Tunnel Ops

Multi-Domain Threat Correlation: Linking Surface Activity to Subsurface Signatures

Split-level cross-section visualization linking surface surveillance data with subsurface seismic sensor signatures

Underground threat detection treated in isolation produces a limited operational picture. Subsurface sensors can tell you something is moving in a tunnel corridor — they can provide approximate velocity, direction, and rough count of contacts. What they can't do by themselves is tell you why it's happening, or connect the activity to observable behavior on the surface. When you layer surface-domain surveillance data on top of subsurface sensor output and run them through a correlation engine, you get something qualitatively different from either layer alone: an activity model that spans the air-ground boundary and lets you reason about cause and effect across domains.

We've been building this correlation layer for two years and have tested it in three operational contexts. The approach has produced meaningful improvements in operator confidence and reduced response time. It has also produced some failure modes we didn't anticipate, which are worth being honest about.

Why multi-domain correlation matters operationally

Consider the standard underground detection scenario: a seismic node array detects footstep signatures consistent with two to three individuals moving at walking pace in a known tunnel corridor. The detection is high-confidence — the signal is clean, the classifier is confident. But the operator has to decide: is this a threat event or normal activity? In many environments, authorized personnel — maintenance crews, inspectors, utility workers — traverse the same corridors that adversaries might use. Without surface-domain context, that distinction is hard to make from underground signatures alone.

Now layer in surface pattern-of-life data. If surface surveillance has recorded two vehicles arriving at a surface access point 15 minutes before the subsurface movement started, and both vehicles are unknown to the system's vehicle registry, the correlation shifts the assessment significantly. The surface and subsurface data points individually are ambiguous. Together they're much less so. That's the core value proposition of multi-domain correlation: it converts individually ambiguous detections into higher-confidence assessments by exploiting the temporal and spatial relationships between them.

The surface data types that have proven most useful in our testing are access point monitoring (cameras or presence sensors at known surface entry points), vehicle pattern-of-life in the surrounding area, and in some contexts, atmospheric signatures near suspected excavation or ventilation points. The last category is the most speculative — we've had limited success correlating CO2 and particulate plumes with subsurface activity — but access point correlation has consistently been our highest-value surface data source.

Building the temporal correlation model

The technical challenge in multi-domain correlation is not collecting the data — it's building a model of the expected time relationships between surface and subsurface events that is tight enough to be informative but loose enough to tolerate uncertainty in both domains. Surface access to subsurface movement involves a transit time that depends on the specific access geometry: distance from surface entry to the corridor being monitored, walking speed, and any staging or preparation that occurs between surface arrival and underground entry.

For a specific site with known geometry, we can bound this transit window fairly tightly — typically 5 to 20 minutes depending on the access configuration. The correlation engine looks for subsurface events that fall within the expected window after a qualifying surface event. The difficulty is that this window has to be calibrated per site and per access point, which requires prior knowledge of the tunnel geometry that isn't always available for adversarial tunnel networks. For known infrastructure (border-control corridors, monitored facility perimeters), the calibration is straightforward. For discovered tunnel networks of unknown geometry, the temporal model has to be learned incrementally as events accumulate.

We handle this with a Bayesian update framework: initial priors on transit time are broad, and they tighten as the system observes confirmed correlations. In testing, the model converges to operationally useful precision after roughly 8–12 correlated events. Before convergence, the system flags potential correlations with explicit uncertainty quantification rather than suppressing them — the operator sees the evidence and the confidence level, not just a binary alert.
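
A sketch of the incremental learning described above, added here as an illustration and not the authors' implementation. It assumes transit delays are roughly Normal with a known event-to-event spread; the prior (centred on the 5 to 20 minute range), the spread and the sample delays are constructed values.

```python
import math

def update_transit_belief(mean, var, observed_delay, obs_var):
    """One conjugate Normal-Normal update after a confirmed correlation."""
    post_var = 1.0 / (1.0 / var + 1.0 / obs_var)
    post_mean = post_var * (mean / var + observed_delay / obs_var)
    return post_mean, post_var

def predictive_window(mean, var, obs_var, z=1.96):
    """~95% window (minutes) for the next surface-to-subsurface delay.
    Combines uncertainty in the mean with event-to-event spread."""
    half = z * math.sqrt(var + obs_var)
    return max(0.0, mean - half), mean + half

def delay_plausibility(delay, mean, var, obs_var):
    """Two-sided tail probability of a delay at least this far from the
    expected transit time; shown to the operator instead of a yes/no."""
    return math.erfc(abs(delay - mean) / math.sqrt(2.0 * (var + obs_var)))

def learn_transit_window(confirmed_delays, prior_mean=12.5, prior_sd=7.5, obs_sd=2.0):
    """Start from a broad prior and tighten it one confirmed event at a time.
    Prior and spread values are assumptions for illustration."""
    mean, var, obs_var = prior_mean, prior_sd ** 2, obs_sd ** 2
    windows = [predictive_window(mean, var, obs_var)]
    for d in confirmed_delays:
        mean, var = update_transit_belief(mean, var, d, obs_var)
        windows.append(predictive_window(mean, var, obs_var))
    return mean, var, windows

# Constructed sample: delays (minutes) from ten confirmed correlations.
CONFIRMED = [9.0, 11.5, 10.0, 8.5, 10.5, 9.5, 11.0, 10.0, 9.0, 10.5]

if __name__ == "__main__":
    mean, var, windows = learn_transit_window(CONFIRMED)
    for n, (lo, hi) in enumerate(windows):
        print(f"after {n:2d} events: window {lo:5.1f} to {hi:5.1f} min")
    p = delay_plausibility(18.0, mean, var, 2.0 ** 2)
    print(f"18-minute delay plausibility: {p:.4f}")
```

The window never collapses to a point: even with a well-estimated mean, the event-to-event spread keeps a floor under its width, which is why the plausibility score is reported alongside the match.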

False correlation: the problem we underestimated

Multi-domain correlation reduces some false positives (standalone underground detections that turn out to be benign) while introducing a new failure mode: false correlations, where a surface event and a subsurface event are associated by the system even though they're causally unrelated. In high-activity environments — urban border crossings, active mining operations — there are many surface events occurring continuously, and a random subsurface event will nearly always have a temporally plausible surface event nearby just by chance.

Our early testing in a high-activity test environment showed false correlation rates around 22% — more than one in five correlations the system flagged were coincidental rather than causal. We addressed this in two ways. First, we added spatial filtering: the system only correlates surface events at access points that are geometrically plausible for the specific subsurface detection location, rather than all surface events in the area. Second, we tuned the temporal window to be narrower than the maximum plausible transit time, sacrificing some recall for precision. Together these changes reduced the false correlation rate to approximately 8% in the same test environment — still not zero, but operationally manageable.

The lesson here is that correlation is not causation, and the system has to be designed to resist the confirmation-bias dynamic where an operator, presented with a correlation, treats it as proof. Our interface explicitly labels correlations as "supporting evidence" rather than "confirmed linked events" and shows the base rate context — how often a surface-subsurface pair at this site and time-of-day correlates without causal connection. That context is uncomfortable for some operators who want a simpler readout, but it's necessary for the system to be used responsibly.
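
The base-rate problem and the two mitigations can be made concrete with a small added example (not the system's own code). It assumes unrelated surface events arrive as a Poisson process; the access-point names, arrival rates and events are constructed and do not reproduce the 22% and 8% figures above.

```python
import math

def chance_coincidence(events_per_min, window_min):
    """P(at least one unrelated surface event lands in the window),
    assuming surface events arrive as a Poisson process."""
    return 1.0 - math.exp(-events_per_min * window_min)

def correlate(sub, surface_events, plausible_access, window):
    """Surface events at a geometrically plausible access point whose lead
    time over the subsurface detection falls inside the window (minutes)."""
    lo, hi = window
    allowed = plausible_access.get(sub["corridor"], set())
    hits = []
    for s in surface_events:
        delay = (sub["t"] - s["t"]) / 60.0
        if s["access_point"] in allowed and lo <= delay <= hi:
            hits.append((s["id"], delay))
    return hits

def assess(sub, surface_events, plausible_access, window, rate_by_ap):
    """Correlation result plus the base rate the operator needs beside it."""
    allowed = plausible_access.get(sub["corridor"], set())
    rate = sum(rate_by_ap[a] for a in allowed)
    hits = correlate(sub, surface_events, plausible_access, window)
    return {
        "label": "supporting evidence" if hits else "no surface correlation",
        "hits": hits,
        "chance_coincidence": chance_coincidence(rate, window[1] - window[0]),
    }

# Constructed sample data; timestamps are seconds, rates are events/minute.
RATES = {"AP-1": 0.01, "AP-2": 0.20, "AP-3": 0.15}
ALL_APS = {"C-7": set(RATES)}          # no spatial filter
FILTERED = {"C-7": {"AP-1"}}           # only AP-1 reaches corridor C-7
SUB = {"corridor": "C-7", "t": 60000}
SURFACE = [
    {"id": "s1", "access_point": "AP-1", "t": 59400},  # 10 min before
    {"id": "s2", "access_point": "AP-2", "t": 59280},  # 12 min, wrong AP
    {"id": "s3", "access_point": "AP-1", "t": 58200},  # 30 min, too early
]

if __name__ == "__main__":
    print(assess(SUB, SURFACE, ALL_APS, (5, 20), RATES))
    print(assess(SUB, SURFACE, FILTERED, (8, 14), RATES))
```

With every access point eligible and the full 5 to 20 minute window, a coincidental match is almost certain at these rates; restricting to the plausible access point and a narrower window drops the chance-match probability to a few percent while still keeping the one geometrically consistent event.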

Integration architecture with existing ISR feeds

Most of the environments where this capability is operationally relevant already have some form of surface ISR infrastructure — cameras, access-control logs, perimeter sensors. The question is whether our correlation layer can ingest those existing feeds rather than requiring a dedicated surface sensor deployment. The answer is yes in principle, but the practical challenges are significant.

Data format and timestamp standardization is the first hurdle. Existing surveillance systems use a wide variety of data formats, and many of them have inconsistent or poorly calibrated timestamps — which matters enormously for a system that depends on precise temporal relationships. We've built adapters for the most common camera and access-control system formats, but each new integration still requires engineering time to validate timestamp fidelity and handle edge cases.

Classification consistency is the second hurdle. Our correlation engine needs to know whether a surface event involved a person, a vehicle, or an animal — but the existing camera system may be outputting raw video rather than classified events. We've integrated a lightweight on-edge classification layer that can process camera feeds and produce structured event outputs, but this adds latency and requires compute resources at the sensor location.

Despite these hurdles, ISR feed integration is the right long-term architecture. Deploying dedicated surface sensors at every site where we want multi-domain correlation is expensive and operationally slow. The value of the correlation layer scales with the richness of the surface data it can access, which means making integration with existing infrastructure as frictionless as possible is a first-order product priority.

What operators actually do with this information

The honest answer to "does multi-domain correlation improve outcomes?" is: it improves operator confidence and reduces response latency, but only when operators understand what the correlation does and doesn't mean. In our testing, teams that received a two-hour briefing on how the correlation system works and what its error modes look like made significantly better decisions with the data than teams that received only a system overview. The technical capability is not sufficient — the operator model of the system matters.

The most consistent operational benefit we've observed is reduction in "alert fatigue" dismissal. In single-domain underground monitoring, operators at high-activity sites gradually calibrate to a baseline where many alerts are treated as low-probability. When a surface correlation is added to an underground alert, operators consistently re-engage with alerts they would otherwise have downgraded. That re-engagement behavior is the mechanism through which multi-domain correlation reduces miss rates — not through algorithmic improvements alone, but through changing how operators interact with borderline-confidence alerts.