IDENTIFYING CONSUMER DRONES VIA ENCRYPTED TRAFFIC

Date
2022
Authors
Liang, David Vincent
Advisor
Dong, Yingfei
Department
Electrical Engineering
Abstract
While consumer drones have been broadly adopted for many recreational applications, they have also become a low-cost and versatile tool for malicious activities. To address these threats, we need effective drone management and counter-drone measures. Identifying the concrete type of an invading drone is the crucial initial step. While most existing drone identification methods leverage radar, acoustic, or image processing, to the best of our knowledge, almost none of these investigate the unique communication patterns of drones for detection. In this thesis, we focus on the communication protocol between a drone and its controller and conduct an in-depth analysis of both encrypted and plaintext drone traffic. We propose a framework for identifying a specific type of drone among a known set of drones by analyzing its encrypted Wi-Fi communication traffic between a drone and its controller. The main idea of this approach is to utilize our understanding of drone communication details to match communication patterns in encrypted traffic to communication patterns in plaintext traffic. To explore the common cases on popular consumer drones, we select drones equipped with the most popular open-source drone control system, ArduPilot. Because the communications on these drones use the most popular communication protocol, MAVLink, we are able to conduct in-depth analysis of their plaintext communication traffic and identify patterns for our detection and classification. Collecting drone traffic and identifying concrete patterns in plaintext traffic is the first focus of this thesis. However, communication between a drone and its controller is often encrypted with a state-of-the-art protocol (802.11 WPA2 or WPA3). We will need a method to discover the communication patterns in such encrypted traffic and match them with patterns discovered in plaintext communication. This is the second focus of this thesis.
In the first focus, we capture the encrypted traffic between our drones and their controllers, decrypt the traces, and analyze the corresponding plaintext traces to build a profile for each type of drone. We discovered that, as with traffic in many control systems, the plaintext communications contain many messages with Unique and Non-Varying (UNV) sizes across multiple traces; such UNV messages also show strong periodic patterns, which make them ideal candidates for building traffic patterns. Furthermore, looking into the encryption protocols, we notice that 802.11 WPA2 (or WPA3) uses AES-CCMP (Counter Mode CBC-MAC Protocol) for encryption, which encrypts a plaintext into a ciphertext with a fixed 44-byte size increase. Using this fact, we can easily infer the plaintext message size based on the size of an encrypted message. Therefore, based on our analysis of both plaintext and ciphertext traffic, we have identified a set of UNV message sizes that helps us associate message patterns in the encrypted traffic with the message patterns in plaintext traffic. Specifically, we collect Wi-Fi traffic traces for three ArduPilot drones (3DR Solo, Intel Aero, and SkyViper Journey), and build their corresponding profiles. In the second focus, we propose two classification methods utilizing the drone profiles built in the first focus. To match the patterns in a target trace with the drone profiles, we first propose similarity-based methods to classify the target drone. Furthermore, we utilize well-known machine learning methods to compare the detected patterns in the target encrypted traffic with patterns in the drone class profiles. By utilizing our knowledge of the intricacies of the drone communication protocol, we are able to develop these unique methods which differ from existing approaches. We have conducted a concrete performance evaluation with our collected data to evaluate the proposed classification methods.
Our results show that the similarity-based methods work well in many cases but also have clear limitations; the machine-learning-based methods have shown very high accuracy for all testing cases, proving the effectiveness of the proposed framework. In addition, we have implemented an existing method that uses the short-term statistics of encrypted traffic for detection. We compare this method with the proposed method on our data traces. The results show that the proposed framework has significant advantages over the existing method. This confirms that utilizing the details of both encrypted and plaintext drone traffic can further improve the performance of our method. In summary, we have proposed a drone classification framework based on our understanding of the unique characteristics of drone traffic, and the performance evaluation has shown the effectiveness of the proposed framework. In the meantime, there are several directions we would like to explore to further improve the current methods and evaluation, e.g., collecting more traces under various flight patterns and modes, and expanding the proposed idea to other automated devices (e.g., self-driving cars).
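The size-inference and profile-matching idea described in the abstract, as an added sketch that is not code from the thesis: it subtracts the stated 44-byte increase from each encrypted message size, keeps sizes that recur at a steady interval, and scores them against per-drone size sets. The profile byte values, the sample capture, the Jaccard score, and the `min_count`, `max_cv` and `threshold` parameters are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

CCMP_OVERHEAD = 44  # fixed ciphertext size increase stated in the abstract

# Constructed UNV plaintext-size profiles; byte values are invented, not from the thesis.
PROFILES = {
    "3DR Solo": {63, 74, 91, 108},
    "Intel Aero": {59, 74, 87, 120},
    "SkyViper Journey": {52, 70, 91, 133},
}

def periodic_plaintext_sizes(frames, min_count=4, max_cv=0.2):
    """Return inferred plaintext sizes that recur at a steady interval.

    frames: iterable of (timestamp_seconds, encrypted_size_bytes).
    min_count and max_cv (coefficient of variation of the gaps) are assumed knobs.
    """
    seen = defaultdict(list)
    for ts, size in sorted(frames):
        if size > CCMP_OVERHEAD:  # at or below the overhead there is no payload
            seen[size - CCMP_OVERHEAD].append(ts)
    steady = set()
    for size, stamps in seen.items():
        if len(stamps) < min_count:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            steady.add(size)
    return steady

def jaccard(a, b):
    """Set overlap score, used here as one possible similarity measure."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

def classify(frames, profiles=PROFILES, threshold=0.5):
    """Return (best_profile_or_None, scores); below threshold means 'unknown'."""
    observed = periodic_plaintext_sizes(frames)
    scores = {name: jaccard(observed, sizes) for name, sizes in profiles.items()}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else None), scores

def sample_capture():
    """Constructed capture: three periodic message sizes plus irregular traffic."""
    frames = [(i * 1.0, 63 + CCMP_OVERHEAD) for i in range(8)]
    frames += [(i * 0.5, 91 + CCMP_OVERHEAD) for i in range(16)]
    frames += [(i * 0.25, 74 + CCMP_OVERHEAD) for i in range(32)]
    frames += [(0.13, 1244), (0.9, 1244), (1.0, 1244), (4.7, 1244), (5.0, 1244), (2.2, 344)]
    return frames
```

The irregular 1244-byte frames recur often enough to pass `min_count` but fail the interval check, which is why periodicity matters alongside size.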
Keywords
Electrical engineering, Drone Identification, Machine Learning, MAVLink, Wi-Fi Traffic Classification
Extent
57 pages
Rights
All UHM dissertations and theses are protected by copyright. They may be viewed from this source for any purpose, but reproduction or distribution in any format is prohibited without written permission from the copyright owner.