3.1. Feature Analysis of Flight Data
Selecting appropriate data is an important step in ML. Specific relevant features can speed up ML processing and improve accuracy [
31]. We selected the features for our ML-based approach,
ConstDet, through an analysis of the control semantics. The control semantics are the mechanism and theory about how to control UAVs using flight data.
Stable flight is assured by UAV PID control systems [
29,
30], which contain lots of control data, as shown in
Figure 2. A UAV PID control system is constructed by a flight altitude PID control system and a horizontal flight position PID control system. The UAV control system controls a UAV to accomplish the mission, which is composed of the desired altitude and desired horizontal position for the altitude control and horizontal position control, respectively.
The flight altitude PID control system is a three-loop cascading controller, which contains an altitude controller, a vertical speed controller, and a vertical acceleration controller. To reach the desired altitude, it computes and generates the controlling value by processing the actual altitude, actual vertical speed, and actual vertical acceleration, which are obtained from the control system.
The horizontal flight position PID control system is a four-loop cascading controller, which is composed of a position control system (including a position controller and a horizontal speed controller) and an attitude control system (including an angular controller and an angular rate controller). To reach the desired horizontal position, the horizontal position controller computes and generates the controlling value by processing the actual horizontal position, actual horizontal speed, actual angle, and actual angular rate, which are derived from the control system.
The control semantics are essentially the same for the various UAVs. The control process depends on the data gathered by the UAV sensors that perceive the state of the UAV. Meanwhile, these data are relevant since they represent the control process and the UAV’s dynamic flight, which reflects the control semantics. Therefore, these data can be used to represent the control semantics of UAVs. It is reasonable to select these data types as features for model training. The flight data features of the above UAV PID control theory are summarized in
Table 1 including the 12 features used for model training. The explanation and units of the features are provided in the 3rd and 4th columns, respectively. The 3rd, 5th, and 12th features (the altitude, vertical speed, and vertical acceleration) are collected from the flight altitude PID control system and the other features are collected from the horizontal flight position PID control system. The first two features represent the horizontal position. The 6th, 7th, and 8th features denote the actual angle. The 9th, 10th, and 11th features represent the actual angular rate. To train the ML models, these data were obtained from flight logs. Specified log messages that store these feature data are shown in the 5th column.
3.2. Control Semantics-Based Intelligent Detection Framework
The framework of our detection approach,
ConstDet, is shown in
Figure 3. It contains seven steps, as seen below.
(1)
Data acquisition. To train ML models, we first collected the UAV data from the flight log generated by a real flight. The required data were discussed in the previous section (
Section 3.1) and are shown in the 2nd column in
Table 1 including the 3D position (latitude, longitude, and altitude), speed (horizontal and vertical speed), attitude (roll, pitch, and yaw), and rate (roll rate, pitch rate, yaw rate, and vertical acceleration). The flight log contained a lot of flight information such as the 3D position, speed, attitude, rate, and so on. They were generated through specified log message structures [
32] so that the original flight data could be recorded in the log. The relationship between the required data and log messages is shown in the 5th column in
Table 1 and includes the GPS, ATT, and RATE messages. When
ConstDet was implemented on a UAV, the data for detection were obtained from flight controllers in real time.
(2)
Feature analysis. The feature analysis was carried out in
Section 3.1. The selected features are presented in
Table 1.
(3)
Data preprocessing. Firstly, data filtering was carried out. Since the flight log of the attack scenario contained normal data and attack data, we distinguished between these data for the data collection. For example, to obtain the attack dataset, normal data needed to be removed from the log. Additionally, the sensors had different data acquisition frequencies so it was necessary to unify the frequency of these data. Applying the StandardScaler module is an important step in data preprocessing. There was a need to scale the original data in our dataset because the features had diverse proportions and different units, such as degree, meter, m/s, degree/s, and cm/s/s, as shown in the 4th column in
Table 1, so the units cm/s/s were converted to m/s/s. When features are scaled, these multidimensional features have similar scales and the accuracy of models can be effectively improved. Finally, we obtained the dataset of the features for model training.
(4) Feature selection. Since we were not sure of the representative ability of each data feature to reflect the UAV position, there was a need to measure the importance of these features so that we could discard the lower correlated or even irrelevant features. This can save time and resources for model training and classification. Therefore, we first applied the random forest (RF) model to the dataset based on the information gain theory to compute the feature importance. Then, we chose the most informative features that had the most stable and lowest mean absolute errors (MAE).
(5) Model training. Different kinds of ML algorithms were applied for model training using the feature data including support vector machine (SVM), K-nearest neighbor (KNN), RF, gradient boosting decision tree (GBDT), decision tree (DT), multi-layer perceptron (MLP), and extreme gradient boosting (XGBoost). In this paper, various models were used so that we could (1) compare the performance of these models and (2) know which model was suitable for the detection of GPS spoofing attacks, and then the best detector could be built. SVM is suitable for a small sample and nonlinear datasets, as well as high-dimensional pattern recognition problems. However, it is not suitable for multiple classification problems and is sensitive to missing data so it is necessary to select the appropriate kernel function. KNN is simple and easy to understand. It requires no training and no parameter estimation. It is suitable for multi-label problems and has high accuracy. However, its prediction speed is slow and its interpretability is poor. If the sample number of a class is not balanced, accuracy will be affected. RF has low computational overhead and powerful performance in many real-world tasks. For imbalanced datasets, it can balance the errors. However, random forest has demonstrated that it will overfit for certain classification or regression problems with high noise. GBDT has high prediction accuracy. It can deal with nonlinear data and flexibly deal with various types of data including continuous and discrete values. However, it is difficult to train the data in parallel due to the dependency between the weak learners. DT is simple and easy to understand and can handle multiple output problems. However, it is easy to overfit, the generation of decision trees is unstable, and small data changes may lead to different generated decision trees. MLP has a good recognition rate and faster classification speed. However, it may lose the spatial information between pixels and only accept vector inputs. XGBoost can solve both the linear classification and logistic regression problems. XGBoost allows custom loss functions as long as the function supports first- and second-order derivatives. However, the space complexity of the pre-sorting process is too high and it needs to store not only the feature values but also the index of the gradient statistics of the corresponding sample of the feature, which consumes twice the memory. The dataset obtained through the data acquisition, data preprocessing, and feature selection steps was used as the input of the ML algorithms. The dataset was divided into two parts: 70% of the data were used for training and 30% of the data were used for testing and evaluation.
(6) Model evaluation and selection. Various ML algorithms were used in this paper and they had different detection performances. To demonstrate the effectiveness of the trained models and determine which was the best model, we performed a model evaluation. ConstDet evaluated the trained models using several assessment criteria including accuracy, precision, recall, missing, mistake, and the F1-measure. Moreover, the receiver operating curve (ROC) function was used to demonstrate the discriminative potential of the classifiers. Based on the evaluation, the best classifier was selected as the detector of the ConstDet to detect GPS spoofing attacks on UAVs.
(7)
Deployment. To apply
ConstDet on a real UAV, we deployed the classifier on the companion computer of the UAV. Onboard detection was executed using real-time flight data, which were gathered from the flight controller via the MAVLink communication [
33]. The original onboard flight data needed to be preprocessed before they were detected by the classifier because some feature data had different units to the training data from the flight log. Moreover, these real-time data also needed to be scaled as with the preprocessing of the training data so that the classifier was suitable for detection with these onboard data. After the deployment, the UAVs could detect GPS spoofing attacks during flight.
The purpose of our approach is for onboard detection of GPS spoofing attacks. We implemented the best classifier in a real UAV. After the detector was deployed in the UAV, it could detect GPS spoofing attacks during flights in real time. The detector was able to read real-time data from the flight controller and then preprocess these data to obtain the same data types and format as the trained data. Using the real-time and preprocessed data, the classifier computed and output the results about whether there were existing GPS spoofing attacks on the UAV.