Analysis of Attack Intensity on Autonomous Mobile Robots

Abstract

Autonomous mobile robots (AMRs) combine a remarkable combination of mobility, adaptability, and an innate capacity for obstacle avoidance. They are exceptionally well-suited for a wide range of applications but usually operate in uncontrolled, non-deterministic environments, so the analysis and classification of security events are very important for their safe operation. In this regard, we considered the influence of different types of attacks on AMR navigation systems to subdivide them into classes and unified the effect of attacks on the system through their level of consequences and impact. Then, we built a model of an attack on a system, taking into account five methods of attack implementation and identified the unified response thresholds valid for any type of parameter, which allows for creating universal correlation rules and simplifies this process, as the trigger threshold is related to the degree of impact that the attack has on the finite subsystem. Also, we developed a methodology for classifying incidents and identifying key components of the system based on ontological models, which makes it possible to predict risks and select the optimal system configuration. The obtained results are important in the context of separating different types of destructive effects based on attack classes. Our study showed that it is sometimes difficult to divide spoofing attacks into classes by assessing only one parameter since the attacker can use a complex attack scenario, mixing the stages of the scenarios. We then showed how adding an attack intensity factor can make classification more flexible. The connections between subsystems and parameters, as well as the attack impact patterns, were determined. Finally, a set of unique rules was developed to classify destructive effects with uniform response thresholds for each parameter. In this case, we can increase the number of parameters as well as the type of parameter value.

1. Introduction

Currently, autonomous mobile robots (AMRs) are becoming increasingly common. We can define an autonomous mobile robot as a robotic system that operates without the need for direct control by a human operator, instead relying on its sensor and/or navigation systems to determine its location in space [1]. Here, we will consider an AMR that operates autonomously, relies on a global navigation system for positioning, and performs a monitoring mission by moving through space along a predetermined route.

Loganathan and Ahmad talk about the growing popularity of AMRs, especially due to the COVID-19 pandemic [2]. Robots have been used for various purposes to reduce the number of interactions between people. They also talk about a navigation system as the main one for mobile robots. Yaacoub et al. identified various information security challenges facing autonomous robots [3]. They also consider the scope of application of such robots, point to the growth in the number of robots, the growth in their sales, and also link this fact to the pandemic. Among the common security problems, they name problems with network security and the lack of intrusion detection systems for robots. Although they discuss various attack scenarios in some detail, they miss attacks on navigation systems. Although they classify unmanned aerial vehicles (UAVs), cars, and marine robots as AMRs, the vector of attacks on navigation systems is not considered. Moreover, despite the existence of alternative navigation methods for industrial robots, a GPS is the main system that gives the least error.

Elikhchi et al. also talk about a significant growth of the AMR market by 30% since 2019 [4]. They consider attacks and their vectors like previous studies, but they also miss attacks on navigation systems. At the same time, as in previous research, attacks on communication systems are mentioned only in the context of Wi-Fi. However, today, the use of Wi-Fi is not universal for robots. There are special standards and chat cells, and the LoRaWAN protocol is being actively implemented.

Botta et al. provide an extensive overview of attacks on different types of robots, including the consideration of autonomous robots [5]. They note the relevance of attack vectors on the GPS system specifically in relation to autonomous robots.

Classifying signs of an attack is a very relevant task for an AMR. Typically, an AMR operates in an uncontrolled, non-deterministic environment, and therefore, the analysis and classification of security events is very important. The system must be able to choose the correct incident response plan, so it is necessary to correctly establish the incident’s cause and predict further consequences depending on the cause.

Typical information systems usually use Security Information and Event Management (SIEM) systems to collect event data and define response plans [6]. They have the advantage of being able to collect data from various monitoring subsystems and protocols. For example, data sources can be intrusion detection systems, firewalls, antivirus programs, and others [7]. Thus, the operator receives comprehensive information about the system, and thanks to correlation rules, the relationship between events can be established [8].

However, a disadvantage is that most correlation rules are set manually, and incident response is also carried out manually according to the response plan. In the case of an AMR, such methods are not sufficiently suitable and may not be effective. First, this is due to the fact that for an AMR, there may be no standard protection means and system components from which alerts come, and the data formats may be completely different. Second, when an information security incident occurs, it is necessary to respond immediately since it can completely block or destabilize the operation of the AMR, which could ultimately lead to an accident or crash.

Thus, the development of an intelligent cyber security incident management system for AMRs is an urgent task, and it is important to correctly determine and classify events. Since AMRs have a fairly wide range of applications and implementations, in this study, we focused on aircraft and autonomous robots for which movement in a non-deterministic environment is important. This is the most general case and therefore easier to adapt to other cases in the future.

Most publications on anomalous events or attack detection for AMRs or unmanned aerial vehicles (UAVs) focus on detecting Global Positioning System (GPS) spoofing attacks. Mens et al. proposed a method to detect attacks on small UAVs [9]. They proposed joint attack detection by a group of UAVs. Based on GPS signal characteristics, they use three-dimensional (3D) data to determine location. The mutual location of UAVs is one of the key foundations for building a formation. Attack detection is based on cross-checking UAV location data.

Sun et al. proposed a method for detecting GPS signal spoofing using neural networks [10]. As a data set, they proposed recording the GPS signal or, rather, the 36 parameters included in the data sets. Parameters include UAV position data, coordinates, speed, altitude, the number of satellites, GPS accuracy, temperature, and many others.

They identify five classes of attacks: jamming attacks, spoofing attacks, hijacking attacks, man-in-the-middle attacks, and denial-of-service attacks. These attacks have serious consequences, such as compromising the confidentiality, integrity, and availability of the drone swarm’s mission and data. They propose an approach based on assessing changes in the state of drones and the possibility of transition from one state to another based on a combination of factors using a timed probabilistic automata (TPA) model.

A drone’s state is determined by feature vector (x_i, y_i, z_i, θ_i, v_i, w_i), where x_i, y_i, and z_i are the x, y, and z coordinates of the drone’s position in three-dimensional space, θ_i is the drone’s course angle, v_i is the drone’s speed, and w_i is its angular speed. To detect a denial-of-service attack, an estimate of the number of incoming packets per unit of time is used. To detect a replay attack, they propose monitoring timestamps. The disadvantage is the presence of strict threshold values, which are initially set based on normal data.

Sajid et al. proposed a security system for drones used in agriculture [11]. When building a threat model, they start with the fact that the attacker’s goal is to destabilize and disorient the drone as well as mislead it about the information being collected. The following types of attacks are considered: distributed denial of service, heart bleed (unauthorized access to a communication channel), password guessing, and penetration attacks (network compromise). Data collection is proposed via a broker and a fog platform as a source of aggregation of resources and data from sensors and UAVs. To detect intrusions, they used the ready-made CICIDS2017 data set, which includes data such as flow duration, protocol, source and destination IP addresses, source and destination port numbers, and the number of packets and bytes.

Zhou et al. proposed an approach for troubleshooting UAVs [12]. UAV flight data sets include navigation control, electrical, engine, steering, flight control, and flight dynamics data sets. They detect spoofing and jamming attacks by analyzing the following parameters: UAV control message, such as longitudinal and roll, transverse and pitch, and vertical and yaw motions for controlling UAV attitude; the switching states; and the received signal strength as an indicator of switching states.

Nayfeh et al. proposed a machine learning (ML) modeling to detect and classify GPS spoofing in UAVs [13]. They implemented three scenarios to carry out static and dynamic attacks. In these scenarios, genuine sets of GPS signal parameters are collected, followed by other sets obtained while the UAV is subject to spoofing attacks launched by a software-defined radio (SDR) transceiver module. All sets are standardized, analyzed for correlation, and reduced according to feature importance before using them in training, validating, and testing various ML classifiers. The final performance evaluation of these classifiers shows that the detection rate (DR), missed discovery rate (MDR), and false alarm rate (FAR) exceed 92%, 13%, and 4%, respectively, and the detection time is less than a millisecond.

Other methods for detecting attacks on AMRs are summarized in

Table 1. A review of some related works related to the detection of attacks on AMRs.

Research	Attacks	Attributes	Methods	Results
ROSIDS23: Network intrusion detection data set for a robot operating system [14]	DoS, unauthorized publish, unauthorized subscribe, and sub-scriber flood	84 attributes to detect an attack, which are mainly related to packet parameters	To create the data set, the authors used the method of full-scale modeling in laboratory conditions	The data set only covers four types of attacks. The study focuses primarily on TCP/UDP and HTTP protocols, which are the default in ROSs
Machine learning modeling of GPS features with applications to UAV location spoofing detection and classification [13]	Two spoofing attack types are investigated in this work: static and dynamic	27 extracted features from the GPS module	ML-based approach for real-time detection and classification of GPS spoofing attacks	The resulting performance evaluation of these classifiers shows a detection rate (DR), misdetection rate (MDR), and false alarm rate FAR) better than 92%, 13%, and 4%, respectively, together with a sub-millisecond detection time
Exhaustive distributed intrusion detection system for UAV attacks detection and security enforcement (E-DIDS) [15]	GPS spoofing attack, GPS jamming attack, MiTM attack, UAVCAN replay attack, UAVCAN flooding attack, injection attack, and DoS attack	12 state components behavior standards	Distributed intrusion detection systems (DIDS) are a specialized subset of conventional IDSs designed for implementation in distributed environments	E-DIDS efficiently detects multiple attacks on different UAVs subsets with good global accuracy that reached 98.6% and low resource consumption. The authors worked only with ready-made data sets and did not test the work in real time
Detection and isolation of sensor attacks for autonomous vehicles: Framework, algorithms, and validation [16]	GPS DoS attack, GPS FDI attack, GPS stealthy attack, and LiDAR replay attack	13 experimental parameters	This module analyzes online measurements of GPS and LiDAR through three attack detectors, each of which combines an EKF-based pose estimator with a CUSUM discriminator	The proposed approach has a much higher alarm accuracy and a shorter detection time than the conventional approach in GPS stealthy attack scenarios. The attack identification still depends on the detector for each sensor
An intrusion detection method based on hybrid machine learning and neural networks in industrial control [17]	DDoS, SQL injection, XSS attacks, Brute Force, BENIGN	The data set contains 78 columns and 1,048,575 rows	An ETM-TBD model based on hybrid machine learning and neural network models, a hyperparameter optimization method based on Bayesian optimization used to optimize the parameters of the four basic machine learners in the model	The detection accuracy rate of the data set is 97.24%, and the average F1 score is 0.9665. The approach cannot handle unknown network traffic attacks well. If they are system encounters an unknown type of attack, it is generally categorized as a known, but similar, attack type
Knowledge distillation-based GPS spoofing detection for a small UAV [18]	GPS spoofing	12 parameters	The approach is to obtain a lightweight detection model in the UAV system so that GPS spoofing attacks can be detected from a long distance. With long-short term memory (LSTM), a lightweight detection model on the ground control stations is proposed	Only one type of attack is detected, the attack is detected using the base station
Detecting maritime GPS spoofing attacks based on NMEA sentence integrity monitoring [19]	GPS spoofing: replay attacker, the meaconing attacker, and the simulator attacker	11 attributes	MAritime Nmea-based Anomaly detection (MANA), a novel low-cost framework for GPS spoofing detection. MANA monitors NMEA-0183 data and advantageously combines several software-based methods	MANA’s detection capabilities in many scenarios. Although the approach is sufficient for many scenarios, there is a limitation: all methods are weighted equally, requiring strict thresholds to avoid false positives
ConstDet: Control semantics-based detection for GPS spoofing attacks on UAVs [20]	GPS spoofing	12 flight data features	ConstDet, based on the control semantics using ML algorithms. The control semantics represent the principles of the UAV control process using flight data	The detection rate of ConstDet is 97.70%

.

However, the main problem with methods based on neural networks is the need to prepare valid data for training. In addition, some classes of security events are difficult to separate from each other. It is also important to correctly associate each kind of event with a certain type of impact and the degree of its impact. The use of neural networks can be justified only at the classification stage, when information about the processes of the system has already been studied and the initial conditions have been determined. For example, a strong wind that blows away a UAV coupled with a spoofing attack can have a different effect than an attack when there is no wind.

It is also important to evaluate man-made noise that may affect the operation of the system. A negative consequence may not always result from an attack. In addition, different AMR models may be equipped with a different set of sensors, which ultimately will also have a different effect on the behavior of the AMR.

Specifically, we focused on an in-depth analysis of parameters and their changes under different scenarios. Our main goal was to identify dependencies between AMR subsystems, processes, and the types of impacts on the AMR. We conducted an in-depth analysis of attack scenarios on the navigation system, identified the types of attacks, and associated the initial impact with its consequences. The key contributions of this manuscript are as follows:

• The influence of different types of attacks on the navigation system was considered, which made it possible to subdivide them into classes;
• The effect of attacks on the navigation system were unified and ultimately represented through their levels of consequences and impact;
• A model of an attack on a navigation system was built, taking into account five methods of attack implementation;
• The unified response thresholds valid for any type of parameter were identified, which allows us to create universal correlation rules and simplify this process, as the trigger threshold is related to the degree of impact that the attack has on the finite subsystem;
• A methodology for classifying incidents and identifying key components of the system based on ontological models was developed, which makes it possible to predict risks and select an optimal system configuration.

The manuscript is organized as follows: Section 1 introduces the readers to the problem of the development of an intelligent cyber security incident management system for AMRs; Section 2 describes the model of destructive impact on an AMR and methodology for assessing the impact of attacks on AMRs; Section 3 presents our results of testing the effectiveness of the proposed method for detecting attacks and anomalies for an experimental AMR and their discussion; and the obtained results are summarized in Section 4.

2. Materials and Methods

In this section, we define the types of attacks that can be performed on an AMR, the observable effects of such attacks, and our methodology for detecting such attacks.

2.1. AMR Model

Our approach included a full-scale AMR model, which consisted of the following basic components. First was a communication system that included two communication channels at different frequencies: one for transmitting telemetry and another for transmitting control commands. The communication system also included communication protocols. For this part of the model, the MAVLink protocol was used to transmit commands and telemetry between the control program and the Pixhawk autopilot. In addition, to transmit information to the operator and exchange data between software modules, a publisher–subscriber model was implemented using the MQTT protocol.

Data exchange with the operator was supported only for the purpose of informing the operator about the current situation. All calculations and adjustments were performed by the on-board computer. The operator also had the opportunity to create a task for execution, which included a plan for moving the AMR on the ground, indicating the coordinates and speed of movement.

An autopilot based on PIXHawk can be used to control airborne, ground, surface, and underwater vehicles. In our study, it was assumed that AMRs can be any of these. The main distinguishing features of an AMR are autonomy (performing operations independently without ongoing instructions from the operator), mobility (the ability to move in three-dimensional or two-dimensional space depending on the type of AMR), and robotization (performing human-like actions but without human involvement).

Thus, our research covered a fairly wide range of devices. However, we assumed an open, external environment, not an indoor one, because the device used a global navigation system for positioning. In this specific study, the AMR used GPS in combination with GLONASS. In addition, an inertial measurement unit (IMU) was used, including an accelerometer, barometer, gyroscope, and compass.

The AMR testbed architecture is presented in Figure 1.

The flight controller has a set of topics through which it publishes updates using the uORB module. Some of these updates can be obtained through the MAVLink protocol. Such data includes information from the navigation system, communication system, and all sensors. In our software model, we included only topics and data sets that could signal an attack. The rationale for data selection is presented in Section 2.2 below. The software also included an attack analyzer that worked based on anomalies. The idea is that an anomaly is detected for each analyzed parameter, and based on this, the first assumption about the problem is made. Next, based on the correlation rules, which are also presented below, the specific type of impact is determined. The layer between the operator, flight controller, and attack analyzer is the control program. It receives a task from the operator and downloads it to the controller (it can also develop control actions and correct the execution of a task, but this is beyond the scope of this manuscript). The attack analysis module, in turn, also publishes information about detected anomalies and attacks.

2.2. Model of Destructive Impact on an AMR

When developing attack detection technology, it is necessary to provide a classification of different types of attacks and their consequences. In this case, it was necessary to clearly understand which attack vectors may be relevant for the security assessment object (AMRs in this case), in particular for navigation channels, communication, and control systems.

Thus, it is important to specifically highlight attacks that can affect navigation and communication channels. Here, we considered only active attacks on the object being assessed. Active attacks include those that violate the integrity and availability properties of the system. Active attacks can lead to three main types of consequences for the object being assessed: complete destabilization of the object, partial destruction/impairment of the functions of the object, or a minor impact on the object and its parameters. Let us highlight four types of impacts that an attack has on AMR subsystems:

• Blocking, which is associated with complete destabilization of subsystems and loss of control over an object, which leads to its loss or destruction;
• Destabilization, which is associated with a violation of the key functions of the object and which can result in incorrect execution or failure of the task by objects as well as damage to its components or subsystems;
• Violation, which is associated with a minor impact on parameters when deviations from target indicators are possible;
• Allowable fluctuations, which are natural fluctuations that occur during normal operation of the system, which can be associated both with errors in individual modules and with the presence of natural and man-made influence factors.

External influences are described by an n-dimensional vector of features:

$$d_i=F(di,a,w,t,i_{di},n_i,p_i),$$

(1)

where d_i is the n-dimensional vector of various types of destructive effects that can be exerted on the object of assessment, defined in space $D{I}^n$; a is the r-dimensional vector of attack sets, taking values from the set $A^r$; w is the m-dimensional vector of sets of weather conditions and environmental states affecting the system, taking values from the set $W^m$; t is the period of time during which the destructive effect was detected; $i_{di}$ is the impact type taking values from a set I; $n_i$ is the set of parameters of the victim node affected by the attack; and $p_i$ is the a set of parameters that are used to implement the attack.

Thus, based on the categorization of the types of impact on the object, we can conclude that depending on the capabilities of the attacker and the scenario for implementing the attack on the object, consequences of different levels may occur for the object [21].

In order to correlate attack types with consequences and subsystems, a method based on ontological models was chosen. Ontological schemes make it possible to determine connections between concepts of different classes. In this case, we had classes of impacts on the system and classes of subsystems of the object; the relationships between them were determined through the types of impacts. Figure 2 shows a scheme of the impact of attacks on object subsystems.

The scheme in Figure 2 generally outlines the methods of implementing attacks and the degree of their influence on AMR subsystems. In addition, it makes clear how risks can be reduced by modifying the AMR platform. The left side shows two categories of attacks that can be carried out on an AMR. A peculiarity of the attacks is that spoofing attacks should not completely destabilize the device; it should remain in working order and at the same time perform the functions that the attacker needs. Jamming attacks are generally designed to destabilize and block the operation of a system so that legitimate users or processes cannot influence the execution of assigned tasks. In some cases, an attacker can block or disable the operation of the system so that when the system is turned on, the attacker will pose as a legitimate source of data or commands to control the system on his behalf. Based on this logic, jamming attacks have a blocking effect on those subsystems that do not use redundancy and are directly controlled by the operator. It is easy to implement an attack for such systems; they are highlighted with red rectangles on the right side of the figure. If backup channels or redundant subsystems are used, then it is more difficult for an attacker to carry out an attack, and it may not be possible to disable the system, so the impact on such subsystems can be described as destabilizing. Systems subject to destabilizing effects are shown in orange rectangles on the right in Figure 2. This diagram and the one presented in Figure 3 have been modified based on previous research by the authors of [22]. Finally, as well as the goals of the attack, it is necessary to take into account the factors influencing its implementation. For example, the attacker may not have sufficient competence or equipment, and there may be other factors that reduce the effect of the attack. In addition, as discussed below, attack scenarios that adapt to legitimate systems and imitate the operation of external systems unnoticed by an AMR can be carried out by an attacker.

In our framework, scenarios of attacks directed at navigation and communication channels were considered. To formalize the description of the attack model on GPS signals, the attacks can be subdivided into several types depending on the attacker’s capabilities and goals.

Previously a classification of navigation signal spoofing attacks was presented by Merwe et al. [23]; three types of attacks were considered: meaconing, asynchronous, and synchronous attacks.

Non-coherent or asynchronous attacks are the easiest to implement and do not require significant knowledge and skills from the attacker. The attack consists of amplifying the attacker’s signal in order to override that of the victim. However, the characteristics of the spoofing signal, such as a pseudo-random noise (PRN) code, must be very close to the genuine characteristics of the signal for the attack to succeed [24].

Therefore, to increase the effectiveness of the attack, the attacker can first perform a jamming attack on the victim receiver to make the receiver lose the genuine Global Navigation Satellite System (GNSS) signal and then transmit fake signals to fool the receiver. The spoofer signal is formulated as follows, which is similar to the legitimate signal of the navigation system, except that the characteristics of the signal differ from the legitimate one:

$$y(t)=\mathrm{Re}\left\{{\displaystyle \sum _{i=1}^n\sqrt{P_{si}}{D}_{si}(t-{\tau }_{si}(t))\hspace{0.17em}{C}_i(t-{\tau }_{si}(t))e^{i\left[2\pi f_{c}t-{\varphi }_{si}(t)\right]}}\right\}.$$

(2)

Here, i is the GPS satellite number, i = 1, 2, …, 32; $P_{si}$ is the fake signal amplitude; $D_{si}$ is the bit of data or false signal messages; ${\tau }_{si}\left(t\right)$ is the code delay (due to signal transmission from satellite to receiver) of a fake signal; ${\phi }_{si}\left(t\right)$ is the phase noise of a false signal carrier; and $C_i\left(t\right)$ is its distribution code (often a Binary Phase Shift Keying (BPSK) PRN code or a Binary Offset Carrier (BOC) PRN code).

To carry out an effective asynchronous attack, it is necessary to first disrupt the recipient’s tracking of genuine signals. Typically, this is achieved by increasing the power of the spoofer. Consequently, the power of the generated signals at the receiver antenna phase center is 40–50 dB higher than that of authentic satellite signals.

A synchronous attack differs from an asynchronous one in that the attacker tries to adjust his signal to the legitimate one so that the victim cannot tell the difference and smoothly switches to the attacker’s signal. At the first stage of a synchronous attack, the signals are similar to legitimate ones, with a low level of power. The power is then increased to be at least 4 dB higher than the power of the true signals. In this way, the correlator is “captured”, and the attacker can apply a smooth movement of coordinates and/or time. In order to generate a signal that the victim will consider legitimate, the attacker synchronizes its false code phases ${\tau }_{s1}\left(t\right),\dots ,{\tau }_{sNs}\left(t\right)?$ so that the victim does not disregard the false signal. The spoofed beat carrier phases ${\varphi }_{s1}\left(t\right),\dots ,{\varphi }_{Nss}\left(t\right)$ are typically designed to vary consistently with the spoofed code phases so that $\omega c\left[{\tau }_{si}\left(tb\right)-{\tau }_{si}\left(ta\right)\right]=\left[{\varphi }_{si}\left(tb\right)-{\varphi }_{si}\left(ta\right)\right]$ for any two times ta and tb and for every spoofed signal i.

To implement a meaconing attack, it is necessary to record signals from navigation satellites and to reproduce them. It is possible to carry out an attack in both synchronous and asynchronous scenarios. The meaconer simply retransmits the received GNSS signals. Therefore, the position, velocity, and time (PVT) of the receiver will be equal to the PVT of the transmitter but with an added time delay [25].

In addition, it is important to understand that the GPS navigation system can operate on several frequencies and that the Global Navigation Satellite System (GLONASS) navigation system operates on other frequencies. Therefore, if the receiver uses several frequencies for communication at once, then this must be taken into account when assessing the effectiveness of the attack being implemented. Thus, from the point of view of the GNSS spoofing attack model, this attack can be defined as follows:

$$a_{gi}=H_1(N_i,P_{si},G_i,D_{si},{\tau }_{si},{\phi }_{si},i_{di},PV{T}_{si},C{H}_{si},t),$$

(3)

$$a_m=H_2(N_i,P_{mi},G_i,C_{mi},PV{T}_i,t),$$

(4)

where a_gi is the n-dimensional vector of signs of a navigation signal spoofing attack; $H_i$ is the function that describes the change in these parameters relative to each other; $N_i$ is the type of intruder performing the attack; $P_{si}$ is the spoofed signal power; $i_{di}$ is the impact type taking values from set I; $PV{T}_{si}$ is the position, velocity, and receiver time; $C{H}_{si}$ is number of spoofed channels; and $G_i$ is the transmitting antenna’s gain.

These parameters take different values depending on the type of attack being implemented. Generating a fake signal can be performed by modulating the frequency of a continuous wave (CW) signal using some type of tone-sweeping technique to create broadband interference. Most interference sources use “chirp” signals.

In addition to spoofing attacks, it is important to consider jamming attacks; they can also be implemented in different ways. The main essence of the jamming attack is the generation of a more powerful signal at the same frequency as a legitimate signal with the same oscillation frequency. The interference signals are usually generated by frequency modulation of a continuous wave, although other methods can be used. The jamming efficiency is determined by the power of the jammer J, which increases as the distance r decreases. To assess the effectiveness of interference, we can use the ratio of carrier density to noise C/N₀ [26]:

$${(C/N_0)}_{eff}=\frac{1}{\frac{1}{C/N_0}+\frac{J/S}{Q{R}_c}}=J_{eff},$$

(5)

where ${(C/N_0)}_{eff}$ is the effective carrier-to-noise ratio, $J/S$ is the jammer-to-signal ratio at the receiver, R_c is the basic code rate of pseudo random noise (PRN) in chips per second, and Q is the parameters of the spectral distribution of external radio emission relative to the spectrum of the useful signal (Q = 2.22 for broadband Gaussian interference) [27].

As mentioned earlier, an important factor that influences jamming is the distance to the affected object. At a constant transmitted jammer power J_t, the received jammer power J(r) increases with a decrease in the distance to the object r according to the free-space loss equation when the jammer moves towards the receiver:

$$J\left(r\right)=J_t {\left(\frac{c}{4\pi rf} \right)}^2 ,$$

(6)

where f is the frequency of the jammer and c is the speed of light. Equation (6) shows the dependence of the jammer power on the distance to the jamming object. As the distance is in the denominator, if it increases, the received jammer power will decrease.

Thus, based on the formulas presented above, it can be concluded that the carrier-to-noise ratio will decrease as interference occurs. In this case, the useful signal becomes weaker, and the signal-to-noise ratio (SNR) also decreases. Therefore, the receiver will not be able to correctly determine the location during an attack.

Under idealized conditions when the path loss is excluded, the power received by the object antenna P_r in decibels (which consequently helps to estimate the effectiveness of jamming attack) can be found in decibels as [28]:

$$P_r=P_t+G_t+G_r+20\log \frac{\lambda }{4\pi r},$$

(7)

where P_t is the transmitted power, G_t is the transmitting antenna’s gain, G_r is the receiving antennas gain, and λ is the carrier wavelength.

Now, let us define a jamming attack model:

$$a_j=H_3(N_i,P_{ji},G_{ji},i_{di},J_{eff},r,C{H}_{ji},t),$$

(8)

where $a_j$ is the n-dimensional vector of signs of a navigation signal spoofing attack, $H_i$ is the function that describes the change in given parameters relative to each other, $N_i$ is the type of intruder carrying out the attack, $P_{ji}$ is the jamming signal power, $i_{di}$ is the type of impact taking values from set I, and $G_{ji}$ is the jammer’s antenna gain.

Next, it is necessary to evaluate how each type of attack affects navigation and communication channels. The idea of a spoofing attack is to spoof parameters or data to change the behavior of the AMR. At the same time, the system itself must continue to function. A jamming attack inherently affects the receiver in such a way that it loses the ability to perceive useful signals.

The scheme presented in Figure 2 explains which combinations of subsystems are most vulnerable to attacks. In addition to factors associated with attacks on an AMR, it may also be affected by natural phenomena. Being in the natural environment, an AMR is very vulnerable not only to the presence of factors associated with moving and stationary obstacles but also to weather conditions. We therefore considered environmental factors associated with natural disturbances that may affect an AMR. Let us consider the influence of natural factors using a UAV as an example, as shown in Figure 3.

When attacking a communication system and command system, an attacker needs to influence the AMR at several levels at once. First, it is necessary to understand at the physical level which channel and communication system is used in order to select the appropriate equipment for the attack. Second, it is necessary to know the data format of the attack victim, in particular the network link layer addresses and what protocol stack is used, what application layer protocol is used, as well as message formats. Pu et al. consider counterfeiting attack scenarios on smart manufacturing [29]. They highlight two main privacy vulnerabilities related to the possibility of forging authentication data and packet spoofing. They also consider packet forgery features at the transport layer. When using the Transmission Control Protocol (TCP) as transport for spoofing segments, it is necessary to spoof sequence numbers, acknowledgment numbers, ports, and flags. Typically, such protocols can be Message Queuing Telemetry Transport (MQTT) [30] and Modbus [31].

At the same time, there are other data exchange protocols, in particular telemetry, which can use TCP or the User Datagram Protocol (UDP) as transport, for example, the MAVLink protocol [32]. In addition, there are a number of attacks on routing protocols, where an attacker can also falsify service information about route quality, routing prefix, and so on [33]. Therefore, as an indicator that an attacker is faking, we will define a general indicator of checksums or integrity indicators and service parameters of the package:

$$a_{sdi}=H_4(N_{sdi},i_{di},C{H}_{sdi},CS{I}_{si},T{M}_{si},Aut{h}_{si},Add{r}_{si},Ms{g}_{si},t),$$

(9)

where $a_{sdi}$ is the generalized vector of spoofing attacks on channel and communication protocols, $C{H}_{si}$ is the number of communication channels attacked, $Add{r}_{si}$ is the set of addresses that an attacker spoofs, $CS{I}_{si}$ is the part of the packet header responsible for checksums and integrity parameters forged by an attacker, $T{M}_{si}$ is the service parameters of the package forged by the attacker, and $Ms{g}_{si}$ is the payload, telemetry data, or commands spoofed by the attacker.

Let us consider implementing a jamming attack on the communication channel between AMR and the operator. As described in previous work [34,35,36], for effective jamming, it is necessary to know the frequency and the modulation method, and for effective algorithm selection, it is necessary to know the tuning of the jamming frequency, the width of the jamming spectrum, and the power of the suppression signal:

$$a_{jdi}=H_5(N_{jdi},P_{jdi},G_{jdi},i_{di},C{H}_{jdi},\omega (k),t),$$

(10)

where $a_{jdi}$ is the generalized vector of jamming attacks on a communication channel and $\omega (k)$ is the noise model. In addition to jamming attacks, two types of denial-of-service attacks are possible. These are attacks aimed at breaking connections and flooding the communication medium with packets. In this case, the frequency of sending packets and correct falsification of protocol service data are important:

$$a_{ddi}=H_6(N_{ddi},i_{di},C{H}_{ddi},T{M}_{di},Add{r}_{si},s{r}_{ddi},t),$$

(11)

where $a_{ddi}$ is the generalized vector of denial-of-service attacks on a communication channel and $s{r}_{ddi}$ is the message level.

An important system concept for assessing the intensity of an attack is the intruder itself. Depending on the capabilities of the intruder, he can use a larger number of channels during the attack, obtaining more accurate knowledge about the protocols, type of modulation, and equipment of the attack victim.

2.3. Methodology for Assessing the Impact of Attacks on an AMR

The object of assessment or the overall system (S), which is the AMR, is a complex structure. From a mathematical point of view, one can consider the AMR model as a finite set of elements. Each subsystem includes a large number of sensors and subsystems that are subsets. Within the framework of this study, only three main subsystems were considered: management system (MS), navigation system (NS), and communication system (CS).

Sets of AMR subsystems are associated with specific sets of sensors. The AMR control system is a set of computer equipment, a communication channel, sets of commands, and an operator who controls relevant objects. Table 1 below presents the relationship between the subsystems presented in Figure 2 and the actuators within these subsystems. This table is compiled primarily for autonomous aircraft based on the Pixhawk open architecture flight controller [37].

From

Table 2. A comparison of the AMR systems and actuating mechanisms.

AMR Systems	Considered Units/Systems	Actuating Mechanisms
Remote control system	Control Unit (CU) (required)	☐ AMR operator (O) ☐ AMR operator control panel (OCP) ☐ AMR control channel (control_channel)
	Data Transmission System (DTS) (required)	☐ Quality of data transmission over the radio channel (radio-status, rc_channels) ☐ Quality of data transmission over the telemetry channel (telemetry_status)
	Flight Controller (FC) (optional)	☐ Flight condition monitoring subsystem (commander_state, vehicle_status) ☐ Flight control subsystem, control of inputs and outputs from the operator console (actuator_controls, actuator_outputs) ☐ Motor control subsystem (test_motor, actuator_motors) ☐ Takeoff control (takeoff_status) ☐ Manual control (manual_control_setpoint, manual_control_switches) ☐ Airspeed control (airspeed) ☐ Battery control (battery_status)
	Global Navigation Satellite System (GNSS) (optional)	☐ Control of the number of satellites (satellite_info) ☐ GPS control (sensor_gps)
	Inertial Navigation System (INS) (required)	☐ Gyroscope readings (sensor_gyro) ☐ Accelerometer readings (sensor_accel) ☐ Barometer readings (sensor_baro)
	Computer Vision System (CVS) (optional)	☐ Video stream transmission (optical_flow)
Autonomous control system	Onboard computer (OC) (optional)	☐ CPU control (cpu_load) ☐ RAM control (ram_load) ☐ Monitoring the status of the on-board computer (onboard_computer_status)
	Autopilot (AU) (required)	☐ Motor control subsystem (test_motor, actuator_motors) ☐ Airspeed control (airspeed) ☐ Battery control (battery_status) ☐ Mission control (mission) ☐ Mission result (mission_result) ☐ Home position (home_position) ☐ Control of flight mission points (position_setpoint, position_setpoint_triplet) ☐ Takeoff control (takeoff_status)
	Global Navigation Satellite System (GNSS) (optional)	☐ Control of the number of satellites (satellite_info) ☐ GPS control (sensor_gps)
	Inertial Navigation System (INS) (required)	☐ Gyroscope readings (sensor_gyro) ☐ Accelerometer readings (sensor_accel) ☐ Barometer readings (sensor_baro)
	Computer Vision System (CVS) (optional)	☐ Optical flow estimation (estimator_optical_flow_vel)

, it can be seen that some actuators for different types of control systems overlap, but as a result, the combination of parameters and executive mechanisms for each subsystem is unique. Table 2 presents only the ratio of control subsystems and the key executive mechanisms with which they are provided. In order to assess the impact of attacks on subsystems, it was necessary to determine the sets of parameters that ensure the operation of the actuators.

Figure 3 shows an example of the hierarchical structure of an assessment object, from a high-level representation to an indication of the specific parameters that are associated with each subsystem. Having established connections between subsystems and attacks that can affect them, it is necessary to determine a finite set of parameters that are associated with each subsystem. Establishing this dependence is necessary to construct correlation rules. As can be seen from Figure 4, $DTS\subset CS$ and the correlation rules we ultimately produced appear in Figure 5 below.

A detailed comparison of subsystems and parameters allowed us to highlight the processes that occur in an AMR. Since it was autonomous, the following processes presented in

Table 3. Distinguished processes in an AMR.

Process	Description
Process 1.0. Launch the AMR	This process includes checking the functionality of all components. We do not detail this process here.
Process 2.0. Fulfillment of the AMR’s target task	This “work process” is subdivided into several subprocesses.
Process 2.1. Loading a target job for execution	At this stage, the operator issues a starting job to the AMR or a target function that the AMR performs. Here a data substitution attack can be especially significant since an attacker can change the AMR’s operation by replacing the operator’s message. For an AMR that performs a task remotely, attack vector $a_{sdi}$ will be relevant throughout Process 2.0. If the target function or task is issued remotely over the network, then vectors $a_{jdi}$ and $a_{ddi}$ are also relevant. The intensity of the impact of the attack depends on the level of the intruder.
Process 2.2. Implementation of the target task	At this stage, the AMR is in autonomous or remote mode and performs the target task.
Process 2.2.1. AMR terrain awareness during flight mission	At the same time, and most critical for an AMR which operates without operator communication, are attack vectors $a_j$ and $a_{gi}$.
Process 2.2.2. Current information exchange with the operator	Despite the fact that an AMR can act completely autonomously, it may be necessary to transmit relevant information to the operator, who in turn can adjust the target task, so the attack vectors $a_{sdi}$ and $a_{jdi}$ are relevant. In the case of remote control, these attacks are critical for an AMR. In addition, if the attacker knows the command structure, then he can send his own fake commands without changing the real one.
Process 2.2.3. Adjustment of the AMR target	This procedure can be performed by the AMR itself based on on-board calculations, or it can be performed by the operator even if the AMR operates autonomously. In this case, attack vectors $a_{sdi}$, $a_{jdi}$, and $a_{ddi}$ are relevant. In the case of autonomous correction, attacks of the type are relevant, since they can affect the task being corrected.
Process 3. Completion of the target task	When the AMR achieves a goal or performs a target function, then certain further actions need to be taken.
Process 3.1. Return to original state	The AMR, having completed its task, must return to its original position. For such a scenario, the most significant attack vectors are $a_j$ and $a_{gi}$ as well as $a_{sdi}$, $a_{jdi}$, and $a_{ddi}$ denial-of-service attacks, since the AMR exchanges data with the operator.
Process 3.2. Completion of the task to achieve the target function	In this scenario, the most dangerous attacks are physical access and impact attacks if the AMR is outside the controlled area, but these attacks are beyond the scope of the study.
Process 3.3. Emergency completion of a task	This can be caused by natural factors, when there are objective preconditions (e.g., weather conditions), by critical AMR errors, or due to an attack. Thus, all attack vectors and weather conditions are relevant.

can be distinguished.

Once we have associated processes with attacks and subsystems that are necessary for their execution, we can build an ontology of the impact of attacks with varying degrees of influence on AMR subsystems.

In order to determine the sets of parameters necessary to detect the impact on the navigation and communication subsystems of the AMR, the set of parameters should be universal for most AMRs, and the parameters must be subject to attack vectors or anomalies.

Thus, you can leave the data associated with the Inertial Navigation System (INS). However, we find out that the INS is not subject to attack. Thus, these parameters can only be used to detect natural anomalies or hardware failures. In this study, attack vectors related to hardware failures are not considered since this is related to the development of the components and firmware themselves as well as the process of debugging and testing.

Next come two optional systems: CVS and GNSS. In the case of CVS, we can say that there is no single standard for these subsystems; different protocols, algorithms, and components can be used. In the case of GNSS, although different hardware platforms are used, there is a single protocol and standard, as well as data sets that can be obtained from most sensors. As for data transmission channels, the data set obtained also depends significantly on what is available to a particular receiver.

Depending on what kind of attack is carried out on the AMR, it will have different levels of impact. For example, as can be seen from Figure 2, a navigation signal jamming attack blocks the GNSS, and a navigation signal substitution attack destabilizes the GNSS; therefore, the influence of the first attack will be stronger. The presence of wind and clouds can disrupt GNSS operations.

Thus, it becomes possible to assess the impact of attacks or natural factors on groups of parameters or individual parameters. At the same time, by imposing the extent of influence of an attack or a natural factor on the representation of the impact vector, the sets of parameters for each type of impact become unique. A complete example of the rules for correlating parameters and impact types is presented in Figure 5.

From Figure 5, it can be seen that the types of consequences from different sources are a kind of filter through which a “security event” passes and has a corresponding level of influence on a particular parameter, group of parameters, or class of parameters. In this case, the class of parameters is determined by the system (for example, the communication system); the group of parameters is determined by the “executive mechanism”, and eventually, this is determined by specific sets of parameters.

Below are equations describing the correlation rules for classifying the types of impact on the object of assessment. These rules are compiled on the basis of expert assessment and a review of works on this topic and are also confirmed by experimental studies. Thus, using a set of the same parameters in combination with an assessment of the external impact value on these parameters, we obtained a set of unique vectors that allowed us to classify types of influence. Using set theory, we formalized ontological schemes and obtain final expressions, as shown by Equalities (12)–(22):

$$JNS=B\cap \left\{GNSS\right\},$$

(12)

$$JMC=(D\cap \{telem\_channel\left\}\right)\cup (D\cap \{pos\_ctrl\left\}\right)\cup (B\cap \{traffic\_control\})\cup (B\cap \{Mng\_channel\}),$$

(13)

$$JTC=(B\cap \{telem\_channel\left\}\right)\cup (D\cap \{pos\_ctrl\left\}\right)\cup (B\cap \{traffic\_control\})\cup (D\cap \{Mng\_channel\}),$$

(14)

$$SNS=D\cap \left\{GNS\right\},$$

(15)

$$SMC=(D\cap \{pos\_ctrl\left\}\right)\cup (V\cap \{traffic\_control\})\cup (D\cap \{Mng\_channel\}),$$

(16)

$$STC=(D\cap \{pos\_ctrl\left\}\right)\cup (V\cap \{traffic\_control\})\cup (D\cap \{telem\_channel\}),$$

(17)

$$CA=(A\cap \{pos\_ctrl\left\}\right),$$

(18)

$$CH=(A\cap \{pos\_ctrl\left\}\right)\cup (A\cap \{CS\left\}\right)\times (A\cap \{satellites\_used\}),$$

(19)

$$N=(A\cap \{pos\_ctrl\left\}\right)\cup (A\cap \{CS\left\}\right)\cap (A\cap \{jamming\_indicator\})\cap (A\cap \{noise\}),$$

(20)

$$WA=(A\cap \{pos\_ctrl\left\}\right),$$

(21)

$$WH=(V\cap \{\mathrm{pos}\_\mathrm{ctrl}\left\}\right),$$

(22)

where $JNS$ is the jamming navigation signal attack, B is the blocking influence type, $JMC$ is the jamming of control channel with the operator attack, $GNSS$ is the set of parameters connected with a Global Navigation Satellite System, $\mathrm{telem}\_\mathrm{channel}$ is the number of parameters connected with the quality of data transmission over the telemetry channel, $\mathrm{pos}\_\mathrm{ctrl}$ is the number of parameters connected with position controlling, $JTC$ is the jamming of video stream and telemetry attacks, $\mathrm{traffic}\_\mathrm{control}$ is the number of parameters connected with estimation of traffic transmission control, $\mathrm{Mng}\_\mathrm{channel}$ is the number of parameters connected with estimation of channel control, $D$ is the destabilization influence type, $SNS$ is the navigation signal spoofing attacks, $SMC$ is the control signal spoofing attack, V is the violation influence type, $STC$ is the video stream/telemetry spoofing attack, $CA$ is cloudiness in the range 60–79%, $A$ is the allowable influence type, $CH$ is cloudiness in the range 80–100%, N is the technogenic destructive impact type, $WA$ is the wind speed in the range 5–9.9 m/s, and $WH$ is the wind speed in the range 10–18 m/s.

In this case, we suggest measuring the degree of impact of an attack or of the environment on a parameter based on an analysis of changes in information series. The idea is that to determine the degree of destructive impact on a parameter, it is necessary to evaluate the degree of change in the parameter itself. At the same time, in order to avoid the need to adjust to a specific individual parameter, it is proposed to normalize the parameters and then evaluate the difference between the normalized series of values. Entropy estimation is a standard approach that is used to analyze the differences between certain sets of information. In this case, we obtained normalized series of parameter sets as sets of information. We presented this approach in previous studies [38,39]. A conceptual diagram of the attack detection and classification method is presented in Figure 6.

Detection thresholds were determined based on several factors. First, we used the proposed ontological degree assessment model, where the attack impact intervals parameters are indicated. Thus, after normalizing the data and calculating the entropy value, we can identify ranges of entropy values. Entropy is a measure of the difference between sets of information; the higher this value, the higher the degree of difference between the normalized series of parameters. Therefore, it is possible to standardize these thresholds regardless of the dimension of the parameters:

$$\begin{gathered} A\hspace{0.33em}:n_i\le 0.04 \\ V:0.04<n_i\le 0.1 \\ D:0.1<n_i\le 1 \\ B:n_i>1 \end{gathered}$$

(23)

Thus, having an ontological model and rules for classifying attacks as well as rules for determining thresholds, it was possible to build an attack detection system. Second, these threshold values were confirmed by tests.

Our research methodology workflow is presented in Figure 7. It allowed us to understand clearly how building an ontology, analyzing processes, and analyzing subsystems ultimately allow for creating a system to classify attacks.

3. Results and Discussion

In this section, we present the results of our experimental study and discuss them.

To prove the effectiveness of our solution, an experimental study was conducted using full-scale modeling. To test the effectiveness of the proposed method for detecting attacks and anomalies for cyber–physical systems, an experimental AMR in the form of a quadcopter-type flying autonomous mobile robot (FAMR) was used. The FAMR was subject to destructive influences both from the environment and from the alleged attacker.

Since the AMR considered in this study had several communication channels and a combination of navigation systems for operation, the maximum level of impact for the navigation system could be destabilizing, and for the communication channel, it would be a violation. An intruder, who has increased capabilities, can cause significant harm to such a system. We consider only an attacker with average capabilities who is capable of carrying out simple attack scenarios against one communication channel and one navigation system. Therefore, in the experiments, we only evaluated the effect on the navigation system. In addition, since the properties of the AMR indicate that it operates without an operator and communication is needed only for information gathering, the threat of communication disruption is not relevant and critical. Therefore, such threats were not considered in this study. At the same time, the method for assessing the degree of impact is applicable for different types of data and different attacks. In future studies, we will separately consider the network attacks method for another type of the system where communication is critical.

The AMR prototype is operated without an operator; therefore, as part of the detailed study, only attacks related to influencing communication channels are considered. The prototype is a generic UAV platform based on the PX4 controller [37]. Four scenarios have been considered.

Scenario 1. The AMR performs a flight in mission mode. The attack is not carried out. During the flight mission, the wind speed is at least 2 m/s. This scenario tests for normal variations in AMR flight parameters that may be caused by weather conditions. In this case, the flight mission is carried out with allowed fluctuations in flight parameters.

Scenario 2. The AMR is flying in mission mode. A synchronous attack is carried out to spoof the GPS navigation signal. During the flight mission, the wind speed is at least 2 m/s. During the execution of the scenario, changes in AMR flight parameters are checked, which can be caused by a synchronous attack that spoofs the GPS navigation signal. In this case, the flight mission is carried out with unacceptable fluctuations in flight parameters [40].

Scenario 3. The AMR is flying in mission mode. An asynchronous GPS navigation signal spoofing attack is carried out. During the flight mission, the wind speed is at least 3 m/s. During the execution of the scenario, a strong change in the AMR flight parameters is checked, which is caused by an asynchronous attack that spoofs the GPS navigation signal. In this case, the flight mission is not completed, and the AMR crashes [40].

Scenario 4. The AMR performs a flight in mission mode. A GPS navigation signal jamming attack is underway. During the flight mission, the wind speed is at least 3 m/s. During the execution of this scenario, a strong change in AMR flight parameters is tested, which is caused by a jamming attack on the GPS navigation signal. In this case, the flight mission is not completed, and the AMR crashes [41].

The experiment was carried out in field conditions far from urban areas. The object of the study was the apparatus described in Section 2.1. The on-board computer is a Raspberry Pi 4 model B with 8 GB of RAM and a flash card with recorded program modules. An operator module installed on a laptop was also used. The operator module was used to transfer a task to the device for execution and monitoring. Monitoring was carried out using an operator module, to which data was transmitted over a 915 MHz channel using a LoRaWAN communication module. A 433 MHz module was used as a backup. MAVLink was used as the transmission protocol. The attack was carried out using the HackRF tool. Attack files were created with gps-sdr-sim, which uses the satellite ephemeris data and the coordinates of the fake location to generate a file containing the bit stream of the attack. Ephemeris data are available at Daily GPS Broadcast Ephemeris Files.

The task for the object included four key waypoints, and while the intruder was located between points 1 and 2, he began the attack after the object began to move from point 1 at least for a 2 m distance. The attacker was motionless. Throughout the experiment, the device collected and analyzed data to detect an attack.

For each parameter, entropy was calculated, and the triggering level was determined. Next, according to rules (12)–(22), a set of parameters was determined for which the trigger occurred, and based on the rules, the type of attack was determined. During the experimental study, navigation signal spoofing attacks were divided into two classes.

The operator could observe parameter changes and view flight logs. As can be seen from Figure 8, the parameters change to varying degrees depending on the type of impact being implemented. Normal behavior is also characterized by very minor deviations that do not exceed any threshold. For an asynchronous attack, the deviations are most significant. The final behavior of an object under the influence of an attack is quite interesting. As you can see in the asynchronous scenario, it starts to go astray, and in the end, it crashes because it cannot lock on to the intruder’s satellites. The antenna prevents the signal from being too powerful for further attack. During a synchronized attack, the intruder manages to divert the object from the route, but again, due to the power, the device crashes in the end. When jammed, the device immediately moves in the wrong direction and crashes.

This is because they affect the system differently. In a synchronous attack, the attacker tries to be unnoticed, which requires an attacker with high skill levels, but the attack allows for the AMR to be removed smoothly. In an asynchronous attack, the victim is essentially disconnected from the satellites, and therefore, the attack is more noticeable. As can be seen from Figure 9, the attack in Scenario 3 first completely disables the satellites, and the entropy value is very high since the value of the parameter has changed dramatically. In Scenario 4, once jamming is performed, the device can no longer continue the mission, and therefore, only peaks at the end of the graph can be observed.

Next, we considered what impact the attack from each scenario had on the position parameter. We decided to use latitude and longitude as parameters for analyzing the external destructive influence on the FAMR. However, in their pure form, these parameters provide insufficient information to assess the impact. Therefore, based on these data, the movement of the AMR during the time of the receipt of new data was calculated.

The displacement is a geodetic distance that is calculated relative to previous and current global AMR coordinates from the World Geodetic System 1984 (WGS 84) ellipsoidal earth model and is represented in meters. Changes in the entropy values of the displacement parameter are presented in Figure 10. In the absence of external destructive influence, the AMR moves about 1.25 m during the time of the receipt of new data (0.25 s) at a speed of 5 m/s. Under normal conditions, the movement of the AMR according to data from the GPS receiver is approximately 0.02 m.

However, in the presence of an external destructive influence on the AMR, depending on its strength, during the same period of time when reading data from a GPS receiver, the movement parameter can vary from several tens of meters to an unlimited value in the case of a navigation signal spoofing attack. Thus, an analysis of the AMR movement parameter makes it possible to detect external destructive influences, which can be associated both with attacks of substitution or the jamming of the navigation signal, and with less dangerous anomalies associated with weather conditions, e.g., heavy cloudiness, due to which the quality of the received signal decreases and “jumps” of movement may occur; high wind speeds, which have a direct impact on the speed of AMR movement; etc.

To analyze the collected data from the logs, the entropy value was calculated for each scenario and each parameter assessed. Next, the maximum entropy value was selected, and graphs were drawn for each parameter with an assessment of the intersection of response levels, as shown in Figure 11 for the SNR parameter.

As described in Section 2, a jamming attack helps reduce the SNR at the receiver since legitimate signals are turned off and only noise remains, and so, the graph looks fairly uniform. We record only the fact of the start of the attack. In synchronous and asynchronous attacks, the attacker must persuade the receiver to switch to his signal, so he sends a clearly more powerful signal, but for a synchronous spoofing attack, this signal should not sharply “interrupt” the legitimate one. The resulting picture for different logs reflects this situation.

The standard deviation of horizontal position error (EPH) and the standard deviation of vertical position error (EPV) values are calculated by the flight controller based on the root mean square values of the horizontal dilution of precision (HDOP) and vertical dilution of precision (VDOP). These parameters are used in the flight controller firmware to evaluate the signal quality and the amount of data received. They determine the “thresholds” of trust in the signal and the data in it as well as the very possibility of using a GPS sensor for positioning and determining coordinates and other parameters.

A similar analysis was carried out for all parameters that are necessary to evaluate the parameters of the navigation system to detect an attack. In total, about 100 flight records were analyzed. As a result, correlation rules were detailed to detect the following cases of impact on AMR:

$$Async=(hdop\ge B)\cap (vdop\ge B)\cap (numSats\ge B)\cap ((EPH>V)\cup (EPV>V)\cap ((Position>V)\cup (SNR>V))\cap (numSats>B),$$

(24)

$$Sync=((hdop\ge D)\cup (vdop\ge D))\cap (numSat\ge V)\cap ((EPH>V)\cup (EPV>V)\cup (V\le Position<B))\cup (SNR>V),$$

(25)

$$Anomaly\_GPS=(((hdop\ge D)\cup (vdop\ge D))\cup ((numSat\ge V)(SNR\ge V)))\cap ((EPH\ge V)\cup (EPV\ge V))\cup (Position\ge V))),$$

(26)

$$GPS\_Jamm=(hdop\ge B)\cap (vdop\ge B)\cap (numSats\ge B)\cap (EPH\ge D)\cap (EPV\ge V)\cap (SNR>D)\cap (numSats>B)\cap (Position>D)$$

(27)

These rules allow us to group parameters to evaluate their changes and classify attacks. Some parameters are more important for determining a certain type of attack. For example, to determine a synchronous attack, it is important that at least one of the parameters that determine the change in position works because the attack is carried out quite smoothly.

For a jamming attack, all parameters must work because this attack will completely destabilize the device. To evaluate the accuracy of the correlation rules, a test sample was collected, including 10 flight logs for each class. The evaluation results are presented in

Table 4. Correlation rules test results.

Scenario	Type I Error	Type II Error	Detection Time, s	Probability of Detecting an Attack or Anomaly
Scenario 1	0	0.01	0.25	0.99
Scenario 2	0.03	0	0.25	0.97
Scenario 3	0.08	0	0.25	0.92
Scenario 4	0.1	0	0.25	0.9
Average value	0.05	0.0025	0.25	0.95

. To assess the quality of detection, an approach based on the assessment of type I and type II errors as well as detection time was used [42].

The presence of an anomaly was assessed for each parameter. It determined which response level the parameter has crossed. Next, if the set of parameters has crossed the required response threshold, then the type of attack was determined according to classification rules (12)–(22). Taking into account the fact that four types of scenarios were carried out and data were collected in the results of the scenarios, we know what impact on the AMR occurred in which case. For each case, compliance or non-compliance with the expected scenario was determined, and errors were calculated. In this case, each parameter was analyzed, each time and the degree of its change as well as the expected change were assessed.

The average detection time was 0.25 s; this is due to the frequency of data updates. We read data four times per second to detect signs of impact at the first update package. There are very few cases where an attack is not detected correctly; they are mainly because the attack was not executed as expected. It did not have the desired effect on the parameters, so it was noticed, but an attack of a lower level was identified. There were practically no errors of the second type, that is, there were no false positives. This is very important if, after classifying an attack, we need to make a decision on how to respond, and a false positive can lead to some additional unnecessary actions.

As was evident from the review of related works, other researchers do not distinguish different types of spoofing attack scenarios. This division is very important because it allows for assessing the capabilities of the intruder who carries out the attack and predicting how the attack may develop. By understanding the type of attacker and the attack vector, we can develop a plan to respond or counteract more accurately. For example, if we know that a synchronous spoofer is acting against us, the attacker usually uses two antennas: one to receive GPS signals and another to fake them. Thus, we can influence the spoofer in response.

In general, our method is not limited to only considering spoofing and jamming scenarios; they are presented here mainly as an example and for testing the method. Basically, existing methods detect attacks based on artificial intelligence. For this purpose, data are collected, preprocessed, and classified. Having studied the data collected as a result of implementing various types of attack scenarios, we came to the conclusion that these data are poorly separable on their own. Adding an impact factor allows us to work with data more flexibly. In addition, we can assess the degree of susceptibility of the system to a given attack.

It can happen that an attack is implemented, but it does not harm the system. In addition, in our study, we determined how two attack vectors are related to each other: the first vector represents the initial impact of the intruder, what he changes in the environment to influence the victim, and the second vector is the number of signs that change under the influence of the intruder. Thus, if we carry out comprehensive monitoring, for example, listening to the broadcast and analyzing parameters at the same time, we can increase the speed and accuracy of attack detection.

4. Conclusions

As a result of the study, types of attacks on autonomous mobile robots were identified and detailed. It has been determined that spoofing attacks can affect an AMR in different ways. The final impact on an AMR’s parameters depends on the level of training. An important step in creating an attack classification system is the selection of parameters to evaluate as well as the method for their normalization. If machine learning methods are used, the attack classes should be clearly distinguishable. At the same time, asynchronous, synchronous, and jamming attacks may overlap. This is due to the fact that an asynchronous attack can be implemented through initial jamming to disconnect from legitimate satellites. It is important to evaluate the intensity and moments of changes in parameters, and so, it is necessary to build chains of correlation rules. For example, an asynchronous attack will begin with an increase in the SNR because the attacker is trying to produce a more powerful signal for the receiver. As a result, there will be a decrease in the number of satellites accessible and of positioning accuracy. However, during a jamming attack, the SNR does not change dramatically because the desired signal does not reach the receiver. As a rule, the horizontal position error (EPH) and vertical position error (EPV) parameters change together with the position change since these parameters evaluate the positioning accuracy.

An important result of the study is the identification of parameter sets with AMR subsystems. As can be seen from the ontological diagrams, some parameters overlap in different subsystems. The introduction of response thresholds and the degree of influence of attacks on parameters makes it possible to separate classes of attacks and anomalies. Determining the right set of parameters for classification is a key task to avoid redundancy and the correlation of parameters. For example, altitude and speed data were excluded from the assessment. This is due to the fact that the altitude and speed of flight are often affected by weather anomalies; in addition, the intruder, in fact, does not directly affect these parameters. The intruder only replaces the coordinates of the satellites transmitted to the victim, and based on these data, the flight parameters calculated by the controller are determined. The resulting rules show that by applying the degree of change in parameters, it is possible to obtain a unique set of correlation rules for different types of attacks, even those that are similar to each other. In the future, this could be used to assess the likelihood of an incident and the type of intruder. In addition, uniform response thresholds were obtained that can be applied to different parameters, which allows for the method to be scaled for any subsystem of any AMR. Unified response thresholds are a universal tool for analyzing the intensity of an attack. Thus, the presented attack models, including sets of parameters that the attacker uses when influencing the victim, and the resulting correlation rules connect the initial and final attack vectors on the victim. The results obtained can be used for separating different types of destructive effects on classes to detect and counter attacks on an AMR.

The main idea is that by adding the factor of intensity or degree of impact to the description of the attack vector, we can more flexibly separate different types of attacks as well as predict the consequences. Based on this approach, it is planned in the future to separate denial-of-service attacks and determine their intensity and degree of impact on the system. Internal stability for AMRs and cyber–physical systems is primary. The concept of cyber resilience and security by design is now actively developing. Many classes of attacks themselves are poorly separable since they affect the same parameters and cause a similar system response. In this case, one attack can bring the system down, while another can cause a temporary failure, as in the example of spoofing attacks. Any change in the system can become critical, and by correlating the parameters and the degree of their changes, such events can be identified. In the future, it is also planned to introduce a time factor. During the study, a certain consistency in the operation of the parameters was also noticed. Adding a time factor will allow us to detect an attack at an early stage.

The method we presented here is limited only by the set of rules that can be created. The new attack will likely show up as one of the types of attacks introduced in the rules or as an anomaly. Therefore, in the future, it is planned to solve this problem through the use of artificial intelligence. Thus, the combination of methods can give a new effect in detecting attacks.