Professional Documents
Culture Documents
net/publication/321736587
CITATIONS READS
14 977
3 authors, including:
All content following this page was uploaded by Sungchul Lee on 27 November 2018.
Figure 1.
ADS-B operation.
Figure 2.
Current ADS-B message format.
Even without attacks, ADS-B lacks a secondary mechanism that can protect the communication and prevent the attacks in a broad-
can confirm the location in case of a transmitter malfunction. There cast network. It includes noncryptographic schemes on the physi-
have been a number of device malfunctions reported in ACAS and/ cal layer and cryptographic methods. Secure location verification
or other avionics systems that have led to dangerous situations [11], authenticates the claimed location using the data from the senders
[12]. Such unverified ADS-B data can cause a significant hazard in and other ADS-B participants.
air transportation or inefficiency in ATC. Now, with the prolifera-
tion of the unmanned aircraft system (UAS) and their integration
to the National Airspace System, the role of ADS-B is becoming SECURE BROADCAST AUTHENTICATION WITH
increasingly important as a growing number of UAS will employ
ADS-B [13], [14]. The ADS-B devices in UAS pose a special chal-
CRYPTOGRAPHY
lenge as they may use lower quality electronics, suffer from less Cryptography is one of the common methods to secure commu-
rigorous maintenance, and malfunctions can be overlooked. This nications in wireless networks, which requires distribution of en-
could cause wrong ADS-B data to be transmitted inadvertently. cryption keys to the participants of ADS-B systems. One of the
Without a mechanism to correct these problems, the unverified proposed methods is the use of public key cryptography with a
ADS-B data could cause a significant hazard to air transportation. It challenge/response format [16]. Retroactive key publication is a
is important to correct these shortcomings as the number of ADS-B variation of public key cryptography, which sends a partial public
units will grow continuously due to Federal Aviation Administra- key with every message [17]. The receivers can buffer all the mes-
tion (FAA) installation requirements for ADS-B. sages and decrypt them using the collected public key. A recent
study suggests the use of Staged Identity-Based Encryption, which
uses receiving parties' identities as public keys for encryption [15].
CHALLENGES FOR DEVELOPING ADS-B SECURITY However, cryptographic methods generally require a large space
METHODS within the ADS-B message frame to store the encrypted data or
hash values, making them rather impractical.
First, the ADS-B frequency space is already crowded with not only
ADS-B but also with Mode-S radars and transponders. Due to the
limited bandwidth capacity, increasing the ADS-B packet size with SECURE BROADCAST AUTHENTICATION WITH
any kind of security data is very difficult. Second, a protocol stan-
dard change in ADS-B will require retrofitting the existing devices,
NONCRYPTOGRAPHY
including onboard ADS-B devices, ACAS with embedded ADS-B, Noncryptographic schemes are used to identify suspicious activi-
ADS-B ground stations, and the radar systems. This will require sig- ties. Fingerprinting identifies what they are based on the unique
nificant investment of money and time, making it impractical. Third, characteristics of devices such as the operating system, drivers,
the solutions that do not require a protocol standard change tend to clocks, and radio circuit [18]. There are three possible techniques
be bulky and expensive, making it less suitable for on-board use. that may be employed in ADS-B, namely software-based finger-
printing, hardware-based fingerprinting, and channel/location-
based fingerprinting [19]. Software-based fingerprinting uses
SOLUTIONS FOR ADS-B SECURITY distinctly different patterns or behavior of software operating on
A number of security methods on ADS-B have been studied, equipment. Hardware-based fingerprinting is to identify devices
but it has been challenging to apply them to a practical use due based on unique hardware differences such as differences in turn-
to various shortcomings. In achieving ADS-B security, there are on/off transient, modulation of a radio signal, and clock skew.
two groups of approaches, i.e., secure broadcast authentication and Channel/location-based fingerprinting is based on received signal
secure location verification [15]. Secure broadcast authentication strength, channel impulse response, or the carrier phase. However,
these methods require sophisticated devices and higher manufac- acteristics. While they offer ADS-B data filtering capability to
turing cost, and have a nonzero false positive ratio due to their some degree, it is not complete for a number of reasons.
statistical approach.
1. Radar system data: The location accuracy of radar is much
coarser (5 to 300 meters) than ADS-B (up to 5.1 meters) and it
SECURE LOCATION VERIFICATION is infrequently updated (6 to 12 seconds) due to its mechani-
cal rotation. This introduces a significant delay and inaccuracy.
These techniques include multilateration, group verification, dis-
Therefore, not all ADS-B data can be verified effectively us-
tance bounding, Kalman filtering, data fusion, traffic modeling,
ing radar surveillance data. Furthermore, it is envisioned that
using received signal strength or angle of arrival of signal. Mul-
the ADS-B system can eliminate the use of radar in the future.
tilateration technique can geometrically calculate an unknown
Continued use of radar systems can diminish the benefit of
location from a precise distance between four or more known lo-
ADS-B.
cations [20]. The time difference of arrival can be obtained from
several antennas in different locations that receive the same signal 2. There are about 650 ADS-B ground stations in the U.S., and
at different times. Another way of utilizing multilateration is group they are equipped with TDOA measurement features [24].
verification. It verifies the location claimed by a nongroup aircraft They are very accurate down to a few nanoseconds (roughly
using multilateration by a group of aircraft [7]. Distance bounding equivalent to a few feet in distance), so in theory, the multilat-
finds the upper bound of locations by sending a challenge to the eration should be able to filter out all invalid packets. However,
receiver and getting a response [7]. The upper bound is calculated as explained before, ADS-B requires an even and odd packet
based on the speed of radio wave. The actual location can be cal- pair to decode the CPR data. During this time, the aircraft
culated using the differences in distance among the measurements could have moved significantly. In a crowded airspace with
from the various ground stations. Other methods use received sig- a lot of ADS-B transmission, packet losses due to collisions
nal strengths and calculate the source location or use directional among ADS-B packets are quite common. If one of the pair
antenna to triangulate [7]. However, most of these methods require is lost, the receiver must get another from the next 10 packets.
real-time communication and additional bandwidth. The commu- This process can introduce a lot of error, possibly hundreds of
nication link itself can be attacked, and more importantly, they can- meters of error. If there are bogus ADS-B messages within the
not function as a standalone unit. Increased manufacturing cost and error range, it is difficult to verify their accuracy.
lack of backward compatibility make them less practical. Another
3. UAT signals offer some verification capability with timing of
method based on Doppler frequency shift compares the predicted
the signal, but it still has some limitations: 1) it only allows for
Doppler shift amount with the actually observed one, and identi-
a roughly 1 Hz range update rate; 2) it only allows transmission
fies spoofed ADS-B frames from the discrepancy [21], [22]. This
timing variations of up to 500 nanoseconds (ns) off Coordinat-
method can work alone without a third party assistance, but will
ed Universal Time; and 3) it may have significant multipath er-
require a hardware modification.
rors [25]. Besides, it can cover only the systems using UAT, but
Kalman filtering is already used to filter and smoothen GPS
not the more common ones based on Mode S ES 1090 MHz.
position data in messages in ADS-B [23]. It is an important tool
for filtering out noisy signals and smoothing over missing data for Finally, the verified signal may be safely used by the ATC, but
multilateration approach. Data fusion verifies the data obtained not by the aircraft in the air. To make the filtered ADS-B data avail-
within the system by comparing it with the data coming from other able to them, it should be rebroadcast over Automatic Dependent
independent sources, e.g., the fusion of ADS-B and radar. Traffic Surveillance-Rebroadcast (ADS-R) or Traffic Information Sys-
modeling can be created from historical data and machine learn- tem-Broadcast (TIS-B), which consumes significant bandwidth
ing methods to detect deviations from normal ADS-B behavior and also causes a delay. As these protocols do not have any security
[7]. The technique can also be applied to establish red flags for measure either, they could also be attacked, which leaves the vic-
intrusion detection system so that the technically and physically tim aircraft to sustain an attack continuously. So, a reliable onboard
impossible data are reasonably dropped to reduce the strain on the ADS-B security system is still needed.
ADS-B system and prevent spoofing or DoS attacks. While these
algorithms offer cost-effective screening method, they cannot be
used by themselves to verify ADS-B signal completely.
NEW CHALLENGES FOR UTM
The proliferation of UAS introduces a new problem for ADS-B
signal verification. Although Beyond Visual Line of Sight (BV-
CURRENT PRACTICE AND LIMITATIONS LOS) flights are not approved yet, it will bring a lot of benefit to
UAS community once approved. In the UAS Traffic Management
FAA APPROACHES FOR ADS-B SECURITY (UTM) for BVLOS operation, ADS-B will be essential for track-
FAA currently uses the ground infrastructure to evaluate the in- ing purposes.
tegrity of the received ADS-B messages using three methods: 1) However, the current methods are not effective in UTM environ-
Comparison with the radar tracking data, 2) Multilateration with ment. Small UASs generally fly at lower altitudes than large manned
Time Difference Of Arrival (TDOA) at multiple ground stations, aircraft and their transmission power is very limited (e.g., less than
and 3) Ranging to a ground station based on the UAT signal char- 1 watt), so it is difficult for ground stations to receive their ADS-B
messages. (There are only 650 ADS-B ground stations in the U.S.
and the distance from the UAS to the ground stations may be dozens
of miles.) Conventional radar systems cannot track them effectively
either. UASs also fly shorter distances and more densely populated
in the airspace than their manned counterparts, potentially as close
as hundreds of feet. Therefore, a more fine-grain control and more
frequent location update are necessary for their traffic control. How-
ever, ADS-B ground stations are intended only for high-flying com-
mercial aircraft and are too sparsely located for UAS. Their purpose
is to separate aircraft by 5 to 10 nautical miles, not hundreds of feet
as required in UTM. Thus, it is difficult to use multiple ground sta- Figure 3.
tions for UASs with low-power ADS-B transmitters. Furthermore, ADS-B frame transmission.
the rebroadcast scheme also introduces a further delay, which is not
desirable for UASs flying in close proximity. frames, it will be ignored. Second, the locations in those frames
To cope with the special requirements in UTM, we need an must follow a reasonable path. If the locations are random, the
onboard ADS-B verification method that can immediately filter frames can be easily rejected.
out attack messages without being dependent on expensive and/or In a legitimate ADS-B transmission, an ADS-B device receives
bulky hardware. For BVLOS operation of UAS, we cannot allow the GPS signal, calculates the current location, encodes the ADS-B
a high false positive or false negative ratio due to a high collision data, creates the message frame, and transmits it over the air. Let
risk, which requires a very reliable method. Tsender be the time for this internal processing, i.e., from the time of
GPS signal reception to the time of departure for the ADS-B mes-
sage. The time to reach the destination is denoted by Tpropagation (see
OUR PROPOSED METHOD: ADS-BT Figure 3). In other words, the total transmission delay (Ttransmission)
is defined as,
THE BASIC CONCEPT
A radio wave travels at a constant speed, i.e., at the speed of light. Ttransmission = Tsender + Tpropagation
Therefore, for a given distance, the time-of-flight can be precisely
determined. Since all ADS-B frames contain the sender's GPS Figure 4 shows a situation with two legitimate aircraft. Let Ls1
coordinates, we can calculate the corresponding time-of-flight be the sender's current location, and Lr1 be the receiver's location.
between the sender and receiver. In a naïve approach, we can com- The propagation delay in seconds for the distance (Ls1, Lr1) in me-
pare the following two and check if there is any discrepancy. ters is determined as,
1. Observed time-of-flight: Time at sender (ts) → Time at receiver Tpropagation ( Ls1 , Lr1 ) = dist ( Ls1 , Lr1 ) / 299,792, 458
(tr)
2. Calculated time-of-flight from GPS coordinates: Location at Let ts1 be the GPS data reception time at location Ls1, and tr1 be
sender (ls) → Location at receiver (lr) the ADS-B reception time at Lr1. Then,
If they don't match, the ADS-B frame may have been spoofed. tr1 – ts1 = Tsender ( Ls1 ) + Tpropagation ( Ls1 , Lr1 )
However, because of the internal processing time and various er-
rors, the time-of-flight values may not match. As each ADS-B de-
Therefore, the unknown value, Tsender (Ls1), can be calculated
vice has different operating characteristics, the internal processing
trivially. For subsequent pairs of locations, (Ls2, Lr2), (Ls3, Lr3), etc.,
time is different for each device. So, the time-of-flight comparison
we observe a similar relationship as,
alone cannot be used for identifying a spoofed ADS-B message
and we will need a more elaborate approach. Our method is based tr 2 – ts 2 = Tsender ( Ls 2 ) + Tpropagation ( Ls 2 , Lr 2 )
on the premise that an attacker can spoof the GPS coordinates in
the ADS-B messages but not the time-of-flight correctly in mul-
tiple frames. Out of the four input data above, the time at sender tr 3 – ts 3 = Tsender ( Ls 3 ) + Tpropagation ( Ls 3 , Lr 3 )
(ts) is currently not available in ADS-B, so Automatic Dependent
Surveillance-Broadcast with Timestamp (ADS-BT) introduces a
For all ADS-B frames from a specific ADS-B Out device (i.e.,
new timestamp field to record the time of transmission.
having the same aircraft ID), the Tsender value should be relatively
stable, so we get,
Figure 4. Figure 5.
Time-of-flight for ADS-B signal. Spoofed flight path.
ate under attack? Figure 5 shows a situation with one legitimate of-flight based on the locations (Ls1, Lr1). As both are impossible
aircraft and one spoofed aircraft. physically, we can immediately reject them.
In Figure 5, an attacker creates a fake path and broadcasts its
fake locations, s1, s2, s3, etc. A legitimate aircraft is receiving the Case 2) tr1 – ts1 > Tsender (Ls1 ) + Tpropagation (Ls1 , Lr1 )
fake messages at locations, r1, r2, r3, etc. Let a1 be the attacker's
Let us define the rates of change for the distances in two ADS-B
true but unknown location, and we assume that the attacker inserts
frames, one for true distances (CRs) and the other for fake distances
the timestamp values observed at his true location. When a legiti-
(CRa). Except for some special cases, they are different.
mate aircraft receives these bogus messages, it tries to confirm the
propagation delays as usual. T ( L , L ) T ( L , L )
CRs = propagation s 2 r 2 ≠ propagation a 2 r 2 = CRa
Tpropagation ( Ls1 , Lr1 ) Tpropagation ( La1 , Lr1 )
tr1 – ts1 = Tsender ( Ls1 ) + Tpropagation ( Ls1 , Lr1 )
tr1 – ts1 = Tsender ( La1 ) + Tpropagation ( La1 , Lr1 ) However, the receiving airplane believes that the message is
coming from Ls2, and observes the following discrepancy in the
second frame.
tr 2 – ts 2 = Tsender ( La1 ) + Tpropagation ( La1 , Lr 2 ) tr 2 – ts 2 = Tsender ( Ls 2 ) + Tpropagation ( Ls 2 , Lr 2 )
= Tsender ( Ls1 ) + Tpropagation ( Ls1 , Lr1 ) × CRs
Since the locations Ls1 and La1 are different, we get
≠ Tsender ( Ls1 ) + Tpropagation ( Ls1 , Lr1 ) × CRa
Figure 6.
Simulation screenshot.
location. However, spoofing works only for one victim airplane, as subsequent frames changed at the rate of about 60 meters (= 200
it is physically impossible to fake the values for any other airplanes. ns) per 0.5-second tick. This is a very large value and we can claim
The attacker may also try to send out multiple bogus messages with it a spoof.
different timestamp values in a hope that some of them match, but An attacker will probably create thousands of ghost airplanes
such a massive transmission can be detected and rejected easily due in order to make the ADS-B system useless. We simulated 100
to the discrepancy among the frames. No matter how many ghost ghost airplanes by the attacker. Additionally, to test the false posi-
airplanes are injected, all of them can be identified simultaneously. tive ratio, we included 100 legitimate airplanes. In each scenario,
we ran the simulation 10 times and Figure 8 shows the results.
Since our method monitors the changes in Tsender values, it requires
EVALUATION multiple frames. We monitor three or more frames to see if the
To test the feasibility of the concept, we have developed a simula- change amount goes over a threshold value. Within 5 ticks (= 2.5
tion program and tested a variety of cases. seconds), 99% of the fake airplanes are detected and eventually
Figure 6 shows a screenshot that shows the airplane locations all are detected within 25 seconds in case of a static attacker in
and configuration parameters. In this simulation, all airplanes Figure 8a. In the case of a mobile attacker in Figure 8b, all fake
transmit their location in every 0.5 seconds, and we ignore the airplanes were detected within 20 seconds. In all cases, none of the
frame collisions. All airplanes are moving in random directions at legitimate airplanes were affected, i.e., false positive ratio was 0%.
constant speed. We introduced a small amount of random error in
their broadcast locations. An attacker creates ghost airplanes either
from a fixed location or while moving. Figure 7 shows the trend of
DISCUSSIONS
Tsender values over multiple ADS-B frames. In the case of a legiti-
mate airplane's ADS-B, it fluctuates within a small range (several
NEED FOR CLOCK HARDWARE SUPPORT
meters in distance) due to the random errors. But in the case of ADS-B doesn't need to maintain a synchronous clock among the
ghost airplanes, it either converges or diverges. If the difference ADS-B devices. But to measure the time of arrival for the received
of the values between two frames is beyond a certain threshold packets, it should maintain a local oscillator of above 100 MHz at
value, it can be considered a spoof. In this case, the Tsender values in 10 to 20 ppb accuracy (10 to 20 ns error per second). Fortunately
ADVANTAGES OF ADS-BT
ADS-BT does not rely on cryptographic
processing, so the additional data is very
small and no cryptographic operation is
needed. It works without any third-party
stations and can detect bogus messages
with nearly 100% accuracy based on
the geometric property of mobile ob-
jects instead of probability. All ADS-BT
functions are implemented in the digital
domain (no signal strength measure-
ment, directional finder, or frequency
shift measurement), so it can be imple-
mented practically and cost-effectively.
Once the timing information is gath-
ered, the detection can be done slowly
in the background as it can detect the
fake aircraft within a reasonable period,
e.g., a few seconds. So, there is no need
for real-time processing and the detec-
tion algorithm can be implemented in Figure 7.
software on a slow computing platform, Trend of Tsender values.
which makes it cost-effective.
Figure 8.
Performances for spoofed message detection. (a) Static attacker. (b) Mobile attacker.
REFERENCES
[1] Fiorino, F. ADS-B ins and outs. FAA Safety Briefing, (Jul./Aug. 2014),
30–35
[2] Francis, R., Vincent, R., Noe, J.-M., Tremblay, P., Desjardins, D.,
Cushley, A., et al. The flying laboratory for the observation of ADS-B
signals. International Journal of Navigation and Observation, (Aug.
2011), 1–5.
[3] Smith, D. Getting compliant with the looming ADS-B mandate. Fly-
ing Magazine, Mar. 17, 2016. [Online] http://www.flyingmag.com/
getting-compliant-with-looming-ads-b-mandate.
Figure 9. [4] Anderson, C. Google producing low-cost ADS-B transponders for
ADS-B vs. ADS-BT packet format. (a) Current ADS-B format. (b) drones. DIY Drones, Mar. 25, 2015. [Online] http://diydrones.com/
Proposed ADS-BT format.
profiles/blogs/google-producing-low-cost-adsb-transponders-for-
drones.
[5] NexAir Avionics. ADS-B. [Online] http://www.nexairavionics.com/
TRANSITION TO ADS-BT hot-topics/ads-b.
[6] Flightrader24. How it works. [Online] https://www.flightradar24.
We find that 8-bit is enough for timestamp size. This value can
com/how-it-works.
be integrated into the current ADS-B structure without increasing
[7] Strohmeier, M., Lenders, V., and Martinovic, I. On the security of
the packet size. The current ADS-B uses the 112-bit mode-S ex-
the automatic dependent surveillance-broadcast protocol. 2015 IEEE
tended squitter message format (Figure 9a). The last 24 bits are
Communications Surveys & Tutorials, Vol. 17, 2 (second quarter
used for Cyclic Redundancy Check (CRC) checksum, which can
2015), 1066–1087.
be reduced to 16 bits without any noticeable degradation of the
[8] Flightrader24. Live air traffic. Available: http://www.flightradar24.com.
error detection performance. It is known that the error checking
[9] Federal Aviation Administration. Introduction to TCAS II, version
performances of CRC-16 and CRC-24 are virtually identical for
7.1. Feb. 28, 2011.
data smaller than 256 bits [26].
[10] TCAS Traffic Display—Airline Pilots Forum and Resource. [Online]
Thus the 8-bit timestamp value in ADS-BT can be safely em-
http://www.theairlinepilots.com/ forumarchive/flightsafety/tcastraf-
bedded in the first 8 bits of the CRC checksum (Figure 9b), which
ficdisplay.php.
keeps the ADS-BT data size same as ADS-B. Its first 5 bits are for
[11] Australian Government. Loss of separation between Airbus A330 VH-
downlink format (DF), and the value of 17 is assigned to ADS-B.
EBO and Airbus A330 VH EBS. ATSB Transport Safety Report, Avia-
As some of the DF values are not used currently, a new value (e.g.,
tion Occurrence Investigation, Mar. 5, 2015. [Online] https://www.
15) can be assigned to ADS-BT. This allows coexistence of ADS-
atsb.gov.au/media/5214362/AO-2013-161%20final.pdf.
B and ADS-BT without any disruption. The devices that do not
[12] Hansen, A. Book review for Tracon by Paul McElroy. American Avia-
understand the new downlink code can simply ignore the packet. A
tion Historical Society, Celebrating over 60 Years of Service. [Online]
device with a firmware upgrade can decode the ADS-BT message
http:// www.aahs-online.org/bk_review.php?ibook=45.
using the new 16-bit CRC.
[13] Moore, J. ADS-B for drones: Tiny transceiver developed. Aircraft
Owners and Pilots Association, May 4, 2016. [Online] https://www.
aopa.org/news-and-media/all-news/2016/may/04/nextgen-for-drones.
CONCLUSIONS [14] Snow, C. New research: ADS-B and its use for small drone traffic
ADS-B is the foundation of NextGen ATC and a trustworthy management. sUAS NEWS, Nov. 2, 2015. [Online] http://www. suas-
ADS-B system will make the NextGen system more reliable. In news.com/2015/11/new-research-ads-b-and-its-use-for-small-drone-
this research we have developed the ADS-BT method that mea- traffic-management.
sures the time of flight for the message between the aircraft and [15] Hableel, E., Baek, J., Byon, Y., and Wong, D. S. How to protect ADS-
compares that with the time of flight derived from the distance B: Confidentiality framework for future air traffic communication. In
between the aircraft. To enable time measurements, the ADS- Proceedings of the 2015 IEEE Conference on Computer Communica-
B messages will include a timestamp value. In spoofed ADS-B tions Workshops, Apr. 26, 2015–May 1, 2015, 155–160.
messages, there is a discrepancy between the times of flight, [16] Viggiano, M., Valovage, E., Samuelson, K., and Hall, D. Secure ADS-
which grows or shrinks over time continuously. By observing the B authentication system and method, U.S. Patent 7730307 B2, Jun.
change, we can detect all spoofed ADS-B frames with very high 1, 2010.
accuracy. Although ADS-BT requires some change in the ADS-B [17] Kwon, T., and Hong, J. Secure and efficient broadcast authentication
packet format, it can coexist with the existing ADS-B. ADS-BT in wireless sensor networks. IEEE Transactions on Computers, Vol.
can especially offer a practical location verification capability for 59, 8 (Aug. 2010), 1120–1133.
UAS traffic management. Although some upgrade effort is nec- [18] Danev, B., Zenetti, D., and Capkun, S. On physical-layer identifica-
essary, the assurance attained by the adoption of ADS-BT may tion of wireless devices. ACM Computing Surveys, Vol. 45, 1 (Nov.
outweigh the cost. 2012), 1–-29.
[19] Zeng, K., Govindan, K., and Mohapatra, P. Non-cryptographic au- [23] da Silva, J. L. R., Brancalion, J. F. B., and Fernandes, D. Data fusion
thentication and identification in wireless networks. IEEE Wireless techniques applied to scenarios including ADS-B and radar sensors
Communications, Vol. 17, 5 (Oct. 2010), 56–62. for air traffic control. In Proceedings of the 12th International Con-
[20] Nijsure, Y., Kaddoum, G., Gagnon, G., Gagnon, F., Yuen, C., and ference on Information Fusion, 2009 (FUSION '09), July 6–9, 2009,
Mahapatra, R. Adaptive air-to-ground secure communication system 1481–1488.
based on ADS-B and wide area multilateration. IEEE Transactions on [24] Esler, D. Global advance of ADS-B. Aviation Week, Dec. 11, 2015. [On-
Vehicular Technology, Vol. 65, 5 (2016), 3150–3165. line] http://aviationweek.com/connected-aerospace/global-advance-ads-b.
[21] Ghose, N., and Lazos, L. Verifying ADS-B navigation information [25] Lo, S., Chen, Y. H., Enge, P., Narins, M. Techniques to provide resil-
through doppler shift measurements. In Proceedings of the IEEE/ ient alternative positioning, navigation, and timing (APNT) using au-
AIAA 34th Digital Avionics Systems Conference (DASC), Sept. tomatic dependent surveillance—Broadcast (ADS-B) ground stations.
2015. In Proceedings of the 2015 International Technical Meeting of The
[22] Park, P., Khadilkar, H., Balakrishnan, H., and Tomlin, C. High con- Institute of Navigation, Jan. 26–28, 2015.
fidence networked control for next generation air transportation sys- [26] Maxino, T. C. and Koopman, P. J. The Effectiveness of Checksums for
tems. IEEE Transactions on Automatic Control, Vol. 59, 12 (Aug. Embedded Control Networks, IEEE Transactions on Dependable and
2014), 3357–3372. Secure Computing, Vol. 6, 1 (Jan. - Mar. 2009), 59–72.