DronLomaly: Runtime Log-based Anomaly Detector for DJI Drones

We present an automated tool for realtime detection of anomalous behaviors while a DJI drone is executing a flight mission. The tool takes sensor data logged by drone at fixed time intervals and performs anomaly detection using a Bi-LSTM model. The model is trained on baseline flight logs from a successful mission physically or via a simulator. The tool has two modules --- the first module is responsible for sending the log data to the remote controller station, and the second module is run as a service in the remote controller station powered by a Bi-LSTM model, which receives the log data and produces visual graphs showing the realtime flight anomaly statuses with respect to various sensor readings on a dashboard. We have successfully evaluated the tool on three datasets including industrial test scenarios. DronLomaly is released as an open-source tool on GitHub [10], and the demo video can be found at [17].


Introduction
Drones have been increasingly used in missions such as military operations, surveillance, infrastructure inspection, package delivery, emergency response, etc.As more and more drones are flying in public airspace, safety concerns are also rising.While conducting a flight mission, several factors such as input validation vulnerabilities in the drone controller program [5,6], harsh environmental conditions causing the drone to deviate significantly from the planned flight path [13], a remote cyber-attack that intentionally produces noises to confuse the sensors may affect the drone physical stability [16], etc.Hence, conducting flight missions in populated areas poses serious risks, as also highlighted by several incidents [2].Therefore, it is important to monitor drone behaviors and detect anomalies while it is executing safety-critical missions so that appropriate measures, such as evasive maneuver or mission abort, can be taken in time.
Drones, especially industrial and military grade drones, usually record flight data at runtime.Given a baseline data, these runtime log data can be leveraged to detect anomalies during the drone flight.Therefore, in our previous work [14], we proposed an approach for runtime detection of anomalous drone Behaviors via log analysis and deep learning.
In this demonstration paper, we present DronLomaly, a tool that implements our runtime anomaly detection approach.The design and implementation of DronLomaly focuses on DJI drones.Alternatively, we could have targeted other drone platforms like Ardupilot and PX4.As these platforms differ significantly in terms of the SDK, the communication protocol, and the log format, the implementation has to be platform-specific.We chose to support DJI drones because DJI holds 76% of the global drone market according to Statista [15] and to our knowledge, none of the existing approaches provides such an anomaly detection tool for DJI drones.
DronLomaly takes as input a list of time series flight log data of a good drone which successfully executed a given flight mission repeatedly, which is used for learning a baseline model.Each log entry contains a timestamp, flight status (e.g., flight mode), and state units (e.g., GPS and gyroscopic readings).During the runtime, DronLomaly produces a graph that shows the deviation of the predicted drone state with respect to the baseline model, from the current state.DronLomaly comprises of 2 components: 1) Telemetry Subscriber that listens a set of Telemetry topics (velocity, angular pose, etc.) measured by drone's sensors; 2) Anomaly Detector listens to the sensor readings retrieved by the Telemetry Subscriber and predicts the next sensor readings using the baseline model.
The source code of DronLomaly is available at GitHub [10].

Tool Design
DronLomaly is the tool supporting our approach described in our research paper [14].It is designed and implemented as a service at the remote station.It can also be deployed in the drone itself by embedding the anomaly detector in a Raspberry Pi device.Figure 1 shows the overall architecture of DronLomaly.
The tool consists of two main components -(1) Telemetry Subscriber and (2) Anomaly Detector.During runtime, the telemetry subscriber fetches the telemetry data from the DJI drone simultaneously as the drone is conducting a mission.The telemetry data is a time series data that characterize the physical states of the drone.At any given time, the telemetry subscriber stores a sequence of log data corresponding to ℎ+1 time units, where ℎ is the configured time window.This log buffer is fed to a pre-trained bidirectional Long Short-Term Memory (Bi-LSTM) for anomaly detection .Given a sequence ℎ of feature vectors corresponding to ℎ time units, the model predicts the next possible feature vector at ℎ + 1 time unit.More specifically, each feature vector  in ℎ consists of flight status  and state units  such that  = {flight mode, gain, velocity  , velocity  , velocity  }. (1) Flight status refers to flight status information such as flight mode and gain configuration value; state units refers to sensor readings such as velocity at X-axis, Y-axis, and Z-axis.In short, we shall refer to this vector as  = { , }.
If the L1 (Manhattan) distance of the ground truth feature vector (representing the physical state of the drone) differs from that of the predicted feature vector by a threshold of 3 standard deviations, an anomaly is reported, together with visualized graphs showing the anomalous sensor readings.

Implementation
3.1 Telemetry Subscriber DJI Onboard SDK's Telemetry module [3] provides various kinds of log data.We wrote a C/C++ script to collect the log data through this SDK during runtime.For the sake of our experiments, we collected GPS coordinates, velocity, acceleration, angular position and angular rate and ran this tool as a service at the remote station.Our telemetry subscriber tool can also be run in an embedded device such as Raspberry Pi which could already be attached to a Physical DJI drone for autonomous operations.In our proof-of-concept, we installed the tool in Raspberry Pi 4 Model B with 8 GB memory and report its runtime performance results (Figure 5).

Baseline log extraction.
For a given mission, we setup the drone to conduct the mission three times under different but normal operating conditions.We use the telemetry subscriber tool to collect flight logs, which essentially capture the baseline behavior of the drone for a given mission.

Anomaly Detector Model Training
We train a Bi-LSTM model on the baseline log data collected by telemetry subscriber.The following explains how the model is implemented.

Input.
Let Ω = {( 1 ,  1 ), ( 2 ,  2 ), . . .(  ,   )}) be the whole set of feature vectors, extracted from a given log of a flight mission.The sequence for detection is a sliding window of the ℎ most recent feature vectors.This is the input to our prediction model.As an example, Figure 2 shows the sequential patterns of certain flight states, where ℎ = 2.As we can observe from Figure 2, our data is a multi-variate time series data where (bidirection) LSTM model can be applied.We normalize the values in each vector by the average and the standard deviation of all values from the same parameter position from the training data.

Model
. The model has one bidirectional LSTM layer with a drop out of 0.1, one fully-connected linear layer with 128 neurons and 'ReLU' activation function, and one output layer whose size (# of neurons) is the number of drone sensor values to be predicted.

Objective function for training.
In order to minimize the error between the predicted and observed feature vectors, we adjust the weights of the Bi-LSTM model using Mean Squared Error (MSE) loss and 'Adam' optimization function.This process is done in an iterative manner, which is determined by the Epoch value.We set Epoch to 2000 with Early Stopping which is reached when the validation loss does not decrease below 0.001 continuously for 20 iterations.We implement the above model using several Python libraries such as Numpy, Pandas, Scikit-learn, and PyTorch.Numpy, Pandas, and Scikit-learn are used for data processing and PyTorch is used for implementing the model.We leverage the yaml library for configurations such as specifying which sensor data to monitor, threshold for determining anomalies, etc.The trained model is saved as model.ptfile.

Deployment
We deploy the model model.ptas a web service via Visual Studio Code IDE running in a remote controller machine.The web service provides REST API endpoint for Anomaly Detector, which accepts GET and POST requests from Telemetry Subscriber.The endpoint is built on XML-RPC module and is implemented in Python, encompassing the necessary code for API setup, route definition, and request handling and importing various Python modules for data processing, invocation of the Bi-LSTM model for the regression task, and visualization.Each request sent to the endpoint is expected to contain a flight record.The endpoint service processes the flight record to extract the relevant information (e.g., sensor data that is being monitored).It then invokes the Bi-LSTM model providing the extracted sensor values as an input, where the model generates prediction of the next possible state.It is also possible to run Anomaly Detector in the embedded system along with our Telemetry Subscriber.However, the web service approach allows Anomaly Detector to be decoupled from Telemetry Subscriber as seperate applications, so that the anomaly detector can be readily reused with different telemetry subscribers from other drone development platforms that may be implemented in different programming languages.

Visual Aid Generation
We implement the visualization tool for showing the deviation in terms of L1-distance between predicted and actual sensor values in realtime.We use the Python library Plotly to generate a live graph that simultaneously displays the multiple state values using multiple differently colored lines that are updating in realtime to visualize the realtime deviations.As an example, Figure 3 shows the visualization of predicted state deviation from the actual state.Y-axis value represent the percentage of threshold the current time window's deviation is at.The threshold is represented by the horizontal line that denotes y-axis value of 1. Crossing this value means that the deviation has exceeded 100% of the threshold.

Usage Scenario
As a proof of concept, we have demonstrated the following usage scenario of detecting anomalous behaviors caused by harsh weather, control program bugs, faulty configurations and safety/privacy regulation infringement to our industry partner: Figure 4 shows the experiment setup we applied to demonstrate DronLomaly to our industry partner.Firstly, we collected DJI logs by flying a physical DJI drone, DJI Matrice 300.We used the Waypoint Mission module provided in DJI OSDK [1] to upload randomly generated waypoints into the drone.During the flight, we used the telemetry program to subscribe to the logs for realtime information on the drone's physical state.Next, we simulated an anomalous flight condition where there is an abnormally strong wind.We use DJI's Assistant 2 software for Hardware-in-the-loop simulation, and for mutation of environmental factors such as wind speed and direction.In Figure 3, DronLomaly 's visualization graph reports the anomalies with respect to the 'Roll' sensor readings at certain time periods.This anomaly is due to the drone having to produce a significantly higher Roll to compensate for the heavy wind.In our research paper [14], we also evaluated two other scenarios (as required by our industry partner) -sensor failure and communication failure.Sensor failure may occur due to hardware fault or software configuration issue.For example, sensors need to be recalibrated after flying through extreme environmental conditions.Otherwise, it may lead to false sensor values.Communication failure between the remote controller and the drone can also occur due to long distance, encapsulated surroundings, or signal jamming, etc.We simulated such sensor failure and communication failure behaviors by injecting faulty sensor and GPS coordinate values into the DJI flight logs.
The recall, precision, and F-measure of DronLomaly for detecting anomalies in these three scenarios is reported in Table 1.On average, it achieves 0.986 recall, 0.948 precision, and 0.967 F-measure.The experiments were also run in a Raspberry Pi device for measuring its practical runtime performance.DronLomaly takes about 2 minutes to load a model, but this is a one time cost.Figure 5 shows the boxplot of the time taken for predicting the next state of the drone.The medium time taken is about 1.5 ms and the maximum is 3 ms.The total time taken may be longer due to the network latency because the alert signal needs to be sent to the drone operator.In our experience with flying DJI drones physically, the network latency is in the range of a few milliseconds to 2 seconds when operating within the visual line of sight.We believe that this should still give the operator ample time to take an appropriate action.

Related Work
There are several anomaly detection approaches in the domain of Cyber Physical systems, for example, for detecting machine wear and predictive maintenance [4] and for detecting anomalies in traffic data [11].However, to our knowledge, There are drone forensic approaches such as [8,9,12] that analyze flight log data to detect anomalies.But these approaches are offline analysis approaches that are typically used after an incident has been occurred.There are also fuzzing approaches for detecting bugs in drone control programs such as RVFuzz [7], PGFuzz [6], and LGDFuzzer [5].They detect bugs such as input validation and semantic bugs.While fuzzing approaches are certainly useful, they cannot handle unstable physical states in drones when undetected bugs are activated at runtime.Therefore, our runtime anomaly detection approach complements these approaches.

Conclusion
This demonstration presents DronLomaly, a runtime anomaly detection tool for DJI drones.The tool has two main components -one for fetching realtime flight log data and the other for detecting anomalies reflected in the log.Dron-Lomaly leverages DJI's onboard SDK to fetch realtime flight logs.It also leverages normal flight logs of successful drone missions to train a Bi-LSTM model.The model is then used to detect deviations from the learnt state values, as the new log entries are fetched at runtime.We demonstrated that this tool can be practically used in scenarios such as strong wind condition, sensor failure, and communication failure.In terms of accuracy, DronLomaly achieved 0.967 F-measure.In terms of efficiency, DronLomaly, when deployed on a Raspberry Pi device that can actually be used to control a drone, were able to generate a prediction within a few milliseconds.In future, we plan to extend this work by developing a mobile app leveraging DJI's mobile SDK so that DronLomaly can be deployed in the mobile phone, for more practical runtime monitoring purposes.We also plan to look into other kinds of scenarios, such as remote cyber-attacks and infringement of safety or privacy regulations, which were not considered in this work.

Figure 2 .
Figure 2. Sample sequential patterns of flight log data.ATTI refers to 'Altitude Hold' flight mode.'RTH' refers to 'Return to Home' mode, whereas the values represent sensor readings of velocity at Z-axis in m/s.Note that the actual feature vectors consists of more than one set of readings with respect to flight status and state units.

3. 2 . 4
Output.The output is a real value vector as a prediction for the next state units, based on a sequence of feature vectors from recent history (Time Window).

Figure 3 .
Figure 3. Visualization of deviation of predicted Roll, Pitch, Yaw sensor values from the actual ones for a duration of 60 seconds