J Intell Robot Syst (2016) 84:107–120
DOI 10.1007/s10846-015-0284-1
Unmanned Aerial Vehicle Security Using Recursive
Parameter Estimation
Zachary Birnbaum · Andrey Dolgikh ·
Victor Skormin · Edward O’Brien ·
Daniel Muller · Christina Stracquodaine
Received: 11 December 2014 / Accepted: 28 September 2015 / Published online: 20 October 2015
© Springer Science+Business Media Dordrecht 2015
Abstract The proliferation of Unmanned Aerial
Vehicles (UAVs) brings about many new security con-
cerns. A common concern with UAV security is for
an intruder to take control of a UAV, which leads
for a need for a real time anomaly detection system.
This research resulted in a prototype UAV monitor-
ing system that captures flight data, and then performs
real time estimation and tracking of the airframe and
controller parameters. The aforementioned is done
by utilizing the Recursive Least Squares Method
(RLSM). Using statistical validation and trend analy-
sis, parameter estimates are critical for the detection
Z. Birnbaum · A. Dolgikh · V. Skormin ·
E. O’Brien () · D. Muller · C. Stracquodaine
Electrical and Computer Engineering, Binghamton
University Binghamton, NY, USA
e-mail: eobrien8@binghamton.edu
Z. Birnbaum
e-mail: zbrinba1@binghamton.edu
A. Dolgikh
e-mail: adolgik1@binghamton.edu
V. Skormin
e-mail: vskromin@binghamton.edu
D. Muller
e-mail: dmuller5@binghamton.edu
C. Stracquodaine
e-mail: cstracq2@binghamton.edu
of cyber attacks and incipient hardware failures that
can invariably jeopardize mission success. The results
demonstrate that achieving efficient anomaly detec-
tion during flight is possible through the application
of statistical methods to profile system behavior. The
anomaly detection system that was designed can be
performed in real time while the UAV is in flight,
constantly verifying its parameters.
Keywords Unmanned aerial vehicle · Security ·
Parameter estimation · Safety
1 Introduction
Unmanned Aerial Vehicles (UAVs) are aircrafts with-
out a human pilot aboard. They are commonly used
for military operations but are increasing their role
in a number of civil applications [1]. The number of
UAVs has increased drastically over the years. Since
2011, the number of countries which are involved with
UAV production has increased by 30 %, model vari-
eties of UAVs rose by 20 %, and military applications
rose by 40 % [2]. UAVs are an ever-increasing devel-
opment since they are able to perform tasks without
human casualty. Researchers in many difference dis-
ciplines are constantly trying to find new ways to use
UAVs [3]. There are many ways which UAVs may be
108
used in today’s society, such as search and rescue, law
enforcement, firefighting, weather forecasting, and
communications [4].
The widespread use of UAVs brings about an abun-
dance of security concerns. One major concern is for
the UAV’s sensing and avoidance capabilities; this is
an area in which improved flight reliability is greatly
needed and is in development [5]. Another major con-
cern is the data integrity and health monitoring of a
UAV, which could prevent a UAV from falling from
the sky, flying to an unauthorized location, or having
its mission monitored by an intruder [6, 7].
In this paper a system for health monitoring and
security evaluation of UAVs is put forth. This sys-
tem is able to operate in real time and can accurately
estimate the UAV control laws and airframe param-
eters. This system can detect immediate changes in
the critical UAV parameters due to a cyber attack or a
hardware failure.
2 Threat Model
We propose UAV threat modes as the following:
Malicious Hardware is a threat in which part of the
UAV’s hardware has been tampered with so that it will
behave in a way which is not specified by its design-
ers. This is a recent attack method which assumes
that the hardware was tampered with to accomplish a
specific goal, ranging from failing under a certain set
of conditions, to the exfiltration of data. One recent
example of this type of attack happened when more
than one hundred thousand computers were bugged
with monitoring devices to conduct surveillance [10].
Hardware Failure is when there is a malfunction in
either the UAV’s mechanical or electronic system,
which leads to an inability of the UAV to complete
its mission. This can occur for many reasons such as
battlefield damage, general wear, and environmental
factors. It is extremely important that in the event of a
hardware failure, any damage that is done to the UAV
is minimized. This safeguarding is possible by utiliz-
ing existing adaptive control algorithms [8, 9]. In the
event of hardware failure, the UAV should take action
accordingly.
J Intell Robot Syst (2016) 84:107–120
An attack against the Flight Control Com-
puter could result in the adulteration of flight con-
trol laws by jeopardizing communication onboard
the UAV, and could result in the change of mis-
sion parameters. An appropriate defense against this
type of attack can be determined by the specifics
of the onboard hardware and software. This may
include real-time estimation of the controller status
and the flight plan based on the available sensor
data.
An attack against the Navigation Sensors could
result in a loss of positional information or in the
receiving of modified or misleading feedback infor-
mation. An example of this would be the onboard
GPS sensors being attacked with various spoofing
techniques as evidenced by Shepard et al. in [11].
Attacks against the Communications Channel on
the UAV could result in a loss of communication with
the ground control station, or in malicious commands
being sent to and accepted by the UAVs. Current
UAVs used by the U.S. military accept only encrypted
commands, making this a difficult attack method
for military drones. However, most civilian UAVs
use unencrypted communication links which make
sending false and malicious data a viable possibility
[12].
Attacks against the Ground Control Station
(GCS) are against a computer running dedicated soft-
ware to control and communicate with the UAV. A
successful attack would enable an attacker to send
erroneous or malicious commands to the UAV. This
is the most difficult attack method to detect from
the UAV because the UAV has no way to ver-
ify if the GCS has been compromised. Although
it is possible to implement multiple ground station
authentication techniques, many civilian UAVs and
ground control systems do not support this scheme
[13, 14].
3 Contributions
This paper focuses on addressing the first three types
of attacks: hardware failure, malicious hardware,
and attacks against the flight control computer. Our
approach is the development of a system that monitors
UAV behavior and detects the aforementioned attacks.
J Intell Robot Syst (2016) 84:107–120 109

This system utilizes the following technologies:
• Automatic detection of changes in UAV airframe
dynamics indicative of mechanical degradation
• Automatic detection of changes in UAV flight
control law indicative of cyber attacks
• Real time anomaly detection system which
detects deviations in UAV parameters
step t, t = kt, and y(t), V (t) turn into y(k),
V (k).
To adopt this method for our needs, we define the
input vector as a concatenation of vectors containing
system inputs and outputs
V (k) = [u1 (k) u2 (k) , . . . um (k) , x1 (k) x2 (k) , . . . xn (k)]T
(1)

where
4 Approach
k = 1, 2, . . . N is the discrete-time index,
Our approach relies on the ability to identify and ui (k) − i-th input i ∈ 1..m
track flight dynamics of the UAV. We use the Recur- xj (k) − j-th output j ∈ 1..n
sive Least Squares (RLS) method to identify imme-
diate values of system parameters and detect devi- For our flight model, we can choose to monitor
ations from their nominal values. Since the change all available flight data including roll, pitch, yaw,
of the flight dynamics is usually caused by incipient elevator, throttle, rudder, aileron, and GPS location.
mechanical failures or ice buildup, we can use the RLS The N-th step of RLS procedure is outlined in
method to identify these conditions. Fig. 1.
In a similar way, flight controller parameters may where:
change unexpectedly from cyber attack, software
bugs, or electronics failure. By monitoring flight con-
A0 represents the initial values of the estimated
troller parameters, we can detect if the controller
parameters (nominal parameter values are uti-
behaves according to the design specifications.
lized).
P0 is the covariance matrix of vector V (t)
4.1 Recursive Least Squares
I is the identity matrix
KN represents the Kalman Gain
This method offers a recursive modification of the
Least Squares procedure ideal for real-time estimation
In the following sections, we will show how the
and tracking of system parameters based on continual
RLS method can be applied to UAV parameter estima-
measurements of relevant input/output signals.
tion. We present the application of RLS to state space
The RLS method is well described in [15]. The
parameter estimation and as an aspect of our anomaly
RLS procedure is a numerically efficient algorithm
detection system.
that enables estimation and tracking of the parame-
ters A of a linear equation y (t) = V (t) A, where
y(t) represents the output variable and V (t) is the vec-
tor of input variables. At each time step, separated by
a constant t, the procedure acquires two new mea-
surements, y (t) and V (t), and updates the previously
obtained parameter estimation Â(t − 1), i.e. computes
Â(t). With reasonable initial conditions and enough
samples, the sequence of parameter estimates, Â(t),
t =1,2,3,... will eventually converge to the “true”
parameter values ATRUE . A finite-memory version of
the RLS procedure allows for tracking time-dependent
parameters ATRUE (t). Note that for a constant time Fig. 1 Recursive least squares procedure implementation
110 J Intell Robot Syst (2016) 84:107–120

4.2 State Space Parameter Estimation Y (t) = CX(t) (5)

A dynamic system, such as an UAV, can be described

in the matrix-vector format [16]. The following consti- U (t) = R(t) − F X(t) (6)
tutes an open-loop system description that represents
where:
the propertied of the airframe (no feedback controller
in the loop). F is a matrix containing the parameters of the state-
X(t + 1) = QX(t) + BU (t) (2) variable controller,
R is the reference signal for the control loop, con-
sistent with desired flight path or aircraft position,
Y (t) = CX(t) (3)
The fundamental matrix for the closed-loop system
where:
in that case can be written as:
t = 1,2,3,... is discrete time index,
QCL = Q − BF (7)
X (t) = [x1 (t) x2 (t) x3 (t) . . . xm (t)]T represents
the state vector of the system comprising m state Using the RLS method enables us to estimate matrix
variables, Q and matrix B of the airframe, matrix QCL and
Y (t) = [y1 (t) y2 (t) y3 (t) . . . yn (t)]T represents finally matrix F of the state-variable controller.
the output vector of the system, Consider j -th state Eq. 2:
U (t) = [u1 (t) u2 (t) u3 (t) . . . uk (t)]T represents m k
an input vector containing control efforts and exter- xj (t + 1) = qj i xi (t) + bj i ui (t),
i=1 i=1
nal forcing functions.
assume
Q is a m × m matrix and is known as the fun-
damental matrix of the system, representing system y(N ) = xj (t + 1),
inertia and interactions between particular state vari- V (N ) = [x1 (t), x2 (t), . . . , xm (t), u1 (t), u2 (t), . . . , uk (t)]T ,
ables. In our case, matrix Q represents the unique A = [qj 1 , qj 2 , . . . , qj m , bj 1 , bj 2 , . . . , bj k ]T
dynamic properties of the airframe reflecting its iner-
tia and interaction with the environment. Matrix B
has dimension m × k and describes the effect of forc- Now, Fig. 1 explains how the row number j of
ing functions on individual state equations. One can the matrix Q of the open-loop system could be esti-
realize that such factors as ice buildup, mechanical mated. This procedure, repeatedly utilized for every
failures, and battlefield damage can be detected and j =1,2,..,m would result in the estimates Q(N) and
assessed in flight only by the estimation of matrix Q B(N) at the every step of the RLS procedure.
and matrix B of the airframe. A similar approach is applied for the estimation
C is a n × m matrix providing the definition of the of the fundamental matrix of the closed-loop system,
system’s output variables through the state variables. QCL . Indeed, assume
In our system we assume that n = m and matrix C is
an identity matrix of n × n. y(N ) = xj (t + 1),
While Eqs. 2, 3 represent of the UAV airframe, V (N ) = [x1 (t), x2 (t), . . . , xm (t), r1 (t), r2 (t), . . . , rk (t)]T ,
a complete description of UAV dynamics includes a
1 , qj 2 , . . . , qj m , bj 1 , bj 2 , . . . , bj k ]
A = [qjCL CL CL T
controller capable of automatically stabilized flight
that follows waypoints and avoids obstacles. This state
space description is referred to as the closed-loop where
system as there is a feedback controller in the loop.
The matrix vector description of the controlled air- ri (t), i=1, 2,. . . are components of the vector R(t),
frame and its state variable feedback controller can be qijCL are appropriate elements of matrix QCL ,
written as follows:
then every N-th step of the RLS procedure results in
X(t + 1) = QX(t) + BU (t) (4) estimated matrix QCL (N).Thus while an estimated
J Intell Robot Syst (2016) 84:107–120
Q(N) also exists, matrix F of the state-variable con-
troller could be also estimated as
 
F (N) = B(N)−1 Q(N) − QCL (N) (8)
This result is based on a realistic assumption that
the number of reference signals ri (t) is equal to the
number of state variables xi (t) and B is a square non-
singular matrix. It should be noted that Eq. 8 does
not represent the solution of the controller design
problem, but instead it is an attempt to deduct the con-
troller parameter values from the observed behavior
of the UAV. This task facilitates the detection of sig-
nificant discrepancies between the actual and nominal
parameter values that could be attributed to a cyber
attack.
4.3 Statistical Significance
The application of the RLS procedure to flight data
yields a sequence of parameter estimates that fluctu-
ate with time due to measurement noise and a number
of unaccounted factors. These estimates are randomly
distributed around some unknown “true” values that
represent the immediate status of the UAV. Our effort
is aimed at the detection and validation of the devia-
tions between the immediate (estimated) and nominal
parameter values known to UAV designers.
First, recall that for all practical purposes, after a
sufficient number of steps, RLS estimation becomes
equivalent to Least Squares estimation, and as such
results in a minimum variance unbiased estimates of
unknown parameters. The “true” value of the esti-
mated parameter, ρ T RU E , is defined as the mean value
of the obtained estimates, ρ (t), t = 1, 2, 3, . . . . .
The distance between an RLS estimate of unknown
parameter aj (N) and its “true” value ajT RU E assum-
ing that N>>1 can be characterized as:
  
 
aj (N) − ajT RU E  ≤ t (α, ∞)SE Kjj = j (α) (9)
where:
t (α, ∞) is Student distribution defined for the cho-
sen level of significance α and infinite number of
degrees of freedom,
SE is standard deviation of the modeling error
E(N) = y(N) − A(N)T V (N)
111
and Kjj is the j -th diagonal element of the covari-
ance matrix of the “input” vector V (t).
One can conclude that a deviation between a nomi-
nal value of a system parameter ajNOM and its immedi-
ate value represented by estimate aj (N)is statistically
significant, and as such manifests an anomaly, if
 
 
aj (N) − ajNOM  ≥ j (α) (10)
In other words, the occurrence of condition (10) can
be interpreted as an indicator of a systematic change
to the monitored parameters, caused by a cyber attack
or physical changes in the airframe. The confidence
level of such a conclusion is (1-2α).
This method can be used to design an anomaly
detection system. This system monitors the UAV’s
parameters and when there is a significant deviation it
is able to detect and take appropriate actions immedi-
ately. This is done by taking a sliding window of the
data and analyzing it using RLSM and comparing the
difference between the normal flight and the current
flight data.
5 Implementation
5.1 Hardware Health Monitor
We propose to embed within the UAV a hardware
health monitoring system, shown in Fig. 2, capable
of detecting various types of cyber attacks as well
as hardware failures. The monitoring system will be
responsible for ensuring safe flight and completion of
the flight mission
The Health Monitor will take all available UAV
data including sensor data, control surface positions,
and other control efforts to determine UAV health,
Health
Sensors
Monitoring
Controller UAV
or operator actuators
Fig. 2 Hardware health monitoring system
112
which will be placed into one of the following cate-
gories:
• UAV operating normally
• UAV hardware failure
• UAV controller failure
The UAV health state can be determined by the
implementation of the described approach to find sta-
tistically significant deviations from nominal UAV
hardware and control parameters. If a significant devi-
ation is detected, the failsafe procedures are executed.
The failsafe protocol may depend on the severity of
the detected failure, e.g. the UAV may attempt to
return back home or to execute an emergency landing.
6 Experiments
For experimental verification of our approach, we
chose to use the ArduPlane platform. ArduPlane is
an open source plane autopilot system developed by
the DIY Drones community, and is flashed onboard
an Arduino micro controller board. The ArduPlane
open source platform is ideal for experimentation as
it allows for the modification of source code and the
uploading of custom firmware to the pilot. ArduPlane
is able to connect to any GCS which supports the
MAVlink protocol. This allowed us to run fully script-
able missions in addition to real-time waypoint control
and constant two-way communication to monitor the
flight.
6.1 Data Collection
We chose to use a Hardware in the Loop (HIL) setup
to run our experiments in the configuration displayed
in Fig. 3.
Analysis
Flight Gear ArduPilot
Engine
Ground
Control MAV Proxy Log Parser
Station
Fig. 3 Simulation setup
J Intell Robot Syst (2016) 84:107–120
Flight Gear, an open source flight simulator pro-
vides all flight data, including location, wind, and air
pressure to the ground control station, which in turn
relays it to MAV Proxy. MAV Proxy then sends this
data to the ArduPilot, which generates control surface
responses to maintain flight according to the plan gen-
erated by the GCS. The ArduPilot was configured to
report all measured or controlled variables during the
flight. This data is forwarded by MAV Proxy to the
Log Parser and Analysis Engine. This arrangement
allowed us to gather the necessary data for our experi-
ments such as roll, pitch, and yaw, as well as the servo
motor control efforts such as aileron, ruder, elevator,
and throttle.
When running a flight simulation, environmental
variables such as flight location, wind, time of day,
and atmospheric pressure can affect collected mea-
surements. Therefore, environment can also affect
estimated parameters by introducing systemic errors.
To keep the effect of the environmental conditions
on our experiments minimal, we ran all experiments
under the same environmental conditions and all of the
test flights flew along the same path pictured in Fig. 4.
6.2 Experimental Results
The experimental results were collected to empirically
verify our contributions, i.e. the ability to detect and
interpret changes in airframe and control parameters.
The first part of this section will demonstrate the per-
formance of the parameter identification engine. The
second part will show that we were able to detect
significant changes in the UAV control parameters.
6.2.1 Identification of Airframe and Controller State
Space Parameters
Before takeoff, we loaded our UAV controller with
known nominal parameters for the UAV airframe to be
flown. Then the UAV was flown along the path shown
in Fig. 5 for 15 minutes while we collected UAV state
data such as roll, pitch, yaw, and servo responses. The
measured airplane attitude data is presented in Fig. 5.
Each UAV state space data point was forwarded to
our parameter estimation engine depicted in Fig. 1.
The parameter estimation engine produced eighteen
estimates for the airframe and controller state space
J Intell Robot Syst (2016) 84:107–120 113

Fig. 4 Flight path

parameters. The parameters estimated for the closed
loop (CL) and open loop (OL) systems are seen in
Table 1.
The estimated parameters in Table 1 cover 15-
minute flights during which the simulated UAV exe-
cuted 6 loops and 24 turns. The parameters that are
important to focus upon are 1, 8, and 15. These are
roll, pitch and yaw.
Table 1 demonstrates that the parameters remain
constant between flights if the airframe and control
law were not altered. Consider parameter 4 for the
open loop. It has not changed, remaining constant at

Fig. 5 UAV state vector UAV State Space

plot 1
Roll
0.8
Pitch
0.6 Yaw
0.4
Roll/Pitch/Yaw

0.2

-0.2

-0.4

-0.6

-0.8

-1
0 500 1000 1500 2000 2500 3000 3500 4000 4500
Samples Ts=.2s
114 J Intell Robot Syst (2016) 84:107–120

0.28. For the closed loop, parameter 4 changed negli-
gibly. The same can be said about all other parameters;
all parameters show little or no change.
6.2.2 Identification of Parameter Alteration in State
Space
To test the ability of our system to detect control
parameter changes, we loaded the UAV controller with
a different set of control law parameters and ran the
same flight plan as presented in Fig. 4 for ten minutes.
According to our computations, the estimated control
law parameters did reflect the applied change in the
control law. When viewing the flight in the simula-
tion environment, we noticed that it was not as smooth
when compared to normal flight.
We applied the same analysis method to the flight
data collected with an altered flight controller. The
estimates for the airframe parameters and for the flight
controller are presented in Table 2.
The Table 2 clearly shows that the estimated param-
eters have changed noticeably from those in Table 1.
This change is caused by the UAV being initialized
with different controller parameters. For example,
parameter 4 has changed from 2.71 to 5.58 due to
change in the control law. The same effect can be
observed for a number of estimated parameters.
To compare the parameters identified in each of
the flights, we used Normalized Root Mean Square
Deviation (NRMSD).

n
E(A, B) = ([ai ] − [bi ])2 /var(ai ) (11)
i=0
where:
A, B are the flights being compared
[ai ] and [bi ] are the mean values for the i-th esti-
mated parameters in flights A and B.
var(ai ) is the variance of the i-th estimated parame-
ter in flight A
The closer two sets of parameters are to each other,
the lower the NRMSD will be. Table 3 compares the
flights in Tables 1 and 2 using NRMSD.
There were minimal differences in the NRMSD
values between flights when parameters were kept

Table 1 Identified UAV state space parameters (Normal

Flight) Table 2 Identified UAV state space parameters (Altered Flight)

Normal flight 0 Normal flight 1 Altered flight 0 Altered flight 1

Parameter OL CL OL CL Parameter OL CL OL CL

1 1.02 1.01 1.02 1 1 0.87 1.05 0.87 1.05

2 0.04 −0.14 0.02 −0.15 2 −0.43 −0.93 −0.48 −0.93
3 0 0 0 −0.01 3 0.02 0 0 0
4 0.28 2.63 0.28 2.71 4 0.17 5.43 0.17 5.58
5 0.01 −2.49 0.01 −2.59 5 −0.02 −4.79 0.02 −4.91
6 −0.3 −0.13 −0.3 −0.12 6 −0.21 −0.64 −0.23 −0.64
7 0.02 −0.03 0.02 −0.03 7 0 −0.05 −0.01 −0.05
8 0.96 0.86 0.96 0.87 8 0.79 0.8 0.77 0.78
9 0.01 0 0 −0.01 9 0 −0.01 0 −0.01
10 0.06 −0.31 0.05 −0.39 10 0 −0.4 0 −0.42
11 −0.2 0.39 −0.19 0.44 11 −0.02 0.54 −0.02 0.51
12 0.11 −0.08 0.12 −0.06 12 0.02 −0.14 0.02 −0.09
13 −0.02 −0.01 0 −0.01 13 0 0 0 −0.01
14 −0.04 −0.04 0.05 −0.02 14 0 −0.04 −0.02 −0.06
15 1 1.01 1 1.01 15 1 1.01 1 1.01
16 −0.01 −0.02 0.01 −0.1 16 0 −0.04 0 −0.08
17 0.02 −0.45 −0.02 −0.4 17 −0.01 −0.48 0 −0.44
18 −0.01 0.47 0.01 0.5 18 0.01 0.51 0 0.52
J Intell Robot Syst (2016) 84:107–120
consistent. When parameters were changed e.g.,
between normal flight 0 and altered flight 0, the
NRMSD takes a noticeably larger value. This result
allowed us to build an anomaly detection system that
detects parameter deviations.
6.2.3 Real Time Anomaly Detection System
The main goal of this research was to develop a real-
time anomaly detection system which could detect
deviations in the UAV’s flight parameters mid-flight.
The ability of the system to self-monitor mid-flight
fully protects the system, leaving no time-specific
weaknesses for an attacker to take advantage of. Also,
the isolation of this system to the UAV itself makes
it invulnerable to communication-channel faults and
ground control station attacks. Any UAV using this
system off-line can detect systemic faults. The plan
of recourse of the detected fault would be specifically
designed for each UAV and its purpose.
In our designed system, flight data of the closed
loop system is continually logged for analysis. The
nature of the data required the use of the RLSM pro-
cedure to make the data continuous. The acquired data
was windowed in blocks of 500 samples. As flight
time passed, data was collected and each new set of
500 samples constituted a new immediate window for
analysis. The mean and standard deviation for each
window were calculated. Since each window now
could be analyzed by statistical means, these mean and
standard deviation parameters allowed for the compar-
ison of the particular window’s observed values to the
values expected for this window.
The ability to judge each window of flight time pro-
vides the ability to evaluate the system at each window
of flight time. This is how the system is capable of
detecting anomalous behavior mid-flight. This config-
uration can be used to evaluate system stability and
Table 3 Flight parameters comparison (Closed Loop)
Normal Normal Altered Altered
flight 0 flight 1 flight 0 flight 1
Normal flight 0 0 0.77 139.38 147.81
Normal flight 1 0.75 0 129.43 137.72
Altered flight 0 7.85 7.40 0 0.22
Altered flight 1 9.16 8.47 0.23 0
115
health. Since the data for each window is expected
to fall within a normal distribution, a significant z-
score can determine that an observed flight does not
match the data corresponding to a normal flight. A z-
score of 3 or greater means that the observed value
assigned this z-score is 3 or more standard deviations
away from the mean, either above or below the mean.
Since this is a normal distribution as stated previously,
this would mean that 99.7 % of normal values would
have a z-score less than 3, and therefore only 0.3 % of
cases could exhibit such a z-score. This low probabil-
ity of normalcy is an statistically reasonable cause for
determining any observed data greater than 3 standard
deviations from the mean to be indicative of anoma-
lous behavior. This is how the comparison of expected
values and observed values leads to a conclusion of
systemic faults.
Our designed system was tested with a normal
flight and an altered flight for performance evaluation.
Figure 6 shows the recorded findings from the nor-
mal flight. Parameters roll, pitch, and yaw were all
individually monitored in this trial. Figure 7 shows
the recorded findings from the altered flight. In this
flight, the controller roll parameter was altered, and
the designed system was used to detect such a change.
The same parameters were monitored. In this altered
flight, the roll parameter was changed approximately
11 minutes into the flight, and then returned to its
original value 31 minutes into the flight. This con-
trol alteration emulates a systemic change we would
aim to detect, whether it would be from malicious
Fig. 6 UAV anomaly detection system: normal flight
116
changing of mission plan, equipment malfunction, or
physical damage.
The comparison of these two results, normal flight
(Fig. 6) and altered flight (Fig. 7) is clear proof of the
designed system’s ability to detect systemic changes.
As expected, Fig. 7 shows similar pitch and yaw
parameter values as in Fig. 6, while the altered param-
eter, roll, shows dramatic deviations in Fig. 7. The
results accompanying the trial in Fig. 7 also exhibit
a significantly higher standard deviation for the roll
parameter than in the trial accompanied by Fig. 6.
The results of this system test prove the acute abil-
ity of our design to detect anomalies in the UAV. While
the test provided an example of a change in the con-
troller, the same detection logic makes this useful for
an anomaly caused by any of our targeted UAV threats.
The little disruption the change in the roll parameter
had on the pitch and yaw parameters shows that there
is little cross-talk between parameters. The decoupling
of the parameters allows for successful detection and
future isolation of faults.
The same method can be applied to the open loop
system. Changes in the identified open loop sys-
tem parameters may indicate physical damages to the
airframe or flight equipment.
6.3 Results Summary
Our experimental results successfully support our
claim that it is possible to automatically identify
Fig. 7 UAV anomaly detection system: altered flight
J Intell Robot Syst (2016) 84:107–120
airframe and control parameters of the UAV. We
also confirmed that any significant changes to UAV
control law can be detected through our anomaly
detection system. We believe that hardware degra-
dation or damage can be identified with the same
method.
7 Discussion
This paper presents a method for the real time auto-
matic detection of anomalous status of a UAV that
might be the result of cyber attack or mechanical
failure. This method is designed to address particu-
lar types of anomalies associated with adulteration of
control laws and degradation of the properties of the
airframe. This method has limitations outside of its
application area.
7.1 Limitations
The cyber attack against the UAV may have many
different implementations and could cause failures
at multiple levels. Our method reliably detects the
changes in the UAV dynamics which is important for
flight safety. Our method is not designed to and will
not be able to detect attacks against the GPS sys-
tem or the waypoint scheduling system. Our method
for real time anomaly detection relies heavily on the
length of the window, if the window is too large
or too small the methods accuracy would drastically
decrease.
The results presented in this paper were obtained in
an advanced simulation environment which might not
completely capture the complexity of the real world.
However, we believe that all significant aspects of
UAV flight were successfully modeled by our simula-
tion.
8 Related Work
In the domain of UAV security, many approaches are
taken to detect failures and intrusions in UAV sys-
tems. The work done by Freeman et al. is similar to
this paper in its fault detection system [17]. They com-
pared both model-based and data-driven techniques,
and concluded that a combination of both would be
J Intell Robot Syst (2016) 84:107–120
the most realistically useful approach. In their model-
based approach, the model is an aerodynamic model
based on physics, as opposed to our modern control
model. An H∞ model-matching procedure was uti-
lized which minimizes the norm of error signals in
the controllers. Weighting functions were used to ade-
quately minimize sensitivity to sensor noise. Their
data-driven approach fed system parameters through
a Fourier transform to create a baseline parameter,
and collected windowed values of this baseline param-
eter were collected into a normal distribution. The
observed baseline value was compared to obtain the
probability that this baseline occurred in the system
without a flaw in the system, and then the prob-
ability score was given a z-score to determine the
normalcy of the result. Their results showed that a
data-driven technique was circumstantially less suc-
cessful than a model-driven approach. The work done
here shows a slightly similar approach to that of this
paper, demonstrating how predetermined data about
the system allow for a more meaningful detection of
system changes.
Though the work by Freeman et al. was similar to
this process, many of these approaches differ from the
approach in this paper as they rely on a predetermined
set of conditions for failure statuses or profiling of the
malicious system attacker. Also, many other works do
not operate on a closed loop, requiring external moni-
toring infrastructure to determine a status of failure or
intrusion.
8.1 External Detection
Many past works in UAV threat detection have relied
on external monitoring systems to detect an intrusion
or system failure. In particular, Mitchell and Chen
implemented a Behavior Rule-based UAV Intrusion
Detection System (BRUIDS) with both internal sen-
sors and neighboring UAVs for monitoring [18]. Cer-
tain configurations of the internal monitoring sensors
would leave vulnerabilities to doubly-spoofed sensor
reading; one sensor would be false and the monitor-
ing sensor would report no issues. Also demonstrated
by Mitchell and Chen, the need for wireless com-
munication alone added the issue of signal integrity
into the detection performance. A method that would
not require an external system to detect failures and
attacks in a UAV would also be invulnerable to the
117
possibility of the monitoring system being compro-
mised by the attacker.
8.2 Attacker Profiling
In the scheme of UAV intrusion detection, many works
have taken advantage of expected reasoning of an
attack to formulate the best defense. Goppert et al.
used classification of the attacker in their detection
model [19]. Their attacker profiles were separated
based on three different cases of malicious intent:
obstruction of the mission, overtaking control of the
UAV, and UAV destruction. This scheme was quite
robust, accounting for more recent threats, such as
GPS spoofing. In this design, the profile perspective
was used to parameterize the failure model. Failure
was detected as an envelope including UAV location,
altitude with respect to location, and so on. Their
approach was successful in many ways, but weak
when confronted with cross-coupled system interfer-
ences, such as noise in the sensors and an intruder.
In a similar approach, Mitchell and Chen profiled
the detected attacks into three categories of attack-
ers: reckless, random, and opportunistic [18]. This
categorical profiling was then used to determine a
probability of event patterns, to compare expected
events. Their detection success was heavily dependent
on the expected event probability, and while very suc-
cessful in with the ideal modeling, any inaccuracies in
this model would result in dramatically increased false
positive and false negative rates.
8.3 Predetermined Failure Cases
Of all of the trends in this field, the use of prede-
termined failure types seems to be one of the most
prevalent methods of detection. In the work done
by Mitchell and Chen, the contemporary publicized
attacks and system weaknesses were evaluated to
determine seven categorical threat behaviors, such
as attempting to target a friendly entity [18]. Their
model was strategic in its prioritized order of behavior
rules. Rules of behavior, such as not opening weapons
outside of a battle scene, were ranked on priority
of system integrity down to information integrity. If
any events were detected that violated one of these
rules, the system determined a threat. The ordering
of these behavior rules allowed for the more urgent
118
threats to be detected first, efficiently using time to
detect.
In an alternative study, Keller et al. designed a
failure detection filter (FDF) using a linear observer
[20]. The filter relied directly on preconceived fail-
ure modes to alert the system to an intrusion. Their
filter used minimal information (accelerometer and
angular rate measurements) as input to their FDF and
with considerable success. As Keller et al. progressed
through the work; they identified the complexity of
using a filter in such a way, and noted that this type
of filter is not properly suited for detection of system
degradation.
The approach to this method taken by Lang et al.
is arguably less vulnerable to classification failures,
and therefore a more successful use of failure clas-
sification techniques [21]. The focus of this method
was in evaluating the aerodynamic envelope: the set
of parameters available and reasonably controlled to
safely land the UAV. This classification begins with
differentiating airframe damage from control actuator
faults. Since the UAV’s expected envelope is deter-
mined with extensive controlled wind-tunnel testing,
the first case of airframe damage required mathemat-
ical estimation of each flight parameter (drag, lift,
etc) with linear regression. This is a highly math-
ematical process which utilized progressive model
updating. Their approach allowed the model to con-
tinually acquire new data and incrementally improve
the temporary model. While inaccurate at first, the
method could theoretically react to any type of air-
frame damage provided enough computational time.
The second case of failure is control actuator faults,
which were easily modeled based on expected possi-
ble categorical failures being previously modeled. The
information from the UAV could be compared to an
offline library and then used for online stabilization of
the aircraft. The use of a pragmatic failure library does
make for a very timely response, but inherently leaves
the system vulnerable to an unforeseen or expectedly
unlikely failure type.
9 Conclusion
The increasing widespread use of Unmanned Aerial
Vehicles (UAVs) raises a host of new security concerns.
J Intell Robot Syst (2016) 84:107–120
We put forth a novel process for defining UAV
flight behavior. Our proposed technology allows us to
detect a cyber attack against UAV electronic hardware.
It also can detect UAV hardware degradation and
failure.
Our research resulted in a prototype UAV monitor-
ing system, which captures flight data and estimates
airframe and controller parameters. Estimated param-
eters are constantly compared to previously known
parameters. If a significant change in parameters is
observed, the system alerts the ground control station
and may execute predefined actions.
We adapted the Recursive Least Squares method
to implement an estimator for UAV parameters. This
estimator is used in conjunction with the state space
model parameters and difference equation parameters.
The vectors of estimated parameters are accumulated
and subjected to confidence interval testing. If the
monitored parameters fall off the corresponding con-
fidence interval, the statistically significant deviation
is detected. We also show that simpler normalized root
squared deviation can be used to detect anomalous
parameter change.
We tested our system with a set of experiments
based on a state of the art flight simulator. Our experi-
ments demonstrated that it is possible to automatically
establish UAV flight parameters and detect significant
deviations.
Our results establish that achieving efficient
anomaly detection in flight is possible through the
intelligent application of statistical methods to system
behavioral profiling.
Acknowledgments This project became possible due to the
support of graduate student research at Binghamton University
by the Air Force Office of Scientific Research. In addition, the
authors would like to thank Dr. George Siouris for his expertise
and valuable suggestions.
References
1. Amazon Prime Air http://www.amazon.com/b?node=8037
720011, accessed on 13 Feb 2014
2. UAV Roundup 2013 http://www.aerospaceamerica.org/
Documents/AerospaceAmerica-PDFs-2013/July-August-
2013/UAVRoundup2013t-AA-Jul-Aug2013.pdf, accessed
on 13 Feb 2014
J Intell Robot Syst (2016) 84:107–120
3. Federal Aviation Administration selects Rutgers for drone
research program. http://www.dailytargum.com/news/fede-
ral-aviation-administration-selects-rutgers-for-drone-re-
search-program/article 403dc68a-7888-11e3-a0c2-0019bb
30f31a.html, accessed on 13 Feb 2014
4. Unmanned Aircraft Systems: PercePtions & Potential, http://
www.aia-aerospace.org/assets/AIA UAS Report small.pdf,
accessed on 13 Feb 2014
5. FAA Selects Six Sites for Unmanned Aircraft Research.
http://www.faa.gov/mobile/index.cfm?event=news.read&
update=75399, accessed on 13 Feb 2014
6. Rawnsley, A.: Iran’s alleged drone hack: tough, but
possible, http://www.wired.com/dangerroom/2011/12/iran-
drone-hack-gps, accessed on 13 Feb 2014
7. Gorman, S., Dreazen, Y.J., Cole, A.ugust.: Insurgents hack
US drones, The Wall Street Journal 17. Dow Jones and
Company, Inc (2009)
8. Case Study: Rockwell Collins demonstrates damage tol-
erant flight controls and autonomous landing capabilities.
http://www.rockwellcollins.com/sitecore/content/Data/Suc-
cess Stories/DARPA Damage Tolerance.aspx, accessed on
13 Feb 2014
9. Nguyen, N.T., Krishnakumar, K.: Hybrid intelligent flight
control with adaptive learning parameter estimation. J.
Aerosp. Comput. Inf. Commun. 6(3), 171–186 (2009)
10. http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-
open-computers-not-connected-to-internet.html? r=1, acces-
sed on 13 Feb 2014
11. Shepard, D.P., et al.: Evaluation of smart grid and civilian
UAV vulnerability to GPS spoofing attacks. In: Proceedings
of the ION GNSS Meeting (2012)
12. SkyJack: Hacker-drone that can wirelessly hijack &
control other drones. http://rt.com/news/hacker-drone-air-
craft-parrot-704/, accessed on 13 Feb 2014
13. Nilsson, D.K., Larson, U.: A defense-in-depth approach
to securing the wireless vehicle infrastructure. Journal of
Networks 4(7), 552–564
14. Javaid, A.Y., Sun, W., Devabhaktuni, V.K., Alam, M.:
Cyber security threat analysis and modeling of an
unmanned aerial vehicle system. In: 2012 IEEE Conference
on Technologies for Homeland Security (HST). 13-15 Nov,
p. 585,590 (2012)
15. Spripada, N.R., Fisher, D.G.: Improved least squares iden-
tification. Int. J. Control. 46(6), 1889–1913 (1987)
16. Siouris, G.M.: Missile Guidance and Control Systems.
Springer (2004)
17. Freeman, P.: Model-Based and Data-Driven Fault Detec-
tion Performance for a Small UAV. IEEE/ASME Trans.
on Mechatronics 18(4), 1300–1309 (2013). doi:10.1109/
TMECH.2013.2258678
18. Mitchell, R., Chen, I.: Adaptive intrusion detection of
malicious unmanned air vehicles using behavior rule
specifications. IEEE Transactions on Systems, Man, and
Cybernetics: Systems 44(5), 593–604 (2013). doi:10.1109/
TSMC.2013.2265083
19. Goppert, J., et al.: Numerical analysis of cyberattacks
on unmanned aerial systems. In: in Infrotech@Aerospace
2012, Garden Grove, California, 2012
119
20. Keller, J.D., et al.: Aircraft flight envelope determina-
tion using upset detection and physical modeling methods.
In: AIAA Guidance, Navigation, and Control Conference,
Chicago, Illinois (2009)
21. Tang, L., et al.: Methodologies for adaptive flight envelope
estimation and protection. In: AIAA Guidance, Navigation,
and Control Conference, Chicago,Illinois (2009)
Zachary Birnbaum is a PhD student at Binghamton University.
Upon completing BS in Electrical Engineering at Bingham-
ton University, he immediately began his doctoral work. In
his first year, he developed a novel Intrusion Detection Sys-
tem for computers capable of detecting cyber-attacks. He took
his winter and summer experience working for the navy to
guide his current research direction, Unmanned Aerial Vehicle
(UAV) security. In this area he hopes to apply his knowl-
edge of military systems and security to develop an origi-
nal security system for UAVs. His research interests include
intrusion detection, cyber physical system security, and data
mining.
Andrey Dolgikh is a Research Scientist at Binghamton Univer-
sity, where he also received his PhD in Electrical Engineering.
His research interests include behavioural based intrusion detec-
tion, cloud security and industrial control systems security.
For his PhD research he developed two behavioural detection
engines: A Fast Coloured Petri Net based malicious function-
ality detector, and control flow graph matching detector. The
current focus of his work is industrial control systems secuirty.
He also designed a new computer security class and teaches it
at Binghamton University.
Victor Skormin is a Distinguished Service Professor at Bing-
hamton University, Binghamton NY. He has an MS (1968) and
PhD (1974) degrees. His research in the areas of technical
diagnostics, laser communications, and computer security was
supported by the NSF, NASA and Air Force. He has been active
in industrial consulting. He served two terms as an Air Force
Senior Research Associate appointed by the National Research
Council. He is an author/editor of several books and a large
number of research papers; he supervised 20 PhD dissertations,
and served as an Editor for Space Systems of the IEEE AES
Transactions. He is a Senior Member of IEEE.
Edward O’Brien graduated with his Master’s in Electrical
Engineering from Binghamton University. After completing his
Bachelor’s at Binghamton University, he enrolled in an accel-
erated program to complete his Master’s in one year while
working on UAV security. He is currently working on research
and development on high pulsed currents, high pulsed voltages,
AC-DC difference and high resistance. His primary interests
are signal processing, FPGA development, control systems,
computer security and metrology.
120
Daniel Muller is a junior at Binghamton University currently pur-
suing a BS in Computer Engineering. His research career started late
freshmen year when he began studying behavioral approaches to
detecting attacks against Cyber Physical Systems (CPS), particularly
Unmanned Aerial Vehicles (UAVs). Since then he has fostered an
interest in security of CPS and continues to use UAVs as models
for behavioral based anomaly detection of CPS. His research at
Binghamton University has set a good foundation for what he
hopes is a successful career in cyber security.
J Intell Robot Syst (2016) 84:107–120
Christina Stracquodaine is a Master’s student of Electrical
Engineering at Binghamton University. As part of an acceler-
ated program, she began her master’s work in the final year
of her BS. She is currently continuing the work done at Bing-
hamton in Unmanned Aerial Vehicle (UAV) security. Outside
of academia, she has also spent time working as an industrial
consultant for Control projects. In the future, she hopes to con-
tinue onto doctoral work in autonomous systems, where she can
apply her experience to Robotics.