Security of Unmanned Aerial Vehicles: Dynamic state estimation undercyber-physical attacks

Leonard Petnga§, Huan Xu†

Abstract— The goal of this work is to detect faults andcyber-physical attacks on unmanned aerial vehicles (UAVs)using dynamic state estimation to determine the nature ofsuch vulnerabilities. We develop and introduce a distributedUAV architecture to characterize attacks and their propagation.Central to the distributed control architecture is a supervisorycontroller that relies on active sensing and actioning of control-lable contactors to collect the needed information for systemstate estimation using an adaptive algorithm. Uncertaintyisreduced through adaptive reconfiguration of the system basedon correlation of measurements from sensor readings andprior information on system state. We show that an adaptivegreedy strategy algorithm guarantees theoretical worst-caseperformance for various cyber-physical attack scenarios.Thisis demonstrated by the results of prototype implementationsand simulation on a subgraph of the UAV in the case of a gaincontrol attack.

Index Terms— Unmanned Aerial Vehicle (UAV), Data in-tegrity, Cyber-physical attacks, Cybersecurity.

I. I NTRODUCTION AND MOTIVATION

With the ever-growing use of unmanned aerial vehicles(UAVs) in both military and civilian domains, safety andthe ability to withstand cybersecurity threats is becominga foremost problem. UAVs, as well as other cyber-physicalsystems (e.g., power grid, transportation, etc.) need to bedesigned in a manner that accounts for such attacks. Becausedecisions are based on the state of the cyber-physical system,knowledge gained from data collection and processing arecritical to the success of the UAV mission. Furthermore,the strategic value of information enclosed in military UAVsmake them valuable targets to espionage, thefts, manipulationand attacks of all kinds. Security forces around the worldworry of scenarios in which UAVs are hijacked by remoteattacker(s) and are used against soft and sensitive targets.In recent years, several incidents involving cyber attacksonUAVs are illustrations that this scenario could become realitysoon. In 2009, insurgents in Iraq successfully interceptedanddistributed US military drone video feeds in their network[5]. In September 2011, a “keylogging” virus infected a USmilitary UAV fleet at Creech Air Force Base in Nevada[20], followed three months later by the loss of an RQ-170Sentinel to Iranian forces [14].

These incidents are a stark reminder of the challenges theresearch community and industry face in securing UAVs.When the system is under cyber attack, effective estimation

§Department of Civil and Environmental Engineering, Universityof Maryland, College Park, MD 20742, correspondence:lpetnga@umd.edu

†Department of Aerospace Engineering, University of Maryland, CollegePark, MD 20742

of its state is critical for any successful recovery action ormaneuver. This task proves especially challenging if sensorsare compromised during the attack. Because the state of thesystem is heavily dependent on sensor measurements, theproblem of state estimation from sensor readings is crucialto the safety of the entire system and its mission.

Estimation of UAV state (e.g., position, orientation andvelocity) is an active research topic. A large body of workexists on the development of estimation techniques andmethods for effective navigation in challenging environmentsincluding GPS-denied environments [3], [18], [24], clutteredsurroundings and neighborhoods [11] and windy conditions[15]. These approaches rely on localization algorithms basedon variations and extensions of filters such as the GaussianParticle Filter [3] and the Extended Kalman Filter (EKF)[12], [1] to fuse sensor measurements and maintain accuratestate estimates. Researchers have also investigated and ex-perimented feedback control-based algorithms [2]. However,Langelaan [11] points out that navigation is only one ofmany critical flight tasks. Aviation and communications areequally critical to successful flights and missions. Thus,navigation-based estimation approaches of the state of theUAV are inefficient in capturing the full grasp of the statusof the system, especially when it is under attacks such as theones identified above. In such circumstances, it is importantto have an estimation of the system state that accountsfor the internal state of the components in order to: (1)establish/infer the type and extend of the attack and, (2)provide lead(s) on possible pathway(s) to effective recovery.This extension of the scope of the system state parametersexacerbates the already difficult challenge of optimal sensorplacement in UAVs, especially small ones [23], [19], [8].

Our overall research goal is to provide theoretical guar-antees on the ability to estimate security threats to cyber-physical systems in general, and UAVs in particular. Themain objective of this work is to model and develop asimulation in which an adaptive submodularity-based math-ematical framework can be used to assess cyber threats(both internal and external) to the system. Thus, we aim toobtain state estimates with a limited number of sensors byutilizing software-based dynamic estimation strategies.Weare particularly interested in detecting and localizing faultsin the system as result of attacks and use that informationto establish and characterize cyber-physical threats. To thataim, we build from lessons learned in fault diagnostics [17]and previous applications in aircraft electric control system[13] to discretize continuous flow of data and signal aswell as health statuses of components in the system before

performing state estimation. Although the application areatargets UAVs, the results of this work can be applied tomultiple cyber-physical systems domains.

We limit the scope of this work to the cruising operationalmode, when the command and control of the UAV systemis performed by the autopilot. We investigate and modelthe standalone UAV system as well as security threatsto which it is exposed. The state estimation mathematicalformulation uses a property of set functions called adaptivesubmodularity [4]. Finally, simulation will be conducted toverify the theoretical results.

Fig. 1. High level architecture of a UAV. The system is made ofsixinterconnected subsystems plus the payload (mission dependent). Four ofthem exchange data and information with a complex mix of systems in theenvironment including other UAVs.

II. SYSTEM AND ATTACK MODELING

A. UAV system modeling for threat analysis

For the purpose of this work, we adopt a cyber-physicalperspective of the UAV system. This view is consistentwith the tight coupling and bidirectional interactions betweencyber (command, control, communication) and physical (sen-sors, actuators) components in such systems.

1) High level architecture:For the sake of simplification,we use the UAV airframe as system boundary as shown inFigure 1. Thus, we model the system as an integrated setof five modules/subsystems: (1) Guidance System-GS, (2)Control/Actuation system-CAS , (3) Navigation System-NS,(4) Communication system-CS and (5) Computing and net-work platform-CNP. While the boundaries of these modulesare not always clearly defined in all UAV systems, they arefairly common to the vast majority of UAV models usedin dynamics studies [10], [7] and cyber attack analyses [9],[6]. The presence and configuration of the payload/missionsystem module are dependent on the application and use ofthe UAV. Therefore, they are kept outside of the scope ofthis work. The environment of the system is complex anddiversified with elements including satellite, ground controlsystem and other UAVs.

The inner structure of the modules, shown in the sin-gle line diagram in Figure2, shows the decompositioninto cyber (in white) and physical (in yellow) components

Fig. 2. Simplified single line dataflow diagram of a UAV. The graphshows the decomposition of the main subsystems into components and theirconnections. Cyber components appear in white while physical componentsare in yellow. Buses (e.g.CSB1, GSB1) serve as interfaces betweenmodules while sensors (Si with i ∈ (1, 4)) measure and report the state ofthe components and contactors (Cj with j ∈ (1, 17)) control the flow ofsignal/data in the system.

and the interactions between them within and beyond thegiven module. EntitiesEi, i ∈ (1, 4), NSj , j ∈ (1, 3),CASk, k ∈ (1, 3), GSl, l ∈ (1, 3), CSm, m ∈ (1, 2)respectively make up the setE, NS, CAS, GS, andCSof environment, navigation, control and actuation, guidanceand communication system components. The environment iscomposed of the ground system transceiverE1, other UAVADS-B transceiversE2, the terrain/target/reference pointsE3 and the satelliteE4. All external components (Ei) aremodeled as physical entities while individual subsystemsare hybrid. The navigation system (NS) is composed ofphysical components such as the GPS receiver (NS2) andset of navigation instruments (IMU, magnetometer, etc. )grouped asNS3 and the filter responsible for NS sensorsfusion (NS1) which is a cyber entity. Inside the controland actuation (CAS) module, the main system controller(CAS2) is located between a gain controller (CAS1) andthe set of actuators (CAS3). Similarly, the guidance systemis composed of an ADS-B transceiver (GS1) connected to apath planner (GS2) which reads in guidance sensors feeds(GS3), (e.g., vision and radar). Finally, a simplified viewof the communication system shows the transceiver (CS1)for data exchange with ground systems and communicationprotocols (CS2) as main components.

2) Sensors, contactors and bus positioning:The connec-tions between the components in Figure2 illustrate possibledata exchange paths for the proper operation of the system.We assume the existence (not shown in the figure) of asupervisory controller that tracks the state of the system.Tothat aim, it needs a set of sensors placed at strategic locationsalong the dataflow paths. For the purpose of this research,they are depicted as follows.

Buses serve as the interface between the module orsubsystem and the rest of the system. A bus here (e.g.:CSB1, CASB1) is a connection point for data flows (in andout) for the subsystem components to which it is attached.

Sensorscapture the state of (physical) components in-teracting directly with active entities within the UAV en-vironment. The sensor (e.g.,S1, S2, S3) is positioned atthe port communicating with the UAV cyber component.A sensor can also capture the state of cyber componentsthat could be the source of cyber infections/attacks (e.g.:S4). Sensors for internal feedback control are ignored (notwatched by the supervisory controller). Sensor measurementsare normalized to feed the supervisory controller with thestate of the component as either (0) no data/signal flow, (1)within the acceptable range, or (2) outside the acceptablerange. These measurements are contingent to the sensorbeing itself healthy or unhealthy at the time the readingoccurs.

Contactors are “dataflow breakers” that can be opened orclosed and are mounted on connections between components.Contactors that are controlled (in green) are accessible andactionable by the supervisor. They are either associated withsensors for control of (signal/data) flow to/from controlledcomponents (e. g.:C5, C6, C8, C10) or flows between criticalsubsystem interconnections - 1 per interconnection whenmany exist (e.g.:C13, C14, C16, C17, C18). Uncontrolled con-tactors (e.g.:C7, C9, C12) are not accessible/controlled by thesupervisory controller. In the context of this study, an openuncontrolled contactor can be interpreted as the break of thecommunication link between two components as the resultof an attack or some fault in the system.

B. Simplified threat modeling

Elements and connections along the dataflow are suscepti-ble to attacks. In order to effectively characterize known andfuture attacks on the UAV, we first create a threat modelingframework that makes use of the CPS prospective introducedin sectionII-A while accounting for the types of attacks andtheir propagation mechanisms.

1) Attack modeling and categorization:Researchers havebeen actively developing threat modeling techniques andapproaches [21], [28] and investigating cyber attacks [25]onCPS such as UAVs and automobiles. However, cross domainor cyber-physical threats are equally important, given thepo-tential catastrophic consequences of such attacks [22], [16].Yampolskiy et al. introduce a taxonomy for description ofcross-domain attacks on CPS [26] and a language describingattacks on such systems [27]. We build from these work togenerate a simplified classification of attacks on our UAVas modeled in sectionII-A . Attacks are categorized into fourclasses, independently of their origin as shown in tableI. AnInfluenced elementis the type of the object (source) of theattack while aVictim elementrefers to the type of the objectthat has been influenced by the attack (effect).

2) Attack propagation:In TableI, bothInfluenced elementand Victim elementcan be different, thus, the issue ofpropagation of attack between components arises. Therefore,

we ought to be able to understand and describe mechanismsthrough which cyber and cyber-physical attacks propagatein our system. To that aim, we considerphysical interde-pendenciesbetween components which nicely espouse thefunctional perspective of our modeling approach introducedin sectionII-A . It is also consistent with the system dataflowstructure as per Figure2. Because of their reliance ordependence on implementation details, other possible inter-dependencies (geographic, cyber or logical) were left aside inorder to preserve the result of this work from the side effectsof early design commitments. In the case of a gain schedulingattack, a possible scenario could be as follows. For differentflight modes (take off, landing, and cruising), the autopilotneeds different gains for flight control depending on the UAVstate (mass, altitude, speed, flaps down, etc). For effectivecontrol of the vehicle, the autopilot will require that appro-priate gains been loaded for each flight phase. An attackercan successfully access the UAV control system (most likelyon the ground, before the flight) and override/alterate thepre-computed gains stored in the on-board autopilot. With thegain controller (CAS1) compromised, the controller (CAS2)will also be affected as it relies on corrupted gains totrack the guidance path and stabilize the aircraft for thecorresponding flight mode(s). It now sends inappropriatecommands to actuators (CAS3) thus, affecting the systemdynamics with possible multiple safety consequences. Thisscenario illustrates a situation in which an attack on a cybercomponent propagates to other components through theinterdependency connections and ultimately leads to physicalconsequences. Thus, this is clearly a C2P attack (i.e. ofcategory II). Because of its open architecture, complex andnumerous physical interdependencies, there is almost no endto the list of possible attacks and threats to UAVs. Therefore,there might be multiple branchings to the propagation treeof a given attack. An analysis of vulnerabilities such asfuzzing attack, GPS spoofing or digital update rate attack[9] are some illustrations. This requires a more detailedclassification system which is beyond the scope of this work.

III. M ATHEMATICAL PROBLEM FORMULATION AND

STATE ESTIMATION STRATEGY

A. General problem description

We consider a graphG = (N , E) representing the UAVarchitecture shown in the data flow diagram in Figure2.The various system components - communication (CSi withi ∈ (1, 2)), navigation (NSj with j ∈ (1, 3)), guidance(GSk with k ∈ (1, 3)), control and actuation (CASl withl ∈ (1, 3)) - along with their buses and sensors (Si, i ∈(1, 4)) are elements in the set of nodesN of G. Similarly,contactors (Ci, with i ∈ (1, 17)) and physical connectorsbetween components are elements of the set of edgesE .ContactorsC ⊆ E can either beopenor closed. Entities in theset of communicationM, navigationI, guidanceU , controland actuationA are uncontrollable. We callP the set ofcomponents in the graph i.e.P = M∪I ∪U ∪A, with P ⊂G. The state of components inP can either beunhealthy(i.e., the component is online but outputting data/signal

Category Description Influenced Element Victim Element Example attacksI Cyber over Cyber(C2C) Cyber Cyber Buffer overflow, DoS, man in the middle, etc.II Cyber over Physical(C2P) Cyber Physical Stuxnet, Gain controlIII Physical over Cyber(P2C) Physical Cyber Side-channel attack, Sensor jammingIV Physical over Physical(P2P) Physical Physical Physical tempering, Propagation of C2P, etc.

TABLE I

ATTACK CLASSIFICATION AND CHARACTERIZATION

outside the acceptable operational range),healthy (i.e., thecomponent is online and outputting data/signal within theacceptable operational range), oroffline (i.e., the componentis not online and/or there is no data/signal flow). Thesestates are read by the supervisory controller as introducedinsectionII-A.2. Nodes associated to pure system level sensingfunctionality such asE3, E4 or NS2, NS3, GS3 have onlyoutgoing edges and no incoming edges. All other edges inthe graph are bidirectional.

SensorsS ⊆ N are special nodes in the graphG. Theirreadings are dependent on the status of their components(in P) as well as the one of the contactor located on thelink between the selected pair of components. For a sensorreading to be considered, there needs to be an “active” pathbetween the two nodes of the graph corresponding to thecomponents involved. In other words, the following threeconditions should be satisfied: (1) there exists a simple pathin G that connects the two nodes, (2) no component alongthat path is offline and, (3) all contactors along the pathare closed. Under these conditions, the possible readingsof a sensors ∈ S can be one of the following values (i)unacceptable valueif there is an active path betweens andsomep ∈ P (not offline) which is unhealthy; (ii)acceptablevalueif, for all pi, pj ∈ P , i 6= j that have an active path tos,each pair(pi, pj) along such paths is made of componentsthat are healthy; or (iii)no signal/dataflowif there is noactive path betweens and any componentp ∈ P .

In this framework, the supervisory controller acts as anembedded controller siting on top of the distributing sensingand control architecture. It is the ultimate responsible forthe system dynamic state estimation and it is able to detectfaults and abnormal system behaviors resulting from (cyber-physical) attacks. To that aim, the supervisory controllercontrols a subsetC \ C

′

of contactors (i.e.,C5, C6, C8 andC10 in Figure2).

We express the statex of the system as a valuation ofthe state of individual componentsp ∈ P and uncontrollablecontactorse ∈ C′ ⊆ C. Given the limited amount of sensorsand the presence of uncontrollable contactors in the system,the statex of the system is unknown. Thus, we model itas a random variableX whose values are possible systemstates mapped to sensor readings. We would like to developa fault detection adaptive estimation strategy the supervisorycontroller will use to figure out the discrete state of thesystem for various cyber-physical attack configurations. Theadaptive estimation strategy is performed by the controllerwhich “acts” on the system by opening and closing control-lable contactors, then, reads sensors measurements.

B. Mathematical formulation

We base the mathematical formulation from Golovin andKrause [4]. For further details, we also refer the reader to[13]. What follows is a summary of the mathematical frameof the dynamic state estimation problem.

The set of all system states is defined asΩ while thestateX of the system is modeled as a random variable. Aprobability measureP[x] is built on the setΩ based on datacomponents and reliability levels. The initial state is theun-known statex0 ∈ Ω and it is assumed unchanged during theestimation process. We also assume independence betweenfaults in the system. The rationale behind these assumptionsis that the timescale of the estimation process, by design,is expected to be much smaller than the failure rates of thecomponents and the timescales of other controllers in thesystem.

1) Formulating the optimal estimation strategy:Thereexists a setV of actions v, in the controllable subset ofcontactors, and a setY of measurementsy that can beobserved. For an actionv ∈ V , y = µ(v, x) ∈ (Y ) is theunique outcome of performing actionv if the system is inthe statex. The actionsv0, ..., vt performed, and outcomesy0, ..., yt observed up until stept, are represented by thepartial realizationψt = (vi, yi)i∈0,...,t. At each stept,the probability measureP[x] can be updated by conditioningit on ψt to obtainP[x | ψt].

An effective estimation process should adaptively elimi-nate “invalid” states to get to the actual statex0. We defineD(y, v) with y = µ(v, x0), as the set of statesx ∈ Ω thatare indistinguishable fromx0 under the actionv. Similarly,we introduceSt as the set of states that produce the sameset of outcomesµ(v0, x0), . . . , µ(vt, x0) asx0 under thesame set of actionsv0, . . . , vt.

To represent the uncertainty in the state estimate, wedefine an objective functionf : 2V×Y × Ω → R+ thatmaps the set of actionsA ⊆ V under statex0 to rewardf(A, x0). A strategyπ is a function from partial realizationsto actions such thatπ(ψt) is the actionvt+1 taken byπwhen observingψt. The fault detection controller is assigneda budgetk ≪ |V|, indicating the number of steps withinwhich the estimation process should terminate, starting fromthe initial (unknown) statex0. Then, for i = 1, . . . , k, asequence of decision, measurement and update operations isperformed as part of the estimation process.

With the goal of reducing the uncertainty ofX representedby the probability distributionP[x] through performingk

actions, the following reward function is considered:

f(v0:k, x0) = −P[Sk] = −∑

x∈Sk

P[x]. (1)

Therefore, maximizingf is equivalent to removing as muchprobability mass (uncertainty) as possible fromΩ in k steps.WhenP is uniform,f becomes proportional to the size ofSk.In such situation, maximizingf is equivalent to minimizingthe number of indistinguishable states. Thus, our ultimategoal is to devise the estimation strategyπ∗ that delivers the“best expected estimate” for the state as follows.

π∗ ∈ argmaxπ

E[f(V(π,X), X)], (2)

subject to |V(π, x)| 6 k for all x, and with expectationtaken with respect toP[x]. Here, V(π, x) ⊆ V is the setof all actions performed under the strategyπ; the state ofthe system beingx.

2) Greedy strategy and guarantee of its worst case execu-tion performance :The supervisory controller needs a faultdetection strategy able to plan ahead fork steps. However, inequation (2), the complexity of the optimal strategy scales upexponentially withk. The greedy strategy in [13] solves thisissue while maximizing the one-step expected uncertaintyreduction problem. Recent results in adaptive submodularityare exploited to provide theoretical guarantees for its worst-case execution performance [4]. In brief, the strategy picks,at each step, the action maximizing the expected one-stepgain in uncertainty reduction. At a given stept, it uses theavailable informationψt to compute the probability measureP[x | ψt] on the setSt, using the Bayesian update:

P[x | ψt] =

P[x]P[ψt]

∀ x ∈ St0 elsewhere

(3)

At each stept, the strategy consists of choosing the nextactionvt+1 that maximizes the gain in uncertainty reduction.The value of the functionf in equation (1) is used as measureof uncertainty and the benefit is expressed in terms of itschange as a new actionv is chosen. Thus, in other to realizethe estimation goal, we choose to maximize the mean benefitat each step under the expectation taken with respect to theupdated probability measureP[x | ψt]. This leads to thegreedy strategy :

vt+1 ∈ argmaxv∈V

E[f(v0:t ∪ v, X)− f(v0:t, X) | ψt]. (4)

Given the fact that greedy strategies are known to deliverbad performance arbitrarily, recent results from adaptivesubmodularity research come in handy to provide lowerbounds to their performance. With respect to the issue ofguaranteeing worse case performance for the greedy strategy,a brief overview of those results can be found in the appendixof [13]. As for the conditions to be satisfied by the rewardfunctionf used by the greedy strategy in equation (4), it hasto be adaptive and submodular; both properties demonstratedto be satisfied byf . Therefore, the following result follows.

Theorem 1:For any true statex0 ∈ Ω, the uncertaintyreduction achieved ink steps by the greedy strategy givenin Algorithm 1 is no worse than(1 − 1/e) of what can beachieved ink steps by any other strategy, including the bestpossible strategy [4].

IV. I MPLEMENTATION AND PROTOTYPE SIMULATION

In this section, we illustrate the implementation of the dy-namic state estimator employing the adaptive submodularity-based greedy algorithm on a simplified UAV topology suchas the one introduced in sectionII-A , in the context of cyber-physical attacks.

A. Estimation process

Algorithm 1 Adaptive greedy strategyInput: Probability measureP[x] on Ω, number of actions to per-

form k. The system is in the statex0 ∈ Ω, fixed and unknown,and the controlled contactors are in some configurationv0.

Output: Partial realizationψk and the setSk of compatible statesafter k actions are taken based on the strategyπgreedy

1: Take the measurementy0 = µ(v0, x0).2: ψ0 = (v0, y0)3: for t ∈ 1, . . . , k do4: vt = πgreedy(ψt−1)5: Perform actionvt6: Take the measurementyt = µ(vt, x0)7: ψt = ψt−1 ∪ vt, yt8: St = St−1 ∩D(yt, vt)9: ComputeP[x | ψt] (Bayesian update)

10: end for11: return (ψk, Sk,P[x | ψk])

Algorithm 1 provides a summary of the estimation pro-cess. In other to improve computation efficiency, some stepscan and will be computed offline. As an illustration, weconsider the inverse mapping from sensor measurementsto appropriate component states. In the absence of a closeform expression for the setsD(y, v) of states for the action-measurement pairs(v, y) (where v ∈ V is an action andy ∈ Y is the resulting measurement), its computation willrequire a straighforward but thorough and repeated searchfor paths on the graphG. Thus, the pairs(v, y) are computedoffline, stored in a database, then accessed on the fly at runtime. Also, the estimation framework supports the encodingand integration of assumptions about the components, thesystem architecture and, most importantly the cyber-physicalattacks. Given the focus of this work on the latter aspect,we will assume that an attack has happened on an existingsystem i.e. a UAV. Assumptions reduce the initial of size ofthe state setΩ by eliminating infeasible states.

In order to evaluate the performance of the greedy strategyin estimating the state of the UAV while under attack, wesystematically test the dynamic estimator in Algorithm1on increasingly extensive portions of the dataflow diagramin Figure 2. The selection of the size and boundaries ofthe subgraph to consider will remain consistent with thefindings in sectionII-B.2 on attack propagations. For bothsimplification and experimentation purpose, we assume a

uniform probability distribution overΩ. Thus, the size ofthe feasible set is reduced to the reward functionf (see Eq.(1)).

Increasingly stringent constraints on weight, wingspans(volume) and cost - especially on small UAVs - force de-signers and systems engineers to limit the number of sensorsonboard. In such situations, it is virtually impossible forthesupervisory controller to guaranty a determinate, uncertainty-free assessment of the state of the system. We check theperformance of the greedy strategy implemented by thesupervisory controller against a brute force strategy, whichexhaustively and systematically tries every single authorizedaction v ∈ V . Despite its obvious advantage of gatheringand providing more information than the greedy strategy,the brute force strategy is impractical as the size ofV i.e.|V| can be very big. However, it can serve as performancebenchmark to the greedy strategy. For the rest of this paper,we perform the test methodology described in Algorithm2.

Algorithm 2 Simplified test methodologyInput: Initial configuration of the controlled contactorsv0 ∈ V

1: for x0 ∈ Ω do2: Set the graph in the statex0

3: Put the controlled contactors in the configurationv4: Run the strategy tested (Greedy or brute force strategy)5: Record the computation time and the value off at the end

for statistics.6: end for

B. Simulations on a UAV subgraph

1) Simulation set up:We consider the subgraph compris-ing the UAV communication system (CS) and control andactuation system (CAS) as delimited by the yellow dashedbox in Figure2. The subgraph is made of 8 nodes (compo-nents) including, 1 external component (E1), 2 communica-tion components (CS1, CS2) , 3 control and actuation com-ponents (CAS1, CAS2, CAS3), 2 buses (CSB1, CASB1)and 7 contactors (C1, C5, C11, C10, C18, CB1, CB5). Amongthe contactors, 3 (C5, C10, C18) are controlled by the super-visory controller. All sensors are assumed to be healthy (state= “h” ), i.e., they properly capture and represent the state ofthe component/flow they are sensing/measuring. We use thegain control attack described in sectionII-B.2 as the baselinefor our experiments. For the sake of simplification, we willassume that the ground system transceiver (E1) is healthy.Therefore, the configurations in tableII are considered andencoded during simulation as assumptions on the subgraphof interest whenever needed for this attack (category II).

2) Simulation results: Simulation platform.Our systemspecifications are as follows:Intelr CoreTM i5-1600M 64bits CPU2.5 GHz, 8.00 Gb RAM. The code is written inPython. Both brute force and greedy strategies were run onthe very same platform for the configurations identified intableII . On this particular example, there are three controlledcontactors. Therefore, the brute force strategy performs|V| =23 = 8 actions.

Fig. 3. Histogram of the size of the search space. The latter reducesdrastically as assumptions on faults pile up. Also, the performance of boththe brute force and greedy strategies is the same when the greedy strategyis executed with a horizon length ofk = 6.

Size of the state-space.Figure 3 shows the histogram ofthe size of the search space for the configurations identifiedin tableII . It appears that the size of the search space, takinginto account the assumptions on faults, reduces drastically asassumptions pile up. It drops 99%, from the initial 93,000states under “none” configuration to less than 1,200 statesunder “fgca” configuration. Also, the performance of bothstrategies is the same when the greedy strategy is executedwith a horizon length ofk = 6. Specifically, for a givenattack, the value of the objective functionf at the end ofthe 6 steps using the greedy strategy is the same as after thebrute force strategy with 8 steps.

Average execution time.For this experiment, we select the“sgca” and “fgca” configurations and summarize in Figure4(a) and 4(b) the average execution time for the greedystrategy. Under suspected gain control attack assumption,in 80% of cases, it takes less than 80 ms to computethe next best action to perform using the greedy strategyagainst 73% of cases and just 6 ms for the full gain con-trol attack configuration. Overall, the graph shows that thegreedy strategy is very fast. However, the offline computationtakes significantly more time under the “sgca” configuration(7min 30s) than under the “fgca” configuration (8s). Thisdiscrepancy can be explained by the relative low size of thesearch space under “fgca” configuration (1%) as opposed tothe “sgca” configuration (6%) with respect to the full spaceas shown in Figure3.

Final value of the reward functionf . Figure5 shows theperformance comparison between greedy and brute forcestrategies. It appears that the greedy strategy performs aswell as our benchmark i.e. the brute force strategy. For apoint at coordinates(a, b) in the graphic, ina% of the cases,there areb or fewer states that can’t be distinguished after thegiven strategy runs its normal course of action. The numberof indistinguishable states under a specific attack assumptionremains unchanged. However, it increases as assumptions areprogressively relaxed. Overall, the greedy strategy matchesthe performance of the brute force strategy. After thek = 6steps, the search state is reduced to only 4.2% of its initial

Configuration Description Assumptions encoded“none” or “unknown” No specific attack assumed None i.e. no assumption on infected component. The full state space is used

“gcd” Gain controller down Only the gain controller (CAS1) is infected“sgca” Suspected gain controller attack The gain controller (CAS1) andthe controller (CAS2) or the actuator (CAS3) are infected.“fgca” Full gain controller attack All CAS components i.e. the gain controller (CAS1, the controller (CAS2) and the actuator

(CAS3) are infected.

TABLE II

ATTACK ASSUMPTIONS AND CONFIGURATIONS ENCODING FOR SIMULATION.

(a) Execution time-“sgca”.

(b) Execution time-“fgca”.

Fig. 4. Average execution time for various attack configurations. Undersuspected gain controller attack or “sgca” configuration, it takes less than80 ms in 80% of cases to compute the next best action to performusing thegreedy strategy against just 6 ms in 73% of cases for the full gain controlattack or “fgca” configuration.

size by the greedy strategy in all configurations except in thefirst one (i.e. “none”) where it performs even better with areduction to just 1.4% of the initial size.

V. D ISCUSSION

The complexity of the dataflow diagram can grow expo-nentially with the number of components and connectionsbetween them. Solving the dynamic state estimation problemon the resulting graph for such complex architectures canbe very computationally and time expensive. Thus, we needstrategies to simplify the graph by reducing its size. When-ever it is possible, clustering certain components togetherinto metacomponentsis a possible solution. However, this

Fig. 5. Performance comparison between greedy and brute force strategies.The greedy strategy performs as well as the benchmark i.e. the brute forcestrategy. The number of indistinguishable states under a specific attackassumption remains unchanged. However, it increases as assumptions areprogressively relaxed.

approach should preserve the quality of the state estimationprocess. Specifically, the reduction of the complexity of thediagram can be achieved by abstracting away connectionsbetween two uncontrolled components that do not have anysensor on their internal connecting port. In this case, someof the individual states of the components may becomeindistinguishable from what can be measured with the avail-able sensors. The global behavior of these metacomponentswill be similar to the one of a single basic component.Therefore, estimating the states of individual componentswill require first, the estimation of the state of the metacom-ponent then, its mapping to possible states of correspondingbasic components. Thus, one needs to make the necessaryadjustments when running state estimation algorithms on thereduced graph in order to guarantee lossless abstraction inthe transformations.

Simulations have shown that the greedy strategy performswell with respect to all the metrics considered and incomparison to the brute force strategy. However, real-worldproblems are bigger, more complex and require extensivecomputation resources (memory and space on the disk).Model reduction mechanisms like the one just describedmight not be good enough to keep the computation loadin check. As an illustration, we have tried to implementthe full graph in Figure2 in order to support the analysisof other attacks such as the GPS spoofing and the digitalupdate rate attacks. It didn’t work out well as we quicklyran out of memory, even under the most stringent set of

assumptions. Thus, we should consider coupling losslessabstraction mechanisms to sensors repositioning strategyin order to successfully scale up this approach to largerarchitectures.

Also, we need to stress the trade-off existing betweenthe number of sensors available and the complexity of theestimation process. More sensors allows a better estimationby reducing the uncertainty on the state, but also generatesa growing complexity resulting in the increase of the com-putation time. Moreover, more sensors leads to more weightand less (mission) payload for the UAV.

VI. CONCLUSION AND FUTURE WORK

In this work, we investigate cyber-physical attacks onUAVs and the use of a greedy strategy for dynamic stateestimation to characterize such vulnerabilities. A simplifiedand generic UAV architecture accounting for internal signal-s/dataflows is introduced and used to support both attackscharacterization and propagation and algorithm implemen-tation and testing. Sensors positioning for effective systemstate estimation is considered. The algorithm guarantees the-oretical worst-case performance for various cyber-physicalattack scenarios. Moreover, it performs as well as the bruteforce strategy as demonstrated by the results of prototypeimplementations and simulation on a subgraph of the UAVin the case of gain control attacks. The estimation processgenerates either the set of all observable states or, whenapplicable, the unique feasible state of the system.

As preliminary results have shown, there is a need togo beyond the reliance on a simple taxonomy to betterunderstand and tackle the complexity of the propagationmechanisms of attacks and handle them in attack models.Thus, future work should look at candidate formal, UML-based languages to capture those complex interactions andattack models as a whole in a systematic way. There is alsoa need to formulate and integrate safety requirements in theestimation process. One illustrative issue is the ability togain insight into the algorithm performance bounds undertime-constrained changes of actions. We believe the actualsupport of our framework for assumptions is a way forward.The ability to eliminate unsafe actions from the initial setcan be encoded in a similar way. Finally, the number andlocation of sensors in the system topology are architectureand application-dependent. Integrating sensors placementstudies and analysis in the system design loop will provide anoptimal solution to this problem thus, ultimately amelioratethe performance of the system state estimation process.

ACKNOWLEDGEMENT

This work was supported in part by MITRE Corporation.

REFERENCES

[1] J. D. Barton. Fundamentals of small unmanned aircraft flight.Technical Digest, 31(2):132–149, 2012.

[2] J. D. Barton. Suas code: Uav state estimation examples. 2012.[3] A. Bry, A. Bachrach, and N. Roy. State estimation for aggressive flight

in gps-denied environments using onboard sensing. IEEE InternationalConference on Robotics and Automation (ICRA), 2012.

[4] Krause A. Golovin, D. Adaptive submodularity: Theory and appli-cations in active learning and stochastic optimization.Journal ofArtificial Intelligence Research, pages 427–486, 2011.

[5] S. Gorman, Y. Dreazen, and A. Cole. Insurgents hack u.s.drones. http://www.wsj.com/articles/SB126102247889095011, Re-trieved 25 January 2016, 2009.

[6] K. Hartmann and C. Steup. The vulnerability of uavs to cyber attacks- an approach to the risk assessment. 5th International Conference onCyber Conflict, 2013.

[7] J. B. Hstmark. Modelling simulation and control of fixed-wing uav:Cyberswan. MS Thesis, Engineering and Cybernetics, NorwegianUniversity of Science and Technology, Trondheim, Norway, 2007.

[8] N. Kandasamy, F. A. Aloul, and T. J. Koo. Sensor selectionandplacement for failure diagnosis in networked aerial robots. IEEE In-ternational Conference on Robotics and Automation Orlando, Florida,USA, 2006.

[9] A. Kim, B. Wampler, J. Goppert, and I. Hwang. Cyber attackvul-nerabilities analysis for unmanned aerial vehicles. Infotech aerospace,Garden Grove, CA, USA, 2012.

[10] R. Klenke. Development of a novel, two-processor architecture fora small uav autopilot system. Virginia Commonwealth University,School Of Engineering, Electrical Engineering, Richmond,VA, 2006.

[11] J. Langelaan. State estimation for autonomous flight inclutteredenvironments. PhD Dissertation, Department of Aeronautics andAstronautics, Stanford University, Stanford, CA 94305, 2006.

[12] T. Magnusson. State estimation of uav using extended kalmanfilter. MS Thesis, Department of Electrical Engineering, LinkopingsUniversity, Sweeden, 2013.

[13] Q. Maillet, H. Xu, N. Ozay, and R. M. Murray. Dynamic stateestimation in distributed aircraft electric control systems via adaptivesubmodularity. IIEEE Conference on Decision and Control, Florence,Italy, 2013.

[14] S. Peterson and P. Faramarzi. Exclusive: Iran hijackedu.s. drone, saysiranian engineer. csmonitor.com, Retrieved 25 January 2016, 2011.

[15] D. Poorman. State estimation for autopilot control of small unmannedaerial vehicles in windy conditions. MS Thesis, DepartmentofAerospace Engineering Sciences, University of Colorado, CO, USA,2014.

[16] G. Raz. Hacking drones and the dangers it presents.http://www.npr.org/2012/07/08/156459939/hacking-drones-and-the-dangers-it-presents, Retrieved 25 January 2016, 2012.

[17] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D.C.Teneketzis. Failure diagnosis using discrete-event models. ControlSystems Technology, IEEE Transactions on, 4(2):105–124, 1996.

[18] S. Saripalli. State estimation for aggressive flight ingps-deniedenvironments using onboard sensing. International Conference onEnvironmental and Agriculture Engineering (ICEAE 2009), 2009.

[19] H. Semke, K. J. J. Lemler, and M. Thapa. An experimental modalchannel reduction procedure using a pareto chart.Topics in ModalAnalysis II, 8:101–110, 2014.

[20] N. Shachtman. Computer virus hits u.s. drone fleet.http://www.wired.com/2011/10/virus-hits-drone-fleet/, Retrieved25 January 2016, 2011.

[21] C. Vestlund. Threat analysis on vehicle computer systems. MSThesis, Department of Computer and Information Science, LinkopingUniversity, Linkoping, Sweeden, 2010.

[22] J. Villasenor. Cyber-physical attacks and dronestrikes: The next homeland security threat.http://www.brookings.edu/research/papers/2011/07/05-drones-villasenor, Retrieved 25 January 2016, 2011.

[23] M. Vitus and C. Tomlin. Sensor placement for improved roboticnavigation. Robotics: Science and Systems VI, 2010.

[24] D. Wu, E. Johnson, M. Kaess, F. Dellaert, and G. Chowdhary.Autonomous flight in gps-denied environments using monocular visionand inertial sensors. American Institute of Aeronautics and Astronau-tics, 2013.

[25] M. Yampolskiy, P. Horvath, X. D. Koutsoukos, Y. Xue, andJ. Szti-panovits. Systematic analysis of cyber-attacks on cps evaluatingapplicability of dfd-based approach. pages 55 – 62. 5th InternationalSymposium on Resilient Control Systems (ISRCS), Salt Lake city,UT, USA, 2012.

[26] M. Yampolskiy, P. Horvath, X. D. Koutsoukos, Y. Xue, andJ. Szti-panovits. Taxonomy for description of cross-domain attacks on cps.HiCoNS ’13 Proceedings of the 2nd ACM international conference onHigh confidence networked systems, 2013.

[27] M. Yampolskiy, P. Horvath, X. D. Koutsoukos, Y. Xue, andJ. Szti-panovits. A language for describing attacks on cyber-physical systems.International Journal of Critical Infrastructure Protection, 8:40–52,2015.

[28] J. Zalewski, S. Drager, W. McKeever, and A. J. Kornecki.Threatmodeling for security assessment in cyber-physical systems. CSI-IRW’2012, ACM 978-1-4503-1687-3/12/10, Oak Ridge, Tenn.,USA,2013.