Requiem for a drone: a machine-learning based framework for stealthy attacks against unmanned autonomous vehicles

TL;DR

This paper addresses the vulnerability of UAV state estimation to stealthy data injections by proposing Requiem, a software-only blackbox framework that learns surrogate models of the target estimator and anomaly detectors and trains a spoofer to craft input values that subtly steer UAV trajectories without triggering detectors. The approach is validated in PX4 SITL, using three-stage data collection, surrogate modeling, and GAN-like spoofer training, demonstrating stealthy but meaningful deviations across multiple missions. Key contributions include a novel stealthy attack paradigm, a generalizable blackbox attack workflow that does not depend on specific sensors or estimators, and practical insights into attack learnability, environmental robustness, and potential defenses. The work underscores the need for more robust anomaly detection and defense strategies in safety-critical UAV systems and highlights the broader risk of sensor-level spoofing in autonomous platforms.

Abstract

There is a space of uncertainty in the modeling of vehicular dynamics of autonomous systems due to noise in sensor readings, environmental factors or modeling errors. We present Requiem, a software-only, blackbox approach that exploits this space in a stealthy manner causing target systems, e.g., unmanned aerial vehicles (UAVs), to significantly deviate from their mission parameters. Our system achieves this by modifying sensor values, all while avoiding detection by onboard anomaly detectors (hence, "stealthy"). The Requiem framework uses a combination of multiple deep learning models (that we refer to as "surrogates" and "spoofers") coupled with extensive, realistic simulations on a software-in-the-loop quadrotor UAV system. Requiem makes no assumptions about either the (types of) sensors or the onboard state estimation algorithm(s) -- it works so long as the latter is "learnable". We demonstrate the effectiveness of our system using various attacks across multiple missions as well as multiple sets of statistical analyses. We show that Requiem successfully exploits the modeling errors (i.e., causes significant deviations from planned mission parameters) while remaining stealthy (no detection even after {tens of meters of deviations}) and are generalizable (Requiem has potential to work across different attacks and sensor types).

Figures (23)

• Figure 1: Example of stealthy attack: the vehicle thinks it is following the mission path (blue) while in actuality, it is deviating (red). A realistic example is shown on the right where the attack trajectory is offset to north.
• Figure 2: Error space exploitation. Nominal mission trace (blue) vs same mission under stealthy attack (red). Grey region is the difference being exploited ( i.e., accumulated error). By the end of the accumulation, the vehicle's true position differs from the reported GPS position. To remain stealthy, the reported GPS position becomes similar to the nominal.
• Figure 3: Process of UAV deployment.
• Figure 4: (Top) Standard software architecture of common flight controllers. (Bottom) Sequence of events during the operation of a UAV.
• Figure 5: Examples of adversary entry vectors. (\ref{['fig:ekf_task']}) shows the nominal flow. (\ref{['fig:ekf_task_mitm']}) is an example of malicious module in the system hijacking the sensor topic. (\ref{['fig:ekf_task_bad_input']}) is an example of the attacker exploiting vulnerability in the task to corrupt the input but the integrity of the target function is protected.