, the entire pipeline. Human operators and cloud analysis are not “later steps”; they are load-bearing columns. Remove them and the structure collapses.

The edge alternative inverts the data flow [2] : sensors, analysis, and actuation all reside on the device, and the feedback loop closes locally without any external network call.

    
    graph LR
    A[Local Sensors] --> B[Local Analyzer]
    B --> C[Health State]
    C --> D[Autonomic Controller]
    D --> E[Self-Healing Action]
    E -->|"feedback"| A

    style A fill:#e8f5e9
    style B fill:#c8e6c9
    style C fill:#fff9c4
    style D fill:#ffcc80
    style E fill:#ffab91

Analysis happens locally. Alerting goes to an autonomic controller, not human operators. The loop closes locally without external connectivity.

Read the diagram. No arrow leaves the device. The feedback loop closes from local sensors through local analysis to autonomic action and back. Cloud reporting, when connectivity permits, is an out-of-band enhancement — not a dependency.

The table below shows how every dimension of the observability problem differs between the two architectures — not just the technical constraints but also the economic cost structure of errors.

Aspect	Cloud Observability	Edge Self-Measurement
Analysis location	Central service	Local device
Alerting target	Human operator	Autonomic controller
Training data	Abundant historical data	Limited local samples
Ground truth	Labels from past incidents	Uncertain, inferred
Compute budget	Elastic (scale up)	Fixed (device limits)
Memory budget	Practically unlimited	Constrained (MB range)
Response latency	Minutes acceptable	Seconds required

Analysis must happen locally, and alerting must be autonomous. Waiting for human operators or external services is not an option. The system must detect, diagnose, and decide within the constraints of local compute and memory.

Physical translation. The asymmetry in the cost column is the design driver. A false positive triggers an unnecessary healing action — wasteful but recoverable. A false negative leaves a failure undetected — potentially cascading in environments where one missed sensor failure enables adversarial exploitation of the coverage gap. This asymmetry determines the detection threshold — the cost model drives the architecture.

Cognitive Map — Section 1. Three results from Why Edge Is Not Cloud Minus Bandwidth motivate self-measurement: Denied regime eliminates external observability, capability hierarchy requires accurate health to trigger recovery, inversion thesis requires measurement to function in complete isolation \(\to\) cloud observability pipeline has six network dependencies, all failing together \(\to\) edge local loop has zero external dependencies \(\to\) false-negative cost asymmetry drives detection threshold design.

---

Local Anomaly Detection

The Detection Problem

Anomaly detection is signal classification. The sensor produces a sequence of scalar observations \(x_1, x_2, \ldots, x_t\) indexed by time, where each \(x_t\) is a single reading (voltage, temperature, signal strength, etc.) at step \(t\).

$$x_1, x_2, \ldots, x_t$$

At each timestep, the local analyzer must decide: is this observation normal, or anomalous?

This is a binary classification under uncertainty:

• \(H_0\) (null hypothesis): The observation is from the normal distribution
• \(H_1\) (alternative): The observation is from an anomalous process

Definition 19 (Local Anomaly Detection Problem). Given a time series $\{x_t\}_{t \geq 0}$ generated by process \(P\), the local anomaly detection problem is to determine, for each observation \(x_t\), whether \(P\) has transitioned from nominal behavior \(P_0\) to anomalous behavior \(P_1\), subject to:

• Computational budget \(O(1)\) per observation
• Memory budget \(O(m)\) for fixed \(m\)
• No access to ground truth labels
• Real-time decision requirement

In other words, the detector must classify each incoming reading as normal or anomalous using only a fixed-size memory footprint and constant work per sample — ruling out batch methods or model retraining on the fly.

Mode-Transition Safety Requirement. Upon any capability-level transition ( Definition 3 , Why Edge Is Not Cloud Minus Bandwidth), the anomaly detector must immediately recompute both the dynamic threshold \(\theta^*(t)\) and the stability-region lower bound \(\delta_q\) using the new mode’s parameters (\(T_\text{tick}(q)\), Stability Region from Definition 4 ). Do not carry over \(\theta^*(t)\) from the previous mode; recompute it with the current \(T_\text{acc}\) value and the new \(\delta_q\) floor. This ensures the detector never operates outside the new mode’s Stability Region boundary, as required by the series’ mode-switching stability guarantee.

T_acc carry-over. Since \(T_\text{acc}\) does not reset on mode transitions ( Definition 15 , Why Edge Is Not Cloud Minus Bandwidth), the threshold recomputation uses the old \(T_\text{acc}\) value with the new mode’s \(\delta_q\) and \(\gamma_\text{FN}\). The net effect: entering a more degraded mode mid-partition produces a tighter threshold (the new mode’s smaller Stability Region means \(\delta_q\) consumes more headroom) applied to the same accumulated partition age.

Simultaneous transition + partition crossing. When a mode transition and a partition boundary crossing occur in the same MAPE-K tick (e.g., battery drops to L0 while connectivity fails simultaneously): apply the mode transition first (compute new \(\theta^*(t)\) using the new mode’s \(\delta_q\) and current \(T_\text{acc}\)), then evaluate partition-dependent triggers ( Proposition 37 circuit breaker, threshold tightening). This order ensures the new mode’s Stability Region is respected before partition-specific thresholds are applied. Reversing the order would evaluate the circuit breaker against a pre-transition \(\delta_q\), potentially firing at the wrong threshold.

Constraint	Cloud Detection	Edge Detection
Compute	GPU clusters, distributed	Single CPU, milliwatts
Memory	Terabytes for models	Megabytes for everything
Training data	Petabytes historical	Days of local history
Ground truth	Labels from incident response	Inference from outcomes
FP cost	Human review time	Unnecessary healing action
FN cost	Delayed response	Undetected failure, potential loss

The asymmetry of costs is critical. A false positive triggers an unnecessary healing action - wasteful but recoverable. A false negative leaves a failure undetected - potentially catastrophic in contested environments where undetected failures cascade.

The diagram below shows the local anomaly detection pipeline: raw sensor data flows through the Kalman estimator, the residual is compared to the adaptive threshold, and an anomaly triggers an alert while a normal reading updates the baseline.

    
    sequenceDiagram
    participant S as Sensor
    participant K as Kalman Estimator
    participant T as Threshold Engine
    participant A as Alert Bus
    S->>K: raw measurement x(t)
    K->>K: predict: x_hat(t|t-1)
    K->>K: update: gain, state, variance
    K->>T: residual z(t) = x(t) - x_hat(t|t-1)
    T->>T: compare |z(t)| vs theta_star(t)
    alt anomaly detected
        T->>A: raise alert(severity, timestamp)
    else normal
        T->>K: update baseline
    end

Statistical Approaches

MAPE-K [Kephart & Chess, 2003] (Monitor–Analyse–Plan–Execute with Knowledge Base): the four-phase autonomic control loop executing periodically at tick interval T_tick(q). The Monitor phase collects measurements; Analyse applies anomaly detection; Plan selects healing actions; Execute issues commands. The Knowledge Base K provides shared state across all four phases.

Edge anomaly detection requires algorithms that are computationally lightweight (O(1) per observation), memory-efficient (constant or logarithmic memory), adaptive (capable of adjusting to changing baselines without retraining), and interpretable (providing confidence values rather than binary classification).

Three approaches meet these requirements:

Exponential Weighted Moving Average (EWMA)

The simplest effective approach. The two equations below update the running mean \(\mu_t\) and running variance $\sigma_t^2$ after each new observation \(x_t\), where \(\alpha \in (0,1)\) is the smoothing weight that trades recency for stability.

$$\begin{aligned} \mu_t &= \alpha x_t + (1 - \alpha) \mu_{t-1} \\ \sigma_t^2 &= \alpha (x_t - \mu_{t-1})^2 + (1 - \alpha) \sigma_{t-1}^2 \end{aligned}$$

Physical translation: \(\mu_t\) is a weighted average that remembers recent readings at weight \(\alpha\) and forgets old ones at rate \((1 - \alpha)\). $\sigma_t^2$ tracks how much the signal bounces around its own recent mean. Together they define “what normal looks like right now” — updating in two multiply-adds per observation tick.

The smoothing weight \(\alpha\) typically falls between 0.05 and 0.3 (threshold — the right value depends on the noise variance of the target metric); at \(\alpha = 0.1\) (illustrative value) the effective window spans approximately 10 samples, and larger values accelerate adaptation at the cost of noisier baselines.

Mode-indexed smoothing — the stability-region coupling. When $T_{\text{tick}}$ changes across capability levels ( Definition 3 in Why Edge Is Not Cloud Minus Bandwidth), a fixed \(\alpha\) produces windows of different physical duration. At L1 with $T_{\text{tick}}$ doubled, \(\alpha = 0.1\) tracks a 100-second window instead of 50 seconds, halving baseline responsiveness exactly when the system’s Stability Region ( Definition 4 in Why Edge Is Not Cloud Minus Bandwidth) is smallest.

To preserve a constant physical time constant $T_{\text{window}}$ across modes, the smoothing weight must be mode-indexed:

$$\alpha_q = 1 - e^{-\kappa_{\mathrm{drift}} \cdot T_{\mathrm{tick}}(q)}$$

Physical translation: The smoothing coefficient grows with the tick interval — in survival mode where \(T_\text{tick}\) is longer, \(\alpha\) is larger, meaning the baseline updates faster per tick but is still updated less frequently in wall-clock time. This prevents a sudden switch to a low-frequency survival schedule from freezing the baseline at a stale value: the first post-switch observation still gets appropriate weight. Without this correction, a baseline appropriately tuned at L3 becomes underresponsive at L1 — suppressing the anomaly score exactly when the healing loop’s corrective authority is most reduced.

where $\kappa_{\text{drift}}$ is the process drift rate in s${}^{-1}$ , calibrated from stationary field data.

Example: $\kappa_{\text{drift}} = 0.02\,\text{s}^{-1}$ (illustrative value) gives $\alpha_{L3} \approx 0.095$ (illustrative value) (5 s tick, 53 s effective window) and $\alpha_{L1} \approx 0.181$ (illustrative value) (10 s tick, 55 s effective window) — windows matched to within 4% (illustrative value).

Without this correction, a baseline that is appropriately tuned at L3 becomes systematically underresponsive at L1, suppressing $z_t^K$ below the detection threshold precisely when the healing loop’s corrective authority ( Definition 40 in Self-Healing Without Connectivity) is most reduced.

$\kappa_{\text{drift}}$ (process drift rate, \(s^{-1}\)) is the Kalman model noise rate calibrated from stationary field data. Distinct from: Weibull scale \(\lambda_i\) ( Definition 13 ), gossip contact rate \(f_g\) ( Proposition 12 ), and information decay rate \(\lambda_c\) ( Definition 5b ).

\(\lambda\) notation legend. \(\lambda\) carries six distinct roles in this article; subscripts and function notation are the sole disambiguators at each occurrence:

1. Gossip contact rate — \(f_g > 0\) (exchanges per second per node); see Definition 24 and Propositions 12–13 .
2. Weibull scale / drift rate — \(\lambda_i\) or \(\lambda_W\); Weibull scale parameter for partition duration ( Definition 13 in Why Edge Is Not Cloud Minus Bandwidth).
3. Adaptive L2 regularization coefficient — \(\lambda_\text{reg}\); used in the online SVM weight update.
4. Distributional shift decay constant — \(\xi_\text{shift}\); model accuracy decay under covariate shift.
5. Eigenvalue notation — $\lambda_{\max}(\cdot)$ and \(\lambda_i(\cdot)\); standard linear algebra convention throughout.
6. Shadow price — $\zeta_i = \partial U / \partial g_i$ ; Lagrangian multiplier on observability constraint \(g_i\).

Key distinction: \(\kappa_\text{drift}\) (local baseline drift rate, calibrated from stationary field data) and \(\lambda_c\) (partition-induced information decay rate, Why Edge Is Not Cloud Minus Bandwidth) are separate quantities. During partition, \(\lambda_c\) governs staleness of received peer data; \(\kappa_\text{drift}\) governs the local baseline update.

Physical translation: A drift rate of \(0.02\,s^{-1}\) sounds negligible — but in 60 seconds the baseline has shifted by a factor of \(3{\times}\) without adaptive correction. This is why the EMA window must track wall-clock elapsed time, not tick count: at L2 throttling (double the tick interval), the window must double too, or baseline drift appears as a false anomaly.

Where \(\alpha \in (0, 1)\) controls the decay rate. Smaller \(\alpha\) means longer memory. Note: variance uses $\mu_{t-1}$ to keep the estimate independent of \(x_t\), consistent with the anomaly score calculation.

The anomaly score \(z_t\) normalizes the current observation’s deviation from the running mean by the running standard deviation, yielding a dimensionless measure of surprise that can be compared against a fixed threshold regardless of the signal’s units or scale.

$$z_t = \frac{|x_t - \mu_{t-1}|}{\sigma_{t-1}}$$

Physical translation: Divide the current reading’s distance from the running mean by the running standard deviation. A result of 2.5 means this observation is 2.5 standard deviations from what the sensor has been reporting recently — statistically unlikely under a normal distribution regardless of the signal’s units or absolute scale.

Anomaly Classification Decision Problem:

Objective Function: The formula selects the binary decision \(d\) (flag or not flag) that maximizes expected utility given the current observation \(x_t\), where false positive cost $C_{\text{FP}}$ and false negative cost $C_{\text{FN}}$ are the key parameters.

$$d^* = \arg\max_{d \in \{0, 1\}} \mathbb{E}[U(d \mid x_t)] = \arg\max_{d \in \{0, 1\}} \left[ -C_{\text{FP}} \cdot P(H_0 \mid x_t) \cdot d - C_{\text{FN}} \cdot P(H_1 \mid x_t) \cdot (1-d) \right]$$

where \(d = 1\) indicates “anomaly detected”.

Optimal Decision Rule:

The system flags an observation as anomalous when $z_t > \theta^*$ . The optimal threshold \(\theta^*\) is the inverse-normal quantile that balances the prior probabilities of the two hypotheses against their respective error costs, shifting the decision boundary toward sensitivity when missed detections are more costly than false alarms.

Throughout this article, \(\theta^*\) denotes the anomaly-classification threshold (a dimensionless z-score boundary). In Why Edge Is Not Cloud Minus Bandwidth, \(\tau^*\) denotes the Inversion Threshold (a partition-probability boundary). When citing results from both articles in the same context, use $\theta^*_\text{anom}$ for the anomaly threshold and $\tau^*_\text{inv}$ for the inversion threshold.

$$\theta^* = \Phi^{-1}\left(1 - \frac{C_{\text{FN}} \cdot P(H_1)}{C_{\text{FP}} \cdot P(H_0) + C_{\text{FN}} \cdot P(H_1)}\right)$$

Physical translation: \(\theta^*\) shifts the alarm boundary based on how bad each type of mistake is. If missing a fault costs ten times more than raising a false alarm ($C_{\text{FN}}/C_{\text{FP}} = 10$ ), the detector triggers on weaker signals, accepting more false alarms to avoid catastrophic misses. When both costs are equal, the formula reduces to the standard 50th-percentile boundary.

Proposition 9 (Optimal Anomaly Threshold). Applies the anomaly classification problem of Definition 19 to derive: given asymmetric error costs $C_{\text{FP}}$ for false positives and $C_{\text{FN}}$ for false negatives, the optimal detection threshold \(\theta^*\) satisfies the likelihood ratio condition:

Flag an anomaly when the anomalous distribution is more likely than normal, scaled by the relative cost of each mistake.

$$\frac{f_1(\theta)}{f_0(\theta)} = \frac{C_{\text{FP}}}{C_{\text{FN}}}$$

where \(f_1\) is the probability density under \(H_1\) (anomaly) and \(f_0\) under \(H_0\) (normal). The decision boundary lies where the anomaly likelihood exceeds the normal likelihood by the cost ratio.

In other words, the detector should flag an observation as anomalous exactly when the data is more likely to have come from the anomalous distribution \(H_1\) than from the normal distribution \(H_0\), scaled by the relative cost of each type of error.

Proof: The expected cost is the sum of false-positive cost weighted by the false-positive rate and false-negative cost weighted by the false-negative rate, both functions of the chosen threshold \(\theta\).

$$\mathbb{E}[\text{Cost}(\theta)] = C_{\text{FP}} \cdot P_{\text{FP}}(\theta) + C_{\text{FN}} \cdot P_{\text{FN}}(\theta)$$

Setting the derivative of the expected cost with respect to \(\theta\) to zero gives the first-order condition, where \(f_0\) and \(f_1\) are the probability densities under \(H_0\) and \(H_1\) evaluated at the boundary point \(x_\theta\).

$$\frac{d\mathbb{E}[\text{Cost}]}{d\theta} = C_{\text{FP}} \cdot f_0(x_\theta) - C_{\text{FN}} \cdot f_1(x_\theta) = 0$$

This yields the Neyman-Pearson condition. Equivalently, flagging when $z_t > \theta^*$ is identical to the posterior-probability rule below: declare anomaly when the probability of \(H_1\) given the current score exceeds the ratio of false-positive cost to total error cost (see Proposition 9 ).

$$P(H_1 \mid z_t) > \frac{C_{\text{FP}}}{C_{\text{FP}} + C_{\text{FN}}}$$

Both formulations select the same decision boundary; the z-score form is computationally convenient while the posterior form makes the cost trade-off explicit. For tactical edge systems where $C_{\text{FN}} \gg C_{\text{FP}}$ , both shift toward sensitive detection.

Partition-Duration-Aware Threshold ( Definition 13 extension): Under the Weibull partition model, the relative cost of false negatives rises as partition duration grows — missed anomalies cannot be externally remediated. Let $T_{\mathrm{acc}}(t)$ be the partition duration accumulator ( Definition 15 ) and $Q_{0.95}$ the P95 planning threshold ( Definition 13 ). The cost ratio evolves as:

$$\frac{C_{\mathrm{FN}}(t)}{C_{\mathrm{FP}}(t)} = \frac{C_{\mathrm{FN}}}{C_{\mathrm{FP}}} \cdot \left(1 + \gamma_{\mathrm{FN}} \cdot \frac{T_{\mathrm{acc}}(t)}{Q_{0.95}}\right)$$

Physical translation: As the device stays disconnected longer, missing a fault becomes costlier — there is no central system to compensate. This term scales the false-negative cost upward proportionally with partition age, so the detector automatically becomes more sensitive the longer it operates in isolation.

where $\gamma_{\mathrm{FN}} \geq 0$ is the false-negative cost escalation rate (deployment parameter; $\gamma_{\mathrm{FN}} = 0$ recovers the static threshold). Substituting into the Neyman-Pearson condition yields the time-varying optimal threshold:

$$\theta^*(t) = \frac{\theta^*_0}{1 + \gamma_{\mathrm{FN}} \cdot T_{\mathrm{acc}}(t)/Q_{0.95}}$$

Physical translation: At partition start, $\theta^*(t) = \theta^*_0$ — baseline sensitivity. As partition age approaches the P95 planning horizon $Q_{0.95}$ , the alarm threshold shrinks by a factor of $(1 + \gamma_{\text{FN}})$ . When help is farthest away, the detector is most alert.

where $\theta^*_0$ is the static baseline threshold from the likelihood ratio condition above.

Interpretation: As $T_{\mathrm{acc}} \to 0$ , $\theta^*(t) \to \theta^*_0$ (partition just started, baseline sensitivity). As $T_{\mathrm{acc}} \to Q_{0.95}$ , $\theta^*(t) \to \theta^*_0 / (1 + \gamma_{\mathrm{FN}})$ — the detector becomes $(1 + \gamma_{\mathrm{FN}})$ times more sensitive. For $T_{\mathrm{acc}} > Q_{0.95}$ : the circuit breaker ( Proposition 37 ) fires, the system enters L0, and \(\theta^*(t)\) is frozen at its current value — further threshold drift is irrelevant since healing actions are suspended.

The numbers in this calibration block are illustrative values chosen for the OUTPOST scenario; they are not theoretical bounds.

OUTPOST calibration: With $\gamma_{\mathrm{FN}} = 2.0$ (example value — replace with your measured figure), the threshold drops from $\theta^*_0 = 2.5\,\sigma$ (example value) at partition start to $\theta^*_0 / 3 \approx 0.83\,\sigma$ (theoretical bound given the example values above) at the P95 boundary. This triggers more sensitive detection of health anomalies precisely when external recovery is least available.

Calibration example ( RAVEN ). Missed motor degradation costs 1000 J (lost drone); false alarm costs 50 J (wasted diagnostics). Cost ratio \(C_\text{FN}/C_\text{FP} = 20\) (illustrative value). With \(P(H_0) = 0.95\) (illustrative value) (nominal operation 95% of flight time), the optimal threshold \(\theta^*\) requires a posterior anomaly probability \(\geq 95.2\%\) — substantially tighter than a naive 50% threshold. The cost-ratio condition yields $\theta^* \approx 1.8\hat{\sigma}$ (illustrative value — derived from the \(C_\text{FN}/C_\text{FP} = 20\) and \(P(H_0) = 0.95\) choices above), where \(\hat{\sigma}\) is the estimated noise standard deviation from the baseline estimator.

As partition age grows toward \(Q_{95}\), the denominator reaches \((1 + \gamma_\text{FN})\): $\theta^*(Q_{95}) = \theta^*_0 / (1 + \gamma_\text{FN})$ . For OUTPOST with \(\gamma_\text{FN} = 2\) (illustrative value), a threshold initially set at \(2.5\hat{\sigma}\) (illustrative value) becomes \(0.83\hat{\sigma}\) (theoretical bound given the illustrative inputs above) — nearly three times more sensitive. The system grows progressively trigger-happy as partition age approaches the planning horizon, prioritising missed-fault detection over false-alarm suppression.

Circuit breaker interaction. The threshold tightening in this proposition applies only while \(T_\text{acc} \leq Q_{95}\). When \(T_\text{acc}\) exceeds \(Q_{95}\) (the P95 partition duration from Definition 13 ), Proposition 37 (Self-Healing Without Connectivity) fires — the Weibull circuit breaker suspends all healing actions and halts threshold tightening. The system enters L0 monitoring-only mode regardless of currently detected anomalies. Treat \(Q_{95}\) as the hard ceiling on \(T_\text{acc}\) for the purposes of this proposition.

Worked example — OUTPOST with n = 127 sensors. For OUTPOST Weibull parameters \(k = 1.4\) (illustrative value) (shape) and \(\lambda_W = 14400\,\text{s}\) (illustrative value) (scale, 4 h), the P95 partition duration is $Q_{0.95} \approx 32{,}400\,\text{s}$ (theoretical bound under the illustrative Weibull parameters above) (about 9 hours). With $\theta^*_0 = 2.5\sigma$ (illustrative value) and \(\gamma_\text{FN} = 2.0\) (illustrative value):

• At partition onset (\(T_\text{acc} = 0\)): \(\theta^*(0) = 2.5\sigma\) — baseline sensitivity, one alarm per ~80 healthy observations (illustrative value).
• At the circuit-breaker boundary (\(T_\text{acc} = Q_{0.95}\)): $\theta^*(Q_{0.95}) \approx 0.83\sigma$ — nearly three times more sensitive, one alarm per ~3 healthy observations (illustrative value).
• Beyond \(Q_{0.95}\): \(\theta^*\) is frozen at \(0.83\sigma\) and healing actions are suspended.

The \(\theta^*(t)\) state transitions follow four cases. On partition onset, \(\theta^*(t)\) tightens as \(T_\text{acc}\) accumulates, converging toward $\theta^*_0 / (1 + \gamma_\text{FN})$ . At the circuit-breaker boundary (\(T_\text{acc} > Q_{0.95}\)), \(\theta^*(t)\) is frozen at its current value and healing actions are suspended. On reconnection (\(T_\text{acc}\) resets), \(\theta^*(t)\) unfreezes and resumes from its frozen value — the prior partition’s accumulated sensitivity is preserved as the new baseline. On re-partition with a previously frozen \(\theta^*\), tightening resumes from the frozen value, so a node that survived a prior long partition starts the new one already at heightened sensitivity.

Reconnection recovery rule. When the partition ends and \(T_\text{acc}\) resets to zero, the threshold does not snap back to $\theta^*_0$ . Instead it decays back toward baseline via:

$\theta^*(t_{\text{reconnect}}) = \max(\theta^*_{\text{frozen}},\; \theta^*_0 \cdot e^{-\kappa_{\text{recover}} \cdot T_{\text{connected}}})$

where $\kappa_{\text{recover}}$ is a decay constant (default: \(1/T_\text{quarantine}\)) and \(T_\text{connected}\) is elapsed time since reconnection. The \(\max\) ensures the threshold does not fall below the frozen sensitivity level until the node has observed sufficient connected-regime data to justify a looser threshold, preventing chronic false alarms after repeated partitions while preserving the heightened vigilance earned through long isolation.

(Notation: \(\delta\)-subscripted symbols in this section carry distinct roles: \(\delta_q\) is the monitoring guard band (stability margin floor); $\delta_{\text{flat}}$ , $\delta_{\text{noise}}$ are chi-squared test bounds ( Proposition 11 ); $\delta_{\max}$ is the SVM weight-norm bound; $\delta_{\text{crit}}$ , $\delta_{\text{norm}}$ are gossip convergence time parameters. Each is dimensionally distinct; subscripts are the sole disambiguator.)

Stability-region lower bound on \(\theta^*(t)\). The time-varying threshold tightens \(\theta^*(t)\) as partition grows. However, there is a lower bound below which tightening itself destabilizes the healing loop: if \(\theta^*(t)\) drops too far, the error signal $e(t) = z_t^K - \theta^*(t)$ grows even for an unchanged $z_t^K$ , consuming stability margin without any healing action firing. Under the Stability Region framework ( Definition 4 in Why Edge Is Not Cloud Minus Bandwidth), the minimum safe threshold is:

$$\theta^*(t) \;\geq\; \delta_q \;=\; \sqrt{c_q \,/\, \lambda_{\max}(P_q)} - \varepsilon$$

Physical translation: Every stability region has a minimum guard band \(\delta_q\). Tightening the alarm threshold below \(\delta_q\) makes the detector itself a source of instability — small deviations in \(z_t\) generate large error signals that consume control authority without triggering any healing action. Stop tightening at \(\delta_q\).

where \(\delta_q\) is the monitoring guard band for mode \(q\), $\lambda_{\max}(P_q)$ is the largest eigenvalue of the Lyapunov matrix, and \(\varepsilon > 0\) is a small margin. Tightening \(\theta^*(t)\) past \(\delta_q\) pushes the initial error state toward $\partial \mathcal{R}_q$ before any healing action fires — the detector becomes a destabilizing input. In practice, for RAVEN L3 parameters, $\delta_{L3} \approx 0.6\sigma$ (illustrative value), and for L1 thermal throttle, $\delta_{L1} \approx 0.9\sigma$ (illustrative value) — the guard band is tighter exactly when the stability region is smaller.

What this means in practice: The optimal detection threshold is not a tuning knob — it is determined by the cost ratio between wrong action types. If a false positive costs \(10\times\) less than a missed detection, the boundary shifts toward sensitivity; if costs are equal, it reduces to the 50% posterior threshold.

Analogy: A smoke detector vs. a fire — set too sensitive, every burnt piece of toast triggers it; set too lenient, real fires go undetected. The threshold is calibrated from the relative cost of each error type, not from an arbitrary sensitivity preference.

Logic: Proposition 9 derives \(\theta^*\) via the Neyman-Pearson likelihood ratio condition: flag when \(f_1(\theta)/f_0(\theta) = C_{\text{FP}}/C_{\text{FN}}\), shifting the boundary toward sensitivity as the missed-detection cost grows relative to false-alarm cost.

Watch out for: the likelihood-ratio formula assumes both \(H_0\) and \(H_1\) are Gaussian; heavy-tailed sensor noise (vibration transients, electromagnetic interference) shifts the optimal boundary beyond what the Gaussian derivation predicts, so the actual false-negative rate exceeds what the cost ratio implies.

Constraint Set: Any algorithm implementing the optimal decision rule must satisfy these three resource limits; they rule out batch-processing and unbounded-memory approaches that would otherwise be valid statistical choices.

$$\begin{aligned} g_1: && \text{compute}(d) &\leq O(1) && \text{(constant-time per observation)} \\ g_2: && \text{memory}(d) &\leq O(m) && \text{(bounded memory)} \\ g_3: && \theta &\in [\theta_{\min}, \theta_{\max}] && \text{(threshold bounds)} \end{aligned}$$

State Transition Model: The paired update rule below shows how the EWMA accumulates the new observation \(x_t\) into the running mean and variance estimates in a single constant-time step.

$$(\mu_t, \sigma_t^2) = \left(\alpha x_t + (1-\alpha)\mu_{t-1}, \alpha(x_t - \mu_{t-1})^2 + (1-\alpha)\sigma_{t-1}^2\right)$$

EWMA updates take O(1) time (two multiply-adds) and O(1) memory (storing only \(\mu\) and \(\sigma^2\)); adaptation is automatic through exponential decay with no retraining step.

Holt-Winters for Seasonal Patterns

For signals with periodic structure (day/night cycles, shift patterns), Holt-Winters captures level, trend, and seasonality. The three equations below update, respectively, the deseasonalized level \(L_t\), the local trend \(T_t\), and the seasonal correction \(S_t\), each controlled by its own smoothing coefficient (\(\alpha\), $\beta_{\text{hw}}$ , $s_{\text{hw}}$ ) and a period length \(p\). (We write \(\beta_{\text{hw}}\) for the trend coefficient rather than bare \(\beta\) to distinguish it from the bandwidth asymmetry ratio \(\beta = B_b/B_l\) used in the ingress filter later in this article.)

$$\begin{aligned} L_t &= \alpha (x_t - S_{t-p}) + (1 - \alpha)(L_{t-1} + T_{t-1}) \\ T_t &= \beta_{\text{hw}} (L_t - L_{t-1}) + (1 - \beta_{\text{hw}}) T_{t-1} \\ S_t &= s_{\mathrm{hw}} (x_t - L_t) + (1 - s_{\mathrm{hw}}) S_{t-p} \end{aligned}$$

Physical translation: \(L_t\) strips the seasonal swing to expose the true underlying level. \(T_t\) tracks whether that level is rising or falling. \(S_t\) records the repeating up-and-down pattern for this time of day or week. Combine all three for a one-step-ahead forecast — flag an anomaly when the actual reading diverges from that forecast beyond the calibrated threshold.

Where \(L_t\) is level, \(T_t\) is trend, \(S_t\) is seasonal component, and \(p\) is period length.

Holt-Winters updates all three components continuously, requiring O(1) time per observation and O(p) memory to store one period of seasonal factors. The period length \(p\) is scenario-specific: RAVEN flight telemetry has no meaningful seasonality (\(p = 1\); use EWMA instead); CONVOY uses \(p = 24\) hours (illustrative value) for communication quality and \(p = 8\) hours (illustrative value) for engine thermal cycles; OUTPOST uses \(p = 24\) hours (illustrative value) for solar and thermal cycles and \(p = 7\) days (illustrative value) for perimeter activity patterns.

Isolation Forest Sketch for Multivariate

For multivariate anomaly detection with limited memory, streaming isolation forest assigns each point an anomaly score based on how quickly it can be isolated in a random tree ensemble. The formula below maps expected isolation path length \(E[h(x)]\) — normalized by the average path length \(c(n)\) in a random tree of \(n\) points — to a score between 0 and 1, where scores near 1 indicate anomalies that isolate unusually quickly.

$$\text{Anomaly Score} = 2^{-E[h(x)] / c(n)}$$

Physical translation: Points that are easy to isolate (short path through random trees) score near 1 — they stand apart from the crowd and are anomalies. Normal points are hard to isolate (long paths through dense regions) and score near 0.5. The exponential mapping compresses path-length ratios into a 0–5 range regardless of tree depth or dataset size.

Where \(h(x)\) is path length to isolate \(x\), and \(c(n)\) is average path length in a random tree.

Scoring each new point requires O(log n) time per query and O(t) time per tree build, with \(O(t \times d)\) total memory for \(t\) trees at depth limit \(d\); reservoir sampling updates the tree ensemble online without retraining from scratch.

Parameter derivation for CONVOY :

Under assumption set $\mathcal{A}_{IF}$ (memory budget \(M \leq 32\)KB, anomaly rate \(\pi_1 \approx 0.02\), feature dimension \(d = 12\)), the three equations below derive the number of trees \(t\), maximum tree depth $d_{\max}$ , and resulting memory footprint \(M\) from the stated constraints.

$$\begin{aligned} t &= \lceil \ln(1/\delta) / \ln(2) \rceil = 50 \text{ trees for } \delta = 10^{-15} \text{ failure probability} \\ d_{\max} &= \lceil \log_2(n_{\text{sample}}) \rceil = 8 \text{ for } n = 128 \\ M &= t \times d_{\max} \times d \times 4 \text{ bytes} \approx 25\text{KB} \end{aligned}$$

Detection rate derivation: Under $\mathcal{A}_{IF}$ , the formula below lower-bounds the true positive rate as a function of \(t\) and $d_{\max}$ ; the approximation uses $1-(1-p)^t \geq 1-e^{-pt}$ and evaluates to roughly 0.85 (illustrative value) for these parameters.

$$\text{TPR} = 1 - \left(1 - \frac{1}{2^{d_{\max}}}\right)^t \geq 1 - e^{-t/2^{d_{\max}}} \approx 0.85$$

False positive rate $\text{FPR} = \pi_0 \cdot P(\text{anomaly score} > \theta) \approx 0.03$ (illustrative value) for threshold at 95th percentile.

CUSUM for Change-Point Detection

When the goal is detecting when a change occurred (not just that it occurred), CUSUM provides optimal detection for shifts in mean [3] . The statistic \(S_t\) accumulates evidence of a positive shift above the slack \(k\) relative to nominal mean \(\mu_0\), resetting to zero whenever evidence goes negative, and triggers an alarm when it exceeds threshold \(h\).

$$S_t = \max(0, S_{t-1} + x_t - \mu_0 - k)$$

Physical translation: \(S_t\) accumulates evidence of a persistent upward shift. Each sample contributes \(x_t - \mu_0 - k\): negative when the reading is within the allowable slack \(k\), positive when it consistently exceeds it. The \(\max(0, \cdot)\) reset forgets evidence when readings return to normal, so CUSUM only alarms when the shift is sustained — not just occasional — making it ideal for catching slow-onset degradation that EWMA adapts to and misses.

where \(\mu_0\) is the nominal mean and \(k\) is the allowable slack. Alarm when \(S_t > h\).

Detection speed comparison: For a shift of magnitude \(\delta\), the formula below gives the expected number of samples CUSUM needs before triggering, as a function of alarm threshold \(h\), slack \(k\), and shift \(\delta\).

$$N_{\text{CUSUM}} = \frac{h}{\delta - k} \quad \text{for } \delta > k$$

EWMA with smoothing \(\alpha\) detects when $\bar{x}_t$ crosses the control limit $h_{\text{EWMA}} = L \cdot \sigma\sqrt{\alpha/(2-\alpha)}$ . The average run length under \(H_1\) (ARL\(_1\)) depends on both \(\delta\) and \(\alpha\) and has no simple closed form — it is computed from Markov chain approximations or simulation. For standard operating parameters (\(\delta = \sigma\), \(\alpha = 0.3\), control limit \(L = 2.5\)), the standard ARL table entry is shown below.

$$\text{ARL}_1(\text{EWMA}) \approx 12.9 \text{ samples (from standard ARL tables)}$$

Detection speedup analysis:

Under assumption $\delta \in [0.5\sigma, 1.5\sigma]$ , $\Delta U_{\text{speed}} \in [1.15, 1.29]$ . The speedup increases with shift magnitude because CUSUM is parameterized for a known step change (\(k = \delta/2\) is optimal for shift \(\delta\)) while EWMA is a general-purpose smoother not tuned to any specific shift. CUSUM’s optimality for step changes (proven by Moustakides, 1986) means it dominates EWMA for the abrupt sensor failure scenario.

Error rate derivation:

With threshold $\theta = z_\alpha \sigma$ where \(z_\alpha = 2.5\) (illustrative value) and anomaly score $z_t = |x_t - \mu|/\sigma$ , the two-sided normal distribution gives the following false positive and false negative rates; the FNR assumes a shift of $\delta = 4\sigma$ from the anomalous distribution.

$$\begin{aligned} \text{FPR} &= P(|Z| > z_\alpha \mid H_0) = 2\Phi(-z_\alpha) \approx 0.012 \\ \text{FNR} &= P(|Z| \leq z_\alpha \mid H_1) = \Phi(z_\alpha - \delta/\sigma) \approx 0.07 \text{ for } \delta = 4\sigma \end{aligned}$$

Detection latency: EWMA effective memory spans \(1/\alpha\) to $(2-\alpha)/\alpha$ observations. For \(\alpha = 0.3\) (illustrative value): \(N \in [3, 5]\) (illustrative value) observations contribute meaningfully to the statistic.

OUTPOST Sensor 47 uses EWMA for primary detection: temperature, motion intensity, battery voltage each tracked independently. Cross-sensor correlation uses a lightweight covariance estimate between Sensor 47 and its mesh neighbors.

Adaptive Change-Point Detection: From Static to Kalman-Optimal Baseline

The CUSUM statistic above uses a fixed nominal mean \(\mu_0\). Sensor baselines drift in practice: OUTPOST thermal sensors track diurnal temperature cycles, CONVOY engine metrics shift with load and altitude, and RAVEN RF interference patterns change with formation geometry. A stale \(\mu_0\) turns baseline drift into a continuous false alarm stream. The fix is to replace the static \(\mu_0\) with a Kalman-optimal adaptive estimator that tracks “normal” as it evolves.

Definition 20 (Adaptive Baseline Estimator). Given a sensor time series $\{x_t\}$ , the adaptive baseline is the Kalman-optimal estimate of the true instantaneous mean \(\mu_t\) under the first-order drift model [4] :

$$\begin{aligned} \text{State model:} \quad & \mu_t = \mu_{t-1} + w_t, \quad w_t \sim \mathcal{N}(0,\, Q) \\ \text{Observation model:} \quad & x_t = \mu_t + v_t, \quad v_t \sim \mathcal{N}(0,\, R) \end{aligned}$$

The recursive Kalman update at each timestep is:

$$\begin{aligned} \hat{P}_{t|t-1} &= P_{t-1} + Q && \text{(prediction: uncertainty grows with drift)} \\ K_t &= \frac{\hat{P}_{t|t-1}}{\hat{P}_{t|t-1} + R} && \text{(Kalman gain } \in (0,1)\text{)} \\ \hat{\mu}_t &= \hat{\mu}_{t-1} + K_t\!\left(x_t - \hat{\mu}_{t-1}\right) && \text{(update: weighted correction)} \\ P_t &= (1 - K_t)\,\hat{P}_{t|t-1} && \text{(updated variance)} \end{aligned}$$

The Kalman anomaly score (normalized innovation) is:

$$z_t^K = \frac{x_t - \hat{\mu}_{t-1}}{\sqrt{\hat{P}_{t|t-1} + R}}$$

Under \(H_0\) (no anomaly) at steady state: $z_t^K \sim \mathcal{N}(0,1)$ .

Design parameter $r_{QR} = Q/R$ (drift-to-noise ratio) controls the adaptation rate:

• $r_{QR} \to 0$ : baseline nearly frozen — correct for very slow drift, wrong for fast environmental shifts
• $r_{QR} \to 1$ : aggressive tracking — follows rapid changes, more false alarms during genuine transients

(Notation: $r_{QR} = Q/R$ is the drift-to-noise ratio used in this adaptive estimator. This is distinct from \(\rho = T_d/T_s\) — the compute-to-transmit energy ratio defined in Why Edge Is Not Cloud Minus Bandwidth’s Notation Legend.)

Connection to EWMA: The update $\hat{\mu}_t = \hat{\mu}_{t-1} + K_t(x_t - \hat{\mu}_{t-1})$ is structurally identical to the EWMA update $\mu_t = \alpha x_t + (1-\alpha)\mu_{t-1}$ , with \(K_t\) in place of \(\alpha\). The critical difference: EWMA uses a fixed \(\alpha\); the Kalman gain \(K_t\) starts large (high initial uncertainty, learns fast) and converges to a smaller steady-state value \(K_\infty\) (tracks at the optimal rate for the observed noise level). Fixed-\(\alpha\) EWMA is a degenerate Kalman filter with $P_{t-1}$ forced constant at \(\alpha R/(1-\alpha)\) every step.

Physical translation: The adaptive estimator tracks the sensor’s “normal” behavior using exponential smoothing. A new reading updates the mean estimate, with the learning rate \(\alpha_q\) scaled by how fast the connectivity regime is changing: when the node is transitioning between regimes ($\kappa_{\mathrm{drift}}$ large), the estimator adapts quickly to the new baseline. When connectivity is stable, it adapts slowly — preventing false alarms from random fluctuations around a steady operating point.

Empirical status: The cost ratio $C_{\text{FN}}/C_{\text{FP}} = 3\text{–}10$ and the RAVEN example value of 20 are engineering estimates from mission-cost analysis, not statistically derived from field data. The Neyman-Pearson threshold formula is exact given the ratio; the ratio itself requires calibration per deployment. The partition-duration escalation parameter $\gamma_{\text{FN}}$ has no published empirical baseline — treat as a design choice until validated in integration testing.

Compute Profile: CPU: $O(1)$ per sample — four scalar operations (prediction, gain update, state update, variance update). Memory: $O(1)$ — fixed-size state vector and covariance scalar at steady-state gain. The bottleneck at high sample rates is memory bandwidth from sensor DMA, not filter arithmetic.

Analogy: A hospital monitor tracking a patient’s personal baseline vitals — it alerts when you deviate from your own normal, not the population average. A fit patient with a resting heart rate of 48 bpm will not trigger an alarm at 55 bpm; the system learned that 48 is your normal and adjusts its alert window accordingly.

Logic: Definition 20 replaces the EWMA’s fixed smoothing weight \(\alpha\) with a Kalman gain \(K_t\) that starts large (fast learning during warm-up) and converges to \(K_\infty\), the optimal steady-state value derived from the ratio \(Q/R\) of process noise to measurement noise.

Proposition 10 (Kalman Baseline Convergence Rate). The Kalman gain sequence $\{K_t\}$ converges geometrically to the steady-state value \(K_\infty\), where:

The adaptive learning rate settles to the unique value balancing process noise against sensor noise.

$$P_\infty = \frac{-Q + \sqrt{Q^2 + 4QR}}{2}, \qquad K_\infty = \frac{P_\infty + Q}{P_\infty + Q + R}$$

Here $Q_{\text{proc}}$ is the process noise variance and $R_{\text{obs}}$ is the sensor noise variance; a larger ratio $Q_{\text{proc}}/R_{\text{obs}}$ produces a gain closer to 1, meaning the filter trusts new measurements more than its own model.

For small drift $r_{QR} = Q/R \ll 1$ : $K_\infty \approx \sqrt{r_{QR}}$ — the steady-state gain scales as the square root of the process-to-noise ratio. Convergence to \(K_\infty\) is geometric with rate $(1 - K_\infty)^t$ from any initial \(P_0\), reaching steady state in approximately \(1/K_\infty\) samples.

Proof: Substitute $P_t = P_{t-1}$ into the Riccati recursion $P_t = R(P_{t-1}+Q)/(P_{t-1}+Q+R)$ and solve the resulting quadratic $P_\infty^2 + QP_\infty - QR = 0$ . Convergence rate follows from linearization of the recursion near \(P_\infty\). \(\square\)

Design consequence: After a transient of approximately \(1/K_\infty\) samples, the false positive rate for the Kalman anomaly score is exactly \(2\Phi(-\theta^*)\) — not an approximation. The EWMA-based score with fixed \(\alpha\) is only asymptotically calibrated and may carry excess false-alarm rate during the warm-up period.

Validity condition — white noise assumption: The Kalman gain convergence (Prop 24) and the \(H_0\) distribution $z_t^K \sim N(0,1)$ both require measurement noise \(v_t\) to be approximately i.i.d. Gaussian with stationary variance \(R\). Real MEMS sensors violate this: \(1/f\) noise dominates below ~1 Hz; variance is temperature-correlated ($R(T) \approx R_0(1 + \beta_T \cdot \Delta T)$ for thermistors, where \(\beta_T\) is the temperature sensitivity coefficient — distinct from the Holt-Winters trend coefficient \(\beta_{\text{hw}}\) above and the bandwidth asymmetry ratio \(\beta\) later in this article); aging causes slow \(R\) drift.

The false-alarm guarantee is void if \(R\) is off by more than 50% (threshold — requires accurately calibrated sensor noise variance) — the actual false-alarm rate scales as $P(|N(0,1)| > \theta \cdot \sqrt{R_{\text{assumed}}/R_{\text{actual}}})$ .

OUTPOST calibration: Temperature sensors drift at $\approx 1\,^\circ\text{C}\,\text{day}^{-1}$ (illustrative value) with sensor noise $\sigma_{\text{sens}} = 0.1\,^\circ\text{C}$ (illustrative value). At $f_s = 1\,\text{Hz}$ (sensor sampling rate): $Q = (1/86400)^2 \approx 1.3 \times 10^{-10}\,\text{K}^2/\text{sample}$ (illustrative value), \(R = 0.01\,\text{K}^2\) (illustrative value), giving $r_{QR} \approx 1.3 \times 10^{-8}$ (illustrative value) and $K_\infty \approx 1.1 \times 10^{-4}$ (illustrative value). Baseline adapts on a timescale of $1/K_\infty \approx 9000\,\text{s} \approx 2.5\,\text{h}$ (illustrative value) — slow enough to track seasonal drift without following measurement noise.

Empirical status: The steady-state formulas for \(P_\infty\) and \(K_\infty\) are exact given \(Q\) and \(R\). The OUTPOST drift figure of $1\,^\circ\text{C}\,\text{day}^{-1}$ and \(R = 0.01\,\text{K}^2\) are representative sensor-datasheet values; actual calibration requires pre-deployment measurement. The “50% \(R\) misestimation voids the false-alarm guarantee” bound is analytically derived, not empirically measured.

Watch out for: \(K_\infty\) and the \((1-K_\infty)^t\) convergence rate both assume stationary measurement variance \(R\); if temperature or aging drives \(R\) beyond 50% of its calibrated value, the steady-state gain is miscalibrated and the false-alarm rate guarantee from the Design Consequence paragraph does not hold until \(R\) is re-estimated.

Definition 21 (Bayesian Surprise Metric). The Bayesian Surprise statistic $S_t^K$ is the adaptive-baseline generalization of CUSUM, accumulating Kalman log-likelihood ratios:

$$S_t^K = \max\!\left(0,\; S_{t-1}^K + \Lambda_t^K - \kappa\right)$$

where the log-likelihood ratio under a \(\delta\)-standard-deviation shift is:

$$\Lambda_t^K = \delta \cdot z_t^K - \frac{\delta^2}{2}$$

and \(\kappa > 0\) is the allowance that prevents indefinite accumulation. Alert condition: $S_t^K > h$ for threshold \(h\).

When the Kalman filter tracks a drifting baseline, each day’s $\Lambda_t^K$ stays near zero even as the raw sensor mean climbs — the accumulator only fires when a genuine anomaly diverges from the tracked trend, not when the trend itself shifts.

Difference from static CUSUM: The static form $S_t = \max(0, S_{t-1} + x_t - \mu_0 - k)$ uses a fixed \(\mu_0\). Definition 21 replaces \(x_t - \mu_0\) with $\Lambda_t^K$ , computed from the Kalman innovation $z_t^K$ normalized by the current innovation variance $\hat{P}_{t|t-1} + R$ . When the baseline drifts by \(5\,^\circ\text{C}\) over a season, $\Lambda_t^K \approx 0$ throughout (the Kalman filter tracks the drift), while the static form accumulates \(S_t \propto 5/\sigma\) — triggering continuous false alarms.

Bayesian interpretation: $S_t^K$ is a discounted accumulation of log Bayes factors [5] . An alarm at $S_t^K > h$ corresponds to posterior odds $P(\text{change} \mid x_{1:t})/P(\text{no change}) > e^h$ — the detector declares a change when the Bayesian evidence ratio exceeds \(e^h\).

Proposition 11 (Sensor Death Override Condition). The Brownian diffusion confidence interval ( Proposition 14 ) is derived under the assumption that the sensor innovation $z_t^K$ is $\mathcal{N}(0,1)$ . Two sensor death modes violate this assumption in opposite directions; both are detected by the sample chi-squared statistic over window \(w\):

A stuck or exploding sensor is caught by checking whether recent innovation variance is too small or too large.

$$\chi^2_w(t) = \frac{1}{w} \sum_{s=t-w+1}^{t} \left(z_s^K\right)^2$$

Under \(H_0\) (alive sensor): $\mathbb{E}[\chi^2_w] = 1$ . The diffusion model is overridden — and the node is flagged P_CRITICAL regardless of staleness — whenever:

$$\chi^2_w(t) \notin [\delta_{\text{flat}},\; \delta_{\text{noise}}]$$

Failure modes detected:

• $\chi^2_w < \delta_{\text{flat}}$ : Flatline death — sensor stuck at constant value, innovations collapse to zero. The diffusion model produces an artificially narrow CI suggesting high confidence, but the reading is uninformative.
• $\chi^2_w > \delta_{\text{noise}}$ : Noise death — sensor producing random garbage, innovations explode. The diffusion model produces a wide CI suggesting uncertainty, but the reading is adversarially misleading.

Proof: Under \(H_0\), $z_s^K \overset{\text{i.i.d.}}{\sim} \mathcal{N}(0,1)$ asymptotically ( Proposition 10 ), so $w \cdot \chi^2_w \sim \chi^2_w$ (chi-squared with \(w\) degrees of freedom). For window \(w = 30\): $P(\chi^2_{30}/30 < 0.1) = P(\chi^2_{30} < 3) \approx 2 \times 10^{-10}$ and $P(\chi^2_{30}/30 > 10) = P(\chi^2_{30} > 300) < 10^{-50}$ — false override rates are negligible. \(\square\)

Calibration: Set $\delta_{\text{flat}} = 0.1$ (illustrative value), $\delta_{\text{noise}} = 10$ (illustrative value), $w = \max(30, \tau_{\max} \cdot f_s)$ (\(\tau_\text{max}\) is the Maximum Useful Staleness bound, formally derived at Proposition 14 later in this article; a provisional calibration value of $\tau_\text{max} = 45\,\text{s}$ is used here for OUTPOST parameters), where \(f_s\) is the sensor sampling rate in Hz. The window must span at least $\tau_{\max}$ seconds (Prop 5) to ensure the chi-squared test has power against slow-onset flatline failures.

Failure mode	\(\chi^2_w(t)\) signature	CI behavior	Override effect
Alive sensor	\(\approx 1.0\)	Correct width	No override
Flatline death	\(\to 0\)	Falsely narrow (high false confidence)	Flags P_CRITICAL
Noise death	\(\gg 1\)	Wide but misleading	Flags P_CRITICAL

OUTPOST scenario: In the 127-sensor perimeter mesh, flatline and noise deaths were the two most common hardware failure modes in field trials, making this chi-squared override the primary health guard for sensor trust decisions.

Empirical status: The thresholds $\delta_{\text{flat}} = 0.1$ and $\delta_{\text{noise}} = 10$ and window \(w = 30\) are analytically justified by chi-squared tail probabilities (\(<10^{-10}\) false-override rate). The claim that flatline and noise deaths dominate OUTPOST failure modes is a scenario illustration, not a measured failure-mode frequency from field data.

Watch out for: the chi-squared tail probabilities in the proof assume \(z_t^K \overset{\text{i.i.d.}}{\sim} \mathcal{N}(0,1)\), which holds only after the Kalman gain has converged (Proposition 10); during warm-up, the chi-squared statistic is inflated, so the override fires with higher probability than the \(<10^{-10}\) bound implies.

The minimum viable sensor set required for continued operation and the transition to reduced capability mode under growing P_CRITICAL count are addressed in Self-Healing Without Connectivity ( Definition 121 , Minimum Viable System ).

Optional: Game-Theoretic Extension — Adversarial Threshold Selection

Proposition 9 derives \(\theta^*\) against a non-strategic anomaly distribution. An adversary who controls a compromised sensor (as in the OUTPOST scenario) can output $z_t = \theta^* - \varepsilon$ continuously, evading detection with zero effort. The correct defense is a randomized threshold - the Nash equilibrium of the inspection game.

Inspection game: Inspector selects threshold \(\theta\) (possibly mixed strategy \(\pi(\theta)\)); evader selects signal pattern $a \in \mathcal{U}$ to minimize detection probability.

At the Nash equilibrium \((\pi^*, a^*)\), the inspector is indifferent over all thresholds in the support of \(\pi^*\), and the evader is indifferent over all evasion strategies. The equation below states the equilibrium condition: the mixed threshold strategy \(\pi^*(\theta)\) must produce the same expected detection probability against every evasion action \(a\) the adversary might choose, so the adversary gains nothing by switching strategies.

$$\int_{\theta} P(\text{detect} \mid \theta, a) \, \pi^*(\theta) \, d\theta = \text{const} \quad \forall a \in \mathcal{U}$$

Physical translation: A fixed threshold of \(\theta^* = 2.5\sigma\) is an open invitation — an adversary-controlled sensor need only output exactly \(2.4\sigma\) indefinitely. Using a randomized threshold drawn fresh each round forces the adversary to erase any calibration advantage: they cannot tune their evasion signal to a moving target. The Nash equilibrium mixes over a range of thresholds so that every evasion strategy faces the same expected detection probability, closing the calibration exploit entirely.

Cross-sensor defense: For the OUTPOST mesh, cross-sensor consistency - checking whether sensor \(i\)’s report is consistent with what \(i\)’s neighbors’ models predict - defeats the threshold-calibration attack, since exploiting it requires simultaneous compromise of multiple sensors.

Practical implication: In adversarial settings, draw $\theta_t \sim \pi^*$ fresh each detection round rather than using a fixed \(\theta^*\). For OUTPOST ’s 127-sensor mesh, cross-sensor consistency checks are the primary Byzantine detection layer; randomized thresholds are a secondary defense for individual sensor evaluation.

Distinguishing Failure Modes

Detection answers “is something wrong?” Diagnosis answers “what is wrong?”

For Sensor 47’s silence, the fusion node must distinguish four failure modes. Sensor hardware failure shows gradual degradation before silence (increasing noise, drifting calibration) with neighboring sensors unaffected and unusual power consumption before failure. Communication failure shows abrupt silence with no prior degradation, multiple sensors in the same mesh region affected, and common relay nodes degraded. Environmental occlusion affects specific sensor types (e.g., optical but not acoustic) in a geographic pattern (flooding, debris) with intermittent function as conditions change. Adversarial action shows precise silence with no RF emissions, a tactical pattern (sensors on approach path silenced), and timing coordinated with other events.

The fusion node maintains causal models for each failure mode. Given observed evidence \(E\), the formula below applies Bayes’ theorem to compute the posterior probability of each candidate cause, combining the prior likelihood of that failure mode with the likelihood of observing the evidence given that cause.

$$P(\text{cause} | E) = \frac{P(E | \text{cause}) \cdot P(\text{cause})}{P(E)}$$

Priors $P(\text{cause})$ come from historical failure rates. Likelihoods $P(E | \text{cause})$ come from the signature patterns.

For Sensor 47, the abrupt silence with no degradation weights against hardware failure; neighbors functioning normally weights against communication failure; a single sensor affected weights against environmental occlusion; and its location on the approach path weights toward adversarial action.

The diagnosis is probabilistic, not certain. Self-measurement provides confidence levels, not ground truth.

Machine Learning Approaches for Edge Anomaly Detection

ML extends detection to multivariate anomalies under edge constraints (<1MB models, <10ms inference, milliwatts power budget).

Lightweight Autoencoder for Multivariate Anomaly Detection

Autoencoders learn to compress and reconstruct normal behavior; anomalies produce high reconstruction error.

Architecture for edge deployment; the bottleneck at the latent layer (dim=3) forces the encoder to discard information that cannot be recovered by the decoder, so reconstruction error is high precisely when the input lies outside the learned normal manifold.

    
    graph LR
    subgraph "Encoder"
        I["Input
d=12 sensors"]
        E1["Dense 8
ReLU"]
        E2["Dense 4
ReLU"]
        L["Latent
dim=3"]
    end

    subgraph "Decoder"
        D1["Dense 4
ReLU"]
        D2["Dense 8
ReLU"]
        O["Output
d=12"]
    end

    I --> E1 --> E2 --> L --> D1 --> D2 --> O

    style L fill:#fff3e0,stroke:#f57c00

Read the diagram: Sensor readings enter as a 12-dimensional vector. The encoder compresses them through layers of decreasing width down to a 3-number latent summary (highlighted). The decoder then tries to reconstruct the original 12 values from those 3 numbers alone. When the system operates normally, reconstruction is accurate and the error is small. When something is wrong, the decoder cannot recover the anomalous pattern — the reconstruction error becomes the anomaly score.

For CONVOY (12-sensor vehicle telemetry), the model takes a 12-dimensional input (engine temp, oil pressure, RPM, coolant, transmission temp, brake pressure, fuel flow, battery voltage, alternator output, exhaust temp, vibration, GPS quality), passes it through the $12 \to 8 \to 4 \to 3 \to 4 \to 8 \to 12$ architecture, totaling $12\times8 + 8\times4 + 4\times3 + 3\times4 + 4\times8 + 8\times12 = 280$ weights — 280 bytes (illustrative value) when quantized to INT8 — with inference requiring 280 multiply-adds at under 0.1 ms (illustrative value) on ARM Cortex-M4.

The anomaly score for input \(x\) is the squared reconstruction error \(|x - \hat{x}|^2\) normalized by the baseline variance $\sigma^2_{\text{baseline}}$ estimated from validation data, so that a score near 1 indicates normal behavior and scores well above 1 indicate anomaly.

$$\text{AnomalyScore}(x) = \frac{\|x - \hat{x}\|^2}{\sigma^2_{\text{baseline}}}$$

where $\hat{x} = \text{Decoder}(\text{Encoder}(x))$ and $\sigma^2_{\text{baseline}}$ is computed from validation data.

The edge autoencoder is trained offline on historical normal data with INT8 quantization-aware training to avoid accuracy loss under fixed-point arithmetic. Detection threshold calibration occurs on-device from the first 1000 observations (illustrative value) after the model is active — this is an operational constant, not a design parameter, because the ambient noise floor and sensor characteristics are only fully observable in-deployment.

Performance bounds (derived from model capacity analysis): Under assumption set $\mathcal{A}_{perf}$ — anomaly distribution \(P_1\) separable from normal \(P_0\) with overlap \(\epsilon\), model capacity \(C_m\), sample complexity \(n\) — the table below gives worst-case precision and recall bounds, per-inference computational complexity, memory footprint, and drift protection mechanism for each edge-viable detector family.

Method	Precision Bound	Recall Bound	Complexity	Memory	Drift Protection
EWMA (per-sensor)	$1 - \epsilon_{\text{marginal}}$	$1 - \text{FNR}(z_\alpha)$	\(O(1)\)	96 bytes	Kalman baseline tracking
Isolation Forest	$1 - \epsilon \cdot 2^{-d}$	\(1 - (1-1/2^d)^t\)	\(O(\log n)\)	25 KB	Periodic forest replacement
Autoencoder (INT8)	$1 - \epsilon_{\text{joint}}$	$1 - e^{-C_m/d}$	\(O(d^2)\)	280 bytes	$\sigma_{\text{baseline}}$ recalibration
One-Class SVM	\(1 - \nu\)	$1 - \text{VC}(d)/(n\nu)$	\(O(d)\)	20 bytes	$\lambda_{\text{reg}} + \rho(\mathbf{J}_w) < 1$
Ensemble	$\max(P_i) + \delta_{\text{ensemble}}$	$1 - \prod(1-R_i)$	$O(\sum C_i)$	376 bytes	Component-wise drift checks

Utility improvement of autoencoder over EWMA: The net utility gain \(\Delta U\) decomposes into a precision improvement term (joint detection catches more true positives per alarm) minus a recall-reciprocal term penalizing the relative miss rate of each detector weighted by the false-negative cost $C_{\text{FN}}$ .

$$\Delta U = U_{\text{AE}} - U_{\text{EWMA}} = (P_{\text{AE}} - P_{\text{EWMA}}) \cdot V_{\text{TP}} - (R_{\text{AE}}^{-1} - R_{\text{EWMA}}^{-1}) \cdot C_{\text{FN}}$$

$\text{sign}(\Delta U) > 0$ when $\epsilon_{\text{joint}} < \epsilon_{\text{marginal}}$ : autoencoder captures correlated deviations (e.g., simultaneous small shifts in engine temp, oil pressure, RPM) that per-sensor EWMA misses because joint anomaly probability exceeds the product of marginal probabilities.

Tiny Neural Network for Failure Classification

Beyond detection, classification identifies which failure mode is occurring. The formula below gives the probability distribution over failure classes produced by a two-layer network: weights \(W_1, b_1\) map the anomaly feature vector \(x\) to a hidden layer, \(W_2, b_2\) map to class logits, and softmax normalizes these into a probability vector summing to 1.

$$P(\text{failure\_type} | \text{anomaly\_vector}) = \text{softmax}(W_2 \cdot \text{ReLU}(W_1 \cdot x + b_1) + b_2)$$

The RAVEN failure classifier takes an 8-dimensional anomaly feature vector (motor currents, IMU residuals, GPS error, battery voltage deviation), classifies into 5 output classes (motor degradation, sensor drift, communication fault, power issue, unknown) through an $8 \to 6 \to 5$ architecture, with $8\times6 + 6\times5 = 78$ weights totaling 78 bytes in INT8.

Classification accuracy bound: The bound below gives the minimum guaranteed classification accuracy as a function of the number of fault classes \(K\) (distinct from the Kalman gain \(K_t\) in this article and from the EXP3-IX arm count \(K\) in Anti-Fragile Decision-Making at the Edge), the VC dimension of the hidden layer $\text{VC}(h)$ , the training sample count \(n\), and the confidence parameter \(\delta\).

$$\text{Accuracy} \geq 1 - \frac{K \cdot \text{VC}(h)}{n} - \sqrt{\frac{\ln(1/\delta)}{2n}}$$

For sufficient training samples (\(n > 100 \cdot K\) (illustrative value)) and well-separated failure modes, the lower bound exceeds \(0.9\).

Diagnosis-to-action mapping. Classification without a prescribed response is observational theater. Each fault class maps directly to a prescribed autonomic action; without this mapping, the classifier is inert.

Fault class to autonomic action. Priority order for simultaneous faults: Power issue > Communication fault > Motor degradation > Sensor drift > Unknown. The highest-priority fault’s prescribed action governs the current MAPE-K tick; lower-severity actions are deferred to the next tick, preventing action thrashing.

Fault class	Immediate action	Autonomic consequence
Motor degradation	Reduce mission authority	Fall back to L2 heartbeat-only behavior
Sensor drift	Reweight sensor to 50% confidence in aggregation	Escalate gossip priority for this metric
Communication fault	Increase retry window for peer contacts	Assume local isolation; do not propagate stale data
Power issue	Trigger load shedding ( Definition 44 )	Enter L1 capability level
Unknown	Enter Safety Mode ( Definition 53 )	Freeze actuator outputs; await self-test pass on two consecutive MAPE-K ticks
Multiple faults simultaneously	Apply highest-severity action above; defer lower-severity actions to next tick	Priority order as above

Safety Mode entry (Unknown fault class) persists until two consecutive MAPE-K ticks pass with all signals within normal thresholds and no new anomalies detected ( Definition 53 , Self-Healing Without Connectivity).

One-Class SVM for Novelty Detection

When anomalies are rare and diverse, one-class SVM learns the boundary of normal behavior. The objective below finds the weight vector \(w\) and margin \(\rho\) that enclose the training data as tightly as possible, with the hyperparameter \(\nu \in (0,1)\) bounding the fraction of training points allowed outside the boundary and \(\phi(x_i)\) the feature mapping for point \(x_i\). (\(\rho\) here is the SVM margin hyperparameter. Later in this article \(\rho(\cdot)\) denotes spectral radius of the weight-update Jacobian, \(\rho_i[j]\) denotes the gossip observation-age tracker, and \(\rho_{\text{max}}\) denotes the anti-flood rate ceiling — subscripts and function notation differentiate all four at every occurrence.)

$$\min_{w, \rho} \frac{1}{2}\|w\|^2 - \rho + \frac{1}{\nu n} \sum_{i=1}^{n} \max(0, \rho - w^T \phi(x_i))$$

For edge deployment, use linear kernel with explicit feature mapping. The feature vector \(\phi(x)\) below summarizes a raw observation \(x\) into five scalars derived from the running EWMA statistics, trend estimate, CUSUM accumulator, and nearest-neighbor cross-correlation.

$$\phi(x) = [\mu_{\text{EWMA}}, \sigma_{\text{EWMA}}, \text{trend}, \text{cusum}, \text{cross\_corr}]$$

This 5-dimensional feature space captures statistical summaries, enabling efficient linear SVM:

• Training: Offline on normal data
• Inference: Single dot product = <0.01ms (illustrative value)
• Memory: 5 support vector weights = 20 bytes (illustrative value) (float32)

Drift-aware weight update: Under non-stationary conditions, the distribution of “normal” shifts over time. Without regularization, weights drift toward the current distribution and lose generalization across connectivity regimes. The regularized gradient penalizes deviation from the baseline weight vector \(w_0\) calibrated on clean training data:

$$\nabla_w \mathcal{L}_{\text{reg}} = \frac{\partial \mathcal{L}}{\partial w} + \lambda_{\text{reg}} \cdot (w_t - w_0)$$

where $\lambda_{\text{reg}} = \alpha \cdot \|x_t - x_{t-1}\|^2$ scales with local input variation as an edge-practical proxy for distributional shift. (This is a point-to-point heuristic; a sliding-window variance estimate is more robust when compute permits.)

Jacobian stability check: Define the weight update map $\Phi: w_{t-1} \mapsto w_t = w_{t-1} - \eta \nabla_w \mathcal{L}_{\text{reg}}(w_{t-1})$ . Its Jacobian is $\mathbf{J}_w = I - \eta H_{\text{reg}}$ , where $H_{\text{reg}} = \partial^2\mathcal{L}/\partial w^2 + \lambda_{\text{reg}} I$ is the regularized Hessian. The autonomic layer becomes a noise generator when the spectral radius exceeds 1:

$$\rho(\mathbf{J}_w) = \max_i \lvert\lambda_i(\mathbf{J}_w)\rvert = \max_i \lvert 1 - \eta\,\lambda_i(H_{\text{reg}})\rvert < 1$$

(\(\rho(\cdot)\) here is the spectral radius — see the \(\rho\) notation note at the one-class SVM objective above for the full disambiguation. For \(\lambda\) disambiguation — gossip contact rate, Weibull scale, L2 regularization, distributional shift, eigenvalue, and shadow price — see the \(\lambda\) notation legend in the Notation note above.)

If $\rho(\mathbf{J}_w) > 1 + \varepsilon$ , weights are diverging and the SVM must be recalibrated or reverted to \(w_0\). For edge deployment with limited compute, estimate the dominant eigenvalue via power iteration:

$$\begin{aligned} v_{k+1} &= \mathbf{J}_w v_k \;/\; \|\mathbf{J}_w v_k\| \\ \rho(\mathbf{J}_w) &\approx v_k^T \mathbf{J}_w v_k \end{aligned}$$

Convergence rate is $O(\log(1/\varepsilon)\,/\,\log(\lambda_1/\lambda_2))$ , where $\lambda_1/\lambda_2$ is the dominant spectral gap. For \(d = 5\) features with well-separated eigenvalues, typically fewer than 10 iterations (illustrative value).

Detection rate derivation for OUTPOST :

For one-class SVM with \(\nu\)-parameterization, the fraction of training points outside the boundary is at most \(\nu\). Setting \(\nu = 0.02\) (illustrative value) (the expected anomaly rate), the bounds below give the worst-case false positive rate and the minimum true positive rate as a function of VC dimension $\text{VC}(d)$ and training size \(n\).

$$\text{FPR} \leq \nu = 0.02, \quad \text{TPR} \geq 1 - \frac{\text{VC}(d)}{n} \cdot \nu^{-1}$$

For \(d=5\) features and \(n > 500\) training samples (illustrative value): $\text{TPR} \geq 0.80$ (theoretical bound). The low FPR is critical for battery-constrained sensors where false positives waste power $P_{\text{alert}}$ on unnecessary transmissions.

Drift detection trigger: Recalibrate or revert SVM weights when either condition holds:

$$\rho(\mathbf{J}_w) > 1 + \varepsilon \quad \lor \quad \|w_t - w_{t-1}\| > \delta_{\max}$$

Typical parameters: \(\varepsilon = 0.1\) (illustrative value), $\delta_{\max} = 0.5 \cdot \|w_0\|$ (illustrative value). The spectral condition catches divergence before it compounds; the weight-norm condition catches slow persistent drift that Jacobian monitoring alone may miss.

RFF Extension: Non-Linear Boundary Approximation

The linear kernel assumption holds when failure modes cluster in linearly separable regions of the 5-dimensional feature space. In practice, bursty RF interference, partial jamming onset, and intermodulation products produce overlapping, non-convex clusters that a flat hyperplane cannot separate. Two drop-in replacements keep the same SRAM footprint.

Definition 22 (Random Fourier Feature Map). For the RBF kernel $k(\phi, \psi) = \exp(-\gamma_{\text{rbf}}\|\phi-\psi\|^2)$ , a D-dimensional RFF approximation draws offline $W \in \mathbb{R}^{D \times 5}$ with $W_{ji} \sim \mathcal{N}(0, \gamma_{\text{rbf}})$ and $b_j \sim \mathcal{U}[0, 2\pi]$ , then maps each pre-scaled feature vector \(\phi\) to:

$$z(\phi) = \sqrt{\frac{2}{D}} \begin{bmatrix} \cos(W_1^T \phi + b_1) \\ \vdots \\ \cos(W_D^T \phi + b_D) \end{bmatrix} \in \mathbb{R}^D$$

The one-class SVM operates on \(z(\phi)\) in place of \(\phi\) with the same linear objective (above), yielding decision value $f(\phi) = w^T z(\phi) - \rho$ . By Bochner’s theorem, $\mathbb{E}[z(\phi)^T z(\psi)] = k(\phi, \psi)$ for all \(\phi, \psi\), so a linear classifier in RFF space approximates the full RBF kernel classifier.

At D=4 on an edge MCU (illustrative value), the working set comprises \(5 \times 4 = 20\) Q15 values for W (40 bytes SRAM), 4 values for b (8 bytes), and 4 values for w (8 bytes) — 56 bytes total, larger than the 20-byte linear weight budget but within a 128-byte SRAM block allocation. The kernel bandwidth is set to $\gamma_{\text{rbf}} = 1/(2\,\hat{\sigma}_\phi^2)$ where $\hat{\sigma}_\phi^2$ is the empirical variance of \(\phi\) on clean training data; for OUTPOST sensors this gives $\gamma_{\text{rbf}} \approx 0.5$ (illustrative value). When RFF code overhead is unacceptable, a Decision Stump Forest of five single-threshold stumps — one per \(\phi_i\) at 4 bytes each (2-byte Q15 threshold, 1-bit direction, 1-byte signed weight) for 20 bytes total — provides a piecewise-constant boundary with zero trigonometric computation.

Definition 23 (Q15 Pre-Scaling for RF Feature Dimensions). Before any classification step, each of the five feature dimensions is normalized to the fixed-point range $[-1, +1]$ using stored per-dimension statistics $\mu_i$ (Q15 mean) and $\texttt{inv3s}_i$ (Q15 encoding of $1/(3\sigma_i)$ ):

$$\phi_i^{(\text{Q15})} = \operatorname{clamp}\!\left(\frac{x_i - \mu_i}{3\,\sigma_i},\;-1,\;+1\right) \times 32767$$

All subsequent arithmetic — RFF projection, dot product, confidence comparison — operates on 16-bit signed integers. No floating-point unit is required.

Q15 fixed-point is chosen because a 16-bit multiply followed by an arithmetic right-shift in ARM Thumb-2 is exactly two instructions; division by $3\sigma_i$ is precomputed as $\texttt{inv3s}[i]$ at calibration time, so inference is multiply-shift only. The calibration constants $\mu[5]$ and $\texttt{inv3s}[5]$ require only 20 bytes and may reside in flash, leaving SRAM free for working buffers. The 3-sigma clamp also improves classification: concentrating 99.7% of normal-condition samples across the full $[-1, +1]$ dynamic range pushes anomalous samples to the rail and increases the decision margin for both the linear and RFF classifiers without touching training data.

Confidence Gate and Safety Mode Fallthrough

The decision value $f(\phi) = w^T z(\phi) - \rho$ is a signed margin distance. On ambiguous RF conditions — partial jamming onset, marginal connectivity, sensor degradation — the value may be non-negative but small, indicating a boundary-straddling sample. Acting on an inconclusive score risks both false positives (wasted power on spurious transmissions) and false negatives (missed threat transitions).

Fallthrough rule: The Q15 integer equivalent of a 0.6 confidence threshold is $\lfloor 0.6 \times 32767 \rfloor = 19660$ . When the scaled decision value falls below this gate, the node does not act on the current classification — treating it as inconclusive — and enters Safety Mode by freezing actuator outputs at their last confirmed-safe state, reducing MAPE-K to the minimum viable tick rate ( Definition 52 ), and suppressing non-critical radio transmissions. After one refractory window ( Definition 46 ), if the confidence gate is passed on two consecutive ticks the node resumes normal operation; otherwise it escalates to the Terminal Safety State ( Definition 53 ).

If the confidence gate has not cleared within \(N_\text{ref,max} = 5\) consecutive refractory cycles, the node elevates to the lowest-cost available safe posture locally: it freezes its anomaly classifier outputs (returning only the last known classification), logs a stale-output flag in its health vector, and defers escalation to the Terminal Safety State ( Definition 53 , Self-Healing Without Connectivity) until the next connectivity window. This local dwell bound prevents indefinite Safety Mode persistence during prolonged partitions.

Wall-clock maximum: regardless of connectivity state, if the node has been in Safety Mode for longer than $T_\text{safe,max} = 4 \times T_\text{quarantine,max}$ (default: 4 hours), it must declare a local emergency state and freeze all outputs at their last known-good values pending connectivity recovery or manual intervention. This prevents indefinite Safety Mode persistence during multi-hour denied-regime partitions.

Once a node enters the local emergency state, four behaviors engage unconditionally. The physical-layer heartbeat (L0 watchdog ping) is never suspended, even in emergency state — a silent node is indistinguishable from a dead node, and the heartbeat allows the fleet to distinguish “alive but isolated” from “failed.” All actuator command outputs hold at the last confirmed-safe value; no new classifications, setpoints, or control actions are issued until the state is exited, and outputs marked stale-output in the health vector remain frozen. A compact distress packet (node ID, \(T_\text{acc}\), last health score) is broadcast on every available radio channel once per \(T_\text{quarantine}\), rate-limited to prevent collapsing the bandwidth budget during fleet-wide emergencies. The emergency state clears automatically when the connectivity regime returns to degraded or connected (i.e., \(T_\text{acc}\) resets) or when an authenticated operator override is received; on exit, the node resumes the normal MAPE-K loop from its frozen state — not from the initial baseline — and applies the reconnection recovery rule for \(\theta^*(t)\).

The 0.6 threshold (illustrative value) is calibrated empirically: at \(\nu = 0.02\) and \(n > 500\) training samples (illustrative value), the margin distribution of normal samples has a median near 0.85 (illustrative value) in the normalized scale; 0.6 sits two standard deviations below the median, catching genuine boundary straddlers while passing well-separated normal readings.

RFF Inference Pipeline: Code Budget Verification

The three sequential stages — pre-scale, RFF projection, and classification with confidence gate — occupy fewer than 150 bytes (illustrative value) of compiled ARM Thumb-2 code. The budget is verified by enumerating the dominant instruction patterns per stage.

Stage	Algorithm	Thumb-2 instructions	Code budget
Pre-scale (Definition 23)	5 Q15 multiply-shifts followed by saturating clamp to \([-32767, +32767]\)	\(\approx 10\)	20 B
RFF projection (Definition 22)	4 inner products \(W_j^T \varphi + b_j\) (Q15 multiply-accumulate, 5 terms each); 16-entry symmetric cosine LUT with 2-bit quadrant sign flip	\(\approx 28\)	56 B
Classify + confidence gate	Inner product \(w_{\mathrm{svm}}^T z\) (Q15, 4 terms); compare to 19660 (\(\lfloor 0.6 \times 32767 \rfloor\)); tail-call to Safety Mode if below gate	\(\approx 30\)	60 B
Total		\(\approx 68\)	136 B — below the 150 B target

Stack during classification (freed on return): 5 pre-scaled Q15 values \(\varphi[5]\) = 10 B plus 4 RFF features \(z[4]\) = 8 B = 18 B stack. The Safety Mode call is a tail-call with no additional frame. Non-stack SRAM (parameters W, b, w_svm, cosine LUT) totals 72 B and may reside in flash read-only data.

Implementation notes: (i) cos_lut[16] holds one symmetric quarter-period of cosine in Q15 (values from cos(0)=32767 down to cos(\(\pi/2\))=0); full-period wrapping uses bits 14–79 of the index for sign. The maximum LUT approximation error is $|\cos(\pi/32)-\cos(0)| \approx 0.005$ , well above Q15 quantization noise ($1/32768 \approx 3 \times 10^{-5}$ ) but negligible for anomaly detection where margin differences of $\gg 0.01$ drive classification. (ii) enter_safety_mode() is a tail-call and does not add to the classification code budget. (iii) Instruction counts assume ARM Cortex-M0+ (no single-cycle 32-bit multiply); Cortex-M4 is cheaper by roughly 30% due to the hardware MAC unit in rff_map.

Temporal Convolutional Network (TCN) for Sequence Anomalies

Some anomalies are only visible in temporal patterns - normal individual readings but abnormal sequences. The diagram below shows the tiny TCN architecture: three dilated Conv1D layers with exponentially increasing dilation rates (1, 2, 4) extend the receptive field to 15 timesteps without adding parameters, followed by global average pooling and a sigmoid output that produces an anomaly probability.

    
    graph LR
    subgraph "Dilated Convolutions"
        C1["Conv1D
k=3, d=1
8 filters"]
        C2["Conv1D
k=3, d=2
8 filters"]
        C3["Conv1D
k=3, d=4
4 filters"]
    end

    subgraph "Output"
        P["GlobalAvgPool"]
        O["Dense 1
Sigmoid"]
    end

    I["Input
32 timesteps
4 channels"] --> C1 --> C2 --> C3 --> P --> O

    style C1 fill:#e8f5e9,stroke:#388e3c
    style C2 fill:#e8f5e9,stroke:#388e3c
    style C3 fill:#e8f5e9,stroke:#388e3c

Read the diagram: A 32-timestep window of 4 sensor channels enters from the left. Three dilated convolution layers process it with increasing gaps between positions (dilation 1, 2, 4), letting each layer see longer temporal context without adding parameters — the receptive field grows to 15 timesteps at no extra cost. Global average pooling collapses the temporal dimension into a single summary vector; the final sigmoid outputs an anomaly probability between 0 and 1.

The TCN takes \(32\) timesteps \(\times 4\) channels (160 samples at 5 Hz) as input, achieves a receptive field of \(1 + 2\times(1+2+4) = 15\) timesteps (3 seconds), requires 388 bytes (illustrative value) of parameters plus a 128-byte ring buffer for a total footprint of approximately 520 bytes (illustrative value), and runs inference in under 1 ms on Cortex-M4 (illustrative value).

Energy feasibility on RAVEN : Definition 2 establishes local dominance when \(n_c < T_s/T_d\). For the RAVEN platform (\(T_d = 50\,\mu\text{J}\), $T_s = 5\,\text{mJ}$ ) the threshold is \(n_c < 100\) inference passes. The TCN uses \(n_c = 1\) — one forward pass per anomaly check — and the 9,000 internal MACs determine the cost of that pass, not the value of \(n_c\). At approximately 5 nJ per MAC on a Cortex-M4, one TCN inference costs $E_{\text{TCN}} \approx 9000 \times 5\,\text{nJ} = 45\,\mu\text{J}$ . The energy ratio versus a single radio transmission is:

$$\frac{E_{\text{TCN}}}{T_s} = \frac{9000 \cdot e_{\text{MAC}}}{T_s} \approx \frac{45\,\mu\text{J}}{5\,\text{mJ}} = 0.009 \ll 1$$

Running at 5 Hz, the continuous inference power is $45\,\mu\text{J} \times 5\,\text{Hz} = 225\,\mu\text{W}$ . Avoiding a single unnecessary radio transmission (5 mJ) recovers 22 seconds of continuous inference — a favorable exchange whenever detection accuracy suppresses even one spurious transmission per 22-second window.

Energy-adaptive scheduling: For deployments where the energy margin is tighter than the RAVEN reference, scale anomaly detection frequency with the connectivity regime. The radio-savings justification weakens as connectivity degrades; inference frequency should follow:

Regime	Detection rate	Primary method	Energy logic
Connected (\(C \approx 1.0\))	5 Hz	TCN ensemble	Radio available as fallback; ML precision maximizes detection quality
Degraded (\(C \approx 0.5\))	1 Hz	TCN + EWMA	Reduced inference budget; EWMA fills inter-TCN intervals
Intermittent (\(C \approx 0.25\))	0.2 Hz	EWMA + CUSUM	Conserve for mission-critical windows only
None (\(C = 0\))	On-demand	CUSUM only	Minimal power; inference triggers only when CUSUM threshold is crossed

This schedule keeps $E_{\text{TCN}}/T_s < 1$ across all connectivity states by reducing inference frequency proportionally with the radio-savings justification.

Application: RAVEN motor anomaly detection . Individual current readings appear normal, but the temporal signature of a failing bearing shows characteristic oscillation.

Utility improvement of TCN over EWMA: The formula expresses the gain entirely as a recall improvement — since both models produce the same value per true positive, the difference is how many additional anomalies the TCN catches by exploiting temporal context that the per-sample EWMA cannot see.

$$\Delta U_{\text{TCN}} = U_{\text{TCN}} - U_{\text{EWMA}} = (R_{\text{TCN}} - R_{\text{EWMA}}) \cdot V_{\text{detect}}$$

TCN’s receptive field (15 timesteps) captures oscillation patterns with period \(T \leq 15/f_s\). EWMA operates per-sample without temporal context. For anomalies where $P(\text{anomaly} | x_{t-k:t}) > P(\text{anomaly} | x_t)$ , TCN achieves higher recall by design: $R_{\text{TCN}} / R_{\text{EWMA}} \approx T_{\text{pattern}} / T_{\text{sample}}$ .

Model Ensemble Strategy

Production edge systems combine multiple models into a single weighted anomaly score. The formula below is a linear combination of the four individual model scores — EWMA z-score, autoencoder reconstruction error, TCN output, and one-class SVM decision value — with weights \(w_i\) that balance each detector’s contribution.

$$\text{FinalScore} = w_1 \cdot z_{\text{EWMA}} + w_2 \cdot s_{\text{AE}} + w_3 \cdot s_{\text{TCN}} + w_4 \cdot s_{\text{OCSVM}}$$

The table below shows the weights learned via logistic regression on validation anomalies, together with the rationale for each model’s relative contribution.

Model	Weight	Rationale
EWMA	0.25	Fast, catches obvious anomalies
Autoencoder	0.35	Catches multivariate correlations
TCN	0.25	Catches temporal patterns
One-class SVM	0.15	Catches novel out-of-distribution

Ensemble utility derivation:

For \(K\) independent models with per-model recall \(R_i\), the ensemble recall under the union rule is strictly at least as high as the best individual model’s recall, because a true anomaly is detected if any model flags it.

$$R_{\text{ensemble}} = 1 - \prod_{i=1}^{K}(1 - R_i) \geq \max_i R_i$$

Utility improvement: The net gain from using the ensemble over the single best model equals the additional recall it achieves multiplied by the detection value, minus the overhead cost of running multiple models.

$$\Delta U_{\text{ensemble}} = (R_{\text{ensemble}} - \max_i R_i) \cdot V_{\text{detect}} - C_{\text{overhead}}$$

$\text{sign}(\Delta U) > 0$ when models detect different anomaly subsets (low $\rho_{ij}$ correlation). For \(K=4\) models (illustrative value) with \(R_i \approx 0.8\) (illustrative value) and $\rho_{ij} < 0.5$ (illustrative value): $R_{\text{ensemble}} \geq 0.92$ (theoretical bound).

Model Update and Drift Management

Edge models degrade as operating conditions change. Detecting and managing model drift:

Three drift indicators signal when a model needs updating: reconstruction error baseline shift (mean reconstruction error increasing more than 20% over 7 days suggests a stale model), false positive rate increase (tracked via operator feedback loop), and confidence calibration drift (predicted probabilities should match empirical rates).

Update strategies: The table orders four responses by increasing intervention severity; the Connectivity Required column is the key constraint — the first two strategies work entirely offline, while the last requires a connected interval.

Strategy	Trigger	Method	Connectivity Required
Threshold adjustment	FP rate >5%	Local recalibration	None
Incremental update	Drift detected	Online gradient step	None
Full retrain	Major drift	Federated learning	Intermittent
Model replacement	Architecture obsolete	OTA update	Connected

Drift handling strategy derivation:

When covariate shift occurs ($P_{\text{deploy}}(X) \neq P_{\text{train}}(X)$ ), detection accuracy degrades exponentially with the KL-divergence between deployment and training distributions, as shown below; $\xi_{\text{shift}}$ is the sensitivity of the particular model to distributional shift.

$$\text{Accuracy}(t) = \text{Accuracy}_0 \cdot e^{-\xi_{\text{shift}} \cdot D_{KL}(P_{\text{deploy}} \| P_{\text{train}})}$$

Local threshold adjustment (recomputing \(\theta\) from recent \(X\)) restores accuracy when \(P(Y|X)\) is unchanged. Full retraining required when \(P(Y|X)\) shifts.

Cognitive Map: Local anomaly detection scales from a 2-line EWMA update (constant time, constant memory) through CUSUM (optimal for step changes and sustained drift), Kalman adaptive baselines (optimal when the “normal” baseline itself evolves), and ML ensembles (optimal for correlated multi-sensor faults that no single-sensor method catches). The threshold \(\theta^*\) is not a fixed value — it tightens automatically as partition age grows, and has a hard lower bound at the stability-region guard band \(\delta_q\). Every algorithm in this section fits in under 1 KB and runs on a microcontroller. Next: gossip protocols aggregate these local health scores across the fleet without any central coordinator.

---

Distributed Health Inference

Phase-0 attestation is the initial fleet commissioning window. Every node registers its identity, public key, and baseline health metrics with its direct neighbors before autonomous operation begins. These records become the trust root for subsequent Byzantine detection and ejection decisions.

Gossip-Based Health Propagation

Individual nodes detect local anomalies. Fleet-wide health requires aggregation without a central coordinator.

Scope note — H\(^\text{fleet}\) vs H\(^\text{node}\): The fleet health vector $\mathbf{H}^\text{fleet} = [h_1, \ldots, h_n] \in [0,1]^n$ in this definition is indexed over the \(n\) nodes in the fleet — distinct from the per-component \(\mathbf{H}^\text{node}(t)\) in Why Edge Is Not Cloud Minus Bandwidth, which is indexed over the subsystems within a single node (antenna, battery, CPU, etc.). For RAVEN: \(\mathbf{H}^\text{fleet}\) has 47 elements; \(\mathbf{H}^\text{node}(t)\) has 6 elements. Do not confuse these when sizing gossip payloads or CRDT health-state records.

Definition 24 ( Gossip Health Protocol). A gossip health protocol is a tuple \((\mathbf{H}, f_g, M, T)\) where [1] :

• $\mathbf{H}^{\text{fleet}} = [h_1, \ldots, h_n] \in [0,1]^n$ is the fleet-wide health vector indexed over \(n\) nodes (distinct from the per-component $\mathbf{H}^{\text{node}}(t)$ vector in Why Edge Is Not Cloud Minus Bandwidth, which is indexed over subsystems within a single node)
• \(f_g > 0\) is the gossip rate (exchanges per second per node)
• $M: [0,1]^n \times [0,1]^n \rightarrow [0,1]^n$ is the merge function
• $T: \mathbb{R}^+ \rightarrow \mathbb{R}^+$ is the staleness decay function

In other words, every node keeps a score between 0 and 1 for each fleet member, periodically swaps that list with a random neighbor, and combines the two copies using a merge rule that discounts older entries via the staleness function \(T\).

Algebraic contract on M. For gossip to converge regardless of message ordering, the merge function must be commutative, associative, and idempotent. Simple averaging and last-write-wins both fail at least one property under out-of-order delivery.

Required properties of the merge function M. Conservative merge \(M(h_a, h_b) = \max(h_a, h_b)\) satisfies all three. Staleness-weighted blend $M_\tau(h_a, h_b) = (w_a h_a + w_b h_b)/(w_a + w_b)$ with $w_i = e^{-\gamma_s \tau_i}$ is idempotent only when both observations carry equal staleness weights.

Property	Formal requirement	Why it matters
Commutativity	\(M(H_a, H_b) = M(H_b, H_a)\)	Node A merging B’s view must reach the same result as B merging A’s
Associativity	\(M(H_a, M(H_b, H_c)) = M(M(H_a, H_b), H_c)\)	Three messages that cross mid-network resolve to the same state regardless of arrival order
Idempotence	\(M(H, H) = H\)	Duplicate messages from gossip fan-out do not shift the estimate

Metadata overhead analysis. Each gossip packet carries two mandatory overhead fields: a Unified Autonomic Header (UAH, ~20 bytes, constant per packet) and a Dotted Version Vector (DVV, \(2 \times N\) bytes, scaling with fleet size). For RAVEN (N = 47), total overhead is ~114 bytes (illustrative value); a 10-byte temperature payload achieves only ~8% (illustrative value) protocol efficiency. For OUTPOST (N = 127), efficiency drops to ~4% (illustrative value).

DVV scaling warning. Above \(N \approx 100\), the DVV alone can exceed LoRaWAN/BLE MTUs (\(\leq 255\) bytes). Evaluate Bloom-clock or epoch-scoped DVV when fleet size N > 100 and typical health payload size < 20 bytes. The autonomic detection logic is independent of this choice; the overhead affects transport, not detection.

DVV strategy comparison.

Strategy	DVV size	Trade-off
Full DVV	2N bytes	Exact causal ordering; impractical above N \(\approx\) 100
Bloom-clock (probabilistic)	16–80 bytes fixed	0.1–5% false-positive causal violation rate
Epoch-scoped DVV (partition-local)	\(2 \times K\) bytes (K = partition subgroup size)	Exact within partition; requires epoch reconciliation on reconnect

Compute Profile: CPU: $O(n)$ per gossip round — merge of two $n$ -entry health vectors plus staleness weight computation. Memory: $O(n)$ — one health vector per node. The binding cost at large $n$ is the DVV comparison, not merge arithmetic.

Definition 36 (Synthetic Observability — Proxy-Observer). For $\mathcal{L}_0$ -incompatible hardware without native health APIs, define the proxy health signal:

$$H_{\text{proxy}}(t) = w_I \cdot I_{\text{norm}}(t) + w_V \cdot V_{\text{norm}}(t) + w_H \cdot H_{\text{norm}}(t)$$

where:

• $I_{\text{norm}}(t) = \operatorname{clamp}\!\left(\frac{\text{current\_draw}(t) - I_{\min}}{I_{\max} - I_{\min}},\, 0,\, 1\right)$ — normalized current draw (0 = overcurrent/short, 1 = nominal)
• $V_{\text{norm}}(t) = 1 - \operatorname{clamp}\!\left(\frac{\text{vibration}(t)}{V_{\max}},\, 0,\, 1\right)$ — inverted vibration index (0 = excessive, 1 = nominal)
• $H_{\text{norm}}(t) = e^{-t_{\text{silence}} / T_{\text{heartbeat}}}$ — heartbeat freshness (decays exponentially with silence duration $t_{\text{silence}}$ )
• \(w_I + w_V + w_H = 1\), with defaults $w_I = 0.5,\, w_V = 0.3,\, w_H = 0.2$ (illustrative defaults)

The proxy confidence bound is $C_{\text{proxy}}(t) = 1 - \sigma_{\text{proxy}} / H_{\text{proxy}}(t)$ where $\sigma_{\text{proxy}}$ is estimated from calibration measurements. The legacy device is admitted to the autonomic fleet when $C_{\text{proxy}}(t) \geq C_{\text{threshold}}$ and $H_{\text{proxy}}(t) \geq H_{\min}$ , establishing Phase 0 (Hardware Trust) without requiring a native self-health API.

Typical deployments: Modbus RTU sensors, Serial/RS-485 actuators, GPIO-only embedded controllers. Current draw and heartbeat timeout are available from virtually any embedded device; vibration is optional and replaced by $H_{\text{norm}}$ doubling its weight if absent.

The protocol operates in rounds: node \(i\) updates \(h_i\) based on local anomaly detection , selects a random peer \(j\), the two nodes exchange health vectors, and each merges the received vector with its local knowledge.

The diagram below illustrates a single gossip exchange: before the exchange each node holds only its own health vector, and after the merge both nodes hold the combined view of the pair.

    
    graph LR
    subgraph Before Exchange
    A1["Node A: H_A"] -.->|"sends H_A"| B1["Node B: H_B"]
    B1 -.->|"sends H_B"| A1
    end
    subgraph After Merge
    A2["Node A: merge(H_A, H_B)"]
    B2["Node B: merge(H_A, H_B)"]
    end
    A1 --> A2
    B1 --> B2

    style A1 fill:#e8f5e9
    style B1 fill:#e3f2fd
    style A2 fill:#c8e6c9
    style B2 fill:#bbdefb

Read the diagram: Before the exchange (left), Node A knows only its own health and Node B knows only its own. Both send their full vector to the other. After the merge (right), both nodes hold the union of what either knew — each exchange doubles the amount of current knowledge held at each endpoint. Repeat this across the fleet and health propagates like an epidemic.

The merge function must handle three challenges: staleness (older observations are less reliable), conflicts (different nodes may observe different values), and adversarial injection (compromised nodes may inject false health values).

The merge function combines two health estimates for node \(k\) into a single value by taking a trust-weighted average, where each source’s weight \(w\) reflects how recently its observation was made.

$$h_k^{\text{merged}} = \frac{w_A \cdot h_k^A + w_B \cdot h_k^B}{w_A + w_B}$$

Physical translation: When two nodes disagree on a third node’s health, neither report is simply discarded. Both estimates are blended, with the fresher estimate counting more. A 1-second-old reading outweighs a 30-second-old reading by the ratio of their exponential weights.

The weight assigned to each observation decays exponentially with its staleness \(\tau_\text{stale}\) ( Definition 26 ) at rate \(\gamma_s\), so a 10-second-old reading contributes far less than a fresh one.

$$w = e^{-\gamma_s \tau_{\text{stale}}}$$

With \(\tau_\text{stale}\) as time since observation ( Definition 26 ) and \(\gamma_s\) as decay rate (distinct from the gossip rate \(\lambda\), from $\gamma_{\mathrm{FN}}$ the false-negative cost escalation rate in Proposition 9 , and from \(\gamma\) in the Holt-Winters equations above where it denotes the seasonal smoothing coefficient).

Proposition 12 ( Gossip Convergence). For a gossip protocol with contact rate \(f_g\) and \(n\) nodes in a fully-connected network (any node can reach any other), the expected time for information originating at one node to reach all nodes is [6] :

The expected time for information to reach all n nodes is \(O(\ln n / f_g)\). For a \(1 - 1/n\) high-probability guarantee (via Markov’s inequality), plan for $n \cdot O(\ln n / f_g) = O(n \ln n / f_g)$ .

$$\mathbb{E}[T_{\text{convergence}}] = O\left(\frac{\ln n}{f_g}\right)$$

Physical translation: Doubling the fleet adds only $\ln 2 / f_g \approx 0.7/f_g$ seconds to convergence — not double the time. At $f_g = 0.2\,\text{Hz}$ , adding 47 drones to a 47-drone swarm adds roughly 3.5 seconds (illustrative value) to health convergence, not the 39 seconds (illustrative value) a linear model would predict.

In other words, fleet-wide awareness scales only logarithmically with fleet size: doubling the number of nodes adds a fixed $O(\ln 2 / f_g)$ seconds to convergence, not a proportional delay.

Analogy: Rumor spreading in an office — even if each person only tells two others, within \(\log_2(N)\) rounds everyone knows, because every informed person becomes a new spreader. The information doubles with each round, so the total time grows only logarithmically with headcount.

Logic: Proposition 12 shows \(\mathbb{E}[T_{\text{convergence}}] = O(\ln n / f_g)\) because each gossip round the informed set grows as \(dI/dt = f_g I(1-I)\) — logistic dynamics whose solution reaches 1 in logarithmic time.

For sparse topologies with network diameter \(D\), convergence scales as $O(D \cdot \ln n / f_g)$ since information must traverse \(D\) hops.

Proof sketch: The information spread follows logistic dynamics \(dI/dt = f_g I(1 - I)\) where \(I\) is the fraction of informed nodes. Solving with initial condition \(I(0) = 1/n\) and computing time to reach \(I = 1 - 1/n\) yields $T = (2 \ln(n-1))/f_g$ . Corollary 2. Doubling swarm size adds only $O(\ln 2 / f_g) \approx 0.69/f_g$ seconds to convergence time, making gossip protocol s inherently scalable for edge fleets.

The lossless fully-connected model of Proposition 12 is a lower bound. Real edge meshes are sparse and contested: OUTPOST operates on a 127-sensor mesh with diameter \(D \approx 8\) hops under sustained jamming at $p_{\text{loss}} = 0.35$ . The actual convergence time is not \(O(\ln n / \lambda)\) but a function of both topology and loss rate.

Empirical status: The \(O(\ln n / f_g)\) bound is a mathematically proven result for fully-connected lossless networks. The RAVEN figure of adding ~3.5 s for 47 additional drones at \(f_g = 0.2\,\text{Hz}\) is a direct application of the formula, not a measurement. Actual gossip convergence in field deployments depends on radio topology and interference — treat this as a lower bound.

Watch out for: the \(O(\ln n / f_g)\) bound assumes a fully-connected topology with no packet loss; in contested meshes with diameter \(D > 1\) and loss probability \(p_{\text{loss}} > 0\), the correct bound is \(O(D \ln n / (f_g(1-p_{\text{loss}})))\) (Proposition 13), which can be larger by orders of magnitude — using the fully-connected bound for a sparse contested topology produces dangerously optimistic convergence estimates.

Proposition 13 ( Gossip Convergence on Lossy Sparse Mesh). Let \(G = (V, E)\) be a connected graph with \(n\) nodes and edge conductance:

Sparse topology and packet loss slow gossip multiplicatively; the bottleneck is graph conductance, not just fleet size.

$$\Phi = \min_{\substack{S \subseteq V \\ 0 < |S| \leq n/2}} \frac{|E(S,\, V \setminus S)|}{|S| \cdot (n - |S|)/n}$$

Under push-pull gossip with contact rate \(f_g\) and independent per-message loss probability $p_{\text{loss}} \in [0, 1)$ , the expected convergence time satisfies:

$$\mathbb{E}[T_{\text{convergence}}] \leq \frac{2\ln n}{f_g \cdot (1 - p_{\text{loss}}) \cdot \Phi}$$

in expectation. For any connected graph with diameter \(D\), the operational bound $\Phi \geq 1/D$ gives:

$$\mathbb{E}[T_{\text{convergence}}] \leq \frac{2 D \ln n}{f_g \cdot (1 - p_{\text{loss}})}$$

Proof sketch: Let \(S_t\) denote the informed set at gossip round \(t\), with \(|S_t| = k\). By definition of \(\Phi\), the number of boundary edges is at least \(\Phi \cdot k(n-k)/n\). Each boundary edge activates — an informed node contacts an uninformed neighbor and the message arrives — with probability $(1-p_{\text{loss}})/\bar{d}$ per round (\(\bar{d}\) = average degree). The expected growth satisfies $\mathbb{E}[|S_{t+1}| - |S_t|] \geq (1-p_{\text{loss}}) \cdot \Phi \cdot k(n-k)/n$ .*

This is the discrete logistic equation with rate $r = (1-p_{\text{loss}})\Phi$ . The logistic ODE solution \(dI/dt = r \cdot I(1-I)\) reaches \(I = 1 - 1/n\) from \(I = 1/n\) in \(T = (2\ln(n-1))/r\). Applying \(\Phi \geq 1/D\) gives the diameter bound.

The bound holds in expectation; the stopping time is a non-negative random variable, so by Markov’s inequality $P(T > c \cdot \mathbb{E}[T]) \leq 1/c$ . For operational planning, use $3 \times \mathbb{E}[T_{\text{convergence}}]$ as the minimum safety budget; budget $n \times \mathbb{E}[T_{\text{convergence}}]$ when \(1-1/n\) coverage is required. Chernoff-style analysis with bounded increments improves the tail to $\mathbb{E}[T] + O(\sqrt{\mathbb{E}[T] \log n})$ . \(\square\)

Probability tail caveat — Markov vs. Chernoff.

Markov’s inequality gives $P(T > c \cdot \mathbb{E}[T]) \leq 1/c$ for any non-negative random variable. The \(1-1/n\) probability guarantee therefore holds only at \(c = n\): the convergence time must be bounded by $n \cdot \mathbb{E}[T]$ , not $\mathbb{E}[T]$ itself.

At the mean $T = \mathbb{E}[T_{\text{convergence}}]$ , Markov guarantees only $P(T \leq \mathbb{E}[T]) \geq 0$ — trivially true but operationally useless for planning.

For a high-probability bound at the \(O(\ln n / \lambda)\) scale, the correct tool is a Chernoff or Azuma-Hoeffding concentration inequality applied to the martingale \(|S_t|/n\). Under the logistic growth model, convergence time concentrates around the mean with sub-Gaussian tails:

$$P\!\left(T_{\text{convergence}} > (1 + \delta)\,\mathbb{E}[T]\right) \leq \exp\!\bigl(-\Omega(\delta^2 n)\bigr)$$

Practical implication: budget $3 \times \mathbb{E}[T_{\text{convergence}}]$ as the \(1-1/n\) operational target — the factor-3 overhead covers the gap between median convergence time and the high-probability tail. The OUTPOST calibration table below uses the correct diameter bound directly; the \(1-1/n\) language in the proposition statement should be read as an asymptotic characterization, not a tight guarantee at $\mathbb{E}[T]$ .

Specializations:

Graph topology	\(\Phi\)	Expected convergence
Fully connected, lossless	\(1\)	$O(\ln n / f_g)$ — recovers Prop 4
\(k\)-regular expander, lossless	\(\Omega(1)\)	$O(\ln n / f_g)$
Grid ($\sqrt{n} \times \sqrt{n}$ ), lossless	$\Omega(1/\sqrt{n})$	$O(\sqrt{n}\ln n / f_g)$
OUTPOST mesh (\(D=8\), $p_{\text{loss}}=0.35$ )	\(\geq 1/8\)	$\leq 2 \cdot 8 \cdot \ln(127)/(f_g \cdot 0.65) \approx 119/f_g\,\text{s}$

OUTPOST calibration gap: At $f_g = 0.5\,\text{Hz}$ , Proposition 12 predicts \(T \approx 9.7\,\text{s}\); Proposition 13 predicts $T \leq 238\,\text{s} \approx 4\,\text{min}$ (theoretical bound under the illustrative \(D=8\), \(p_\text{loss}=0.35\) parameters) under jamming. Designing for 10-second health awareness and receiving 4-minute convergence is a mission-critical gap — the two propositions formalize the cost of contested topology: every doubling of diameter or packet loss fraction drives the bound linearly wider.

Physical translation — Proposition 12 vs. Proposition 13 . In a lab environment (full mesh, negligible packet loss), health converges in \(O(\ln n / f_g)\) seconds per Proposition 12 . In field conditions (contested mesh, jamming, sparse links), convergence is $O(D \cdot \ln n / (\lambda \cdot (1 - p_\text{loss})))$ per Proposition 13 , where \(D\) is mesh diameter. OUTPOST example: \(D = 8\) hops (illustrative value), \(p_\text{loss} = 0.35\) (illustrative value), \(\lambda = 0.5\) Hz transforms Proposition 12 ’s predicted 9.7 s into Proposition 13 ’s theoretical bound of 238 s (theoretical bound under the illustrative parameters above) (4 minutes).

Watch out for: the bound assumes independent Bernoulli packet loss at each edge; correlated loss events — burst jamming or synchronized interference that silences multiple edges simultaneously — violate the independence assumption underlying the conductance argument, causing actual convergence time to exceed the diameter formula.

Corollary 3 (Loss-Rate Gossip Budget). To maintain convergence within target time \(T^*\) under loss probability $p_{\text{loss}}$ on a diameter-\(D\) mesh, the minimum gossip rate is:

$$f_g^* \geq \frac{2 D \ln n}{T^* \cdot (1 - p_{\text{loss}})}$$

Watch out for: the \(1/(1-p_{\text{loss}})\) scaling factor assumes loss probability is the same on every edge; in adversarial environments where a jammer targets the bottleneck edges connecting different sub-clusters, a few edges dominate convergence time and the network-average \(p_{\text{loss}}\) systematically underestimates the required gossip rate — measure per-edge loss on the critical path, not fleet-average loss, when sizing the gossip budget.

Gossip Rate Selection: Formal Optimization

Objective Function: The formula finds the gossip rate \(\lambda^*\) that best balances convergence speed (which benefits from higher \(\lambda\)) against communication power cost (which scales linearly with \(\lambda\)).

$$f_g^* = \arg\max_{f_g \in [f_{g,\min}, f_{g,\max}]} \left[ -w_1 \cdot T_{\text{converge}}(f_g) - w_2 \cdot P_{\text{comm}}(f_g) \right]$$

where $T_{\text{converge}}(f_g) = \frac{2 \ln n}{f_g}$ is convergence time and $P_{\text{comm}}(f_g) = f_g \cdot E_{\text{msg}}$ is power consumption.

Constraint Set: Three hard limits bound the feasible rate range — the binding constraint (whichever is most restrictive) determines $f_g^*$ .

$$\begin{aligned} g_1: && f_g \cdot E_{\text{msg}} &\leq P_{\text{budget}} && \text{(power constraint)} \\ g_2: && f_g \cdot B_{\text{msg}} &\leq B_{\text{available}}(C(t)) && \text{(bandwidth)} \\ g_3: && \frac{2\ln n}{f_g} &\leq \tau_{\text{staleness}}^{\max} && \text{(freshness requirement)} \end{aligned}$$

Optimal Solution: The formula below takes the minimum of the three per-constraint maximum rates; whichever constraint is most restrictive determines $f_g^*$ , and the other two are automatically satisfied.

$$f_g^* = \min\left(\frac{P_{\text{budget}}}{E_{\text{msg}}}, \frac{B_{\text{available}}}{B_{\text{msg}}}, \frac{2\ln n}{\tau_{\text{staleness}}^{\max}}\right)$$

Physical translation: Take the three per-constraint speed limits — the maximum rate your power budget allows, the maximum rate your bandwidth allows, and the minimum rate needed to keep data fresh enough — and pick the smallest. Whichever constraint binds first sets $f_g^*$ ; the other two are automatically satisfied.

State Transition Model: The rule below describes how a node’s staleness either resets to zero (when a fresh gossip exchange occurs, with probability proportional to rate \(\lambda\)) or grows by \(\Delta t\) when no exchange happens in the current interval.

$$\tau_{\text{staleness}}(t+1) = \begin{cases} 0 & \text{with probability } 1 - e^{-f_g \cdot \Delta t} \\ \tau_{\text{staleness}}(t) + \Delta t & \text{otherwise} \end{cases}$$

For tactical parameters (\(n \sim 50\), \(f_g \sim 0.2\) Hz), Proposition 12 gives \(T = 2\ln(49)/0.2 \approx 39\) seconds (illustrative value) — convergence within 30–40 seconds (illustrative value), fast enough to establish fleet-wide health awareness within a single mission phase. Broadcast approaches scale linearly with \(n\), which is why gossip wins at scale.

For strategic health reporting scenarios where nodes have incentives to misreport, see below.

Empirical status: The Proposition 13 bound $T \leq 2D\ln n / (f_g(1-p_{\text{loss}}))$ is analytically derived. The OUTPOST values \(D = 8\), $p_{\text{loss}} = 0.35$ are scenario parameters, not measured from a deployed system. The “\(3\times\) overhead” recommendation for operational planning is a conservative engineering heuristic, not derived from measured tail distributions in adversarial radio environments.

Optional: Game-Theoretic Extensions

Strategic Health Reporting

The gossip merge assumes truthful health reporting. Nodes competing for limited healing resources have incentives to under-report health (appear more sick) to attract healing attention.

Cheap-talk game (Crawford-Sobel): Node \(i\) with true health \(h_i\) sends report \(\hat{h}_i\). Healing resources are allocated proportional to reported sickness \(1 - \hat{h}_i\). If node \(i\) values healing resources, the equilibrium report satisfies \(\hat{h}_i < h_i\) - systematic under-reporting.

Crawford-Sobel equilibrium: With \(k\) nodes, reports are only coarsely informative - the equilibrium partitions the health space into \(k\) intervals, revealing only which interval each node’s health falls in, not the exact value.

Incentive-compatible allocation: Replace proportional allocation with a Groves mechanism for healing priority: each node reports health and the mechanism allocates healing proportional to the marginal value of healing (not reported sickness). Truthful reporting becomes a dominant strategy when the node’s healing benefit is fully internalized.

Comparative health reporting — where nodes rank their own health relative to neighbors rather than reporting absolute values — resists strategic manipulation and preserves the ordering needed for healing priority assignment while removing the incentive for absolute-value inflation.

Gossip as a Public Goods Game

The gossip rate optimization assumes a central planner selects \(\lambda\). In an autonomous fleet, each node independently selects its gossip rate - and gossip is a public good: each message costs the sender (power, bandwidth) but benefits all nodes’ health awareness.

Public goods game: Node \(i\) selects rate \(\lambda_i \geq 0\). The formula below expresses aggregate health quality \(Q\) as a function of the mean gossip rate $\bar{\lambda}$ across all \(n\) nodes, where \(t\) is elapsed time; quality rises toward 1 as $\bar{\lambda}$ increases but each individual node bears the full cost of its own transmissions while sharing the benefit equally with all peers.

$$Q(\boldsymbol{\lambda}) = 1 - e^{-\bar{\lambda} t}, \quad \bar{\lambda} = \frac{1}{n}\sum_i \lambda_i$$

Physical translation: Fleet health quality is a shared resource that approaches 1 as the average gossip rate rises, but each node pays the full radio and battery cost of its own transmissions while the benefit is split equally among all \(n\) nodes. Every selfish node has an incentive to under-gossip and free-ride on neighbors’ transmissions — exactly as in a public goods game. The result is a fleet that under-monitors itself in the absence of explicit coordination.

Node \(i\) captures only \(1/n\) of the benefit of its own gossip . The Nash equilibrium satisfies $\frac{\partial Q}{\partial \lambda_i}\big|_{\text{NE}} = \frac{t}{n} e^{-\bar{\lambda}^{\text{NE}} t} = c_i'(\lambda_i)$ , while the social optimum satisfies $t \cdot e^{-\bar{\lambda}^{\text{OPT}} t} = c_i'(\lambda_i)$ . Since \(1/n < 1\), the comparison below holds and the equilibrium rate falls short of the social optimum.

$$\bar{\lambda}^{\text{NE}} < \bar{\lambda}^{\text{OPT}}$$

Physical translation: Left to their own devices, autonomous nodes gossip at \(1/n\) of the rate that maximizes fleet health quality. Uncoordinated gossip achieves roughly \(1/n\) of the optimal gossip frequency, yielding convergence times approximately \(n\times\) longer than a coordinated protocol. For RAVEN (\(n=47\)), this means gossip convergence takes roughly \(47\times\) longer than it would under a centrally coordinated schedule — making coordination subsidies economically justified even at significant per-message overhead cost.

For RAVEN (\(n = 47\)), autonomous gossip equilibrium provides approximately \(1/47\) of the socially optimal convergence rate.

VCG mechanism: A Groves mechanism assigns task-allocation transfers to nodes proportional to their gossip contribution: nodes that gossip more receive fewer computational tasks (reducing effective cost). Under this mechanism, truthful power-budget reporting is a dominant strategy and the social optimum is achieved.

Physical translation: Reward high gossip contributors with lighter computational workloads — the battery cost of extra transmissions is offset by fewer CPU-intensive inference tasks. A node reporting a tight power budget gets fewer gossip assignments but also fewer heavy tasks; reporting a false low battery gains nothing because the coordinator sees through it and assigns proportionally. During the next connected window, these rate targets are distributed fleet-wide and hold through the following partition.

Practical implication: During connected intervals, compute gossip rate assignments centrally and distribute them as target rates. The VCG transfer - differential task assignment - incentivizes nodes to maintain their assigned rates during partition. Priority gossip multipliers should be set to cover the \(1/n\) free-rider discount, not arbitrary priority levels.

Commercial Application: AUTODELIVERY Fleet Health

AUTODELIVERY operates autonomous delivery vehicles across a metropolitan area. Vehicles navigate urban canyons, parking structures, and dense commercial districts with intermittent cellular connectivity. Each vehicle must maintain fleet health awareness - vehicle availability, road conditions, charging status - without continuous cloud connectivity.

The gossip architecture implements hierarchical health propagation: local gossip between nearby vehicles, zone aggregation at hub gateways, and fleet-wide propagation when connected.

Local gossip (vehicle-to-vehicle): Vehicles within DSRC range (approximately 300 meters in urban environments) exchange health vectors at 0.5 Hz. Each vehicle maintains the fields below; the Staleness Threshold column gives the maximum age at which each field still supports useful decisions — longer-lived fields like charging station status remain valid for 10 minutes because infrastructure changes slowly.

Health Field	Size	Update Frequency	Staleness Threshold
Vehicle ID + Position	12 bytes	Every exchange	30s
Battery SoC + Range	4 bytes	Every exchange	60s
Current Task Status	8 bytes	On change	120s
Road Hazard Reports	16 bytes	On detection	300s
Charging Station Status	8 bytes	On visit	600s

Zone-level aggregation: Hub gateways (vehicles stationed at distribution centers) aggregate zone health and gossip between zones via longer-range V2X communication. Zone summaries include:

• Available vehicles by capability level
• Coverage gaps (areas with no vehicle within 10 minutes)
• Charging infrastructure status
• Road condition summaries

Fleet-wide propagation: From Proposition 12 , $T = 2\ln(n)/f_g$ , so typical metropolitan fleets achieve full health convergence in under a minute, enabling real-time rebalancing of delivery assignments.

Position validation in urban environments: AUTODELIVERY faces spoofing risks from GPS multipath in urban canyons and potential adversarial spoofing from competitors or theft attempts. The function below classifies each vehicle’s claimed position \(p_i\) as true (corroborated by a nearby peer), suspect (no peer within validation range), or false (contradicted by a peer’s observation beyond the kinematically possible travel distance).

$$\text{Valid}(p_i) = \begin{cases} \text{true} & \text{if } \exists j \in \mathcal{N}_i: \|p_i - p_j^{\text{observed}}\| < \epsilon \\ \text{suspect} & \text{if no nearby peer can validate} \\ \text{false} & \text{if } \exists j: \|p_i^{\text{claimed}} - p_j^{\text{observed}}\| > d_{\text{impossible}} \end{cases}$$

where \(\epsilon = 50m\) (illustrative value) is the validation tolerance and $d_{\text{impossible}}$ is the maximum distance a vehicle could have traveled since last validated position.

Vehicles with sustained position validation failures are flagged for operational review and excluded from sensitive tasks (high-value deliveries, access to secure facilities).

Delivery coordination under partition: When a vehicle enters an underground parking garage (complete cellular blackout), it continues operating with cached task assignments. Upon emergence:

1. Gossip exchange with first encountered peer
2. Receive updates accumulated during blackout
3. Reconcile any conflicting task assignments (first-commit-wins semantics)
4. Resume normal gossip participation

Average underground dwell time: 4.2 minutes (illustrative value). With 60-second staleness threshold, vehicles emerge with stale but still-useful health data - well within the maximum useful staleness for task rebalancing decisions.

Priority-Weighted Gossip Extension

Standard gossip treats all health updates equally. In tactical environments, critical health changes (node failure, resource exhaustion, adversarial detection) should propagate faster than routine updates.

Priority classification:

• $P_{CRITICAL}$ (priority 3): Node failure, Byzantine detection, adversarial alert
• $P_{URGENT}$ (priority 2): Resource exhaustion (<10%), capability downgrade
• $P_{NORMAL}$ (priority 1): Routine health updates, minor degradation

Accelerated propagation protocol:

The gossip rate \(\lambda_p\) for priority-\(p\) messages scales the base rate by a factor proportional to priority level, where \(\eta\) is the acceleration coefficient and \(p = 1, 2, 3\) for normal, urgent, and critical messages respectively.

$$\lambda_p = \lambda_{\text{base}} \cdot (1 + \eta \cdot (p - 1))$$

where \(\eta\) is the acceleration factor (typically 2–3 (illustrative value)). Critical messages gossip at \(3\times\) normal rate.

Message prioritization in constrained bandwidth:

When bandwidth is limited, each gossip exchange prioritizes by urgency. The protocol proceeds as follows:

Step 1: Merge local and peer health vectors into a unified update set.

Step 2: Sort updates by priority (descending), then by staleness (ascending) within each priority class.

Step 3: Transmit updates in sorted order until the bandwidth budget is exhausted. The condition below permits update \(u_i\) only when all previously selected updates plus \(u_i\) itself still fit within $B_{\text{budget}}$ .

$$\text{Transmit update } u_i \text{ iff } \sum_{j < i} \text{size}(u_j) + \text{size}(u_i) \leq B_{\text{budget}}$$

Step 4: Critical override — the implication below unconditionally forces transmission of any $P_{\text{CRITICAL}}$ update regardless of whether the budget would be exceeded.

$$\text{priority}(u) = P_{\text{CRITICAL}} \implies \text{transmit}(u) = \text{true}$$

This ensures safety-critical information propagates regardless of bandwidth constraints, accepting temporary budget overrun. In each gossip round, at most $C_{\text{max}}$ concurrent \(P_\text{CRITICAL}\) overrides are processed (default: $C_{\text{max}} = 5$ (illustrative value)); excess critical messages queue for the next round. This aggregate cap prevents a burst of simultaneous critical events from collapsing the bandwidth budget entirely while still guaranteeing timely propagation of every critical message within $\lceil N_\text{crit} / C_{\text{max}} \rceil$ additional rounds, where \(N_\text{crit}\) is the number of queued critical messages.

Convergence improvement: For RAVEN with \(\eta = 2\), priority-weighted gossip triples the effective critical gossip rate, as the formula below shows by substituting $P_{\text{CRITICAL}} = 3$ into the general rate equation.

$$\lambda_{\text{crit}} = \lambda_{\text{base}} \cdot (1 + \eta \cdot (P_{\text{CRITICAL}} - 1)) = \lambda_{\text{base}} \cdot 3$$

Since convergence time scales inversely with effective rate, the ratio of normal to critical convergence times equals the ratio of critical to normal gossip rates, giving a theoretical 3x speedup for \(n = 47\) drones.

$$\frac{T_{\text{norm}}}{T_{\text{crit}}} = \frac{\lambda_{\text{crit}}}{\lambda_{\text{norm}}} = 3.0 \text{ (theoretical)}$$

Accounting for message overhead and collision backoff, the expected speedup is approximately \(2.6\times\) (illustrative value). Under the assumptions $\mathcal{A}_{\text{gossip}}$ (uniform message sizes, bounded collision probability), critical updates converge in $O(D \cdot \delta_{\text{crit}})$ versus $O(D \cdot \delta_{\text{norm}})$ for normal updates, where \(D\) is network diameter.

Anti-flood protection: To prevent priority abuse by a Byzantine node that floods $P_{\text{CRITICAL}}$ messages, the node’s historical rate of critical messages must not exceed $\rho_{\text{max}}$ ; the condition below enforces this per-source rate limit.

$$\text{Allow } P_{\text{CRITICAL}} \text{ from node } i \text{ iff } \frac{N_{\text{crit}}^i(t)}{t - t_{\text{start}}} < \rho_{\text{max}}$$

where $\rho_{\text{max}} \approx 0.01$ messages/second (illustrative value). Exceeding this rate triggers trust decay.

Combined fleet critical-message rate bound: with \(n\) nodes each at the per-source rate limit \(\rho_\text{max}\), the maximum combined critical-message rate is $n \cdot \rho_\text{max}$ . For RAVEN (\(n=47\), $\rho_\text{max} = 0.01\,\text{msg/s}$ ), this yields at most 0.47 forced-critical messages per second (illustrative value) across the fleet — approximately 15–20 bytes/s overhead (illustrative value) assuming 40-byte messages, well within the minimum bandwidth floor \(B_\text{min}\). Deployments with $n > B_\text{min}/(40 \cdot \rho_\text{max})$ must lower \(\rho_\text{max}\) proportionally.

Bandwidth Asymmetry and Ingress Filtering

The gossip prioritization above assumes backhaul bandwidth is scarce but nonzero. At the extreme — when the radio link is a tiny fraction of the local sensor bus — prioritization alone is insufficient. The node must also decide which metrics are worth transmitting at all.

Define the bandwidth asymmetry ratio:

$$\beta = \frac{B_b}{B_l}$$

where \(B_b\) is backhaul bandwidth (radio uplink) and \(B_l\) is local bus bandwidth (intra-node sensor bus). Typical edge values: $B_b \approx 9.6\,\text{kbps}$ (illustrative value) (tactical HF radio), $B_l \approx 100\,\text{Mbps}$ (illustrative value) (sensor bus), giving $\beta \approx 10^{-4}$ (illustrative value). At \(\beta < 0.01\), the backhaul is less than 1% of local capacity. Sending everything the node observes locally is physically impossible.

Physical translation: The backhaul link carries only 1 Mbps when the local sensor bus runs 100 Mbps — a 10,000:1 gap. You must discard 99.99% of local observations before they can leave the device. This is not a cost optimisation; it is a physical constraint that makes centralised aggregation architecturally impossible at full sensor resolution.

Definition 25 (Bandwidth-Asymmetry Ingress Filter). The ingress filter $\Pi: \mathcal{T} \times \mathbb{R}_{\geq 0} \to \{0,1\}$ determines whether metric $m \in \mathcal{T}$ observed at time \(t\) is transmitted:

$$\Pi(m,\,t) = \begin{cases} 1 & \text{if priority}(m) = P_{\text{CRITICAL}} \\ 1 & \text{if } t - t_{\text{last}}(m) > \tau_{\max} \\ 1 & \text{if } \dfrac{|m(t) - m(t_{\text{last}})|}{m_{\text{range}}} > \dfrac{\theta_\Pi}{\beta} \\ 0 & \text{otherwise} \end{cases}$$

Here $C_{\text{proc}}$ is the local processing capacity in bytes/s; the filter drops input that exceeds $C_{\text{proc}} \cdot T_{\text{tick}}$ bytes per scheduling window.

Physical translation: On a severely bandwidth-constrained uplink ($\beta = 10^{-4}$ ), only a metric that has changed by more than 10% of its full operating range is worth transmitting — anything smaller is noise relative to the channel’s information capacity. The filter enforces this automatically: safety-critical events always get through ($P_{\text{CRITICAL}}$ override), stale readings are forced through at $\tau_{\max}$ to keep the MAPE-K loop alive, and everything else is silenced until the change is large enough to be actionable. The result is a 100,000-fold reduction in radio transmissions on a 72-hour mission with no loss of decision-relevant information.

where $m(t_{\text{last}})$ is the last transmitted value of \(m\), $m_{\text{range}}$ is the metric’s operational dynamic range, \(\theta_\Pi\) is a baseline sensitivity parameter, \(\beta = B_b/B_l\) is the bandwidth asymmetry ratio, and $\tau_{\max}$ is the maximum useful staleness bound from Proposition 14 .

Three conditions trigger transmission (any one suffices): P_CRITICAL metrics bypass the filter entirely so safety-critical information always transmits; even a slowly changing metric transmits at least once per $\tau_{\max}$ so the MAPE-K loop never starves on stale P2/P3 inputs (a metric silent beyond $\tau_{\max}$ carries zero confidence and must refresh, tying directly to Proposition 14 ); and as $\beta \to 0$ the normalized-change threshold $\theta_\Pi/\beta \to \infty$ , so only extreme deviations transmit in normal operation.

Calibration example for OUTPOST ($\beta = 10^{-4}$ , \(\theta_\Pi = 0.001\)):

Metric	Normal threshold	Filtered threshold ($\theta_\Pi/\beta$ )	Interpretation
Temperature drift	\(0.1\,^\circ\text{C}\) (0.1% of \(100\,^\circ\text{C}\) range)	\(10\,^\circ\text{C}\) (10% of range)	Only transmit on significant excursion
Battery state-of-charge	1% change	10% change	Coarse reporting only
Seismic amplitude	any spike	always (P_CRITICAL)	Bypasses filter
Mesh link quality	5% drop	50% drop	Catastrophic degradation only

The filter preserves the P0–P2 observability hierarchy: availability (P0) and resource exhaustion (P1) metrics carry P_CRITICAL priority and are never dropped; performance (P2) and anomaly (P3) metrics are subject to the \(\beta\)-scaled threshold.

Energy connection: Each filtered-out metric saves \(T_s\) joules ( Definition 2 ). Over a 72-hour partition with 1,000 sensor metrics updating at 1 Hz, filtering to $\beta = 10^{-4}$ reduces transmissions from 259 million potential packets to fewer than 2,600 — a 100,000x reduction in radio energy expenditure, directly extending battery life.

Gossip Under Partition

Fleet partition creates isolated gossip domains. Within each cluster, convergence continues at rate $O(\ln n_{\text{cluster}})$ . Between clusters, state diverges until reconnection.

Remark (Partition Staleness). For node \(i\) in cluster \(C_1\) observing node \(j\) in cluster \(C_2\), staleness - the elapsed time since observation - accumulates from partition time \(t_p\):

$$\tau_{ij}(t) = t - t_p + \tau_{ij}(t_p)$$

The staleness grows unboundedly during partition, eventually exceeding any useful threshold.

The diagram below shows two gossip clusters separated by a hard partition: gossip continues normally within each cluster (solid edges), but the severed link (crossed dashed edge) blocks all cross-cluster exchanges.

    
    graph LR
    subgraph Cluster_A["Cluster A (gossip active)"]
    A1[Node 1] --- A2[Node 2]
    A2 --- A3[Node 3]
    A1 --- A3
    end
    subgraph Cluster_B["Cluster B (gossip active)"]
    B1[Node 4] --- B2[Node 5]
    B2 --- B3[Node 6]
    B1 --- B3
    end
    A3 -.-x|"PARTITION
No communication"| B1

    style Cluster_A fill:#e8f5e9
    style Cluster_B fill:#e3f2fd

Read the diagram: Within each cluster (green and blue subgraphs), gossip continues normally — solid edges show active exchanges. The crossed dashed edge between Cluster A and Cluster B is severed; no health information crosses that boundary. Each cluster converges to a locally-consistent but globally-stale view. Cross-cluster staleness accumulates for as long as the partition persists.

Cross-cluster state tracking:

Each node maintains a partition vector \(\rho_i\) that records, for every other node \(j\), either zero (still reachable) or the timestamp of the last confirmed contact (if unreachable), enabling staleness calculations when connectivity is later restored.

$$\rho_i[j] = \begin{cases} 0 & \text{if } j \text{ reachable directly or via gossip} \\ \text{hlc}_{\text{last}} & \text{if } j \text{ unreachable} \end{cases}$$

where $\text{hlc}_{\text{last}}$ is the HLC timestamp ( Definition 61 ) of the last confirmed contact, recorded as an HLC timestamp rather than wall-clock time, to preserve causal ordering across nodes with clock drift.

When \(\rho_i[j] > 0\) and $t - \rho_i[j] > \tau_{\text{max}}$ , node \(i\) marks its knowledge of node \(j\) as uncertain rather than stale.

Reconciliation priority:

Upon reconnection, nodes exchange partition vectors. The formula below assigns reconciliation priority to each node \(j\) as the product of how long it has been partitioned ($t_{\text{reconnect}} - \rho[j]$ ) and its operational importance weight, so cluster leads and critical sensors are updated first.

$$\text{Priority}(j) = (t_{\text{reconnect}} - \rho[j]) \cdot \text{Importance}(j)$$

Nodes with longest partition duration and highest importance (cluster leads, critical sensors) reconcile first.

Confidence Intervals on Stale Data

Health observations age. A drone last heard from 30 seconds ago may have changed state since then.

Definition 26 (Staleness). The staleness \(\tau_\text{stale}\) of an observation is the elapsed time since the observation was made. An observation with staleness \(\tau_\text{stale}\) has uncertainty that grows with \(\tau_\text{stale}\) according to the underlying state dynamics.

In other words, the older a health reading is, the less reliable it becomes — not because the data was wrong when recorded, but because the underlying system may have changed in the intervening time.

Model health as a stochastic process. If health evolves with variance \(\sigma^2\) per unit time, the formula below gives the \((1-\alpha)\) confidence interval around the last known health value $h_{\text{last}}$ : the half-width grows as $\sqrt{\tau_\text{stale}}$ , so uncertainty widens slowly at first and then accelerates.

$$\text{CI} = h_{\text{last}} \pm z_{\alpha/2} \sigma \sqrt{\tau_{\text{stale}}}$$

Physical translation: The confidence interval widens as the square root of elapsed time \(\tau_\text{stale}\). A node last seen 4 seconds ago has twice the uncertainty of a node last seen 1 second ago. At 100 seconds, the interval has grown 10x from its initial width. When the interval spans a capability-level boundary, you can no longer make reliable decisions about that node.

Where:

• $h_{\text{last}}$ = last observed health value
• \(\tau_\text{stale}\) = time since observation
• \(\sigma\) = health volatility parameter
• $z_{\alpha/2}$ = confidence multiplier (1.96 for 95%)

Assumption: Health evolves as a Brownian diffusion with variance \(\sigma^2\) per unit time, so the \((1-\alpha)\) confidence interval grows as $\sqrt{\tau_{\text{stale}}}$ . This assumption breaks for strongly mean-reverting or bounded metrics (e.g., binary health indicators), where alternative staleness models should be used.

Implications for decision-making:

The CI width grows as $\sqrt{\tau_{\text{stale}}}$ — a consequence of the Brownian motion model. This square-root scaling means confidence degrades slowly at first but accelerates with staleness .

When the CI spans a decision threshold (like the $\mathcal{L}_2$ capability boundary), you can’t reliably commit to that capability level . The staleness has exceeded the decision horizon for that threshold - the maximum time at which stale data can support the decision.

Different decisions have different horizons. Safety-critical decisions with narrow margins have short horizons. Advisory decisions with wide margins have longer horizons. The system tracks staleness against the relevant horizon for each decision type.

When confidence is insufficient, three response strategies apply: attempt direct communication to get a fresh observation, assume health at the lower bound of the CI as a conservative fallback, or escalate observation priority by increasing the gossip rate for that node.

Proposition 14 (Maximum Useful Staleness). For a health process modeled as Brownian diffusion with volatility \(\sigma\) (as in Definition 26 ), and a decision requiring discrimination at precision \(\Delta h\) with confidence \(1 - \alpha\), the maximum useful staleness is:

Beyond this age, uncertainty has grown too wide to distinguish normal from anomalous — old data misleads rather than informs.

$$\tau_{\text{max}} = \left( \frac{\Delta h}{z_{\alpha/2}\, \sigma} \right)^2$$

Physical translation: Maximum sensor reading age before the confidence interval widens enough to straddle the decision threshold. After $\tau_{\text{max}}$ , the reading contributes less certainty than not measuring at all — old data becomes an active liability, not just a passive gap.

where $z_{\alpha/2}$ is the standard normal quantile and \(\Delta h\) is the acceptable drift. Beyond $\tau_{\text{max}}$ , the confidence interval spans the decision threshold and the observation cannot support the decision.

Proof: Under the diffusion model ( Definition 26 ), health evolves as a Brownian process with variance \(\sigma^2\) per unit time. Given the last observation at time \(t_0\), the current state at time \(t_0 + \tau\) lies within a \((1-\alpha)\) confidence interval of half-width $z_{\alpha/2} \sigma \sqrt{\tau}$ . Setting this equal to the required decision precision \(\Delta h\) and solving for \(\tau\) gives the result. Under the diffusion model, the staleness bound is independent of observation rate \(\lambda\) — more frequent observations do not reduce uncertainty about the current state between observations, only about the state at each observation time.

Corollary 4. The quadratic relationship $\tau_{\text{max}} \propto (\Delta h / \sigma)^2$ implies that tightening decision margins dramatically reduces useful staleness . Systems with narrow operating envelopes must refresh observations more frequently — not because more observations narrow the diffusion uncertainty, but because each observation must occur before the health state drifts by \(\Delta h\).

Time-varying \(\sigma\) caveat: Prop 5 assumes constant measurement volatility \(\sigma\). OUTPOST thermistors exhibit $\sigma(T) \approx 0.05 + 0.003 \cdot |T - T_{\text{ref}}|\,{^\circ}\text{C}$ — three times higher (illustrative value) at $-30\,{^\circ}\text{C}$ than at $20\,{^\circ}\text{C}$ .

For sensors with temperature-correlated variance, substitute $\sigma_{\max} = \max_{T \in \text{operating range}} \sigma(T)$ as a conservative upper bound on $\tau_{\max}$ . This produces a shorter, conservative staleness limit.

Decision systems with narrow operating envelopes ($\Delta h < 0.1\,{^\circ}\text{C}$ ) will find $\tau_{\max}$ below 10 seconds (illustrative value) in cold conditions — requiring far higher gossip rates than a lab-temperature calibration implies.

Empirical status: The $\tau_{\text{max}}$ formula is exact given the Brownian diffusion model and the parameters \(\sigma\), \(\Delta h\), \(\alpha\). The OUTPOST temperature-variance model $\sigma(T) \approx 0.05 + 0.003|T - T_{\text{ref}}|$ is a representative sensor-datasheet curve; actual values vary by manufacturer and operating history. The “under 10 seconds” characterization for fast-moving deployments is an illustration, not a measured bound.

Watch out for: the Brownian diffusion model captures gradual drift but not abrupt failures; a sensor that jumps discontinuously to a failed state exceeds \(\Delta h\) in a single tick regardless of \(\tau_{\max}\), so the staleness bound does not constrain step-function fault modes.

Byzantine-Tolerant Health Aggregation

In contested environments, some nodes may be compromised. They may inject false health values to:

• Mask their own degradation (hide compromise)
• Cause healthy nodes to appear degraded (create confusion)
• Destabilize fleet-wide health estimates (denial of service)

Definition 27 ( Byzantine Node). A node is Byzantine if it may deviate arbitrarily from the protocol specification, including sending different values to different peers, reporting false observations, or selectively participating in gossip rounds [7] .

In other words, a Byzantine node is one that cannot be assumed to behave honestly in any predictable way — unlike a crashed node, it may actively lie, and it may lie differently to different neighbors simultaneously.

Scope: this threat model applies within a single partition epoch — specifically to gossip health aggregation while nodes are co-partitioned and can observe each other’s messages. Post-reconnection Byzantine treatment (reputation-weighted CRDT admission, quorum-gated state merge) builds on this foundation but introduces additional per-epoch mechanisms addressed in Fleet Coherence Under Partition.

Compute Profile: CPU: $O(n \log n)$ per aggregation round — trust-weighted trimmed mean requires sorting $n$ reporters by trust weight before trimming. Memory: $O(n \cdot W)$ — consistency-history buffer of $W$ rounds and $n$ nodes; this buffer becomes the binding constraint above $n = 200$ nodes.

The aggregation function uses a trust-weighted trimmed mean: the bottom and top \(f/n\) weight fractions are excluded before computing the weighted average. This makes the aggregate robust to up to \(f\) Byzantine contributors.

Weighted voting based on trust scores. The formula below computes a trust-weighted average of each node’s reported health for member \(k\), where \(T_i\) is the accumulated trust score of reporting node \(i\); nodes with low or decayed trust contribute proportionally less to the aggregate.

$$h_k^{\text{aggregated}} = \frac{\sum_i T_i \cdot h_k^i}{\sum_i T_i}$$

Physical translation: This is a weighted average where each reporter’s vote is scaled by its accumulated trust. A node with trust 0.9 influences the aggregate nine times more than a node with trust 0.1. A node whose trust has decayed to 0.01 — due to repeated inconsistent reports — is almost completely silenced without being formally ejected.

Where \(T_i\) is the trust score of node \(i\). Trust is earned through consistent, verifiable behavior and decays when inconsistencies are detected.

Outlier detection on received health reports: A report from node \(i\) about node \(k\) is flagged suspicious when the absolute deviation from the current consensus value exceeds the outlier threshold $\theta_{\text{outlier}}$ .

$$\text{suspicious} = |h_k^i - h_k^{\text{consensus}}| > \theta_{\text{outlier}}$$

Repeated suspicious reports decrease trust score for node \(i\).

Isolation protocol for nodes with inconsistent claims:

1. Track history of claims per node (sliding window of \(W\) rounds; memory: \(O(n \cdot W)\) bits)
2. Compute consistency score: fraction of claims matching consensus
3. If consistency below threshold, quarantine node from health aggregation
4. Quarantined nodes can still participate but their reports are not trusted

Memory bound: For \(n = 50\) nodes (illustrative value) and \(W = 100\) rounds (illustrative value), history storage requires \(50 \times 100 / 8 = 625\) bytes (illustrative value) using 1-bit flags per observation.

Proposition 15 ( Byzantine Tolerance Bound). With trust-weighted aggregation, correct health estimation is maintained if the total Byzantine trust weight is bounded [7, 8] :

Correct consensus holds as long as compromised nodes collectively carry less than one-third of total trust weight (theoretical bound — derived from the structure of trust-weighted BFT aggregation; not an empirical measurement).

$$\sum_{\text{Byzantine}} T_i < \frac{1}{3} \sum_{\text{all}} T_i$$

This generalizes the classical \(f < n/3\) bound: with uniform trust weights \(T_i = 1\), this reduces to \(f < n/3\) (fewer than one third of nodes are Byzantine ). With trust decay on suspicious nodes, Byzantine influence decreases over time, allowing tolerance of more compromised nodes provided their accumulated trust is low.

Equal initial weights give an attacker a free \(1/n\) share of influence from the first gossip round; hardware-attested enrollment delays that influence until the device earns it through observed behavior.

This is not foolproof - a sophisticated adversary who understands the aggregation mechanism can craft attacks that pass consistency checks. Byzantine tolerance provides defense in depth, not absolute security.

Bootstrap dependency: Trust weights \(w_i\) require an initialization source. Without a functional PKI at deployment time, the only option is uniform \(w_i = 1\), which reduces Prop 6 to the classical \(f < n/3\) bound. A Byzantine node that corrupts its weight record before the reputation system accumulates any observations inflates its influence above the \(1/3\) threshold from the first gossip round.

The operational implication: trust weight initialization requires a hardware root of trust — secure boot attestation or a pre-deployment enrollment step that cryptographically binds \(w_i\) to a device identity. Systems without enrollment have no Byzantine tolerance guarantee at startup. Prop 6 applies only after each node has accumulated sufficient legitimate observations to build a meaningful trust differential (in practice: \(\geq 20\) (illustrative value) gossip exchanges with a given peer).

Trust accumulation attack: The \(f < n/3\) bound is instantaneous. An adversary can compromise nodes gradually, with each behaving honestly until sufficient trust accumulates. When $\sum_{\text{compromised}} T_i$ approaches $\frac{1}{3} \sum_{\text{all}} T_i$ , coordinated Byzantine behavior can dominate aggregation before detection triggers trust decay.

Trust budget decay bounds the maximum trust any coalition can accumulate: total system trust $\sum_i T_i$ decreases over time unless re-earned through verified behavior:

$$T_{\text{budget}}(t+1) = T_{\text{budget}}(t) \cdot (1 - \epsilon) + T_{\text{earned}}(t), \quad \epsilon \ll \gamma_{\text{recover}}$$

Condition	Strategy	Complexity	Byzantine tolerance
< 10 nodes, all trusted	Weighted voting (uniform trust)	\(O(n)\)	\(f < n/3\) with equal weights
> 10 nodes, mixed trust history	Trust-weighted trimmed mean + reputation	\(O(n \log n)\)	\(f < n/3\), adaptive over ~20 rounds (illustrative value)
Adversarial enrollment suspected	Reputation filter + behavioral fingerprint consistency check	\(O(n) + O(w)\) window	\(f < n/3\) guaranteed after consistency filter

Empirical status: The \(f < n/3\) bound is a proven impossibility result (Lamport-Shostak-Pease). The trust-weighted generalization is analytically derived. The parameters $\gamma_{\text{decay}} \approx 0.1$ (illustrative value), $\gamma_{\text{recover}} \approx 0.01$ (illustrative value), $\theta_{\text{recovery}} \approx 0.95$ , and the 20-round warm-up figure are engineering design choices, not empirically validated values.

Watch out for: the bound is instantaneous — it holds only while Byzantine trust weight remains below \(1/3\) at every moment; if trust weights are not updated continuously, a slow accumulation attack can cross the one-third threshold before the decay mechanism responds.

Optional: Game-Theoretic Extension — Byzantine Reporting as a Signaling Game

Proposition 15 ’s fraction bound $\sum_{\text{Byz}} T_i < \frac{1}{3}\sum_{\text{all}} T_i$ assumes Byzantine behavior is a fixed fraction, not a strategic choice. A strategic Byzantine node maximizes its trust weight to amplify its influence.

Signaling game: Each node \(i\) has true health $h_i^{\text{true}}$ . A Byzantine node selects reported health \(\hat{h}_i\) to maximize detection error. The trust weight $w = e^{-\gamma_s\tau}$ rewards freshness - a Byzantine node maintaining \(\tau \approx 0\) (frequent fresh reports) achieves maximum trust weight while reporting inverted health values $\hat{h}_i = 1 - h_i^{\text{true}}$ .

The staleness -decay flaw: The current trust model rewards Byzantine node s who invest in frequent reporting. The corrected trust weight below multiplies the staleness factor by a hard consistency indicator — zero weight is assigned whenever the node’s report contradicts neighbor-model predictions, regardless of how fresh the report is.

$$w_j^{\text{trust}} = e^{-\gamma_s\tau} \cdot \mathbb{1}\!\left[\hat{h}_j \text{ consistent with neighbor predictions}\right]$$

Reputation update: The EWMA-like update below maintains a reputation score \(r_j(t) \in [0,1]\) for each node, blending the previous score (weight \(\alpha\)) with a binary consistency indicator for the current round (weight \(1-\alpha\)), where $\hat{h}_j^{\text{pred}}(t)$ is the neighbor-model prediction and \(\delta\) is the consistency tolerance.

$$r_j(t+1) = \alpha \cdot r_j(t) + (1-\alpha) \cdot \mathbb{1}\!\left[|\hat{h}_j(t) - \hat{h}_j^{\text{pred}}(t)| < \delta\right]$$

where $\hat{h}_j^{\text{pred}}(t)$ is the prediction from neighbor models. Nodes with consistent reports (honest or genuinely healthy) maintain high \(r_j\); Byzantine node s whose inversions conflict with neighbor cross-validation see \(r_j \to 0\) over time.

Practical implication: Replace staleness -only trust weights with reputation-weighted trust. For OUTPOST ’s 127-sensor mesh, this catches both adversarial Byzantine sensors and genuinely malfunctioning sensors without false Byzantine labels - failing sensors produce noisy (not inverted) reports, which are distinguishable from strategic inversion.

Trust Recovery Mechanisms

Trust decay handles misbehaving nodes, but legitimate nodes may be temporarily compromised (e.g., sensor interference, transient fault) and later recover. A purely decaying trust model permanently punishes temporary failures.

Trust recovery model:

Trust evolves according to a mean-reverting process: each round it either decays multiplicatively toward zero on an inconsistent report or recovers toward $T_{\text{max}}$ on a consistent one, with $\gamma_{\text{decay}}$ and $\gamma_{\text{recover}}$ controlling the respective speeds.

$$T_i(t+1) = \begin{cases} T_i(t) \cdot (1 - \gamma_{\text{decay}}) & \text{if inconsistent} \\ T_i(t) + \gamma_{\text{recover}} \cdot (T_{\text{max}} - T_i(t)) & \text{if consistent} \end{cases}$$

where $\gamma_{\text{decay}} \approx 0.1$ (illustrative value) (fast decay) and $\gamma_{\text{recover}} \approx 0.01$ (illustrative value) (slow recovery). The asymmetry ensures that building trust takes longer than losing it — appropriate for contested environments.

Recovery conditions:

Trust recovery does not begin immediately after one good report; a node becomes eligible only when its consistency fraction over the recent window \(W\) exceeds the threshold $\theta_{\text{recovery}}$ .

$$\text{Recovery eligible iff } \frac{\text{consistent reports in window } W}{\text{total reports in } W} > \theta_{\text{recovery}}$$

where \(W\) is typically 50–100 gossip rounds (illustrative value) and $\theta_{\text{recovery}} \approx 0.95$ (illustrative value). A node with even 5% inconsistent reports continues decaying.

Sybil attack resistance:

An adversary creating multiple fake identities (Sybil attack) can attempt to dominate the trust-weighted aggregation. Four countermeasures compose the defense. Identity binding requires nodes to prove identity through cryptographic challenge-response or physical attestation (GPS position consistency over time). Trust inheritance limits ensure new nodes start with $T_{\text{initial}} = T_{\text{sponsor}} \cdot \beta$ where \(\beta < 0.5\), so no node can spawn high-trust children; the minimum inheritance bound $\beta \geq \beta_\text{min} = 0.05$ (illustrative value) prevents a sponsoring node from setting \(\beta \approx 0\) as a denial-of-service against fleet expansion, placing the usable range at \(\beta \in [0.05, 0.5)\) (illustrative value). A global trust budget caps the sum of trust scores across all nodes at $T_{\text{max}} \cdot n_{\text{expected}}$ :

$$\sum_i T_i \leq T_{\text{budget}} = T_{\text{max}} \cdot n_{\text{expected}}$$

New node admission therefore requires either trust redistribution or explicit authorization. Behavioral clustering groups nodes with suspiciously correlated behavior (same reports, same timing) and caps their combined trust at the maximum of any single member — not the sum — preventing a coalition of colluders from accumulating more influence than one honest node:

$$T_{\text{cluster}} = \max_{i \in \text{cluster}} T_i \quad \text{(not sum)}$$

Trust recovery example:

CONVOY vehicle V3 experiences temporary GPS interference causing inconsistent position reports for 10 minutes, dropping trust from 1.0 to 0.35. After interference clears, trust rises to 0.42 in the first 5 minutes of consistent reports, to 0.58 over the following 10 minutes, to 0.78 by 30 minutes, and returns to 0.95 after 1 hour of consistency. The slow recovery prevents adversaries from rapidly cycling between attack and “good behavior” phases.

Behavioral Fingerprinting and Proof of Useful Work

Trust decay and cross-validation (above) detect nodes that report inconsistent health values. They do not detect a more sophisticated adversary: a node that reports plausible health values — passing every consistency check — while its anomaly detector has been disabled, replaced with a random-number generator, or is producing outputs uncalibrated to actual sensor data. A heartbeat proves the node is alive; cross-validation proves the node is reporting plausibly; neither proves the node is doing useful work.

Definition 28 (Behavioral Fingerprint). The behavioral fingerprint of node \(i\) over observation window \([t - w, t]\) is the tuple $\varphi_i(t) = (\mathcal{F}_i,\, \mathcal{K}_i,\, \mathcal{R}_i)$ :

• $\mathcal{F}_i$ : the empirical CDF of Kalman anomaly scores $\{z_s^K\}_{s \in [t-w,t]}$ . Under a calibrated detector running on real data, $\mathcal{F}_i \approx \Phi$ (standard normal CDF).
• $\mathcal{K}_i$ : the cross-correlation matrix $\rho_{ij} = \operatorname{Corr}(z_i^K(s), z_j^K(s))$ for each neighbor \(j \in N(i)\) over \([t-w,t]\). Under genuine sensor readings, $\rho_{ij}$ matches the known physical correlation from the deployment calibration.
• $\mathcal{R}_i$ : the action rate vector — counts of healing decisions per severity level per hour, which must be consistent with the observed anomaly rate implied by $\mathcal{F}_i$ .

Proof of Useful Work (KS test on anomaly score distribution). Node \(i\) passes the fingerprint test if the Kolmogorov-Smirnov statistic \(D_w\) is below the critical value:

$$D_w = \sup_{x \in \mathbb{R}} \left|\hat{F}_i(x) - \Phi(x)\right| \leq c_{\alpha,w} = \sqrt{\frac{-\ln(\alpha/2)}{2w}}$$

where $\hat{F}_i$ is the empirical CDF of $\{z_s^K\}$ and $c_{\alpha,w}$ is the KS critical value at significance \(\alpha\) with window \(w\).

What each component catches:

Adversary behavior	\(\mathcal{F}_i\) signature	\(\mathcal{K}_i\) signature	Detected?
Dead detector (always \(z=0\))	\(D_w \approx 0.5\) (point mass at 0)	$\rho_{ij} \approx 0$	Yes — \(\mathcal{F}_i\) fails KS
Frozen detector (constant \(z\))	\(D_w \approx 0.5\)	$\rho_{ij} \to \infty$	Yes — \(\mathcal{F}_i\) fails KS
Spoofed: fake \(\mathcal{N}(0,1)\) draws	\(D_w \approx 0\) — passes \(\mathcal{F}_i\)	$\rho_{ij} \approx 0$ — wrong	Yes — \(\mathcal{K}_i\) fails
Calibrated Byzantine (inverted)	\(D_w \approx 0\)	$\rho_{ij}$ matches	No — actions \(\mathcal{R}_i\) inconsistent
Genuine useful work	$D_w \leq c_{\alpha,w}$	$\rho_{ij}$ matches	Passes all three

To pass both $\mathcal{F}_i$ (genuine normal distribution) and $\mathcal{K}_i$ (correct spatial correlation with all neighbors), an adversary must either run a genuinely calibrated detector on actual sensor data — which is the useful work required — or learn the full spatial correlation structure $\{\rho_{ij}\}$ for all neighbors and generate synthetic correlated noise, which requires communicating with all neighbors continuously, making the adversary detectable via traffic analysis and increasing their energy expenditure above Definition 2 ’s threshold.

Physical translation: A node that is genuinely running an anomaly detector on real sensor data will produce anomaly scores that look like a standard normal distribution (by construction of the Z-score) and will be spatially correlated with neighbors measuring the same physical environment. A node that is dead, frozen, or generating synthetic scores will fail one of these three checks within 30 minutes of data collection. The key practical consequence: this fingerprint catches malfunctioning sensors that accidentally mimic Byzantine behavior — frozen sensors, dead sensors, calibration drift — without requiring any dedicated Byzantine detection protocol.

Connection to Definition 27 ( Byzantine Node): Def 7 identifies Byzantine nodes as those that may deviate arbitrarily from the protocol. Prop 6’s trust bound stops them from dominating aggregation. Definition 28 adds a third line of defense that complements both: it is triggered not by what a node reports but by whether the reporting process itself is consistent with genuine sensor-coupled inference. A Byzantine node that understands and avoids Prop 6’s trust threshold can still be caught by the fingerprint’s spatial correlation test, provided the physical environment is not under the adversary’s full control.

OUTPOST calibration: Window \(w = 1800\) samples (30 minutes at $\lambda = 1\,\text{Hz}$ ), \(\alpha = 0.01\) — giving $c_{0.01,\, 1800} \approx 0.038$ . For a dead detector: \(D_w = 0.5 \gg 0.038\) — detected in 30 minutes. For a fake-$\mathcal{N}(0,1)$ generator: $\mathcal{F}_i$ passes, but $\rho_{ij} = 0$ vs. expected $\rho_{ij} \approx 0.3$ (thermal correlation between adjacent sensors) — detected by Fisher z-test on the correlation difference within the same window.

Fingerprint Warm-Up Quarantine

Any node that re-enters the fleet after a partition of duration $T_\text{partition} > T_\text{fp,window}$ is placed in Provisional Status for a minimum of \(T_\text{fp,window}\) before its gossip messages are admitted to fleet consensus. During Provisional Status: (1) the node’s messages are forwarded as read-only advisory input — visible to peers but not updating the Welford estimator or gossip health vectors; (2) the rehabilitation gate ( Trust-Root Anchor protocol) applies concurrently, requiring \(r\) consecutive clean observations; (3) both conditions must be satisfied before full fleet membership is restored.

For OUTPOST, the combined entry barrier is $\max(T_\text{fp,window}, r \cdot T_\text{tick}) = \max(1800\,\text{s}, 5 \times 120\,\text{s}) = 1800\,\text{s}$ — 30 minutes regardless of tick rate.

Physical translation: A returning node earns read-only observer status immediately but cannot influence fleet decisions for 30 minutes. This is the same logic a hospital uses for a patient returning from isolation — they can speak and be heard, but cannot handle shared equipment until cleared.

Federated Learning for Distributed Health Models

Individual nodes learn anomaly detection models from local data. But local data is limited - each node sees only its own failures and operating conditions. Federated learning enables fleet-wide model improvement without centralizing sensitive telemetry data.

The Federated Learning Problem for Edge Health:

(Notation: in this section and throughout federated learning, \(\theta\) and $\theta_{\text{ml}}^*$ denote ML model parameter vectors — weights of the anomaly detection model. This is distinct from \(\theta^*\) in Propositions 9–19 , where it denotes the scalar anomaly detection threshold. Context distinguishes the two; the subscript \(\theta_k\) (node-local model) vs. \(\theta^*\) (optimal threshold) disambiguates when both appear.)

Traditional ML requires centralized data. The objective below finds model parameters $\theta_{\text{ml}}^*$ that minimize total loss $\mathcal{L}$ across all \(n\) labeled samples \((x_i, y_i)\) pooled in one place.

$$\theta_{\text{ml}}^* = \arg\min_\theta \sum_{i=1}^{n} \mathcal{L}(f_\theta(x_i), y_i) \quad \text{(centralized)}$$

Federated learning distributes the same optimization across \(K\) nodes so that only gradient updates — not raw telemetry — travel over the network. Each node \(k\) minimizes its own local loss $\mathcal{L}_k(\theta)$ over its private dataset \(D_k\) of size \(n_k\), and the contributions are weighted by data-set size to approximate the global optimum $\theta_{\text{ml}}^*$ .

$$\theta_{\text{ml}}^* = \arg\min_\theta \sum_{k=1}^{K} \frac{n_k}{n} \mathcal{L}_k(\theta) \quad \text{where } \mathcal{L}_k(\theta) = \frac{1}{n_k} \sum_{i \in D_k} \mathcal{L}(f_\theta(x_i), y_i)$$

Each node \(k\) computes local gradients; only gradients (not data) are shared.

Federated Averaging (FedAvg) for Edge Deployment: The diagram shows one complete round — server broadcast, parallel local SGD on each node, then weighted aggregation back to the server; data never leaves each node, only gradient updates travel.

    
    graph TD
    subgraph "Round t"
        S1["Server broadcasts
global model theta_ml(t)"]
        C1["Node 1: Local SGD
theta_ml1(t+1) = theta_ml(t) - eta*dL1"]
        C2["Node 2: Local SGD
theta_ml2(t+1) = theta_ml(t) - eta*dL2"]
        C3["Node K: Local SGD
theta_mlk(t+1) = theta_ml(t) - eta*dLk"]
        A1["Server aggregates
theta_ml(t+1) = sum(nk/n)*theta_mlk(t+1)"]
    end

    S1 --> C1
    S1 --> C2
    S1 --> C3
    C1 --> A1
    C2 --> A1
    C3 --> A1
    A1 --> S2["Round t+1"]

    style S1 fill:#e3f2fd,stroke:#1976d2
    style A1 fill:#e3f2fd,stroke:#1976d2
    style C1 fill:#e8f5e9,stroke:#388e3c
    style C2 fill:#e8f5e9,stroke:#388e3c
    style C3 fill:#e8f5e9,stroke:#388e3c

Read the diagram: The server broadcasts the current global model to all nodes (blue). Each node runs several steps of local gradient descent on its own private data (green) — raw telemetry never leaves the node. Nodes return only their updated weights. The server aggregates these weighted by dataset size and produces a better global model for the next round. Raw sensor data stays local; only model weights travel.

Adaptation for contested connectivity:

Standard FedAvg assumes synchronous communication — all nodes participate in each round. Edge systems require asynchronous federated learning with three key adaptations. Each round includes only nodes with connectivity; the formula below aggregates the available subset \(S_t\) using data-size weights \(n_k\), so the update is still an unbiased estimator of the full-data gradient when participation is random:

$$\theta^{(t+1)} = \frac{\sum_{k \in S_t} n_k \theta_k^{(t+1)}}{\sum_{k \in S_t} n_k}$$

where $S_t \subseteq \{1, ..., K\}$ is the set of participating nodes in round \(t\). Nodes may also contribute gradients computed from stale global models; the staleness -discounted weight \(w_k\) reduces a node’s contribution exponentially with the number of rounds \(\tau_k\) elapsed since its last synchronization:

$$w_k = \frac{n_k}{n} \cdot \gamma_{\text{fed}}^{\tau_k}$$

where \(\tau_k\) is the model staleness (rounds since last sync) and \(\gamma_{\text{fed}} \in (0.9, 0.99)\) is the per-round staleness discount for federated gradient aggregation. (We write \(\gamma_{\text{fed}}\) rather than bare \(\gamma\) to distinguish from \(\gamma_s\), the staleness decay rate in the gossip weight formula, and from the Holt-Winters seasonal coefficient \(s_{\text{hw}}\).) For large fleets, two-level hierarchical aggregation reduces coordination: during partition, each connected cluster performs intra-cluster aggregation independently, and cross-cluster aggregation resumes upon reconnection with staleness weighting. The diagram below shows the two-level structure: individual nodes feed cluster aggregators, which in turn feed a fleet-level aggregator that produces the global model \(\theta^*\).

    
    graph TD
    subgraph "Local Clusters"
        N1["Node 1"] --> L1["Cluster 1
Aggregator"]
        N2["Node 2"] --> L1
        N3["Node 3"] --> L2["Cluster 2
Aggregator"]
        N4["Node 4"] --> L2
    end

    subgraph "Fleet Level"
        L1 --> G["Fleet
Aggregator"]
        L2 --> G
    end

    G --> M["Global Model
theta*"]

    style L1 fill:#fff3e0,stroke:#f57c00
    style L2 fill:#fff3e0,stroke:#f57c00
    style G fill:#e3f2fd,stroke:#1976d2

Read the diagram: During partition, each cluster runs its own local aggregation loop independently (orange nodes). When connectivity returns, cluster-level models flow up to the fleet aggregator (blue), which produces the global model \(\theta^*\). Cluster-internal updates continue at full gossip rate even when the fleet-level link is severed.

CONVOY Federated Anomaly Detection:

12 vehicles, each with local autoencoder (280 bytes). Federated learning improves detection by pooling training data without centralization.

Convergence analysis under assumption set $\mathcal{A}_{FL}$ :

• \(A_1\): Loss function $\mathcal{L}$ is \(L\)-smooth and \(\mu\)-strongly convex
• \(A_2\): Partial participation \(|S_t| \geq K/2\) per round
• \(A_3\): Bounded gradient variance $\mathbb{E}[\|\nabla \mathcal{L}_k - \nabla \mathcal{L}\|^2] \leq \sigma^2$

The table below shows how the expected loss evolves with round count: it decreases at an \(O(1/t)\) rate toward the global optimum $\mathcal{L}^*$ , with a residual term \(O(\sigma^2/K)\) that shrinks as more nodes participate.

Round \(t\)	Expected Loss	Convergence Bound
0	\(\mathcal{L}_0\)	Baseline (local only)
\(t\)	\(\mathcal{L}_t\)	$\mathcal{L}^* + O(1/t) + O(\sigma^2/K)$
$T \to \infty$	\(\mathcal{L}^*\)	Optimal for aggregated data

Utility improvement derivation: The formula decomposes the net gain from federated learning into two labeled terms — the recall improvement from pooling training data across all nodes, minus the gradient-communication cost over \(T\) rounds.

$$\Delta U_{\text{FL}} = U_{\text{federated}} - U_{\text{local}} = \underbrace{(R_{\text{fed}} - R_{\text{local}}) \cdot V_{\text{detect}}}_{\text{detection gain}} - \underbrace{C_{\text{comm}} \cdot T}_{\text{communication cost}}$$

$\text{sign}(\Delta U) > 0$ because:

1. Effective training set size increases from \(n_k\) to $\sum_k n_k$ , reducing generalization error by $O(1/\sqrt{K})$
2. Communication cost $C_{\text{comm}} = 560$ bytes/round (illustrative value) is negligible vs. detection value

Communication efficiency: Model updates require \(280 \times 2 = 560\) bytes (illustrative value) per round. For connectivity probability \(p_c = 0.1\), expected rounds per vehicle-day: $p_c \cdot 24 \cdot 60 / T_{\text{round}}$ .

Differential Privacy for Sensitive Telemetry:

Vehicle telemetry may reveal sensitive information (location patterns, operational tactics). Differential privacy adds Gaussian noise scaled by the gradient clipping bound \(C\) and privacy parameter \(\sigma\) to each gradient \(g_k\) before it is shared, producing noisy gradient \(\tilde{g}_k\) that prevents inference of individual data points.

$$\tilde{g}_k = g_k + \mathcal{N}(0, \sigma^2 \cdot C^2 \cdot I)$$

where \(C\) is the gradient clipping threshold and \(\sigma\) is calibrated for \((\epsilon, \delta)\)-differential privacy.

Privacy-utility tradeoff derivation: For \((\epsilon, \delta)\)-differential privacy with the Gaussian mechanism, the required noise multiplier \(\sigma\) is determined by the privacy budget \(\epsilon\) and the failure probability \(\delta\) as follows.

$$\sigma = \frac{C \cdot \sqrt{2 \ln(1.25/\delta)}}{\epsilon}$$

Convergence-privacy relationship: The ratio $T_{\text{private}} / T_{\text{baseline}}$ below quantifies how many more training rounds the noisy private model needs compared to the baseline, as a function of the noise level \(\sigma\), the model dimension \(d\), and the gradient magnitude $\|\nabla \mathcal{L}\|$ .

$$T_{\text{private}} / T_{\text{baseline}} = 1 + \frac{\sigma^2 \cdot d}{\|\nabla \mathcal{L}\|^2}$$

The table below evaluates the convergence-privacy trade-off at four privacy levels, from no noise ($\epsilon = \infty$ ) to strong privacy (\(\epsilon = 0.1\)); the Utility Bound column shows how detection accuracy degrades as noise \(\sigma\) increases relative to gradient magnitude.

\(\epsilon\)	Noise \(\sigma\)	Slowdown Factor	Utility Bound
\(\infty\)	0	\(1\times\)	\(U^*\) (optimal)
10	\(O(0.1C)\)	$\approx 1.3\times$	\(U^* - O(\sigma^2/n)\)
1	\(O(C)\)	$\approx 3\times$	\(U^* - O(d\sigma^2/n)\)
0.1	\(O(10C)\)	\(>10\times\)	Utility-dominated by noise

For tactical systems, \(\epsilon = 10\) (illustrative value) balances privacy (gradient direction obscured) against utility (convergence within \(1.5\times\) (illustrative value) baseline).

Personalization Layers:

Fleet-wide models capture common failure patterns, but node-specific baselines and environmental offsets require local adaptation. The formula below decomposes node \(k\)’s prediction function into a federally trained shared component $f_{\text{shared}}$ parameterized by $\theta_{\text{global}}$ and a locally maintained residual $f_{\text{local}}$ parameterized by \(\theta_k\).

$$f_k(x) = f_{\text{shared}}(x; \theta_{\text{global}}) + f_{\text{local}}(x; \theta_k)$$

The federated layers handle generic feature extraction and common failure patterns; the local (non-shared) layers handle node-specific baselines and environmental adaptation.

For CONVOY autoencoders:

• Encoder ($8\to4\to3$ ): Federated - learns common compression
• Decoder ($3\to4\to8\to12$ ): Federated - learns common reconstruction
• Threshold: Local - adapts to vehicle-specific noise floor
• Bias terms: Local - adapts to vehicle-specific sensor offsets

Handling Non-IID Data:

Edge nodes experience different operating conditions (non-IID data). CONVOY vehicles in mountain terrain see different failure modes than those in desert. Three strategies address this. FedProx augments the local loss with a proximal penalty that pulls node \(k\)’s parameters \(\theta\) toward the current global model $\theta^{(t)}$ , with \(\mu\) controlling how tightly local updates are anchored:

$$\mathcal{L}_k^{\text{FedProx}}(\theta) = \mathcal{L}_k(\theta) + \frac{\mu}{2}\|\theta - \theta^{(t)}\|^2$$

Clustered Federated Learning identifies node clusters with similar data distributions and federates only within each cluster. The diagram below shows three terrain-based clusters for CONVOY vehicles — mountain, desert, and urban — each maintaining its own shared model while nodes within a cluster exchange gradient updates with each other.

    
    graph LR
    subgraph "Cluster A (Mountain)"
        V1["V1"]
        V3["V3"]
        V7["V7"]
    end

    subgraph "Cluster B (Desert)"
        V2["V2"]
        V5["V5"]
        V9["V9"]
    end

    subgraph "Cluster C (Urban)"
        V4["V4"]
        V6["V6"]
        V8["V8"]
    end

    V1 <--> V3 <--> V7
    V2 <--> V5 <--> V9
    V4 <--> V6 <--> V8

    CA["Model A"] --- V1
    CB["Model B"] --- V2
    CC["Model C"] --- V4

    style CA fill:#e3f2fd,stroke:#1976d2
    style CB fill:#fff3e0,stroke:#f57c00
    style CC fill:#e8f5e9,stroke:#388e3c

Read the diagram: Vehicles operating in similar terrain — mountain, desert, urban — form separate federated clusters. Within each cluster, gradient updates flow between peers (double-headed arrows). Each cluster maintains a distinct shared model calibrated to its terrain’s failure modes. This prevents a vehicle tuned for mountain pass conditions from contaminating the model for urban delivery routes.

Multi-task learning treats each node as a related task, sharing representations while allowing task-specific outputs.

Convergence Guarantees Under Partition:

The bound below gives the expected squared gradient norm after \(T\) rounds of asynchronous federated learning as a function of the participation rate \(p\) and maximum staleness \(\tau_{\text{rounds}}\) — written \(\tau_{\text{rounds}}\) rather than \(\tau_{\max}\) to distinguish it from the maximum useful staleness bound in physical seconds ( Proposition 14 ), which counts wall-clock seconds rather than synchronization rounds; both terms decrease with \(T\), confirming that convergence is guaranteed whenever staleness is bounded.

$$\mathbb{E}[\|\nabla F(\theta^{(T)})\|^2] \leq O\left(\frac{1}{\sqrt{pT}} + \frac{\tau_{\text{rounds}}^2}{T}\right)$$

Key insight: convergence slows but is still guaranteed if staleness is bounded. For CONVOY with \(\tau_{\text{rounds}} = 5\) rounds (illustrative value) and \(p = 0.6\) (illustrative value), convergence to \(\epsilon = 0.05\) (illustrative value) gradient norm requires \(T \approx 30\) rounds (illustrative value) — achievable within one operational month.

Under the Weibull connectivity model ( Definition 13 , Why Edge Is Not Cloud Minus Bandwidth), the expected participation rate is $p \approx 1 - F_W(T_\text{tick})$ where \(F_W\) is the Weibull CDF at the tick interval, and maximum round-staleness \(\tau_{\text{rounds}}\) is bounded by the Weibull P95 partition duration expressed in synchronization rounds. Denser connectivity (lower \(T_{\text{acc}}\)) yields higher \(p\) and lower \(\tau_{\text{rounds}}\), improving convergence.

Cognitive Map: Gossip is the protocol that turns per-node anomaly scores into fleet-wide health awareness — without any central server. The convergence guarantee degrades gracefully from $O(\ln n / f_g)$ in ideal meshes to $O(D \ln n / f_g(1-p_{\text{loss}}))$ in contested sparse ones. Staleness imposes a hard deadline \(\tau_{\max}\) on every health observation (physical seconds; Proposition 14 ); Byzantine tolerance requires the compromised fraction of trust weight to stay below \(1/3\). Federated learning completes the picture: nodes improve their local detectors together without sharing raw telemetry. Next: what measurements matter most, and in what order, when resources are scarce.

---

The Observability Constraint Sequence

Hierarchy of Observability

With limited resources, what should be measured first?

The observability constraint sequence prioritizes metrics by importance, ensuring that the most survival-critical information is collected first whenever resources are scarce. The table below lists the five priority levels from P0 (fundamental liveness) to P4 (root-cause diagnosis), together with representative metrics and their resource cost tier.

Level	Category	Examples	Resource Cost
P0	Availability	Is it alive? Responding?	Minimal (heartbeat)
P1	Resource exhaustion	Power, memory, storage remaining	Low (counters)
P2	Performance degradation	Latency, throughput, error rates	Medium (aggregates)
P3	Anomaly patterns	Unusual behavior, drift	Medium-High (models)
P4	Root cause indicators	Why is it behaving this way?	High (correlation)

A well-resourced system implements all levels. A constrained system implements as many as resources allow, starting from P0.

Resource Budget for Observability

Observability competes with the primary mission for resources. The hard budget constraint below states that combined observability cost $R_{\text{observe}}$ and mission cost $R_{\text{mission}}$ must not exceed the device’s total available resources $R_{\text{total}}$ .

$$R_{\text{observe}} + R_{\text{mission}} \leq R_{\text{total}}$$

Where:

• $R_{\text{observe}}$ = resources for self-measurement
• $R_{\text{mission}}$ = resources for primary function
• $R_{\text{total}}$ = total available resources

The objective below selects the allocation that maximizes the combined value of mission output $V_{\text{mission}}$ and health-knowledge quality $V_{\text{health}}$ , subject to that budget constraint.

$$\max \quad V_{\text{mission}}(R_{\text{mission}}) + V_{\text{health}}(R_{\text{observe}})$$

Subject to $R_{\text{observe}} + R_{\text{mission}} \leq R_{\text{total}}$

Typically, mission value exhibits diminishing returns — more resources yield proportionally less capability — while health value has threshold effects: below a minimum allocation health knowledge becomes useless, and above it marginal gains decrease.

The optimal allocation gives sufficient resources to observability for reliable health knowledge, then allocates remainder to mission.

OUTPOST allocation example:

• Total compute: 1000 MIPS
• Total bandwidth to fusion: 100 Kbps

Allocation:

• P0-P1 monitoring: 50 MIPS (5%) (illustrative value), 5 Kbps (5%) (illustrative value) — heartbeats and resource counters
• P2-P3 monitoring: 100 MIPS (10%) (illustrative value), 15 Kbps (15%) (illustrative value) — performance aggregates, anomaly detection
• Gossip overhead: 0 MIPS local, 20 Kbps (20%) (illustrative value) — health propagation
• Mission (sensor processing): 850 MIPS (85%) (illustrative value), 60 Kbps (60%) (illustrative value) — primary function

This 15% (illustrative value) observability overhead enables reliable self-measurement while preserving 85% (illustrative value) of resources for mission function.

Commercial Application: PREDICTIX Manufacturing Monitoring

PREDICTIX monitors CNC machines in aerospace manufacturing. Each machine generates continuous telemetry: spindle vibration, coolant temperature, tool wear, power consumption. Challenge: detect failures before costly component defects, with unreliable plant floor connectivity. Machines must self-diagnose during disconnection.

The observability constraint sequence for PREDICTIX maps directly to manufacturing priorities:

Level	Category	PREDICTIX Implementation	Business Impact
P0	Machine alive	Heartbeat every 5s, cycle counter incrementing	Production stoppage detection
P1	Resource exhaustion	Coolant level, tool life remaining, chip bin capacity	Prevent mid-cycle failures
P2	Quality degradation	Surface finish variance, dimensional drift	Catch defects before scrap
P3	Anomaly patterns	Vibration signatures, power profile deviations	Predict failures 2-8 hours ahead
P4	Root cause	Cross-machine correlation, supply chain integration	Systemic issue identification

Local anomaly detection architecture: Each edge controller routes its four sensor streams through three parallel detection algorithms that feed a weighted-voting aggregator. The diagram below shows which sensors feed which detectors and how the outputs are fused into a single anomaly score.

    
    graph LR
    subgraph "Sensor Inputs"
        VIB["Vibration
10 kHz sampling"]
        TEMP["Temperature
1 Hz sampling"]
        PWR["Power
100 Hz sampling"]
        DIM["Dimensional
Per-part"]
    end

    subgraph "Detection Algorithms"
        EWMA["EWMA
Fast drift detection
15 KB memory"]
        HW["Holt-Winters
Shift pattern modeling
48 KB memory"]
        IF["Isolation Forest
Multivariate anomaly
200 KB memory"]
    end

    subgraph "Fusion"
        AGG["Anomaly Aggregator
Weighted voting"]
    end

    VIB --> EWMA
    TEMP --> EWMA
    PWR --> HW
    VIB --> IF
    TEMP --> IF
    PWR --> IF
    DIM --> IF
    EWMA --> AGG
    HW --> AGG
    IF --> AGG

    style EWMA fill:#e8f5e9,stroke:#388e3c
    style HW fill:#fff3e0,stroke:#f57c00
    style IF fill:#e3f2fd,stroke:#1976d2
    style AGG fill:#fce4ec,stroke:#c2185b

Read the diagram: Four sensor streams enter from the left. Vibration and temperature feed EWMA (fast scalar spike detection). Power feeds Holt-Winters (shift pattern modeling with 8-hour and 24-hour seasonal components). All four streams feed the Isolation Forest for correlated multivariate anomalies. The three algorithm outputs feed the weighted-voting aggregator (pink) which produces a single anomaly score for the MAPE-K loop.

Algorithm selection rationale: EWMA covers thermal and vibration baselines, catching sudden shifts in spindle temperature or bearing vibration within 5–10 samples (illustrative value) at 15 KB (illustrative value) for 50 monitored parameters. Holt-Winters covers power consumption, capturing 8-hour shift patterns, 24-hour maintenance cycles, and weekly production planning effects at 48 KB (illustrative value) for 168-hour seasonality. Isolation Forest covers multivariate anomalies — detecting combinations such as normal vibration and normal temperature alongside abnormal power consumption, which signals an imminent bearing seizure — at 200 KB (illustrative value) for a 50-tree ensemble.

Anomaly confidence fusion: The combined score is a weighted sum of the three algorithm outputs, where each weight reflects that algorithm’s relative detection power and score stability for PREDICTIX ’s failure modes.

$$\text{Anomaly Score} = w_E \cdot z_{\text{EWMA}} + w_H \cdot z_{\text{HW}} + w_I \cdot s_{\text{IF}}$$

Weight derivation: Weights are set proportional to each detector’s AUC divided by its score variance ($w_i \propto \text{AUC}_i / \text{Var}(s_i)$ ), rewarding detectors that are both accurate and consistent. Applying this to PREDICTIX gives the specific values below.

$$w_E = 0.3, \quad w_H = 0.25, \quad w_I = 0.45$$

Isolation Forest receives highest weight because multivariate detection (joint anomaly space) has higher AUC than marginal detectors for correlated failure modes.

Staleness and decision authority: As staleness increases and the cloud becomes unreachable, the edge controller assumes progressively more decision authority. The table below maps each staleness band to the corresponding cloud connectivity state and the scope of decisions the local controller takes autonomously.

Staleness	Cloud Status	Local Authority
0-30s	Connected	Advisory only; cloud makes decisions
30s-5min	Degraded	Local P0-P2 decisions; P3+ queue for cloud
5-30min	Intermittent	Local P0-P3 decisions; aggressive caching
>30min	Denied	Full local authority; conservative thresholds

At 30+ minutes disconnection, the edge controller tightens anomaly thresholds by 20% (illustrative value) (more false positives, fewer missed failures) because the cost of a missed failure without cloud backup is higher than during connected operation.

Cross-machine gossip : Machines on the same production line exchange health summaries via local Ethernet every 30 seconds. Each machine’s summary is a three-field tuple capturing current anomaly level, estimated time to next maintenance, and parts produced since last inspection.

$$H_{\text{machine}} = (\text{anomaly\_score}, \text{time\_to\_maintenance}, \text{parts\_since\_inspection})$$

The line controller combines per-machine summaries into a single production-line health score $H_{\text{line}}$ that is bottlenecked by the weakest machine’s availability and averaged over all machines’ quality scores.

$$H_{\text{line}} = \min_i H_i^{\text{availability}} \cdot \text{mean}_i(H_i^{\text{quality}})$$

Line health below threshold triggers automatic workload rebalancing - shifting high-precision parts away from degraded machines.

Utility analysis:

System utility \(U\) is production value minus the three cost categories that self-measurement can reduce: unplanned downtime $C_{\text{downtime}}$ , scrapped parts $C_{\text{scrap}}$ , and inspection overhead $C_{\text{inspection}}$ .

$$U = V_{\text{production}} - C_{\text{downtime}} - C_{\text{scrap}} - C_{\text{inspection}}$$

Utility improvement from self-measurement: The formula decomposes the net economic gain into three labeled terms — downtime avoided, scrap avoided, and false-alarm inspection cost — so the break-even condition for each cost type can be evaluated separately.

$$\Delta U = \underbrace{R \cdot C_{\text{downtime}}}_{\text{avoided downtime}} + \underbrace{(R - \text{FNR}) \cdot C_{\text{scrap}}}_{\text{avoided scrap}} - \underbrace{\text{FPR} \cdot C_{\text{inspection}}}_{\text{false alarm cost}}$$

$\text{sign}(\Delta U) > 0$ when:

$$R > \frac{\text{FPR} \cdot C_{\text{inspection}}}{C_{\text{downtime}} + C_{\text{scrap}}}$$

For manufacturing where $C_{\text{scrap}} \gg C_{\text{inspection}}$ ($C_{\text{scrap}} / C_{\text{inspection}} \approx 500$ (illustrative value) for high-value components), even moderate recall (\(R > 0.8\)) with high FPR (\(< 0.1\)) yields \(\Delta U > 0\). The observability constraint sequence delivers economic value when detection value exceeds false alarm cost.

---

RAVEN Self-Measurement Protocol

The RAVEN drone swarm requires self-measurement at two levels: individual drone health and swarm-wide coordination state.

Per-Drone Local Measurement

Each drone continuously monitors:

Power State

• Battery voltage, current draw, temperature
• Estimated flight time remaining: $t_{\text{remain}} = E_{\text{remaining}} / P_{\text{avg}}$
• Anomaly detection: Sudden voltage drop, unusual current patterns

Sensor Health

• Camera: Image quality metrics, focus response, exposure accuracy
• Radar: Return signal strength, calibration consistency
• GPS: Satellite count, position dilution of precision (PDOP)
• IMU: Gyro drift rate, accelerometer noise floor

Link Quality

• RSSI to each mesh neighbor
• Packet delivery ratio per link
• Latency distribution per link

Mission Progress

• Coverage completion percentage
• Threat detection count
• Position relative to assigned sector

EWMA tracking on each metric with \(\alpha = 0.1\) (illustrative value) (10-second effective memory (illustrative value)). Anomaly threshold at \(3\sigma\) (illustrative value) for critical metrics (power, flight controls), \(2\sigma\) (illustrative value) for secondary metrics (sensors, links).

Swarm-Wide Health Inference

Gossip protocol parameters:

• Exchange rate: 0.2 Hz (once per 5 seconds) (illustrative value)
• Staleness threshold: 30 seconds (illustrative value) (confidence drops below 90%)
• Trust decay: \(\gamma_s = 0.05\) (illustrative value) per second
• Maximum useful staleness : 60 seconds (illustrative value) (confidence drops below 50%)

Relationship: The staleness threshold (30s) marks where data begins degrading meaningfully - decisions based on 30s-old data have ~90% confidence. The maximum useful staleness (60s) marks where confidence falls below 50% - beyond this, the data provides little more than a guess. These are design parameters chosen for the RAVEN mission envelope; from Proposition 14 , $\tau_{\max}$ scales as \((\sigma/\Delta h)^2\) so tightening decision margins reduces useful staleness rapidly.

Health vector per drone contains:

• Binary availability (alive/silent)
• Power state (percentage)
• Critical sensor status (functional/degraded/failed)
• Mission capability level ($\mathcal{L}_0$ -$\mathcal{L}_4$ )

Merge function uses timestamp-weighted average for numeric values, latest-timestamp-wins for categorical values. In contested environments where clock drift is measurable, replace wall-clock LWW with HLC -aware merge ( Definition 62 , Fleet Coherence Under Partition) using the Hybrid Logical Clock ordering to determine recency; node-ID tiebreakers resolve simultaneous HLC values.

Convergence guarantees: With logarithmic propagation dynamics, fleet-wide health convergence occurs within 30–40 seconds (illustrative value) — fast enough to track operational state changes while remaining robust to individual message losses.

Anomaly Detection and Self-Diagnosis

Cross-sensor correlation matrix maintained locally. Example correlations:

• GPS PDOP vs. IMU drift: High PDOP should not correlate with low drift (if they do, likely spoofing)
• Battery voltage vs. current: Should follow known discharge curve (deviation indicates cell degradation)
• Camera image vs. radar return: Consistent threat detections (divergence suggests sensor failure)

Self-diagnosis follows a structured decision process, mapping each combination of anomaly type and cross-sensor correlation to the most likely failure cause and the recommended autonomous response.

Observation Pattern	Diagnosis	Action
Power anomaly with neighbors unaffected or recent maneuver	Local power issue	Reduce power consumption, report to swarm
Sensor anomaly with cross-sensor consistency	Environmental condition	Continue with degraded confidence
Sensor anomaly with cross-sensor inconsistency	Sensor failure	Disable sensor, rely on alternatives
Communication anomaly affecting multiple neighbors	Environmental interference or jamming	Increase transmit power, switch frequencies
Communication anomaly affecting only self	Local radio failure	Attempt radio restart, fall back to minimal beacon

The diagnosis is probabilistic - the table represents the most likely paths, but confidence levels are maintained throughout.

---

CONVOY Self-Measurement Protocol

The CONVOY ground vehicle network operates with different constraints: vehicles have more resources than drones but face different failure modes.

Convoy-Level Health Inference

Hierarchical aggregation runs in two modes: in primary mode the lead vehicle collects health from all vehicles, computes the aggregate, and distributes a summary; if the lead is unreachable, the convoy falls back to peer-to-peer gossip among reachable vehicles.

Lead vehicle aggregation:

• Computes minimum capability level across convoy: $L_{\text{convoy}} = \min_i L_i$
• Identifies vehicles with critical anomalies
• Determines convoy-wide constraints (e.g., maximum safe speed based on worst vehicle)

Fallback gossip parameters:

• Exchange rate: 0.1 Hz (once per 10 seconds) (illustrative value) — lower than RAVEN due to vehicle stability
• Staleness threshold: 60 seconds (illustrative value)
• Trust decay: \(\gamma_s = 0.02\) (illustrative value) per second

Anomaly Detection Focus

Position spoofing detection:

Each vehicle tracks its own position via GPS, INS, and dead reckoning, and also receives claimed positions from neighbors. The discrepancy $\Delta_{ij}$ below measures how far vehicle \(i\)’s claimed position deviates from where neighbor \(j\) independently observed it; a large discrepancy across multiple neighbors indicates spoofing.

$$\Delta_{ij} = \|p_i^{\text{claimed}} - p_i^{\text{observed-by-}j}\|$$

If $\Delta_{ij}$ exceeds threshold for vehicle \(i\) as observed by multiple neighbors \(j\), vehicle \(i\) is flagged for position anomaly.

Vehicle \(i\) is flagged as potentially spoofed if \(\geq k\) neighbors (\(k = \lceil n/3 \rceil\)) each independently report $\Delta_{ij} > \theta$ . A suitable threshold is $\theta = d_{\max}/2$ where $d_{\max}$ is the maximum distance a vehicle can travel during one gossip period — any discrepancy larger than this cannot be explained by legitimate movement.

Communication anomaly classification:

Distinguishing jamming from terrain effects requires examining correlation patterns: jamming affects all frequencies simultaneously, correlates with adversarial activity, and affects multiple vehicles; terrain effects are path-specific, correlate with geographic features, and are predictable from maps.

Use convoy’s position history to build terrain propagation model. Deviations from model suggest adversarial interference.

Integration with Semi-Markov connectivity model:

From the Semi-Markov connectivity model, the expected sojourn time distributions and embedded transition probabilities are known. A transition is flagged as anomalous when its model-predicted probability falls below threshold $\theta_{\text{transition}}$ , meaning the observed regime change is too abrupt or too frequent to be explained by natural causes.

$$\text{anomaly} = P(\text{observed transition} | \text{model}) < \theta_{\text{transition}}$$

Unexpectedly rapid transitions from connected to denied suggest adversarial action rather than natural degradation.

---

OUTPOST Self-Measurement Protocol

The OUTPOST sensor mesh operates with the most extreme constraints: ultra-low power, extended deployment durations (30+ days), and fixed positions that make physical inspection impractical.

Per-Sensor Local Measurement

Each sensor node continuously monitors with minimal power:

Power State

• Solar panel voltage and current
• Battery state of charge (SoC): $\text{SoC} = E_{\text{current}} / E_{\text{capacity}}$
• Power budget: $P_{\text{solar}} - P_{\text{load}} = P_{\text{net}}$
• Anomaly detection: Solar panel degradation, battery cell failure

Environmental Monitoring

• Temperature: Affects sensor calibration and battery performance
• Humidity: Risk of condensation and corrosion
• Vibration: Indicates physical disturbance or tampering
• Ambient light: Validates solar panel output

Proposition 16 (Power-Aware Measurement Scheduling). For a sensor with solar charging profile $P_{\text{solar}}(t)$ and measurement cost \(C_m\) per measurement, the optimal measurement schedule maximizes information gain while maintaining positive energy margin:

Measure as often as information justifies, subject to never depleting the battery below a safety reserve.

$$\max \sum_t I(m_t) \quad \text{s.t.} \quad \int_0^T (P_{\text{solar}}(t) - P_{\text{base}} - \sum_{t'} C_m \cdot \delta(t - t')) \, dt \geq E_{\text{reserve}}$$

where \(I(m_t)\) is the information gain from measurement at time \(t\) and $E_{\text{reserve}}$ is the required energy reserve.

A greedy heuristic — sort measurements by information-gain-per-watt ratio \(I(m)/C_m\) and schedule in decreasing order until the power budget is exhausted — achieves \(O(n \log n)\) computation complexity. The gap to the optimal schedule depends on environmental correlation structure.

Physical translation: A sensor reading carries value only if the energy budget allows it to be processed before the battery forces a downgrade. The proposition computes the exact measurement rate that maximizes information gain within the energy envelope — measuring faster when power is abundant and slowing to a trickle in survival mode rather than stopping completely, which would blind the healing loop entirely.

Empirical status: The optimization formulation is exact given the solar profile $P_{\text{solar}}(t)$ and cost model \(C_m\). The OUTPOST greedy prioritization (passive seismic through radar) is an illustrative ordering, not derived from a measured information-gain-per-watt experiment. Solar profiles vary by geography, season, and panel orientation.

Watch out for: the schedule is optimal given the forecast solar profile \(P_{\text{solar}}(t)\); forecast error shifts the schedule against the available energy budget, and the positive-energy-margin constraint can be violated mid-mission if actual irradiance falls below the predicted profile.

Observer Parsimony: The Overhead Budget Constraint

Proposition 16 schedules measurements to preserve energy margin. A deeper constraint applies to the autonomic layer itself: the Observer Parsimony Condition. If the monitoring layer consumes more CPU and RAM than the margin separating the current capability level from the next downgrade, the observer becomes the cause of the level transition it exists to prevent. This is the Heisenberg Observation Problem for resource-constrained autonomic systems — the act of observing accelerates the failure being observed.

Definition 29 (Autonomic Overhead Budget). For each capability level $\mathcal{L}_q,\ q \in \{0,1,2,3,4\}$ , the overhead budget is a triple \((\pi_q,\, M_q,\, T_q)\) specifying the maximum CPU fraction, RAM reservation, and minimum MAPE-K tick interval permitted to the entire autonomic observation layer:

Level	Regime	CPU \(\pi_q\)	RAM \(M_q\)	Tick floor \(T_q\)	Permitted algorithm tier
\(\mathcal{L}_0\)	Survival — complete isolation	0.1%	4 KB	60 s	Q15 fixed-point EWMA + CUSUM only; no FPU; no gossip
\(\mathcal{L}_1\)	Minimal mission	0.5%	64 KB	10 s	Q15 fixed-point EWMA + CUSUM; no Kalman; no Isolation Forest
\(\mathcal{L}_2\)	Degraded operation	1.0%	256 KB	5 s	Floating-point EWMA; Holt-Winters; no Isolation Forest
\(\mathcal{L}_3\)	Normal operation	2.0%	1 MB	1 s	Full scalar Kalman; Isolation Forest sketch (\(\leq 50\) trees)
\(\mathcal{L}_4\)	Full connectivity	No local limit	No local limit	0.1 s	Any algorithm; offload to cloud

The budgets are monotone: $\pi_0 \leq \pi_1 \leq \ldots \leq \pi_4$ and $M_0 \leq M_1 \leq \ldots \leq M_4$ . The $\mathcal{L}_3$ ceiling of 2% CPU and 1 MB RAM is the design constraint for the full Self-Measurement stack described in this article.

Physical translation: At $\mathcal{L}_0$ (battery critically low, all connectivity severed), a node running floating-point Kalman updates at 1 Hz would consume roughly 60 FP multiply-adds per second on ARM Cortex-M4 — not catastrophic in isolation, but the covariance update, gossip Welford estimators, and Isolation Forest inference stack together into a measurable fraction of a 64 MHz core. The Q15 fixed-point EWMA replaces all of this with 12 integer operations per tick — under \(1\,\mu\text{s}\) at 64 MHz — leaving the CPU in WFI (Wait For Interrupt) sleep the remaining 59.999 seconds.

Proposition 17 (Observer Parsimony Condition). Let \(u(t) \in [0,1]\) be the node’s current CPU utilization fraction, \(u_q\) the utilization fraction that triggers downgrade from $\mathcal{L}_q$ to $\mathcal{L}_{q-1}$ , and \(\pi_q\) the observation overhead fraction at level \(q\). The autonomic observation layer satisfies the parsimony condition iff:

Observing must consume less CPU headroom than remains before the next forced downgrade — the watcher must not trigger what it watches for.

$$\pi_q < u_q - u(t)$$

That is, the overhead consumed by observing must be strictly less than the CPU margin remaining before the next forced downgrade. If the condition is violated, observing at level \(q\) guarantees a transition to $\mathcal{L}_{q-1}$ .

Note: \(u(t)\) denotes CPU utilization fraction here (distinct from the compute-to-transmit energy ratio \(\rho = T_d/T_s\) from Proposition 1 in Why Edge Is Not Cloud Minus Bandwidth, which is a hardware constant, not a runtime measurement).

Proof: If \(u(t) + \pi_q \geq u_q\), then enabling level-\(q\) observation pushes utilization past the downgrade trigger \(u_q\), causing an immediate transition to $\mathcal{L}_{q-1}$ . This transition is itself observed by the MAPE-K Monitor loop, potentially triggering further recursive observation overhead — a positive feedback path to $\mathcal{L}_0$ . \(\square\)

Physical translation: An autonomic manager that spends 3% of CPU on health monitoring when the CPU is already at 98% utilization will itself push the node over the edge into survival mode. The observation budget must be sized against the current CPU margin, not against the theoretical maximum. Proposition 17 is the formal statement of “the doctor must not kill the patient with the examination.”

(Scope note: The parsimony condition uses CPU utilization fraction \(u(t)\) — a single-resource signal intentionally scoped to CPU only. The capability-level downgrade trigger in Proposition 7 uses the composite resource state \(R(t)\) (battery SOC, free memory, CPU). These gates are complementary rather than redundant: the composite \(R(t)\) gate prevents downgrade under adequate-CPU-but-depleted-battery conditions; the parsimony condition prevents the observation layer itself from consuming the last CPU margin. A node can satisfy $R(t) \geq R_{\min}$ yet violate parsimony if CPU is near \(u_q\) regardless of battery state. Both conditions must be evaluated at each MAPE-K tick.)

Assumption set $\mathcal{A}_{63}$ : CPU utilization \(u(t)\) is measured by a hardware cycle counter (DWT on ARM Cortex-M) with negligible overhead (\(<0.001\%\)), not by the autonomic layer itself. The downgrade thresholds \(u_q\) are static design parameters, not runtime estimates.

OUTPOST scenario: At $\mathcal{L}_3$ , the full Self-Measurement stack consumes approximately 2% (illustrative value) of the 64 MHz Cortex-M4 core; violating parsimony near the 80% (illustrative value) CPU threshold would trigger immediate cascade to survival mode.

Empirical status: The parsimony condition is analytically exact. The OUTPOST figure of ~2% CPU for the Self-Measurement stack at $\mathcal{L}_3$ and the 80% downgrade threshold are design parameters, not measured CPU profiles; actual overhead depends on MCU clock speed, compiler optimization, and workload mix.

Watch out for: the parsimony condition is evaluated at a point in time; if CPU utilization \(u(t)\) is measured by a procedure that itself consumes overhead \(\pi_q\), the condition becomes circular — measuring whether you can observe consumes the headroom it is trying to protect.

Switched-Mode Stability Extension: Limit-Cycle Prevention

Proposition 17 identifies when a single downgrade transition occurs. It does not bound the number of transitions: if utilization oscillates near the downgrade threshold \(u_q\), the system can enter an infinite downgrade-upgrade cycle — revising to $\mathcal{L}_{q-1}$ , recovering, promoting back to $\mathcal{L}_q$ , then downgrading again — which permanently precludes a stable operating level without ever reaching $\mathcal{L}_0$ . The extension below reframes the multi-level transition logic as a discrete-time switched linear system, constructs a Common Lyapunov Function, and derives the minimum dwell-time that eliminates limit cycles regardless of workload variability or changes in $T_{\text{tick}}$ .

Definition 30 (Discrete-Time Switched Utilization System). Let $\sigma(t) = q \in \{0,1,2,3,4\}$ be the active capability level. In mode \(q\) with tick interval \(T_q\) (Definition 29), CPU utilization evolves as:

$$u(t + T_q) = \alpha \cdot u(t) + \pi_q + w(t), \qquad w(t) \in [-\delta_w,\, \delta_w]$$

where $\alpha \in (0,1)$ is the per-tick utilization decay factor (workload dissipation), $\pi_q$ is the observer overhead at level \(q\) ( Definition 29 ), and \(w(t)\) is bounded external disturbance. The unique mode-\(q\) equilibrium is:

$$u_q^* = \frac{\pi_q}{1 - \alpha}$$

Switching rules: downgrade $q \to q-1$ when $u(t) + \pi_q \geq u_q$ ( Proposition 17 violated); upgrade $q \to q+1$ eligible only when $u(t) + \pi_{q+1} < u_{q+1} - \delta_{\text{hyst}}$ AND dwell-time $\Delta t_{\text{dwell}}(q)$ has elapsed since the last transition.

Here $\alpha = 1 - T_q/\tau_u$ where $\tau_u$ is the CPU load decay time constant; for burst compute tasks on OUTPOST sensors, $\tau_u \approx 5\,T_q$ at each level (illustrative value), giving $\alpha \approx 0.80$ independent of \(q\).

Proposition 18 (Switched-Mode CLF Stability and Dwell-Time Bound). Under Definition 30 with $\alpha \in (0,1)$ and disturbance bound $\delta_w \geq 0$ :

Each observation mode is individually stable; switching between modes is safe provided the node waits a minimum dwell time before switching again.

(i) Intra-mode contraction. Let $e_q(t) = u(t) - u_q^*$ . Then $V(e_q) = e_q^2$ is a Lyapunov function for each mode in isolation:

$$\Delta V \;=\; (\alpha^2 - 1)\,e_q^2(t) \;<\; 0 \quad \text{for all } e_q(t) \neq 0,\; \delta_w = 0$$

The error decays geometrically at rate \(\alpha\) per tick:

$$e_q(t + k\,T_q) = \alpha^k \cdot e_q(t_{\text{enter}})$$

The number of ticks to reach $|e_q| < \varepsilon$ is $\lceil \log_\alpha(\varepsilon/|e_q(t_{\text{enter}})|) \rceil$ , independent of the value of \(T_q\). The wall-clock convergence time scales with \(T_q\), but the Lyapunov decrease per tick — and therefore the tick count — does not.

(ii) Inter-mode boundedness. At a downgrade $q \to q-1$ , the state \(u(t)\) is continuous. The error in the new mode satisfies:

$$e_{q-1}(t^+) = e_q(t^-) + \underbrace{(u_q^* - u_{q-1}^*)}_{\geq\, 0}$$

Each downgrade injects at most $u_q^* - u_{q-1}^* = (\pi_q - \pi_{q-1})/(1-\alpha)$ of error. Since there are at most four downgrades, total error injection across the full sequence is bounded by $\pi_4/(1-\alpha) \leq 1$ .

(iii) Dwell-time lower bound. Define the safe re-upgrade margin:

$$u_{\text{safe}}(q) \;=\; u_q - \pi_q - \delta_{\text{hyst}}$$

A limit cycle between levels \(q\) and \(q-1\) requires an upgrade attempt before \(u(t)\) has decayed below $u_{\text{safe}}(q)$ — which immediately triggers another downgrade. The minimum dwell-time at level \(q-1\) that eliminates this possibility is:

$$\Delta t_{\text{dwell}}(q-1) \;=\; T_{q-1} \cdot \left\lceil \frac{\displaystyle\log\!\left(\frac{u_q - u_{q-1}^*}{u_{\text{safe}}(q) - u_{q-1}^*}\right)}{\log(1/\alpha)} \right\rceil$$

Proof of (i): From Definition 30 with $\delta_w = 0$ :

$$e_q(t+T_q) \;=\; u(t+T_q) - u_q^* \;=\; \alpha\,u(t) + \pi_q - \frac{\pi_q}{1-\alpha} \;=\; \alpha\!\left(u(t) - \frac{\pi_q}{1-\alpha}\right) \;=\; \alpha\,e_q(t)$$

Therefore $V(e_q(t+T_q)) = \alpha^2\,V(e_q(t))$ and $\Delta V = (\alpha^2-1)\,V < 0$ for $\alpha < 1$ . The convergence rate \(\alpha\) does not appear in the expression for \(T_q\), so changing \(T_q\) does not affect the tick-by-tick Lyapunov decrease. With bounded disturbance $\delta_w > 0$ , the bounded real lemma gives ultimate boundedness: $V(e_q) \leq \delta_w^2/(1-\alpha^2)$ in steady state. \(\square\)

Proof of (iii): After a downgrade at \(t_0\) with $u(t_0^-) \approx u_q$ , the trajectory at level \(q-1\) is:*

$$u(t_0 + k\,T_{q-1}) \;=\; u_{q-1}^* + \alpha^k\,(u_q - u_{q-1}^*)$$

Setting this equal to $u_{\text{safe}}(q)$ and solving for \(k\) gives the stated expression. Any upgrade attempted before tick \(k^*\) satisfies $u(t) > u_{\text{safe}}(q)$ , so $u(t) + \pi_q > u_q - \delta_{\text{hyst}}$ , and the Schmitt-trigger upgrade gate ( Definition 47 in Self-Healing Without Connectivity) with hysteresis $\delta_{\text{hyst}}$ blocks the transition. \(\square\)

OUTPOST calibration ($\alpha = 0.80$ (illustrative value), $\delta_{\text{hyst}} = 0.02$ (illustrative value)):

Transition	$u_q$	$u_{q-1}^*$	$u_{\text{safe}}$	$k^*$	$\Delta t_{\text{dwell}}$	Tick floor $T_{q-1}$	Auto-satisfied?
$\mathcal{L}_3 \to \mathcal{L}_2$	0.80	0.05	0.76	1	5 s	5 s	Yes — 1 tick
$\mathcal{L}_2 \to \mathcal{L}_1$	0.60	0.025	0.56	1	10 s	10 s	Yes — 1 tick
$\mathcal{L}_1 \to \mathcal{L}_0$	0.50	0.005	0.46	1	60 s	60 s	Yes — 1 tick

The dwell-time requirement is always met by waiting one tick at the lower level. The tick floor of Definition 29 is the natural dwell-time enforcer — no additional timer infrastructure is required. The existing MAPE-K tick clock implements the constraint by construction.

Gain-bound invariance across $T_{\text{tick}}$ changes. The MAPE-K loop stability criterion ( Proposition 22 in Self-Healing Without Connectivity) requires control gain $K < 1/(1 + \tau/T_{\text{tick}})$ . As $T_{\text{tick}}$ increases (capability downgrade), the bound relaxes monotonically: a gain \(K\) satisfying the tightest constraint at the highest level automatically satisfies the constraint at all lower levels. If \(K\) is calibrated at $\mathcal{L}_4$ ($T_{\text{tick}} = 0.1\,\text{s}$ ), it remains stable at $\mathcal{L}_0$ ($T_{\text{tick}} = 60\,\text{s}$ ) without recalibration.

Corollary (Error Convergence Under Changing $T_{\text{tick}}$ ). Suppose the switching sequence undergoes \(m \leq 4\) downgrades before reaching stable level $q_\infty$ . The error at time \(t\) after the last transition satisfies:

$$|e_{q_\infty}(t)| \;\leq\; \alpha^{\lfloor t/T_{q_\infty} \rfloor} \cdot \left(|e_0| + \frac{\pi_4}{1-\alpha}\right) \;\to\; 0 \quad \text{as } t \to \infty$$

The error converges to zero exponentially regardless of the path $q_0 \to \cdots \to q_\infty$ and regardless of how many times $T_{\text{tick}}$ changed along the way. The convergence exponent \(\alpha\) is a hardware characteristic of the MCU’s workload dissipation, not a function of $T_{\text{tick}}$ .

Empirical status: The Lyapunov stability result for individual modes is mathematically exact given the linear model. The OUTPOST dwell-time table (\(\alpha = 0.80\) (illustrative value), $\delta_{\text{hyst}} = 0.02$ (illustrative value)) uses illustrative design parameters; the actual convergence rate \(\alpha\) is a property of the MCU workload profile. The “one tick is sufficient” result holds only when the tick floor exactly equals the computed $\Delta t_{\text{dwell}}$ .

Watch out for: the dwell-time bound is derived under the assumption that mode transitions respect the minimum inter-switch interval; if the healing loop triggers successive transitions faster than \(\Delta t_{\text{dwell}}\) allows, the CLF value at each new mode entry has not decreased by the required amount, and the Lyapunov stability argument fails.

Fixed-Point Algorithm Tier ($\mathcal{L}_0$ –$\mathcal{L}_1$ )

Definition 31 (Fixed-Point Sensor State). At $\mathcal{L}_0$ and $\mathcal{L}_1$ , the scalar Kalman filter (Definition 20) is replaced by a Q15 fixed-point EWMA. The sensor observation record for sensor \(i\) is a triple of 16-bit integers:

$$\mathbf{s}_i = \bigl(\hat{\mu}_i^{(15)},\; \hat{\sigma}_i^{2(15)},\; S_i^{(15)}\bigr)$$

where the superscript \((15)\) denotes Q15 fixed-point representation (1 sign bit, 15 fractional bits; range \([-1, +1)\), resolution $2^{-15} \approx 3 \times 10^{-5}$ ). The Q15 EWMA update for one observation $x_t^{(15)}$ is:

$$\hat{\mu}^{(15)}_{\text{new}} = \Bigl(\alpha_{q}^{(15)} \cdot x_t^{(15)} + (32768 - \alpha_{q}^{(15)}) \cdot \hat{\mu}^{(15)}_{\text{old}}\Bigr) \mathbin{\gg} 15$$

where $\alpha_q^{(15)} = \lfloor \alpha_q \cdot 32768 \rfloor$ is the pre-computed integer smoothing weight and \(\gg 15\) is a right-shift (equivalent to dividing by $2^{15}$ ). Variance update follows the same pattern with the squared deviation. The CUSUM accumulator $S_i^{(15)}$ uses integer subtraction and a hardware-assisted compare-with-reset.

The implementation cost is minimal: 6 16-bit multiply-shifts plus 2 comparisons give 12 ARM Cortex-M cycles (illustrative value) per sensor per tick with no FPU required, and at $6\,\text{bytes/sensor}$ the full 127-sensor OUTPOST mesh occupies 762 bytes (illustrative value) — fitting in a single cache line. The Q15 approximation tracks the true Kalman steady-state mean to within $Q/R \cdot 32768^{-1} \approx 3 \times 10^{-9}$ fractional error for OUTPOST thermal parameters; at $\mathcal{L}_0$ , where the only question is “still alive?” rather than “how anomalous?”, this precision is entirely sufficient.

Physical translation: Replacing the Kalman filter with a Q15 EWMA at $\mathcal{L}_0$ is not a degraded fallback — it is the correct algorithm for the task. The Kalman covariance update ($P_t = (1-K_t)\hat{P}_{t|t-1}$ ) adds precision in tracking the noise model, but at $\mathcal{L}_0$ the noise model does not matter: the binary question is whether $z_t > \theta^*_{L0}$ . Two multiply-shifts answer this question; six floating-point operations do not answer it better.

Variable-Fidelity Monitor Schedule

Definition 32 (Variable-Fidelity Monitor Schedule). The MAPE-K Monitor phase at level \(q\) selects an algorithm tier $\ell_{\text{tier}} \in \{0, 1, 2, 3\}$ based on current CPU availability \(1 - u(t)\) (where \(u(t)\) is CPU utilization as in Proposition 17), independently of the capability level transition threshold. (We write \(\ell_{\text{tier}}\) rather than \(\tau\) because \(\tau\) is reserved for time-valued staleness quantities throughout this article.)

$$\ell_{\text{tier}}(t) = \begin{cases} 0 & 1 - u(t) < \varepsilon_0 \quad \text{(heartbeat only)} \\ 1 & \varepsilon_0 \leq 1 - u(t) < \varepsilon_1 \quad \text{(Q15 EWMA + CUSUM)} \\ 2 & \varepsilon_1 \leq 1 - u(t) < \varepsilon_2 \quad \text{(FP EWMA + Holt-Winters)} \\ 3 & 1 - u(t) \geq \varepsilon_2 \quad \text{(Kalman + Isolation Forest)} \end{cases}$$

Default thresholds: $\varepsilon_0 = 0.05,\ \varepsilon_1 = 0.30,\ \varepsilon_2 = 0.70$ . Tier \(\ell_{\text{tier}}(t)\) is re-evaluated at each MAPE-K tick before the Monitor phase executes — the manager is itself autonomic, scaling its own cost to the available margin. Tier selection takes 2 integer comparisons (\(<10\) cycles) and precedes all other Monitor work.

The variable-fidelity schedule operates at finer granularity than capability level transitions: a node at $\mathcal{L}_3$ running a temporary burst computation drops to tier 1 during the burst without triggering a level transition, preserving detection coverage at minimal cost rather than either suspending detection or forcing a premature downgrade. A dead-band of $\pm \varepsilon_{\text{hyst}} = 0.05$ applies to tier transitions (Schmitt Trigger hysteresis — Definition 47 in Self-Healing Without Connectivity) to prevent oscillation between tiers during CPU load ramps.

Physical translation: Variable fidelity means the monitoring system trades accuracy for energy: during degraded conditions, it samples less frequently and uses simpler detection algorithms. A RAVEN drone on 20% battery switches from the full anomaly detector to a lightweight threshold check — it may miss subtle anomalies, but it will still catch gross failures while preserving enough power to complete the mission.

Event-Driven vs. Polling

The MAPE-K Monitor tick fires at fixed interval $T_{\text{tick}}$ (polling). At $\mathcal{L}_0$ with $T_{\text{tick}} = 60\,\text{s}$ , this already achieves near-optimal power on ARM Cortex-M by keeping the CPU in WFI between ticks. One further refinement eliminates the tick entirely for sensors whose readings remain in the normal band: hardware ADC threshold interrupts.

Under hardware-interrupt-driven sampling — where the CPU remains in wait-for-interrupt sleep until a threshold crossing is detected — the expected CPU activity for sensors that remain in-band (the typical case at \(\mathcal{L}_0\)) is:

$$\bar{c}_{L0} = f_s \cdot \pi_1 \cdot C_{\text{ISR}} + \frac{C_{\text{tick}}}{T_{\text{tick}}}$$

where \(f_s\) is ADC sampling rate, \(\pi_1 \approx 0.02\) is the anomalous-sample fraction, $C_{\text{ISR}} = 12$ cycles/event, and $C_{\text{tick}}$ is the cost of the 60-second housekeeping tick.

Physical translation: At 1 Hz ADC sampling with 2% anomalous fraction, the interrupt-driven ISR runs 1.2 times per minute — 12 cycles each — consuming $12 \times 1.2 / (64 \times 10^6 \times 60) \approx 3.8 \times 10^{-9}$ CPU fraction, or roughly 0.000000038% CPU. The 0.1% $\mathcal{L}_0$ budget is larger by a factor of \(2.6 \times 10^6\). The autonomic layer at $\mathcal{L}_0$ is, in every practical sense, invisible to the host application.

DMA-assisted ADC ring buffer: Under DMA-driven sampling, the transfer engine fills a ring buffer autonomously while the CPU reads only the tail pointer — one load instruction. This separates sampling (hardware-driven, zero CPU) from analysis (software-triggered by timer or threshold interrupt), allowing the CPU budget for the \(\mathcal{L}_0\) monitor to approach its theoretical floor.

Per-Algorithm Complexity Audit

The table below audits each algorithm in this article against the Definition 29 overhead budgets, identifying the minimum capability level at which each algorithm is viable and the correct $\mathcal{L}_0$ /$\mathcal{L}_1$ replacement.

Algorithm	CPU complexity	RAM	Min level	\(\mathcal{L}_0\)/\(\mathcal{L}_1\) replacement
Q15 EWMA + CUSUM (Def 84)	\(O(1)\), 12 cycles	6 B/sensor	\(\mathcal{L}_0\)	— (this is the replacement)
FP EWMA (Def 23, simplified)	\(O(1)\), ~20 cycles	8 B/sensor	\(\mathcal{L}_2\)	Q15 EWMA
Scalar Kalman (Def 23)	\(O(1)\), ~60 cycles FP	32 B/sensor	\(\mathcal{L}_3\)	Q15 EWMA
CUSUM, static \(\mu_0\)	\(O(1)\), 10 cycles	4 B/sensor	\(\mathcal{L}_0\)	— (already integer-safe)
Holt-Winters (period \(p\))	\(O(1)\), ~80 cycles FP	\(8p\) B	\(\mathcal{L}_2\)	Skip (period data unavailable at \(\mathcal{L}_0\)–\(\mathcal{L}_1\))
Isolation Forest (\(t\) trees, depth \(d\))	\(O(t)\), ~200 cycles	\(t \cdot d \cdot 4d\) B	\(\mathcal{L}_3\)	Skip (19 KB at \(t=50, d=8\))
Bayesian Surprise (Def 24)	\(O(1)\), ~40 cycles FP	8 B/sensor	\(\mathcal{L}_3\)	CUSUM (\(S_t^K \to S_t\) at \(\mathcal{L}_0\))
Gossip (Def 5, per round)	\(O(1)\) local, \(O(\ln n)\) fleet	6 B/peer	Suspend at \(\mathcal{L}_0\)	Frozen weights from Def 60
Welford estimator (Def 58)	\(O(1)\), ~30 cycles FP	24 B/peer	Freeze at \(\mathcal{L}_0\)	Trust-root anchor (Def 60)

Notes on the audit:

• “Skip” means the algorithm is neither run nor approximated at that level — its contribution to health assessment is omitted until the node recovers to a higher level.
• Gossip suspension at $\mathcal{L}_0$ is consistent with the Denied connectivity regime ($\Xi = \mathcal{N}$ , Definition 6 ): gossip has no peers to reach and consumes power transmitting into silence. The trust-root anchor ( Definition 35 ) provides frozen peer weights that remain valid until reconnection.
• Welford estimator freeze at $\mathcal{L}_0$ is already handled by Definition 35 ’s Phase-0 seeding mechanism; no additional design change is required.
• The Isolation Forest sketch requires $t \cdot d_{\max} \cdot d \cdot 4$ bytes (19.2 KB for CONVOY parameters). This exceeds the $\mathcal{L}_1$ 64 KB budget only when combined with other algorithm state; the total footprint must be verified against \(M_q\) before combining with other algorithm state.

Fleet-level complexity: Gossip convergence is \(O(\ln n / \lambda)\) ( Proposition 12 ). Per-node gossip state is \(O(n)\) — the Welford estimator ( Definition 33 ) requires \(24\,\text{bytes} \times n\) peers. For OUTPOST (\(n=127\)): \(127 \times 24 = 3{,}048\) bytes at $\mathcal{L}_3$ , frozen at 0 bytes at $\mathcal{L}_0$ . The \(O(n)\) growth is bounded by fleet size, which is a fixed deployment parameter — not a runtime variable. Fleet size does not affect per-observation compute complexity (which remains \(O(1)\)) and only affects the static RAM allocation.

OUTPOST $\mathcal{L}_0$ calibration: \(127 \times 6\,\text{bytes}\) (Q15 state) = 762 bytes RAM (illustrative value). DMA ring buffer: \(64 \times 2\,\text{bytes}\) = 128 bytes (illustrative value). Gossip state: frozen, 0 bytes active. Total autonomic observation footprint: 890 bytes (illustrative value) against the 4 KB \(M_0\) budget (22% utilization (illustrative value)). CPU: $12\,\text{cycles/tick} \times 1$ active tick/60 s = 200 cycles/hour at 64 MHz = $8.7 \times 10^{-8}$ CPU fraction (illustrative value) — three orders of magnitude below the 0.1% $\mathcal{L}_0$ ceiling (illustrative value). The observer parsimony condition ( Proposition 17 ) is satisfied with a margin of \(> 99.99\%\).

Mesh-Wide Health Inference

OUTPOST uses hierarchical aggregation with fusion nodes; the diagram shows a simplified three-layer structure where the backup link between fusion nodes (F1 to F2) allows intra-mesh health exchange to continue even when the satellite uplink is severed.

    
    graph TD
    subgraph Sensors["Sensor Layer (distributed)"]
    S1[Sensor 1]
    S2[Sensor 2]
    S3[Sensor 3]
    S4[Sensor 4]
    S5[Sensor 5]
    S6[Sensor 6]
    end
    subgraph Fusion["Fusion Layer (aggregation)"]
    F1[Fusion A]
    F2[Fusion B]
    end
    subgraph Command["Command Layer (satellite)"]
    U[Uplink to HQ]
    end
    S1 --> F1
    S2 --> F1
    S3 --> F1
    S4 --> F2
    S5 --> F2
    S6 --> F2
    F1 --> U
    F2 --> U
    F1 -.->|"backup link"| F2

    style U fill:#c8e6c9
    style F1 fill:#fff9c4
    style F2 fill:#fff9c4
    style Sensors fill:#e3f2fd
    style Fusion fill:#fff3e0
    style Command fill:#e8f5e9

Read the diagram: Sensors report to their local fusion node (Fusion A or B, yellow). Both fusion nodes forward to the satellite uplink (green). The dashed backup link between F1 and F2 enables intra-mesh health exchange to continue even when the uplink is severed — the mesh can still maintain local awareness and consensus even under complete satellite denial.

(Simplified illustration; OUTPOST operates 127 sensors in practice)

Gossip parameters for OUTPOST (power-optimized for extended deployment):

• Exchange rate: 0.017 Hz (once per minute) (illustrative value) — optimized for power
• Staleness threshold: 300 seconds (illustrative value) (5 minutes)
• Trust decay: \(\gamma_s = 0.002\) (illustrative value) per second
• Maximum useful staleness : 600 seconds (illustrative value)

Tamper Detection

Fixed sensor positions make physical tampering a significant threat. Multi-layer detection:

Physical indicators:

• Accelerometer for movement detection (sensor should be stationary)
• Light sensor for enclosure opening
• Temperature anomaly from human proximity
• Magnetic field disturbance from tools

Logical indicators:

• Sudden calibration drift after stable period
• Communication pattern change (new signal characteristics)
• Behavior inconsistent with neighboring sensors

Response protocol:

1. Log tamper indicators with timestamp
2. Increase reporting frequency if power permits
3. Alert fusion node with tamper confidence level
4. Continue operation unless tamper confidence exceeds threshold
5. Switch to quarantine when accumulated tamper confidence $P(\text{tamper} \mid \text{evidence}) > 0.85$ , computed as a Bayesian update over the listed physical and logical indicators
6. At high confidence: switch to quarantine mode (report but don’t trust own data)

Cross-Sensor Validation

OUTPOST leverages overlapping sensor coverage for cross-validation. The formula below computes a confidence score for sensor \(s_i\) as the trust-weighted fraction of agreement with its coverage-overlapping neighbors $\mathcal{N}_i$ , where $w_{ij}$ is the link trust weight and $\text{Agreement}(s_i, s_j)$ measures detection correlation between the two sensors.

$$\text{Confidence}(s_i) = \frac{\sum_{j \in \mathcal{N}_i} w_{ij} \cdot \text{Agreement}(s_i, s_j)}{\sum_{j \in \mathcal{N}_i} w_{ij}}$$

where $\mathcal{N}_i$ is the set of sensors with overlapping coverage, and $\text{Agreement}(s_i, s_j)$ is the fraction of common time windows where both sensors agree on event presence/absence within a spatial-temporal tolerance window.

Low confidence triggers:

• Sensor \(s_i\) reports detection that no neighbors corroborate
• Sensor \(s_i\) fails to report detection that all neighbors report
• Sensor \(s_i\) timing systematically differs from neighbors

Cross-validation doesn’t determine which sensor is correct - it identifies sensors requiring investigation.

---

The Limits of Self-Measurement

Self-measurement has boundaries. Recognizing these limits is essential for correct system design.

Novel Failure Modes

Anomaly detection learns from historical data. A failure mode never seen before - outside the training distribution - may not be detected as anomalous.

Example: OUTPOST sensors are trained on hardware failures, communication failures, and known environmental conditions. A new adversarial technique - acoustic disruption of MEMS sensors - produces sensor behavior within “normal” ranges but with corrupted data. The anomaly detector sees normal statistics; the semantic content is compromised.

Mitigation: Defense in depth. Multiple detection mechanisms with different assumptions. Cross-validation between sensors. Periodic ground-truth verification when connectivity allows.

Adversarial Understanding

An adversary who understands the detection algorithm can craft attacks that evade detection.

If the adversary knows we use EWMA with \(\alpha = 0.1\), they can introduce gradual drift that stays within \(2\sigma\) at each step but accumulates to significant deviation over time. The “boiling frog” attack.

Mitigation: Ensemble of detection algorithms with different sensitivities. Long-term drift detection (comparing current baseline to baseline from days ago). Randomized detection parameters.

Cascading Failures

Self-measurement assumes the measurement infrastructure is functional. But the measurement infrastructure can fail too.

If the power management system fails, anomaly detection may lose power before it can detect the power anomaly. If the communication subsystem fails, gossip cannot propagate health. The failure cascades faster than measurement can track.

Mitigation: P0/P1 monitoring on dedicated, ultra-low-power subsystem. Watchdog timers that trigger even if main processor fails. Hardware-level health indicators independent of software.

The Judgment Horizon

When should the system distrust its own measurements?

• When confidence intervals are too wide to support decisions
• When multiple sensors give irreconcilable readings
• When the system is operating outside its training distribution
• When measurement infrastructure itself is compromised

At the judgment horizon , self-measurement must acknowledge its limits. The system should:

1. Log that it has reached measurement uncertainty limits
2. Fall back to conservative assumptions
3. Request human input when connectivity allows
4. Avoid irreversible actions until confidence is restored

Sensor 47 Resolution

Return to our opening scenario. Sensor 47 went silent. How did OUTPOST diagnose the failure?

The fusion node applied the diagnostic framework from Section 2.3. Signature analysis found the abrupt silence with no prior degradation inconsistent with gradual sensor element failure but consistent with abrupt power regulation failure. Correlation check confirmed sensors 45, 46, 48, and 49 all operational, ruling out regional communication failure. Environmental context showed no known jamming indicators and nominal weather, lowering adversarial probability. The staleness trajectory of Sensor 47’s last 10 readings showed normal variance with no drift, ruling out slow degradation.

Diagnosis: localized hardware failure (most likely power regulation) with 78% confidence (illustrative value). The fusion node routed Sensor 47’s coverage zone to neighbors (Sensors 45 and 48), flagged the unit for physical inspection on next patrol, and updated its anomaly detection baseline to reduce reliance on Sensor 47’s historical patterns.

Post-reconnection analysis (satellite uplink restored 6 hours later): Sensor 47’s voltage regulator had failed suddenly - a known failure mode for this component batch. The diagnosis was correct. The system had self-measured, self-diagnosed, and self-healed without human intervention.

Cognitive Map: Self-measurement has four hard limits — novel failures outside the training distribution, adversarial attacks calibrated to evade the detector, measurement infrastructure failures that cut the observation loop before an anomaly is logged, and the judgment horizon where confidence intervals are too wide to support any decision. Recognition of these limits is not a weakness of the design; it is the feature that prevents the system from taking irreversible actions on uninformative data.

Learning from Measurement Failures

Measurement failures provide training data for improved detection. The four-step post-hoc process below turns each failure event into a concrete improvement to the detection catalog, threshold settings, or classifier model.

Step	Action	Output
1	Document failure mode	Failure signature added to catalog
2	Extract detection features	New features for anomaly detector
3	Adjust thresholds	$\theta' = \theta - \Delta\theta$ if false negative
4	Retrain models	Updated classifier with new case

Measurable improvement: $P(\text{detect} \mid \text{failure type})$ increases after each logged failure of that type.

---

Model Scope and Failure Envelope

Each mechanism has bounded validity. When assumptions fail, so does the mechanism.

Validity Domain: Summary

Each mechanism is valid only within a domain $\mathcal{D}$ defined by its assumptions. Outside that domain the protocol continues to run, but its correctness and performance guarantees no longer hold. The table below shows, for each component, which assumptions must hold, what breaks when they fail, and what mitigations exist.

Component	Assumptions	Breaks When	Mitigation
Gossip (Prop 4)	Connected network; delivery prob \(> 0.5\); uniform peer selection	Partition isolates clusters; high message loss; biased peer selection	Hierarchical gossip; bridge detection; priority messages; random peer forcing
Detection (Prop 3)	Abrupt step-like shift $\delta \in [0.5\sigma, 1.5\sigma]$ ; stable baseline; Gaussian noise	Gradual drift; unstable baseline; heavy-tailed noise	Dual-CUSUM for drift; adaptive windowing; robust statistics
Byzantine (Prop 6)	Byzantine minority (\(f < n/3\)); honest nodes truthful; attacker cannot predict trimming	\(f \geq n/3\); coordinated alignment past trimming; compromised honest node	Hierarchical trust; random trimming; continuous trust reassessment
Staleness (Prop 5)	Brownian diffusion model with accurate \(\sigma\); reliable timestamps	Volatility misestimate; clock spoofing; strongly mean-reverting metrics	Adaptive volatility estimation; authenticated time; relative ordering

Counter-scenarios: Adversary who selectively jams inter-cluster gossip creates divergent health views undetectable within each cluster — detection requires cross-cluster comparison on reconnection. Adversary who compromises exactly \(n/3\) sensors gradually stays below instantaneous detection thresholds — detection requires trend analysis of trust scores, not just instantaneous counts.

Summary: Claim-Assumption-Failure Table

The table below consolidates the key correctness claims from this article, the assumptions each relies on, and the specific conditions under which each breaks down.

Claim	Key Assumptions	Valid When	Fails When
Gossip converges in \(O(\ln n)\)	Connected network, uniform peer selection	Network mostly connected	Partition isolates clusters
CUSUM detects faster than EWMA	Abrupt shift $\delta \in [0.5\sigma, 1.5\sigma]$	Step-like anomalies	Gradual drift; tiny shifts
Trimmed mean tolerates \(f\) Byzantine	\(f < n/3\)	Byzantine minority	\(f \geq n/3\); coordinated attack
Confidence degrades as $\sqrt{\tau}$	State evolution follows Brownian motion model	Stable volatility	Volatility spikes; regime change
Ensemble improves detection	Models capture different anomaly types	Anomaly diversity	All anomalies same type

---

Irreducible Trade-offs

No design eliminates these tensions. The architect selects a point on each Pareto front.

Trade-off 1: Detection Sensitivity vs. False Positive Rate

Multi-objective formulation: Raising \(\theta\) decreases false positives but also decreases true positives — the formula captures both dimensions so the cost of each trade-off direction is explicit.

$$\max_{\theta} \left( U_{\text{TPR}}(\theta), -U_{\text{FPR}}(\theta) \right)$$

ROC trade-off: No threshold \(\theta\) achieves both TPR = 1 and FPR = 0 for overlapping distributions.

Cost-weighted decision: The formula selects the threshold that minimizes total expected error cost, explicitly weighting missed detections by $C_{\text{FN}}$ and false alarms by $C_{\text{FP}}$ .

$$\theta^* = \arg\min_\theta \left[ C_{\text{FN}} \cdot P(\text{FN}|\theta) + C_{\text{FP}} \cdot P(\text{FP}|\theta) \right]$$

Pareto front derivation (Gaussian anomaly model):

For normally distributed metrics with anomaly shift \(\delta\), the two closed-form expressions below give the TPR and FPR as a function of threshold \(\theta\) in units of \(\sigma\); the gap between the two curves widens as \(\delta\) increases relative to \(\sigma\).

$$\text{TPR}(\theta) = \Phi\left(\frac{\delta - \theta}{\sigma}\right), \quad \text{FPR}(\theta) = 1 - \Phi\left(\frac{\theta}{\sigma}\right)$$

The table below evaluates these expressions at four operating points and shows the cost-ratio condition under which each is optimal; the Use-when column is the key reference for practitioners choosing a threshold.

Threshold	TPR = $\Phi((\delta-\theta)/\sigma)$	FPR = $1-\Phi(\theta/\sigma)$	Use when $C_{FN}/C_{FP}$ is
$\theta = 1.5\sigma$	$\Phi(\delta/\sigma - 1.5)$	\(0.067\)	High (FN aversion; tolerate FP)
$\theta = 2.0\sigma$	$\Phi(\delta/\sigma - 2.0)$	\(0.023\)	Medium
$\theta = 2.5\sigma$	$\Phi(\delta/\sigma - 2.5)$	\(0.006\)	Low
$\theta = 3.0\sigma$	$\Phi(\delta/\sigma - 3.0)$	\(0.001\)	Very low (FP aversion)

Optimal threshold selection: The closed-form below gives \(\theta^*\) as the $\Phi^{-1}$ quantile of the cost-normalized false-positive fraction, placing the decision boundary where the marginal cost of a false positive equals the marginal cost of a false negative.

$$\theta^* = \sigma \cdot \Phi^{-1}\left(\frac{C_{FP}}{C_{FP} + C_{FN}}\right)$$

For tactical edge where $C_{FN} \gg C_{FP}$ : the cost-optimal threshold is the $\theta = 1.5\sigma$ row of the table above (FPR = 0.067, high sensitivity), accepting false positives to minimize missed detections.

Trade-off 2: Staleness vs. Bandwidth Cost

Multi-objective formulation: Increasing gossip rate \(\lambda\) improves data freshness but consumes proportionally more bandwidth — the formula sets up the optimization that finds the rate balancing both.

$$\max_{\lambda} \left( U_{\text{freshness}}(\lambda), -C_{\text{bandwidth}}(\lambda) \right)$$

where \(f_g\) is gossip rate.

Confidence-bandwidth surface derivation: The table below samples the Pareto front at four gossip rates, showing bandwidth in units of \(\lambda \cdot m\) (message-rate times message-size) and confidence as $e^{-\gamma/\lambda}$ where \(\gamma\) is the staleness decay rate.

With gossip contact rate \(f_g\), mean staleness is \(\tau = 1/f_g\) and confidence is $\kappa(\tau) = e^{-\gamma_s \tau}$ ; the two expressions below make the linear bandwidth cost and exponential confidence gain explicit as functions of the single design parameter \(f_g\).

$$\text{Bandwidth} = f_g \cdot m_{\text{msg}}, \quad \text{Confidence} = e^{-\gamma_s/f_g}$$

Gossip Rate \(\lambda\)	Staleness \(1/\lambda\)	Bandwidth	Confidence $e^{-\gamma/\lambda}$
\(0.1\)/s	\(10\)s	\(f_g \cdot m\)	$e^{-10\gamma_s}$
\(0.5\)/s	\(2\)s	\(5 f_g \cdot m\)	$e^{-2\gamma_s}$
\(1.0\)/s	\(1\)s	\(10 f_g \cdot m\)	$e^{-\gamma_s}$
\(2.0\)/s	\(0.5\)s	\(20 f_g \cdot m\)	$e^{-0.5\gamma_s}$

Diminishing returns analysis: $d\kappa/df_g = \gamma_s f_g^{-2} e^{-\gamma_s/f_g}$ decreases as $f_g \to \infty$ . Marginal confidence gain from doubling \(f_g\): $\Delta\kappa = e^{-\gamma_s/(2f_g)} - e^{-\gamma_s/f_g} \to 0$ as \(f_g\) increases.

Trade-off 3: Model Complexity vs. Adaptability

Multi-objective formulation: Choosing model \(m\) simultaneously determines accuracy on known patterns, adaptability to novel ones, and compute cost — the three-way trade-off that prevents any single model from dominating.

$$\max_{m \in \mathcal{M}} \left( U_{\text{accuracy}}(m), U_{\text{adaptability}}(m), -C_{\text{compute}}(m) \right)$$

Pareto front derivation (bias-variance tradeoff): The bound below shows that accuracy is limited by two terms moving in opposite directions as model complexity increases — bias decreases while variance increases.

$$\text{Accuracy}(m) \leq 1 - \underbrace{\text{Bias}^2(m)}_{\downarrow \text{ with complexity}} - \underbrace{\text{Var}(m)}_{\uparrow \text{ with complexity}}$$

The table below evaluates all three trade-off dimensions for the four models used in this article; no row dominates all others, confirming the Pareto structure.

Model	Capacity \(C_m\)	Adaptability \(\propto 1/C_m\)	Compute \(O(\cdot)\)	Memory
EWMA	\(O(1)\)	High	\(O(1)\)	96B
Isolation Forest	\(O(t \log n)\)	Medium	\(O(\log n)\)	25KB
Autoencoder	\(O(d^2)\)	Low	\(O(d^2)\)	280B
Ensemble	$\sum_i C_i$	Medium	$\sum_i O_i$	25KB

No model dominates: High-capacity models (autoencoder) achieve lower bias but higher variance on novel distributions. Low-capacity models (EWMA) adapt to drift but miss complex patterns. The Pareto frontier is convex - gains on one objective require losses on another.

Trade-off 4: Byzantine Tolerance vs. Latency

Multi-objective formulation: Tolerating more Byzantine node s \(f\) requires more participating nodes and more message rounds, directly increasing aggregation latency — the formula makes this tension explicit.

$$\max_{f} \left( U_{\text{tolerance}}(f), -C_{\text{latency}}(f) \right)$$

where \(f\) is the number of Byzantine node s tolerated. The table below shows how tolerating each additional faulty node requires \(3\) more participating nodes and one additional message round, so the latency cost is linear in \(f\).

Tolerance Level	Required Nodes	Message Rounds	Latency
\(f = 0\)	\(n \geq 1\)	1	Low
\(f = 1\)	\(n \geq 4\)	2	Medium
\(f = 2\)	\(n \geq 7\)	3	High
\(f = k\)	\(n \geq 3k+1\)	\(k+1\)	\(O(k)\)

Higher Byzantine tolerance requires more nodes and more communication rounds, increasing latency. Cannot achieve high tolerance with low latency and few nodes.

Cognitive Map: The four trade-offs — sensitivity vs. false positive rate, freshness vs. bandwidth, accuracy vs. adaptability, Byzantine tolerance vs. latency — are Pareto frontiers, not optimization problems with a single correct answer. Every deployment chooses a point on each frontier based on its mission cost ratios. The optimal threshold ( Proposition 9 ), gossip rate (Corollary 3), and ensemble composition (Section 2) are the three levers that move those operating points. Adjust them together, not independently.

Cost Surface: Measurement Under Resource Constraints

The formula below gives the total cost of measurement as a function of sampling rate and fidelity: the first term is the resource cost of sampling (quadratic in fidelity), while the second term is the staleness cost that increases as rate drops.

$$C_{\text{measure}}(\text{rate}, \text{fidelity}) = \alpha \cdot \text{rate} \cdot \text{fidelity}^2 + \beta \cdot \frac{1}{\text{rate}}$$

The first term represents sampling cost (higher rate and fidelity cost more). The second term represents staleness cost (lower rate increases staleness ). The optimal operating point balances these competing costs.

Resource Shadow Prices

The shadow price $\zeta_i = \partial U / \partial g_i$ quantifies how much additional utility one more unit of each resource delivers at the current operating point; a high shadow price identifies the binding constraint where investment yields the largest return.

Resource	Shadow Price \(\zeta_i\) (c.u.)	Interpretation
Gossip bandwidth	2.10/KB-hr	Value of an additional kilobyte per hour of health-synchronization capacity
Detection compute	0.05/inference	Value of one additional detection inference pass at current anomaly rate
Sensor power	0.80/mW-hr	Value of one additional milliwatt-hour sustaining continuous sensing
Memory	0.01/KB	Value of one additional kilobyte enabling longer observation history

(Shadow prices in normalized cost units (c.u.) — illustrative relative values; ratios convey resource scarcity ordering. Detection compute (0.05 c.u./inference) is the reference unit. Calibrate to actual platform resource costs.)

Irreducible Trade-off Summary

The four trade-offs developed in this section are irreducible: no design choice eliminates the tension, only shifts the operating point along the Pareto frontier.

Trade-off	Objectives in Tension	Cannot Simultaneously Achieve
Sensitivity-Precision	Catch all anomalies vs. no false alarms	Perfect TPR and zero FPR
Freshness-Bandwidth	Current information vs. low network cost	Both with limited bandwidth
Accuracy-Adaptability	High accuracy vs. novel anomaly detection	Both without ensemble overhead
Tolerance-Latency	Byzantine resilience vs. fast aggregation	Both with few nodes

---

Reputation-Based Consensus at the Measurement Layer

The Byzantine framework established in Definitions 27 and 22 and Proposition 15 handles fault tolerance at the aggregation layer: trust-weighted trimmed means guard against nodes whose reports fall outside the statistical envelope. What it does not handle is a slower attack surface: a node whose divergence \(D_j(t)\) drifts systematically but stays within the trimming threshold, corrupting the gossip health vector ( Definition 24 ) and the adaptive baseline ( Definition 20 ) over many observation cycles before the damage becomes detectable.

Three mechanisms close this gap. A per-peer running estimator flags anomalous divergence history ( Definition 33 ). A local ejection rule removes the offending node from trust-weighted merges without requiring a fleet-wide vote ( Definition 34 ). A Phase-0-anchored trust-root maintains calibrated weights during the Denied regime ( Definition 35 ) — the connectivity state where gossip cannot propagate reputation updates at all.

Definition 33 (Divergence Sanity Bound). Node \(i\) maintains a Welford running estimator over divergence observations from peer \(j\): sample count \(n_j\), running mean \(\mu_j\), and second moment $M_{2,j}$ . On each new divergence observation \(d = D_j(t)\) the estimator updates as:

$$\begin{aligned} n_j &\leftarrow n_j + 1 \\ \delta_1 &= d - \mu_j \\ \mu_j &\leftarrow \mu_j + \delta_1 / n_j \\ \delta_2 &= d - \mu_j \\ M_{2,j} &\leftarrow M_{2,j} + \delta_1 \cdot \delta_2 \\ \sigma^2_j &\leftarrow M_{2,j} / (n_j - 1), \quad n_j \geq 2 \end{aligned}$$

Cold-start handling: when \(n_j < 2\), the variance term is undefined. For the first observation, a prior variance \(\sigma_\text{prior}^2\) is substituted; the ejection gate is suppressed entirely for \(n_j = 0\), and the prior variance is used for \(n_j = 1\).

Observation \(d\) is flagged anomalous if $d > \mu_j + k \cdot \sigma_j$ , where \(k\) is a fleet-wide policy parameter (\(k = 3\) (illustrative value) for standard operation; \(k = 4\) (illustrative value) for high-safety contexts). The estimator is seeded from the Phase-0 attestation window ( Definition 35 ), not from cold-start zeros. \(D_j(t)\) is the per-node scalar approximation of Definition 57 ’s pairwise divergence metric, computed against the last-known fleet consensus snapshot received via gossip ( Definition 24 ).

Physical translation: Each node silently tracks how far each peer’s divergence deviates from that peer’s own history. A peer whose divergence was normally around 0.04 and suddenly hits 0.31 is flagged — not because of any absolute threshold, but because it is behaving three standard deviations outside its own baseline. The Welford update requires no stored history, only three running scalars per peer, making it viable on constrained hardware. Cold-starting from zeros would produce false flags during warm-up; seeding from Phase-0 eliminates this entirely.

Definition 34 (Soft-Quorum Ejection). Node \(i\) maintains a per-peer suspicion counter \(v_j\), a sliding-window flag count \(F_j(w)\) over the last \(w\) observations, and reputation weight \(w_j \in [0, w_0]\), where \(w_0\) is the Phase-0 calibrated baseline. The update rules are: a flagged observation sets \(v_j \leftarrow v_j + 1\); a clean observation reduces suspicion rather than resetting it: $v_j \leftarrow \max(0,\, v_j - 1)$ . When \(v_j \geq m\), node \(i\) sets \(w_j \leftarrow 0\) (soft-eject). Secondary rate-based trigger: if \(F_j(w) / w > r_\text{eject}\) over a sliding window of \(w\) observations, node \(i\) soft-ejects peer \(j\) regardless of consecutive-run length; default values \(r_\text{eject} = 0.4\) (illustrative value) and \(w = 10\) (illustrative value). The decaying counter prevents a Byzantine node that alternates flagged and clean observations from keeping \(v_j\) perpetually near zero; the rate-based trigger catches sustained low-grade misbehaviour that would evade an m-consecutive-flags gate alone. After \(r\) consecutive post-eject clean observations, \(w_j \leftarrow w_0\) (reinstatement). No broadcast is emitted; the decision is purely local. A soft-ejected peer \(j\) is excluded from Definition 58b’s Reputation-Weighted Merge and from Definition 65’s Reputation-Weighted Fleet Coherence Vote. Peer \(j\) remains in the denominator of Definition 66’s Logical Quorum — a cascade of ejections cannot erode the quorum threshold.

Physical translation: When a peer starts reporting values that are consistently far outside its own historical norm, the local node stops trusting it for aggregation decisions — silently, without coordinating with anyone else. The ejection is soft: the suspect peer’s count still contributes to quorum thresholds (so the fleet cannot be reduced to a rump quorum by ejecting a majority), but its reports no longer influence health consensus. Ejection is not permanent; it is a probationary state.

Rehabilitation: An ejected node may re-enter the quorum after reconnecting to a trust-root anchor ( Definition 35 ) and passing \(r\) consecutive validation rounds without triggering the ejection predicate. Re-entry is additionally gated by the reconnecting node’s Bayesian surprise score falling below \(\kappa / 2\) for a full gossip convergence period ( Proposition 12 ), where \(\kappa\) is the fleet-wide anomaly threshold used in Definition 33 . This prevents a briefly compliant Byzantine node from gaming the \(r\)-clean-observation window and re-entering at full weight \(w_0\).

Proposition 19 (False-Positive Ejection Bound). Under Gaussian divergence residuals and independent peers, the probability that an honest peer \(j\) is wrongly soft-ejected by node \(i\) within \(T\) observation steps satisfies:

Requiring multiple consecutive flags before ejection makes accidental exclusion of honest peers astronomically unlikely.

$$P(\text{false eject}) \leq \bigl(1 - \Phi(k)\bigr)^m \cdot T$$

where \(\Phi\) is the standard normal CDF. At \(k = 3, m = 5\) (illustrative value): $P \approx 4.5 \times 10^{-15} \cdot T$ (theoretical bound), negligible for any realistic operating window.

Physical translation: With a 3-sigma threshold and requiring 5 consecutive flags to eject, the probability that a normally-behaving peer gets wrongly kicked out is so small that it would not be expected to happen once in the lifetime of any conceivable fleet deployment. The requirement for five consecutive flags (not just five total) is the key: a single clean observation resets the counter to zero, so transient sensor noise cannot accumulate into a false ejection.

Watch out for: this bound holds under the assumption of Gaussian divergence residuals with approximately independent peers; in the Denied regime where \(T_{\text{acc}}\) exceeds the Weibull P95 partition threshold, temporal autocorrelation violates both the Gaussianity and independence assumptions, causing actual false-ejection rates to exceed the stated bound.

Proof sketch. A false ejection requires \(m\) consecutive anomalous flags on an honest peer. Under Gaussian residuals, each flag occurs independently with probability \(1 - \Phi(k)\). The \(m\)-consecutive-flag probability is \((1 - \Phi(k))^m\); a union bound over \(T\) possible streak-ending positions gives the stated result. \(\square\)

OUTPOST scenario: With \(k = 3\) (illustrative value), \(m = 5\) (illustrative value), and a 14-day operating window (\(T \approx 1.2 \times 10^6\) steps at 1 Hz) (illustrative value), the fleet-wide expected false ejections remain below \(10^{-8}\) (theoretical bound) — effectively zero over any mission duration.

Empirical status: The \(P(\text{false eject})\) formula is exact under the Gaussian independence assumption. Real divergence residuals are not perfectly Gaussian or fully independent — temporal autocorrelation in sensor streams can cause streak lengths longer than independence predicts. The \(4.5 \times 10^{-15}\) figure for \(k=3,\,m=5\) is analytically correct under the model; empirical false-ejection rates in non-Gaussian environments have not been characterized.

Definition 35 (Trust-Root Anchor). At Phase-0, each node \(i\) generates an attestation record signed by hardware TPM:

$$A_i = \bigl(id_i,\; H(\mathrm{config}_i),\; \mathrm{PKI\_root}\bigr)$$

The fleet trust-root for node \(i\) is $\mathcal{T}_{\text{root},i} = \{A_j : j \in \text{fleet, Phase-0 attested}\}$ . During the Denied connectivity regime ( Definition 6 , $\mathcal{N}$ ), gossip cannot propagate reputation updates. Node \(i\) applies the following defaults: peer $j \in \mathcal{T}_{\text{root},i}$ receives weight \(w_j = w_0\); peer $j \notin \mathcal{T}_{\text{root},i}$ (introduced post-Phase-0 without re-attestation) receives weight $w_j = w_{\text{low}} < w_0$ .

Physical translation: Before the mission begins, every node in the fleet exchanges hardware-attested identity records. During the mission, this pre-shared roster is the only trust reference available in the Denied regime — there is no way to verify a newcomer or revoke a known node without connectivity. Nodes added after Phase-0 (replacements, reinforcements) operate at reduced trust weight until they can be re-attested through a connected phase. The anchor does not prevent compromise; it bounds how much damage a compromised or new node can do without coordination.

Anchor compromise: If the trust-root anchor is itself Byzantine — for example, if Phase-0 attestation records were forged or the TPM was compromised before deployment — the fleet degrades to pairwise Proposition 15 (Byzantine Tolerance Bound): no quorum decisions are made until a new anchor is established through an out-of-band key ceremony. Individual nodes continue operating on local anomaly detection ( Definition 19 ) and can still form local soft-quorums among mutually trusting peers, but fleet-wide consensus requires re-establishing a verified trust root.

When hardware TPM attestation is unavailable (air-gapped deployments, legacy hardware, or emergency re-commissioning): the system falls back to a software-only attestation using a pre-shared symmetric key exchanged during physical installation. Software attestation provides weaker guarantees — it is vulnerable to a compromised node that knows the key — so deployments using software fallback must set \(f_\text{max} < n/4\) (one fewer faulty node tolerance) rather than the standard \(n/3\) Byzantine tolerance bound.

Proposition 20 (Isolated-Node Trust Guarantee). A node operating in the Denied regime for duration \(\tau\) maintains calibration error bounded by:

Trust weights drift linearly during isolation; a longer Phase-0 calibration window limits how fast that drift can accumulate.

$$\lvert \hat{w}_j(\tau) - w_j(0) \rvert \leq \varepsilon_{\text{drift}} \cdot \tau$$

where $\varepsilon_{\text{drift}} \leq w_0 / L_{\text{P0}}$ for Phase-0 calibration window length $L_{\text{P0}}$ , under the assumption that fleet divergence statistics are approximately stationary over the partition duration.

Proof sketch: In the Denied regime, the Welford estimators are frozen — no gossip updates arrive. Weight drift accumulates only from the last observation window before partition start. The maximum drift rate is bounded by the per-sample update magnitude $w_0 / L_{\text{P0}}$ (the Phase-0 window normalizes the step size). Over duration \(\tau\) with stationary divergence, drift accumulates linearly: $|\hat{w}_j(\tau) - w_j(0)| \leq (w_0 / L_{\text{P0}}) \cdot \tau = \varepsilon_{\text{drift}} \cdot \tau$ . Trust degrades gracefully rather than catastrophically; the Phase-0 anchor prevents unbounded weight drift regardless of partition duration. \(\square\)

Physical translation: A node isolated for 18 hours in the Denied regime will have trust weights that have drifted by at most $\varepsilon_{\text{drift}} \cdot 18$ from their calibrated values — a bounded, calculable degradation, not a free fall. The longer the Phase-0 calibration window $L_{\text{P0}}$ , the smaller $\varepsilon_{\text{drift}}$ is, so investing in a thorough pre-mission calibration directly reduces how much the trust model degrades during extended disconnection.

OUTPOST illustration. Day 44 of operation. Sensor 88 begins reporting threat coordinates 340 m (illustrative value) east of the consensus estimate. Its $D_{88}(t)$ climbs from a historical \(\mu \approx 0.04\) (illustrative value) to 0.31 (illustrative value) over six reporting cycles, exceeding $\mu + 3\sigma \approx 0.09$ (illustrative value). Node 12 flags Sensor 88 on the fifth observation (streak $v_{88} = 5 \geq m = 5$ ) and sets $w_{88} = 0$ . Nodes 11, 13, and 14 reach the same conclusion independently over the next two gossip cycles. The 126 remaining sensors continue operating; no coordinator is contacted; no fleet-wide vote is called.

At hour 72, sustained jamming drives OUTPOST into the Denied regime. Gossip halts. Node 12’s Welford estimators freeze at their current values. For the 126 Phase-0-attested peers, \(w_j = w_0\) is applied from $\mathcal{T}_{\text{root},12}$ ; for a sensor added at day 40 without re-attestation, $w_j = w_{\text{low}}$ . Proposition 20 bounds the trust drift over the 18-hour partition at $\varepsilon_{\text{drift}} \cdot 18$ — a calculable, bounded degradation.

Parameter	Standard OUTPOST	High-Safety OUTPOST
\(k\) (sigma threshold)	3	4
\(m\) (violations to eject)	5	5
\(r\) (clean to reinstate)	10	20
$P(\text{false eject})$ per \(10^6\) steps	$4.5 \times 10^{-9}$	$< 10^{-16}$

Empirical status: The drift bound $|\hat{w}_j(\tau) - w_j(0)| \leq (w_0/L_{\text{P0}})\cdot\tau$ is analytically derived under the stationary-divergence assumption. The OUTPOST illustration values (\(\mu \approx 0.04\), $\mu + 3\sigma \approx 0.09$ ) are scenario parameters, not measured fleet divergence statistics. The assumption of stationary divergence during partition may not hold if the physical environment changes significantly during an 18-hour blackout.

Watch out for: the bound assumes the operational environment remains stationary during isolation; if the environment shifts sharply during a partition — a new failure mode appears or ambient conditions change — the model drift can exceed \(\varepsilon_{\text{drift}} \cdot \tau\) independently of isolation duration, since the Brownian bound does not cover non-stationary divergence statistics.

---

Closing: The Measurement-Action Loop

Measurement feeds action; without action, measurement is logging. AUTODELIVERY ’s gossip propagation feeds task assignment; PREDICTIX ’s anomaly detection feeds workload rebalancing.

The diagram below shows the measurement-action loop (the MAPE-K cycle); notice that Execute feeds back into Monitor, meaning the system continuously validates whether its own healing actions had the intended effect rather than assuming success.

    
    graph LR
    M["Monitor
(observe state)"] --> A["Analyze
(detect anomaly)"]
    A --> P["Plan
(select action)"]
    P --> E["Execute
(apply healing)"]
    E -->|"feedback loop"| M

    style M fill:#c8e6c9
    style A fill:#fff9c4
    style P fill:#ffcc80
    style E fill:#ffab91

Read the diagram: Monitor (green) observes the system state and feeds it to Analyze (yellow), which classifies anomalies. Plan (orange) selects a healing action; Execute (red-orange) applies it. The feedback arrow from Execute back to Monitor is the critical design requirement — every healing action becomes a new observation. Without this loop, the system cannot distinguish “healing worked” from “healing failed but we stopped looking.”

This is the MAPE-K loop (Monitor, Analyze, Plan, Execute, Knowledge) that IBM formalized for autonomic computing [9] .

Return to OUTPOST BRAVO.

Sensor 47 is silent. The fusion node has measured: abrupt silence, no prior degradation, neighbors fully operational, no correlated regional failure. The analysis suggests localized hardware failure with 78% confidence. The plan: reroute coverage to neighboring sensors, flag for inspection on the next patrol, log for human review when uplink restores.

But measurement alone doesn’t execute this plan. Self-healing must decide: Is 78% confidence sufficient to reroute coverage and degrade mission posture for that sector? What is the cost of a false alarm versus a missed failure? How does the rerouting affect the rest of the mesh?

These are the questions that precise measurement makes it possible to ask. Without a calibrated anomaly score and a staleness -bounded observation, there is no meaningful basis for any healing decision at all.

---

Related Work

Gossip and epidemic dissemination. The gossip health protocol in this article ( Definition 24 ) is grounded in the epidemic-algorithm literature. Demers et al. [1] introduced the epidemic model for replicated database reconciliation, demonstrating logarithmic propagation times in fully connected networks — the direct antecedent of the \(O(\ln n / \lambda)\) convergence bound in Proposition 12 . Kermarrec et al. [6] tightened these results for probabilistic reliable dissemination in large-scale systems under message loss, providing the theoretical basis for the lossy sparse-mesh extension in Proposition 13 . Both papers treat the fully-connected and sparse cases separately; the synthesis into the edge mesh model — with explicit mesh diameter \(D\), per-edge loss probability \(p_\text{loss}\), and the conductance bound \(\Phi \geq 1/D\) — is specific to the contested-environment setting developed here.

Anomaly detection and change-point methods. The CUSUM statistic (Page [3] ) remains the standard for optimal detection of step shifts in mean, and its optimality for that specific problem class (proven by Moustakides) motivates its placement alongside EWMA rather than as a replacement. The Kalman-based adaptive baseline ( Definition 20 ) follows the linear filtering framework introduced in Kalman [4] ; the scalar form used here for edge deployment is the degenerate one-dimensional case of the full matrix filter, with the key insight that EWMA with fixed \(\alpha\) is a special case where the Riccati equation is prevented from converging. The Bayesian interpretation of the Surprise metric ( Definition 21 ) connects to the Bayesian framework for inference under uncertainty in Gelman et al. [5] ; the log Bayes factor formulation follows standard practice for sequential hypothesis testing in that tradition.

Byzantine fault tolerance. The classical impossibility result that correct consensus requires more than \(2/3\) of nodes to be honest was established by Lamport, Shostak, and Pease [7] . The trust-weighted generalization in Proposition 15 — replacing the node-count fraction with a trust-weight fraction — is a natural extension; Byzantine trust weight below \(1/3\) is a necessary condition. Castro and Liskov [8] demonstrated practical BFT in asynchronous networks through PBFT, which operates under the same \(f < n/3\) bound but with full replication semantics inapplicable to the gossip-health problem. The trust-decay and behavioral-fingerprint mechanisms ( Behavioral Fingerprint , Soft-Quorum Ejection, and Trust-Root Anchor) address the gap between the instantaneous fraction bound and the slow-accumulation attack that falls below the threshold until a coordinated action.

Autonomic computing and edge self-management. The MAPE-K control loop (Monitor–Analyse–Plan–Execute with Knowledge Base) was formalized by Kephart and Chess [9] as the organizing framework for self-managing systems; the four-phase structure pervades this article’s local anomaly detection pipeline and the closing measurement-action loop. Huebscher and McCann [10] surveyed the degrees and models of autonomic behavior, noting the dependence on local state awareness as a prerequisite for any self-* capability — the precise motivation for treating self-measurement as the foundational problem in this series rather than a supporting component. The edge computing context — limited compute, constrained memory, contested connectivity — follows the landscape surveyed by Satyanarayanan [2] , which identifies local processing and graceful disconnection as the distinguishing design properties of edge deployments relative to cloud architectures.

---

Three results carry forward from this article. First, the cost-optimal detection threshold ( Proposition 9 ) places the decision boundary where the ratio of anomaly likelihoods equals the ratio of error costs — a concrete, tunable criterion that replaces the ad hoc \(2\sigma\) or \(3\sigma\) thresholds common in practice. Second, gossip convergence in \(O(\ln n / f_g)\) time ( Proposition 12 ) means that fleet-wide health awareness scales gracefully: doubling a 47-drone swarm adds roughly 0.7 seconds to convergence at 1 Hz gossip rate, not a proportional delay. Third, the maximum useful staleness bound ( Proposition 14 ) gives designers a principled way to size observation frequency: the tighter the decision margin \(\Delta h\), the higher the sampling rate must be, in a quadratic relationship that makes aggressive margin requirements expensive.

But measurement is only half the loop. A system that can diagnose a failure with 78% confidence still faces the question of what to do about it: which recovery actions are safe to attempt, in what order, under what resource constraints, and with what guarantees of stability. Those are the questions addressed in Self-Healing Without Connectivity, which develops the formal autonomic control loop, defines healing action severity, and derives the stability conditions under which closed-loop recovery converges rather than oscillates.

---

References

[1] Demers, A., Greene, D., Hauser, C., Irish, W., Larson, J., Shenker, S., Sturgis, H., Swinehart, D., Terry, D. (1987). “Epidemic Algorithms for Replicated Database Maintenance.” Proc. PODC, 1–58. ACM. [doi]

[2] Satyanarayanan, M. (2017). “The Emergence of Edge Computing.” IEEE Computer, 50(1), 30–39. [doi]

[3] Page, E.S. (1954). “Continuous Inspection Schemes.” Biometrika, 41(1/2), 100–44. [doi]

[4] Kalman, R.E. (1960). “A New Approach to Linear Filtering and Prediction Problems.” Trans. ASME — Journal of Basic Engineering, 82(1), 35–66. [doi]

[5] Gelman, A., Carlin, J.B., Stern, H.S., Rubin, D.B. (2003). Bayesian Data Analysis, 2nd ed. Chapman & Hall/CRC. [web]

[6] Kermarrec, A.-M., Massoulié, L., Ganesh, A.J. (2003). “Probabilistic Reliable Dissemination in Large-Scale Systems.” IEEE Transactions on Parallel and Distributed Systems, 14(3), 248–258. [doi]

[7] Lamport, L., Shostak, R., Pease, M. (1982). “The Byzantine Generals Problem.” ACM Trans. Programming Languages and Systems, 4(3), 382–401. [doi]

[8] Castro, M., Liskov, B. (1999). “Practical Byzantine Fault Tolerance.” Proc. OSDI, 173–186. [pdf]

[9] Kephart, J.O., Chess, D.M. (2003). “The Vision of Autonomic Computing.” IEEE Computer, 36(1), 41–50. [doi]

[10] Huebscher, M.C., McCann, J.A. (2008). “A Survey of Autonomic Computing — Degrees, Models, and Applications.” ACM Computing Surveys, 40(3), Article 7. [doi]

---

Back to top