An Air Traffic Management (ATM) Surveillance System provides the services needed to perform Air Traffic Control (ATC) (e.g., horizontal separation between aircraft). This system carries messages containing aircraft positions from the collection of radars of an Air Navigation Service Provider (ANSP) through its network. Radar traffic is therefore one of the most important sources of information for this system. The format of the radar messages is defined by a specific application-layer protocol called ASTERIX. The evolution of security policy and of the technologies in use means that existing radar systems, once considered safe, are now potentially open to attack. Both the safety and the security of the ATM system could be affected by any attack on the network traffic that maliciously modifies information about aircraft, in particular through a spoofing attack. To counter this risk, intrusions need to be detected, which calls for anomaly detection modules for this safety-critical network traffic that can be deployed in a security appliance. To design such a module, we carried out a statistical analysis to get an overview of the traffic and better understand what needs to be protected. Specifically, we studied radar network traffic in order to extract high-level statistical characteristics of normal radar traffic. This allowed us to identify a trend in the evolution of this traffic. We were then able to inject a spoofing attack (in which a malicious party impersonates another device or network user for the purpose of altering the data) into this traffic to modify the nominal traffic. We were then able to detect this attack using our method, a machine learning detection method based on a Long Short-Term Memory (LSTM) mechanism. This paper therefore presents an overview of radar traffic and a method to detect spoofing attacks in this traffic.
This would help to develop an ATM IDS, especially as this type of attack could remain invisible to the air traffic controller.