The application generally relates to a method for validating aircraft traffic control data, and more specifically to a method for verification and validation of ADS-B data on aircraft.
Current air traffic management systems suffer from poor radar coverage and a highly centralized architecture. Under heavy traffic loads the deficiencies may overwhelm Air Traffic Control (ATC) centers. Such limitations can lead to inefficient use of the available airspace capacity and insecure scenarios such as low-visibility landings. Air transportation systems with e-enabled aircraft and networked technologies, such as Automatic Dependent Surveillance Broadcast (ADS-B), are computer-based communications systems developed to assist in reducing traffic congestion and air traffic control inefficiencies by enabling exchange of precise surveillance data in shared airspace. E-enabled aircraft means an aircraft with advanced computing, sensing, control, and communications, which is capable of communicating in a global information network, e.g., as a network node. Cyber security is a concern with highly accurate surveillance of aircraft navigating in a shared space. A framework is necessary to protect traffic data for both ground and airborne surveillance of aircraft. The framework must identify major threats and vulnerabilities from cyber exploits, specify security requirements and mitigation solutions.
Automatic Dependent Surveillance Broadcast (ADS-B) is a position indication message or signal that allows an e-enabled aircraft to periodically broadcast, e.g., once or twice every second, traffic beacons containing its current state vector, i.e., position, altitude, velocity, time, etc. and intent, which combined describe the aircraft's motion in airspace. The aircraft uses the ADS-B OUT mode to broadcast traffic beacons. Ground controllers and aircraft one communication hop away use the ADS-B IN mode for performing ground surveillance and airborne surveillance, respectively. In ground surveillance the ground air traffic controllers utilize these aircraft traffic beacons to monitor aircraft in airspace. In airborne surveillance the traffic beacons can be used by neighboring aircraft in the shared airspace. The overall enhancements in situational awareness and information sharing can help to optimize time and costs of air travel. ADS-B can be implemented over several different data link technologies, including Mode-S Extended Squitter (1090 ES), Universal Access Transceiver (978 MHz UAT), and VHF data link (VDL Mode 4).
Critical air traffic control tasks depend on the integrity of ADS-B data received over a shared data link. Intruders may attempt to intentionally create errors in ground and airborne surveillance, for example, by corrupting or spoofing ADS-B data, thereby incurring unwarranted flight delays, unnecessary safety concerns and operational costs in the air traffic control system. For instance, creating false conflicts by broadcast of false data from a general aviation aircraft equipped with a Universal Access Transceiver or an unattended ground ADS-B station. Ground and airborne surveillance may be vulnerable to such errors associated with ADS-B data.
Multilateration-based solutions can mitigate major vulnerabilities in ground surveillance by using at least four ground stations to receive the ADS-B messages. However, multilateration-based solutions are not effective for mitigating vulnerability in airborne surveillance, because of the infeasibility of using time-of-arrival based multilateration in a single mobile aircraft for verifying positions of ADS-B message sources as well as potential for easy spoofing over the ADS-B data link.
Until now, existing methods for verifying integrity of ADS-B positions are available for ground surveillance system. For airborne surveillance an aircraft can independently verify integrity of ADS-B data in the presence of errors and missing data points using existing methods, but it is not currently possible to verify the integrity of ADS-B data in the presence of malicious intruders. There is currently no solution to enable a trustworthy, high confidence verification and validation of ADS-B position information in airborne surveillance in the presence of malicious attackers.
For ground surveillance systems, multilateration is a well-established method for verifying aircraft position data. Multilateration-based methods have been proposed to verify position information received at the ground controllers via ADS-B. Two multilaterations may be combined at a ground controller, one multilateration from use of time-of-arrival of the aircraft traffic beacons and another multilateration from that enabled by ADS-B. This method works in well-covered regions, such as terminal areas, where at least four ground controllers are available to verify an aircraft's three dimensional (3-D) position in space. Another means for verifying ADS-B data terminal areas is the use of secondary surveillance radar. For remote regions with lesser ground-based coverage, an alternate existing method for position verification of aircraft is the use of ADS-B enabled multilateration in combination with Kalman filter estimation of the flight trajectory. Kalman filter estimation is based on the bearing information of the source aircraft making the position claim. This approach however requires a dedicated omni-directional antenna onboard the aircraft for deriving the heading information of the source, and a dedicated omni-directional onboard antenna may not be provided on all aircraft.
Multilateration in some situations may have weaknesses, since it is possible to simulate virtual transmitters at a given position by varying the timing of multiple transmitters or offset the position calculation by disrupting clock synchronization of the ground receivers. In such cases, additional position verification mechanisms, such as primary surveillance radar, and cryptographic mechanisms, e.g., symmetric-key based solutions which require the aircraft and the ground controller to share a secret code or password in advance can help to protect the integrity of ADS-B data received at the ground controllers.
However, both symmetric and asymmetric cryptography are not viable for protecting ADS-B data received by aircraft in airborne surveillance. Major challenges include the impracticality of sharing a secret code between two aircraft and managing onboard digital certificates in a future air traffic system that is highly dense and interactive with aircraft spanning global routes. While ground controllers may authenticate signed ADS-B broadcasts from an aircraft using a common shared key or digital certificate of that aircraft, this authentication capability does not currently extend to aircraft themselves because of trust, scalability, real-time and regulatory constraints. Therefore, use of multilateration, ground radar, and cryptography solutions apply only to verification of positions in ADS-B data in ground surveillance, where ground controllers use received ADS-B messages to monitor the airspace. None of the solutions described above enables an aircraft to verify position information in ADS-B data received from other aircraft in airborne surveillance, because an aircraft cannot independently estimate 3-D position of another aircraft using received signal measurements. Further, global mobility and high density of airspace impede aircraft from exchanging secret codes to enable secure communications.
One proposed method in which an aircraft may independently verify integrity of received ADS-B data despite missing or erroneous data points, without an additional source of surveillance information such as heading or bearing of the position claimer, uses a Kalman filter to estimate a target aircraft's state as well as analyze the aircraft intent from successfully received ADS-B messages of the target. This method verifies that the target aircraft conforms to the intent included in its ADS-B messages. Such methods fail to provide trustworthy verification and validation in the presence of malicious attackers that may be capable of spoofing, corrupting or blocking any number of ADS-B messages received, to bias the computed state estimate and intent analysis of one or more target aircraft.
Multilateration-based methods for verifying ADS-B data have to date not been applied to airborne surveillance because of the infeasibility of using multilateration in a single mobile aircraft for verifying positions of ADS-B message sources. Furthermore, the existing Kalman filter based position estimation method is not robust against malicious attackers who can spoof, corrupt or block ADS-B data sufficient number of times to intentionally bias the estimation results.
Intended advantages of the disclosed systems and/or methods satisfy one or more of these needs or provide other advantageous features. Other features and advantages will be made apparent from the present specification. The teachings disclosed extend to those embodiments that fall within the scope of the claims, regardless of whether they accomplish one or more of the aforementioned needs.