Empirical analysis of cyber-attacks to an indoor real time localization system for autonomous robots

Abstract

Real Time Location Systems (RTLSs) are critical components of many mobile robots that rely on them to safely operate in different environments, and their cyber-security is a growing concern. The goal of this paper is to demonstrate that there are statistically meaningful differences in the data provided by beacon-based RTLSs between the case when there is an attacker or none, which can be used to detect attacks. A procedure to choose the more discriminant distribution of beacons is presented, as well as its empirical validation, based on data provided by a commercial RTLS used by a mobile robot for indoor navigation. In the evaluation, three basic alternatives to define the distribution of beacons were considered to see which one was more discriminant, that is, the one with more differences. Statistical differences in the data gathered by the mobile robot, when the localization system is under attack, and when it is not, have been found. It has been also verified that these differences are larger or smaller depending on the location of the beacons.

Introduction

Cyber-security of robotic systems is an emerging and necessary field of research (see Morante et al., 2015). Specifically, cyber-security on autonomous systems is becoming increasingly necessary. New security and safety problems have appeared with the introduction of autonomous systems, such as robots, drones, and automobiles, into our daily lives, especially in critical fields involving humans, as for instance in medical robotics (Bonaci et al., 2015).

Conventional Intrusion Detection Systems (IDSs) are not usually suitable for autonomous systems. They often do not take into account physical aspects, such as mobility or energy consumption. Some work to adapt conventional IDSs have been done. For instance Vuong et al. (2015) propose a method to detect cyber-attacks by using the data gathered by on-board systems and processes to improve IDS performance.

Real Time Location Systems (RTLSs) systems are critical components of many robotic systems. For example, mobile robots use them to navigate autonomously, which has been one of the classical problems in robotics. Robots use them to obtain their relative location in a given map which allow calculating routes, planning next actions, etc. There are other alternatives for self-locating mobile robots. Simultaneous Localization and Mapping (SLAM) (Dissanayake et al., 2001) has been one of the hot topics in robotics for many years (visual SLAM, laser SLAM, etc.). Although efficient algorithms have been developed to solve the SLAM problem, these algorithms demand a lot of computing power that is not usually available in mobile robots. So, many industrial applications of mobile robots rely on external RTLSs, instead of using self-localization techniques, thereby converting RTLSs into a vector of cyber-attacks in robotic systems.

Different approaches are used to implement RTLS for robotic systems. They can be classified (see Liu et al., 2007) as ones based on range estimation, and those that are not. Most popular ones are range-based. Localization algorithms for range-based RTLSs involve measuring physical properties that can be used to calculate the distance between a mobile transceiver and several beacons whose locations are known. The distance between the mobile transceiver and the beacon can be calculated as Time of Arrival (TOA), as used in Global Positioning System (GPS); Time Difference of Arrival (TdOA) is also widely used, as well as the Angle of Arrival (AOA), and other properties of arriving signals. Beacons must be located close enough for the mobile transceiver to receive the distance from sufficient beacons to estimate the location. Usually, at least three beacons are needed to get a 2D-location estimate, and four for a 3D-location estimate. The location estimate obtained has an associated error, depending on the precision of the system.

In particular, UWB-based localization systems are used in robotics because they offer an affordable and low-cost computational solution for indoor localization (González et al., 2009). These systems estimate the location using the range between the mobile transceiver on-board the robot and several beacons distributed in the area where the robot is moving. The distribution of beacons must be carefully chosen when deploying a UWB-based RTLS, because it may have an impact on the ability to obtain accurate location estimates.

There are three basic alternatives to define the distribution of beacons according to coverage. Each one has its own advantages and disadvantages. The first one tries to maximize the coverage area. The second alternative tries to maximize precision by reducing the coverage area and increasing the density of beacons. The third one is a compromise solution between coverage and precision.

RTLSs have reportedly been cyber-attacked. The resilience of RTLSs to Denial of Service (DoS) and distance spoofing attacks have been analyzed in the literature, and different methods for secure positioning have been proposed. For instance Capkun and Hubaux (2005) propose a statistical method for position verification, called Verifiable Multilateration (VM), that determines the location of a mobile transceiver from a set of reference points whose locations were known using the distances between the reference points and the device. This method requires that the location of the reference points be given by a ground-truth system in real time, which could also be a vector of attack. Our method does not require a ground-truth system, only data gathered by a RTLS, even if it is suffering an attack.

Cyber-attacks to outdoor localization services, such as GPS, have been reported and analyzed (see Psiaki and Humphreys, 2016). In this work, we focus on RTLSs for indoor environments, also known as Indoor Positioning Systems (IPSs). A survey of wireless indoor positioning techniques and systems is shown in Liu et al. (2007). Those attacks on IPS studied in the scientific literature have to do with sensor networks. For instance Van Phuong et al. (2006), propose an algorithm for detecting a series of attacks in Wireless Sensor Networks (WSNs) by looking for anomalies using the Cumulative Sum (CUSUM) algorithm. Our proposal is somewhat similar, as we look for differences between the expected locations and the location estimates gathered by a mobile transceiver. In our case, we are not analyzing the sequence of packets, but their content.

Several proposals have been made to detect stealthy attacks. Urbina et al. (2016) present a survey on attack detection schemes in Industrial Control Systems (ICSs). They propose a new metric to measure the impact of stealthy attacks and show that the impact of such attacks can be mitigated in several cases by the proper combination and configuration of detection schemes. Sabaliauskaite et al. (2016) propose a method using a CUSUM algorithm to detect stealthy attacks on a robotic system. Attacks consist of changing the readings obtained from one of the robot sonar sensors when transmitted to the wireless control system. This is similar to spoofing attacks we analyze in this work, in which the signals of beacons are modified. However, in our proposal, different statistical methods have to be used because data gathered by RTLSs do not follow a normal distribution as happens in the sonar sensor readings used in Sabaliauskaite et al. (2016).

With respect to security problems on UWB-based localization systems, attacks on beacons are the most common because they are physically exposed. Jamming or spoofing the signal of one or more beacons affects the mobile transceiver location estimate, which may have dangerous consequences for robot behavior. DoS attacks on one or more of the beacons or spoofing attacks on the signal of the beacons are easy to carry out, so methods for detecting attacks are required. Table 1 enumerates different properties that are used by localization algorithms, along with different threats that may be employed against them (Li et al., 2005). The vulnerabilities can be used to carry out a DoS attack by temporarily or definitively interrupting the signal of one or more radio beacons. A spoofing attack can also be performed by changing the signal of the radio beacons.

We focus on these kinds of attacks. First, we want to demonstrate that there are statistically meaningful differences in the data provided by beacon-based RTLSs between the case when there is an attacker or not, which can be formulated as:

Question 1

Given a distribution of beacons, are there statistically meaningful differences between the location estimates gathered by an RTLS when the system operates normally and when it is under attack?

If the answer is positive, it should be possible to get a classification model to detect DoS and spoofing attacks simply by analyzing the data gathered by the mobile transceiver.

There are some precedents to detecting attacks through sensor data by using statistical and Machine Learning techniques. Livadas et al. (2006) present a method using machine learning-based classification techniques to identify botnet traffic, Shon and Moon (2007) use a Support Vector Machine (SVM) to classify abnormal behaviors in the traffic of a network. Regarding WSNs Xie et al. (2013) use the K-Nearest Neighbors (KNN) algorithm to detect anomalies, while Shahid et al. (2015) use an SVM, and Xie et al. (2015) use a segment-based method. All the above methods depend on specific features in their input data and may not work properly in different environments. We call feature one of the properties of the input data used to estimate the location, for instance, the distance of different beacons in RTLSs. The selection of the proper features is not always an easy task, as shown in Abu-Mostafa et al. (2012), although there are Machine Learning algorithms that allow feature selection (see Frank, Wolfe, 1956, Guyon, Elisseeff, 2003, Shalev-Shwartz et al, 2010). Our work will help to decide if something similar to those proposals could be achieved by using the data provided by RTLSs, before facing feature selection. In addition, this could be applied to any RTLS, regardless of its implementation, because only location estimates are used, not specific features.

In the case where the above answer is positive, the question arises whether the distribution of beacons affects these differences. This issue can be formulated as:

Question 2

If it is possible to find different distributions with statistically meaningful differences, which one is the most discriminant?

Analyzing the differences among different distribution of beacons helps to select the one that shows more differences. This is the one that best differentiates an attack from a device precision error. In order to study these differences we evaluate the three beacon location alternatives previously mentioned.

The procedure that we are proposing can work with different significance levels (α) in order to fit the confidence restrictions of our tests.

The rest of this paper is organized as follows: Section 2 describes the systems and the environment where the experiments were carried out. It also specifies the procedure and tools employed in the analysis. Section 3 goes into the statistical analysis carried out in depth and presents our procedure. Section 4 summarizes the data gathered and the information that can be used. Section 5 discusses the results that can be extracted from the data analysis. Finally, the last section summarizes conclusions and future work envisioned.

All datasets and scripts used in this research are available in a public git repository.¹