Stealthy Attacks against Robotic Vehicles Protected by Control-based Intrusion Detection Techniques

Authors:
Pritam Dash

University of British Columbia, Vancouver, Canada

University of British Columbia, Vancouver, Canada
View Profile

,
Mehdi Karimibiuki

University of British Columbia, Vancouver, Canada

University of British Columbia, Vancouver, Canada
View Profile

,
Karthik Pattabiraman

University of British Columbia, Vancouver, Canada

University of British Columbia, Vancouver, Canada
View Profile

Authors Info & Claims

Digital Threats: Research and Practice Volume 2 Issue 1Article No.: 7pp 1–25https://doi.org/10.1145/3419474

Published:22 January 2021Publication History

Digital Threats: Research and Practice

Abstract

Robotic vehicles (RV) are increasing in adoption in many industrial sectors. RVs use auto-pilot software for perception and navigation and rely on sensors and actuators for operating autonomously in the physical world. Control algorithms have been used in RVs to minimize the effects of noisy sensors, prevent faulty actuator output, and, recently, to detect attacks against RVs. In this article, we demonstrate the vulnerabilities in control-based intrusion detection techniques and propose three kinds of stealthy attacks that evade detection and disrupt RV missions. We also propose automated algorithms for performing the attacks without requiring the attacker to expend significant effort or to know specific details of the RV, thus making the attacks applicable to a wide range of RVs. We demonstrate the attacks on eight RV systems including three real vehicles in the presence of an Intrusion Detection System using control-based techniques to monitor RV’s runtime behavior and detect attacks. We find that the control-based techniques are incapable of detecting our stealthy attacks and that the attacks can have significant adverse impact on the RV’s mission (e.g., deviate it significantly from its target, or cause it to crash).

References

Sridhar Adepu and Aditya Mathur. 2016. Using process invariants to detect cyber attacks on a water treatment system. In Proceedings of the IFIP International Information Security and Privacy Conference. 91--104Google Scholar
Ekta Aggarwal, Mehdi Karimibiuki, Karthik Pattabiraman, and André Ivanov. 2018. CORGIDS: A correlation-based generic intrusion detection system. In Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy (CPS-SPC’18). ACM, New York, NY, 24--35. DOI:https://doi.org/10.1145/3264888.3264893Google Scholar
Chuadhry Mujeeb Ahmed, Jianying Zhou, and Aditya P. Mathur. 2018. Noise matters: Using sensor and process noise fingerprint to detect stealthy cyber attacks and authenticate sensors in CPS. In Proceedings of the 34th Annual Computer Security Applications Conference (ACSAC’18). ACM, New York, NY, 566--581. DOI:https://doi.org/10.1145/3274694.3274748Google Scholar
H. Alemzadeh, D. Chen, X. Li, T. Kesavadas, Z. T. Kalbarczyk, and R. K. Iyer. 2016. Targeted attacks on teleoperated surgical robots: Dynamic model-based detection and mitigation. In Proceedings of the 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN’16). 395--406. DOI:https://doi.org/10.1109/DSN.2016.43Google Scholar
Maryam Raiyat Aliabadi, Amita Ajith Kamath, Julien Gascon-Samson, and Karthik Pattabiraman. 2017. ARTINALI: Dynamic invariant detection for cyber-physical system security. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE’17). ACM, New York, NY, 349--361. DOI:https://doi.org/10.1145/3106237.3106282Google ScholarDigital Library
Amazon Prime [n.d.]. Amazon Prime Delivery. Retrieved January 24, 2019 from https://www.amazon.com/Amazon-Prime-Air/b?node=8037720011.Google Scholar
ArduPilot [n.d.]. Ardupilot—Software in the Loop. Retrieved May 24, 2018 from http://ardupilot.org/dev/docs/sitl-simulator-software-in-the-loop.html.Google Scholar
Aryn Baker. [n.d.]. Zipline Drone Delivery. Retrieved January 24, 2019 from http://www.flyzipline.com/.Google Scholar
P.-J. Bristeau, E. Dorveaux, D. Vissière, and N. Petit. 2010. Hardware and software architecture for state estimation on an experimental low-cost small-scaled helicopter. Contr. Eng. Pract. 18, 7 (2010), 733--746. DOI:https://doi.org/10.1016/j.conengprac.2010.02.014Google ScholarCross Ref
Stephen Burns. [n.d.]. Drone Meets Delivery Truck. Retrieved May 24, 2019 from https://www.ups.com/us/es/services/knowledge-center/article.page?name=drone-meets-delivery-truck8kid=cd18bdc2.Google Scholar
Alvaro Cardenas, Saurabh Amin, Bruno Sinopoli, Annarita Giani, Adrian Perrig, and Shankar Sastry. 2009. Challenges for securing cyber physical systems. In Proceedings of the Workshop on Future Directions in Cyber-physical Systems Security. DHS.Google Scholar
Y. Chen, C. M. Poskitt, and J. Sun. 2018. Learning from mutants: Using code mutation to learn and monitor invariants of a cyber-physical system. In Proceedings of the 2018 IEEE Symposium on Security and Privacy (SP’18). IEEE Computer Society, Los Alamitos, CA, 648--660. DOI:https://doi.org/10.1109/SP.2018.00016Google ScholarCross Ref
Grzegorz Chmaj and Henry Selvaraj. 2015. Distributed processing applications for UAV/drones: A survey. In Progress in Systems Engineering, Henry Selvaraj, Dawid Zydek, and Grzegorz Chmaj (Eds.). Springer International Publishing, Cham, 449--454.Google Scholar
Hongjun Choi, Sayali Kate, Yousra Aafer, Xiangyu Zhang, and Dongyan Xu. 2020. Software-based realtime recovery from sensor attacks on robotic vehicles. In Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID’20). USENIX Association.Google Scholar
Hongjun Choi, Wen-Chuan Lee, Yousra Aafer, Fan Fei, Zhan Tu, Xiangyu Zhang, Dongyan Xu, and Xinyan Deng. 2018. Detecting attacks against robotic vehicles: A control invariant approach. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS’18). ACM, New York, NY, 801--816. DOI:https://doi.org/10.1145/3243734.3243752Google ScholarDigital Library
Keywhan Chung, Zbigniew T. Kalbarczyk, and Ravishankar K. Iyer. 2019. Availability attacks on computing systems through alteration of environmental control: Smart malware approach. In Proceedings of the 10th ACM/IEEE international conference on cyber-physical systems (ICCPS’19). ACM, New York, NY, 1--12. DOI:https://doi.org/10.1145/3302509.3311041Google Scholar
Keywhan Chung, Xiao Li, Peicheng Tang, Zeran Zhu, Zbigniew T. Kalbarczyk, Ravishankar K. Iyer, and Thenkurussi Kesavadas. 2019. Smart malware that uses leaked control data of robotic applications: The case of Raven-II surgical robots. In Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID’19). USENIX Association, 337--351.Google Scholar
G. Dan and H. Sandberg. 2010. Stealth attacks and protection schemes for state estimators in power systems. In Proceedings of the 2010 1st IEEE International Conference on Smart Grid Communications. 214--219. DOI:https://doi.org/10.1109/SMARTGRID.2010.5622046Google Scholar
Drew Davidson, Hao Wu, Rob Jellinek, Vikas Singh, and Thomas Ristenpart. 2016. Controlling UAVs with sensor input spoofing attacks. In Proceedings of the 10th USENIX Workshop on Offensive Technologies (WOOT’16). USENIX Association.Google Scholar
Emlid. [n.d.]. Navio2. Retrieved from https://emlid.com/navio/.Google Scholar
ETH-Agile and Dexterous Robotics Lab. [n.d.]. Control Toolbox. Retrieved from https://ethz-adrl.github.io/ct/ct_doc/doc/html/index.html.Google Scholar
Fan Fei, Zhan Tu, Dongyan Xu, and Xinyan Deng. 2019. Learn-to-recover: Retrofitting UAVs with reinforcement learning-assisted flight control under cyber-physical attacks. In IEEE International Conference on Robotics and Automation (ICRA'20). 7358--7364. DOI:10.1109/ICRA40945.2020.9196611Google Scholar
Gene F. Franklin, J. David Powell, and Abbas Emami-Naeini. 2018. Feedback Control of Dynamic Systems (8th Ed.) (What’s New in Engineering). Pearson.Google Scholar
Luis Garcia, Ferdinand Brasser, Mehmet Hazar Cintuglu, Ahmad-Reza Sadeghi, Osama A. Mohammed, and Saman A. Zonouz. 2017. Hey, my malware knows physics! Attacking PLCs with physical model aware rootkit. In Proceedings of the Network and Distributed System Security Symposium (NDSS’17).Google Scholar
Ian Y. Garrett and Ryan M. Gerdes. 2020. On the efficacy of model-based attack detectors for unmanned aerial systems. In Proceedings of the 2nd ACM Workshop on Automotive and Aerial Vehicle Security (AutoSec’20). Association for Computing Machinery, New York, NY, 11--14.Google Scholar
R. M. Góes, E. Kang, R. Kwong, and S. Lafortune. 2017. Stealthy deception attacks for cyber-physical systems. In Proceedings of the 2017 IEEE 56th Annual Conference on Decision and Control (CDC’17). 4224--4230. DOI:https://doi.org/10.1109/CDC.2017.8264281Google Scholar
J. Habibi, A. Gupta, S. Carlsony, A. Panicker, and E. Bertino. 2015. MAVR: Code reuse stealthy attacks and mitigation on unmanned aerial vehicles. In Proceedings of the 2015 IEEE 35th International Conference on Distributed Computing Systems. 642--652.Google Scholar
D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel. 2008. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In Proceedings of the 2008 IEEE Symposium on Security and Privacy (SPS’08).Google Scholar
Andrew J. Hawkins. [n.d.]. UPS will use drones to deliver medical supplies in North Carolina. Retrieved May 24, 2019 from https://www.theverge.com/2019/3/26/18282291/ups-drone-delivery-hospital-nc-matternet.Google Scholar
Todd E. Humphreys. 2008. Assessing the spoofing threat: Development of a portable GPS civilian spoofer. In Proceedings of the Institute of Navigation GNSS (ION GNSS’08).Google Scholar
JSMSim [n.d.]. JSBSim Open Source Flight Dynamics Model. Retrieved May 24, 2018 from “http://jsbsim.sourceforge.net/”.Google Scholar
S. Karnouskos. 2011. Stuxnet worm impact on industrial cyber-physical system security. In Proceedings of the 37th Annual Conference of the IEEE Industrial Electronics Society (IECON’11). 4490--4494. DOI:https://doi.org/10.1109/IECON.2011.6120048Google Scholar
Kyo Hyun Kim, Siddhartha Nalluri, Ashish Kashinath, Yu Wang, Sibin Mohan, Miroslav Pajic, and Bo Li. 2020. Security analysis against spoofing attacks for distributed UAVs. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS’16). Association for Computing Machinery, New York, NY. DOI:https://doi.org/10.1145/2976749.2978388Google Scholar
Taegyu Kim, Chung Hwan Kim, Junghwan Rhee, Fan Fei, Zhan Tu, Gregory Walkup, Xiangyu Zhang, Xinyan Deng, and Dongyan Xu. 2019. RVFuzzer: Finding input validation bugs in robotic vehicles through control-guided testing. In Proceedings of the 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, 425--442.Google Scholar
Robert M. Lee, Michael J. Assante, and Tim Conway. 2016. Analysis of the cyber attack on the ukrainian power grid. Technical report. Electricity Information Sharing and Analysis Center (E-ISAC).Google Scholar
J. Li and Y. Li. 2011. Dynamic analysis and PID control for a quadrotor. In Proceedings of the 2011 IEEE International Conference on Mechatronics and Automation. 573--578. DOI:https://doi.org/10.1109/ICMA.2011.5985724Google Scholar
Yao Liu, Peng Ning, and Michael K. Reiter. 2009. False data injection attacks against state estimation in electric power grids. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS’09). ACM, New York, NY, 21--32. DOI:https://doi.org/10.1145/1653662.1653666Google Scholar
L. Ljung. 1979. Asymptotic behavior of the extended Kalman filter as a parameter estimator for linear systems. IEEE Trans. Automat. Contr. 24, 1 (Feb. 1979), 36--50. DOI:https://doi.org/10.1109/TAC.1979.1101943Google Scholar
K. Manandhar, X. Cao, F. Hu, and Y. Liu. 2014. Detection of faults and attacks including false data injection attack in smart grid using kalman filter. IEEE Trans. Contr. Netw. Syst. 1, 4 (Dec. 2014), 370--379. DOI:https://doi.org/10.1109/TCNS.2014.2357531Google Scholar
MATLAB. [n.d.]. System Identification Overview. Retrieved from https://www.mathworks.com/help/ident/gs/about-system-identification.html.Google Scholar
MATLAB. [n.d.]. System Identification Toolbox. Retrieved from https://www.mathworks.com/products/sysid.html.Google Scholar
S. McLaughlin and S. Zonouz. 2014. Controller-aware false data injection against programmable logic controllers. In Proceedings of the 2014 IEEE International Conference on Smart Grid Communications (SmartGridComm’14). 848--853. DOI:https://doi.org/10.1109/SmartGridComm.2014.7007754Google Scholar
Lorenz Meier, Petri Tanskanen, Friedrich Fraundorfer, and Marc Pollefeys. 2011. Pixhawk: A system for autonomous flight using onboard computer vision. In Proceedings of the 2011 IEEE International Conference on Robotics and Automation. IEEE, 2992--2997.Google Scholar
MARS 2020 Mission. [n.d.]. MARS Exploration Rover. Retrieved from https://mars.nasa.gov/mer/mission/rover/.Google Scholar
Robert Mitchell and Ing-Ray Chen. 2012. Specification based intrusion detection for unmanned aircraft systems. In Proceedings of the 1st ACM MobiHoc Workshop on Airborne Networks and Communications. 31--36.Google ScholarDigital Library
Robert Mitchell and Ing-Ray Chen. 2014. Adaptive intrusion detection of malicious unmanned air vehicles using behavior rule specifications. IEEE Trans. Syst. Man Cybernet.: Syst. 44, 5 (2014), 2014.Google ScholarCross Ref
GNU Octave. [n.d.]. GNU Octave Scientific Programming Language. Retrieved from https://www.gnu.org/software/octave/.Google Scholar
Out of Control. [n.d.]. Artificial Delay Attack Demo Video. Retrieved from https://drive.google.com/open?id=1_CHITopKSraKZXnAIyeUoQZqki8fgUXe.Google Scholar
Out of Control. [n.d.]. False Data Injection Attack Demo Video. Retrieved from https://drive.google.com/open?id=1JgrCpwspsBiYdNvKUxeKnl-bZQ9WS_Cg.Google Scholar
Out of Control. [n.d.]. Switch Mode Attack Demo Video. Retrieved from https://drive.google.com/open?id=1yUSGa5GoBQYl0GTiTbcPFN5NnjBHXL-Y.Google Scholar
Parrot.com. [n.d.]. Bebop2. Retrieved from https://www.parrot.com/us/drones/parrot-bebop-2.Google Scholar
Gazebo Project. [n.d.]. Gazebo Robot Simulation. Retrieved from http://gazebosim.org/.Google Scholar
Raul Quinonez, Jairo Giraldo, Luis Salazar, Erick Bauman, Alvaro Cardenas, and Zhiqiang Lin. 2020. SAVIOR: Securing autonomous vehicles with robust physical invariants. In Proceedings of the 29th USENIX Security Symposium (USENIX Security 20). USENIX Association.Google Scholar
Hadi Ravanbakhsh, Sina Aghli, Christoffer Heckman, and Sriram Sankaranarayanan. 2018. Path-following through control funnel functions. arXiv/1804.05288. Retrieved from https://arxiv:1804.05288.Google Scholar
Aion Robotics. [n.d.]. R1 ArduPilot Edition. Retrieved from https://docs.aionrobotics.com/en/latest/r1-ugv.html.Google Scholar
Sky Rocket. [n.d.]. Sky Viper Journey. Retrieved from https://sky-viper.com/journey/.Google Scholar
H. Sakoe and S. Chiba. 1978. Dynamic programming algorithm optimization for spoken word recognition. IEEE Trans. Acoust. Speech Sign. Process. 26, 1 (Feb. 1978), 43--49.Google ScholarCross Ref
Nicolas Sheilds. [n.d.]. Walmart Drone Delivery. Retrieved December 9, 2018 from https://www.businessinsider.com/walmart-blockchain-drone-delivery-patent-2018-9.Google Scholar
Yasser Shoukry, Paul Martin, Paulo Tabuada, and Mani Srivastava. 2013. Non-invasive spoofing attacks for anti-lock braking systems. In Proceedings of the Cryptographic Hardware and Embedded Systems (CHES’13), Guido Bertoni and Jean-Sebastien Coron (Eds.). Springer, Berlin, 55--72.Google Scholar
Yunmok Son, Hocheol Shin, Dongkwan Kim, Youngseok Park, Juhwan Noh, Kibum Choi, Jungwoo Choi, and Yongdae Kim. 2015. Rocking drones with intentional sound noise on gyroscopic sensors. In Proceedings of the 24th USENIX Security Symposium (USENIX Security 15). USENIX Association, 881--896.Google ScholarDigital Library
Christopher Steiner. [n.d.]. Bot-In-Time Delivery. Retrieved from https://www.forbes.com/forbes/2009/0316/040_bot_time_saves_nine.html#68ee53d9b942.Google Scholar
Paparazzi Development Team. [n.d.]. Paparazzi—The Free Autopilot. Retrieved from https://wiki.paparazziuav.org/wiki/Main_Page.Google Scholar
Pixhawk Development Team. [n.d.]. Pixhawk AutoPilot. Retrieved from https://docs.px4.io/en/flight_controller/pixhawk_series.html.Google Scholar
Nils Ole Tippenhauer, Christina Pöpper, Kasper Bonne Rasmussen, and Srdjan Capkun. 2011. On the requirements for successful GPS spoofing attacks. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS’11). ACM, New York, NY, 75--86.Google ScholarDigital Library
T. Trippel, O. Weisse, W. Xu, P. Honeyman, and K. Fu. 2017. WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks. In Proceedings of the 2017 IEEE European Symposium on Security and Privacy (EuroSP’17). 3--18. DOI:https://doi.org/10.1109/EuroSP.2017.42Google Scholar
David I. Urbina, Jairo A. Giraldo, Alvaro A. Cardenas, Nils Ole Tippenhauer, Junia Valente, Mustafa Faisal, Justin Ruths, Richard Candell, and Henrik Sandberg. 2016. Limiting the impact of stealthy attacks on industrial control systems. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS’16). ACM, New York, NY, 1092--1105. DOI:https://doi.org/10.1145/2976749.2978388Google ScholarDigital Library
T. P. Vuong, G. Loukas, D. Gan, and A. Bezemskij. 2015. Decision tree-based detection of denial of service and command injection attacks on robotic vehicles. In Proceedings of the 2015 IEEE International Workshop on Information Forensics and Security (WIFS’15). 1--6.Google Scholar
Zhaolin Yang, Feng Lin, and B. M. Chen. 2016. Survey of autopilot for multi-rotor unmanned aerial vehicles. In Proceedings of the 42nd Annual Conference of the IEEE Industrial Electronics Society (IECON’16). 6122--6127. DOI:https://doi.org/10.1109/IECON.2016.7793820Google Scholar

Index Terms

Stealthy Attacks against Robotic Vehicles Protected by Control-based Intrusion Detection Techniques
1. Computer systems organization
  1. Embedded and cyber-physical systems
    1. Sensors and actuators
2. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
    1. Intrusion detection systems

Recommendations

Detecting Attacks Against Robotic Vehicles: A Control Invariant Approach
CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

Robotic vehicles (RVs), such as drones and ground rovers, are a type of cyber-physical systems that operate in the physical world under the control of computing components in the cyber world. Despite RVs' robustness against natural disturbances, cyber ...
Read More
Out of control: stealthy attacks against robotic vehicles protected by control-based techniques
ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference

Robotic vehicles (RVs) are cyber-physical systems that operate in the physical world under the control of software functions. They are increasing in adoption in many industrial sectors. RVs rely on sensors and actuators for system operations and ...
Read More
Modeling and control of Cyber-Physical Systems subject to cyber attacks: A survey of recent advances and challenges
Highlights
- In general, the cyber-attacks in the literature can be classified into three main types: denial of service (DoS) attacks, deception attacks, and replay ...
Abstract
Cyber Physical Systems (CPS) are almost everywhere; they can be accessed and controlled remotely. These features make them more vulnerable to cyber attacks. Since these systems provide critical services, having them under attack would ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
Digital Threats: Research and Practice Volume 2, Issue 1
Special Issue on ACSAC'19: Part 2
March 2021
160 pages
EISSN:2576-5337
DOI:10.1145/3447873
Editors:
Arun Lakhotia
University of Louisiana at Lafayette and Cythereal, USA
,
Leigh Metcalf
CERT, USA
Issue’s Table of Contents
Copyright © 2021 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 22 January 2021
- Accepted: 1 August 2020
- Received: 1 May 2020
Published in dtrap Volume 2, Issue 1

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Cyber physical systems (CPS)
invariant analysis
robotic vehicle security
Qualifiers
- research-article
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 13
  Total Citations
  View Citations
- 1,572
  Total Downloads
- Downloads (Last 12 months)365
- Downloads (Last 6 weeks)29
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

HTML Format

View this article in HTML Format .

View HTML Format

Stealthy Attacks against Robotic Vehicles Protected by Control-based Intrusion Detection Techniques

Digital Threats: Research and Practice

Abstract

References

Cited By

Index Terms

Recommendations

Detecting Attacks Against Robotic Vehicles: A Control Invariant Approach

Out of control: stealthy attacks against robotic vehicles protected by control-based techniques

Modeling and control of Cyber-Physical Systems subject to cyber attacks: A survey of recent advances and challenges