CYBER SECURITY FOR AVIATION OPERATIONS DR ELENA SITNIKOVA, PHD, BE - - PowerPoint PPT Presentation



slide-1
SLIDE 1

CYBER SECURITY FOR AVIATION OPERATIONS

DR ELENA SITNIKOVA, PHD, BE (HONS), CSSLP, SFHEA

CRITICAL INFRASTRUCTURE PROTECTION, RESEARCH LEADER THE SPITFIRE MEMORIAL DEFENCE FELLOW UNSW CANBERRA @ ADFA

E.SITNIKOVA@ADFA.EDU.AU

slide-2
SLIDE 2

OUTLINE

  • BACKGROUND
  • TECHNOLOGICAL ADVANCEMENTS: OPPORTUNITIES AND CHALLENGES
  • NEED FOR CYBERSECURITY FOR AVIATION OPERATIONS
  • SPITFIRE DEFENCE MEMORIAL FELLOWSHIP – 2019 PROJECT
  • FUTURE RESEARCH INITIATIVES
  • Q/A

slide-3
SLIDE 3

AUSTRALIA’S CYBER SECURITY STRATEGY 2020

  • Investing $1.67 billion over 10 years to achieve a more secure online world for Australians, their businesses and the essential services
  • Ensuring Australians are secure online is a shared responsibility
  • UNSW Canberra Cyber looks forward to contributing to the Strategy’s success.
  • research in cybersecurity, intelligent defence, cyber-physical systems, IIoT
  • education to build Australia’s cyber skills pipeline
slide-4
SLIDE 4

BACKGROUND

The typical commercial UAV is a remote-controlled aircraft with an off-the-shelf flight computer capable of autonomous operation that is carrying an optical sensor payload. It is an inexpensive airframe running an inexpensive computer that is designed to carry low-cost, low-power, high-fidelity sensors to collect data for real-time and post processing. The most important growth of UAVs will not be in hardware; it will be in software and data analysis, and in the development of innovative AI-enabled cyber defences for protecting UAVs’ hardware and software.

slide-5
SLIDE 5

USE OF UAVS

The Loyal Wingman The MQ-25 Stingray

MQ-9 Reaper [Predator B]

slide-6
SLIDE 6

SYSTEMATIC WORKFLOW OF UAV

slide-7
SLIDE 7

CHALLENGES FOR AVIATION ECOSYSTEMS

  • The increasing prevalence of Unmanned Autonomous Vehicles (UAVs) in the military and civilian sectors has been accompanied by an increase in sophisticated malicious activities.
  • Since UAVs comprise a complex infrastructure, as piloted aircraft without an onboard operator, they still need resilient security controls to ensure their safe operation.
  • Global connections and complexity (new and legacy systems), Io(F)T
  • Handling heterogeneous data sources through e-operations from UAVs and their network communications
  • UAV devices with constrained or limited hardware resources (precluding certain basic or “common-sense” security measures)
  • Lightweight and adaptive AI-enabled cyber defence models are still not mature
  • New advanced persistent threats, such as DDoS, hijacking, and botnets, cannot be easily discovered

slide-8
SLIDE 8

SPACE INFRASTRUCTURE CYBERSECURITY

  • Global connections and complexity
  • UAS rely on satellite communications, GPS

slide-9
SLIDE 9

HIJACK OF UAV

  • Various commercial UAVs use WiFi for command & control and data.
  • A user can identify the SSID, deauthenticate the UAV, and then capture the UAV’s attempt to reestablish the link.
  • Once the link is established, they can control the UAV, download telemetry, or download sensor data.
  • Other commercial solutions use 915 MHz links using the MAVLink protocol, which can also be hijacked.
  • An assume-control attack has been demonstrated on most of the consumer/commercial remote controllers, independent of the data link
  • If you have access to the C2 or data link, you can also change waypoints and other mission parameters

slide-10
SLIDE 10

ADF UNMANNED AERIAL SYSTEMS

  • ADF investment in unmanned aerial systems is increasing and is expected to exceed $20 billion over the next decade
  • The UAS platforms range from the smallest hand-held devices to full-scale aircraft, and each presents challenges in its effective use and support
  • The UAS are ideal for “Dull, Dirty, or Dangerous” missions
slide-11
SLIDE 11

UNSW CANBERRA RESEARCH ON AUTONOMOUS OPERATIONS FOR A CYBER-PHYSICAL UAV DISTRIBUTED ANOMALY DETECTION SYSTEM*

  • This research promotes awareness of cybersecurity in autonomous aviation operations and related confidentiality-integrity-availability (CIA-triad) issues across the Australian Defence Force. It addresses the following question:

How to identify malicious attacks through anomaly detection in ways that will make UAVs’ mission-critical systems resilient to cyber-attacks?

* Supported by the Spitfire Defence Memorial Association's Fellowship grant to lead this research project (PS39150)

slide-12
SLIDE 12

STAGE 1 - DESIGNING A REALISTIC ARCHITECTURE OF A UAV NETWORK AT THE IOT LAB

slide-13
SLIDE 13

THE ARCHITECTURE OF UAV NETWORK TESTBED LINKED TO CLOUD AND FOG SYSTEMS

[Figure: testbed architecture diagram. Labels: UAV (flight control, position control, velocity control, attitude control, sensors; serial communication); network communication; Human Machine Interface (HMI)/API; fog computing to decrease computational resources at the network edges; cloud computing paradigm to store data collected; proposed framework: physical-digital anomaly detection framework (approaches and models).]

slide-14
SLIDE 14

STAGE 2 - LAUNCHING DIFFERENT ATTACKING SCENARIOS AND NORMAL OPERATIONS

  • Scanning/probing - The Nessus tool was used to scan the vulnerabilities of all the systems in the testbed, including the Ubuntu server, Security Onion, and the UAV system. The aim: a hacker collects information about systems such as open services and protocols, types of operating systems, and weaknesses. Then, the hacker uses other exploits to breach the open vulnerabilities of the systems, such as using DoS and DDoS to corrupt services.

  • Denial-of-Service (DoS) attack - a cyber-attack to corrupt the services of a targeted system, e.g. hacking a UAV system to stop it from moving and corrupt its control unit. We used the Metasploit and Scapy platforms installed on the Kali system to exploit the systems of the UAV, Security Onion and Ubuntu server. Once we launched the hacking activities, there was a flood of traffic targeting the systems of the testbed, with superfluous requests to overload systems and prevent them from executing any normal action.

  • Distributed Denial-of-Service (DDoS) attack - a cyber-attack from multiple sources of DoS to disrupt the normal traffic of the targeted systems (i.e., the UAV system, Security Onion, and Ubuntu server) by sending massive flooding traffic from several zombie machines. DDoS attacks accomplish efficiency by using many compromised systems as sources of attack traffic. We used the Kali Linux virtual machine with the Metasploit framework to exploit the entire testbed network of the UAV system, corrupting its legitimate operations such as movement and flying.

  • Normal traffic generation - The Ostinato tool is a packet and network traffic generator with a graphical user interface that supports the process of normal operation, such as generating TCP traffic in a predefined range of IP addresses and protocols within the subnet of the testbed network. We simulated different network protocol cases, either Ethernet or Wi-Fi traffic, to mimic a real UAV system network.

slide-15
SLIDE 15

STAGE 3 - COLLECTING AND LABELING LEGITIMATE AND ATTACK EVENTS

  • Used the Security Onion platform, which is a free and open-source Linux distribution.
  • Security Onion’s services: intrusion detection, enterprise security monitoring, and log management.
  • Utilized the Snort agent as a logger to collect pcap files that include normal and attack traffic. Then, we used the Argus tool to generate network header information such as source and destination IP addresses. The Argus tool was configured to log the network packets in the MySQL database.
  • ~2 million records of normal and various attack events of Probing, DoS and DDoS collected
  • Added a new column in the database, named Class, which was used to label or tag each record as normal or attack.
  • Used an SQL update command that allows the labeling process to be automated.
  • We considered a record to be an attack when we found the source or destination IP addresses of the Kali system (i.e., the hacking machine); otherwise we considered the record to be normal.
  • This process is the initial stage of applying anomaly detection-based machine learning, whereby the labeling process is the only way to train and validate the performance of machine learning algorithms and determine their credibility in discovering attacking events.
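
The labeling rule described on this slide, written out as an added example (not code from the presentation). It uses an in-memory SQLite database in place of MySQL; the table name `flows`, the columns `saddr`, `daddr` and `proto`, and all addresses are assumptions constructed for illustration.

```python
import sqlite3

# Constructed addresses (documentation range); 192.0.2.66 stands in for the Kali host.
ATTACKER_IPS = ("192.0.2.66",)

# Constructed flow records (saddr, daddr, proto), not data from the project.
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.0.2.20", "tcp"),  # UAV -> server
    ("192.0.2.66", "192.0.2.10", "tcp"),  # attacker -> UAV
    ("192.0.2.20", "192.0.2.66", "tcp"),  # server reply -> attacker
    ("192.0.2.30", "192.0.2.20", "udp"),  # HMI -> server
]


def label_flows(flows, attacker_ips):
    """Load flows, add the Class column and label each record with one UPDATE."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flows (id INTEGER PRIMARY KEY,"
               " saddr TEXT, daddr TEXT, proto TEXT)")
    db.executemany(
        "INSERT INTO flows (saddr, daddr, proto) VALUES (?, ?, ?)", flows)
    # Every record starts as normal; the UPDATE below overrides attack rows.
    db.execute("ALTER TABLE flows ADD COLUMN Class TEXT NOT NULL DEFAULT 'normal'")
    marks = ", ".join("?" for _ in attacker_ips)
    db.execute(
        f"UPDATE flows SET Class = 'attack' "
        f"WHERE saddr IN ({marks}) OR daddr IN ({marks})",
        tuple(attacker_ips) * 2)
    db.commit()
    return db


def class_counts(db):
    """Return {label: record count} so the labelling can be sanity-checked."""
    return dict(db.execute("SELECT Class, COUNT(*) FROM flows GROUP BY Class"))


def training_columns(db):
    """Columns usable as features: the label and the address columns it was
    derived from are excluded, so a model cannot just memorise the Kali IP."""
    cols = [row[1] for row in db.execute("PRAGMA table_info(flows)")]
    return [c for c in cols if c not in ("id", "saddr", "daddr", "Class")]


if __name__ == "__main__":
    db = label_flows(SAMPLE_FLOWS, ATTACKER_IPS)
    print(class_counts(db), training_columns(db))
```

Because the label is a direct function of the address columns, leaving those columns in the feature set lets a classifier score well by learning one IP address rather than attack behaviour.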

slide-16
SLIDE 16

STAGE 4 - MACHINE LEARNING MODELS FOR INTRUSION DETECTION

  • Machine Learning (ML) models have great potential to discover cyber-attacks against UAVs’ networks. We developed ML techniques: Decision Tree, K-Nearest Neighbours, Multi-Layer Perceptron, Naïve Bayes and Support Vector Machine, using Python scripts.
  • The sklearn package in Python was used for implementing the models, which were not optimized, as no hyperparameters were altered.
  • For training and testing the ML models, the original generated dataset was split into a training set (70%) and a testing set (30%) to determine their performance in discovering attack events from the UAV’s network.
  • Next, we present the confusion matrices that were generated post-testing. Additionally, five metrics are also provided, to better depict the performance of the classifiers.

slide-17
SLIDE 17

DISCUSSION OF RESULTS

| Performance Metrics | Decision Tree | K-Nearest Neighbors | Multi-Layer Perceptron | Naïve Bayes | Support Vector Machine |
|---|---|---|---|---|---|
| Accuracy | 0.999908 | 0.999822 | 0.999876 | 0.39924 | 0.990265 |
| Precision | 0.99995 | 0.999887 | 0.999887 | 0.999986 | 0.998316 |
| Recall | 0.99995 | 0.999921 | 0.99998 | 0.354525 | 0.991212 |
| Fall-out | 0.0006584 | 0.001514 | 0.001514 | 6.584e-05 | 0.022451 |
| F1 Score | 0.9999509 | 0.999904 | 0.999933 | 0.523466 | 0.994751 |
| Train time | 3462784600 ns (3.462 sec) | 1017190047800 ns (1017.19 sec) | 52587907100 ns (52.59 sec) | 309061500 ns (0.3 sec) | 104948771600 ns (104.945 sec) |
| Testing time | 28006400 ns (0.028 sec) | 137822227100 ns (137.82 sec) | 496112000 ns (0.5 sec) | 138031500 ns (0.14 sec) | 13002200 ns (0.013 sec) |

  • Table. Performance metrics of the five models
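
How the five metrics in the table follow from confusion-matrix counts, as an added example (not code from the presentation). The label lists are constructed and assumed to be attack-heavy; they contrast a classifier with high precision and low fall-out but poor recall and accuracy, the pattern in the Naïve Bayes column, with a trivial classifier that flags everything.

```python
from collections import Counter


def confusion(y_true, y_pred, positive="attack"):
    """Count TP/FP/TN/FN, treating `positive` (attack) as the detected class."""
    c = Counter()
    for truth, pred in zip(y_true, y_pred):
        if pred == positive:
            c["tp" if truth == positive else "fp"] += 1
        else:
            c["fn" if truth == positive else "tn"] += 1
    return c


def metrics(c):
    """The five metrics reported in the table, from confusion-matrix counts."""
    def ratio(num, den):
        return num / den if den else 0.0
    precision = ratio(c["tp"], c["tp"] + c["fp"])
    recall = ratio(c["tp"], c["tp"] + c["fn"])
    return {
        "accuracy": ratio(c["tp"] + c["tn"], sum(c.values())),
        "precision": precision,
        "recall": recall,
        "fall_out": ratio(c["fp"], c["fp"] + c["tn"]),  # false alarm rate
        "f1": ratio(2 * precision * recall, precision + recall),
    }


# Constructed test labels: 1000 attack and 100 normal records.
Y_TRUE = ["attack"] * 1000 + ["normal"] * 100
# Constructed "cautious" classifier: flags 350 attacks and 1 normal record.
CAUTIOUS = ["attack"] * 350 + ["normal"] * 650 + ["attack"] + ["normal"] * 99
# Constructed trivial classifier: flags every record as an attack.
ALWAYS_ATTACK = ["attack"] * 1100

if __name__ == "__main__":
    for name, pred in (("cautious", CAUTIOUS), ("always-attack", ALWAYS_ATTACK)):
        print(name, metrics(confusion(Y_TRUE, pred)))
```

On attack-heavy data the always-attack classifier reaches higher accuracy than the cautious one while raising a false alarm on every normal record, which is why fall-out has to be read alongside accuracy.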
slide-18
SLIDE 18

FINDINGS AND FUTURE DIRECTIONS

  • A new UAV-IDS framework for detecting intrusive activities is developed
  • Effective recognition of both known and unknown attacks using UAV anomaly-based detection
  • The experiments were conducted in a simulated environment and include dataset generation from the UAV’s networks.
  • Various machine learning algorithms were trained and evaluated using the dataset, and detection accuracy and false alarm rates were established.
  • The collaboration promotes greater awareness of cyber security in autonomous operations and related confidentiality-integrity-availability (CIA-triad) issues across the Australian Defence Force, while providing guidance on how to identify malicious attacks through anomaly detection in ways that will make mission-critical systems resilient to cyber-attacks.

slide-19
SLIDE 19

CURRENT RELATED PROJECTS

  • Spitfire 2020 project Threat Intelligence for IoT – Dr. Nour Moustafa
  • Software Assurance for Cyberworthiness with DST Group, Weapons and Combat Systems Division.
  • A pilot: risk management-based framework for developing intelligent systems for natural disasters, PLuS Alliance Seed Grant.

slide-20
SLIDE 20

NEW RESEARCH DIRECTIONS

Airworthiness

Cyberworthiness is an assessment of the resilience of a system from cyber attacks. It can be applied to a range of software and hardware elements (such as standalone software, code deployed on an internet site, the browser itself, military mission-critical systems, commercial equipment, or IoT devices).

Anti-fragility

slide-21
SLIDE 21

THANK YOU!

  • Any questions?