1

High Confidence Networked Controlfor Next Generation Air Transportation Systems

Pangun Park, Harshad Khadilkar, Hamsa Balakrishnan, and Claire Tomlin

Abstract—This paper addresses the design of a secure andfault-tolerant air transportation system in the presence of at-tempts to disrupt the system through the satellite-based nav-igation system. Adversarial aircraft are assumed to transmitincorrect position and intent information, potentially leadingto violations of separation requirements among aircraft. Wepropose a framework for the identification of adversaries andmalicious aircraft, and then for air traffic control in the pr esenceof such deliberately erroneous data. The framework consistsof three mechanisms that allow each aircraft to detect attacksand to resolve conflicts: fault detection and defense techniquesto improve Global Positioning System (GPS)/inertial navigation,detection and defense techniques using the Doppler/receivedsignal strength, and a fault-tolerant control algorithm. A Kalmanfilter is used to fuse high frequency inertial sensor informationwith low frequency GPS data. To verify aircraft position thr oughGPS/inertial navigation, we propose a technique for aircraftlocalization utilizing the Doppler effect and received signalstrength from neighboring aircraft. The control algorithm isdesigned to minimize flight times while meeting safety con-straints. Additional separation is introduced to compensate forthe uncertainty of surveillance information in the presence ofadversaries. We evaluate the effect of air traffic surveillanceattacks on system performance through simulations. The resultsshow that the proposed mechanism robustly detects and correctsfaults generated by the injection of malicious data. Moreover,the proposed control algorithm continuously adapts operationsin order to mitigate the effects these faults. The ability oftheproposed approaches to defend against attacks enables reliableair traffic operations even in highly adversarial surveillanceconditions.

Index Terms—Next Generation Air Transportation Systems,Misbehavior Detection, Intelligent Control, Automatic DependentSurveillance - Broadcast.

I. I NTRODUCTION

The Next Generation Air Transportation System (NextGen)plan supported by the Federal Aviation Administration (FAA)aims to enhance the safety and efficiency of air transportationsystems [1], [2]. The air traffic surveillance network is a

Pangun Park is with the Electronics and TelecommunicationsResearch In-stitute, Korea, e-mail:pgpark@etri.re.kr. He was with the Departmentof Electrical Engineering and Computer Science, University of California atBerkeley, when contributing to this work. Harshad Khadilkar is with IBMResearch, India, e-mail:harshadk@mit.edu. He was with the Departmentof Aeronautics and Astronautics, Massachusetts Instituteof Technology, whencontributing to this work. Hamsa Balakrishnan is with the Department ofAeronautics and Astronautics, Massachusetts Institute ofTechnology, Cam-bridge, MA, e-mail:hamsa@mit.edu. Claire Tomlin is with the Departmentof Electrical Engineering and Computer Science, University of California atBerkeley, Berkeley, CA, e-mail:tomlin@eecs.berkeley.edu.

This work has been supported in part by NSF under CPS:ActionWebs(CNS-931843), by ONR under the HUNT (N0014-08-0696) and SMARTS(N00014-09-1-1051) MURIs and by grant N00014-12-1-0609, by AFOSRunder the CHASE MURI (FA9550-10-1-0567).

critical part of NextGen operations, responsible for safety,traffic efficiency, and pilot assistance [3]. In NextGen, aircraftwill carry new wireless communication and computing plat-forms, and have enhanced sensing capabilities. Interconnectedaircraft not only collect information about themselves andtheir environment, but they also exchange this informationinreal time with other nearby aircraft. Wireless communicationcan operate beyond the line-of-sight constraints of radar andvision solutions, and thus enables cooperative approachesforair traffic management.

Security is an essential consideration for upgrades in theair transportation system, because there is the risk of makingmalicious behavior easier [2], [4]. The high level of decentral-ization in NextGen has both advantages and disadvantages:a rich set of tools is offered to pilots and authorities, buta formidable set of vulnerabilities also develops. There arepotentially many hundreds of millions of communication de-vices in nationwide NextGen. It is recognized that in sucha system, each communication component represents a newpoint of system vulnerability, and the system must be an-alyzed to understand and mitigate the impact of an attackat such points.For instance, an adversary may induce lossof separation between aircraft by injecting incorrect datainthe satellite-based navigation system. These adversariesinjectfalse surveillance information to create a “malicious” aircraftwithout the aircraft’s knowledge.This misinformation may bere-transmitted by the aircraft, thus spreading to the rest ofthe network. As programmable sensors and actuators becomemore pervasive in NextGen, implementing appropriate securitymechanisms will become even more critical to the overallsafety and performance of the system.

The primary obstacle for designing a secure air transporta-tion system is the tight coupling between communication,computation, and control. There are several challenges insecuring NextGen air traffic management. First, many ofthe envisioned safety and pilot-assistance applications imposestrict deadlines on message delivery. Security mechanismsmust take these constraints into consideration and work withlow processing and messaging overhead. Otherwise, it wouldsuffice for an adversary to generate a high volume of false mes-sages and overload resources. Second, since position dissemi-nation is crucial for air traffic management, incorrect positioninformation has severe impact on both safety and efficiency.Each aircraft needs to know not only its own position but alsothose of other aircraft in its neighborhood. Global PositioningSystem (GPS) signals are weak, can be spoofed, and are proneto jamming [5], [6]. Existing solutions such as frequencyhopping do not completely solve the problem [7]. Third, to

2

locate the aircraft in three-dimensional space, a minimumof four distance measurements to neighboring aircraft arerequired for triangulation. However, it is hard to obtain reliablemeasurements in the presence of adversaries across an airtraffic surveillance network.

Finally, employing defense-in-depth methodologies, includ-ing fail-safe devices and fail-secure functionality, is a neces-sary part of any serious effort to protect NextGen. However,even a robust combination of such security systems is notsufficient for addressing the vulnerabilities of such a complexcontrol system. The above is especially true when reliableoperations must continue despite failures in the system. Toaddress this complex problem and provide comprehensivesecurity, all of the communication, computation, and controlsystems must be safeguarded in NextGen.

This paper addresses the fault detection and defense prob-lem of air traffic surveillance networks in enroute areas.Ground infrastructure in these areas is sparse, and severalregions are not covered by ground stations. Hence, the maindetection and defense mechanisms are implemented onboardaircraft. We assume that aircraft regularly broadcast their status(e.g., position, speed, and direction) along with warningsabout potential dangers using wireless communication [3].Further, to simplify the presentation in this paper, all aircraftare assumed to fly at the same altitude. This assumption isgenerally valid in enroute areas, yet the analysis is straight-forward to generalize to the case in which aircraft changealtitude. We propose mechanisms combining the detectionand defense algorithms of surveillance networks with a fault-tolerant control algorithm. Specifically, this consists ofthreemechanisms that allow aircraft to detect attacks and to resolveconflicts(violations of minimum separation requirements): (1)Fault detection of the GPS signal that increases the integrityof the GPS/Inertial Navigation System (INS) navigation loopin adversarial environments; (2) Distributed detection anddefense techniques using the Doppler effect and the ReceivedSignal Strength (RSS) measurement of received messages inorder to verify aircraft position through the GPS/INS system;and (3) A fault-tolerant control algorithm that accounts forthe uncertainty of surveillance information by introducingadditional separation. In contrast to other position verifica-tion approaches, our detection and defense mechanisms aredesigned for a general network environment where nodes orbeacons can move and no special hardware for ranging isavailable.

The remainder of this paper is organized as follows. Sec-tion II summarizes related work including localization tech-niques and control algorithms. Section III describes the modelsused for the air traffic and surveillance systems. Section IVpresents the proposed system architecture. In Section V, wepresent the state and measurement dynamics. Section VIexplains the GPS/INS loop that estimates the position ofaircraft. Section VII proposes a self-localization algorithmusing the Doppler effect and RSS measurements. Section VIIIpresents a fault detection technique using RSS measurements.Section IX describes a static verification algorithm to detectmalicious aircraft. Section X presents the control algorithm,and the system performance is evaluated in Section XI. Finally,

Section XII summarizes the contributions of the paper.

II. RELATED WORK

During recent years, many localization techniques have beenproposed for a variety of wireless network applications [8].We only provide a brief survey on localization techniquessuitable for air traffic surveillance networks. The localizationapproaches of air traffic networks differ in their assumptionsabout network deployment and hardware capabilities.

Centralized localization techniques would be impracticalforair traffic surveillance networks because of the high communi-cation costs and inherent delay, hence we focus on distributedlocalization techniques [9]. Distributed localization methodsuse only limited communication with nearby nodes [10]. Thesemethods can be classified as range-based or range-free. Range-based techniques use distance estimates or angle estimatesinlocation calculations, while range-free solutions dependonlyon the contents of received messages.Range-based approachesutilize time of arrival [11], time difference of arrival of twodifferent signals [12], angle of arrival [13], RSS [14], andDoppler shifts [15], [16].Some of these techniques requireexpensive separate hardware [11], [12], [13]. Moreover, sta-tionary models of radio signals are not realistic assumptionssince RSS measurements can be very sensitive to the channelenvironment [14].The range-based approach using Dopplershifts is less susceptible to multi-path propagation than theRSS-based ranging approach [14], [17], since reflections donot change the frequency of the signal. The Doppler effecthas been used extensively to estimate the velocity of trackedobjects or to improve the accuracy of tracking systems [15],[16]. In [15], the self-localization of sensors is developedbased on measuring Doppler shifts in a tone that is emittedfrom a mobile beacon. Each static node updates its locationinformation by using the location and heading of the beaconas well as the frequency of the acoustic tone. On the otherhand, in [16], the tracked node transmits a signal and stationarynodes measure the Doppler shifts of the transmitted signal.Anumber of stationary nodes are deployed around the trackednode and the tracked node cooperates with the tracking system.

None of these schemes address the problem encounteredin air traffic surveillance, in which both the nodes and thebeacons can move.They can be adapted for mobile networksby refreshing location estimates frequently, but are not de-signed with any explicit consideration for how mobility affectsthe localization performance. The only work we are awareof that considers localization with mobile nodes and beaconsis in [18]. They use the sequential Monte Carlo Localizationmethod for the random waypoint mobility model. Althoughit is very frequently used in mobile ad hoc networks, thismobility model is not realistic. The particle set can becomeeasily diffused, dispersing across the image plane in the LOPof the enroute layout. Moreover, this localization technique isvulnerable to internal adversaries, since range-free localizationdepends only the contents of received messages. In addition,the particle-based approximation of filtered density is notsufficient to characterize the tail behavior of true density. Thisproblem becomes more severe when the outliers are existent.

3

Previous localization techniques are vulnerable to severalkinds of attacks, and an attacker may be able to disrupt theintegrity or availability of all known localization techniques. Asecure range-free localization technique was developed in[19].However, it cannot detect and remove compromised beaconnodes. A number of authors have proposed using time-of-fightmeasurements and the speed of light to securely gain locationinformation about untrusted parties. A time-bounded protocolis proposed as a defense against man-in-the-middle attackson cryptographic identification schemes [20]. This protocolcan be used to verify the proximity of two devices connectedby a wired link. A protocol using temporal packet leashesis proposed for wireless networks to defend against similarattacks [21]. A new distance bounding protocol is proposedbased on ultrasound and radio wireless communication in [22].The protocol can only make an approximate decision aboutwhether or not a claimer is within a certain region. Thesesystems either require specific hardware or rely on an in-frastructure of verifiers to check positions. However, theseassumptions are not likely to hold in air traffic surveillancenetworks. It is desirable to be able to verify neighbors’ positionwithout any additional or dedicated devices. Furthermore,mosttechniques require beacon nodes to be numerous and evenlydistributed so that they can cover the whole network. Weare interested in performing localization in a more generalnetwork environment where no special hardware for rangingis available, the prior deployment of beacon nodes is unknown,the beacon density is low, and the node distribution is irregular.

Jamming attacks have been used as Denial-of-Service (DoS)attacks against different applications using wireless commu-nications. In [23], several techniques for the detection ofvarious jamming attacks are proposed and evaluated at MAClayer. The structure of this problem has been investigated inorder to identify tradeoffs and capture the impact of differentparameters on performance [24]. Optimal attack and networkdefense strategies were derived for the case of a single-channelwireless sensor network. The authors assume that all networknodes are uniformly distributed and that the topology is static.Countermeasures for coping with jammed regions in wirelessnetworks have been studied in [25], [7]. In [25], the use oflow density parity check codes was proposed to cope withjamming. Further, an anti-jamming technique was proposedfor 802.11b that involved the use of Reed-Solomon codes.In [7], a three-dimensional modulation scheme, known asmessage-driven frequency hopping (MDFH), was proposed.The basic idea of MDFH is that part of the message acts asthe pseudo-random sequence for carrier frequency selection atthe transmitter. The selection of carrier frequencies is directlycontrolled by the encrypted information stream rather thanbya predefined pseudo-random sequence as in conventional FH,in order to improve the system spectral efficiency.

The increasing importance of security in vehicular networkshas attracted [26]. Sybil attacks [27], in which an adversarycreates an illusion of traffic congestion by claiming multipleidentities, are known always be possible except under unreal-istic assumptions of resource and coordination among entitieswithout a logically centralized authority. Several techniquesto detect Sybil attacks in ad hoc networks, including radio

A2A communication

ADS-B ground station

A2I communication

Ground radar systemGround infrastructure

system

Airborne system

Satellite system

Safety msg Cryptographic materialADS-B

avionics

GPS

receiver

INS

Fig. 1: Proposed framework in enroute airspace.

resource testing, registration, and position verificationhavebeen studied [28]. Position verification is a more promisingapproach for vehicular networks, since radio resource testingrelies on specific assumptions on radio modules and registra-tion alone is not effective. A distributed detection schemeofSybil attacks is proposed for networks in which a set of fixedbase stations overhear a malicious node [29]. This schemewill not suit enroute air traffic management, since ground basestations are sparse, and several regions are not even covered.

Several studies in the past decade have addressed the controlof air traffic in a distributed setting [30]–[33]. However, thesestudies have not considered a combination of decentralizedcontrol with measurement and state uncertainty, nor havethey addressed security issues with the proposed protocols.Eulerian models of air traffic such as [32] are useful whenthe perspective is strategic rather than tactical. Centralizedalgorithms such as those proposed in [34] can handle thecomputational requirements, but such approaches are limitedin their scope when individual aircraft need to carry outconflict detection and resolution. In order to guarantee safetyin the presence of uncertainty, the theory of reachable setshasbeen shown to be highly effective [31]. However, the com-putational requirements of this method are too prohibitiveforfast distributed control. To the best of the authors’ knowledge,this paper is the first one to propose a framework combiningdetection and defense surveillance with robust control. Theproposed protocol is both computationally light and robustto uncertainty, as well as accidental or deliberate faults inmeasurement.

III. F RAMEWORK

The proposed framework with its components is illustratedin Fig. 1. The direction of the arrows represents the flowof information. The infrastructure of NextGen is comprisedof the mobile units (aircraft) and ground facilities. Aircraft-to-Aircraft (A2A) and Aircraft-to-Infrastructure (A2I) com-munication will enable safety-critical applications thatpro-vide warnings about accidents, traffic conditions and otherevents [2]. Secure air transportation systems are assumed torely on public key cryptography and digital signatures toprotect A2A and A2I messages in NextGen.

A. Communication Protocols

Automatic Dependent Surveillance-Broadcast (ADS-B) isdesigned to increase the safety, capacity, and efficiency ofthe

4

INS (V-B)

Doppler (V-C)

GPS (V-B)

KF (VI)

TX

RXRSS (V-C)

EKF (VII)

MMSE (VII)

Control (X)+

-

+

-

Verification (IX)

Verification (IX)

Distance

Position

Receive ADS-B msg

Transmit ADS-B msg

GPS/INS System

Doppler/RSS System

Position

KF

RS

S D

etection

(VIII)

Fig. 2: System architecture of Misbehavior Detection System. We add the section number corresponding to the explanation of each component.

airspace by enhancing information sharing between aircraftand ground facilities [3]. This system provides transmissionranges of typically60 to 100 nm, with data rates in the1 Mbpsrange. ADS-B uses1090 MHz frequency band, different fromthe operation bandwidth of GPS systems [6]. Safety messagesare signed and include the coordinates and time stamp ofthe sender. When an aircraft validates a certificate, it checkswhether its credential has been revoked. If the credential is notrevoked, it verifies the key used to sign the message and, oncethis is done correctly, it verifies the message. After validatingan ADS-B message, an aircraft stores the information in itslocation table. Since our detection and defense mechanismsare distributed and localized, we assume that most neighboringaircraft in the airspace can be trusted. This allows aircraft touse information from reliable neighbors in order to identifymalicious aircraft. It is reasonable to expect that only arelatively small percentage of aircraft (less than 10%) wouldbe malicious.

B. Adversary Model

The reliability of safety-critical control systems can bethreatened by a wide variety of failure modes, including fail-ures of the communication links, sensors, controllers, and/oractuators. While some failure modes result in complete lossof control, others would only result in loss of reliable control.

In this paper, we consider adversaries or attackers thatdisrupt the air traffic management by attacking the satellite-based navigation system.Any of these attacks can affect airtraffic management. There is a difference between maliciousand non-malicious misbehavior. Non-malicious misbehavior istypically random, and can be detected easily. On the otherhand, it is difficult to handle a sophisticated attack that ex-ploits weaknesses in the satellite-based navigation system. Anattacker can sufficiently modify messages to pass outlier detec-tion tests.For example, adversaries could jam satellite signalswithin their range and thus selectively or completely preventthe GPS updates.Further, a GPS spoofing attack broadcastsa slightly more powerful signal that the legitimate one, and

then slowly deviates away towards the position desired bythe attacker [5]. Therefore, the system needs to provide morecomprehensive protection from malicious misbehavior. Theproposed defense mechanisms apply to both malicious andnon-malicious misbehavior.

IV. SOLUTION OVERVIEW

This section provides an overview of the proposed archi-tecture of the Misbehavior Detection System (MDS) whoserole is to detect off-nominal aircraft. Each aircraft executesthis system, which functions in a distributed and localizedmanner. The details of each component are given in subsequentsections.

A necessary part of the design of autonomous systems is theinclusion of fault detection and identification algorithmswhichensure that aircraft operate in a safe and reliable manner. TheMDS protects the interface between aircraft networks, onboardcontrol units, and data and services required by other aircraft,as illustrated in Fig. 2. This system constantly monitors thestatus of onboard systems and provides real-time detectionof attacks. Further, the MDS controls the data flow fromexternal sources to the aircraft. We consider two approachesfor position verification in the MDS: a GPS/INS integratedsystem and a Doppler/RSS fusion process. A Kalman filter isused to fuse high frequency inertial sensor information withlow frequency GPS data in the GPS/INS integrated system.The Kalman filter estimates the errors in position and velocityusing the difference between external GPS sensor informationand inertial indicated information. An error propagation modelis used to fuse the observed and predicted positions andvelocities. These parameters are fed back to the INS unit. Toverify aircraft position through GPS/INS system, the detectionand defense mechanisms are designed using the Doppler effectand RSS measurements of received ADS-B messages. An Ex-tended Kalman Filter (EKF) is used to estimate the distance toneighboring aircraft. Given an adequate number of neighbors,the current position is obtained by using the Minimum MeanSquare Estimate (MMSE). Then, a Kalman filter predicts the

5

position of an aircraft based on the model of state dynamics.Once the Doppler/RSS-based position is obtained, predictedpositions are compared to the ones estimated by the GPS/INSsystem. If the two differ by more than a predefined threshold,the GPS/INS position is deemed adversarial and rejected.

The estimated distance to neighboring aircraft is also usedto verify neighbors’ reported position through ADS-B. If theestimated distance does not match with distance informationof a received ADS-B message, the verifying aircraft discardsthat message. Furthermore, we propose a simple detectiontechnique using the history of RSS measurements to verifyaircraft position. The control algorithm is responsible forcomputing the control action of an aircraft based upon the newobservation. The control algorithm accounts for the uncertaintyof the surveillance information in the detected malicious data.We emphasize that our mechanisms rely on the availabilityof prior information collected during periods of time whenit deems it is not under attack. In contrast to other positionverification approaches, we do not rely on special hardware oron preinstalled infrastructure [11], [12], [13], [29].

V. SYSTEM MODEL

This section presents the modeling of aircraft dynamics andvarious measurement models. As discussed in the previoussection, two different measurement models are used to designthe detection and defense mechanisms: GPS/INS system andDoppler/RSS system.

A. System Dynamics

The state of a moving aircraft at timek is defined by thevectorx(k) = (x(k), y(k), x(k), y(k), x(k), y(k)) wherex(k)andy(k) specify the position,x(k) andy(k) specify the speed,and x(k) and y(k) specify the acceleration in thex and ydirections in a two-dimensional space. The aircraft dynamicscan be described by a discrete-time linear time-invariant model

x(k) = Fx(k − 1) +w(k) (1)

wherex(k) ∈ R6 is the state vector,F is the state transition

matrix, andw(k) ∈ R6 is white Gaussian noise with zero

mean and covariance matrixQ(k) > 0, i.e. E[w(k)] = 0and E[w(k)w(k)T ] = Q(k). The covariance matrixQ(k)of w(k) is Q(k) = σ2

wI, where I denotes the unit matrixandσw is the standard deviation.Note that the system modeldoes not include the input set. The control input is based onthe information of GPS/INS system. However, the informationresource of GPS/INS system is not secure under attack.

The time scale for reaction to events as described in thispaper is of the order of several seconds. We therefore assumethat the changes in velocity are accomplished by the nexttime step of the simulation. Maximum and minimum velocityis specified in the optimization problem, and includes thephysical limits of the aircraft at the given altitude in Section X.Furthermore, since the time scale for reaction is long, it isnot required to capture computationally intensive equationsof state dynamics, such as the six degree of freedom modelsused in simulators.The state dynamics in this paper aremodeled as a Wiener-sequence acceleration model [35]. This

model provides a good compromise between complexity andperformance in the modeling of aircraft dynamics. In such amodel,F andw are equal to:

F =

I2 ∆tI2∆2

t

2 I2O2 I2 ∆tI2O2 O2 I2

and w(k) =

∆2t

2 B∆tBB

ψ(k) where∆t is the elapsed time

since the last time step, andψ(k) ∈ R is zero mean whiteGaussian noise with assumed known covariance.I2 ∈ R

2×2 isthe identity matrix,O2 ∈ R

2×2 is a zero matrix, andB ∈ R2×1

is a matrix for which all elements are equal to1. The stateerror depends on the length of time between two calibrationsusing surveillance information, which in turn depends on thenetwork performance and security. For instance, adversariescan jam GPS signals within their range to increase the timeinterval between calibrations of GPS receivers.Since controlstability is expected to be subject to a maximum latency inthe sensing layer of the network, it is necessary to ensurethat the time difference between two calibrations satisfiesthe maximum latency acceptable to the control algorithm.We derive the value of the maximum allowable latency inSection X-F.

The general measurement model is represented as

z(k) = Hx(k) + v(k) , (2)

wherez(k) ∈ Rm is the measurement vector of the sensor and

H ∈ Rm×n is the measurement matrix.v(k) ∈ R

m is whiteGaussian observation noise with zero mean and with assumedknown covariance matrixR(k) = E[v(k)v(k)T ].

In the next subsections we will describe the two specificmeasurement models that we use in the proposed architecture.Accurate analysis of measurement error is essential to ensuringeffective data fusion of GPS/INS system and Doppler/RSSsystem, as we will discuss in Sections VI and VII. Fur-thermore, the error bound of measurement error is criticalfor controller design. Additional separation is introduced tocompensate for the uncertainty of surveillance informationdue to adversaries. Hence, it is essential to characterize theuncertainties in position and velocity for aircraft. This isdiscussed in detail in Section X.

B. Measurement Dynamics of the GPS/INS

A simple measurement model for GPS is,

zgps(k) = Hgps(k)x(k) + vgps(k) (3)

whereHgps =

I2 O2 O2

O2 I2 O2

O2 O2 O2

, zgps(k) ∈ R6 is the GPS

measurement vector, andvgps(k) ∈ R6 is zero mean white

Gaussian noise with known covarianceRgps(k).The observed variable from the inertial sensor is the acceler-

ation for the Inertial Measurement Unit (IMU) in an absoluteframe of reference. A simplified IMU measurement model is,

zimu(k) = Himux(k) + vimu(k) (4)

6

where Himu =

O2 O2 O2

O2 O2 O2

O2 O2 I2

, zimu(k) ∈ R6 is the

IMU measurement vector, andvimu(k) ∈ R6 is zero mean

white Gaussian noise having known covarianceRimu(k). Theprocessed acceleration measured by the IMU is integrated toobtain velocity and position. Each aircraft estimates the statex(k) using the measurement model in Eqs. (3) and (4).

The error bounds of IMU sensors provide an explicitmeasure of the IMU performance, when it is the sole meansof navigation (due to GPS outage) [36], [37]. The stochasticerrors in inertial sensors cause the subsequent numericalintegrations of the measurements to exhibit an ever increasingvariance. By using Euler’s method, the variance of doubleintegrated wide-band noise is

σ2x = t4sσ

2ω

k(k + 1)(2k + 1)

6,

wherets is the sampling interval,σω is the standard deviationof wide-band noise, andk is the number of samples. Notethat the variance in position error due to wide-band noise isafunction of the sampling interval, the noise variance and time.Thus, without any external resetting properties, white noisewill cause an unbounded error growth in the IMU sensors.

C. Measurement Dynamics of Doppler Effect and RSS

To verify aircraft position through GPS/INS system, wepropose a technique for the self-localization of aircraft usingthe Doppler effect and the RSS measurements. This sectiondescribes the measurement dynamics of Doppler effect andRSS of received ADS-B messages for aircraft localization.

A well known phenomenon that is observed when objectsmove relative to each other is the Doppler effect. The Dopplereffect describes this situation in which an object transmits asignal and moves relative to an observer, the frequency ofthe observed signal will be shifted and the magnitude of theshift depends on the frequency of the signal and the velocityof the transmitter and observer relative to each other. In themethod proposed, the frequency offset in the receiver is usedas the observed state for distance estimation and localization.Modern air traffic control radars use the Doppler effect todiscriminate moving aircraft from stationary targets [38]. Eventhough several localization techniques based on Doppler effecthave been proposed, none of these schemes target the casewhen nodes and beacons can move [15], [16].Using theDoppler effect in our proposed architecture as a verification ofGPS/INS is attractive since it relies on the smoothness of theDoppler shift and the ability to predict it with low, essentiallyconstant errors over long periods of time. This is in contrast tothe IMU sensors, whose error grows exponentially with time.Further, this approach is robust, since reflections do not changethe frequency of the signal.

The frequency of the signal observed by a receiver movingrelative to a transmitter can be written as follows:

fr = ft −ftc

(

~vij ·~rijrij

)

(5)

wherefr is the detected frequency,ft is the frequency of thetransmitted radio signal,c is the speed of the light,~vij is the

θij(k)

θji(k)

θij(k + 1)

θji(k + 1)

d(k)d(k + 1)

!vi

!vj

Fig. 3: Geometry for calculating the distance and relative anglebetween aircraft using the Doppler effect.

relative velocity of the receiver,~rij is the range vector fromthe transmitteri to the receiverj, and ~rij

rijis the unit length

vector. Eq. (5) allows us to compute the relative speed of thetracked aircraft to the receiver, if the transmitted frequencyft is known. Note that estimating the transmitted frequencywith sufficient accuracy is required in the ADS-B standard [3].Eq. (5) can be written in a scalar form as follows:

fr = ft −ftcvij cos θij ,

wherevij is the relative scalar velocity between the receiverand the transmitter andθij is the angle between the rangevector and the direction of travel of the receiver. Therefore,

∆f =vij cos θij

−λt(6)

where∆f = fr − ft and wavelengthλt = cft

. Consequently,we use Eq. (6) to compute the relative angle of the transmitterand the receiver, if the difference between the two frequenciesas well as the relative speed are known. Note that estimatingthe frequency difference is possible using the radio transceiveron the aircraft. We assume that aircraft communicate theirspeeds as measured by the IMU sensors via ADS-B.

Consider the geometrical layout shown in Fig. 3. Let thedistance between aircrafti and j at time k be d(k), theirrespective velocity vectors be~vi(k) and~vj(k), and the relativeangles beθij(k) andθji(k). Then, the distance between themis given by

d(k + 1) =[(d(k)− vi∆t cos θij − vj∆t cos θji)

2

+(vi∆t sin θij + vj∆t sin θji)2]0.5

(7)

where∆t is the elapsed time since the last time step. More-over, the update equation for the relative angleθij is

θij(k + 1) =

π

2+ θij(k)− cos−1

(vi∆t sin θij(k) + vj∆t sin θji(k)

d(k + 1)

)

.

Sinced≫ |vi∆t sin θij(k)+vj∆t sin θji(k)|, we approximate

cos−1

(vi∆t sin θij(k) + vj∆t sin θji(k)

d(k + 1)

)

≈

cos−1

(vi∆t sin θij(k) + vj∆t sin θji(k)

d(k)

)

.

By using the Taylor series expansion for the arccos function,the approximated update of the relative angleθij is

θij(k + 1) = θij(k)−vi∆t sin θij(k) + vj∆t sin θji(k)

d(k).

7

We can derive a similar iterative update equation for the otherrelative angle,θji.

We define the new state vector at timek as xdop(k) =(d(k), θij(k), θji(k)) where d(k) specifies the distance be-tween aircrafti and j, θij and θji specify the relative anglein a two-dimensional space. The distance between aircraft canbe described by a discrete-time nonlinear model

xdop(k + 1) = fdop(xdop(k)) +wdop(k) (8)

zdop(k) = hdop(xdop(k)) + vdop(k) (9)

wherexdop(k) ∈ R3 is the state vector,fdop(xdop(k)) is the

state transition matrix,wdop(k) ∈ R3 is white Gaussian noise

with zero mean and covarianceQdop(k) > 0. The covariancematrix Qdop(k) is given byQdop(k) = σ2

dI, whereI denotesthe unit matrix andσd is the standard deviation.zdop(k) ∈ R

2

is the measurement vector of the sensor,vdop(k) ∈ R2 is

the white Gaussian observation noise with zero mean and aknown covarianceRdop(k) = E[vdop(k)vdop(k)

T ]. Finally,hdop(xdop(k)) is the measurement matrix.

The state model is

fdop(xdop(k + 1)) =

d(k + 1)

θij(k)− vi∆t sin θij(k)+vj∆t sin θji(k)d(k) + w1

θji(k)− vi∆t sin θij(k)+vj∆t sin θji(k)d(k) + w2

(10)

where d(k + 1) is given in Eq. (7). The error in distanceestimation depends on the length of time between two cal-ibrations, which depends on the performance of ADS-B. Themeasurement model for the Doppler effect is

hdop(xdop(k)) =

(vij cos θij(k)

−λt+ v1

~vji cos θji(k)−λt

+ v2

)

. (11)

Now, we present a widely-used radio signal propagationmodel considering two factors that may incur signal attenu-ation: path loss and shadowing [17]. The received powerPr

(measured in dB) that the aircraft receives from a particulartransmitter at timetk can be modeled as,

Pr(tk) = Pt(tk)− PL0 − 10α(tk) log

(d(tk)

d0

)

+Xg (12)

where Pt(tk) is the transmission power indBm, d0 is areference position,d(tk) is the position where the signalstrength is measured,PL0 is a correction constant whichdescribes the additional loss at a reference position,α(tk) iscalled the path loss exponent, andXg is a Gaussian randomvariable with zero mean and standard deviationσg. The pathloss exponent normally ranges from2 to 6 (default valueα = 2in ADS-B network [39]).

VI. SENSORFUSION FORGPSAND INS

A Kalman filter is used to fuse GPS and INS information.The GPS/INS loop uses a full two-dimensional inertial navi-gation unit as an internal sensor and a differential GPS unitasan external sensor. The actual implementation proposed fortheGPS/INS integration loop is presented in Fig. 2. The Kalmanfilter is extensively used for GPS/INS data fusion [36], [37].

We adapt the standard GPS/INS integration loop for an adver-sarial environment: in particular, we include fault detection ofthe GPS signal by designing an error threshold derived fromstatistical reasoning and a condition on the Geometric Dilutionof Precision (GDOP) [40] value to determine whether the GPSdata is valid. The validation procedure uses the innovations andtheir associated covariances evaluated by the filter to determinethe whiteness and unbiasedness of the innovations. The chi-squared distribution test provides a validation process whichutilizes the theoretical properties of the innovation sequence.The threshold value is determined prior to the fusion processand represents the probability that a particular observationlies within an ellipsoid.The GDOP error mechanism ariseswhen the trilateration geometry of the measurement sensorsgenerates Lines-of-Position (LOP) which are nearly collinear(i.e., not orthogonal). Two positions are nearly collinearif theylie almost on the same line, that is, if the angle between themis small. When such a condition exists, the measurement errorscan be blown up to determine a position.

The uncertainty in the GPS fix, or reported position, canincrease depending on the aircraft’s environment, that is,theuncertainty increases when the system is under attack throughjamming or injection of malicious navigation messages. TheGPS fixes have to be constantly monitored in order to de-termine if they are faulty. The GDOP indicator is consideredto determine the rejection threshold of the measurement, de-pending on the geometry of the satellites. During the rejectionof erroneous position GPS fixes, the fusion process remainsat the prediction stage, and subsequently, the INS determinesthe navigation states. For GPS/INS-based navigators, theseanalytical results provide simple predictions of the robustnessof the systems to temporary GPS outage.

VII. D ATA FUSION IN DOPPLER/RSS LOOP

This section describes an approach to the self-localization ofaircraft using the Doppler effect and the RSS measurements.The objective of this algorithm is to verify GPS positionsusing independently received ADS-B messages. Each aircraftbroadcasts its own location to its neighbors using ADS-B. Neighboring aircraft measure their separation from theirneighbors and use the Doppler effect and RSS measurementsto estimate their own positions. The fusion process estimatesaircraft position in three phases as illustrated in Fig. 2. An EKFis first used to estimate the distance to neighboring aircraftusing the Doppler effect and RSS measurements. We use theEKF because we are dealing with a nonlinear relationshipbetween observed frequency and inter-aircraft distance asexplained in Section V-C. The EKF utilizes RSS observationsin order to determine the distance error, and this is then usedto correct the distance estimated using the Doppler effect.

We calibrate the path loss exponent factor of the RSS-basedranging technique. Assuming that the path loss exponent isslowly varying, the RSS is used to estimate the current distanceand the path loss factor can be calculated from the estimateddistance using the EKF. Givend0 andPL0, the distanced andthe path loss factorα are computed from Eq. (12). Given aranging technology that estimates aircraft separation, a MMSE

8

Algorithm 1: Estimation of distance and channel model.Input : Initialization k = 0, w = 0.9, α = 2Output : d, α, σg

beginfor ever do

// RSS VerificationPL(k) ;// Path loss exponent update

α =PL(k)−PL0

10 log

(

d(k)d0

) ;

α(k + 1) = wα(k) + (1 − w)α// Current distance update using RSS

d = d010PL(k)−PL010α(k+1) ;

// Distance update using EKFd(k + 1) = EKF(d(k),∆f, d)// Variance update

P r(k) = Pt(k) − PL0 − 10α(k + 1) log(

d(k)d0

)

;

σ2g = 1

N

∑Ni=1

(

Pr(k) − P r(k))

;k = k + 1

is used to estimate the actual position of the aircraft. In orderto construct confidence intervals, we estimate the covariancematrix of the estimated position. We use the exponentiallyweighted moving standard deviation since the sample size maybe small in enroute areas [41]. Finally, a Kalman filter is usedto predict the position by using the model for state dynamicsdescribed in Section V-A.

VIII. RSS DETECTION

In this section, we investigate the feasibility of usingsignal strength measurement to verify aircraft position. Bysuccessively measuring RSS variations, we obtain an estimateof the evolution of relative position between aircraft. Thisrough localization gives a sufficiently accurate indication ofthe coherence of the RSS measurements. The objective of thedetection algorithm is to allow aircrafti to estimate the signalstrength received from an aircraftj, based on previous RSSmeasurements. Such an approach can detect the intrusion of amalicious aircraft in the network. Let us consider the situationin which the aircrafti measures the strength of the receivedsignal Pr from aircraft j at tk−1. The possible locations ofaircraft j with velocity vj in the future form a circle whosecenter is the previous position of aircrafti and whose radiusis equal tovj∆t at tk = tk−1 + ∆t. Aircraft i measures themaximum RSS,Pmax

r (tk), when aircraftj is at the nearestposition to aircrafti, and the minimum RSS,Pmin

r (tk), whenthe aircraft j is at the most distant position from aircrafti , Pmin

r (tk) ≤ Pr(tk) ≤ Pmaxr (tk). The maximum velocity

of aircraft is limited by physical laws tovmax. Therefore, aclaimed position update should be within a predicted spacewindow, calculated around the aircraft’s previous position anda radius of2vmax∆t. From the radio propagation model, theRSS at timetk is

Pr(tk) = Pr(tk−1) + log

(d(tk−1)

d(tk)

)

+Xg . (13)

The RSS measured by the aircrafti should belong to theinterval of(Pmin

r (tk), Pmaxr (tk)) at tk = tk−1+∆t. If the RSS

differs from the predicted signal strength for each neighboringaircraft by more than the defined thresholds, the receiver can

deem the received signal as the product of an attack. Ourlocalization technique uses only the history of RSS to delivera reliable and fast detection. We verify the RSS measurementby using one sample z-test [42].

IX. POSITION VERIFICATION

We present a simple statistical algorithm to detect whetheran aircraft is transmitting its actual position. Various model-based fault detection techniques have been discussed in [43].Each aircraft executes this algorithm when enough measure-ments from a neighbor are collected. We divide the observationperiod,T , into discrete time intervals,t1, . . . , tn. The claimedpositions of an aircrafti form a sequence:ρ(t1), . . . , ρ(tn),and the estimated positions:ρ(t1), . . . , ρ(tn) wheren is thesample size. Assuming thati is a nominal aircraft, the esti-mated positionρ(ti) contains only random errors and shouldfollow a normal distribution. The differencedi = ρ(ti)−ρ(ti)should follow the standard normal distribution with meanµ0 = 0 and varianceσ2

0 . Since the mean should beµ0, thetwo-tailed t-test [42] is

|t| =∣∣∣∣

d− µ0

σ/√n

∣∣∣∣

where d is the mean of the samples andσ is the standarddeviation of the samples. The number of degrees of freedomin this test isn− 1.

X. CONTROL ALGORITHM

The different detection and defense mechanisms presentedin this paper significantly limit the options of adversaries,but these mechanisms are still insufficient for addressingsome vulnerabilities. Whether due to inadvertent failure,error,or malicious action, reliable control also requires correctivemechanisms and fault-tolerant algorithms.

Fig. 4 shows a simplified model of a small section ofenroute airspace. It depicts the intersection of four jet routesat the same altitude. This results in four intersection points100 kilometers apart, and a total of 12 links. Designatedintersections of two or more paths in the airspace are known asfixes, while the straight-line paths between two fixes are calledlinks. Assuming that the jet routes are unidirectional, theflightpath of each aircraft includes two orthogonal intersections.

A. Objectives and Constraints

We propose a control algorithm to minimize the flighttimes of aircraft from origin to destination points in theairspace representation. The primary control variable in thisformulation is a change in velocity. A minimum separationrequirement between each pair of aircraft is imposed for safety.The primary objective of the control algorithm is to meet thisseparation standard with a predefined minimum probability inadversarial environments. From an implementation perspec-tive, it is also desirable to reduce the number of trajectorymodifications [44]. An aircraft is sent to a holding pattern(assumed to be an elliptical trajectory designed to introduceseparation between aircraft) only if no feasible velocity isfound to resolve a projected conflict. The proposed control

9

Kilometer East

Kilo

me

ter

Nor

th

Fig. 4: A simplified layout of enroute airspace, which we use in oursimulations.

algorithm is considered to be automatically implementablebythe aircraft implicated in a potential conflict. This would be inthe form of advisories from the onboard algorithm providinginformation to the pilot. We assume that the aircraft underattack will not make any aggressive maneuvers, that is, itsheading and velocity changes will be small.

The relative geometry between a given pair of aircraftdepends on the links that they currently occupy. Broadly, anytwo links in the network in Fig. 4 can be classified as beingpaired or unpaired. Two links are said to be paired if theylead to the same fix, otherwise they are said to be unpaired.This distinction is important when considering the separationrequirement between aircraft. If two aircraft are on pairedlinks, the point of closest approach between them may occurbefore the merge point. In the next section, a geometricalconstraint on the velocity of the trailing aircraft in a pairedmerge is derived.

B. Velocity Constraint for Paired Merges

Consider the geometrical layout shown in Fig. 5.Let usdefine the “time of contact” to be the time instance whenaircraft B receives a broadcast from aircraft A for the firsttime. Let the relative position of aircraft A with respect to Bat the time of contact be~r0, their respective velocity vectorsbe~vA and~vB, and the merge angle beθ = π

2 . Let the relativevelocity be given by~vr = ~vA − ~vB and the angle between~r0and~vr by φ. Then the distance and time of closest approachbetween A and B can be calculated using the relations derivedin [45]. The time of closest approach is given by

tc = −(~r0 · ~vr~vr · ~vr

)

,

and the relative position at the instant of closest approachis

~rc = ~r0 + ~vr tc = ~r0 − ~vr

(~r0 · ~vr~vr · ~vr

)

.

The magnitude of the distance of closest approach is given by

r2c = ~rc · ~rc = r20 sin 2φ.

Let the minimum separation required between two aircraftat any time besmin. The maximum allowable value ofφ isdefined by the minimum separation requirementsmin and anadditional valueǫ, and is given by

r20 sin 2φ = (smin + ǫ)2 ⇒ sinφ =smin + ǫ

r0. (14)

θ

!vA

!vB

A

B !vB

!vA!vA − !vB

φ!r0

Fig. 5: Geometry for calculating the distance of closest approach.

The additional separationǫ is added tosmin in order tomeet the separation constraint with a probabilityβ. Thefunction of this additional separation is to compensate forthe effect of adversaries. The value ofǫ is a function of theuncertainties in position and velocity for the two aircraft. Ifthe uncertainties are assumed to be Gaussian and independent,ǫ = σΦ−1(1−β

2 ), whereσ is the standard deviation of theposition andΦ is the cumulative Gaussian function. The higherthe value ofβ and/or the measurement uncertainty, the moreconservative the control strategy. Note that the initial distancebetween A and B should be more than(smin+ ǫ) for Eq. (14)to be valid. The value ofφ decreases monotonically afterinitial contact, and the point of closest approach is reachedwhenφ = π

2 . Therefore, if the initial value ofφ is less thanπ2 , the distance between A and B increases monotonically.To maximizevB while still maintaining separation, it shouldsatisfy Eq. (14) withφ > π

2 . Finally, this constraint is notactive if φ < π

2 , or if the projected point of closest approachis beyond the merge point.

C. Optimal Velocities for Paired Merges

Suppose aircraft A and B are at a distancesA and sBrespectively from the merge point in Fig. 5. The optimalvelocities vA and vB that minimize the time at which thetrailing aircraft B reaches the merge point are given by:

minvA,vB

sBvB

(15)

s.t. vA ≤ vA,max, vB ≥ vB,min (Feasibility)

vB ≤ f(vA, sA, sB). (Separation)

Here, the constraintf on vB considers the uncertainty ofsurveillance information due to adversaries, as explainedinSection X-B. Optimal values ofvA andvB can be calculatedusing Lagrange multipliers, and are given byvA = vA,max,with vB satisfying the separation constraint with equality.Note that this result simplifies the implementation of thedecentralized version of the problem. Since aircraft A alwaysflies at the maximum feasible velocity (subject to physicalconstraints and upstream traffic) and transmits thisvA,max aspart of its ADS-B broadcast, aircraft B is able to compute itsown optimal velocity unilaterally.

D. Synthesized Control Strategy

The nominal control algorithm uses local information re-ceived from ADS-B transmissions. In this paper, each ADS-Bmessage is assumed to include a time stamp, and the maximumand minimum achievable velocities of the aircraft. Position andvelocity reports are included in ADS-B by default. Conflict

10

detection is carried out in a pairwise fashion for each pair ofaircraft. When an aircraft A receives a broadcast from aircraftB for the first time, it first decides whether the new aircraft islikely to be a factor in its own trajectory. Only two types ofengagements carry the risk of a conflict: aircraft that are onthe same link, or on intersecting links approaching the sameintersection point. In the above scenario, if aircraft B is on thesame link and ahead of aircraft A, conflict resolution is theresponsibility of aircraft A. It ensures that its own velocity islow enough to not risk a breach of the separation standard withaircraft B. On the other hand, if aircraft B is on another linkbutheading to the same intersection point, a pairwise precedenceorder first needs to be calculated. Aircraft A has precedenceifits projected time at the intersection is earlier than that foraircraft B. In that case, aircraft A does not carry out anyresolution maneuver. If aircraft B is expected to cross theintersection before aircraft A, the optimal velocity for aircraftA is calculated. Hence, resolution maneuvers (if required)arecomputed for the aircraft that are lower in the priority order.Consequently, an aircraft that isith in the priority order couldhave up to(i − 1) downward adjustments of its computedvelocity while the control algorithm is processing data. Ifthecomputed velocity is less than the least feasible velocity,it iscommanded to enter a holding pattern in order to maintainseparation. Finally, in addition to the detection of a newaircraft, an aircraft recalculates its velocity if there isa changein state (link, velocity or hold) of another aircraft already beingtracked. Since each pair of aircraft decides on a mutual orderat the merge point, a unique ordering of all aircraft headingto a given merge point is developed.

Due to stochastic transmission times and possible packetloss, state updates between aircraft are asynchronous. How-ever, the time stamp within each ADS-B message allows theestimation of the current state of each aircraft, and also reducesthe likelihood of inconsistent calculations in the distributedalgorithm. Additionally, it guards against a mismatch causedby the clocks on two aircraft not being synchronized. As longas all aircraft use the transmitted time stamps, computationswill be consistent.

E. Handling Untrustworthy Aircraft

When a transmitting aircraft is judged to be untrustworthy,only the distance to the aircraft and the relative velocity isassumed to be reliable. The distance to the aircraft is obtainedby using the Doppler effect and RSS of received ADS-Bmessages as illustrated in Algorithm 1. A modified version ofthe nominal control algorithm is used by the receiving aircraft,in order to ensure separation from the compromised aircraft.A projection of the expected relative distance and velocityismade using the last known reliable report. The uncertainty inthis position and velocity is then estimated using the differencefrom the measured distance and velocity. The uncertainty instate for the aircraft under attack is much larger than theaircraft which has nominal navigational performance.

When an aircraft determines that it is under attack, thecontrol algorithm commands it to fly straight and level at thecurrent velocity. While this strategy may not be feasible in

congested arrival airspace with predefined approach paths,itis reasonable for enroute airspace. Moreover, it ensures that theaircraft does not make any maneuvers that are not expectedby the surrounding traffic. It retains maximum accuracy ofthe INS as explained in Section VI. Finally, it also guaranteesthat the aircraft will fly out of the area under attack in a finiteamount of time.

F. Challenges to Control Implementation

There are several issues to overcome before the proposedalgorithm can be implemented in practice. There is a non-zeroprobability that two aircraft are projected to reach their mergepoint at exactly the same time. In this case, the asynchronousnature of ADS-B transmissions proves beneficial [3]. Thecontrol algorithm is set to give precedence to the otheraircraft in case of deadlock. Since it is very likely that oneaircraft receives a state update before the other, it will alreadyhave slowed down by the time the other aircraft begins itscomputations. Even if message delivery is nearly simultaneousand both aircraft reduce their own velocities, a small timedifference between the adjustments will be sufficient to resolvethe deadlock in the next computation cycle.

The same logic can be extended to non-cooperative aircraftin the airspace. If an aircraft that is expected to slow downdoes not do so, other aircraft can modify their own velocitiesin order to deconflict with it. This control logic can be usedin the case of mixed ADS-B equipage or malicious ADS-Bsystem. Actual non-cooperative behavior can be differentiatedfrom message reception failure by using the State UpdateInterval (SUI) to calculate the probability of no messagesbeing received by the aircraft in a given time window. Wedefine the SUI as the elapsed time between successive statevector reports. The SUI is important from the point of viewof stability of the control algorithm, for example, if an aircrafthas to slow down suddenly.

The maximum allowable SUI that retains network stabilityis derived below. It is assumed that aircraft arriving earlier atthe merge point have higher priority, and that they can changetheir velocities without considering the aircraft behind them.Suppose aircraft A, flying at velocitiesvA, and B, flying atvB,from Fig. 5 have previously made contact while at distancessA andsB from the merge point, and aircraft A has priority.Aircraft A reduces its velocity tov′A ≤ vA while at a distancedA from the merge point. Aircraft B, which is at distancedB from the merge point, needs to adjust its own velocityto maintain separation with aircraft A. Nominally, aircraft Awould reach the merge point after a further timetA = dA

vA,

which is changed tot′A = dA

v′

A

≥ tA. The instant of closestapproach can be approximated by assuming that aircraft B isgoing to be in conflict with aircraft A at a time(t′A − tA),before aircraft A arrives at the merge point.ηA denotes themaximum allowable SUI after which aircraft B can receive anupdate from aircraft A, and still not have to enter a holdingpattern. In other words, aircraft B flies at its original velocityfor a further timeηA, after which it slows tovB,min untilaircraft A is at the merge point. At this time, aircraft B needsto be at a distancesmin + ǫ from it, whereǫ is the additional

11

padding required due to adversaries. Equating the distancecovered by aircraft B up to timetA in the nominal case andup to timet′A under the actual case, yields:

dB − smin− ǫ = vB ηA + vB,min

(dAv′A

− ηA

)

︸ ︷︷ ︸

Actual scenario

= vBdAvA.

︸ ︷︷ ︸

Original scenario

Simplifying the above equation, the maximum allowable SUIfor communication from aircraft A to aircraft B is

ηA =

dA

vAvB − dA

v′

A

vB,min

vB − vB,min. (16)

Eq. (16) suggests that asdA decreases, that is, as aircraft Aapproaches the merge point, it needs to provide faster updatesin case of velocity changes. If aircraft B is already flying atits minimum speed (vB = vB,min), then v′A = vA, that is,aircraft A cannot slow down without causing aircraft B tochange its trajectory to maintain separation. In the nominalcase,vA = v′A and Eq. (16) impliesηA = dA

vA. Aircraft A

only needs to transmit an update when it reaches the mergepoint, supporting the assumption that control computationsneed only be run when aircraft transition from one link toanother. For anyv′A < vA, the maximum allowable SUI isless thandA

vA, that is, there must be an update before aircraft

A arrives at the intersection. Note that the minimum updateinterval is independent of position uncertainty. This is becausethe uncertainties are introduced into the formulation as anadditive term to the minimum separation, they cancel out whenconsidering only a change in aircraft velocity.

XI. PERFORMANCEEVALUATION

We evaluate the performance of the proposed system interms of the congestion and instability of air traffic man-agement along with the performance of the detection anddefense algorithms under attack.The simulations are carriedout using a simple model of air traffic operations, depictedin Fig. 4. For the simulations presented in this section, weassume that an adversary is located in the center of the enroutelayout in Fig. 4. We consider a nominal rangeR, withinwhich adversarial transmissions can be received. We fix themaximum attack rangeR = 100 km that covers the mostcongested area of the enroute layout. We call this the areaunder attack. The more powerful radios an adversary has, thehigher its potential impact can be. For instance, adversaries canlock on actual GPS signals for a period of time when enteringan area under attack. We abstract the physical properties ofthe adversarial equipment and consider the periods of timeit can cause unavailability and keep the receiver locked onthe spoofed signal. We conjecture that persistent disruptionof data transmission is the worst form of attack, as it hasthe most severe impact. Further, a sophisticated attacker couldselectively inject malicious data while avoiding detection.

We evaluate the effectiveness of the detection and thedefense algorithms in a variety of setups, to gain insight intothe role of each component of the system. We capture theuncertain nature of air traffic demand by the assumption thataircraft appear at the boundary of the simulated region as a

0 0.2 0.4 0.6 0.8 1

0

10

20

30

40

50

60

70

80

λ=100s

λ=200s

λ=300s

Attack probability

Ave

rage

posi

tion

err

or(m

)

(a)

0 0.2 0.4 0.6 0.8 1−50

0

50

100

150

200

250

300

350

400

450

λ=100s

λ=200s

λ=300s

Attack probability

Ave

rage

num

ber

ofho

lds

per

hour

(b)

Fig. 6: Average position error and average number of holds perhour as a function of different attack probabilitiesp = 0, . . . , 1 fordifferent traffic loadsλ = 100, 200, 300 s. The vertical bars indicatethe standard deviation as obtained from6 experimental runs of 5.5hours each.

Poisson process with average inter-arrival timeλ = 300 s. Toaccount for future traffic levels, 1.5 times(λ = 200 s) and 3times the current traffic level(λ = 100 s) are also simulated.Individual flights are simulated from their initial appearance200 km from the center, until their arrival to the fixes in Fig. 4.The simulation data was obtained from6 experiments, witheach repetition lasting5.5 hours.

A. GPS Jamming Attack

An adversary jams the GPS signal in a nominal rangeR = 100 km with a certain attack probability per second.Whenever an aircraft gets GPS data, it either uses it to estimatethe position or it rejects the GPS data if it deems it unreliable.

Fig. 6 shows the average position error and average numberof holds per hour as a function of different attack probabilitiesp = 0, . . . , 1 for traffic loads λ = 100, 200, 300 s, withthe vertical bars indicating the standard deviation of thesamples around the average. The attack probabilityp = 1has the most severe impact since GPS system is completelyjammed. The key metric for evaluating a defense technique isthe accuracy of the position estimates under attack. Further,holding patterns in the airspace are an indicator of congestionand instability within the network.We see that the onset ofinstability is immediate for the highest traffic case, indicating

12

200 400 600 800 1000 1200 1400 1600

0

0.2

0.4

0.6

0.8

1

Time (s)

Jam

min

ga

ttack

sequ

enc

e

(a)

200 400 600 800 1000 1200 1400 16000

2

4

6

8

10

12

14

16

18

Time (s)

Pos

ition

err

or(m

)

(b)

Fig. 7: Jamming attack sequence and position error of GPS/INSintegrated system.

that the nominal stability margin is quite small.These holdsare necessary when just a velocity change by an aircraft cannotguarantee safety. In dense traffic, one holding pattern typicallycauses a cascade of holding patterns upstream, affecting a largesection of the airspace.

In Fig. 6(a), the average position error increases as the attackprobability increases due to the GPS jamming attack. Thegate function of the GPS/INS system rejects jammed GPSsignals. The position error increases quadratically when it isthe sole means of navigation as explained in Section V-B.During the affected portion of the trajectory, the filter remainsin the prediction stage and the IMU runs stand-alone. As theuncertainties of position and velocity increase, the control al-gorithm increases the separation between aircraft to guaranteethe safety. Fig. 6(b) emphasizes the unstable nature of thenetwork as the frequency of GPS jamming attack increases.We observe the increase in position error as the air traffic loadincreases under GPS jamming attack. The position of aircraftsuddenly changes when it enters the holding mode under thehigh traffic load. Hence, the uncertainty in the observed errorof the IMU increases as the traffic load increases under GPSjamming attack. However, the error of the Kalman filer is notsignificant around several meters.

In Fig. 6(b), the proposed detection and defense algorithmefficiently stabilizes the traffic for nominal traffic arrival ratesλ = 200, 300 s. The average number of holds increases as the

traffic arrival rate increases. The current architecture cannotcope with higher traffic loadλ = 100 s, and experiences acontinuous increase in the number of holds in the airspace,most of which have been delayed in the central region. Whileholding patterns are generated in bursts, low to moderatetraffic loads allow the airspace to recover and resume smoothoperations. However, traffic accumulates if more holds aregenerated before this recovery is complete for high trafficloads. Furthermore, the effect of attack probability is signifi-cant for smaller interval of air traffic generationλ = 100 s dueto the higher traffic loads. The benefits of using a GPS/INSintegrated system are seen to be quite small for high trafficloads. Hence, the system with high traffic demand becomesunstable even by a relatively unsophisticated jamming attack.

At the normal air traffic loadλ = 200, 300 s, the proposedsystem yields essentially the same level of average numberof holds, because the conflict detection and resolution timeissimilar due to the similar position accuracy forλ = 200, 300 s.Overall, for short unavailability periods, the GPS/INS inte-grated system can be effective. As long as the position errordoes not grow significantly, the GPS jamming attack can bedetected and efficiency defended.

Fig. 7 shows the evolution of position error due to ajamming attack, for a single aircraft with attack probabilityp = 0.8 and traffic loadλ = 200 s over the duration of theflight. The aircraft starts at a location50 km North, 200 kmEast of the origin and moves towards50 km North, −200km East. In Fig. 7(a), the spikes are time instances wherepackets are received. Fig. 7(b) presents the fused result ofthenavigation loop onboard the aircraft. After the aircraft crossesthe boundary of the region under attack, errors build up untilthe aircraft leaves the vulnerable region. The gate functionrejects the incorrect GPS fixes until the end of the vulnerableregion where there is a slight adjustment since the uncertaintyin the IMU solution is, at this stage, greater than that of theGPS fix. It shows the effectiveness of the Kalman filter, whichkeeps the position error less than20 m. Even at this veryhigh attack probability, the estimator and controller are ableto guarantee safety.

B. Sophisticated GPS Attack

Even though INS can be effective for short unavailabilityperiods of GPS signals, a sophisticated adversary can remainundetected if the system only relies on GPS and INS. Theadversary could interfere with GPS messages and inject mali-cious navigation messages while avoiding detection [5].

Therefore, we now evaluate the Doppler/RSS system and itscontrol performance by measuring how its estimated positionerrors, detection delay, and number of holds vary for differentscenarios. Fig. 8 shows the error in the estimated trajectory,attack sequence, true trajectory, and estimated trajectory of asingle aircraft with the fraction of malicious aircraftp = 0.1and traffic loadλ = 200 s. The aircraft starts in a position50 km North, 200 km East and moves to a direction50 kmNorth,−200 km East. As the aircraft approaches the boundaryof the vulnerable region, GPS/INS errors will increase due tothe GPS spoofing attack. GPS fixes occur when the aircraft

13

0 0.02 0.04 0.06 0.08 0.10

2

4

6

8

10

12

14

16

18

20

22

λ=100s

λ=200s

λ=300s

Fractions of malicious aircraft

Ave

rage

posi

tion

err

or(m

)

(a)

0 0.02 0.04 0.06 0.08 0.120

40

60

80

100

120

140

160

λ=100s

λ=200s

λ=300s

Fractions of malicious aircraft

Ave

rage

dete

ctio

nde

lay

(s)

(b)

0 0.02 0.04 0.06 0.08 0.1−0.2

0

0.2

0.4

0.6

0.8

1

1.2

λ=100s

λ=200s

λ=300s

Fractions of malicious aircraft

Ave

rage

num

ber

ofho

lds

per

hour

(c)

Fig. 9: Average position error, average detection delay, and average number of holds per hour as a function of different fractions of maliciousaircraft p = 0, . . . , 0.1 for traffic loadsλ = 100, 200, 300 s.

departs from this region. Fig. 8(a) presents an enhanced viewof the attack sequence. The spikes are time instances wherecorrect GPS signals are received. Fig. 8(b) shows a two-dimensional projection of the true trajectory and estimatedtrajectory using the GPS/INS system and the Doppler/RSSsystem. The estimated position presents the fused result usingeither GPS/INS system or Doppler/RSS system. Since a simplefault detection of the GPS/INS system is not able to rejectthe sophisticated GPS attack, the fused data is drawn intothe vulnerable region. A significant position error is createdbecause of the spoofing attack over a short period of time.However, the fusion algorithm of the Doppler/RSS loop isrobust in its position estimates since it relies on the receivedsignal information from neighboring aircraft instead of GPSsignals.

In Fig. 8(b), the estimated position switches from GPS/INSsystem to Doppler/RSS system when the position verificationfails at time580 s. By comparing with the attack sequence,we see that the detection delay of GPS spoofing is70 s. Thedetection delay, which is the time required for the detectionof an adversary by a receiver, is an important metric forevaluating the performance of the detection algorithm. Whenthe trajectory difference between the GPS/INS system andDoppler/RSS system is small, the estimated position reliesonthe estimated position of GPS/INS system. Fig. 8(a) showsthe spikes in error corresponding to switches between different

systems.

Fig. 9 shows the average position error in the Doppler/RSSestimate, average detection delay, and average number of holdsper hour for traffic loadsλ = 100, 200, 300 s, as a functionof different fractions of malicious aircraftp = 0, . . . , 0.1.Fig. 9(a) shows the average error in the position estimatesfrom the Doppler/RSS system when the aircraft density varies.By comparing position errors for traffic loadsλ = 200, 300 s,increasing the density of aircraft improves the position accu-racy using the Doppler/RSS system since aircraft will receivemore location messages from neighboring aircraft. Note thatincreasing the density of aircraft makes localization easier,but it also increases the number of malicious aircraft in oursetup. The number of correct aircraft available for estimatingthe position decreases as the fraction of malicious aircraftincreases. Hence, the average position error of Doppler/RSSsystem increases as the fraction of malicious aircraft increases.When the filter detects a malicious aircraft, it rejects theinformation from this aircraft when it estimates its position.

Fig. 9(b) shows how the detection delay of malicious aircraftcorrelates with network density. Each aircraft verifies itsownposition using the hypothesis test based on received neighborinformation. Since the accuracy of the Doppler/RSS systemimproves as aircraft density increases, the detection delay issignificantly improved.In Fig. 9(c), even though the trafficarrival rate increases, the average number holds does not

14

200 400 600 800 1000 1200 1400 1600

0

0.2

0.4

0.6

0.8

1

200 400 600 800 1000 1200 1400 1600

0

2

4

6

8

10

Attack sequence

Position error

Time (s)

Pos

ition

err

or(m

)

Atta

ckse

que

nce

(a)

−2 −1.5 −1 −0.5 0 0.5 1 1.5 2

x 105

−5.755

−5.754

−5.753

−5.752

−5.751

−5.75

−5.749

−5.748

−5.747

−5.746

−5.745

x 104

True trajectory

Estimated trajectory

GPS/INS

Doppler/RSS

Kilometer East

Kilo

me

ter

Nor

th

GPS/INS Doppler/RSS GPS/INS

(b)

Fig. 8: Error of estimated position, attack sequence, true trajectory,estimated trajectory, GPS/INS trajectory, and Doppler/RSS trajectoryof a single aircraft for the fraction of malicious aircraftp = 0.1 andtraffic loadλ = 200 s.

significantly increase.For the two cases withλ = 200, 300 s,the average number holds are approximately equal, becausethe conflict detection and resolution time is similar due tothe similar position error and detection delay. The proposedDoppler/RSS system and control algorithm improve the detec-tion and resolution time of conflicts for the safety constraints,and also provide a high level of efficiency in the system.

C. Operation under a Challenging Scenario

The Doppler/RSS system can be effective for detectingand defending against a possibly sophisticated GPS adversary,when the fraction of malicious aircraft is small. As long as thenumber of malicious aircraft due to sophisticated GPS attacksdoes not grow significantly, a sophisticated GPS attack canbe detected. However, for a sufficiently high number of so-phisticated GPS adversaries, the attack can remain undetected.We study even extreme conditions, because the system has toremain operational under these conditions. Malicious aircraftare implemented as follows. Whenever a malicious aircraftis about to send an ADS-B message to announce its presentposition, it selects a fake position on the field and appliesit to the ADS-B message (instead of its real position). Weassume that the GPS/INS system is not able to detect thismalicious aircraft. Whenever an aircraft gets a data packet, itestimates the distance by using the Doppler/RSS system. We

0 0.02 0.04 0.06 0.08 0.1

0

500

1000

1500

2000

2500

λ=100s

λ=200s

λ=300s

Fractions of malicious aircraft

Ave

rage

num

ber

ofho

lds

per

hour

Fig. 10: Average number of holds per hour as a function of differentfractions of malicious aircraftp = 0, . . . , 0.1 for traffic loadsλ =

100, 200, 300 s.

consider a challenging scenario where the number of correctaircraft is less than three due to its poor GDOP indicator.Hence, it is not feasible to estimate the position using theDoppler/RSS system.Note that it is not trivial to directlymodify the ADS-B system since most commercial aircraft arecurrently equipped with a hardware security module, whosepurpose is to store and protect sensitive information.Thecontrol algorithm becomes conservative since it only relieson the distance estimation using the Doppler/RSS system.

Fig. 10 shows the average number of holds per hour asa function of different fractions of malicious aircraftp =0, . . . , 0.1 for various traffic loadsλ = 100, 200, 300 s. Thenumber of holds significantly increases as the fraction ofmalicious aircraft increases. The system with high traffic loadsbecomes unstable even with a small fraction of maliciousaircraft. Hence, if the ADS-B system is malicious or faulty,then the system easily becomes unstable even if the GPS/INSsystem is active.

XII. C ONCLUSIONS ANDFUTURE WORK

This paper proposes a framework for a secure and fault-tolerant system in the presence of adversaries across anair traffic surveillance network. Our detection and defensemechanism is a distributed and localized approach in whicheach aircraft can detect the reception of malicious signals, andthen reject unreliable location reports generated by the attack.A Kalman filter is used to fuse high frequency inertial sensorinformation with low frequency GPS data. We also proposea technique for the position verification and localization ofan aircraft that utilizes, the Doppler effect and RSS of thereceived ADS-B messages from neighboring aircraft. Thisestimated neighboring information is then used to verify theaircraft’s own position by means of Kalman filtering. Byaccounting for the uncertainty of surveillance information, wedesign a control algorithm to minimize the flight time whilemeeting the safety constraints in adversarial environments.We evaluate the effect of security breaches on the air trafficmanagement through simulation. Simulation results show thatthe proposed algorithms are capable of robustly detectingfaults caused by malicious aircraft. Moreover, the filter usingthe Doppler effect and the RSS is shown to be able to detect

15

sophisticated GPS attacks. The proposed control algorithmcontinuously adapts system operations to avoid and toleratemalicious faults.

The simple model considered in this paper, while provid-ing valuable insights, could be extended, for example, byconsidering control inputs. The tradeoff between computationcomplexity and efficiency of misbehavior detection systemsis important for practical implementation. Another relateddirection is the formal analysis of the proposed architecturesby considering realistic NextGen scenarios.

REFERENCES

[1] NextGen Implementation Plan, FAA, 2011, http://www.faa.gov/nextgen/media/NextGenImplementationPlan 2011.pdf.

[2] K. Sampigethaya, R. Poovendran, S. Shetty, T. Davis, andC. Royalty,“Future e-enabled aircraft communications and security: The next 20years and beyond,”Proceedings of the IEEE, vol. 99, no. 11, pp. 2040–2055, 2011.

[3] Minimum Aviation System Performance Standard for Automatic Depen-dent Surveillance Broadcast (ADS-B), RTCA, 2002, DO-242A.

[4] J. Weiss,Protecting Industrial Control Systems From Electronic Threats.Momentum Press, 2010.

[5] J. V. Carroll, “Vulnerability assessment of the transportation infrastruc-ture relying on the global positioning system,” Volpe Center for theOffice of the Secretary of Transportation, Tech. Rep., 2001.

[6] B. H. Wellenhoff, H. Lichtenegger, and J. Collins,Global PositioningSystem: Theory and Practice. Springer Verlag, 1997.

[7] Q. Ling and T. Li, “Message-driven frequency hopping: Design andanalysis,”IEEE Transactions on Wireless Communications, vol. 8, no. 4,pp. 1773–1782, 2009.

[8] N. Patwari, J. Ash, S. Kyperountas, A. Hero, R. Moses, andN. Correal,“Locating the nodes: cooperative localization in wirelesssensor net-works,” IEEE Signal Processing Magazine, vol. 22, no. 4, pp. 54–69,2005.

[9] Y. Shang, W. Ruml, Y. Zhang, and M. P. J. Fromherz, “Localizationfrom mere connectivity,” inACM MobiHoc, 2003.

[10] S. Capkun, M. Hamdi, and J.-P. Hubaux, “GPS-free positioning inmobile ad hoc networks,”Cluster Computing, vol. 5, pp. 157–167, 2002.

[11] E. Xu, Z. Ding, and S. Dasgupta, “Source localization inwireless sensornetworks from signal time-of-arrival measurements,”IEEE Transactionson Signal Processing, vol. 59, no. 6, pp. 2887–2897, 2011.

[12] A. Savvides, C.-C. Han, and M. B. Strivastava, “Dynamicfine-grainedlocalization in ad-hoc networks of sensors,” inACM MobiCom, 2001.

[13] D. Niculescu and B. Nath, “Ad hoc positioning system (APS) usingAOA,” in IEEE INFOCOM, 2003.

[14] P. Bahl and V. Padmanabhan, “RADAR: an in-building RF-based userlocation and tracking system,” inIEEE INFOCOM, 2000.

[15] R. Kozick and B. Sadler, “Sensor localization using acoustic dopplershift with a mobile access point,” inIEE/SP SSP, 2005.

[16] B. Kusy, A. Ledeczi, and X. Koutsoukos, “Tracking mobile nodes usingrf doppler shifts,” inACM SenSys, 2007.

[17] A. Goldsmith,Wireless Communications. Cambridge University Press,2005.

[18] L. Hu and D. Evans, “Localization for mobile sensor networks,” in ACMMobiCom, 2004.

[19] L. Lazos and R. Poovendran, “SeRLoc: secure range-independent local-ization for wireless sensor networks,” inACM WiSe, 2004.

[20] S. Brands and D. Chaum, “Distance-bounding protocols,” in EURO-CRYPT. Springer-Verlag, 1993.

[21] Y.-C. Hu, A. Perrig, and D. Johnson, “Packet leashes: a defense againstwormhole attacks in wireless networks,” inIEEE INFOCOM, 2003.

[22] N. Sastry, U. Shankar, and D. Wagner, “Secure verification of locationclaims,” in ACM WiSe, 2003.

[23] W. Xu, W. Trappe, Y. Zhang, and T. Wood, “The feasibilityof launchingand detecting jamming attacks in wireless networks,” inACM MobiHoc,2005.

[24] M. Li, I. Koutsopoulos, and R. Poovendran, “Optimal jamming attackstrategies and network defense policies in wireless sensornetworks,”IEEE Transactions on Mobile Computing, vol. 9, no. 8, pp. 1119–1133,2010.

[25] G. Noubir and G. Lin, “Low-power DoS attacks in data wirelessLANs and countermeasures,”ACM SIGMOBILE Mobile Computing andCommunications Review, vol. 7, no. 3, pp. 29–30, 2003.

[26] P. Papadimitratos, A. La Fortelle, K. Evenssen, R. Brignolo, andS. Cosenza, “Vehicular communication systems: Enabling technologies,applications, and future outlook on intelligent transportation,” IEEECommunications Magazine, vol. 47, no. 11, pp. 84–95, 2009.

[27] J. R. Douceur, “The sybil attack,” inIPTPS, 2002.[28] J. Newsome, E. Shi, D. Song, and A. Perrig, “The sybil attack in sensor

networks: analysis defenses,” inACM/IEEE IPSN, 2004.[29] S. Capkun and J.-P. Hubaux, “Secure positioning of wireless devices

with application to sensor networks,” inIEEE INFOCOM, 2005.[30] A. Bicchi and L. Pallottino, “On optimal cooperative conflict resolution

for air traffic management systems,”IEEE Transactions on IntelligentTransportation Systems, vol. 1, no. 4, pp. 221–232, 2000.

[31] I. Mitchell, A. Bayen, and C. Tomlin, “A time-dependentHamilton-Jacobi formulation of reachable sets for continuous dynamic games,”IEEE Transactions on Automatic Control, vol. 50, no. 7, pp. 947–957,2005.

[32] A. Bayen, R. Raffard, and C. Tomlin, “Adjoint-based control of anew Eulerian network model of air traffic flow,”IEEE Transactions onControl Systems Technology, vol. 14, no. 5, pp. 804–818, 2006.

[33] C. E. van Daalen and T. Jones, “Fast conflict detection using probabilityflow,” Automatica, vol. 45, no. 8, pp. 1903–1909, 2009.

[34] A. Alonso-Ayuso, L. F. Escudero, and F. J. Martin-Campo, “A mixed 0-1nonlinear optimization model and algorithmic approach forthe collisionavoidance in ATM: velocity changes through a time horizon,”Computers& Operations Research, vol. 39, no. 12, pp. 3136–3146, 2012.

[35] Y. Bar-Shalom, X. R. Li, and T. Kirubajan,Estimation with Applicationsto Tracking and Navigation. Wiley-Interscience, 2001.

[36] H. Liu, S. Nassar, and N. El-Sheimy, “Two-filter smoothing for accurateINS/GPS land-vehicle navigation in urban centers,”IEEE Transactionson Vehicular Technology, vol. 59, no. 9, pp. 4256–4267, 2010.

[37] A. Vu, A. Ramanandan, A. Chen, J. Farrell, and M. Barth, “Real-timecomputer vision/DGPS-aided inertial navigation system for lane-levelvehicle navigation,”IEEE Transactions on Intelligent TransportationSystems, vol. 13, no. 2, pp. 899–913, 2012.

[38] Z. Li and R. Narayanan, “Doppler visibility of coherentultrawidebandrandom noise radar systems,”IEEE Transactions on Aerospace andElectronic Systems, vol. 42, no. 3, pp. 904 –916, 2006.

[39] P. Park and C. Tomlin, “Investigating communication infrastructure ofnext generation air traffic management,” inACM/IEEE ICCPS, 2012.

[40] M. Zhang and J. Zhang, “A fast satellite selection algorithm: Beyondfour satellites,”IEEE Journal of Selected Topics in Signal Processing,vol. 3, no. 5, pp. 740–747, 2009.

[41] D. E. Knuth,Seminumerical Algorithms, The Art of Computer Program-ming. Addison-Wesley, 1981, vol. 2.

[42] E. L. Lehmann and J. P. Romano.,Testing statistical hypotheses.Springer Texts in Statistics Springer, 2005.

[43] I. Hwang, S. Kim, Y. Kim, and C. Seah, “A survey of fault detection,isolation, and reconfiguration methods,”IEEE Transactions on ControlSystems Technology, vol. 18, no. 3, pp. 636–653, 2010.

[44] M. Lupu, E. Feron, and Z.-H. Mao, “Traffic complexity of intersectingflows of aircraft under variations of pilot preferences in maneuverchoice,” in IEEE CDC, 2010.

[45] J. Krozel and M. Peters, “Strategic conflict detection and resolution forfree flight,” in IEEE CDC, 1997.