Sequential collaborative detection strategy on ADS-B data attack

doi:10.1016/j.ijcip.2018.11.003

International Journal of Critical Infrastructure Protection

Volume 24, March 2019, Pages 78-99

https://doi.org/10.1016/j.ijcip.2018.11.003 Get rights and content

Abstract

Automatic Dependent Surveillance - Broadcast (ADS-B) surveillance is regarded as the core technology in the next generation air traffic management. Due to the absence of consideration on security, ADS-B data is faced with various challenges on integrity and authentication, especially for ADS-B data attack with high concealment. In this paper, common attack pattern models are analyzed. In terms of sequential ADS-B data, detection methods are designed according to flight and ground station capabilities, which integrate several detection methods, including flight plan validation, single node data detection and group data detection, to generate comprehensive attack probability as reference for judgment on data attack. To improve the positive detection ratio, ground to ground, ground to air and air to air collaborative detections are proposed to enhance each single node detection ability. Experiments conducted on real ADS-B data illustrated that the sequential collaborative detection strategy was efficient on effectiveness and accuracy, especially for random deviation injection attack, constant deviation injection attack and DoS attack.

Introduction

With the increase on flight density and type, difficulties and risks in Air Traffic Management (ATM) are much more severe than before. As the data foundation of the ATM system, air surveillance network is vital on availability and security of the whole system. At present, various surveillance methods, including Primary Surveillance Radar (PSR), Secondary Surveillance Radar (SSR), Wide Area Multilateration (WAM) and Automatic Dependent Surveillance - Broadcast (ADS-B) and so on, are implemented to satisfy the demand of collection, transmission and analysis on flight status data. Specifically, relying on high accuracy, favorable data share and large coverage, ADS-B is becoming the leading surveillance method in the next generation ATM system. As a result, ADS-B is chosen as one of the core technologies in Single European Sky ATM Research (SESAR) and Next Generation Air Transportation System (NEXTGEN) projects. In 2020, ADS-B devices will be equipped under mandatory demands for the majority of countries with developed aviation [1], which will make airplanes qualified to transmit ADS-B signals to construct the surveillance system.

ADS-B surveillance plays a role of data supporter for the majority of key functional subsystems of next generation ATM system [2]. Data asset is the foundation of collaborative decision and intelligent analysis. However, there was no sufficient security consideration on initial ADS-B protocol design [3]. The broadcasted data is absent of data integrity and authentication support, which makes air surveillance network with ADS-B as the main means face with severe security threats. Specifically, with the increase of flight amount and type fast, the scale of flight status data under attacks shows worsening trends. In such a situation, flight status data is vulnerable to be manipulated by various attacks such as data tampering attack, data replay attack and ghost node injection attack. These years it is obvious that the stealth of attacks on ADS-B is reinforced [4], which hinders the surveillance network from sensing and detecting attacks in time to avoid quantitative loss.

Hence, it is necessary to assure security of ADS-B data. ADS-B protocol has been an international standard with RTCA 260B [5], so it is not practical to add extra information or encrypt the whole information [6]. When attacked, air surveillance network should detect the attacks and make efficient responses in time to assure ADS-B data usage within trustworthy scales. Traditional detection methods on ADS-B data attack neglect with full considerations on the temporal and spatial correlations in ADS-B data features when applied to distinguish attack behaviors. As a result, current ADS-B data attack detection is limited on accuracy and efficiency. It is necessary to design efficient detection strategies and deploy reasonable detection systems to accomplish attack detection tasks on ADS-B data. Such a strategy and system will spare more time for defense system to make responses and reduce the influence on data from hidden attacked nodes.

In order to deal with attack detection efficiency and accuracy on ADS-B, we proposed sequential collaborative attack detection strategy. Each flight is regarded as one node with continuous status data and each ground station is regarded as one node with complicated data processing functions. Different detection methods are designed and integrated to improve detection accuracy. Ground station and flight collaborative cooperation are taken into consideration to improve the whole detection system. The main contributions are as following:

•
The analyses of attack detection condition are implemented and common attack patterns are established abstractly.
•
Attack detection strategies are designed for flight node and ground station node respectively. The flight node detections consist of Interaction Multiple Model (IMM) residual validation method. Ground station node detections consist of various detection methods, including flight plan validation, single node detection strategies and group node detection strategies, to accomplish the attack detection. For all detection nodes, the detection probabilities are final references for attack judgements. Considering time relevance and space relevance, detection accuracy is improved.
•
Distributed attack detection system is designed. And ground to ground, ground to air and air to air collaborative detection strategies are proposed to improve the detection performance for flight and ground station nodes.

The rest of paper is organized as follows: Section 2 analyzes the current development of attack detection on ADS-B; Section 3 analyzes the detection condition for attacks and describe common attack pattern models; Section 4 designs the sequential attack detection methods for flight and ground station nodes; Section 5 proposes the distributed detection architecture and collaborative detection strategies; Section 6 implements several experiments to illustrate the accuracy and efficiency of the sequential collaborative detection strategy; Section 7 concludes the advantages and shortages of proposed detection strategy.

Section snippets

ADS-B

ADS-B is the key technology in the next generation surveillance system, which is a dependent cooperative method. The significant feature is the broadcast work scheme. Its transmission flow is as Fig. 1 illustrated.

Global Navigation Satellite System (GNSS) is based on satellite to offer accurate navigation data, which includes flight status information such as longitude, latitude, velocity and so on. Current aircraft receives satellite navigation data by GPS receiver and integrates with

Attack detection condition analysis

When implementing attacks, attackers not only pay attention to how to maximize damages but also consider to enhance concealment. Hence, the detection strategies based on data analysis maybe cannot cover all of attack types [16]. When attackers force the output of systems to mitigate attack features as much as possible, the attacks cannot be detected theoretically [17].

In terms of ADS-B data attacks, the foundation of detection is ADS-B data, which contains current flight status with potential

Sequential data attack detection

Considering the tolerance principles for data processing in air surveillance network, the minority of bad points will not have obvious impacts on air situation sensing. Hence, in terms of the reality of air surveillance network security, some assumptions are put forward before designing surveillance data attack detection strategies.

Collaborative data attack detection

With fast developments of air surveillance, different components in surveillance network are gradually being integrated deeply, interacting tightly with each other. Air surveillance has become the vital data foundation for air surveillance CPS. For air surveillance, only relying on ground or airborne Surveillance Data Processing(SDP) unit to analyze and process data alone, it is difficult to adapt with complex environments to achieve high detection precision. However, if collaborative detection

Dataset

In the experiments, we use ADS-B dataset from OpenSky¹ project [23] as analysis foundation. Analyzing the dataset, it shows that the scale of flights per hour is about 6900 and there exists to be attribute data absence phenomenon on location, velocity and altitude in some degree. During experiment analysis, the missing data records are abandoned directly. Considering the high sampling frequency as 2 times per second, such processing procedure is acceptable [24].

Conclusion

Considering the characteristics of air surveillance and ADS-B data, we design sequential data attack detection strategies. Taking consideration of time correlation and space correlation on data security, we design flight node detection and ground station node detection methods. Adapting to next generation ATM developments, we analyze the collaborative function on different components to strengthen the detection accuracy.

However, the focus of our paper is ADS-B data itself, ignoring PSR, SSR,

References (24)

D. Mccallie, J. Butts, R. Mills, Security analysis of the ads-b implementation in the next generation air...
K. Y. Baek, H. C. Bang, Ads-b based trajectory prediction and conflict detection for air traffic management,...
L. Purton, H. Abbass, S. Alam, Identification of ads-b system vulnerabilities and threats, Special Libraries 38 (1)...
M. R. Manesh, N. Kaabouch, Analysis of vulnerabilities, attacks, countermeasures and overall risk of the automatic...
R. F. SC-186, Minimum Operational Performance Standards (MOPS) for 1090 MHz Extended Squitter Automatic Dependent...
K. D. Wesson, T. E. Humphreys, B. L. Evans, Can cryptography secure next generation air traffic surveillance?, IEEE...
M. Strohmeier, M. Schofer, P. Rui, V. Lenders, I. Martinovic, On perception and reality in wireless air traffic...
B. S. Ali, System specifications for developing an automatic dependent surveillance-broadcast (ads-b) monitoring...
M. Strohmeier, V. Lenders, I. Martinovic, On the security of the automatic dependent surveillance-broadcast protocol,...
M. Strohmeier, V. Lenders, I. Martinovic, Intrusion detection for airborne communication using phy-layer...

D. Jeon, Y. Eun, H. Kim, Estimation fusion with radar and ads-b for air traffic surveillance, International Journal of...

T. Zhang, R. Wu, R. Lai, Z. Zhang, Probability hypothesis density filter for radar systematic bias estimation aided by...

Cited by (18)

TTSAD: TCN-Transformer-SVDD Model for Anomaly Detection in air traffic ADS-B data
2024, Computers and Security
ADS-B (Automatic Dependent Surveillance-Broadcast) is a key technology in the new generation air traffic surveillance system. However, it is vulnerable to various cyber attacks because it broadcasts data in plaintext format and lacks authentication mechanism. Previous research has rarely considered the application scenarios of ATM (Air Traffic Management) in commercial air transport, and there are the problems of low anomaly detection rate and the non-lightweight model. This paper focuses on ADS-B anomaly detection under the background of ATM. We propose the TTSAD (TCN-Transformer-SVDD Model for Anomaly Detection) model, which aims to address the problems of existing ADS-B anomaly detection methods including inadequate considerations of long-term dependencies and distribution characteristic, the non-lightweight model and the poor adaptive threshold. First, ADS-B time series is input into TCN (Temporal Convolutional Network) prediction module which predicts data in an accurate and quick way using causal convolution and dilated convolution. Then, the predicted ADS-B time series is input into Transformer reconstruction module which reconstructs data accurately and quickly based on Self-Attention and Multi-Head Attention mechanism. Finally, the difference values between the reconstructed values and the real values are input into SVDD (Support Vector Data Description) threshold determination module for an optimal threshold. Experimental results show that the TTSAD model can detect ADS-B anomaly data generated from attacks such as altitude slow offset and DOS (Denial of Service). The TTSAD model is superior to other machine learning methods in terms of recall rate, detection rate, accuracy rate, missing detection rate and false alarm rate. Furthermore, compared with other deep learning methods including LSTM, GRU and LSTM-AE, the TTSAD model has a shorter training time and a lightweight characteristic. This approach guarantees the information security of ADS-B, thereby improving the operational security of ATM.
ADS-B anomaly data detection model based on VAE-SVDD
2021, Computers and Security
Citation Excerpt :
Attacks such as jamming and message modification suffered by ADS-B data are discussed, also attack difficulty and severity level are analyzed (Strohmeier et al., 2015a). In our previous work, many types of attacks on ADS-B data were analyzed and modeled (Li and Wang, 2019). It shows that USRP (Universal Software Radio Peripheral) device can be used to implement attacks on ADS-B, which proves the simplicity and feasibility of attacks (Costin and Francillon, 2012; Schafer et al., 2013).
As a key technology of the new generation air traffic surveillance system, ADS-B (Automatic Dependent Surveillance-Broadcast) is vulnerable to cyber security challenges because it lacks data integrity and authentication mechanism. For detecting ADS-B data attacks accurately, an anomaly detection model is proposed which fully considers temporal correlations and distribution characteristics of ADS-B data. First, VAE (Variational AutoEncoder) is used to reconstruct ADS-B data so that the reconstructed values can be obtained. Then, for the sake of solving the adaptive problem of anomaly detection threshold, the difference values between the reconstructed values and the actual values are put into SVDD (Support Vector Data Description) for training, and a hypersphere classifier that can detect ADS-B anomaly data is obtained. In addition, in order to prevent overfitting and underfitting, appropriate reconstructed values are selected which can reduce FPR (False Positive Rate) and FNR (False Negative Rate) of anomaly detection. Experiments show that the VAE-SVDD model can detect ADS-B anomaly data which is generated by attacks such as random position deviation and constant position deviation. Moreover, compared with other machine learning methods, this model is not only more adaptable, but also has a lower FPR and FNR.
Dynamic temporal ADS-B data attack detection based on sHDP-HMM
2020, Computers and Security
Citation Excerpt :
Based on motion laws of flights, the traffic model is set up to validate the collected data (Zhang et al., 2018). Kalman filter is utilized to predict the ADS-B data with one more step (Li and Wang, 2019). Based on the fluctuation of residual error, the attack behaviours are detected.
For the next generation air traffic surveillance, ADS-B is becoming the primary method to obtain more accurate data with wide coverage, which establishes the foundation for automatic and intelligent air traffic management system. However, ADS-B is designed without sufficient security considerations, transmitting with plain text without integrity and authentication validations. Thus, ADS-B data is in face of various attack threats, which may cause disruptions on system availability and reliability. To eliminate effects of attack behaviours, attack detection is in demand to avoid attack data injecting into decision making flow. Based on hidden Markov model with sticky hierarchical Dirichlet process, the dynamic temporal detection method is proposed to detect multiple attack patterns. Taking advantage of multiple attribute data, the dimensions of data are reduced to one dimension to set up feature sequences. With sticky hierarchical Dirichlet process, the parameters are obtained for hidden Markov model dynamically. Utilizing hidden Markov model, the generative model is established to predict hidden states of ADS-B data sequence. By analysing the contextual deviation information on hidden state sequences, the attack behaviours are discriminated to determine the attack data. By experiments on real ADS-B data, the feasibility and accuracy of the proposed method are validated.
Online sequential attack detection for ADS-B data based on hierarchical temporal memory
2019, Computers and Security
Citation Excerpt :
At present, it is not possible to detect various attack patterns effectively for each single detection method. Thus, we proposed the sequential collaborative detection strategy (Li and Wang, 2019) to integrate various detection methods with attack probability to improve the adaptive capability on variety and uncertainty of attack behaviors. However, the aforementioned detection methods on ADS-B data are confronted with several deficiencies: (I) the methods cannot mine the knowledge fully of large scale ADS-B data to support attack detection. (
In the next generation air traffic surveillance, ADS-B is the primary surveillance method to improve situation awareness capabilities. But ADS-B protocol is absent of sufficient security considerations, especially for data integrity and authentication. As a result, attack patterns on ADS-B data are emerging and efficient attack detection strategies are in great demand to enhance data security. To decrease the time delay of detection, enhance accuracy and mitigate the concept drift impacts, the online sequential attack detection strategy based on hierarchical temporal memory are proposed. By applying binary encoding, ADS-B data is transformed into sparse distribution representation with temporal and spatial correlations. The encoded data is push into hierarchical temporal memory and online learning schemes are established for the ADS-B stream data. With the sequential ADS-B data, hierarchical temporal memory is updated and used to generate the deviations between predictions and original values for the corresponding ADS-B data. Designing and applying deviation analysis, sequential analysis and adaptive threshold check, the differences between normal and novelty are magnified and easy to be distinguished. According to experimental analysis, the attack detection strategy is efficient on processing time and accuracy.
Automatic Dependent Surveillance-Broadcast Deceptive Jamming Detection Method Based on Track Data
2024, Journal of Circuits, Systems and Computers
A Look into the Vulnerabilities of Automatic Dependent Surveillance-Broadcast
2023, 2023 IEEE 13th Annual Computing and Communication Workshop and Conference, CCWC 2023

View all citing articles on Scopus

View full text