Practical Software Defense for GPS Spoofing on a Hobby UAV

Autonomous systems, such as unmanned aerial vehicles (UAVs) and self driving cars, operate by reacting to physical phenomena captured by onboard sensors. Current UAVs rely on the Global Positioning System (GPS), or other global navigation satellite system, to determine their location on Earth. Consequently, the GPS receiver can be used as an implicit control channel for autonomous systems. We propose a software defense that uses observations from independent sensor systems to detect GPS spoofing. We modify an open source UAV control program to incorporate our defense and evaluate our defense on hobby-grade drone hardware using simulated GPS spoofing. In our field tests we demonstrate that built-in sensor fusion mechanisms were unable to detect GPS spoofing and that our method could detect subtle GPS spoofing using multiple different sensors.


INTRODUCTION
Unmanned aerial vehicles (UAVs) are use for autonomous tasks from automatic delivery systems [2] to unsupervised mobile security cameras [1].Modern UAVs rely heavily on global navigation satellite systems, often the Global Positioning System (GPS), leaving them vulnerable to GPS spoofing attacks where an adversary introduces a series of false GPS readings to the UAV.GPS spoofing give an adversary control over the vehicle without compromising its hardware or software since the navigation system will fly based on adversary-controlled readings, potentially flying off-course or crashing [8,10,12,20].Despite prior research identifying GPS spoofing as a threat to autonomous navigation [11,14,15,22,25], the lack of alternatives for location information on Earth makes spoofing detection an important problem [19].
Recent work [9,10,21,24] tries learning models of UAV behavior from data recorded during normal flight, often referred to as a physics-based detection (PBAD) model.A popular approach is to create a control invariant that estimates the state space of the system and identifies patterns of GPS readings inconsistent with those during normal flight.The Control Invariant (CI) defense has proven effective in detecting attacks that influence GPS readings significantly.A necessary assumption of the CI defense is inconsistencies within the stream of data from the GPS receiver must be a result of GPS sensor spoofing.
However, An important limitation of PBAD models and by extension CI defenses is having to account for natural variation and errors that occur during flight.To prevent the integration of errors from triggering a false alarm PBAD models periodically reset their state to an absolute position, the GPS.The "reset" provides an opportunity for a subtle attacker to introduce small deviations that mimic normal flight and accumulate over the course of the UAV's flight.All PBAD models detect sensor spoofing by some variation of prediction and expect an attacker to raise the noise above their threshold before the reset.The detection threshold of these defenses acts as a "noise floor" for detectable attacks which we posit a subtle attacker would be effective against.
We propose a defense against GPS spoofing that foregoes state estimation and prediction.For an attack to be effective the spoofed data must change the UAV's in-flight behavior.The change in behavior will be detectable by other sensors deployed on the UAV.Our key observation is that spoofed GPS data, even within expected error bounds, must become inconsistent with the observations of other sensors deployed on the UAV.We are not proposing reconstructing a sensors data from other sensors to detect inconsistencies but instead to use consistent measurable behavior found in other sensors correlated with the GPS.In realizing our defense we address two key technical challenges.The first is that UAVs have no credible alternative source of absolute location.We identify sensor readings that can confirm GPS readings even without accurately reconstructing location.The second challenge is UAV control software fuses other sensor readings with GPS readings to reduce drift and error.We disentangle these readings from the GPS to provide an independent measurement.The system checks for consistency between the GPS and other onboard sensors and can detect adversarial influence without relying on pre-trained models, state estimation, or having to handle accumulating error in the UAV state.A benefit of our approach is that is is complementary to other defenses and can run alongside those to cover more attack surfaces.
To evaluate our defense we modify ArduPilot 4.2.0, an opensource UAV control program, to check GPS data for consistency with (i) velocity computed from an optical flow sensor and (ii) yaw rate reported by a gyroscope.We implement software-level GPS spoofing to simulate real GPS attacks allowing us to perform controlled field testing outside a sealed environment.We install our modified ArduPilot on a commodity UAV and test attacks of varying strength during four flight missions and two loiter missions.We find that attacks that were undetected by other defenses could be detected by our approach with only 1 in 6 of the test flights showing any false positives.The two systems that we evaluate also show how some sensors are more viable with the less noisy pair demonstrating more consistent detection time, faster time-to-detection, and less observed deviation.Contributions.In summary, this paper contributes: • A defense against spoofing based on sensor consistency (Section 3), which does not rely on pre-trained models or internal inconsistency in spoofed data, and is not affected by accumulated error or integration drift.• A practical implementation of our defense in an open-source control program (Section 3.4), which checks for consistency between GPS, optical flow, and gyroscope data, and can detect spoofing of any of those sensors.• An evaluation of our implementation on a hobby-class UAV, based on real flight data, showing that attacks that were undetected by ArduPilot or a Control Invariant defense can be detected with ours (Sections 5 and 6).Section 2 introduces previous sensor spoofing work, Section 3 describes our threat model and defense, Section 4 details the experimental challenges and setup, Section 5 presents our empirical findings, and we finish with a discussion of our findings in Section 6 and related work in Section 7.

BACKGROUND
Sensor Spoofing.Attacks against UAVs with GPS receivers have been shown to be feasible in practice by spoofing-transmitting fake data into the sensor.A significant body of work has demonstrated sensor spoofing attacks on the GPS in a variety of circumstances.Zeng et al. [26] brute-force with signal strength a GPS receiver on a phone to divert road navigation with a device whose components cost approximately $223.Humphreys et al. [11] demonstrate the ability to perform a subtle takeover of a GPS receiver with a receiverspoofer that can track and capture the local GPS signals which cost them approximately $1500.Kerns et al. [12] further demonstrate subtle spoofing of the GPS on a UAV is possible (though it requires greater precision).All of the previously mentioned spoofing devices can be built from commodity components.The low barrier to getting an effective sensor spoofer makes the attack vector a realistic threat.Taken together these factors motivate the need for precise low-cost defenses for sensor spoofing attacks against GPS.

DEFENSE
The goal of our work is to build a software defense against GPS spoofing that does not rely on predicting plausible GPS readings but instead on consistency between GPS readings and other independent sensors.In this section we describe why such a defense is necessary by considering an adversary that subverts the assumptions of state-of-the-art spoofing detection.We then describe our defense mechanism how it can be applied using sensor hardware that is already present on popular UAV platforms.

Threat Model
As described in Section 2, practical GPS spoofing is possible with only low-price commodity components.Consequently, it is reasonable to expect that an adversary may exercise complete control over the readings of a commercial GPS sensor, such as those used in popular UAVs.Even allowing partial trust of the GPS is insufficient when the adversary has complete control over what the GPS is reading.To fully capture the threat of GPS spoofing we introduce a powerful threat model placing the fewest constraints over the adversary of any threat model in the literature.Adversary Objectives.The goal of a sensor spoofing adversary is to indirectly control the behavior of a system and cause it to behave irregularly.While an adversary may be able to cause small deviations from the benign behavior of the target, we only consider the attacker to be successful if the deviation has an appreciable effect.The effect varies based on the type of system being attacked but we include denial of service, damage to the target system or its environment, or deviation from an intended route.Adversary Capabilities.Practical GPS spoofing is possible using only commodity hardware (Section 2).As such, we assume an adversary has complete control over the GPS signal, e.g., by radio transmission or malicious firmware, for any duration of time during UAV flight.While prior work has shown that UAV sensors other than the GPS are also vulnerable to adversarial control [8,23], the requirements are different than GPS spoofing.Consequently, the complexity of maintaining consistent spoofing across different independent sensors is significantly more difficult than spoofing a single sensor.To realistically model our adversary we limit sensor spoofing to a single sensor.As GPS is the most important sensor in determining UAV behavior, we will assume that GPS is being spoofed; however, we believe that our defense is equally applicable to detecting spoofing of other sensors.
These capabilities are sufficient to attack CI defenses such as that of Choi et al. [7].The implementation of the Choi et al. defense is publicly available [6] and was recreated for testing against our adversaries.We evaluate the defense with our overt and subtle attackers in Section 5 and find that neither attacker was detected as a result of noisy sensor data degrading the defenses performance.We infer that other approaches based on modeling the behavior of single sensors will also be unable to detect subtle attackers, even with tighter bounds.

Detecting GPS Spoofing
The power of our threat model is that it assumes GPS readings are malicious and requires that we place no trust in the GPS sensor.Unfortunately, the GPS is central to the operation of current UAV control software.Designing a defense with no reliance on the GPS introduces two major challenges.Identification of GPS-independent signals that indicate adversarial influence and disentangling those signals from the GPS in the UAV's control software.Challenge 1: Identifying adversary-sensitive signals.Our first challenge is to identify sensors that would confirm GPS readings.UAVs have no practical alternative source of location information and cannot directly confirm the output of the GPS receiver.Nevertheless, the physical changes reflected in the GPS updates must be consistent with the physical changes observed by other sensors.Thus, sensors that detect motion can be used to confirm change in GPS readings even without being able to independently compute the position of the UAV.Such a sensor would need to be sensitive enough to detect a difference between benign flight, i.e., a flight without GPS spoofing, versus a malicious flight, i.e. a flight with GPS spoofing.Challenge 2: Disentangling multi-sensor fusion.The second major challenge of our work is that UAV control programs fuse most sensor observations to suppress noise and avoid drift.In particular, many sensors use GPS as a reference sensor to calibrate their readings.Under our attack model such recalibration is suspicious so we assume that GPS data is malicious and taints any data flow following the calibration.For example, in Fig. 1 a magnetic field is measured by the compass which is parsed by the ArduPilot AP_Compass library to calculate the UAVs attitude.A malicious radio transmission that is spoofing a GPS signal indirectly taints the heading stored in the internal AP_Compass object because the GPS is used for heading correction.If we compare the heading from AP_Compass to the ground course from AP_GPS they would appear the same, allowing an adversary to spoof the direction of travel while maintaining consistency across two different sensors.
Thus, to overcome this challenge we disentangle the sensor readings internally in ArduPilot.While unfused values may initially appear to be less accurate, we note that the goal of our work is not to completely recreate the state of the GPS using other sensors.It is sufficient for our defense to indicate that the sensors disagree, even if an independent sensor has no independent use for navigation.Effectively, unfused sensor values can be highly useful as attack detectors even if they are useless for actual navigation.

Correlating Independent Onboard Sensors
We present the high-level details of two mechanisms for confirming GPS readings: one using the optical flow sensor, which measures velocity, and another using the gyroscope, which measures attitude.
The optical flow sensor (OF) derives flow rate (a measurement similar to angular rate) from sequential ground images.Flow rate is combined with distance above ground level, as determined by a ranging sensor, to derive velocity.In turn, the velocity reported by the OF must be consistent with the change in locations reported by the GPS: if the GPS reports no change in position then the OF should similarly report no velocity.Thus, even though the OF system can not provide all of the information a GPS does, it is possible for the GPS and OF system to operate together to verify some consistency in the environment.An important property of the OF and GPS pairing is orthogonality, relying on different physical phenomenon representing different attack surfaces.
The gyroscope is a sensor that reads angular rates and can be used to determine attitude relative to an initial position.If we were to integrate the yaw rate provided by the gyroscope we would get the change in the direction the UAV is facing.A similar indication of direction is the GPS ground course which is a measurement of which way the UAV is moving by calculating the angle between the North and East velocity components.Change in ground course (as derived from the GPS) is interconnected with the gyroscope yaw (as derived from integrating the gyroscope yaw rate): if the GPS ground course changes by an amount of degrees then it would necessarily be accompanied by a similar change in yaw from the gyroscope.The gyroscope and GPS are orthogonal to each other as the gyroscope used in our implementation relies on the Coriolis effect while the GPS uses timing information from radio messages.

Implementation
Our test platform is a quadcopter equipped with a Cube Orange autopilot, a Here3 GPS receiver, HereFlow optical flow sensor, and a LIDAR-Lite v3 lidar.ArduPilot supports our sensors without modification with backends available for input parsing, calibration, biasing, and error correction.We implement our defense and embed GPS spoofing by modifying ArduPilot 4.2.0, an open-source UAV control program [4].There are 2 problems we address with modifying ArduPilot, separating sensor readings from GPS-based error correction and asynchronous sensor updates.Separation.As discussed before in Challenge 2 we need to disentangle the sensors that are relevant to our experiment with the gyroscope, OF, and GPS.Fig. 1 describes how the GPS and Compass are entangled but similar sensor corrections in ArduPilot are difficult to locate and without an analysis like taint analysis can easily be missed, leaving implicit channels for an adversary to attack.To address the separation issue we add additional data buffers to ArduPilot's backend that will only be updated by the intended sensor.Results derive from these buffers, e.g., rotation matrices, will only be influenced by the sensor connected to the buffer, removing implicit control channels that may not have been known.Timing.Another important consideration in implementing our defense are the different sensor update rates.If we were to check the sensor readings when one sensor updates against other sensors, the other sensors would most likely have stale readings.The stale readings would cause additional false positives or require enough error tolerance that our defense would be slow or entirely unable to detect an attack.To minimize error in a given pair of sensors we only check for inconsistency when the slower of the pair updates.

Sensor Error
For our defense we determine the amount of disagreement between sensors that indicates an attack.Our first approach was to use the manufacturer-reported error bounds in the datasheets as this would not require any training or field testing.During early implementations of the defense the use of datasheet reported errors was found to be problematic for several reasons.Some sensors, such as the HereFlow optical flow sensor, do not provide error bounds.For others, like the LIDAR, the errors we observed in testing were not consistent with the bounds reported by the manufacturer.If we were to rely on the datasheets our defense effectiveness would decrease as a result of increased false positives from poorly defined thresholds.Instead of using the errors of the individual sensors we treated the sensor hardware as a black box and measured the divergence between sensor outputs in a variety of live flight scenarios.
We only consider alerts when there are no attacks, i.e., false positives, as a potential cost of our system during benign flight.The UAV can fly even in the face of alerts but we note that alerts would involve an operator being forced to take control of the vehicle and should be avoided.We consider a false positive to be when the disagreement between the GPS and one of the validating sensors crosses the alert threshold during benign flight.To minimize the cost of our approach we set the alert thresholds based on the disagreement distribution of the sensor pairs.We analyze the disagreements during Benign 1-5 to derive our alert thresholds of 7.35   and 13.96 • for the OF and gyroscope respectively.The analysis and flight logs for Benign 1-5 are available and can be found in our Open Science Framework repository.

METHODOLOGY
We evaluate the efficacy of our proposed defense along two aspects, which we explore in the following research questions: • RQ1 (Necessity): Does the technique address a credible attack that is undetected by current approaches?We demonstrate that an adversary in our threat model does avoid detection under state-of-the-art defenses, but does not evade our technique.• RQ2 (Validity): Does the technique accurately detect attacks within our threat model?We find that each of our attack scenarios are detected with both implemented sensors.Furthermore, attacks are detected quickly.In the remainder of the section we describe our GPS spoofing method that we use to evaluate our defense and a CI defense.

Embedded GPS Spoofing
We employ two GPS spoofing strategies that characterize 2 different types of attacks: an overt attack and a subtle attack.The overt attack transmits GPS readings that are significantly different than the true values (previous work has used deviations as high as 500 [13]).In contrast, the subtle attack transmits readings that are initially close to the underlying values and gradually deviates over time.The subtle attack has 3 different phases with 2 distinct goals, slowing down or speeding up the UAV.The attack logic takes two parameters, distance offset and acceleration, to determine where the GPS spoofing should go to and how quickly.We embed GPS spoofing in ArduPilot's GPS backend, overwriting parsed GPS information as it is read from the receiver.A benefit of embedding the spoofing code in the backend is the spoofed values get to propagate through ArduPilot similar to how over-the-air GPS spoofing would.The embedded GPS spoofing code is also made available with the ArduPilot modifications.

EVALUATION
We evaluate our system using test flights designed to capture a variety of autonomous flight patterns 1 In total we performed 11 test flights in varied wind, lighting, and temperature conditions, 5 benign flights (Benign 1-5) with no adversary present and 6 adversarial flights (L-Overt, L-Subtle, Flight 1-4) under GPS spoofing.The benign flights include multiple waypoints with turns, straight lines, and loitering.For the adversarial cases we run a set of 2 loiter flights, only loitering in place, and 4 adversarial flights with similar test conditions as the benign flights.The loiter missions are split based on attack parameters into overt, a 2 offset and unbound offset rate, and subtle, a 2 offset and 1   2 offset rate.The adversarial flights are offset by 2.5 at a rate of 0.1   2 .The modifications to ArduPilot, embedded GPS spoofing, flight logs from our evaluation, and Jupyter Notebooks detailing our analysis are provided in an Open Science Framework (OSF) repository 2 . 1 Extensive safety precautions are taken, further details found in the OSF repository. 2 https://osf.io/qj97w/?view_only=721a3b784e004465a0f8bbd548da09c6

Assessing Necessity -RQ1
We use our attack strategies against two detection mechanisms to determine if new GPS spoofing detection techniques are necessary.First, we evaluate the innovation checks that are deployed in ArduPilot.Second, we evaluate a CI defense that uses a similar linear model as our own.Other defenses are not implemented for evaluation as they fall outside the scope of our adversarial model by trusting the sensor hardware or firmware, adding additional hardware, or using a different control model.Innovation Checks.ArduPilot implements innovation checks in their sensor fusion algorithm to determine if an estimate is healthy.During GPS spoofing the innovation of the estimates can increase to the point of ArduPilot flagging the sensor as unhealthy, potentially engaging failsafes.To determine if new GPS spoofing detection methods are necessary the innovation checks must fail to detect the subtle adversary.
In our preliminary evaluations we found the position and velocity variance metrics must meet certain conditions to trigger a failsafe, e.g., when the velocity variance is greater than 1.6 for a period of time.We also find that when the velocity variance is below 0.8 the system never engages a failsafe, behavior an adversary can use.Live flight tests show overt spoofing can avoid the innovation checks as variances would quickly grow then fall as the spoofed position became the trusted position.Eventually the overt spoofing would be detected as the UAV would speed up as a result of spoofing and trigger the velocity variance.Subtle spoofing however remains below the detection threshold indefinitely while causing appreciable responses.Both the overt and subtle spoofing tests demonstrate the necessity of a new defense against spoofing attacks.Our analysis of the variance response to spoofing in both the L-Overt and L-Subtle flights are available in the OSF repository.Control Invariants.Several existing defense techniques train a model of plausible GPS behavior, an implementation of the PBAD model, and consider violations of the model to be an attack.It is infeasible to re-evaluate every PBAD defense in our tests so we implement a representative model from recent work that assumes a linear model like our own for fair comparison, Choi et al. [7], that we will refer to as the Choi defense.We train the Choi defense on five benign flights, Benign 1 -Benign 5, using the Target North and Current North data from ArduPilot's Extended Kalman Filter since GPS spoofing is along the North-South axis.Choi et al. provide MATLAB scripts for training the model, yielding an error threshold of 10262 and a window size of 110 when fit to Benign 1 -5.The Choi defense had no false positives but was unable to detect the adversary in our adversarial flight tests when using the parameters from training.We believe these results justify the need for an alternative approach.More information about our training data and offline evaluation of the Choi defense are available in the OSF repository.

Assessing Validity -RQ2
In our 4 adversarial flights we look at the number of false positives, the disagreement before and after the attack, the time-to-detection (TTD), and the displacement according to the OF before being detected if applicable.A summary of our results for the OF and GPS pairing and the gyroscope and GPS pairing can be found in Table 1: Detection rate of our defense during missions with adversarial influence.Check points = sensor comparisons, false alarms = deviation above threshold with no adversarial input, Δ-pre = max disagreement before attack, Δ-atk = max disagreement during attack, TTD = time from attack start to detection, Disp.= displacement observed during attack.
Each flight behaves in a similar manner with variations coming from noise in the system and environment.We will only present F-Subtle 1 in detail and discuss the abnormalities in the other flights but provide similar analysis and figures for each flight in our OSF repository.F-Subtle 1 demonstrates the expected noise during the benign portion of the flight as observed during the rectangle flights.The OF and GPS velocity total disagreement can be seen in Fig. 2. The system detects the attack on the GPS after 3.90 and a deviation of 21.54.The divergence the GPS spoofing causes can be seen even with the noise present in the signals.The combined disagreement from the East and North axis shown in Fig. 2 demonstrate this, showing the peak disagreement of 3.39   before the attack and quickly climbing to 10.26   after.The gyroscope and GPS yaw rate signals can be seen in Fig. 3.The system detects the attack faster using the yaw rate, taking 0.70 compared to the OF and GPS system's 3.90, and only allows the UAV to displace 2.42.We attribute the faster detection to the attacker trying to diverge the quadcopter's direction more than the speed.
F-Subtle 2-4 all have different interesting behaviors that are worth discussing.F-Subtle 2 shows an incredibly fast TTD, 0.01, which should not be enough time for the UAV to start corrective action in response to GPS spoofing.An analysis of the flight logs of F-Subtle 2 shows that at the time of the attack being initiated the GPS receiver reported an outlier in position that is then picked up by the attack to calculate the offsets.The outlier and offset combined lead to the spoofed values to start from a deviation great enough to trigger the defense at the first check after the attack.F-Subtle 3 did not have the attack get detected with the OF and GPS, shown as N/A in  .1a.The trend of the attack indicates that eventually it would have been detected but the experiment was ended early, before detection, as the UAV deviated from the testing site and needed to be forcefully landed.We note however that the Gyroscope and GPS were capable of detecting the attack in 0.70 highlighting the importance of having multiple pairs of sensors that can confirm readings.F-Subtle 4 has the only false alarm of the set of flight tests with 1 by the OF and GPS pair and 2 by the Gyroscope and GPS pair.A manual analysis of the flights logs shows several high peaks that caused the false alarm for the OF and GPS coinciding with rapid changes in the rangefinder readings.The OF velocity is susceptible to rapid changes in the rangefinder which can be unpredictable as ground terrain changes during flight.As for the 2 false alarms from the Gyroscope and GPS the problem comes from the difference in yaw rate both initially aligning poorly and then also having the gyroscope steadily drift further during the test.The alarm thresholds are derive heuristically from a set of 4 flights making false alarms from untested cases expected.
The last two missions are L-Overt and L-Subtle.Due to the loiter missions not having significant speed the yaw rate has little to offer as the GPS velocity is below the noise threshold.We only look at the OF and GPS system for detecting attacks during loiter.In Table .1a, the overt attack shows a maximum disagreement of 0.55   before the attack and a maximum disagreement of 22.50   after the attack.The large deviation in velocity happens only during one update, as the attack starts, while subsequent updates hold the GPS in position with a perceived 0   velocity.Our approach detects the overt attack as it happens in 0.10 because of the sudden deviation but would also detect the attack again after 11.10 of the UAV speeding away.In contrast the subtle attack took 6.10 to detect as there was no sudden deviation but did have a faster eventual detection as the system readily responded to a perceived "drift" and accelerated at a higher rate.The results show that the overt attack is easy to detect due to the spike in disagreement while the subtle attack goes unnoticed by the built-in innovation checks.Our approach was able to detect the overt attack quickly and the subtle attack before the adversary could capture or crash the UAV.

DISCUSSION
In Section 5, we show that our technique is not only effective in detecting attacks in a wide variety of circumstances and flight contexts, but does so without incurring appreciable false positives.We also show that our defense overcomes limitations of existing detection techniques, motivating the need for new approaches to detecting malicious GPS values.The overt and subtle attacks went undetected by both ArduPilot and the Choi defense with the subtle attack impacting the metrics used for detection the least.Only 1 in 4 of the GPS spoofing tests exhibited false positives, shown to be an anomaly in sensor readings that represented less than 1% of data points in flight.The overt and subtle attacks were detected using both our implementations, with the gyroscope and GPS system demonstrating the most consistent detection results, most frequently limiting the attacker to 2 of deviation before detection.We now discuss the practical effect of these findings.

Handling False Positives
We encountered three false positives in F-Subtle 4 when the vehicle was already in an abnormal state.Although these volatile readings were not due to adversarial influence, a human operator would likely be interested in knowing them.Alternatively, these false positives could be eliminated by only raising an alert if the sensors disagree for a span of several updates.This approach could delaying the time to detection, and may cause a sensor spoofing attack to be missed entirely.In practice, requiring 2 sequential updates of disagreement removes all false positives in our experiments without incurring false negatives, though it raises the time to detection by 200ms.We also note that the parameters for our defense are derived from a set of 5 benign flights representing a lower bound on performance and that additional flights would help with anomalies and improve on the false positives.

Limiting Adversarial Capabilities
We demonstrate that sensor fusion is insufficient to stop an attacker from controlling the system in Section 5 when evaluating the innovation checks.Beyond showing that our technique detects attacks, we also show that the defense significantly limits the control that the adversary can exert over the target before detection.In the worst case scenario, an adversary can slowly displace a UAV in loiter mode by 17.53 meters over the course of 6.10 and a UAV in flight by 2.42 over 0.70.The impact of such an attack ultimately depends on the context of the vehicle's deployment.For a delivery UAV, it is unlikely that the target will loiter long enough for the subtle influence to take hold and the limitation during flight will prevent the attacker from controlling the UAV or crashing it.For a surveillance UAV, 6.10 seconds is a miniscule window of time to sneak by but would most likely be enough to prevent the UAV from leaving the premise being surveyed.Given these constraints, the time to detection and displacement performance of the UAV are acceptable.

RELATED WORK
Multi-satellite Tracking.Multi-satellite tracking defenses propose tracking more than one possible authentic signal and attenuate potentially malicious ones.Sathaye et al. [18] propose both a method for detecting and defending against GPS spoofing with multi-satellite tracking and challenge-response.The approach builds on prior work in auxiliary peak tracking [17] to detect a subtle adversary and use challenge-response to identify the malicious GPS signals.The simulations demonstrate good results but challenge-response protocols are dangerous for UAV deployments and by themselves may lead to crashing.Auxiliary peak tracking approaches also require modifications to receiver firmware which falls outside the scope of our threat model as we consider sensor and their firmware to be untrusted.Automatic Gain Control Monitoring.Several previous works use automatic gain control (AGC) feature of multi-bit GNSS receivers to detect GPS spoofing [3,5].Akos [3] proposes AGC monitoring and power analysis to detect attacks and evaluates the approach with live tests using a GPS repeater.The author notes that AGC should not be used alone as the evaluation indicated that noise from hardware and other radio transmission would degrade detection performance.We see our work as complementary to AGC since both defenses can be run together without interference.Multi-sensor Defense.A subset of defense research also proposes using multiple sensors to mitigate the threat of sensor spoofing.Closest to our proposed defense is Meng et al. [13] who propose comparing the displacement of GPS and OF derived position to monitor for sensor spoofing.However, the extent of their work is limited, only concerned with displacement over the whole mission with an adversary that spoofs 100m from the true position.Tharayil et al. propose a machine-learning based anomaly detector and a defensive fusion combining the gyroscope and magnetometer to detect sensor spoofing, but note their approach would not detect subtle sensor spoofing and limit their defensive fusion to angular rates on a mobile device [21].Physics-Based Attack Detection.Some defense work propose the use of PBAD models where the physics of the UAV are added as a constraint to the system and used to detect sensor spoofing.One approach from Choi et al. [7] uses a linear model and time windowing with a PID controller for their predicted state while later Quinonez et al. [16] use a nonlinear model and CUSUM with an Extended KF for their predicted state.Both approaches were unable to detect subtle attacks derived from their threshold metrics but the nonlinear implementation showed better limitation of an attackers influence.Recent work from Zhang et al. [27] focuses on making the time window size adaptive by determining reachability to an unsafe state, allowing for a trade-off between soundness and TTD.We note however the underlying defense is the same as the Choi defense which we have shown to be susceptible to subtle sensor spoofing.

Figure 1 :
Figure 1: Propagation of malicious GPS signals through the flight controller to the control logic.

Figure 2 :
Figure 2: Disagreement in velocity for the OF and GPS.

Figure 3 :
Figure 3: GPS spoofing makes the relative yaw inconsistent Table.1a.The trend of the attack indicates that eventually it would have been detected but the experiment was ended early, before detection, as the UAV deviated from the testing site and needed to be forcefully landed.We note however that the Gyroscope and GPS were capable of detecting the attack in 0.70 highlighting the importance of having multiple pairs of sensors that can confirm readings.F-Subtle 4 has the only false alarm of the set of flight tests with 1 by the OF and GPS pair and 2 by the Gyroscope and GPS pair.A manual analysis of the flights logs shows several high peaks that caused the false alarm for the OF and GPS coinciding with rapid changes in the rangefinder readings.The OF velocity is susceptible to rapid changes in the rangefinder which can be unpredictable as ground terrain changes during flight.As for the 2 false alarms from the Gyroscope and GPS the problem comes from the difference in yaw rate both initially aligning poorly and then also having the gyroscope steadily drift further during the test.The alarm thresholds are derive heuristically from a set of 4 flights making false alarms from untested cases expected.The last two missions are L-Overt and L-Subtle.Due to the loiter missions not having significant speed the yaw rate has little to offer as the GPS velocity is below the noise threshold.We only look at the OF and GPS system for detecting attacks during loiter.In Table.1a, the overt attack shows a maximum disagreement of 0.55   before the attack and a maximum disagreement of 22.50   after the attack.The large deviation in velocity happens only during one update, as the attack starts, while subsequent updates hold the GPS in position with a perceived 0   velocity.Our approach detects the Table.1a and Table.1b respectively.