UAVs in Cyber Warfare


Chapter 1: Introduction to UAVs in Cyber Warfare
[mh]Understanding Unmanned Aerial Vehicles (UAVs)

UAVs are aircraft that are guided autonomously, by remote control, or by both means and that carry
some combination of sensors, electronic receivers and transmitters, and offensive ordnance. They are
used for strategic and operational reconnaissance and for battlefield surveillance, and they can also
intervene on the battlefield—either indirectly, by designating targets for precision-guided munitions
dropped or fired from manned systems, or directly, by dropping or firing these munitions themselves.

The earliest UAVs were known as remotely piloted vehicles (RPVs) or drones. Drones were small
radio-controlled aircraft first used during World War II as targets for fighters and antiaircraft guns.
They fell into two categories: small, inexpensive, and often expendable vehicles used for training; and,
from the 1950s, larger and more sophisticated systems recovered by radio-controlled landing or
parachute. The vehicles were typically fitted with reflectors to simulate the radar return of enemy
aircraft, and it soon occurred to planners that they might also be used as decoys to help bombers
penetrate enemy defenses.

It also occurred to planners that RPVs could be used for photographic and electronic reconnaissance.
One result of this idea was the AQM-34 Firebee, a modification of a standard U.S. target drone built in
various versions since about 1951 by the Ryan Aeronautical Company. First flown in 1962, the
reconnaissance Firebee saw extensive service in Southeast Asia during the Vietnam War. It was also
used over North Korea and, until rapprochement in 1969, over the People’s Republic of China. A
swept-wing, turbojet-powered subsonic vehicle about one-third the size of a jet fighter, the AQM-34
penetrated heavily defended areas at low altitudes with impunity by virtue of its small radar cross
section, and it brought back strikingly clear imagery. Firebees fitted with receivers to detect electronic
countermeasures returned intelligence about Soviet-built surface-to-air missiles that enabled American
engineers to design appropriate detection and jamming equipment.
AQM-34s operated with the limitations of 1960s technology: they carried film cameras, were launched
from underwing pylons on a C-130 Hercules transport plane, and were recovered by parachute—
snagged from the air by a harness hung from a helicopter. The full advantages of UAVs were to remain
unexploited on a large scale until the 1980s, when reliable miniaturized avionics combined with
developments in sensors and precision-guided munitions to increase the capabilities of these vehicles
dramatically. One critical development was small high-resolution television cameras carried in
gimbaled turrets beneath a UAV’s fuselage and remotely controlled via a reliable digital downlink and
uplink. Often, the vehicles also carried a laser designator for homing munitions. Global positioning
system (GPS) sensors provided precise location information for both the UAVs and their guided
munitions. Employing these new technologies, the United States has fielded strategic-range UAVs,
using communications satellites to relay control signals and sensor readouts between UAVs and
control centres over global distances. For instance, in 2003 Ryan produced the first of a series of RQ-4
Global Hawk UAVs. The Global Hawk is capable of carrying a wide array of optical, infrared, and
radar sensors and takes off from and lands on a runway. Its service ceiling of 65,000 feet (20,000
metres), its relatively small size, and the reach of its sensors render it effectively immune to surface-
based defensive systems. Prototype Global Hawks were pressed into wartime use over Afghanistan in
2002 and over Iraq as early as 2003. They are currently the most important strategic-range UAVs in
service.
The advantages of strategic UAVs notwithstanding, the emergent technologies described above were
first exploited in war by Israeli battlefield UAVs. The first of these was the Tadiran Mastiff, a twin-
boom aircraft introduced in 1975 that resembled a large model airplane weighing just over 90 kg (200
pounds) with a boxy fuselage and a pusher propeller driven by a small piston engine. It could be
catapulted from a truck-mounted ramp, launched by rocket booster, or operated from a runway. The
Mastiff and the larger but similar Scout, produced by Israeli Aircraft Industries (IAI), proved effective
in identifying and locating surface-to-air missiles and marking them for destruction during hostilities in
Lebanon in 1982. The U.S. Marine Corps procured the Mastiff, and it followed up this vehicle with the
IAI-designed and U.S.-built RQ-2 Pioneer, a slightly larger vehicle with secure up- and downlink. The
Pioneer, fielded in 1986, was used by the Marine Corps and Navy in the Persian Gulf War of 1990–91.
Meanwhile, the U.S. Army promoted the development of a similar but still larger UAV, the Israeli-
designed RQ-5 Hunter, which had a gross weight of 1,600 pounds (720 kg) and was propelled by both
pusher and tractor propellers. Although not procured in quantity, Hunters served in the 2003 invasion
of Iraq.
Following the lead of Israel, the United States has aggressively developed UAVs. The most important
UAV in operational use is the General Atomics MQ-1 Predator, powered by a piston engine driving a
pusher propeller. The Predator entered service in 1995 and, after initial problems, developed into a
capable surveillance craft carrying a wide variety of optical, infrared, electronic, and radar sensors. The
first operational use of armed UAVs involved Predators carrying antitank missiles and operated by the
Central Intelligence Agency during the 2001 invasion of Afghanistan. However, Predators are operated
mainly by the U.S. Air Force, often to locate and mark targets for heavily armed fighter-bombers or
gunships. Supplementing the MQ-1 is General Atomics’ MQ-9 Reaper, a larger version of the Predator
powered by a turboprop engine. The Reaper can carry some 3,000 pounds (1,360 kg) of ordnance and
external fuel and has a significantly higher service ceiling than the Predator. It entered operations over
Afghanistan in the autumn of 2007. Predators and Reapers have been purchased by allies of the United
States, notably the United Kingdom.
All major military powers and even some militia groups employ battlefield surveillance UAVs to
extend the view of ground and naval forces and to enhance the reach and accuracy of their supporting
fire. For example, in its conflict with Israel, the Lebanese group Hezbollah has used the Iranian-built
Ababil (“Swallow”), a vehicle with a wingspan of 3.25 metres (10 feet 8 inches) that is powered by a
pusher propeller and launched either from a truck-mounted pneumatic launcher or by a booster rocket.
Tactical surveillance craft range in sophistication from vehicles that, like the Ababil, loiter over
battlefields acquiring and designating targets to hand-launched “mini-UAVs” carrying a single visible-
or infrared-spectrum television camera. An early example of the latter is the U.S. AeroVironment
FQM-151 Pointer, a UAV weighing less than 10 pounds (4.5 kg) and resembling a powered model
sailplane. The Pointer first saw service with the U.S. Marine Corps in the Persian Gulf War. It is being
replaced by the Puma, a development of the Pointer with more-advanced sensors, by the RQ-11 Raven,
a scaled-down version of the Puma, and by the Wasp, a tiny vehicle weighing about 1 pound (less than
half a kilogram) with a wingspan of 2 feet 4.5 inches (72 cm); the last is being issued to air force
ground combat control teams as well as marines down to the platoon level.

Hovering UAVs have entered service—for example, the U.S. Honeywell RQ-16 T-Hawk, a ducted-fan
vehicle weighing 18.5 pounds (8 kg), fielded in 2007 and used to locate improvised explosive devices,
and the Russian Kamov Ka-137, a 280-kg (620-pound) helicopter powered by coaxial contrarotating
blades and carrying a television camera for border patrol. The much larger Northrop Grumman MQ-8
Fire Scout, a 3,150-pound (1,420-kg) single-rotor craft resembling an unmanned helicopter, has been
operational with the U.S. Navy since 2009; it was first used in anti-drug-smuggling operations off the
coasts of the United States.

In 1997 the U.S. Defense Advanced Research Projects Agency (DARPA) began to fund feasibility
studies of extremely small “micro UAVs” no larger than 6 inches (15 cm). These studies (and similar
studies conducted since 2003 in Israel) have produced a bewildering variety of designs powered by
electric motors or tiny gas turbines the size of a watch battery, but no publicly acknowledged use has
yet been found for them.

The next wave of UAV development is likely to be so-called uninhabited combat air vehicles
(UCAVs). If the experimental Boeing X-45 and Northrop Grumman X-47 are representative of these
vehicles, they will resemble small B-2 Spirit stealth bombers and will vary in size from one-third to
one-sixth the gross weight of a single-seat fighter-bomber. They will most likely supplement or even
replace piloted fighter-bombers in the attack role in high-threat environments. Finally, large, extremely
light solar-powered “endurance UAVs” have been flown in order to test the feasibility of
communications and surveillance vehicles that would stay on station at high altitude for months or
even years at a time.

F-15, twin-engine jet fighter produced by the McDonnell Douglas Corporation of the United States.
Based on a design proposed in 1969 for an air-superiority fighter, it has also been built in fighter-
bomber versions. F-15s were delivered to the U.S. Air Force between 1974 and 1994; they have also
been sold to U.S. allies in the Middle East and have been assembled under contract in Japan.
Figure: U.S. Air Force F-15E Strike Eagle fighter-bomber over Afghanistan, 2006.

The F-15 has a wingspan of 42 feet 9.75 inches (13.05 m) and a length of 63 feet 9 inches (19.43 m). It
is powered by two Pratt & Whitney or General Electric turbofan engines, which with afterburning can
generate from 23,000 to 29,000 pounds of thrust, accelerating the aircraft to more than twice the speed
of sound. The single-seat air-superiority version is armed with a 20-millimetre rotary cannon and an
array of short-range and medium-range air-to-air missiles. In the fighter-bomber version, known as the
Strike Eagle, a weapons officer seated behind the pilot controls the delivery of a number of guided
missiles and bombs. The Strike Eagle carried out much of the nighttime precision bombing of Iraqi
installations during the Persian Gulf War of 1990–91.

B-26, U.S. medium bomber used during World War II. It was designed by the Glenn L. Martin
Company Aviation in response to a January 1939 Army Air Forces requirement calling for a fast
heavily-armed medium bomber; the result was an exceptionally clean design with a high wing, a
torpedo-shaped fuselage, conventional tail surfaces, and tricycle landing gear. The B-26 first flew in
November 1940, and the aircraft entered production “off the drawing board,” there being no prototype
as such, in February 1941.

Powered by two 2,000-horsepower Pratt & Whitney engines, the B-26 had a wingspan of 65 feet (20
metres) and was 56 feet (17 metres) long. It could carry 4,000 pounds (1,800 kg) of bombs internally
and had a ceiling of just under 20,000 feet (6,100 metres); its range was approximately 1,100 miles
(1,750 km). Early B-26s had a heavy defensive armament for that time, with turrets in the tail and
upper rear fuselage mounting twin 0.50-inch (12.7-mm) machine guns. The rear fuselage turret was the
first powered turret ever fitted to a U.S. aircraft. Early versions of the bomber were exceptionally fast,
with a maximum speed of 315 miles (507 km) per hour. However, the speed came at a price. The short
low-drag wings that were responsible for the Marauder’s top speed called for takeoff and landing
speeds much higher than service aviators were accustomed to. The result was a rash of accidents, so
that the B-26 soon acquired a reputation as a “hot” aircraft and was given the nickname
“Widowmaker.” The problem was rectified in later versions by fitting longer wings at the sacrifice of
some of the Marauder’s speed. Later versions also were armed with as many as 12 0.50-inch machine
guns.
The B-26 first saw combat in the Southwest Pacific, where it was used in New Guinea from the spring
of 1942. However, the Army Air Forces replaced the Marauder with B-25 Mitchells in that theatre, and
most B-26s served in Europe and the Mediterranean. After a disastrous debut as a low-level bomber in
Europe—an entire formation of 10 Marauders was lost to German flak and fighters in a May 1943
attack on targets in the Netherlands—the B-26 was relegated to relatively short-range, medium-altitude
operations with heavy fighter escort and served well in that role. Marauders also played a significant
role in the Italian campaign and in bombing bridges and rail yards in preparation for the D-Day
landings of the Normandy Invasion. They were used in small numbers by Britain’s Royal Air Force
and by the Free French.

Some 5,000 B-26s were manufactured during the war. Though it was faster than the B-25 and carried a
larger bomb load, the B-26 was less well liked by those who flew it. It was dropped from service after
the war.

Spitfire, the most widely produced and strategically important British single-seat fighter of World War
II. The Spitfire, renowned for winning victory laurels in the Battle of Britain (1940–41) along with the
Hawker Hurricane, served in every theatre of the war and was produced in more variants than any
other British aircraft.

The Spitfire was designed by Reginald Mitchell of Supermarine Ltd., in response to a 1934 Air
Ministry specification calling for a high-performance fighter with an armament of eight wing-mounted
0.303-inch (7.7-mm) machine guns. The airplane was a direct descendant of a series of floatplanes
designed by Mitchell to compete for the coveted Schneider Trophy in the 1920s. One of these racers,
the S.6, set a world speed record of 357 miles (574 km) per hour in 1929. Designed around a 1,000-
horsepower, 12-cylinder, liquid-cooled Rolls-Royce PV-12 engine (later dubbed the Merlin), the
Spitfire first flew in March 1935. It had superb performance and flight characteristics, and deliveries to
operational Royal Air Force (RAF) squadrons commenced in the summer of 1938. A more radical
design than the Hurricane, the Spitfire had a stressed-skin aluminum structure and a graceful elliptical
wing with a thin airfoil that, in combination with the Merlin’s efficient two-stage supercharger, gave it
exceptional performance at high altitudes.

The version of the Spitfire that fought in the Battle of Britain was powered by a Merlin engine of 1,030
horsepower. The plane had a wingspan of 36 feet 10 inches (11.2 metres), was 29 feet 11 inches (9.1
metres) long, and reached a maximum speed of 360 miles (580 km) per hour and a ceiling of 34,000
feet (10,400 metres). Faster than its formidable German opponent the Bf 109 at altitudes above 15,000
feet (4,600 metres) and just as maneuverable, Spitfires were sent by preference to engage German
fighters while the slower Hurricanes went for the bombers. More Hurricanes than Spitfires served in
the Battle of Britain, and they were credited with more “kills,” but it can be argued that the Spitfire’s
superior high-altitude performance provided the margin of victory.

Meanwhile, Supermarine was developing more-capable versions of the Spitfire driven by progressively
more-powerful Merlins. The eight 0.303-inch machine guns gave way to four 0.8-inch (20-mm)
automatic cannons, and by war’s end the Spitfire had been produced in more than 20 fighter versions
alone, powered by Merlins of up to 1,760 horsepower. Though outperformed by the German Fw 190
upon that aircraft’s introduction in 1941, the Spitfire restored parity the following year and eventually
regained the advantage. It remained a first-line air-to-air fighter throughout the war. Spitfires were used
in the defense of Malta, in North Africa and Italy, and, fitted with tail hooks and strengthened tail
sections, as Seafires from Royal Navy aircraft carriers from June 1942. Spitfires helped to provide air
superiority over the Sicily, Italy, and Normandy beachheads and served in the Far East from the spring
of 1943. Fighter-bomber versions could carry a 250- or 500-pound (115- or 230-kg) bomb beneath the
fuselage and a 250-pound bomb under each wing.

One of the Spitfire’s most important contributions to Allied victory was as a photo-reconnaissance
aircraft from early 1941. Superior high-altitude performance rendered it all but immune from
interception, and the fuel tanks that replaced wing-mounted machine guns and ammunition bays gave it
sufficient range to probe western Germany from British bases.

In late 1943 Spitfires powered by Rolls-Royce Griffon engines developing as much as 2,050
horsepower began entering service. Capable of top speeds of 440 miles (710 km) per hour and ceilings
of 40,000 feet (12,200 metres), these were used to shoot down V-1 “buzz bombs.” During World War
II, Spitfires were exported in small numbers to Portugal, Turkey, and the Soviet Union, and they were
flown by the U.S. Army Air Forces in Europe. When production ceased in 1947, 20,334 Spitfires of all
versions had been produced, 2,053 of them Griffon-powered versions.

[mh]The Intersection of UAVs and Cyber Warfare


UAVs have gained significance in our lives because of their potential applications. A single UAV is
restricted in power, capabilities, sensing, and flight time, and this has created a need for swarms of
UAVs. A UAV swarm overcomes the limitations and restrictions of an unaccompanied UAV and lets
larger teams cooperate on aerial missions. A swarm brings versatile possibilities because its strength
lies in numbers; among its benefits are task completion in less time, redundancy, and collaborative task
execution.

Swarming is not a contemporary concept. It exists in nature, motivated by the cooperation and mutual
communication of biological populations. The concept of a swarm of UAVs came into existence from
studying the flocking of birds, the movement of ant colonies, the cooperation of bees, schools of fish,
and the hunting of wolves. The unity of such animal groups makes it possible to achieve a common,
challenging, and complex goal.

Nevertheless, swarming is not restricted to natural phenomena. It is also inspired by a military tactic
in which many units converge on a common target from multiple axes in a coordinated and
deliberately structured form. Swarming has been observed throughout military history since the
fourth century. Today, however, swarming has changed the traditional concepts of command and
control into innovative ones: a single person can command and control several UAVs at a time.

Swarms of UAVs are evolving because of their significant capabilities: long-range operations,
enhanced robustness, and flexibility. Swarm intelligence has a high impact on many fields, such as
technology, science, and society, and on systems for inspection, tracking, transporting, and many
others. For the motion planning of UAV swarms, different studies have considered improvements in
control design, path planning algorithms, communication structure, monitoring and tracking
architectures, and safe flight protocols.

The researchers combined computational techniques with mathematical models in to examine the
effects of communication. This approach simplified the modeling process, but modeling was slow
and ran out of memory. In a controller based on a decentralized leader-follower strategy and a
tree-based network geometry were suggested. This study achieved the arrival of multiple UAVs at a
common spot while maintaining synchronization, and the suggested design showed flexibility and
robust performance; however, the study was bounded to a limited number of UAVs. In researchers
developed a framework for novel path planning of a UAV swarm. The proposed algorithm resulted in
efficient path planning with reduced energy consumption and inspection time, and it also provided
guidelines for determining various parameters.

In the study presented an algorithm for computing the control of a swarm and modeling its
distributed behavior; the analysis and simulations showed the effects of communication latency in
different scenarios. In an improved algorithm with a resilience metric is proposed that considers the
effects of limited communication range. This strategy was implemented in a surveillance mission,
where it proved to be a more realistic method that can efficiently face external disturbances and
threats. In a recent study, the concepts of the PIO algorithm, the proportional-integral controller, and
the proportional-integral-differential controller are employed for the formation control of UAV
clusters. This strategy outperformed the traditional methods and provided a safe flight protocol.
Further extensive reflection on how this technology has evolved is given in the related survey section.

[h]Motivation and contribution

The motivation for this paper is to gather, on a single platform, the multiple challenges that can hinder
the performance of a UAV swarm, and to provide appropriate approaches as solutions for achieving
optimal motion planning. This study can assist researchers in exploring multiple motion planning
strategies together with their contributions and limitations. Appropriate selection of motion planning
techniques and models can complete complex tasks quickly and address the needs of the applications
as well. The significant contributions of this paper are the following:

- To provide an explanation of swarm intelligence and the challenges it faces.
- To present a detailed analysis of the motion planning techniques with their contributions and
limitations from several research studies from more than the last decade.
- To recommend future directions to guide the researchers.

[h]Organization of the Paper

The paper is organized into many sections. Section 2 provides the state-of-the-art of UAV swarms.
Section 3 evaluates the concept of swarm intelligence. Section 4 presents challenges faced by the UAV
swarm. Section 5 reflects on an extensive survey of the techniques and models used to address many
challenges concerning the UAV swarm. Section 6 discusses the key findings and limitations. Section 7
gives the conclusion, and Section 8 recommends some future work for further research and
development.

[h]State-of-the-art

The swarm makes decisions collectively and completes its aerial mission using relatively simple
instructions, thanks to Artificial Intelligence (AI) technology and edge computing. Features like
following the leader and missions, path planning, sensing, and avoiding are already developed in the
Veronte Autopilot. This advancement in features makes teamwork possible and ensures task success.
The induction of swarms for surveillance and attack is a milestone event globally. This game-changing
capability of UAV swarms benefits larger as well as smaller nations. Other significant aspects of
swarming include combined decision-making, self-healing, and adaptive formation flying. UAV
swarms are still in a progressing phase, as further research is being conducted to enhance the systems.
Further focus includes expanding the capability of artificial swarm intelligence, increasing the
autonomy of the swarm agents, and commodification to reduce cost.
The most remarkable aspect of the UAV swarm is its application to both civilian and military purposes
using swarm intelligence. Civilian agencies are using swarm technology for bigger plans. The National
Aeronautics and Space Administration (NASA) is also employing this AI-based swarm technology for
climate change analysis, accomplishing tasks that were not possible with a single UAV. Moreover,
many developed nations have passed regulations to widen the commercial application of UAV swarms.
The swarm shows tremendous performance in power line and structure inspections, precision
agriculture, surveying, search and rescue operations, and other tasks.

However, the swarm of UAVs gained the spotlight for its potential and efficiency in military use. If
some UAVs of the swarm are shot down in combat, the remaining ones still complete the mission with
similar tactics, power, and flexibility. Raytheon demonstrated this by employing swarm operation
during a field exercise of the US Defense Advanced Research Projects Agency (DARPA) program. The
Raytheon swarm had communication and coordination ability, and every individual had sensors,
cameras, and Tactical Assault Kit (TAK) integration capability for environmental exploration.

Swarm technology is enhancing the capabilities of militaries in complex environmental tasks. Several
militaries, such as those of the US and China, lead in testing and simulating swarm operations at the
highest levels. Some militaries, like the British military, are using this technology for real-time
operations. The UK has also experimented with Leonardo’s Brite Cloud for swarming, which contained
electronic warfare jammers. Similarly, Russia aims to induct a large UAV swarm, “Flock 93,” into its
army soon and is trying to fill the gap by 2025. Iran, Turkey, and India are also making efforts to
mature and proliferate this technology using distributed intelligence and edge computing. Swarms of
UAVs are the future of aerial wars, and the future is now.

[h]Preliminaries of swarm intelligence (SI)

In this world, we observe that all individuals wish to amplify their intelligence. To this end, they think
and prefer to work together, like a swarm of bees, a school of fish, or a flock of birds. This is because
they believe that they are smarter in a group than alone. The new intelligence that is formed by the
deep interconnection of a real system with feedback loops is known as swarm intelligence. In simple
words, a swarm is a brain of all the brains, smarter than any individual one. Swarm intelligence is an
evolving area of bio-inspired artificial intelligence.
Moreover, using swarm intelligence, many heads follow a single mind. All the individuals follow clear
rules and interact not only with each other but with the environment as well. This adaptive strategy
requires a large mass of individuals. It is capable of scheduling, clustering, optimizing, and routing a
cluster of similar individuals. Swarm intelligence emphasizes the task’s relative position in the
schedule and follows the summation evaluation rule for scheduling. A collaboration of all the similar
individuals in a swarm is known as clustering; for example, the UAVs of one swarm are different from
the UAVs of other clusters. Through optimization, it can provide the best and lowest-cost solution
among all feasible outcomes. Moreover, it has potential capabilities for routing: it imitates the
principle of ants, in which forward ants gather information while backward ants utilize that
information.

[h]Aspects of SI

Major aspects of swarm intelligence include distribution, stigmergy, cooperation, self-organization,
emergence, and imitating natural behavior. Distribution is the prime characteristic of swarm
intelligence, as all the individuals are capable of selecting their actions and performing them. The
phenomenon by which agents interact indirectly through alterations of the environment is called
stigmergy. This phenomenon provides them with awareness of their surroundings and decouples the
interactions of the individuals. Another significant behavior is the cooperation of all the UAVs in a
swarm: UAVs cooperate to solve complex tasks and show collective behavior using swarm
intelligence. Another aspect of swarm intelligence is self-organization. This behavior is based on
positive feedback, negative feedback, amplification of fluctuations, and different social interactions.
Positive feedback is the amplification that gives better outcomes by allocating more UAVs to them.
Negative feedback stabilizes the system so that not all the UAVs converge to the same state. Self-
organizing phenomena usually show a tension between the two kinds of feedback, as in complex
networks, markets, cellular automata, and many other systems. Another characteristic is emergence,
which can be weak or strong. Emergence is said to be weak if the individual behavior is traceable from
the emergent properties, and strong if the individual behavior cannot be traced from the emergent
properties. Moreover, a swarm of UAVs is modeled by taking inspiration from natural swarm behavior.
Generally, swarm behavior includes foraging, constructing a nest, and moving together through the
environment. Hence, imitating these natural swarm behaviors is another key aspect of swarm
intelligence.

[h]Levels of SI

There are two levels of swarm intelligence. The first level employs a positive-feedback pheromone
that marks shorter paths and acts as an entry signal for others, whereas the second level employs a
negative pheromone that marks unpleasant routes and acts as a no-entry signal for others.

[h]Principles to follow in SI

A swarm generally follows five principles: the proximity principle, the quality principle, the diverse
response principle, the stability principle, and the adaptability principle. Following the proximity
principle, the basic swarm individuals can easily respond to environmental variance caused by
interactions among them. The quality principle allows a swarm to respond to quality factors such as
location safety only. The diverse response principle enables the distribution to be designed so that all
individuals are protected from environmental fluctuations to the greatest possible extent. The stability
principle restrains the swarm so that it shows stable behavior despite changes in the environment. The
adaptability principle reflects the sensitivity of a swarm, as its behavior changes with changes in the
environment. The most widely used rules are attraction between individuals, collision avoidance, and
self-organization. Under attraction, individuals come closer and focus on a similar direction. Under
collision avoidance, they keep a particular distance between them to avoid collisions. Under the self-
organization rule, they interact with their neighbors but do not trust all of them.
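One way to turn the three rules above into code, as an added illustration that is not part of the original text: each UAV computes its next velocity from attraction (cohesion toward, and alignment with, perceived neighbours), collision avoidance (a repulsive push when closer than a minimum separation) and self-organization (only neighbours inside a perception radius are consulted, never the whole swarm). The constants MIN_SEP, PERCEPTION, MAX_SPEED and the rule weights are assumed values chosen for the demonstration.

```python
"""One update step of a decentralized UAV swarm following the rules the
text names: attraction (move toward nearby neighbours and align heading
with them), collision avoidance (keep at least MIN_SEP apart) and
self-organization (each UAV reacts only to neighbours it can perceive,
never to the whole swarm).  All constants are assumed demonstration values.
"""
from dataclasses import dataclass
from typing import List, Tuple
import math

Vec = Tuple[float, float]

MIN_SEP = 2.0       # collision-avoidance distance, metres (assumed)
PERCEPTION = 10.0   # neighbour perception radius, metres (assumed)
MAX_SPEED = 1.0     # metres per step (assumed)
W_COHESION, W_ALIGN, W_AVOID = 0.1, 0.5, 1.0   # rule weights (assumed)


@dataclass
class UAV:
    pos: Vec
    vel: Vec = (0.0, 0.0)


def _sub(a: Vec, b: Vec) -> Vec:
    return (a[0] - b[0], a[1] - b[1])


def _add(a: Vec, b: Vec) -> Vec:
    return (a[0] + b[0], a[1] + b[1])


def _scale(a: Vec, k: float) -> Vec:
    return (a[0] * k, a[1] * k)


def _norm(a: Vec) -> float:
    return math.hypot(a[0], a[1])


def neighbours(me: UAV, swarm: List[UAV]) -> List[UAV]:
    """Self-organization: only UAVs inside the perception radius count."""
    return [o for o in swarm
            if o is not me and _norm(_sub(o.pos, me.pos)) <= PERCEPTION]


def steer(me: UAV, swarm: List[UAV]) -> Vec:
    """Combine the three rules into the UAV's next velocity."""
    nb = neighbours(me, swarm)
    if not nb:
        return me.vel          # nothing perceived: keep current heading
    n = len(nb)
    # attraction: head toward the neighbours' centroid ...
    centroid = (sum(o.pos[0] for o in nb) / n, sum(o.pos[1] for o in nb) / n)
    cohesion = _sub(centroid, me.pos)
    # ... and match their average velocity (focus on a similar direction)
    align = (sum(o.vel[0] for o in nb) / n, sum(o.vel[1] for o in nb) / n)
    # collision avoidance: push away from anyone closer than MIN_SEP,
    # harder the closer they are (coincident UAVs, dist == 0, get no push)
    avoid: Vec = (0.0, 0.0)
    for o in nb:
        d = _sub(me.pos, o.pos)
        dist = _norm(d)
        if 0.0 < dist < MIN_SEP:
            avoid = _add(avoid, _scale(d, (MIN_SEP - dist) / dist))
    v = _add(_add(_scale(cohesion, W_COHESION), _scale(align, W_ALIGN)),
             _scale(avoid, W_AVOID))
    speed = _norm(v)
    if speed > MAX_SPEED:      # airframe speed limit
        v = _scale(v, MAX_SPEED / speed)
    return v


def step(swarm: List[UAV]) -> List[UAV]:
    """Advance every UAV by one step from the state at the start of the
    step, so the update order does not bias the result."""
    new_vel = [steer(u, swarm) for u in swarm]
    return [UAV(_add(u.pos, v), v) for u, v in zip(swarm, new_vel)]


def min_pairwise_distance(swarm: List[UAV]) -> float:
    return min(_norm(_sub(a.pos, b.pos))
               for i, a in enumerate(swarm) for b in swarm[i + 1:])


if __name__ == "__main__":
    # constructed sample: two UAVs closer than MIN_SEP are pushed apart,
    # two UAVs 6 m apart are drawn together, two 50 m apart ignore each other
    for pair in ([UAV((0.0, 0.0)), UAV((1.0, 0.0))],
                 [UAV((0.0, 0.0)), UAV((6.0, 0.0))],
                 [UAV((0.0, 0.0)), UAV((50.0, 0.0))]):
        print(min_pairwise_distance(pair), "->", min_pairwise_distance(step(pair)))
```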

[h]Mechanism of SI

The mechanisms of swarm intelligence concern the environment, the interactions, and the activities of
the individuals in a swarm. No direct communication takes place among the individuals in a swarm;
they interact with each other through alterations of the environment, which thus serve as an external
memory. This is achieved by applying the stigmergy behavior of all the swarm members. Moreover, the
individuals choose their actions with an equilibrium between a perception-reaction model and a
random model. They then react and move according to this perception-reaction model while
perceiving and affecting the properties of the local environment.
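The two pheromone levels from "Levels of SI" and the stigmergy mechanism described just above, as an added worked example that is not part of the original text: forward ants only read pheromone from the shared environment, backward ants only write it back, and no ant talks to another. Positive pheromone reinforces shorter routes (the entry signal); negative pheromone accumulates on routes where a hazard was met until the route is closed (the no-entry signal). To keep the result reproducible the model is mean-field, splitting a unit of ant traffic across routes by desirability instead of drawing individual ants; the route lengths, EVAPORATION and NO_ENTRY values are assumed.

```python
"""Stigmergy over a set of candidate routes: the environment is the only
memory, forward ants read it, backward ants write it.  Deterministic
mean-field model; all constants and route lengths are assumed values."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

EVAPORATION = 0.1   # fraction of positive pheromone lost per tick (assumed)
NO_ENTRY = 1.0      # negative pheromone at which a route is closed (assumed)


@dataclass
class Environment:
    """Shared medium serving as the swarm's external memory."""
    lengths: Dict[str, float]
    positive: Dict[str, float] = field(default_factory=dict)
    negative: Dict[str, float] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for r in self.lengths:
            self.positive.setdefault(r, 1.0)   # small uniform prior
            self.negative.setdefault(r, 0.0)

    def open_routes(self):
        """Routes not carrying a no-entry signal."""
        return [r for r in self.lengths if self.negative[r] < NO_ENTRY]


def forward_split(env: Environment) -> Dict[str, float]:
    """Forward ants: read the environment and split one unit of traffic
    across open routes in proportion to pheromone / length.  Closed routes
    receive nothing, so the no-entry signal is honoured without any ant
    telling another about the hazard."""
    weights = {r: env.positive[r] / env.lengths[r] for r in env.open_routes()}
    total = sum(weights.values())
    split = {r: 0.0 for r in env.lengths}
    if total > 0:
        for r, w in weights.items():
            split[r] = w / total
    return split


def backward_deposit(env: Environment, split: Dict[str, float],
                     hazards: Iterable[str] = ()) -> None:
    """Backward ants: write back to the environment.  Traffic that completed
    route r deposits 1/length(r) of positive pheromone, so shorter routes
    gain more per ant; traffic that met a hazard on r deposits negative
    pheromone instead of warning anyone directly."""
    hazards = set(hazards)
    for r in env.lengths:
        env.positive[r] *= 1.0 - EVAPORATION
        env.positive[r] += split[r] / env.lengths[r]
        if r in hazards:
            env.negative[r] += split[r]


def tick(env: Environment, hazards: Iterable[str] = ()) -> Dict[str, float]:
    split = forward_split(env)
    backward_deposit(env, split, hazards)
    return split


def best_route(env: Environment) -> Optional[str]:
    """Route the swarm currently prefers (None if every route is closed)."""
    open_r = env.open_routes()
    return max(open_r, key=lambda r: env.positive[r]) if open_r else None


def demo():
    """Constructed scenario: three routes; the short one is reinforced, then
    a hazard appears on it and the swarm re-routes via the environment."""
    env = Environment({"short": 2.0, "mid": 4.0, "long": 8.0})
    for _ in range(50):
        tick(env)
    before = best_route(env)
    for _ in range(20):
        tick(env, hazards={"short"})
    return before, best_route(env), forward_split(env)


if __name__ == "__main__":
    print(demo())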

[h]Languages used for SI

Proto-swarm, Swarm, Star-Logo, and Growing Point are some programming languages for swarm
intelligence. The Proto-swarm language uses the amorphous-medium abstraction to program the
swarm. This abstraction is obtained by utilizing a language based on the continuous space-time model
of Proto and a runtime library that approximates the model on the provided hardware. Another
language for swarm intelligence is a distributed programming language called Swarm. Its basic
concept is to move the computation rather than the data. Swarm is analogous to a primitive version
of the Java bytecode interpreter and is now implemented as a Scala library. Star-Logo is not only a
programming language but also a programmable modeling environment for decentralized systems. By
utilizing this programming language, different real-life scenarios such as market economies, bird
flocks, and traffic jams can be modeled. To program an amorphous computing medium, the Growing
Point language is essential. This programming language has the capacity to generate pre-specified
and complex patterns, such as the interconnection pattern of an arbitrary electrical circuit.

[h]Significance of SI

Swarm intelligence offers several significant properties; some of them are discussed here. It enables
the swarm to remain flexible while responding to external challenges and internal disturbances. It
completes tasks with robust performance even when some agents fail. It allows scalability from a few to
a million individuals in a swarm. No central authority or control lies in the flocking of individuals.
It is completely adaptable and provides only self-organized solutions. Changes propagate very rapidly
through the network. All of these properties are beneficial for clusters of individuals.

[h]Swarm control

The basis of a UAV swarm is controlling all the individual UAVs along the planned path. To solve the
reconstruction, anti-collision, search, and tracking issues in swarm formations, the development of
proper control system frameworks and controllers is required. Centralized and distributed are the two
major control platforms for automation-equipped clusters. The main advantage of the centralized
platform is achieving higher-quality outputs, but with the drawback of limited scalability, whereas the
main contribution of the decentralized platform is its enhanced scalability and lower complexity. The
network of the UAV swarm guarantees the nodes' connectivity and simplifies the application designs.
Sensor inputs, together with prior knowledge of the environment and the target, are the essentials for
the traditional models.

Various studies overcome these issues using multi-layer distributed control frameworks. The design of
the controller is crucial in the process design of the UAVs. Many studies suggest using the ANFIS
controller to reduce the learning error and improve the quality of the controller. While UAVs move
along a specific path, the target tracking performance is directly affected by the control of the
airborne gimbal system. Some studies propose the nonlinear Hammerstein block structure for modeling
gimbal systems to enhance the efficiency of the model predictive controller (MPC); this also improves
the performance of target tracking under external interference in real time. Other approaches for
formation control are the leader-follower strategy, consensus theory, the virtual structure method, the
behavior method, etc. Figure represents the concept of a distributed guidance model using a
leader-follower controller as given in. The leader guidance algorithm is given in the first column of
this figure, whereas the other two columns represent the followers. The preassigned topology in this
model cannot be altered.
Figure. Distributed guidance model using leader-follower controller.

[h]Swarm path planning

The path planning of a UAV swarm is quite challenging. To solve this NP-hard problem, many studies
suggest path-planning algorithms. These algorithms are categorized into classic algorithms and meta-
heuristic algorithms, as shown in Figure. Classic algorithms require environmental information, while
meta-heuristic algorithms require information on the real-time position and the measured environmental
elements. The road map algorithm (RMA), the A* algorithm, and the artificial potential field (APF)
method are some examples of classic algorithms, as presented in Figure. Particle swarm optimization
(PSO), the pigeon-inspired optimization algorithm (PIO), the fruit fly optimization algorithm (FOA),
and the grey wolf optimization algorithm (GWO) are some examples of meta-heuristic algorithms, as given
in Figure.
Figure. Path planning algorithms for UAV swarm.

Swarm path planning can be categorized into dynamic path planning, 3D path planning, area coverage
path planning, and optimal path planning. Dynamic path planning is essential for the task performance
of a UAV swarm in a complex environment. To ensure dynamic path planning, many researchers suggest
using collision probability with a Kalman filter, the artificial potential field (APF) with the
wall-follow method (WFM), trail detection, scene-understanding frameworks, and so on. All these methods
provide better direction estimation and better performance, and avoid path conflicts. 3D path planning
is complicated, but many studies apply meta-heuristic algorithms to deal with it: for example, the GWO
algorithm realizes a feasible flight trajectory, the FOA algorithm performs local optimization, and PIO
optimizes the initial path.

All these algorithms work efficiently for 3D path planning of UAV swarms under threats and
emergencies. Area coverage path planning is path planning in which the UAVs can move over all the
areas of interest points. Many studies suggest a five-state Markov chain model, improved potential game
theory, and a cyber-physical system for it. For optimal path planning, the battery capacity of the
UAVs, matching performance, and energy consumption are serious considerations. Studies suggest a
coupled and distributed planning strategy, a mobile crowd perception system (MCS), and energy-efficient
data collection frameworks for optimal path planning.

[h]Swarm architecture

For swarm implementations, the architecture of UAVs is of much importance. Architecture is a
combination of design, management, and optimization techniques. Swarm architecture can be based on
communication, mission doctrine, control, etc. Communication-based swarm architecture has two forms:
ad-hoc network-based architecture and infrastructure-based swarm architecture. Both are promising
architectures and perform well in complex environments.

Considering the operational mission when designing a swarm architecture is also important; studies
consider it imprudent not to take the mission doctrine into account. Current approaches include
bottom-up modeling approaches and top-down design approaches for designing swarm systems. Similarly,
control-based architectures are also beneficial for the swarm. Figure gives a mission-based
architecture for swarm composability (MASC) as presented in. This framework focuses on the phases,
tactics, plays, and algorithms. According to this figure, the mission describes the entire task, the
phases evaluate specific periods, the tactics are the use of individuals in a particular order for task
performance, the plays describe the swarm behavior, and the algorithms are the procedures. Moreover,
linking distributed behavior control methods with centralized coordination can work efficiently for
swarm aerial missions. The aerospace architecture can perform the thinking task, execution task,
reaction task, and socialization task efficiently. Moreover, the Internet of Things (IoT) supports
swarm architectures and facilitates interactions as well.
Figure. MASC framework.

[h]Swarm monitoring and tracking

Another prime challenge for a swarm is monitoring and tracking. All the UAVs' positions, their status,
and the external environment change over time during a swarm's operation, and the swarm must adapt to
these changes and adjust its behavior accordingly. For this, continuous monitoring and tracking are
essential. Many researchers propose different control models, simulation models, and simulation tools
for solving the monitoring and tracking challenge. The Dynamic Data-Driven Application System (DDDAS)
is one solution; it assists in adapting to the environment and the mission.

Target searching requires consideration of effective methods and control strategies. If the target
knows the mobility and position of the searcher, then the search complexity increases. The distributed
strategy also provides solutions to the Automatic Target Recognition (ATR) issue. Many researchers
suggest layered detection solutions, learning-edge software, and optimal technology for tracking UAVs
in a swarm. Figure represents the spatial distribution using an improved bean optimization algorithm
(BOA) that is based on the population evolution model as developed in. In this figure, the swarm space
is divided into three layers: a temporary dispatch layer, an individual layer, and a parent layer. BOA
shows effective target search capabilities, emerging group intelligence, and distributed collaborative
interaction. The individuals' distribution using BOA can be given as,
Figure. Spatial distribution of individual UAVs.

Here, Xij(t+1) denotes the position of individual j generated by parent i, Xi(t) denotes parent i, and
G(Xi(t)) gives the distribution function.

[h]Swarm communication

Communication is one of the prime challenges for UAV swarms. In a noisy and complex environment, a
swarm requires accurate and efficient data communication to execute its tasks. Data communication
depends upon an appropriately structured network. Figure shows that wireless ad-hoc networks are
capable of providing efficient communications as presented in. In this figure, a base station is
connected with two UAVs, and each of these UAVs is further connected to a different group of UAVs. The
connections within each group of UAVs are independent, but the connection between groups depends on
the base station. Three forms of such networks are the Flying Ad-hoc Network (FANET), the Mobile Ad-hoc
Network (MANET), and the Vehicular Ad-hoc Network (VANET). A FANET provides a network for communication
between a few UAVs and the ground control station (GCS), while the rest of the UAVs communicate with
each other. A FANET extends the range of communication as well as the connectivity in areas with
limited cellular infrastructure and obstacles. MANET and VANET are interlinked with FANET; therefore, a
FANET possesses features similar to both of the other forms except for a few, such as mobility, better
connectivity, and energy constraints. A MANET does not require any support from the internet
infrastructure and is formed with the required number of mobile devices, whereas a VANET consists of
terrestrial vehicles.

Figure. Ad-hoc network for multi-group UAV.

For quick deployment, the UAVs in a swarm act as aerial base stations to support the communication
infrastructure. This wireless networking has been implemented successfully between UAVs and the
Internet of Things (UAV-IoT), UAVs and cellular offloading (UAV-CO), UAVs and emergency communications
(UAV-EC), and others. These improve transmission efficiency and reduce response delays. Moreover,
efficient communication can also solve other challenges such as cooperation, control, and path
planning. Hence, effective communication is the foundation of a UAV swarm.

[h]Swarm safe distance protocol

In UAV swarm collaboration, self-organization behavior becomes essential for each UAV. Data transfer
and communication take place among all the UAVs for appropriate decision-making during self-organizing
swarm flights, but there is a risk of collision among UAVs in complex flight conditions. Hence, one of
the key challenges is to provide a collision avoidance protocol for safe flights. Such protocols are
necessary because of the continuous mobility of UAVs, their limited resources, and the instability of
air links. All the UAV members of a swarm must know each other's positions, using a multi-hop
connection. Most of these protocols require a global positioning system (GPS); in the absence of GPS,
the location of a UAV can be estimated using the Euclidean distance formula with three nodes of known
positions. Several studies provide safe flight protocols using goose swarm algorithms, the Reynolds
rules, and the pigeon flock algorithm. Beyond these, many optimization algorithms can promote UAV swarm
consensus. The Reynolds protocol uses three flocking behavioral rules. The first is the separation
rule, in which a UAV attempts to move away from neighboring UAVs in the swarm. The second is the
alignment rule, in which a UAV attempts to align its velocity with that of the neighboring UAVs to
avoid collisions. The third is the cohesion rule, following which the UAV tries to share the same
position by coming closer to the neighboring UAVs to form clusters. A self-organized flight model using
the Reynolds rules is given using the idea of. All these rules are summarized in the following
equation,

Here N is the number of UAVs in the swarm, sij is the position of the two UAVs i and j at time t with
j ∈ Ni(t), and V represents an attractive–repulsive potential function with a local minimum. These
rules provide a proper safe flight protocol for the UAV swarm but still have limitations, which should
be addressed to achieve safer trajectory planning.
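As an added illustration, not code from the book or from the studies it cites, the three Reynolds rules and the safe-distance check they are meant to serve can be written out for a small 2D swarm as follows; the rule weights, the sensing radius, the speed cap and the four-UAV sample swarm are constructed assumptions.

```python
"""Reynolds flocking (separation, alignment, cohesion) for a 2D UAV swarm,
with a safe-distance check.  Added illustration, not code from the book;
the weights, sensing radius, speed cap and sample swarm are constructed."""
import math
from dataclasses import dataclass


@dataclass
class UAV:
    pos: tuple  # (x, y) position, metres
    vel: tuple  # (vx, vy) velocity, m/s


def neighbours(swarm, i, radius):
    """Neighbour set N_i(t): indices of UAVs within `radius` of UAV i."""
    return [j for j, u in enumerate(swarm)
            if j != i and math.dist(swarm[i].pos, u.pos) <= radius]


def clip(v, v_max):
    """Limit a 2D vector to magnitude v_max (the UAV's speed cap)."""
    mag = math.hypot(v[0], v[1])
    if mag <= v_max:
        return (v[0], v[1])
    return (v[0] * v_max / mag, v[1] * v_max / mag)


def reynolds_step(swarm, radius, safe_dist, dt=1.0, v_max=2.0,
                  w_sep=1.5, w_ali=0.5, w_coh=0.3):
    """One synchronous update: each UAV computes its steering from the
    current state of its neighbours, then all UAVs move together."""
    updated = []
    for i, me in enumerate(swarm):
        nbrs = neighbours(swarm, i, radius)
        sep = [0.0, 0.0]
        ali = [0.0, 0.0]
        coh = [0.0, 0.0]
        for j in nbrs:
            dx = me.pos[0] - swarm[j].pos[0]
            dy = me.pos[1] - swarm[j].pos[1]
            d = math.hypot(dx, dy)
            # Separation: repel from every neighbour inside the safe
            # distance, more strongly the closer it is.
            if 0.0 < d < safe_dist:
                sep[0] += dx / d * (safe_dist - d)
                sep[1] += dy / d * (safe_dist - d)
        if nbrs:
            n = len(nbrs)
            # Alignment: steer towards the neighbours' mean velocity.
            ali[0] = sum(swarm[j].vel[0] for j in nbrs) / n - me.vel[0]
            ali[1] = sum(swarm[j].vel[1] for j in nbrs) / n - me.vel[1]
            # Cohesion: steer towards the neighbours' centroid.
            coh[0] = sum(swarm[j].pos[0] for j in nbrs) / n - me.pos[0]
            coh[1] = sum(swarm[j].pos[1] for j in nbrs) / n - me.pos[1]
        ax = w_sep * sep[0] + w_ali * ali[0] + w_coh * coh[0]
        ay = w_sep * sep[1] + w_ali * ali[1] + w_coh * coh[1]
        vel = clip((me.vel[0] + ax * dt, me.vel[1] + ay * dt), v_max)
        pos = (me.pos[0] + vel[0] * dt, me.pos[1] + vel[1] * dt)
        updated.append(UAV(pos, vel))
    return updated


def safe_distance_violations(swarm, safe_dist):
    """Pairs (i, j) closer than safe_dist: the collision-risk check a
    swarm would run on every update."""
    return [(i, j) for i in range(len(swarm)) for j in range(i + 1, len(swarm))
            if math.dist(swarm[i].pos, swarm[j].pos) < safe_dist]


def min_pairwise_distance(swarm):
    """Smallest distance between any two UAVs in the swarm."""
    return min(math.dist(a.pos, b.pos)
               for i, a in enumerate(swarm) for b in swarm[i + 1:])


def sample_swarm():
    """Constructed four-UAV scenario: UAVs 0 and 1 start only 1 m apart,
    inside a 3 m safe distance, so the separation rule must act first."""
    return [UAV((0.0, 0.0), (0.0, 0.0)), UAV((1.0, 0.0), (0.0, 0.0)),
            UAV((6.0, 4.0), (0.5, 0.0)), UAV((7.0, -3.0), (0.0, 0.5))]


def simulate(swarm, steps, radius=20.0, safe_dist=3.0):
    """Run `steps` updates; return the final swarm and the number of
    pairs still inside the safe distance."""
    for _ in range(steps):
        swarm = reynolds_step(swarm, radius, safe_dist)
    return swarm, len(safe_distance_violations(swarm, safe_dist))


if __name__ == "__main__":
    swarm = sample_swarm()
    print("violations before:", safe_distance_violations(swarm, 3.0))
    final, bad = simulate(swarm, steps=10)
    print("violations after 10 steps:", bad,
          "min distance:", round(min_pairwise_distance(final), 2))
```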

Successful motion planning of UAV swarms requires significant optimization algorithms with relevant
infrastructures or models. Table provides a comprehensive overview of the techniques and models applied
to the motion planning of a swarm of UAVs. This review provides a detailed and better understanding of
appropriate techniques for the challenges faced by UAV flocks in previous and current studies.

Columns: Ref. (Year); Applied Technique/Model; Challenges Addressed; Contributions; Limitation

Kim et al. (2010)
  Applied technique/model: Kalman filter with CI and smoothing; Boyer-Moore algorithm; HMM integrations
  Challenges addressed: Monitoring and tracking
  Contributions:  Enhances the tracking accuracy  Reduces the tracking error by 50%
  Limitation:  Shows weaving behavior  Requires decision-making

Oh et al. (2015)
  Applied technique/model: Vector field guidance approach; Two-phase approach; K-means clustering with FIM and cooperative standoff tracking method
  Challenges addressed: Target tracking
  Contributions:  Gives standoff group tracking successfully  Allows local replanning and keeps all the targets of interest within the sensor's FOV
  Limitation:  Has many implementation issues  Shows imperfect communication effects and measurement data association effects

Sampedro et al. (2016)
  Applied technique/model: GMP; AMP
  Challenges addressed: Architecture, target detection, and exploration
  Contributions:  Gives a complete operative, robust, scalable, and flexible framework  Performs automatically many high-level missions
  Limitation:  Does not focus on various behavior functionalities  Does not include time-based or autonomy-based optimization approaches

Yang et al. (2017)
  Applied technique/model: SI
  Challenges addressed: Management and task assignments
  Contributions:  Explains features and principles of many SI algorithms  Analyzes SI combinations and task assignments for multiple UAVs
  Limitation:  Does not consider parameter optimization and swarm robot application  Does not focus on algorithms for computational cost and convergence speed

Hocraffer and Nam (2017)
  Applied technique/model: Human-system interface
  Challenges addressed: Human-system interfaces
  Contributions:  Focuses on the human-system interface and human factors concerns  Provides a basis to start research and gives efficient results  Enhances SA
  Limitation:  More effective interfaces are required  Requires more research

Lee and Kim (2017)
  Applied technique/model: Multirotor dynamic models; Linear and non-linear controllers
  Challenges addressed: Trajectory tracking control
  Contributions:  Linear controllers are easily applicable, robust, and provide optimality  Some non-linear controllers are easily applicable, intuitive, and give global stability
  Limitation:  Linear controllers require more modification, and some have limited applications  Some non-linear controllers do not work if noise or model error exists and lack robustness

Yang et al. (2017)
  Applied technique/model: MCPSO-K
  Challenges addressed: Cooperation, searching, and path planning
  Contributions:  Converges faster and avoids premature convergence  Lessens the computational costs  Ensures the uniform distribution of particles
  Limitation:  Requires adjustment of information interaction at the swarm level

Guastella et al. (2018)
  Applied technique/model: Modified A* algorithm
  Challenges addressed: Path planning
  Contributions:  Reduces the computational time  Improves path trajectories  Improves targets' automatic redistribution
  Limitation:  No visible path for the two UAVs

Duan et al. (2018)
  Applied technique/model: MA with VND
  Challenges addressed: Path planning
  Contributions:  Optimizes the path routing  Gives highly effective results  Solves CVRP, even NP-hard problems, efficiently
  Limitation:  Does not consider delivery and pickup issues simultaneously

Koohifar et al. (2018)
  Applied technique/model: EKF; Recursive Bayesian estimator; CRLB
  Challenges addressed: Localization and path planning
  Contributions:  Plans the future tracking trajectory  Enhances the performance  CRLB and the Bayesian estimator outperform
  Limitation:  Shows higher computational costs  Non-convex optimization can be more significant

Shao et al. (2018)
  Applied technique/model: RISE-ESO controller; Residual estimation error
  Challenges addressed: Trajectory tracking control
  Contributions:  Tackles the lumped disturbance issues  Achieves tracking accuracy, effectiveness, and superiority
  Limitation:  Does not include real-time flight experiment

Campion et al. (2018)
  Applied technique/model: Cellular mobile infrastructure; Machine learning; Distributed control algorithms; M2M and 5G networks
  Challenges addressed: Communication and control architecture
  Contributions:  Alleviates limiting factors for previous studies  Enhances efficiency of the swarm and commercial usage
  Limitation:  Does not apply practically on a commercial level

Shao et al. (2018)
  Applied technique/model: ESO-based robust controllers; DSC design; DOB control techniques
  Challenges addressed: Trajectory tracking control
  Contributions:  Shows effective and superior results in tracking  Shows increased anti-disturbance capability
  Limitation:  Requires further modifications for output feedback-based controllers

Mammarella et al. (2018)
  Applied technique/model: SMPC; Guidance algorithm
  Challenges addressed: Trajectory tracking control
  Contributions:  Deals efficiently with noise and parametric uncertainty  Guarantees real-time tracking  Ensures performance with good stability
  Limitation:  May require an onboard fellow computer

Huang and Fie (2018)
  Applied technique/model: GBPSO
  Challenges addressed: Path planning
  Contributions:  Improves the ability to search and avoids the local minimum  Provides the feasible optimal path with superior quality and speed
  Limitation:  Requires further improvements in terms of accuracy and searching efficiency

Ghazzai et al. (2018)
  Applied technique/model: mm-Wave and μ-Wave communication modules; Hierarchical iterative approach
  Challenges addressed: Bandwidth hungry and delay-tolerant applications; Path planning and communication
  Contributions:  Increases the stopping locations  Minimizes the service time
  Limitation:  Does not consider non-orthogonal transmission while applying μ-wave  Requires limiting the interference effect during extra coordination

Liu et al. (2018)
  Applied technique/model: Distributed formation control algorithm; MPC; Disturbance estimation method
  Challenges addressed: Control
  Contributions:  Convenient for the formations of arbitrary, time-varying prescribed shapes  Achieves a balanced configuration on a prescribed 2D or 3D shape
  Limitation:  Requires algorithm extension for 3D situations having different obstacles  Needs human operator directions

Xuan-Mung et al. (2019)
  Applied technique/model: RAS-BSC; Lyapunov theory
  Challenges addressed: Trajectory tracking control
  Contributions:  Provides the stability of the closed-loop system  Bounds the tracking errors and ESO errors  Rapid and robust in the uncertainties  Gives superior performance
  Limitation:  Designing of landing for quadrotor in moving platform  Not applicable in multi-agent systems  Slow response time

Fabra et al. (2019)
  Applied technique/model: MUSCOP
  Challenges addressed: Coordination and synchronization
  Contributions:  Achieves swarm cohesion with a high degree under multiple conditions  Allows least synchronization delays with low position offset errors
  Limitation:  Does not validate the proposed protocol with different formations

Causa et al. (2019)
  Applied technique/model: Multi-GNSS constellation approach; Edge cost estimation
  Challenges addressed: Path planning
  Contributions:  Decreases the computation time and entire mission time  Provides a rapid solution to the task assignment issue and planning for offline and near real-time scenarios
  Limitation:  Has high computational cost

Brown and Anderson (2019)
  Applied technique/model: Quintic polynomials trajectory generation method; OMOPSO; Area search model
  Challenges addressed: Trajectory optimization and surveillance
  Contributions:  Gives maximum number of better trajectories  Reduces the time to revisit and fuel consumption and enhances the radar detection probability
  Limitation:  Requires excessive fuel to fly at higher altitudes

Mehiar et al. (2019)
  Applied technique/model: QRDPSO
  Challenges addressed: Searching and obstacle avoidance
  Contributions:  Provides a more stable, efficient, and quick optimal solution  Avoids obstacles and overcomes the communication constraints  Reaches the global best for search and rescue operations
  Limitation:  Requires more energy conservation and enhanced lifetime

Wang et al. (2020)
  Applied technique/model: Leader-following model; Routh–Hurwitz criterion; Consensus protocol; MPC
  Challenges addressed: Control and stability
  Contributions:  Predicts the changes in the leader's state  Lessens the consensus achievement time  Keeps the formation shape
  Limitation:  Not extended to nonlinear systems  Does not consider disturbance issue

Altan (2020)
  Applied technique/model: PSO; HHO
  Challenges addressed: Control and path following
  Contributions:  Performs the best for multiple geometric paths  Quickly determines the controller parameters  HHO outperforms and overcomes the stabilization issues  HHO gives the least settling and peak time and overshoot
  Limitation:  Does not focus on model-based controller design

Wang et al. (2020)
  Applied technique/model: NRI model; Mapping table
  Challenges addressed: Trajectory prediction
  Contributions:  Improves the position detection performance  Projects the motion in 3D space into a 2D plane  The designed algorithm predicts the trajectory and gives high accuracy
  Limitation:  Does not consider the height information  Does not include trajectory prediction in 3D space

Rubí et al. (2020)
  Applied technique/model: BS and FL algorithms; NLGL; CC algorithms
  Challenges addressed: Path following
  Contributions:  BS outperforms for yaw error and path distance  CC needs fewer data and proves to be easily applicable for any path type
  Limitation:  Does not consider experimental control platform features

Selma et al. (2020)
  Applied technique/model: ANFIS-PSO
  Challenges addressed: Trajectory tracking control
  Contributions:  Adjusts automatically the ANFIS parameters  Minimizes tracking error by improving the controller quality  Gives high performance
  Limitation:  Limitations of classical control laws are solved in the absence of model parameters not found

Liu et al. (2020)
  Applied technique/model: Kinetic controller; The BAT-based topology control algorithm; FANET
  Challenges addressed: Control and communication
  Contributions:  Can perform a neighbor selection  Reduces the communication overhead significantly
  Limitation:  Does not consider delay, interference, and other communication constraints

Madridano et al. (2020)
  Applied technique/model: 3D PRM algorithm; ROS architecture; MavLink protocol; Pixhawk autopilot; Hungarian method
  Challenges addressed: Control and communication
  Contributions:  Generates optimal solutions using minimum time  Lessens the computational time  Reduces the total traveling distance
  Limitation:  Requires producing a node and developing an MRTA algorithm for allocation efficiently  Does not mount onboard sensors for dynamic obstacles detection

Zhou et al. (2020)
  Applied technique/model: Hierarchical control framework; SI
  Challenges addressed: Decision-making, path planning, control, communication, and application
  Contributions:  Categorizes the major technologies with trends, future research, and limitations
  Limitation:  Requires expensive loads for high performance  Needs to improve safety relation

Wubben et al. (2020)
  Applied technique/model: MUSCOP protocol; Ardu-Sim
  Challenges addressed: Resilience and synchronization
  Contributions:  Handles the loss of a leader and backup leaders efficiently  Introduces an ignorable flight times delay
  Limitation:  Does not address swarm split-up situation

Selma et al. (2020)
  Applied technique/model: Hybrid ANFIS-IACO controller
  Challenges addressed: Trajectory tracking control
  Contributions:  Proves the superior performance  Reduces the errors, MSE and RSE significantly  Allows the UAVs to reach the desired trajectory in a minimum period
  Limitation:  Applicable to only a 2D vertical plane

Altan and Hacıoğlu (2020)
  Applied technique/model: Newton–Euler method-based 3-axis gimbal system; Hammerstein model; MPC
  Challenges addressed: Control and target tracking
  Contributions:  Tracks the target with stability  Shows robustness even under external disturbances
  Limitation:  Does not track an aerial target

Sanalitro et al. (2020)
  Applied technique/model: Fly-Crane system; Optimization-based tuning method; Inner or outer loop approach
  Challenges addressed: Control
  Contributions:  Deals with parametric uncertainties  Performs rotating and translating of particular trajectories  Guarantees stability and enhances the performance of H∞
  Limitation:  Needs to keep the motion low  Requires relaxation in the structure

Chen and Rho (2020)
  Applied technique/model: SI; SOMs
  Challenges addressed: Tactical deployment and communication
  Contributions:  Enables self-organization for UAV arrays  Allows reconfiguration of the UAVs into hubs or terminals  Shares information efficiently
  Limitation:  Requires big-data cloud centers to handle huge data

Qing et al. (2021)
  Applied technique/model: IACO; Minimum-snap algorithm; ZCBF
  Challenges addressed: Collision avoidance
  Contributions:  Gives optimal results for decision-making in real-time  Evaluates collision-free effectiveness
  Limitation:  Does not perform in the real flight

Miao et al. (2021)
  Applied technique/model: A multi-hop mobile relay system; MSEE maximization transmission scheme; BCD; SCA; Dinkelbach method
  Challenges addressed: Secrecy and energy efficiency, and communication
  Contributions:  Guarantees the convergence  Provides major improvements in energy efficiency and secrecy rate
  Limitation:  Does not include channel models, real-time communications, and unknown nodes' locations

Shao et al. (2021)
  Applied technique/model: Multi-segment strategy; IPSO-GPM
  Challenges addressed: Trajectory planning and obstacle avoidance
  Contributions:  Increases obtained solution optimality  Generates high-quality trajectories  Takes minimum running time
  Limitation:  Does not select collocation points  Does not generate trajectory with dynamic obstacles

Gu et al. (2021)
  Applied technique/model: NIT
  Challenges addressed: Identification
  Contributions:  Gives a quick response, accuracy  Proves to be effective, fault-tolerant, and stable in complex environments
  Limitation:  Sensitive to nuance  Only suitable for high-dimensional trajectories

Ling et al. (2021)
  Applied technique/model: Out-of-the-box trajectory plotting; Multi-round Monte Carlo simulation
  Challenges addressed: Communication, estimation, perception fusion, and path planning
  Contributions:  Works in noise and unstable communication  Proves to be useful for cooperative swarm application
  Limitation:  Does not consider additional mode functionalities and reinforcement learning-based cooperative planning algorithm

Yao et al. (2021)
  Applied technique/model: Swarm intelligence-based automatic inspection optimization algorithm
  Challenges addressed: Inspection and communication
  Contributions:  Controls the UAVs effectively  Improves the autonomy and inspection efficiency  Minimizes the cost of inspection
  Limitation:  Does not avoid path repetition

Xia et al. (2021)
  Applied technique/model: MARL-MUSAC
  Challenges addressed: Monitoring and target tracking
  Contributions:  Allows making intelligent flight decisions  Reduces the power consumption  Enhances the tracking success rates  Gives high performances for detection coverage
  Limitation:  Not valid for different formations

Nnamani et al. (2021)
  Applied technique/model: Grid-structured approach
  Challenges addressed: Communication
  Contributions:  Improves the secrecy rate of ground communications  Improves physical layer security  Evaluates the optimal radius of the eavesdropper's unknown location
  Limitation:  No real-time communications

Xu et al. (2021)
  Applied technique/model: Communication-aware centralized and decentralized controllers
  Challenges addressed: Trajectory tracking control and communication
  Contributions:  Achieves high waypoint tracking accuracy  Decentralized controller outperforms  Maintains the stability
  Limitation:  Does not suppress cochannel noise  Does not ignore multipath effects

Sharma et al. (2021)
  Applied technique/model: SI
  Challenges addressed: Environmental knowledge, communication, obstacle avoidance, and target tracking
  Contributions:  PSO has a low computational complexity  ACO possesses good scalability  Firefly utilizes a single operator for solution searching
  Limitation:  Needs to explore an improved, hybrid optimization algorithm with no limitations

Han et al. (2021)
  Applied technique/model: Backscatter communication system; MIMO; CLT-based approach
  Challenges addressed: Communication
  Contributions:  Performs well to detect parasite devices and separate parasite signals  Reduces the energy consumption  Optimizes the trajectory planning
  Limitation:  Requires a large number of antennas to reduce the channel distribution error

Zhou et al. (2021)
  Applied technique/model: MTT system; Cooperative tracking algorithm; Multi-objective Lyapunov optimization model
  Challenges addressed: Target tracking and collision avoidance
  Contributions:  Reduces the execution complexity and energy consumption  Improves the prediction accuracy of trajectory
  Limitation:  Reduces the consumption of energy of the system only if the episodes increase

Brown and Raj (2021)
  Applied technique/model: Reactive tracking; Reactive tracking with predictive pre-positioning
  Challenges addressed: Formation, tracking, and surveillance's communication
  Contributions:  Shows superior tracking performance
  Limitation:  Requires offsetting the angular orientation of adjacent rings for the voids' size-reduction

Sastre et al. (2022)
  Applied technique/model: Improved CSTH; CED_CSTH; ArduSim simulator; VTOL with KMA
  Challenges addressed: Take-off and collision avoidance
  Contributions:  Allows the computation time optimization  Ensures safe distancing  Improves the take-off time  KMA proves to be the most reasonable choice for realistic conditions
  Limitation:  Requires more reduction in time required for take-off and the number of resulting UAV batches

Bansal et al. (2022)
  Applied technique/model: SHOTS; PUFs; Mao Boyd's logic approach; Christofides algorithm
  Challenges addressed: Communication, physical security, and scalability
  Contributions:  Achieves scalability  Guarantees physical security  Resists against various attacks  Outperforms and reduces computational costs
  Limitation:  Requires further reduction in the attestation and computation time

Table. A comprehensive review of the motion planning of the swarm of UAVs applying various
techniques and models.

Kim et al. considered the Kalman filter with the Covariance Intersection (CI) algorithm and smoothing,
and string-matching methodologies, to observe airborne monitoring using a swarm of UAVs. The
researchers employed the hidden Markov model (HMM) for path planning and achieved an increase in the
tracking accuracy and a reduction in the tracking error. Oh et al. suggested a vector field guidance
approach to track moving objects. The study further introduced a two-phase approach, K-means
clustering with the Fisher information matrix (FIM) and a cooperative standoff tracking method, for
this purpose. The results showed successful standoff group tracking, allowed local replanning, and kept
all the targets of interest within the sensor's field-of-view (FOV). Sampedro et al. presented a Global
Mission Planner (GMP) and an Agent Mission Planner (AMP) for a UAV swarm. Their proposal gave a
complete operative, robust, scalable, and flexible framework that automatically performed many
high-level missions.

Yang et al. analyzed eleven swarm intelligence (SI) algorithms for UAV swarms. This research explained
the features and principles of these algorithms and analyzed different algorithm combinations and task
assignments for multiple UAVs. Hocraffer and Nam performed a meta-analysis of the human-system
interface concerning human factors. The analysis provided a basis to start research, enhanced situation
awareness (SA), and yielded efficient results. Lee and Kim studied multirotor dynamic models with
linear and nonlinear controllers for trajectory tracking control of multi-UAVs. The study showed that
linear controllers were easily applicable, robust, and provided optimality, and that some nonlinear
controllers were also easily applicable, intuitive, and gave global stability. Yang et al. linked an
orthogonal multi-swarm cooperative particle swarm optimization algorithm with a knowledge base model
(MCPSO-K). This technique converged faster, avoided premature convergence, lessened the computational
costs, and ensured the uniform distribution of particles.

Guastella et al. considered the operating space as a three-dimensional (3D) grid and applied the
modified A* algorithm for path planning of multi-UAVs. The researchers found a reduction in
computational time, an improvement in the planned trajectories, and automatic redistribution of
targets. Duan et al. gave a novel hybrid metaheuristic approach by linking the memetic algorithm (MA)
with the variable neighborhood descent (VND) algorithm for path planning of multiple UAVs. The results
yielded optimized routes, gave highly effective results, and solved the capacitated vehicle routing
problem (CVRP) and even non-deterministic polynomial-time hard (NP-hard) problems efficiently.
Koohifar et al. applied the extended Kalman filter (EKF) with a recursive Bayesian estimator and
Cramér-Rao lower bound (CRLB) path planning for UAV swarms. The analysis showed that the proposed
method planned the future tracking trajectory successfully. Moreover, CRLB outperformed and enhanced
the performance as well.

Shao et al. combined a robust integral of the sign of the error (RISE) feedback controller with an
extended state observer (ESO) and used residual estimation error. This strategy tackled the lumped
disturbance issues and achieved tracking accuracy, effectiveness, and superiority. Campion et al.
studied cellular mobile infrastructure, machine learning and distributed control algorithms, machine-to-
machine (M2M) communication, and 5th generation (5G) networks for UAV swarm. This study
showed that the applied techniques alleviated limiting factors for previous studies and enhanced the
efficiency of the swarm and commercial usage. Shao et al. proposed extended state observer (ESO)-
based robust controllers with dynamic surface control (DSC) design and disturbance observer-based
(DOB) control techniques. This proposal showed effective and superior results in tracking with
increased anti-disturbance capability. Mammarella et al. applied sample-based stochastic model
predictive control (SMPC) and guidance algorithm for tracking control of UAV swarm. The applied
algorithms dealt efficiently with noise and parametric uncertainty and guaranteed real-time tracking
and performance with good stability.

Huang and Fie introduced the global best path with a competitive approach to particle swarm
optimization (GBPSO). This strategy improved the search ability, avoided local minima, and provided a
feasible optimal path with superior quality and speed. Ghazzai et al. considered bandwidth-hungry and
delay-tolerant applications and exploited the typical microwave (μ-Wave) and high-rate millimeter
wave (mm-Wave) bands for trajectory optimization; the research also implemented a hierarchical
iterative approach. The dual-band operation increased the number of stopping locations and
minimized the service time of multi-UAVs. Liu et al. implemented a distributed formation control
algorithm with a fast model predictive control method and a disturbance estimation method. This
strategy was convenient for formations of arbitrary, time-varying prescribed shapes and achieved a
balanced configuration on a prescribed two-dimensional (2D) or 3D shape.
Xuan-Mung et al. used a robust saturated tracking backstepping controller (RAS-BSC) and Lyapunov
theory. The researchers found that the proposed mechanisms guaranteed the stability of the closed-loop
system and bounded the tracking errors and extended state observer (ESO) errors. Moreover, the
controller was rapid and robust under uncertainties and gave superior performance. Fabra et al.
suggested a Mission-based UAV Swarm Coordination Protocol (MUSCOP) for a swarm of UAVs. This study
achieved a high degree of swarm cohesion under multiple conditions with minimal synchronization
delays and low position offset errors. Causa et al. employed a multi-global navigation satellite system
(multi-GNSS) constellation approach and an edge cost estimation method for path planning of multiple
UAVs. These approaches decreased the computation time and the overall mission time, providing a rapid
solution to the task assignment issue and planning for both offline and near-real-time scenarios.

Brown and Anderson applied the quintic polynomial trajectory generation method, multi-objective
particle swarm optimization (OMOPSO), and an area search radar model to optimize the trajectories of a
UAV swarm. This combination gave the maximum number of better trajectories, reduced revisit time
and fuel consumption, and enhanced the detection probability. Mehiar et al. developed Quantum Robot
Darwinian particle swarm optimization (QRDPSO) for UAV flocks. This optimization algorithm provided
a more stable, efficient, and quick optimal solution, avoided obstacles, and overcame communication
constraints; moreover, it reached the global best for search and rescue operations. Wang et al.
suggested a leader-following model, the Routh–Hurwitz criterion, a consensus protocol, and a model
predictive controller for multiple UAVs. The applied approaches predicted the changes in the leader's
state, reduced the consensus achievement time, and kept the formation shape.
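
The leader-following consensus idea mentioned above (Wang et al.) can be seen in a few lines of code. The block below is an added example written for this page, not the controller of any surveyed paper: it implements a plain first-order discrete-time consensus law in which each follower moves toward the formation slot implied by the neighbours it can see, with the leader holding station. The V-formation offsets, the sensing graph, the gain and the initial positions are all constructed for the example.

```python
import math

# Constructed scenario (an assumption for this example): agent 0 is the leader
# and holds station; agents 1-3 are followers that must settle into a V
# formation behind it using only the positions of the neighbours they can see.
LEADER_POS = (0.0, 0.0)
# Desired position of each agent relative to the leader.
OFFSET = {0: (0.0, 0.0), 1: (-2.0, 2.0), 2: (-2.0, -2.0), 3: (-4.0, 4.0)}
# Undirected sensing graph: follower 3 never sees the leader directly, so it
# can only reach its slot through the information relayed by follower 1.
NEIGHBOURS = {1: [0, 2, 3], 2: [0, 1], 3: [1]}
GAIN = 0.3   # step size; the error dynamics are a contraction for this graph


def step(positions):
    """One update of the first-order leader-following consensus law.

    Each follower i moves a fraction GAIN of the way toward the slot implied by
    every neighbour j: "you should be at x_j - offset_j + offset_i".
    """
    new = dict(positions)
    for i, nbrs in NEIGHBOURS.items():
        xi, yi = positions[i]
        oix, oiy = OFFSET[i]
        dx = dy = 0.0
        for j in nbrs:
            xj, yj = positions[j]
            ojx, ojy = OFFSET[j]
            dx += (xj - ojx + oix) - xi
            dy += (yj - ojy + oiy) - yi
        new[i] = (xi + GAIN * dx, yi + GAIN * dy)
    new[0] = LEADER_POS   # the leader is not steered by the followers
    return new


def simulate(initial, steps=300):
    """Run the law for a fixed number of synchronous steps; return final positions."""
    pos = dict(initial)
    for _ in range(steps):
        pos = step(pos)
    return pos


def formation_error(positions):
    """Largest distance between any follower and its desired formation slot."""
    worst = 0.0
    for i in NEIGHBOURS:
        tx = LEADER_POS[0] + OFFSET[i][0]
        ty = LEADER_POS[1] + OFFSET[i][1]
        worst = max(worst, math.hypot(positions[i][0] - tx, positions[i][1] - ty))
    return worst


# Constructed initial positions: followers scattered well away from their slots.
INITIAL = {0: LEADER_POS, 1: (7.0, -3.0), 2: (-6.0, 5.0), 3: (4.0, 9.0)}

if __name__ == "__main__":
    final = simulate(INITIAL)
    print("initial formation error:", round(formation_error(INITIAL), 2))
    print("final formation error:", formation_error(final))
```

The formation error obeys e(k+1) = (I - GAIN * L_g) e(k), where L_g is the Laplacian of the follower graph with the leader's edges added on the diagonal; because the leader is pinned and the graph is connected, all eigenvalues of L_g are positive, and with GAIN below 1/(maximum degree) every mode decays, so the error goes to zero geometrically. From a security point of view this is also the part of a swarm that a spoofed or falsified neighbour position corrupts: every follower trusts the relayed positions, so the link carrying them needs integrity protection.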

Altan proposed the metaheuristic optimization algorithms Harris Hawks Optimization (HHO) and Particle
Swarm Optimization (PSO) for UAV swarms. The suggested methods performed best for multiple
geometric paths and quickly determined the controller parameters; HHO outperformed PSO, overcame the
stabilization issues, and gave the least settling time, peak time, and overshoot. Wang et al. developed a
Neural Relational Inference (NRI) model along with a mapping table between the UAV swarm and spring
particles. The developed method improved position detection performance; moreover, it projected the
motion in 3D space onto a 2D plane, and the designed algorithm predicted the trajectory with high
accuracy. Rubí et al. employed four path-following (PF) algorithms, namely the backstepping (BS) and
feedback linearization (FL) algorithms, the Non-Linear Guidance Law (NLGL) algorithm, and the Carrot-
Chasing (CC) geometric algorithm, for UAV swarms. In the comparison of path-following results, BS
performed best on yaw error and path distance, while the CC algorithm needed less data and proved
easily applicable to any path type. Selma et al. used a hybrid controller, an adaptive neuro-fuzzy
inference system (ANFIS), and PSO algorithms for trajectory tracking of multiple UAVs. The results
showed that the PSO algorithm automatically adjusted the ANFIS parameters, minimized tracking
error by improving controller quality, and gave high performance.
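
Particle swarm optimization appears throughout this review (MCPSO-K, GBPSO, OMOPSO, QRDPSO, the PSO/HHO comparison and the ANFIS-PSO controller above, IPSO-GPM below). The following Python block is an added example written for this page, not code from any of those papers: it implements the standard global-best PSO update and applies it to the simplest form of the path-planning problem these papers address, choosing intermediate waypoints from a start to a goal while staying outside a circular no-fly zone. The scenario (start, goal, obstacle, bounds) and the penalty-based cost are constructed for the example.

```python
import math
import random

# Constructed 2-D scenario (assumption, not from the surveyed papers).
START = (0.0, 0.0)
GOAL = (10.0, 0.0)
NO_FLY_CENTER = (5.0, 0.0)
NO_FLY_RADIUS = 1.5
N_WAYPOINTS = 2                       # free intermediate waypoints -> 2*N dims
BOUNDS = ((0.0, 10.0), (-5.0, 5.0))   # x range, y range of the operating area
SAMPLES_PER_SEGMENT = 20              # resolution of the obstacle check
PENALTY_PER_HIT = 1000.0              # makes any intrusion dominate path length


def decode(vec):
    """Turn a flat PSO position vector [x1, y1, x2, y2, ...] into the polyline."""
    pts = [START]
    for i in range(N_WAYPOINTS):
        pts.append((vec[2 * i], vec[2 * i + 1]))
    pts.append(GOAL)
    return pts


def path_length(pts):
    return sum(math.dist(a, b) for a, b in zip(pts, pts[1:]))


def obstacle_hits(pts):
    """Count sampled points along the polyline that fall inside the no-fly zone.

    The check is discrete: a segment grazing the circle between two samples
    can be missed, so SAMPLES_PER_SEGMENT must be set relative to the obstacle size.
    """
    hits = 0
    for a, b in zip(pts, pts[1:]):
        for k in range(SAMPLES_PER_SEGMENT + 1):
            t = k / SAMPLES_PER_SEGMENT
            p = (a[0] + t * (b[0] - a[0]), a[1] + t * (b[1] - a[1]))
            if math.dist(p, NO_FLY_CENTER) < NO_FLY_RADIUS:
                hits += 1
    return hits


def cost(vec):
    """Objective: path length plus a large penalty per sampled intrusion."""
    pts = decode(vec)
    return path_length(pts) + PENALTY_PER_HIT * obstacle_hits(pts)


def pso_plan(n_particles=40, iters=200, w=0.7, c1=1.5, c2=1.5, seed=1):
    """Global-best PSO: inertia w, cognitive weight c1, social weight c2.

    Returns (best_vector, best_cost). The seed makes the run reproducible.
    """
    rng = random.Random(seed)
    dims = 2 * N_WAYPOINTS
    lo = [BOUNDS[d % 2][0] for d in range(dims)]
    hi = [BOUNDS[d % 2][1] for d in range(dims)]

    pos = [[rng.uniform(lo[d], hi[d]) for d in range(dims)] for _ in range(n_particles)]
    vel = [[0.0] * dims for _ in range(n_particles)]
    pbest = [p[:] for p in pos]
    pbest_cost = [cost(p) for p in pos]
    g = min(range(n_particles), key=lambda i: pbest_cost[i])
    gbest, gbest_cost = pbest[g][:], pbest_cost[g]

    for _ in range(iters):
        for i in range(n_particles):
            for d in range(dims):
                r1, r2 = rng.random(), rng.random()
                vel[i][d] = (w * vel[i][d]
                             + c1 * r1 * (pbest[i][d] - pos[i][d])
                             + c2 * r2 * (gbest[d] - pos[i][d]))
                # Clamp so waypoints never leave the operating area.
                pos[i][d] = min(hi[d], max(lo[d], pos[i][d] + vel[i][d]))
            c = cost(pos[i])
            if c < pbest_cost[i]:
                pbest[i], pbest_cost[i] = pos[i][:], c
                if c < gbest_cost:
                    gbest, gbest_cost = pos[i][:], c
    return gbest, gbest_cost


if __name__ == "__main__":
    best, best_cost = pso_plan()
    pts = decode(best)
    print("waypoints:", [(round(x, 2), round(y, 2)) for x, y in pts])
    print("path length:", round(best_cost, 3), "no-fly hits:", obstacle_hits(pts))
```

Because the global best only ever improves and the penalty dwarfs any path length inside the operating area, a single penalty-free particle in the initial population guarantees the returned path is penalty-free; the remaining iterations then shorten the detour around the zone. The variants cited in the review change the velocity update (competition, quantum or Darwinian dynamics, multiple cooperating swarms) but keep this same evaluate-and-move loop.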

Liu et al. suggested a kinetic controller, a distributed β-angle test (BAT)-based topology control
algorithm, and a flying ad-hoc network (FANET) for UAV flocking. This mechanism could perform
neighbor selection and reduce the communication overhead significantly. Madridano et al. applied the
3D probabilistic roadmaps (PRM) algorithm, the Robot Operating System (ROS) architecture, the MAVLink
protocol, the Pixhawk autopilot, and the Hungarian method for trajectory planning in 3D. This
combination generated optimal solutions in minimum time and reduced the computational time and the
total traveling distance. Zhou et al. analyzed the hierarchical control framework with different SI
algorithms. This analysis categorized the major technologies along with trends, future research, and
limitations. Wubben et al. employed the MUSCOP protocol and an emulation tool, ArduSim, to provide
resilience to multiple UAVs. This protocol handled the loss of leaders and backup leaders efficiently
and introduced only a negligible flight time delay.
Selma et al. applied an adaptive-network-based fuzzy inference system (ANFIS) and improved ant
colony optimization (IACO) for controlling trajectory tracking tasks. This strategy proved its superior
performance, reduced the mean squared error (MSE) and root mean squared error (RMSE)
significantly, and allowed the UAVs to reach the desired trajectory in a minimum period. Altan and
Hacıoğlu used a Newton–Euler method-based 3-axis gimbal system, the Hammerstein model, and the
model predictive control (MPC) algorithm for target tracking. This mechanism tracked the target stably
and showed robustness even under external disturbances. Sanalitro et al. suggested a Fly-Crane
system with an optimization-based tuning method and an inner/outer loop approach. This system dealt
with parametric uncertainties while performing rotating and translating trajectories, guaranteed
stability, and enhanced H∞ performance. Chen and Rho introduced an SI technique with self-organizing
maps (SOMs) based on requests from end-users (EUs). This technique allowed self-organization of UAV
arrays and reconfiguration of the UAVs into hubs or terminals, and it shared information efficiently.

Qing et al. applied improved ant colony optimization (ACO), the minimum-snap algorithm, and a zeroing
control barrier function (ZCBF) for multiple swarms. The results showed that the proposed algorithms
gave optimal results for real-time decision-making and efficiently provided collision-free
trajectories. Miao et al. proposed a multi-hop mobile relay system and a minimum secrecy energy
efficiency (MSEE) maximization transmission scheme, and derived an algorithm using the block
coordinate descent (BCD) method, successive convex approximation (SCA) techniques, and the
Dinkelbach method for multiple UAVs. The results guaranteed convergence and provided major
improvements in energy efficiency and secrecy rate. Shao et al. linked a multi-segment strategy with an
improved particle swarm optimization-Gauss pseudospectral method (IPSO-GPM) for UAV swarms. The
outcomes showed that the applied mechanisms increased the optimality of the obtained solution,
generated high-quality trajectories, and took minimal running time.
Gu et al. suggested Network Integrated Trajectory clustering (NIT) for determining subgroups of a
flock of UAVs. This clustering showed quick response and accuracy and proved to be effective,
fault-tolerant, and stable in complex environments. Ling et al. presented a planning algorithm, out-of-
the-box trajectory plotting with multi-round Monte Carlo simulation, for UAV swarms. This algorithm
worked under noise and unstable communication and proved useful for cooperative swarm
applications. Yao et al. employed swarm intelligence and optimization algorithms for UAV swarms.
The results showed that the proposed algorithm controlled the UAVs effectively, improved autonomy
and inspection efficiency, and minimized the cost of inspection. Xia et al. suggested multi-agent
reinforcement learning (MARL) with a multi-UAV soft actor-critic (MUSAC) for the UAV swarm. The
suggested mechanism enabled intelligent flight decisions, reduced power consumption, enhanced
tracking success rates, and gave high detection coverage performance.

Nnamani et al. applied a grid-structured approach to the UAV swarm. The outcomes showed
improvement in the secrecy rate of communications and physical layer security and evaluated the
optimal radius of the eavesdropper’s unknown location. Xu et al. designed communication-aware
centralized and decentralized controllers for UAV swarm. Their proposed controllers achieved high
waypoint tracking accuracy. Between both controllers, the decentralized controller outperformed and
maintained stability. Sharma et al. studied multiple SI algorithms for path planning of UAV swarm.
This analysis showed that PSO had low computational complexity, ACO possessed good scalability,
and Firefly utilized a single operator for solution searching. Han et al. employed a backscatter
communication system with the massive multiple-input multiple-output (MIMO) and Central limit
theorem (CLT)-based approach to analyze the performance and optimize the trajectory. This
combination performed well to detect parasite devices and separate parasite signals. Moreover, it
reduced energy consumption and optimized trajectory planning.

Zhou et al. used a Multi-Target Tracking (MTT) system, an intelligent UAV swarm-based cooperative
tracking algorithm, and a multi-objective Lyapunov optimization model. The results showed a
reduction in execution complexity and energy consumption with an improvement in trajectory
prediction accuracy. Brown and Raj applied reactive tracking and reactive tracking with predictive
pre-positioning to study the effects of initial swarm formation. The tracking gave superior
performance.

Sastre et al. applied a collision-less swarm take-off heuristic (CSTH) with two improvements and a
Euclidean distance-based CSTH (ED-CSTH) algorithm to analyze the trajectory and batch
generations. This study also used the ArduSim simulator and vertical take-off and landing (VTOL)
techniques with the Kuhn–Munkres Algorithm (KMA) for UAV swarms. The proposed method optimized
computation time, ensured safe distancing, and improved the time required for take-off, and KMA proved
to be the most reasonable choice under realistic conditions. Bansal et al. proposed a scalable
authentication-attestation protocol, SHOTS, using Physical Unclonable Functions (PUFs), the Mao–Boyd
logic approach, and the Christofides algorithm for UAV swarms. The authors suggested a lightweight
authentication and attestation mechanism for UAV swarms that uses PUFs to provide physical security
as well as the necessary trust in a lightweight manner.
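
The SHOTS paragraph above describes PUF-based authentication and attestation for a swarm. The Python model below is an added example written for this page; it is not the SHOTS protocol or code from Bansal et al. It shows the two properties such a scheme combines: authentication from a challenge-response pair that only the genuine silicon can produce, and attestation from binding a firmware measurement into that response. The device's PUF is simulated with an HMAC over a per-device secret (an assumption standing in for the physical function), and the device id, firmware bytes and ground-station class are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed model. A real PUF derives its response from manufacturing
# variation of the silicon; here each device's PUF is simulated by HMAC-SHA256
# keyed with a secret that never leaves the device object.


class DroneDevice:
    def __init__(self, device_id, firmware):
        self.device_id = device_id
        self._puf_secret = secrets.token_bytes(32)   # stands in for the physical PUF
        self.firmware = firmware

    def puf(self, challenge):
        """Simulated PUF: challenge -> device-unique response."""
        return hmac.new(self._puf_secret, challenge, hashlib.sha256).digest()

    def respond(self, challenge, nonce):
        """Authenticate and attest in one lightweight message.

        The PUF response is used as a key over a verifier-chosen nonce (freshness)
        and the hash of the running firmware (attestation). Assumption: the hash
        is taken by a trusted measurement root, not by the firmware itself.
        """
        fw_hash = hashlib.sha256(self.firmware).digest()
        key = self.puf(challenge)
        tag = hmac.new(key, nonce + fw_hash, hashlib.sha256).digest()
        return fw_hash, tag


class GroundStation:
    def __init__(self):
        self.crps = {}     # device_id -> list of unused (challenge, response) pairs
        self.golden = {}   # device_id -> expected firmware hash

    def enroll(self, device, n_pairs=8):
        """Enrolment in a trusted setting: record CRPs and the golden firmware hash."""
        self.crps[device.device_id] = [
            (c, device.puf(c)) for c in (os.urandom(16) for _ in range(n_pairs))]
        self.golden[device.device_id] = hashlib.sha256(device.firmware).digest()

    def verify(self, device_id, reply_fn):
        """Return True only if the device authenticates and attests correctly."""
        pairs = self.crps.get(device_id)
        if not pairs:
            return False                      # unknown device or CRPs exhausted
        challenge, expected_resp = pairs.pop()   # every CRP is used exactly once
        nonce = secrets.token_bytes(16)          # fresh per run: defeats replay
        fw_hash, tag = reply_fn(challenge, nonce)
        expected_tag = hmac.new(expected_resp, nonce + fw_hash, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return False                      # wrong PUF: clone or wrong device
        if not hmac.compare_digest(fw_hash, self.golden[device_id]):
            return False                      # genuine silicon, modified firmware
        return True


def demo():
    """Run the four cases a verifier must distinguish; returns {case: passed?}."""
    drone = DroneDevice("uav-07", firmware=b"flight-controller v1.0")   # constructed
    gcs = GroundStation()
    gcs.enroll(drone)

    captured = {}

    def tapped(challenge, nonce):   # genuine reply, recorded by an observer on the link
        reply = drone.respond(challenge, nonce)
        captured["reply"] = reply
        return reply

    results = {"genuine": gcs.verify("uav-07", tapped)}

    clone = DroneDevice("uav-07", firmware=drone.firmware)   # same id, other silicon
    results["clone"] = gcs.verify("uav-07", clone.respond)

    original = drone.firmware
    drone.firmware = original + b" (modified)"                # measurement changes
    results["tampered_firmware"] = gcs.verify("uav-07", drone.respond)
    drone.firmware = original

    results["replay"] = gcs.verify("uav-07", lambda c, n: captured["reply"])
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} accepted={ok}")
```

Two points a practitioner should take from the model. First, the verifier never stores the PUF secret, only challenge-response pairs gathered at enrolment, so a database leak does not let anyone impersonate the airframe; it does let them exhaust or predict challenges, which is why each pair is consumed once and re-enrolment is needed when they run out. Second, the attestation is only as strong as the measurement: the model assumes `fw_hash` comes from a trusted root (such as a boot ROM), because firmware that measures itself can report whatever hash it likes.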

chapter 2: Cybersecurity in UAV Systems


[mh]Vulnerabilities in UAV Communication Systems

An uncrewed aerial vehicle (UAV), commonly known as a drone, is an aircraft without any human
pilot, crew, or passengers on board. UAVs were originally developed through the twentieth century for
military missions too "dull, dirty or dangerous" for humans, and by the twenty-first, they had become
essential assets to most militaries. As control technologies improved and costs fell, their use expanded
to many non-military applications. These include aerial photography, area coverage, precision
agriculture, forest fire monitoring, river monitoring, environmental monitoring, policing and
surveillance, infrastructure inspections, smuggling, product deliveries, entertainment, and drone racing.

[h]Terminology

Many terms are used for aircraft which fly without any persons on board.

The term drone has been used from the early days of aviation, some being applied to remotely flown
target aircraft used for practice firing of a battleship's guns, such as the 1920s Fairey Queen and 1930s
de Havilland Queen Bee. Later examples included the Airspeed Queen Wasp and Miles Queen
Martinet, before ultimate replacement by the GAF Jindivik. The term remains in common use. Beyond
their control software, autonomous drones also employ a host of advanced technologies that allow
them to carry out their missions without human intervention, such as cloud computing, computer
vision, artificial intelligence, machine learning, deep learning, and thermal sensors. For recreational
uses, an aerial photography drone is an aircraft that has first-person video, autonomous capabilities, or
both.

An unmanned aerial vehicle (UAV) is defined as a "powered, aerial vehicle that does not carry a
human operator, uses aerodynamic forces to provide vehicle lift, can fly autonomously or be piloted
remotely, can be expendable or recoverable, and can carry a lethal or nonlethal payload". UAV is a
term that is commonly applied to military use cases. Missiles with warheads are generally not
considered UAVs because the vehicle itself is a munition, but certain types of propeller-based missile
are often called "kamikaze drones" by the public and media. Also, the relation of UAVs to remote-
controlled model aircraft is unclear: UAVs may or may not include remote-controlled model aircraft.
Some jurisdictions base their definition on size or weight; however, the US FAA defines any uncrewed
flying craft as a UAV regardless of size. A similar term is remotely piloted aerial vehicle (RPAV).

UAVs or RPAVs can also be seen as a component of an unmanned aircraft system (UAS), which also
includes a ground-based controller and a system of communications with the aircraft. The term UAS
was adopted by the United States Department of Defense (DoD) and the United States Federal
Aviation Administration (FAA) in 2005 according to their Unmanned Aircraft System Roadmap 2005–
2030. The International Civil Aviation Organization (ICAO) and the British Civil Aviation Authority
adopted this term, also used in the European Union's Single-European-Sky (SES) Air-Traffic-
Management (ATM) Research (SESAR Joint Undertaking) roadmap for 2020. This term emphasizes
the importance of elements other than the aircraft. It includes elements such as ground control stations,
data links and other support equipment. Similar terms are unmanned-aircraft vehicle system (UAVS)
and remotely piloted aircraft system (RPAS). Many similar terms are in use. Under new regulations
which came into effect 1 June 2019, the term RPAS has been adopted by the Canadian Government to
mean "a set of configurable elements consisting of a remotely piloted aircraft, its control station, the
command and control links and any other system elements required during flight operation".

[h]Classification types

UAVs may be classified like any other aircraft, according to design configuration such as weight or
engine type, maximum flight altitude, degree of operational autonomy, operational role, etc. According
to the United States Department of Defense, UAVs are classified into the five groups below (size;
maximum take-off weight; operating altitude; speed):

Group 1 (Small): < 20 lb (9.1 kg); < 1,200 ft (370 m); < 100 kn (190 km/h)
Group 2 (Medium): > 20 lb & < 55 lb; < 3,500 ft (1,100 m); < 250 kn (460 km/h)
Group 3 (Large): > 55 lb & < 1,320 lb (600 kg); < 18,000 ft (5,500 m); < 250 kn (460 km/h)
Group 4 (Larger): > 1,320 lb (600 kg); < 18,000 ft (5,500 m); any speed
Group 5 (Largest): > 1,320 lb (600 kg); > 18,000 ft (5,500 m); any speed

Other classifications of UAVs include:

Range and endurance

There are usually five categories when UAVs are classified by range and endurance:

Very close range UAVs: range < 5 km; endurance 0.5–0.75 hr
Close range UAVs: range > 5 & < 50 km; endurance 1–6 hr
Short range UAVs: range > 50 & < 150 km; endurance 8–12 hr
Medium range UAVs: range > 150 & < 650 km; endurance 12–36 or 48 hr
Long range UAVs: range > 650 km; endurance > 36 or 48 hr

Size

There are usually four categories when UAVs are classified by size, with at least one of the dimensions
(length or wingspan) meeting the following respective limits:

Micro/Very small UAVs: < 50 cm
Mini/Small UAVs: > 50 cm & < 2 m
Medium UAVs: 5–10 m
Large UAVs: > 10 m

Weight

Based on their weight, drones can be classified into five categories:

Nano: < 250 g
Micro air vehicles (MAV): >= 250 g & < 2 kg
Miniature UAV or Small UAV (SUAV): >= 2 kg & < 25 kg
Medium UAVs: >= 25 kg & < 150 kg
Large UAVs: >= 150 kg

[h]Degree of autonomy

Drones could also be classified based on the degree of autonomy in their flight operations. ICAO
classifies uncrewed aircraft as either remotely piloted aircraft or fully autonomous. Some UAVs offer
intermediate degrees of autonomy. For example, a vehicle may be remotely piloted in most contexts
but have an autonomous return-to-base operation. Some aircraft types may optionally fly manned or as
UAVs, which may include manned aircraft transformed into uncrewed or Optionally Piloted UAVs
(OPVs). The flight of UAVs may operate under remote control by a human operator, as remotely
piloted aircraft (RPA), or with various degrees of autonomy, such as autopilot assistance, up to fully
autonomous aircraft that have no provision for human intervention.

[h]Altitude

Based on the altitude, the following UAV classifications have been used at industry events such as the
ParcAberporth Unmanned Systems forum:

- Hand-held: 2,000 ft (600 m) altitude, about 2 km range
- Close: 5,000 ft (1,500 m) altitude, up to 10 km range
- NATO type: 10,000 ft (3,000 m) altitude, up to 50 km range
- Tactical: 18,000 ft (5,500 m) altitude, about 160 km range
- MALE (medium altitude, long endurance): up to 30,000 ft (9,000 m) and range over 200 km
- HALE (high altitude, long endurance): over 30,000 ft (9,100 m) and indefinite range
- Hypersonic high-speed: supersonic (Mach 1–5) or hypersonic (Mach 5+), 50,000 ft (15,200 m)
  or suborbital altitude, range over 200 km
- Orbital: low Earth orbit (Mach 25+)
- CIS Lunar: Earth-Moon transfer
- Computer Assisted Carrier Guidance System (CACGS) for UAVs

[h]Composite criteria

An example of classification based on composite criteria is the U.S. Military's unmanned aerial
systems (UAS) classification of UAVs based on weight, maximum altitude and speed of the UAV
component.

[h]Early drones

The earliest recorded use of an unmanned aerial vehicle for warfighting occurred in July 1849, with a
balloon carrier (the precursor to the aircraft carrier) in the first offensive use of air power in naval
aviation. Austrian forces besieging Venice attempted to launch some 200 incendiary balloons at the
besieged city. The balloons were launched mainly from land; however, some were also launched from
the Austrian ship SMS Vulcano. At least one bomb fell in the city; however, due to the wind changing
after launch, most of the balloons missed their target, and some drifted back over Austrian lines and the
launching ship Vulcano.

The Spanish engineer Leonardo Torres Quevedo introduced a radio-based control-system called the
Telekino at the Paris Academy of Science in 1903, as a way of testing an airship of his own design
without risking human lives.

Significant development of drones started in the 1900s, and originally focused on providing practice
targets for training military personnel. The earliest attempt at a powered UAV was A. M. Low's "Aerial
Target" in 1916. Low confirmed that Geoffrey de Havilland's monoplane was the one that flew under
control on 21 March 1917 using his radio system. Following this successful demonstration in the
spring of 1917, Low was transferred in 1918 to develop aircraft-controlled fast motor launches
(D.C.B.s) with the Royal Navy, intended to attack shipping and port installations; he also assisted Wing
Commander Brock in preparations for the Zeebrugge Raid. Other British unmanned developments
followed, leading to the fleet of over 400 de Havilland 82 Queen Bee aerial targets that went into
service in 1935.

Nikola Tesla described a fleet of uncrewed aerial combat vehicles in 1915. These developments also
inspired the construction of the Kettering Bug by Charles Kettering from Dayton, Ohio and the Hewitt-
Sperry Automatic Airplane – initially meant as an uncrewed plane that would carry an explosive
payload to a predetermined target. Development continued during World War I, when the Dayton-
Wright Airplane Company invented a pilotless aerial torpedo that would explode at a preset time.

The film star and model-airplane enthusiast Reginald Denny developed the first scaled remote piloted
vehicle in 1935.

Soviet researchers experimented with controlling Tupolev TB-1 bombers remotely in the late 1930s.

[h]World War II

In 1940, Denny started the Radioplane Company and more models emerged during World War II –
used both to train antiaircraft gunners and to fly attack-missions. Nazi Germany produced and used
various UAV aircraft during the war, like the Argus As 292 and the V-1 flying bomb with a jet engine.
Fascist Italy developed a specialised drone version of the Savoia-Marchetti SM.79 flown by remote
control, although the Armistice with Italy was enacted prior to any operational deployment.

[h]Postwar period

After World War II development continued in vehicles such as the American JB-4 (using
television/radio-command guidance), the Australian GAF Jindivik and Teledyne Ryan Firebee I of
1951, while companies like Beechcraft offered their Model 1001 for the U.S. Navy in 1955.
Nevertheless, they were little more than remote-controlled airplanes until the Vietnam War. In 1959,
the U.S. Air Force, concerned about losing pilots over hostile territory, began planning for the use of
uncrewed aircraft. Planning intensified after the Soviet Union shot down a U-2 in 1960. Within days, a
highly classified UAV program started under the code name of "Red Wagon". The August 1964 clash
in the Tonkin Gulf between naval units of the U.S. and the North Vietnamese Navy initiated America's
highly classified UAVs into their first combat missions of the Vietnam War. When the Chinese
government showed photographs of downed U.S. UAVs via Wide World Photos, the official U.S.
response was "no comment".

During the War of Attrition (1967–1970) in the Middle East, Israeli intelligence tested the first tactical
UAVs installed with reconnaissance cameras, which successfully returned photos from across the Suez
Canal. This was the first time that tactical UAVs that could be launched and landed on any short
runway were developed and tested in battle.
In the 1973 Yom Kippur War, Israel used UAVs as decoys to spur opposing forces into wasting
expensive anti-aircraft missiles. After the 1973 Yom Kippur war, a few key people from the team that
developed this early UAV joined a small startup company that aimed to develop UAVs into a
commercial product, eventually purchased by Tadiran and leading to the development of the first
Israeli UAV.

In 1973, the U.S. military officially confirmed that they had been using UAVs in Southeast Asia
(Vietnam). Over 5,000 U.S. airmen had been killed and over 1,000 more were missing or captured. The
USAF 100th Strategic Reconnaissance Wing flew about 3,435 UAV missions during the war at a cost
of about 554 UAVs lost to all causes. In the words of USAF General George S. Brown, Commander,
Air Force Systems Command, in 1972, "The only reason we need (UAVs) is that we don't want to
needlessly expend the man in the cockpit." Later that year, General John C. Meyer, Commander in
Chief, Strategic Air Command, stated, "we let the drone do the high-risk flying... the loss rate is high,
but we are willing to risk more of them...they save lives!"

During the 1973 Yom Kippur War, Soviet-supplied surface-to-air missile-batteries in Egypt and Syria
caused heavy damage to Israeli fighter jets. As a result, Israel developed the IAI Scout as the first UAV
with real-time surveillance. The images and radar decoys provided by these UAVs helped Israel to
completely neutralize the Syrian air defenses at the start of the 1982 Lebanon War, resulting in no
pilots downed. In Israel in 1987, UAVs were first used as proof-of-concept of super-agility, post-stall
controlled flight in combat-flight simulations that involved tailless, stealth-technology-based, three-
dimensional thrust vectoring flight-control, and jet-steering.

[h]Modern UAVs
Figure: The STM Kargu was the first lethal autonomous weapon to attack enemy combatants in
warfare.

With the maturing and miniaturization of applicable technologies in the 1980s and 1990s, interest in
UAVs grew within the higher echelons of the U.S. military. The U.S. funded the CTC or counterterror
center within the CIA which sought to fight terrorism with the aid of modernized drone technology. In
the 1990s, the U.S. DoD gave a contract to AAI Corporation along with Israeli company Malat. The
U.S. Navy bought the AAI Pioneer UAV that AAI and Malat developed jointly. Many of these UAVs
saw service in the 1991 Gulf War. UAVs demonstrated the possibility of cheaper, more capable
fighting-machines, deployable without risk to aircrews. Initial generations primarily involved
surveillance aircraft, but some carried armaments, such as the General Atomics MQ-1 Predator, that
launched AGM-114 Hellfire air-to-ground missiles.

CAPECON, a European Union project to develop UAVs, ran from 1 May 2002 to 31 December 2005.

As of 2012, the United States Air Force (USAF) employed 7,494 UAVs – almost one in three USAF
aircraft. The Central Intelligence Agency also operated UAVs. By 2013 at least 50 countries used
UAVs. China, Iran, Israel, Pakistan, Turkey, and others designed and built their own varieties. The use
of drones has continued to increase. Due to their wide proliferation, no comprehensive list of UAV
systems exists.

The development of smart technologies and improved electrical-power systems led to a parallel
increase in the use of drones for consumer and general aviation activities. As of 2021, quadcopter
drones exemplify the widespread popularity of hobby radio-controlled aircraft and toys, however the
use of UAVs in commercial and general aviation is limited by a lack of autonomy and by new
regulatory environments which require line-of-sight contact with the pilot.

In 2020, a Kargu 2 drone hunted down and attacked a human target in Libya, according to a report
from the UN Security Council's Panel of Experts on Libya, published in March 2021. This may have
been the first time an autonomous killer-robot armed with lethal weaponry attacked human beings.

Superior drone technology, specifically the Bayraktar TB2, played a role in Azerbaijan's successes in
the 2020 Nagorno-Karabakh war against Armenia.

Figure: Artist's concept of Ingenuity landing on Mars

UAVs are also used in NASA missions. The Ingenuity helicopter is an autonomous UAV that operated
on Mars from 2021 to 2024. Currently the Dragonfly spacecraft is being developed, aiming to
reach and examine Saturn's moon Titan. Its primary goal is to roam across the surface, expanding the
area that can be studied well beyond what landers have previously seen. As a UAV, Dragonfly allows
examination of potentially diverse types of soil. The drone is set to launch in 2027 and is estimated to
take seven more years to reach the Saturnian system.

Miniaturization is also supporting the development of small UAVs which can be used as individual
systems or in a fleet, offering the possibility of surveying large areas in a relatively short time.

[h]Design

Figure: General physical structure of a UAV

Crewed and uncrewed aircraft of the same type generally have recognizably similar physical
components. The main exceptions are the cockpit and environmental control system or life support
systems. Some UAVs carry payloads (such as a camera) that weigh considerably less than an adult
human, and as a result, can be considerably smaller. Though they carry heavy payloads, weaponized
military UAVs are lighter than their crewed counterparts with comparable armaments.

Small civilian UAVs have no life-critical systems, and can thus be built out of lighter but less sturdy
materials and shapes, and can use less robustly tested electronic control systems. For small UAVs, the
quadcopter design has become popular, though this layout is rarely used for crewed aircraft.
Miniaturization means that less-powerful propulsion technologies can be used that are not feasible for
crewed aircraft, such as small electric motors and batteries.

Control systems for UAVs are often different from crewed craft. For remote human control, a camera
and video link almost always replace the cockpit windows; radio-transmitted digital commands replace
physical cockpit controls. Autopilot software is used on both crewed and uncrewed aircraft, with
varying feature sets.

[h]Aircraft configuration

UAVs can be designed in different configurations than manned aircraft both because there is no need
for a cockpit and its windows, and there is no need to optimize for human comfort, although some
UAVs are adapted from piloted examples, or are designed for optionally piloted modes. Air safety is
also less of a critical requirement for unmanned aircraft, allowing the designer greater freedom to
experiment. Instead, UAVs are typically designed around their onboard payloads and their ground
equipment. These factors have led to a great variety of airframe and motor configurations in UAVs.

For conventional flight the flying wing and blended wing body offer light weight combined with low
drag and stealth, and are popular configurations for many use cases. Larger types which carry a
variable payload are more likely to feature a distinct fuselage with a tail for stability, control and trim,
although the wing configurations in use vary widely.

For uses that require vertical flight or hovering, the tailless quadcopter requires a relatively simple
control system and is common for smaller UAVs. Multirotor designs with 6 or more rotors are more
common with larger UAVs, where redundancy is prioritized.

[h]Propulsion

Traditional internal combustion and jet engines remain in use for drones requiring long range.
However, for shorter-range missions electric power has almost entirely taken over. The distance record
for a UAV across the North Atlantic Ocean is held by a gasoline-powered model airplane built from
balsa wood and mylar skin by Maynard Hill, "in 2003 when one of his creations flew 1,882 miles
across the Atlantic Ocean on less than a gallon of fuel".

Besides the traditional piston engine, the Wankel rotary engine is used by some drones. This type
offers high power output for lower weight, with quieter and more vibration-free running. Claims have
also been made for improved reliability and greater range.

Small drones mostly use lithium-polymer batteries (Li-Po), while some larger vehicles have adopted
the hydrogen fuel cell. The energy density of modern Li-Po batteries is far less than gasoline or
hydrogen. However, electric motors are cheaper, lighter and quieter. Complex multi-engine, multi-
propeller installations are under development with the goal of improving aerodynamic and propulsive
efficiency. For such complex power installations, battery eliminator circuitry (BEC) may be used to
centralize power distribution and minimize heating, under the control of a microcontroller unit (MCU).

[h]Ornithopters – wing propulsion

Flapping-wing ornithopters, imitating birds or insects, have been flown as microUAVs. Their inherent
stealth recommends them for spy missions.

Sub-1g microUAVs inspired by flies, albeit using a power tether, have been able to "land" on vertical
surfaces. Other projects mimic the flight of beetles and other insects.

[h]Computer control systems

Figure: A flight controller run on either CleanFlight or BaseFlight firmware for multirotor UAVs

UAV computing capability followed the advances of computing technology, beginning with analog
controls and evolving into microcontrollers, then system-on-a-chip (SOC) and single-board computers
(SBC).

System hardware for small UAVs is often called the flight controller (FC), flight controller board
(FCB) or autopilot. Common UAV control hardware typically incorporates a primary
microprocessor, a secondary or failsafe processor, and sensors such as accelerometers, gyroscopes,
magnetometers, and barometers into a single module.

[h]Sensors

Position and movement sensors give information about the aircraft state. Exteroceptive sensors deal
with external information like distance measurements, while exproprioceptive ones correlate internal
and external states.

Non-cooperative sensors are able to detect targets autonomously so they are used for separation
assurance and collision avoidance.

Degrees of freedom (DOF) refers to both the amount and quality of sensors on board: 6 DOF implies
3-axis gyroscopes and accelerometers (a typical inertial measurement unit – IMU), 9 DOF refers to an
IMU plus a compass, 10 DOF adds a barometer and 11 DOF usually adds a GPS receiver.

In addition to the navigation sensors, the UAV (or UAS) can also be equipped with monitoring devices
such as RGB, multispectral or hyperspectral cameras, or LiDAR, which allow specific
measurements or observations to be made.

[h]Actuators

UAV actuators include digital electronic speed controllers (which control the RPM of the motors)
linked to motors/engines and propellers, servomotors (for planes and helicopters mostly), weapons,
payload actuators, LEDs and speakers. The software running on a UAV is called the autopilot or the
flight stack. The purpose of the flight stack is to fly the mission autonomously or with remote-pilot
input. An autopilot achieves this by obtaining data from sensors, controlling the motors to make
progress along a path, and facilitating communications with ground control and mission planning.

UAVs are real-time systems that require high-frequency responses to changing sensor data. As a result,
UAVs rely on single-board computers for their computational needs. Examples include Raspberry Pis
or Beagleboards fitted with autopilot shields such as NavIO or PXFMini, running real-time operating
systems or frameworks such as NuttX, preemptive-RT Linux, Xenomai, Orocos-Robot Operating
System or DDS-ROS 2.0.

Flight stack overview

Layer             Requirement          Operations                                   Example
Firmware          Time-critical        From machine code to processor execution,    ArduCopter-v1, PX4
                                       memory access
Middleware        Time-critical        Flight control, navigation, radio            PX4, Cleanflight, ArduPilot
                                       management
Operating system  Computer-intensive   Optical flow, obstacle avoidance, SLAM,      ROS, Nuttx, Linux
                                       decision-making                              distributions, Microsoft IOT

Due to the open-source nature of UAV software, it can be customized to fit specific applications.
For example, researchers from the Technical University of Košice have replaced the default control
algorithm of the PX4 autopilot. This flexibility and collaborative effort have led to a large number of
different open-source stacks, some of which are forked from others, such as CleanFlight, which is
forked from BaseFlight and from which three other stacks are forked.

[h]Loop principles

Figure: Typical flight-control loops for a multirotor

UAVs employ open-loop, closed-loop or hybrid control architectures.

• Open loop – This type provides a positive control signal (faster, slower, left, right, up, down)
without incorporating feedback from sensor data.
• Closed loop – This type incorporates sensor feedback to adjust behavior (reduce speed to reflect
tailwind, move to altitude 300 feet). The PID controller is common. Sometimes, feedforward is
employed, transferring the need to close the loop further.
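The difference between the two loop types above is easiest to see in a simulation. This is an added example, not code from the original text or from any real flight stack: a one-axis altitude model in which an open-loop schedule and a closed-loop PID both try to reach the 300 ft setpoint while a constant vertical disturbance (the "tailwind" case) acts on the vehicle. The gains, the lag constant, the loop rate and the disturbance value are all constructed.

```python
"""Open-loop versus closed-loop (PID) altitude control, as a toy simulation.

Added example, not code from the original text or from any autopilot.
Vertical-axis model only: the controller commands a climb rate, the
vehicle follows it with a first-order lag, and a constant vertical
disturbance (the page's "tailwind") pushes the aircraft. All gains,
rates and the disturbance value are constructed for illustration.
"""

DT = 0.05                         # control-loop period in seconds (20 Hz)
FEET_TO_M = 0.3048
TARGET_ALT_M = 300 * FEET_TO_M    # "move to altitude 300 feet" -> 91.44 m


class PID:
    """Discrete PID controller with output clamping and anti-windup."""

    def __init__(self, kp, ki, kd, out_limit=5.0):
        self.kp, self.ki, self.kd = kp, ki, kd
        self.out_limit = out_limit    # max commanded climb rate, m/s
        self.integral = 0.0
        self.prev_err = None

    def step(self, setpoint, measurement, dt):
        err = setpoint - measurement
        self.integral += err * dt
        deriv = 0.0 if self.prev_err is None else (err - self.prev_err) / dt
        self.prev_err = err
        out = self.kp * err + self.ki * self.integral + self.kd * deriv
        # Anti-windup: while the output saturates, do not let the integral grow.
        if abs(out) > self.out_limit:
            self.integral -= err * dt
            out = self.out_limit if out > 0 else -self.out_limit
        return out


class Vehicle:
    """Point-mass vertical model: climb rate lags the command by TAU seconds."""
    TAU = 0.5

    def __init__(self):
        self.altitude = 0.0
        self.climb_rate = 0.0

    def step(self, commanded_rate, disturbance, dt):
        self.climb_rate += (commanded_rate - self.climb_rate) * dt / self.TAU
        self.altitude += (self.climb_rate + disturbance) * dt
        return self.altitude


def run_open_loop(target, seconds, disturbance, climb_rate=2.0):
    """Open loop: climb at a fixed rate for the time that would reach the
    target with no disturbance, then command zero. No sensor feedback."""
    v = Vehicle()
    climb_time = target / climb_rate
    for i in range(int(seconds / DT)):
        cmd = climb_rate if i * DT < climb_time else 0.0
        v.step(cmd, disturbance, DT)
    return v.altitude


def run_closed_loop(target, seconds, disturbance):
    """Closed loop: every period the PID reads the (simulated barometer)
    altitude and recomputes the climb-rate command from the error."""
    v = Vehicle()
    pid = PID(kp=1.2, ki=0.4, kd=0.1)
    for _ in range(int(seconds / DT)):
        cmd = pid.step(target, v.altitude, DT)
        v.step(cmd, disturbance, DT)
    return v.altitude


if __name__ == "__main__":
    for d in (0.0, 0.3):
        print(f"disturbance {d:+.1f} m/s: open loop ends at "
              f"{run_open_loop(TARGET_ALT_M, 60, d):6.2f} m, closed loop at "
              f"{run_closed_loop(TARGET_ALT_M, 60, d):6.2f} m "
              f"(target {TARGET_ALT_M:.2f} m)")
```

With no disturbance both schemes end near 91.44 m; with a steady 0.3 m/s updraft the open-loop run drifts about 18 m high over the minute, while the PID's integral term absorbs the disturbance and holds the setpoint.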

[h]Communications

UAVs use a radio for control and exchange of video and other data. Early UAVs had only narrowband
uplink. Downlinks came later. These bi-directional narrowband radio links carried command and
control (C&C) and telemetry data about the status of aircraft systems to the remote operator.

In most modern UAV applications, video transmission is required. So instead of having separate links
for C&C, telemetry and video traffic, a broadband link is used to carry all types of data. These
broadband links can leverage quality of service techniques and carry TCP/IP traffic that can be routed
over the Internet.
The radio signal from the operator side can be issued from either:

• Ground control – a human operating a radio transmitter/receiver, a smartphone, a tablet, a
computer, or the original meaning of a military ground control station (GCS).
• Remote network system, such as satellite duplex data links for some military powers.
Downstream digital video over mobile networks has also entered consumer markets, while
direct UAV control uplink over the cellular mesh and LTE have been demonstrated and are in
trials.
• Another aircraft, serving as a relay or mobile control station – military manned-unmanned
teaming (MUM-T).

Modern networking standards have explicitly considered drones and therefore include optimizations.
The 5G standard has mandated reduced user plane latency to 1ms while using ultra-reliable and low-
latency communications.

UAV-to-UAV coordination is supported by Remote ID communication technology. Remote ID messages
(containing the UAV coordinates) are broadcast and can be used for collision-free navigation.

The level of autonomy in UAVs varies widely. UAV manufacturers often build in specific autonomous
operations, such as:

• Self-level: attitude stabilization on the pitch and roll axes.
• Altitude hold: The aircraft maintains its altitude using barometric pressure and/or GPS data.
• Hover/position hold: Keep level pitch and roll, stable yaw heading and altitude while
maintaining position using GNSS or inertial sensors.
• Headless mode: Pitch control relative to the position of the pilot rather than relative to the
vehicle's axes.
• Care-free: automatic roll and yaw control while moving horizontally
• Take-off and landing (using a variety of aircraft or ground-based sensors and systems; see also
"autoland")
• Failsafe: automatic landing or return-to-home upon loss of control signal
• Return-to-home: Fly back to the point of takeoff (often gaining altitude first to avoid possible
intervening obstructions such as trees or buildings).
• Follow-me: Maintain relative position to a moving pilot or other object using GNSS, image
recognition or homing beacon.
• GPS waypoint navigation: Using GNSS to navigate to an intermediate location on a travel path.
• Orbit around an object: Similar to Follow-me but continuously circle a target.
• Pre-programmed aerobatics (such as rolls and loops)

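The failsafe and return-to-home behaviours in the list above are, from a security standpoint, the vehicle's response to losing its command-and-control link. The following is an added example, not code from the original text or from any real autopilot: a small state machine that declares the link lost after a heartbeat timeout, climbs to a safe altitude before moving, flies back to the take-off point and lands, with a simulated scenario driving it. Positions, speeds, altitudes and timeouts are constructed values, and the heartbeat is assumed to come only from packets that already passed the link's authentication.

```python
"""Link-loss failsafe with return-to-home (RTH), as a toy simulation.

Added example, not code from the original text or from any real flight
stack. It models the "Failsafe" and "Return-to-home" behaviours listed
above: when no valid command-and-control (C&C) packet has arrived for
link_timeout_s seconds, the vehicle leaves pilot control, climbs to a safe
altitude first (to clear trees or buildings), flies straight back to the
take-off point and lands. Positions, speeds and timeouts are constructed.
"""
import math
from enum import Enum, auto


class Mode(Enum):
    MANUAL = auto()      # pilot commands arrive over the C&C uplink
    RTH_CLIMB = auto()   # link lost: climb to RTH altitude before moving
    RTH_CRUISE = auto()  # fly horizontally toward the take-off point
    LAND = auto()        # over home: descend until touchdown
    LANDED = auto()


class LinkLossFailsafe:
    def __init__(self, position, home=(0.0, 0.0), link_timeout_s=2.0,
                 rth_altitude_m=60.0, climb_rate=2.0, cruise_speed=5.0,
                 descent_rate=1.0, arrival_radius_m=1.0):
        self.pos = list(position)          # [x, y, z] metres, z = altitude
        self.home = home                   # take-off point (x, y)
        self.link_timeout_s = link_timeout_s
        self.rth_altitude_m = rth_altitude_m
        self.climb_rate = climb_rate
        self.cruise_speed = cruise_speed
        self.descent_rate = descent_rate
        self.arrival_radius_m = arrival_radius_m
        self.mode = Mode.MANUAL
        self.last_heartbeat = 0.0
        self.transitions = []              # (time, new mode) audit log

    def heartbeat(self, t):
        """Call only for C&C packets that passed link authentication, so a
        forged or replayed packet cannot refresh the timer."""
        self.last_heartbeat = t

    def link_lost(self, t):
        return t - self.last_heartbeat > self.link_timeout_s

    def distance_to_home(self):
        return math.hypot(self.home[0] - self.pos[0], self.home[1] - self.pos[1])

    def _set_mode(self, t, mode):
        if mode is not self.mode:
            self.mode = mode
            self.transitions.append((t, mode))

    def tick(self, t, dt, pilot_velocity=(0.0, 0.0, 0.0)):
        """Advance one control period. pilot_velocity is honoured only in
        MANUAL; a link that comes back does not cancel an RTH in progress
        (the pilot must re-take control explicitly)."""
        x, y, z = self.pos
        dx, dy = self.home[0] - x, self.home[1] - y
        dist = math.hypot(dx, dy)
        # Mode transitions, evaluated before the velocity command.
        if self.mode is Mode.MANUAL and self.link_lost(t):
            self._set_mode(t, Mode.RTH_CLIMB)
        if self.mode is Mode.RTH_CLIMB and z >= self.rth_altitude_m:
            self._set_mode(t, Mode.RTH_CRUISE)
        if self.mode is Mode.RTH_CRUISE and dist <= self.arrival_radius_m:
            self._set_mode(t, Mode.LAND)
        if self.mode is Mode.LAND and z <= 0.0:
            self._set_mode(t, Mode.LANDED)
        # Velocity command for the mode we are now in.
        if self.mode is Mode.MANUAL:
            vx, vy, vz = pilot_velocity
        elif self.mode is Mode.RTH_CLIMB:
            vx, vy, vz = 0.0, 0.0, self.climb_rate
        elif self.mode is Mode.RTH_CRUISE:   # dist > arrival radius here
            vx, vy = self.cruise_speed * dx / dist, self.cruise_speed * dy / dist
            vz = 0.0
        elif self.mode is Mode.LAND:
            vx, vy, vz = 0.0, 0.0, -self.descent_rate
        else:
            vx = vy = vz = 0.0
        self.pos = [x + vx * dt, y + vy * dt, max(0.0, z + vz * dt)]
        return self.mode


def simulate_link_loss(loss_at_s=10.0, duration_s=140.0, dt=0.1):
    """Constructed scenario: vehicle hovering 130 m from home at 25 m AGL,
    ground station heartbeats every 0.5 s, then the uplink goes silent."""
    fs = LinkLossFailsafe(position=(120.0, -50.0, 25.0))
    for i in range(int(duration_s / dt)):
        t = round(i * dt, 3)
        if t < loss_at_s and i % 5 == 0:
            fs.heartbeat(t)
        fs.tick(t, dt)
    return fs


if __name__ == "__main__":
    result = simulate_link_loss()
    for t, mode in result.transitions:
        print(f"t={t:6.1f}s  -> {mode.name}")
    print("final position:", [round(c, 2) for c in result.pos])
```

The transition log is the artefact a post-flight review would look at: it shows when the link was declared lost and that the climb happened before any horizontal movement.
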
One approach to quantifying autonomous capabilities is based on OODA terminology, as suggested by
a 2002 US Air Force Research Laboratory report, and used in the table on the right.

Figure: A Northrop Grumman X-47B unmanned combat aircraft demonstrator of the US Navy refuels
in flight from a tanker aircraft.

Full autonomy is available for specific tasks, such as airborne refueling or ground-based battery
switching.

Other functions available or under development include collective flight, real-time collision
avoidance, wall following, corridor centring, simultaneous localization and mapping, swarming,
cognitive radio and machine learning. In this context, computer vision can play an important role in
automatically ensuring flight safety.

[h]Flight envelope

UAVs can be programmed to perform aggressive maneuvers or landing/perching on inclined surfaces,
and then to climb toward better communication spots. Some UAVs can control flight with varying
flight models, such as VTOL designs.

UAVs can also implement perching on a flat vertical surface.

[h]Endurance

Figure: UEL UAV-741 Wankel engine for UAV operations

Figure: Flight time against mass of small (less than 1 kg) drones

UAV endurance is not constrained by the physiological capabilities of a human pilot.

Because of their small size, low weight, low vibration and high power to weight ratio, Wankel rotary
engines are used in many large UAVs. Their engine rotors cannot seize; the engine is not susceptible to
shock-cooling during descent and it does not require an enriched fuel mixture for cooling at high
power. These attributes reduce fuel usage, increasing range or payload.

Proper drone cooling is essential for long-term drone endurance. Overheating and subsequent engine
failure is the most common cause of drone failure.

Hydrogen fuel cells may be able to extend the endurance of small UAVs, up to
several hours.

Micro air vehicle endurance is so far best achieved with flapping-wing UAVs, followed by planes, with
multirotors standing last, due to the lower Reynolds number.

Solar-electric UAVs, a concept originally championed by the AstroFlight Sunrise in 1974, have
achieved flight times of several weeks.

Solar-powered atmospheric satellites ("atmosats") designed for operating at altitudes exceeding 20 km
(12 miles, or 60,000 feet) for as long as five years could potentially perform duties more economically
and with more versatility than low Earth orbit satellites. Likely applications include weather drones for
weather monitoring, disaster recovery, Earth imaging and communications.

Electric UAVs powered by microwave power transmission or laser power beaming are other potential
endurance solutions.

Another application for a high endurance UAV would be to "stare" at a battlefield for a long interval
(ARGUS-IS, Gorgon Stare, Integrated Sensor Is Structure) to record events that could then be played
backwards to track battlefield activities.

Lengthy endurance flights

UAV                              Flight time       Date              Notes
                                 (hours:minutes)
Boeing Condor                    58:11             1989              The aircraft is currently in the Hiller Aviation Museum.
General Atomics Gnat             40:00             1992
TAM-5                            38:52             11 August 2003    Smallest UAV to cross the Atlantic
QinetiQ Zephyr Solar Electric    54:00             September 2007
RQ-4 Global Hawk                 33:06             22 March 2008     Set an endurance record for a full-scale, operational uncrewed aircraft.
QinetiQ Zephyr Solar Electric    82:37             28–31 July 2008
QinetiQ Zephyr 7                 336:22            9–23 July 2010    Solar electric powered. Remained aloft for 14 days. Also filed for FAI altitude record of 70,740 ft (21,561 m)

The delicacy of the British PHASA-35 military drone (at a late stage of development) is such that
traversing the first turbulent twelve miles of atmosphere is a hazardous endeavor. It has, however,
remained on station at 65,000 feet for 24 hours. Airbus' Zephyr in 2023 has attained 70,000 feet and
flown for 64 days, with 200 days aimed at. This is close enough to near-space for them to be
regarded as "pseudo-satellites" as regards their operational capabilities.

[h]Reliability

Reliability improvements target all aspects of UAV systems, using resilience engineering and fault
tolerance techniques.

Individual reliability covers robustness of flight controllers, to ensure safety without excessive
redundancy, so as to minimize cost and weight. In addition, dynamic assessment of the flight envelope allows
damage-resilient UAVs, using non-linear analysis with ad hoc designed loops or neural networks.
UAV software reliability is bending toward the design and certification of crewed avionics software.

Swarm resilience involves maintaining operational capabilities and reconfiguring tasks given unit
failures.

As of 2020, seventeen countries have armed UAVs, and more than 100 countries use UAVs in a
military capacity. The global military UAV market is dominated by companies based in the United
States, Turkey, China, Israel and Iran. By sale numbers, the US held over 60% military-market share in
2017. Top military UAV manufacturers include General Atomics, Lockheed Martin, Northrop
Grumman, Boeing, Baykar, TAI, IAIO, CASC and CAIG. China has established and expanded its
presence in the military UAV market since 2010. Turkey has also established and expanded its presence in
the military UAV market.

Of the 18 countries that are known to have received military drones between 2010 and 2019, the top 12
all purchased their drones from China. According to a report of 2015, Israeli companies mainly focus
on small surveillance UAV systems; by quantity of drones, Israel exported 60.7% (2014) of the UAVs
on the market while the United States exported 23.9% (2014). Between 2010 and 2014, there were 439
drones exchanged, compared to 322 in the five years previous to that; of these, only a small fraction
of overall trade, just 11 (2.5%) of the 439, were armed drones. The US alone operated over 9,000
military UAVs in 2014, of which more than 7,000 were RQ-11 Raven miniature UAVs. General
Atomics is the dominant manufacturer with the Global Hawk and Predator/Mariner systems product
line.

For intelligence and reconnaissance missions, the inherent stealth of micro UAV flapping-wing
ornithopters, imitating birds or insects, offers potential for covert surveillance and makes them difficult
targets to bring down.

Unmanned surveillance and reconnaissance aerial vehicles are used for reconnaissance, attack,
demining, and target practice.

Following the 2022 Russian invasion of Ukraine a dramatic increase in UAV development took place,
with Ukraine creating the Brave1 platform to promote rapid development of innovative systems.

[h]Suppliers

Figure: Zipline's aircraft being launched from a base in Rwanda to deliver blood products

The civilian (commercial and general) drone market is dominated by Chinese companies. Chinese
manufacturer DJI alone had 74% of the civil market share in 2018, with no other company accounting
for more than 5%. Following increased scrutiny of its activities, the US Interior Department grounded
its fleet of DJI drones in 2020, while the Justice Department prohibited the use of federal funds for the
purchase of DJI and other foreign-made UAVs. DJI is followed by Chinese company Yuneec, US
company 3D Robotics and French company Parrot. As of May 2021, 873,576 UAVs had been
registered with the US FAA, of which 42% were categorized as commercial and 58% as recreational.
2018 NPD data point to consumers increasingly purchasing drones with more advanced features, with 33
percent growth in both the $500+ and $1000+ market segments.

The civil UAV market is relatively new compared to the military one. Companies are emerging in both
developed and developing nations at the same time. Many early stage startups have received support
and funding from investors, as is the case in the United States, and from government agencies, as is the
case in India. Some universities offer research and training programs or degrees. Private entities also
provide online and in-person training programs for both recreational and commercial UAV use.
Consumer drones are widely used by military organizations worldwide because of the cost-effective
nature of consumer products. In 2018, the Israeli military started to use DJI Mavic and Matrice series
UAVs for light reconnaissance missions. DJI surveillance drones have been used by Chinese police in
Xinjiang since 2017.

Drones are ideally suited to capturing aerial shots in photography and cinematography, and are widely
used for this purpose. Small drones avoid the need for precise coordination between pilot and
cameraman, with the same person taking on both roles. However, with big drones carrying professional
cine cameras, there is usually a drone pilot and a camera operator who controls camera angle and lens. For
example, the AERIGON cinema drone, which is used in film production in big blockbuster movies, is
operated by 2 people. Drones provide access to dangerous, remote or otherwise inaccessible sites.

[h]Environmental Monitoring

UASs or UAVs offer a great advantage for environmental monitoring: they generate a new generation
of surveys at very-high or ultra-high resolution in both space and time. This gives the opportunity to
bridge the existing gap between satellite data and field monitoring. This has stimulated a huge number
of activities in order to enhance the description of natural and agricultural ecosystems. The most common
applications are:

• Topographic surveys for the production of orthomosaics, Digital Surface Model (DSM), 3D
Models;
• Monitoring of natural ecosystems for biodiversity monitoring, habitat mapping, detection of
invasive alien species and study of ecosystem degradation due to invasive species or
disturbances;
• Precision Agriculture, which exploits all available technologies including UAVs in order to
produce more with less (e.g., optimisation of fertilizers, pesticides, irrigation);
• River monitoring: several methods have been developed to perform flow monitoring using image
velocimetry methods, which allow the 2D flow velocity fields to be properly described;
• Structural integrity of any type of structure, whether it be a dam, railway or other dangerous,
inaccessible or massive location, for building monitoring.

These activities can be carried out with different approaches that include: photogrammetry, SfM,
thermography, multispectral images, 3D field scanning, NDVI maps, etc.

[h]Agriculture, forestry and environmental studies

As global demand for food production grows exponentially, resources are depleted, farmland is
reduced, and agricultural labor is increasingly in short supply, there is an urgent need for more
convenient and smarter agricultural solutions than traditional methods, and the agricultural drone and
robotics industry is expected to make progress. Agricultural drones have been used to help build
sustainable agriculture all over the world leading to a new generation of agriculture. In this context,
there is a proliferation of innovations in both tools and methodologies which allow precise description
of vegetation state and also may help to precisely distribute nutrients, pesticides or seeds over a field.

The use of UAVs is also being investigated to help detect and fight wildfires, whether through
observation or launching pyrotechnic devices to start backfires.

UAVs are also now widely used to survey wildlife such as nesting seabirds, seals and even wombat
burrows.

[mh]Threats Posed by Cyber Attacks on UAVs

[h]Cyber-Terrorism: An Appraisal of the Dimensions of the New Face of Terrorism

It has been over 20 years since the Global War on Terrorism (GWOT) was declared by President Bush
following the 9/11 attacks. The term ‘war on terrorism’ was first used by President Bush in his address
to the United States (U.S) Congress on the 20th of September 2001 as a rallying call for a global
campaign against Al-Qaeda and its affiliates. Since then, terrorist organizations have gradually
changed their modus operandi and style, especially in the way they launch their threats or attacks
against States, organizations, and even the public. In recent years, we have seen a complete shift away
from the traditional suicide bombings, hijacking of aircraft, use of explosives, kidnapping of diplomats
etc. usually by state actors to non-state actors as perpetrators of terrorism. We have also seen less
sporadic and unplanned attacks, with a shift towards a more sophisticated, coordinated, and
institutionalized attack being carried out, especially online. Although encouragement of terrorist acts
through inciteful comments and extremist teachings on the internet is not a new trend, what is new is
the online attacks that are gradually replacing the traditional hostage-taking, suicide bombings, and
kidnappings that were hitherto commonplace.

This new face of terrorism raises serious concerns, especially when one considers the magnitude of
destruction that could be caused by one online attack. Terror groups and violent extremists now use
cyberspace for communicating, coordinating their attacks, spreading propaganda, fundraising,
radicalization, and recruitment, providing them with an unprecedented opportunity to access a wider
global community. To put this into context, imagine the catastrophic events that could happen if a
terror group remotely gains control of the flight control systems of a country or shuts down the entire
network system of public health providers like the United Kingdom’s (U.K) National Health Service
(NHS). With heavy reliance on the internet by most agencies, the denial of access to critical online
services could have devastating economic consequences and negatively affect the safety and well-
being of citizens.

In 2007, the world watched in shock as the Estonian government computer systems were attacked and
completely shut down. This politically motivated cyber-attack, which lasted 22 days, resulted in the
degradation and complete loss of government servers including public websites, emails, online
banking, and Domain Name System (DNS). The cyber-attacks ranged from manually launched pings
to botnet DDoS to exploiting specific vulnerabilities in router software. Many of the detected attacks
were described in detail on various Russian language forums and websites, which were easily available
to those interested in finding a way to participate in the attacks. The Russian government has
consistently denied direct involvement in the attacks, and no organization or group has claimed
responsibility for them. Following the Estonian attack, other countries have experienced
similar cyber-attacks that have negatively impacted their citizens. These include the 2012 ‘Flame’
attacks on Middle Eastern countries where audio, Skype conversations, and keyboard activities were
recorded; Canada in 2011; India in 2012; and Israel in 2012 amongst others.

A report published in 2021 by the European Organization for the Safety of Air Navigation
(Eurocontrol) highlighted the increasing challenge of keeping the European aviation industry safe from
cyber-attacks. Although no impact on flight safety has been reported yet, the report revealed that
cyber-attacks (especially ransomware attacks) on European aviation management systems rose by
530% between 2019 and 2020 alone. The report also stated that the price of ransomware mitigation
measures is expected to cost global companies over 20 billion EUR a year going forward.

A major contributing factor to this rapid upsurge in online attacks by terror groups is the COVID-19
pandemic. The lockdowns and restriction of movements imposed by many countries created an avenue
for terror organizations to re-strategize. But even before the COVID-19 pandemic, cyber-terrorism had
gradually replaced the traditional hostage-taking, suicide bombings, and kidnappings adopted by terror
groups. Equally, advancements in technology, especially the increase in the use of artificial intelligence
have no doubt improved the capabilities and reach of terror groups and further worsened the cyber-
terrorism landscape. It has therefore become increasingly difficult to ignore the threats posed online by
terror groups. It will be safe to conclude that cyber-attacks have emerged as the new battleground for
the war on terrorism.

As its central question, this book reviews the effectiveness of the GWOT that has been in effect since
2001 and assesses whether the GWOT narrative is still appropriate or needs to be revised. This chapter
therefore appraises the effectiveness and coherence of the mechanisms put in place by the U.S. and its
allies in addressing cyber-terrorism under its so-called GWOT. This chapter also assesses some of the
challenges created by the GWOT to the promotion of global peace. Although extensive research has
been carried out on the GWOT, particularly by the Watson Institute of International & Public
Affairs, Brown University, which has published research on the consequences of the U.S. and
NATO’s wars in Afghanistan, Iraq, and elsewhere, very little has been published on the
threat of cyber-terrorism and how this has been addressed under the GWOT.

Before appraising the effectiveness of the GWOT, it is important to provide a context for the scope of
cyber/online terrorism for this study. This contextualization is particularly imperative as terrorism is a
broad phenomenon that could mean different things to different people in different situations. First, it
is important to note that the controversy about what is considered terrorism has raged on for many
years. This problem is further compounded by the absence of an international court or tribunal with
specific jurisdiction over terrorist offenses. States are then left to define what constitutes terrorist acts
within their jurisdiction. Hence, the phrase "one man’s terrorist is another man’s freedom fighter" has become
commonplace. The debate about whether cyber-attacks should be regarded as an act of terrorism has
further compounded this definitional controversy. The question then is – will online/cyber-attacks
against unarmed civilians, a State or an organization constitute an act of terror?

The answer to this question will largely depend on the aim of the attack. Without addressing the
fraught question of what will constitute terrorism, if the cyber/online attack aims to ‘influence,’
‘intimidate’ or ‘spread fear’ for political, religious, or ideological reasons then it will be considered
terrorism. To put it simply, if it can create fear of terror or further a terror group’s agenda online, then
it will be terrorism. This conclusion is premised on the fact that most national governments regard
terrorism as an act intentionally perpetrated to influence, or intimidate the government, organization or
the public to advance a political, religious or ideological cause, etc. There is, therefore, no doubt that
cyber-terrorism (also known as digital terrorism), which could be defined as ‘disruptive attacks by
recognized terrorist organizations against the computer systems with the intent of generating alarm,
panic, or the physical disruption of the information system’, will fall under the ambit of terrorism. If
there was any doubt about the place and use of cyber-attacks by terror organizations, it was dispelled
by the U.S. discovery, during a raid in 2002, of an Al-Qaeda safehouse in Pakistan devoted solely to
training for cyberwarfare and computer hacking. The U.S. officials referred to the suspects arrested
in the safehouse as ‘electronic jihadists.’

For the current purposes, if the purpose of the attack on the computer systems of a State or an
organization is to further some ideological, religious, or political objectives, it will be considered
terrorism. It is also important to note that the focus here is on non-state actors and terror groups. Since
the GWOT encompasses all terrorist acts that fall outside the traditional classification of war, it would
be expected that cyber-terrorism is included within its scope.

This non-empirical assessment has been divided into four parts. The first part gives a brief overview of
the significance of 9/11 and the emergence of the GWOT. This is followed by a quick reflection on the
GWOT and an assessment of the continued use of the ‘GWOT’ metaphor. The third section reviews
cyber-terrorism as the new face of terror. The fourth section assesses the responses of NATO, the EU,
and the U.S. to cyber-terrorism. In so doing, the coherence and the effectiveness of the
current binding international instrument on cyber-terrorism are addressed.

[h]Sept 9/11: the turning point

There is no gainsaying that terrorism is a global phenomenon which transcends every continent.
Cyberterrorism is classed as one of the highest security threats in the world, thus it is always top of the
security agenda for most countries. States put in place counter-terrorism strategies to deal with terrorist
attacks even before they happen. A typical example of this is the United Kingdom’s (U.K.) CONTEST
strategy which is built around four main strands – ‘Pursue,’ ‘Prevent,’ ‘Protect,’ and ‘Prepare’ against
terror attacks.

One could argue that there was no holistic approach to fighting terrorism on the international front
before the 9/11 attacks. That event single-handedly changed the United States (U.S.) and its allies’
attitude to fighting terrorism. On September 11, 2001, nineteen members of Al Qaeda (an international
terrorist organization) hijacked four American commercial aircraft and attacked the World Trade
Centre in New York and the Headquarters of the U.S. Department of Defense (Pentagon). These
attacks resulted in the death of nearly 3000 people with many more severely injured. It should be noted
that Al-Qaeda had in the past committed several terrorist attacks against the U.S., its allies, as well as
civilians, and military targets in other countries before the 9/11 attacks. However, 9/11 was the
deadliest terror attack on U.S. soil which marked a significant turning point in the U.S. approach to
fighting terrorism. President Bush, buoyed by overwhelming support from Americans and its allies,
announced a comprehensive plan to go after Al-Qaeda and every terrorist group of global reach. That
declaration is now commonly referred to as the “global war on terrorism.” The declaration is ‘global’
in the sense that, for the first time in its history, the North Atlantic Treaty Organization (NATO), an
intergovernmental military alliance between twenty-nine European Union Countries, Canada and the
U.S., invoked Article 5, which provides for its members to respond collectively in self-defense when one of
them is attacked. One month after 9/11, the U.S. and its allies began an extensive military campaign
against Al-Qaeda in Afghanistan, marking the beginning of a combined effort by international forces
against terror groups which spanned more than two decades. The initial war aimed at Al Qaeda and
militant Islamists in Afghanistan and Pakistan later extended to other militant groups such as the
Taliban, the Islamic State of Iraq and the Levant (ISIL or IS) and their affiliates in countries like Iraq,
Syria, Yemen and Niger.

The primary goal of the GWOT is to coordinate a single multinational force aimed at fighting
terrorists, together with international cooperation and intelligence sharing between nations for countering
terrorism. This involved large-scale military deployment to countries perceived as harboring terrorists.
Another important aspect of the GWOT is the combined international effort at tracking and
intercepting terrorist funds and the prevention of all forms of terror attacks.

[h]A quick reflection on the GWOT and continued use of the metaphor

As we pause and reflect on the GWOT, questions have been asked about the effectiveness of the war.
One of the most significant discussions on the GWOT over the past two decades is whether the
campaign was a success or a complete failure. The U.S. and its allies’ sudden withdrawal from Kabul
further ignited the question of whether the aim of the war was achieved.

The answer to this question depends on who you ask. On one hand, we have proponents who will argue
that the war has gone a long way in bringing peace to the world. This belief is premised on the
successful prevention of large-scale terrorist attacks on U.S soil and other countries, the toppling of the
Taliban regime in Afghanistan, the dispersal of terror cells and networks, tracking and intercepting
terrorists’ financiers, the arrest or elimination of senior members of terrorist organizations, as well as
collective international collaboration in fighting terrorists.

On the other hand, we have critics who argue that the GWOT was a monumental failure that did not
achieve the desirable result. Other critics argue that failures recorded in the fight against terror
outweigh its successes. As emphasized by Richard Jackson, the GWOT military operations in
Afghanistan and Iraq have greatly increased deep-rooted hatred for America within the region and the
Muslim world at large thereby strengthening the message of militant Islam. The attacks have also
fostered a common cause amongst divided terrorist groups thereby encouraging more terrorist acts.
Another interesting argument put forward by critics is that the GWOT is an excuse for the pursuit of a
larger U.S. agenda for controlling global oil reserves, expanding U.S. and allied forces’ military
presence, and curtailing some regional powers and repressive regimes within the Arab world. Those
who argue that the GWOT was a monumental failure often cite the civil war and sectarian clashes that
followed the overthrow of the regime of Saddam Hussein in 2004. The U.S. had misjudged the power
exercised by Saddam Hussein in holding the country together, albeit through repressive means. The
chaos and civil war that followed the overthrow of the Saddam regime, with thousands of Iraqis killed,
further underlines the failure of the GWOT. In addition, the hurried withdrawal from Kabul and the
rate at which the Taliban took back control of the country after 20 years ultimately confirmed the
failure of the war campaign. Some top politicians from NATO member countries criticized the hasty
withdrawal from Kabul as “the biggest debacle that NATO has suffered since its founding”. The UK
Defense Secretary, Ben Wallace, described the speed at which the Taliban took over Afghanistan as
the “failure of the international community.” Wallace explained that the mission in Afghanistan was
not finished, even after over 20 years.

More objectively, a cursory look at some of the significant successes recorded by the allied forces
during the GWOT campaign includes the killing of top Al-Qaeda leaders and top masterminds of the
9/11 attack like Osama Bin Laden, Ayman Al-Zawahiri, Fazul Abdullah Mohammed, Abdullah
Ahmed Abdullah as well as several other wanted terrorists. More important is the reduction in the
number of terror attacks by international terrorist groups in the U.S. Another significant ‘success’ is the
toppling of the Taliban regime in Afghanistan which protected terrorists and the annihilation of terror
cells across the region. On a global level, it can be argued that the GWOT contributed to a more
peaceful world by reducing violent acts in many countries.

However, these successes came at a huge price, both financially and in terms of the number of lives
lost during the campaign. It is difficult to provide a precise figure of the total number of lives that have
so far been lost because of direct or indirect consequences of the GWOT. Statistics provided by the
Watson Institute for International and Public Affairs suggest that over 937,000 people have died in
post-9/11 war violence. These figures include U.S. military members, allied fighters, journalists,
interpreters, and humanitarian/United Nations (UN) aid workers who were killed because of the war.
The Report estimated that about 3.7 million people were killed indirectly in the post-9/11 war zones,
bringing the total death toll to at least 4.5–4.6 million, so far.

In terms of the financial cost, there has been no official government estimate on the total cost spent on
Post-9/11 military operations. Professor Neta Crawford, however, estimates that about 8 trillion dollars
have so far been spent on post-9/11 war-related military activity by the U.S. alone up until 2022. A huge chunk
of this amount is said to have gone to unknown contractors resulting in massive fraud, wastage and
abuse. There were also reports of massive corruption around overcharging for the fuel supplied to the
U.S. forces by Kellogg, Brown and Root (KBR). Analysts have said that we will still be dealing with
the high societal cost of the wars in Afghanistan and Iraq 20 years from now. Another ‘dark side’ of
GWOT is the extraordinary rendition of individuals to a third country as part of an extensive
interrogation program. Although the U.S. continually denies this, the New York Times reported that
about one hundred and fifty people were captured by the U.S. Central Intelligence Agency (CIA) and
transported to countries where they were tortured.

Whilst the debate continues about the effectiveness of the GWOT and why the war took so long, many
observers have also questioned the relevance of the ‘GWOT’ narrative and its continued usage.

It is interesting to note that the U.K. government was the first to question the use of the term ‘war on
terrorism.’ The UK’s Secretary for International Development, Hilary Benn, in 2007 stated that the UK
would no longer use the phrase ‘war on terror.’ Before this announcement, a memo was leaked to the
Parliamentary Committee on Armed Services advising that they should avoid using colloquial
expressions like ‘global war on terrorism – GWOT’; instead, staff were advised to be specific in their
references to the ‘war in Afghanistan’ or the ‘war in Iraq’ or simply to say ‘ongoing military operations.’
The U.K.’s position was later confirmed by the former Head of the UK intelligence service MI5, Lady Eliza
Manningham-Buller, who argued that the 9/11 attacks were a crime, not an act of war, and therefore the
term ‘war on terror’ was essentially an erroneous terminology.
President Barack Obama rarely used the term ‘GWOT’ throughout his tenure. The GWOT narrative
was also questioned by his administration as not the appropriate description of the military campaign
against terror. A leaked memo from the White House to the Pentagon Defense Department Office of
Review suggested that the Obama administration was not prepared to carry on the use of the term
‘GWOT’, but rather the use of the term ‘Overseas Contingency Operation’. This in itself is symbolic.
If there were any doubts from that memo, a 2013 remark by President Barack Obama at the National
Defense University laid bare a shift in the U.S. approach away from the GWOT. President Obama
openly questioned the strategy adopted by the U.S. during the war. He remarked: “I believe we
compromised our basic values - by using torture to interrogate our enemies and detaining individuals in
a way that ran counter to the rule of law”. Obama stated further that America must define its effort not
as a boundless, “global war on terror,” but rather as a series of persistent, targeted efforts to dismantle
specific networks of violent extremists that threaten America. These remarks signaled a gradual close
of the curtain to the GWOT, with a move towards targeted killings carried out by drones.

To add to that, the U.S. Department of Defense announced in June 2022 that it will stop awarding the
Global War on Terrorism Service Medal hitherto given to all military service members for their efforts
in the military operations in the war. This medal is now only awarded to service members directly
serving in counter-terrorism operations instead of any type of war. These two events signify a new
epoch in the GWOT and a shift in focus by the U.S. Although fighting terrorism remains a priority for
the U.S. government, more efforts are now being channeled away from the GWOT to the Russian war
in Ukraine.

[h]Cyber-terrorism: the new face of terror

There is no doubt that technology plays an important role in contributing to the global socio-economic
order. For decades now, terrorists have used the online space to promote, propagandize, attack, and
even livestream their attacks. Unlike the traditional forms of attack, cyber-attacks can be carried out with
relative anonymity, unless the attacker chooses to reveal their identity. More importantly, the internet
allows terror groups to spread their message to a bigger audience. As Calafato and Carauna argue,
cyber-terrorism has now evolved from being a support strategy to commit an attack to the attack itself.
When President Obama declared in his 2013 address that terrorism ‘has shifted and evolved from the
one that came to our shores in 9/11,’ he was also referring partly to the increased use of automated
attacks by terrorist groups. Cyber-space has become a readily available tool for terrorists to launch
their attacks. The increased use of cyber-attacks as a terrorist tool has heightened the need for an
appraisal of the place of cyber-terrorism within the GWOT.

It was reported as far back as 2008 that hackers and cybercriminals made alliances with drug
traffickers in Afghanistan, where their activities and proceeds were used to support terrorist groups. The
increased use of encryption keys for peer-to-peer traffic has made it difficult to track criminality over
the internet, thereby creating a conducive atmosphere for terrorists to commit their atrocities.

Despite the increased use of the internet as a tool for terror attacks, it appears that there was no holistic
strategy for cyber-terrorism under the GWOT. In other words, cyber-terrorism was not included in the
so-called GWOT strategy. The truth is that cyber-terrorism has simply not been treated the same as
other traditional terrorism despite the physical and serious attacks and disruptions to infrastructure that
could arise from this. The fight against cyber-terrorism has been restricted within the realm of national
and regional responses. This conclusion is premised on the lack of a holistic strategy for cyber-
terrorism and the disagreement amongst the nuclear powers which makes the implementation of any
international strategy on cyber-terrorism a mere paper tiger. Admittedly, the United Nations
has put in place several measures to address cyber-terrorism, including putting together a global
Counter-terrorism Strategy (UNGCTS) and creating the United Nations Office of Counterterrorism
(UNOCT) in 2017 to lead and coordinate all U.N. approaches to preventing and countering terrorism
and violent extremism. Despite all these measures, there is no consensus definition of cyber-terrorism
by the international community, making any law difficult to apply in practice. In
practical terms, States and regional blocs are left to develop their strategies against cyber-terror attacks.
For instance, the UK Cyber Security Strategy presented to Parliament in 2009 refers to the
establishment of a cross-government program to address the country’s strategic cyber security
objectives which include working closely with the wider public sector, industry, civil liberties groups,
the public and with international partners amongst other things. The strategy simply recommends that
the UK work closely with its international partners in addressing this menace without a clear strategy
as to how this will be done. The Report does not specify in plain terms the strategy it would adopt on
the international front in cases of cyber-terrorism. Similarly, the recent UK Government Cyber-security
strategy 2022–2030 also mirrors the 2009 strategy, with no mention of any holistic, international
strategy for cyber-terrorism. The core of the recent strategy rests on public sector organizations,
including government departments, arms-length bodies, agencies, local authorities, and other wider
public sector organizations.

The reason behind the lack of a ‘concrete’ ‘collective’ strategy for cyber-terrorism like what we see
under the ‘GWOT’ by Western countries and the U.S. is simple and not far-fetched. First, cyber-
terrorism is an act committed within cyberspace and the ‘battle’ needs to be on the internet which has
no limits and physical enemies. The cyber-terrorism methods adopted by most countries are therefore
shrouded in secrecy so as not to allow the terrorists or hackers to maneuver their way through the
defenses. More importantly, as the global dependency on digital services and connectivity continues to grow,
new vulnerabilities that threaten the political and economic systems emerge every day. Nations are
therefore extremely careful about sharing sensitive information and data, especially about their national
security. The implications of releasing national security data also raise questions about national
sovereignty and the consequences attached could be far-reaching.

Also, the complexity and vulnerability of sharing online data as well as the potential scope and reach of
online attacks deter countries from collaborating on this issue. In addition, states like China and Russia
are viewed by the U.S. and the West as active actors that engage in mining data of other countries to
assess their weaknesses, influence the activities within the country, or push out their propaganda and
global market strength. Hacking claims by the U.S. against Russia have continued for decades. For
instance, it was alleged that Russia executed several cyber-attacks on 21 U.S. states during the last
election to help Donald Trump win the election. Russia has repeatedly denied the allegations. The U.S.
Department of Justice in 2021 charged four Russians, who worked for the Russian government with
cyber offenses including attempting, supporting, and conducting computer intrusions against the global
energy sector between 2012 and 2018 resulting in the hacking of thousands of computers belonging to
hundreds of companies and organizations in approximately 135 countries. The defendants were
accused of planning to disrupt, if not paralyze, the delivery of critical energy services to hospitals,
homes, businesses, and other locations essential to sustaining communities. The U.S. Deputy Attorney
General Lisa O. Monaco described the accused as “Russian state-sponsored hackers who pose a serious
and persistent threat to critical infrastructure both in the United States and around the world”. On the
other hand, Russia also accuses the U.S. intelligence agencies of hacking thousands of iPhones
belonging to Russian users, including foreign diplomats. The ‘cold war’ between Western countries and
the U.S. on one side and Russia and China on the other has hurt the fight against cyber-terrorism on the
international front. That said, there have been several instances where States have joined forces to
address cyber-attacks. A good example of this was the joint effort by 13 countries, including the UK’s
National Crime Agency, the U.S. Federal Bureau of Investigation (FBI), and Germany’s security agency,
to shut down a prolific ransomware group called HIVE. The law enforcement agencies from these
countries were able to identify the decryption keys used by HIVE and managed to share them with many
of the victims, helping them regain access to their data without paying the cyber criminals. This group
had hitherto extorted more than $100 million in ransom payments within 2 years. In a similar operation,
the UK’s security agency, in an unprecedented operation involving 17 countries, collaborated and
successfully took down Genesis Market, one of the most dangerous marketplaces selling stolen account
credentials to hackers worldwide. This was the first time such a large number of countries had come
together for a cyber/online operation. That operation also resulted in transnational operations across
the globe against the users of this platform, resulting in 119 arrests, 208 property searches and 97
knock-and-talk measures. The significance of the Genesis Market takedown cannot be over-emphasized.
Genesis was a major cyber-criminal marketplace that offered for sale what are referred to as ‘bots’:
victims’ computers and organizations’ devices that had been infected through malware or account
takeover attacks. Upon purchase of the bots, criminals would automatically get access to the victims’
data by using saved logins, cookies, and autofill form data.

What this tells us is that major collaborative efforts against cyber-terrorism might never be revealed
to the public, due to the pervasiveness of the internet, until, perhaps, arrests have been made. This is
almost certainly due to the sophisticated nature of cyber warfare, where bombs and gunfire are not
used; rather, it is a warfare that requires highly trained experts who try to prevent large-scale
disruptions of computer networks and systems. Since there is no holistic strategy under the GWOT that
encompasses cyber-terrorism, it is therefore important to assess how the U.S., the E.U., and NATO
have responded to this. In so doing, some of the challenges and impediments against a holistic strategy
for cyber-terrorism will be highlighted. To be clear, what is discussed below is not included in the
GWOT, but is ancillary to the global war against terrorism. As earlier established, the fight and the
battlefield for cyber-terrorism take place in a completely different sphere - cyberspace.

[h]NATO, the EU, and the U.S. responses to cyberterrorism

As a military alliance at the forefront of the GWOT, NATO’s main priority is to protect its members
from any form of attack. NATO recognized that all threats, including cyberterrorism, are part of its
core assignment of defense and deterrence. In 2016 the organization reaffirmed its defensive mandate
and recognized cyberspace as an area of its operations. NATO’s response to cyber-terrorism is also
enshrined in its collective defense clause as set out in Article 5 of the North Atlantic Treaty - an attack on one
is an attack on all. As earlier mentioned, the only time Art. 5 was triggered was after 9/11. It is almost
impossible for Art. 5 to be triggered because of a cyber-attack on member nations, because cyber-
terrorism is much more complex and difficult in comparison to a bomb blast or drone attack. To
demonstrate its seriousness and readiness against the growing sophistication of cyber threats against its
members, NATO created a Cyberspace Operations Centre in Belgium in 2018. NATO acknowledged
that it must be as effective in cyberspace as it is in the air, on land, and at sea. However, NATO’s
response to cyber-terrorism is different from its response to traditional terrorist attacks. Again, this is
due to the nature of cyber-warfare, which according to the organization requires a comprehensive
approach through unity of effort at the political, military, and technical levels. NATO sees itself as a
platform for its allies to consult politically, exchange national responses and, if possible, consider
collective responses to cyber-terrorism attacks. To achieve this objective, NATO works with the
European Union, the U.N., and the Organization for Security and Co-operation in Europe (OSCE) on
cyber defense, amongst others. NATO also defines targets for Allied countries’ implementation of
national cyber defense capabilities via the organization’s Defense Planning Process. The defense
method and strategy include regular activities such as annual Cyber Coalition exercises, crisis management
exercises, provision of training for dealing with cyber-attacks, and high-level meetings of
military decision-makers. NATO also has several practical tools, including points of contact in all
allied capitals for cases of cyber-attack. These contacts are trained in cyber-defense assistance,
including provisions and response capabilities. Another important strategy used by NATO against
cyber-terrorism is that ‘technical information is also exchanged through NATO’s Malware Information
Sharing Platform, which allows indicators of compromise to be shared rapidly among Allied cyber
defenders, reinforcing the Alliance’s overall defense posture.’ The E.U. and NATO share protected
information relating to cyber responses including best practices for each situation. Both organizations
also have enhanced cooperation in several areas including training, research, and exercises, with
tangible results in countering cyber threats. The Technical Arrangement on Cyber Defense between the
NATO Computer Incident Response Capability (now known as the NATO Cyber Security Centre) and
the Computer Emergency Response Team for the EU institutions, bodies, and agencies (CERT-EU)
provides a framework for exchanging information and sharing best practices between emergency
response teams.

When Estonia became a target of cyber-attack in April 2007, NATO swung into action. NATO and the
U.S. sent experts to the country to help recover data and reinforce their cyber-security capabilities.
After restoring access to the internet, NATO in 2008 established a world-class cyber defense center in
Tallinn, Estonia. This effort made Estonia one of the top countries in cyber defense and cyber-security.

[h]The EU

It is important to note that the European Union was the first regional body to call for a strategy to
address terrorist use of the internet. The European Commission in 2013 approved the creation of the
European Cybercrime Centre (EC3) to function within Europol. The primary aim of the European
Cybercrime Centre is to have a coordinated approach to cyber-attacks and to support its Member States
in establishing operational and analytical capacity for investigating and assisting its international
partners in fighting cyber/online attacks. The EC3 is strategically created to become the central point
for the EU’s fight against cybercrime including cyber-terrorism attacks that could affect critical
infrastructure and information systems of E.U. member states.

On the international front, for the first time an international Convention on Cybercrime, also known as
the Budapest Convention on Cybercrime or the Budapest Convention came into effect in July 2004.
The following year, the Council of Europe’s Convention on the Prevention of Terrorism of 2005 was
passed.

It is important to note that although the Budapest Convention on Cybercrime was drawn up by the
Council of Europe, it has also been ratified by the United
States. The significance of this Convention is that it was the first multilateral legally binding
international instrument for the international community to address cybercrime with powers and
procedures for computer network searches and interceptions. So far 68 countries have ratified the
Convention. However, countries like Russia and China have refused to ratify the Convention. Russia
argues that adopting the Convention would violate its sovereignty and the rights of its citizens. Besides
the ‘cold war’ earlier alluded to, Russia’s main concern is that ratifying the Convention will give
agencies like the FBI covert power to come to the country for searches. President Putin was still pointing
to the transborder search of Russian computers by the FBI during the investigation of two Russian
citizens, Alexey Ivanov and Vasily Gorshkov, in 2001, hence the reference by Russia to its citizens’
rights. Another nuclear power that has refused to sign the Convention is India. India’s main reservation
is that they were not included during the drafting process of the Convention and have also raised some
concerns about sharing their data with Western countries. Apart from that, the biggest obstacle under
the Budapest Convention is the provision of Art. 32(b), which permits a party to the Convention to
only ‘access or receive, through the computer system in its territory, stored computer data located in
another party, if the Party obtains lawful and voluntary consent of the person who has the lawful
authority to disclose the data to the Party through that computer system.’
The implication of Art. 32(b) is that consent must be given voluntarily. This could engage
sovereignty and create a lot of political disputes amongst countries that have ratified the Convention,
especially given the risk associated with allowing security agents from another country to access or
search the computer system of their country. This provision could also potentially engage the domestic
laws of signatories. Another lacuna in the Budapest convention is the lack of a clear statement
regarding mutual assistance from signatories. Although the Convention obliges parties to cooperate in
the best possible way, it does not impose an immediate obligation to offer information. All these raise
questions about the effectiveness of the Convention, especially its enforcement in practice.

[h]The U.S.A.

As the world leader in the fight against terrorism under the GWOT, the U.S. also plays a leading role in
the fight against cyber-terrorism. Most of the counter-cyber-terrorism operations highlighted in this chapter
involved the direct contribution of U.S. agents. In addition to spearheading the GWOT as well as
cyber-terrorism prevention, the U.S. has made several contributions both domestically and on
the international front. To better respond to cyber threats, President Obama signed an Executive Order
that gives the U.S. powers to impose sanctions on cyberterrorism. The Executive Order authorizes the
Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to
impose sanctions on individuals or entities that engage in significant malicious cyber-enabled activities
that are reasonably likely to result in, or have materially contributed to, a significant threat to the
national security, foreign policy, or economic health or financial stability of the United States. On the
domestic front, the US Department of Defense (DoD) deals with cyberterrorism and protecting its
information grid. For instance, the U.S. created the Air Force Cyber Command (AFCYBER command)
in 2008 to assist the DoD in preserving U.S. cyberspace from all forms of cyber-attack. In 2021
President Biden announced a new Executive order to improve U.S. cyber security. The new Executive
order has 10 comprehensive strategies for defending the U.S. against cyber-attacks.

The U.S. has also imposed comprehensive sanction packages against more than a dozen Russian-
speaking cyber criminals who targeted institutions across the world, including the NHS during the
height of the pandemic. As global dependency on digital services and connectivity grows, the U.S.
continues to assist countries hit by cyber-attacks. The measures in the 2021 Executive Order include
improving the detection of cybersecurity vulnerabilities and incidents on Federal Government networks,
establishing a Cyber Safety Review Board, and modernizing Federal Government cybersecurity, amongst others.

Besides the measures, sanctions, and judicial intervention that are shared with the public, much of the
details and methods used by the U.S. in countering cyber-terrorists are kept secret for obvious reasons.

chapter 3: UAV Reconnaissance and Surveillance


[mh]Data Collection Techniques and Technologies

In today’s world, users are highly dependent on cyberspace to perform all day-to-day activities.
With the widespread use of Internet technology, cloud computing plays a vital role by providing
services to the users. Cloud computing services enable vendors (Amazon EC2, Google, etc.) to provide
on-demand services (e.g., CPU, memory, network bandwidth, storage, applications, etc.) to the users
by renting out physical machines at an hourly basis or by dynamically allocating virtual machine (VM)
instances and software services. Cloud computing moves application software and databases to large
data centers, where the outsourcing of sensitive data and services is not inherently trustworthy. This poses various
security threats and attacks in the cloud. For instance, attackers can use stolen employee login credentials to
access a cloud account remotely. Besides attacking cloud infrastructure, adversaries
can also use the cloud to launch an attack on other systems. For example, an adversary can rent
hundreds of virtual machine (VM) instances to launch a distributed denial-of-service (DDoS) attack. A
criminal can also keep secret files such as child pornography, terrorist documents, etc. in cloud storage
so that their own devices remain clean. To investigate such crimes involving the cloud, investigators have to carry out
forensic investigations in the cloud environment. This gives rise to the need for cloud forensics, which is a
subset of network forensics. Cloud forensics is the application of scientific principles, practices, and
methods to reconstruct events through the identification, collection, preservation, examination, and
reporting of digital evidence. Evidence can reside anywhere in the cloud, and it is more complex to
identify the traces located in the cloud server.

The advancement of new technologies, frameworks, and tools enables the investigator to identify the
evidence from trusted third parties, that is, the cloud service provider (CSP). There are numerous
techniques in cloud forensics that arise on the basis of cloud service models and deployment models.
In the Software as a Service (SaaS) and Platform as a Service (PaaS) models, the customer does not
have any control of the hardware and they need to depend on CSP for collecting the evidence, whereas,
in the case of Infrastructure as a Service (IaaS) model, customers can acquire the virtual machine (VM)
image and logs.

The forensic examiner isolates the attacked system in the virtualized environment by segregating and
protecting the information from a hard disk, RAM images, log files, etc. This evidence is analyzed
based on the artifacts of the attack traces left by the attacker. The forensic investigator relies on finding
a series of information such as where, why, when, by whom, what, and how the attack happened. This
chapter details the challenges in cloud forensics and also details the data collection techniques in the
cloud.

[h]Types of forensics

The forensic process is initiated after the crime occurs as a post-incident activity. It follows a set of
predefined steps to identify the source of evidence. It is categorized into five groups, namely digital
forensics, network forensics, Web forensics, cloud forensics, and mobile forensics.

 Digital forensics: According to National Institute of Standards and Technology (NIST)
standards, it is the application of science to the identification, collection, examination, and
analysis of data while preserving the integrity of the information and maintaining a strict chain
of custody for the data.
 Network forensics: It identifies and analyzes the evidence from the network. It retrieves
information on which network ports are used to access the information.
 Web forensics: It identifies the evidence from the user history, temporary log files, registry, chat
logs, session log, cookies, etc. as digital crimes occur on the client side with the help of Web
browser.
 Cloud forensics: It is the application of digital forensics in the cloud and it is a subset of
network forensics. It is harder to identify evidence in cloud infrastructure since the data are
located in different geographical areas. Some examples of evidence sources are system log,
application log, user authentication log, database log, etc.
 Mobile forensics: It is the branch of digital forensics that identifies evidence from mobile
devices. The evidence is collected from the mobile device as call history, SMS, or from the
memory.

[h]Cloud forensic process flow

The cloud forensic process flow is shown in Figure and is described as follows:

• Identification: The investigator determines whether a crime has occurred or not.
• Evidence collection: The investigator identifies the evidence from the three cloud service models
(SaaS, IaaS, and PaaS). In the SaaS model the VM information of each user is monitored by accessing
log files such as the application log, access log, error log, authentication log, transaction log, data
volume, etc. In the IaaS model the system-level logs, hypervisor logs, raw virtual machine files,
unencrypted RAM snapshots, firewalls, network packets, storage logs, backups, etc. are monitored. In
the PaaS model the evidence is identified from application-specific logs accessed through an API,
patches, operating system exceptions, malware software warnings, etc.
• Examination and analysis: The analyst inspects the collected evidence and merges, correlates, and
assimilates the data to produce a reasoned conclusion. The analyst examines the evidence in the physical
as well as the logical files where it resides.
• Preservation: The information is protected from tampering. The chain of custody must be maintained
for the preserved log files, since the information is located in different geographical areas.
• Presentation and reporting: The investigator prepares an organized report stating the findings about
the case.

Figure. Cloud forensic process flow.

[h]Evidence collection

Evidence collection plays a vital role in identifying and accessing data from various sources in the cloud
environment for forensic investigation. The evidence is no longer stored on a single physical host; the
data are distributed across different geographical areas, so if a crime occurs it is very difficult to
identify the evidence. Evidence is collected from sources such as routers, switches, servers, hosts, VMs,
and browser artifacts, and from internal storage media such as hard disks, RAM images, physical
memory, etc., which are under forensic investigation. Evidence is also collected through the analysis of
log files, cloud storage data collection, Web browser artifacts, and physical memory analysis.

[h]Cloud log analysis

Logging is a security control that helps to identify operational issues, incident violations, and
fraudulent activities. Logging is mainly used to monitor the system and to investigate various kinds of
malicious attacks. Cloud log analysis helps to identify the source of evidence generated by devices such
as routers, switches, servers, and VM instances, and by other internal components, namely hard disks,
RAM images, physical memory, log files, etc., at different time intervals. Information about the different
types of attacks is stored in various log files, such as application logs, system logs, security logs, setup
logs, network logs, Web server logs, audit logs, VM logs, etc., which are described as follows:

• Application log: created by developers by inserting logging events in the program. Application logs
help system administrators understand the state of an application running on the server.
• System log: contains the date and time of log creation, the type of message (debug, error, etc.),
system-generated messages related to the occurrence, and the processes affected by the event.
• Firewall log: provides information on source-routed packets, rejected IP addresses, outbound activity
from internal servers, and unsuccessful logins.
• Network log: contains detailed information on events that happened on the network, including
malicious traffic, packet drops, bandwidth delays, etc. The network administrator monitors and
troubleshoots daily activity by analyzing network logs for intrusion attempts.
• Web server log: records entries for the Web pages served by the Web server. Each entry contains the
page requested, the client IP address, date and time, HTTP status code, and bytes served for the request.
• Audit log: records unauthorized access to the system or network in sequential order. It assists security
administrators in analyzing malicious activity at the time of the attack. Audit log entries include source
and destination addresses, user login information, and a timestamp.
• VM log: records information specific to the instances running on the VM, such as startup
configuration, operations, and the time at which a VM instance finishes execution. It also records the
number of instances running, the execution time of each application, and application migration, to help
the CSP find malicious activity that happened during the attack.

As network usage grows and new software is released in the cloud, the number of vulnerabilities and
attacks in the cloud increases, and these attacks are reflected in various log files. Application layer
attacks are reflected in logs such as the access log, network log, authentication log, etc., and also in the
log file traces stored on the Apache server. These logs are used in forensic examination to detect
application layer attacks. Table indicates the various attack information and the tools used for log
analysis of different types of attacks. Figure shows a sample access log trace.

• Sample Network Log Entry

SNMP trap udp 03/12–15:14:09.082119 192.168.1.167:1052 - > 172.30.128.27:162 UDP
TTL:118 TOS:0x0 ID:29101 IpLen:20 DgmLen:87.

• Sample Firewall Log Entry

03/12/2015 8:14:07 AM,"Rule ““Block Windows File Sharing”“ blocked ).”,"Rule ““Block
Windows File Sharing”“ blocked ). Inbound TCP connection. Local address,service is
,netbios-ssn(139)). Remote address,service is. Process name is ““System”“.”

03/12/2015 9:04:04 AM,Firewall configuration updated: 398 rules., Firewall configuration
updated: 398 rules.

• Sample Syslog Entries

Mar 1 06:25:43 server1 sshd: Accepted publickey for server2 from 172.30.128.115 port 21,011 ssh2.

Mar 1 07:16:42 server1 sshd: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2.

Mar 1 07:16:53 server1 sshd: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed
- POSSIBLE BREAKIN ATTEMPT!

Mar 1 07:26:28 server1 sshd: Accepted public key for server2 from 172.30.128.115 port 30,606 ssh2.

Mar 1 07:28:33 server1 su: BAD SU kkent to root on /dev/ttyp2.

Mar 1 07:28:41 server1 su: kkent to root on /dev/ttyp2.

| Types of log | Attacks | Tools for log analysis |
|---|---|---|
| DMesg log | Not a log file as such, but used for determining anomalous activity from recent bots. | — |
| Debugging log | Stack tracing to determine the nature of application- and service-based attacks. | — |
| Firewall log | Direct method for auditing the firewall. | Event Log Analyzer, event logging and monitoring services |
| System log | Determines if someone is trying or has executed a buffer overflow. | Syslog-ng, Log & Event Manager |
| Network log | Determining Web-based attacks and DDoS attacks. | Splunk, Log4j2 |
| Web server access log | Determining Web-based attacks (XSS, XSRF, SQLI), remote file inclusion, local file inclusion, and flooding attacks. | Nihuo Web Log Analyzer |
| Web server error log | Determining Web-based attacks. | Nihuo Web Log Analyzer |
| VM log | Determining hypervisor-related attacks. | Virtual Machine Log Auditor, JVM controller |
| Authentication log | Auditing of attacks on credentials and determining unauthorized access. | |
| Audit log | Determining unauthorized user access to the system and network. Includes destination addresses, user login information, and timestamp. | WP Security Audit Log, auditpol.exe |
| Database log | Determining database-related attacks. | Splunk, Nihuo Web Log Analyzer |

Table. Different types of logs, attacks, and the log analysis tool.
Figure. Sample access log trace as evidence.

| S. No. | Fields | Value | Description |
|---|---|---|---|
| 1 | Remote host | 10.1.3.122 | IP address of the HTTP user who makes the HTTP resource request |
| 2 | Rfc931 | — | Identifier used to determine the client |
| 3 | Username | — | User name or user id used for authentication |
| 4 | Date: time timezone | [17-Mar-2015:10:49:33 +530] | Date and timestamp of the HTTP request |
| 5 | HTTP request | GET /scripts/root.exe?/c+dir/ HTTP/1.0 | HTTP request containing (a) the HTTP method, GET; (b) the requested resource, /scripts/root.exe?/c+dir/; and (c) the HTTP protocol version, 1.0 |
| 6 | Status code | 200 | Status of the HTTP request, i.e., success or failure |
| 7 | Bytes | 578 | Number of bytes of data transferred during the HTTP request |
| 8 | Referral URL | https://www.nitt.edu/OLCLD/view.php?q=book/ | Referrer header of the HTTP request (containing the URL of the page from which this request was initiated) if present, and “-” otherwise |
| 9 | User agent | Mozilla/4.08 [en] (Win98; I; Nav) | Browser identification string |

Table. Description of the access log format.
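As an added example (not code from the chapter), the following Python triages access-log and syslog lines of the kinds shown above: it splits each access-log entry into the nine fields of the table, matches the requested resource against indicators for the attack classes listed in the log table, and flags the sshd and su messages of the syslog sample. All log lines and the indicator patterns are constructed for the example and are illustrative, not a complete signature set.

```python
"""Added example (not from the chapter): triage of Web server access-log and
syslog entries of the kinds shown above. All log lines below are constructed
for the example; the indicator patterns are illustrative, not a complete
signature set."""
import re
from collections import Counter
from urllib.parse import unquote

# Combined Log Format: the nine fields of the access-log table above.
CLF = re.compile(
    r'^(?P<remote_host>\S+) (?P<rfc931>\S+) (?P<username>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)")?$'
)

# Request-line indicators for the attack classes listed in the log table.
REQUEST_INDICATORS = {
    "command execution": re.compile(r"(root|cmd)\.exe|/c\+", re.I),
    "path traversal/LFI": re.compile(r"\.\./|/etc/passwd", re.I),
    "remote file inclusion": re.compile(r"=(https?|ftp)://", re.I),
    "sql injection": re.compile(r"union\s+select|'\s*or\s+'?1'?\s*=\s*'?1", re.I),
    "cross-site scripting": re.compile(r"<script|javascript:|onerror=", re.I),
}

# BSD syslog line: "Mon DD hh:mm:ss host program[pid]: message".
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Message patterns of the kinds in the syslog sample above.
SYSLOG_INDICATORS = [
    ("failed su to another user", re.compile(r"^BAD SU \S+ to \S+")),
    ("reverse DNS mismatch", re.compile(r"POSSIBLE BREAK-?IN ATTEMPT")),
    ("password-based SSH login", re.compile(r"^Accepted password for \S+ from \S+")),
]

def parse_access_line(line):
    """Split one access-log line into the table's fields; None if malformed."""
    m = CLF.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"], rec["resource"], rec["protocol"] = (parts + ["", "", ""])[:3]
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def classify_request(rec):
    """Attack classes whose indicator matches the raw or URL-decoded resource."""
    target = rec["resource"] + " " + unquote(rec["resource"])
    return [name for name, rx in REQUEST_INDICATORS.items() if rx.search(target)]

def triage(access_lines, syslog_lines):
    """Run both parsers; return the findings and a hit count per remote host."""
    findings, by_host = [], Counter()
    for n, line in enumerate(access_lines, 1):
        rec = parse_access_line(line)
        if rec is None:
            findings.append({"source": "access", "line": n, "classes": ["unparseable"]})
            continue
        classes = classify_request(rec)
        if classes:
            findings.append({"source": "access", "line": n, "host": rec["remote_host"],
                             "classes": classes, "resource": rec["resource"]})
            by_host[rec["remote_host"]] += 1
    for n, line in enumerate(syslog_lines, 1):
        m = SYSLOG.match(line.strip())
        if not m:
            findings.append({"source": "syslog", "line": n, "classes": ["unparseable"]})
            continue
        classes = [name for name, rx in SYSLOG_INDICATORS if rx.search(m["msg"])]
        if classes:
            findings.append({"source": "syslog", "line": n, "host": m["host"],
                             "classes": classes, "message": m["msg"]})
    return findings, by_host

# Constructed samples in the formats of the access-log table and syslog sample.
ACCESS_SAMPLE = [
    '10.1.3.122 - - [17/Mar/2015:10:49:33 +0530] "GET /scripts/root.exe?/c+dir HTTP/1.0" '
    '200 578 "-" "Mozilla/4.08 [en] (Win98; I; Nav)"',
    '10.1.3.122 - - [17/Mar/2015:10:49:35 +0530] "GET /index.php?page=http://bad.example/sh.txt '
    'HTTP/1.1" 404 210 "-" "curl/7.64.1"',
    '192.0.2.7 - alice [17/Mar/2015:10:50:01 +0530] "GET /view.php?q=book HTTP/1.1" 200 4032 '
    '"https://www.example.com/" "Mozilla/5.0"',
    '192.0.2.9 - - [17/Mar/2015:10:51:12 +0530] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E '
    'HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]
SYSLOG_SAMPLE = [
    "Mar  1 07:16:42 server1 sshd[2031]: Accepted password for bob from 10.20.30.108 port 1070 ssh2",
    "Mar  1 07:16:53 server1 sshd[2040]: reverse mapping checking getaddrinfo for h.example "
    "failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Mar  1 07:26:28 server1 sshd[2055]: Accepted publickey for server2 from 172.30.128.115 port 30606 ssh2",
    "Mar  1 07:28:33 server1 su: BAD SU kkent to root on /dev/ttyp2",
    "Mar  1 07:28:41 server1 su: kkent to root on /dev/ttyp2",
]

if __name__ == "__main__":
    for finding in triage(ACCESS_SAMPLE, SYSLOG_SAMPLE)[0]:
        print(finding)
```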

[h]Evidence collection from cloud storage

This is the process of collecting evidence from cloud storage such as Dropbox, Microsoft SkyDrive,
Google Drive, etc., using the Web browser and also by downloading files using existing software tools.
It helps to identify illegal modification or access of cloud storage during the uploading or downloading
of file contents to the storage media, and also checks whether the attacker altered the timestamp
information in the user's accounts. The Virtual Forensic Computing (VFC) tool is used by forensic
investigators to identify evidence from the VM image file. The evidence is accessed for each account
using the Web browser running in the cloud environment by recording the encoded value of the VM
image. Packets are captured with network packet tools, namely Wireshark, snappy, etc., for each VM
instance running on the hosts. The account information is synchronized and downloaded using the client
software of each device, which is used to identify the source of evidence. The evidence is isolated from
the files found in the VM under “C:\Users\\ Dropbox\” for Dropbox, as shown in Figure. The zip file
contains the name of the folder, which can be accessed via the browser to determine the effect of a
timestamp in a drive. If an attacker modifies the contents of a file, the evidence is found by analyzing
the VM hard drive, the history of files stored in the cloud, and also the cache. It can also be analyzed
by computing the hash value of the VM image. The evidence of Google Drive cloud storage is depicted
in Figure.

Figure. Dropbox evidence.

Figure. Google Drive evidence.

[h]Evidence collection via a Web browser

Clients communicate with the server in the cloud environment through a Web browser to perform
various tasks, namely checking email and news, online shopping, information retrieval, etc. Web
browser history is therefore a critical source of evidence. The evidence is found by analyzing the URLs
in the Web browser history, timeline analysis, user browsing behavior, and URL encoding, and is also
recovered from deleted information.

Similarly, the evidence stored in the Web browser cache at the root directory of a Web application is
used to identify the source of an attack. Table indicates the evidence collection process and recovery
method for various Web browsers.

| Web browser | Information to be analyzed | Tools for forensic investigation | Recovery method for evidence identification |
|---|---|---|---|
| Internet Explorer | Index.dat, History, Cache, Cookies | Pasco, Web historian 6.13, Index.dat analyzer 2.5, Net analysis 1.52, Encase 6.3, FTK 3.3, WEFA | Recovery from internet files; analyzing the index.dat files for weekly/daily history; recovery of the evidence from the index.dat file through the carving method; recovery from cookies |
| Google Chrome | Bookmark history, Bookmark downloads, Cookies, List of search words | Chrome analysis 1.0, Net analysis 1.52, Cache back 3.17, WEFA | Recovery of session file through the carving method |
| Mozilla Firefox | Cache, History, Cookies, Download list, Bookmarks | Firefox forensic 2.3, Net analysis 5.2, Cache back 3.17, Encase 6.3, FTK 3.3, WEFA | Recovery of cache files and history |
| Safari | History, Cache, Cookies | Web historian 6.13, Net analysis 1.52, Cache back 3.17, Encase 6.3, FTK 3.3, WEFA | Recovery of session files, cookies |
| Opera | History, Cache, Cookies, Bookmarks | Web historian 6.13, Net analysis 1.52, Cache back 3.17, Encase 6.3, WEFA | Recovery of cookies |

Table. Evidence collection process and recovery method for different Web browsers.

An example is a Chrome forensic tool that captures and analyzes data stored by the Google Chrome Web
browser. It analyzes the data from the history, web logins, bookmarks, cookies, and archived history. It
identifies the evidence from C:\Users\USERNAME\Appdata\Local\Google chrome\UserData\Default.
Figure depicts the Google Chrome analysis forensic tool.

Figure. Chrome forensic analysis tool.
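To show the timeline analysis and timestamp checks the text mentions, here is an added example (not the chapter's or any tool's code) that reads a Chrome-style History database: it orders visits chronologically with their referring page and lists URLs whose stored last-visit time disagrees with their visit rows. The schema is a simplified subset of Chrome's History SQLite file and the rows are constructed; both are assumptions of this example.

```python
"""Added example (not from the chapter): timeline extraction and a timestamp
consistency check over a Chrome-style History database. The schema below is
a simplified subset of Chrome's and the rows are constructed (assumptions);
a real History file is an SQLite database copied out of the profile folder."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def utc_to_webkit(dt):
    """Inverse of webkit_to_utc; timedelta floor division keeps it exact."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def build_sample_history():
    """Constructed in-memory History database with the simplified schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER);
    """)
    t0 = datetime(2015, 3, 17, 5, 19, 33, tzinfo=timezone.utc)
    # (url id, url, title, visit time, id of the referring visit or None)
    visits = [
        (1, "https://www.example.com/login", "Sign in", t0, None),
        (2, "https://www.example.com/view.php?q=book", "Book", t0 + timedelta(seconds=40), 1),
        (3, "https://drive.example/home", "Cloud drive", t0 + timedelta(minutes=2), 2),
    ]
    for visit_id, (url_id, url, title, ts, from_visit) in enumerate(visits, 1):
        db.execute("INSERT INTO urls VALUES (?, ?, ?, 1, ?)",
                   (url_id, url, title, utc_to_webkit(ts)))
        db.execute("INSERT INTO visits VALUES (?, ?, ?, ?)",
                   (visit_id, url_id, utc_to_webkit(ts), from_visit))
    # Deliberate inconsistency: last_visit_time of url 3 backdated by one day,
    # the kind of altered timestamp the text says an investigator checks for.
    db.execute("UPDATE urls SET last_visit_time = ? WHERE id = 3",
               (utc_to_webkit(t0 - timedelta(days=1)),))
    db.commit()
    return db

def timeline(db):
    """Visits in chronological order as (UTC ISO time, url, referring url or None)."""
    query = """
        SELECT v.visit_time, u.url, p.url
        FROM visits v
        JOIN urls u ON u.id = v.url
        LEFT JOIN visits pv ON pv.id = v.from_visit
        LEFT JOIN urls p ON p.id = pv.url
        ORDER BY v.visit_time
    """
    return [(webkit_to_utc(t).isoformat(), url, ref) for t, url, ref in db.execute(query)]

def inconsistent_urls(db):
    """Ids of urls whose last_visit_time disagrees with their latest visit row."""
    query = """
        SELECT u.id FROM urls u
        JOIN (SELECT url, MAX(visit_time) AS latest FROM visits GROUP BY url) m
          ON m.url = u.id
        WHERE u.last_visit_time != m.latest
        ORDER BY u.id
    """
    return [row[0] for row in db.execute(query)]

if __name__ == "__main__":
    history = build_sample_history()
    for when, url, referrer in timeline(history):
        print(when, url, "<-", referrer)
    print("urls with inconsistent timestamps:", inconsistent_urls(history))
```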

[h]Physical memory analysis

Physical memory analysis can recover traces of cloud computing usage that would otherwise be lost
without passive monitoring, such as network socket information, encryption keys, and in-memory
databases. They are analyzed from the physical memory dump using the “pslist” function, which
recovers the process name, process identifier, parent process identifier, and process start time. The
processes can be distinguished by their process names, “exe” on Windows and “sync” on Ubuntu and
Mac OS. Table indicates the evidence collection process for cloud forensics in cloud storage and cloud
log analysis.

| Forensic analysis framework | Evidence collection for cloud storage | Evidence collection for cloud log analysis |
|---|---|---|
| Evidence identification | Identification of evidence from cloud storage (Dropbox, iCloud, SkyDrive, Google Drive, etc.) and also from user account information | Identification of evidence from cloud log files |
| Evidence collection | Collecting the evidence from the VM image to access the cloud storage account, using packet analysis tools such as Ethernet cap, Wireshark, Burp Suite, etc. to capture packets between the client and server. Collecting evidence from the VM browser, such as Google Chrome, Chromium, Internet Explorer, Apple Safari, Mozilla Firefox, etc. Collecting the evidence from cloud storage, namely the user account and password. Collecting the evidence from the client software to access the VM hard drive and to synchronize the user account to retrieve the files and folders in the VMs | Collecting the evidence from various sources in the VM as log files, namely the network log, access log, authentication log, error log, database log, etc., and through network analysis tools such as Wireshark, Snort, Snappy, Burp Suite, etc. |
| Evidence analysis | Identifying patterns from the evidence collection process to determine the source of attacks in the cloud environment | Determining the attack patterns from cloud log files and analyzing these patterns using a cloud traceback mechanism to identify the source of evidence |
| Evidence presentation and reporting | The forensic investigator examines the evidence and presents it in court | Identifying the evidence from the analysis and reporting the evidence |

Table. Evidence collection process for cloud forensics.


[h]Cloud forensics challenges

This section elucidates the forensic challenges in private and public cloud. It is observed from the
literature that most of the challenges are applicable to the public cloud while fewer challenges are
applicable to the private cloud environment.

[h]Accessibility of logs

Logs are generated in different layers of the cloud infrastructure. System administrators require
relevant logs to troubleshoot the system, developers need logs to fix errors, and forensic investigators
need relevant logs to investigate the case. With the help of an access control mechanism, the logs can
be acquired by all the parties, that is, the user, the CSP, and the forensic investigator.

[h]Physical inaccessibility

The data are located on hardware devices in different geographical areas. It is difficult to gain
physical access to these resources since the data reside with different CSPs, and it may be impossible
to collect the evidence from the configured device. In a private cloud environment, all the devices can
be acquired immediately after an incident, since the organization has full control over the resources.
The same methods cannot be used to access the data in a public cloud environment.

[h]Volatility of data

Data stored in a VM instance in the cloud are lost when the VM is turned off. This leads to the loss of
important evidence such as syslog, network logs, registry entries, and temporary Internet files, so it is
important to preserve a snapshot of the VM instance in order to retrieve the logs from terminated VMs.
An attacker can launch an attack and then turn off the VM instance, so that these traces are unavailable
for forensic investigation.

[h]Identification of evidence at client side

Evidence is identified not only on the provider's side but also on the client side. The user
communicates with other clients through the Web browser. An attacker sends malicious programs with
the help of a Web browser that communicates with third parties to access the services running in the
cloud, which in turn can destroy all the evidence in the cloud. One way of collecting the evidence is
from the cookies, user agent, etc., but it is difficult to obtain all the information since the client-side
VM instances are geographically distributed.

[h]Dependence of CSP trust

Consumers depend entirely on CSPs to acquire the logs for investigation. The problem arises when
CSPs do not provide valid information about the data that resides on their premises to the consumer.
CSPs also sign agreements with other CSPs to use their services, which in turn can lead to loss of
confidential data.

[h]Multitenancy

In cloud infrastructures, multiple VMs share the same physical infrastructure, that is, the logs are
distributed across various VMs. The investigator needs to present the logs in court to prove the
malicious activities originating from the different service providers, while also preserving the privacy
of the other tenants.

[h]Decentralization

In cloud infrastructures, the log information is located on different servers since they are
geographically distributed. Multiple users' log information may be collocated or spread across several
layers and tiers in the cloud. The application log, network log, operating system log, and database log
produce valuable information for a forensic investigation. The decentralized nature of the cloud makes
log synchronization a challenge.

[h]Absence of standard format of logs

Logs are available in heterogeneous formats from the different layers of a cloud at the CSP. The logs
provide information such as by whom, when, where, and why an incident occurred. The lack of a
standard format is an important bottleneck in providing a generic solution for all CSPs and all types of
logs. Table indicates the survey of literature that deals with the challenges of cloud forensics, mainly
for the evidence collection process.

| Authors | Discussion | Forensic process |
|---|---|---|
| Sang et al. | Log accessibility for SaaS & PaaS | Evidence collection |
| Zawood et al. | Focus on the integrity of log files | Evidence collection |
| Dystra et al. | Log collection and accessibility of logs | Evidence collection |
| Thorpe et al. | VM kernel logs for forensic investigation | Log contention |
| Boeck et al. | Confidentiality and log integrity | Evidence collection |
| Zaferulla et al. | Uses Eucalyptus logs for forensic investigation | Evidence analysis |
| Marty et al. | Collection of logs from different cloud components | Log retention |
| Sibiya et al. | Uses data mining techniques to collect logs for forensic investigation | Evidence collection |
| Patrascu et al. | Collection of specific logs | Evidence collection |
| Nakahara et al. | Evidence identification from different types of logs | Evidence collection and log retention |

Table. Challenges of cloud forensics.

[h]Open research problems in cloud forensics

Many researchers have proposed various solutions to mitigate the challenges of cloud forensics. Some
researchers have proposed new approaches to test the attacks in a real-time environment, but CSPs
have not adopted the proposed solutions yet. Customers and investigators rely on the CSP to collect the
necessary logs since they do not have direct physical access; they depend on the CSP to collect
information from the registry, hard disk, memory, log files, etc. Even though various forensic
acquisition processes have been proposed, the dependence on the CSP remains unsolved. Another
critical issue is the usage of bandwidth resources: if the volume of cloud storage to be acquired is large,
more bandwidth is consumed. Insufficient work has been done to preserve the chain of custody and to
secure provenance. There is no ideal solution for cybercrime scene reconstruction and preservation of
evidence. A further critical issue is the modification of existing forensic tools, which may lose
evidence. Some researchers have proposed logging as a service to provide confidentiality, integrity, and
authentication, but this solution is not suitable for the IaaS cloud.

chapter 4: Offensive UAV Operations in Cyberspace


[mh]Weaponization of UAVs: Current Capabilities

In recent years, unmanned aerial vehicles (UAVs) have become a powerful tool for diverse missions,
including transportation of polymerase chain reaction (PCR) samples between hospitals and
laboratories, UAV-based healthcare systems to control the COVID-19 pandemic, infectious disease
containment and mitigation, traffic condition analysis in cooperation with deep learning approaches,
and human behavior understanding via real-time multimedia data analytics, to name a few. Currently,
the integration of UAVs with emerging technologies such as blockchain, the internet of things, cloud
computing, and artificial intelligence can pave the way to serve mankind more effectively than in the
recent past. Further, because UAVs can perform operations in 3D (dull, dirty, and dangerous)
environments, they can play a vital role in the realization of smart cities. Furthermore, UAVs are an
indispensable tool during emergency planning and disaster management owing to their ability to
perform missions aerially. Besides the applications cited above, they can be highly beneficial for
military purposes including information collection and analysis, border surveillance, and transporting
warfare items. The role of UAVs in agriculture from multiple perspectives has already been recognized
across the globe. Recently, the world's leading commerce company (i.e., Amazon) has started using
UAVs for delivering products to customers. Generally, the use of UAVs is expected to rise in many
emerging sectors in the near future. We present actual and innovative uses of UAVs during the ongoing
pandemic in Figure. The majority of the applications given in Figure employed multiple UAVs in order
to accomplish the desired tasks.

Figure. Innovative applications of the UAVs during the ongoing pandemic.

Although UAVs are highly beneficial for mankind through their innovative applications, there exist
plenty of challenges that can hinder their use at a wider scale. For example, payload constraints and
power issues can limit their carrying ability. Similarly, decision making during flight to ensure UAV
safety by avoiding obstacles with sufficient accuracy is a non-trivial task, mainly because there is no
human on board to exercise control. Furthermore, communication over long distances and coordination
among multiple UAVs performing complex tasks jointly are major barriers to the true realization of
UAV technology. Besides the challenges and issues given above, many issues concerning software and
hardware also exist that need rigorous development and testing. Many solutions have been proposed to
address these issues via cross-disciplinary approaches. Meanwhile, extensive testing and analysis of
these solutions is yet to be explored, especially in urban environments. In this chapter, we mainly focus
on ‘navigation’, which is one of the core challenges in UAV technology. The navigation quandary is
classified into three cases: (i) where am I now?, (ii) where do I go?, and (iii) how do I get there? The
first two cases belong to localization and mapping, and the third is about path planning (PP). In this
work, we cover the third case comprehensively and provide concepts and developments in this regard.
We present a comprehensive overview of the changing dynamics of UAV applications in recent times,
the challenges of UAV technology, recent developments in UAV technology, and future research trends
in the PP area in Figure. With this concise overview, we aim to help researchers extract the contents of
this chapter conveniently.

Figure. Overview of changing dynamics of the UAV applications, challenges, recent developments,
and future research trends in the PP area.

The rest of this chapter is structured as follows. Section 2 discusses the basic concept of the path
planning, and categorizes the path planning approaches based on the information available about
underlying environment, and UAV used for the aerial mission. Section 3 describes the three essential
components of the PP. Section 4 critically analyzes various approaches that were proposed to lower the
computing time of the PP for UAVs. The future prospects of the research in the PP area are discussed
in Section 5. Finally, this chapter is concluded in Section 6.

[h]Path planning and categorization of the path planning approaches

PP is to find a safe (i.e., collision-free) path between two pre-determined locations (e.g., source and
destination, denoted by s and t, respectively) while optimizing certain performance objectives. The
performance objectives can be energy consumption, computing time, distance, path smoothness, turns,
etc., depending upon the mission type, operating environment, and type of UAV. The most important
part of the PP is to identify the environment in which the pathfinding is carried out for UAVs. In this
work, we categorize the PP approaches based on the information available about the environment and
on the number of UAVs employed, respectively.

[h]Categorization of the path planning approaches based on information about environment

Generally, there are three possibilities for the availability of information about the environment in
which UAVs operate. The operating environment can be fully known in advance (e.g., the obstacles'
geometry is known), it can be completely unknown, or it can be partially known (e.g., a few portions
are known, and the remaining portions are explored and modeled during the flight). Based on the degree
of information about the environment, PP approaches are mostly classified into two categories, local
PP (LPP) and global PP (GPP). In LPP, the environment is not known, and UAVs use sensors or other
devices to acquire information about the underlying environment. In GPP, PP is performed in a fully
known environment, meaning that all information about the environment is known in advance. Because
the information about the environment is available, GPP approaches have lower complexity than LPP
approaches. Recently, some PP approaches have jointly employed LPP and GPP concepts in order to
find a path for UAVs. In the literature, GPP and LPP approaches are also classified as offline and
online PP approaches, respectively. Based on an extensive review of the literature, we present a
categorization of the PP approaches based on information about the environment in Figure. We refer
interested readers to the previous studies for more insight into the LPP approaches.

Figure. Categorization of the PP approaches based on the availability of information about operating
environment.

Apart from the categorization provided above, the environment can be classified into rural and urban
environments. In the past, UAV applications were concentrated in non-urban environments; owing to
significant developments in the control domain, UAVs are increasingly employed in urban environments
these days. For instance, in urban environments they can be used to monitor people's compliance with
the social guidelines given by the respective governments in order to control the spread of COVID-19.

[h]Categorization of the path planning problems

Based on the mission type, either one or multiple UAVs can be employed. Scenarios in which only one
UAV is deployed are referred to as single-agent PP problems. In contrast, scenarios in which multiple
UAVs are used are called multi-agent PP problems. PP for multiple agents is relatively complex since
each UAV needs to avoid collisions with the companion UAVs as well as with the obstacles present in
the underlying operating environment. In addition, allocating target areas for coverage and optimizing
throughput also remain challenging, especially while operating at lower altitudes in urban environments.

[h]Essential components of the path planning for UAVs

Generally, there are three essential components of the PP: (i) modeling of the environment with
geometrical shapes by utilizing the obstacle/free-space knowledge provided by a real-environment
map, (ii) task modeling with the help of graphs/trees connecting the source and target locations, and
(iii) applying a search algorithm, together with a heuristic function, to determine a viable path.

[h]Modeling of the environment with geometrical shapes

In the first step, a raw environment map is converted into a modeled one, in which obstacles are
represented by geometrical shapes. For example, the poles recorded in a real environment map can be
modeled as cylinders in the modeled map. Similarly, buildings can be modeled as rectangles or
polyhedra. In some cases, UAVs do not model the whole environment map and instead use sense and
avoid (SAA) abilities to operate safely in the airspace. We present an example of environment modeling
and the well-known obstacle representation techniques used for the PP in Figure. Each obstacle
representation technique has a different complexity and accuracy in representing real-environment
obstacles. In addition, each representation can be adopted according to the UAV operating environment.
For example, polygons can be used to model an urban environment populated by various buildings.

Figure. Overview of environment modeling and obstacles’ representation techniques.

[h]Task modeling with the graphs/trees

After modeling the environment with geometrical shapes, the next step is task modeling (e.g.,
generating a network of paths with a graph/tree, or selecting a desired portion to be modeled). For
example, the road-map approach is a well-known task modeling approach for the PP, in which a graph
is constructed from the starting location to the destination location by capturing the connectivity of free
spaces and obstacles' corners. Apart from it, cell decomposition and potential fields are promising
solutions for task modeling. We present the most widely used task modeling methods in Figure.

Figure. Overview of the well-known task modeling methods used in the PP, adapted from.

Recently, tree-based task modeling methods have been widely used because of their quick convergence
to the final solution. We present an overview of task modeling with the help of a tree in Figure.
Furthermore, in some cases more than one method is jointly used to model the tasks on a provided map.
In addition, some approaches perform task modeling and path searching simultaneously.

Figure. Overview of task modeling with a random tree.

[h]Applying path search algorithm to determine a viable path

In the last step, a search algorithm is employed on the graph/tree to find a viable path. A heuristic
function usually guides the path search. For example, in the A* algorithm, low-cost nodes are selected
using distance as the heuristic function. Similarly, the heuristic function can be energy consumption or
smoothness, depending on the scenario. In the literature, many techniques have been suggested to find
reliable paths. Path search algorithms such as differential evolution, the firefly algorithm, ant colony
optimization, genetic algorithms, artificial bee colony, particle swarm optimization, fuzzy logic,
central force optimization, the gravitational search algorithm, simulated annealing, and their advanced
variants are used in the PP. Every algorithm has distinguishing factors over the others regarding
conceptual simplicity, computational complexity, robustness, convergence rate, etc. We categorize the
existing path search methods into five categories, and present representative methods of each category
in Figure.

Figure. Categorization of path searching methods/algorithms.

[h]Performance objectives of the path planning approaches

Every PP approach tends to optimize one or more performance objectives (PO) while finding a viable
path for UAVs. The PO can be related to hardware and software. These PO are considered in the
previous three components of the PP (i.e., environment modeling, task modeling, and path searching).
For instance, in order to lower the path search computing time, only a portion of a map can be
modeled and a sparse tree/graph can be constructed and used while finding a path. Similarly, memory can
be preserved by exploring some portions of a graph/tree rather than loading and exploring the whole
graph/tree at the same time. The selection of PO depends solely on the nature and urgency of the mission.
For example, in search and rescue missions, the PO can be path computing time, in order to reach the
affected regions quickly. In contrast, in normal circumstances, the PO can be the path length, in order to
reach the target location in the most economical way while preserving the UAV's resources. We describe
the most commonly used PO in Table.

PO | Concise description
Computing time | It denotes the overall time required to find a path using a graph/tree.
Path length | It denotes the Euclidean distance between two locations.
Energy | It denotes the amount of energy required/consumed while reaching the target from the source.
Turns | It denotes the number of turns (infeasible curvature) a path has in total.
Smoothness | It denotes the turns in a path with feasible curvature.
Memory | It denotes the amount of memory used while computing a path.
Path nodes | It denotes the set of nodes that a UAV follows during flight.
No. of obstacles | It denotes the set of obstacles to be processed during path search.
Accuracy | It denotes the accuracy of obstacle modeling or path clearance from obstacles.
Problem size | It denotes the size of the problem on which the path is determined.
Graph size | It denotes the size of the graph (no. of nodes, edges) employed to find a path.
Convergence rate | It denotes how quickly a feasible solution can be obtained.
Constraints handling | It denotes the effective resolution of constraints a UAV faces during a mission.
Completeness | It denotes the availability/non-availability of a solution in finite time.
Flexibility | It denotes the effort/time required to make a solution usable for different missions.
Path re-configuration | It denotes the effort/time required to regain control of a lost path.
Path following | It denotes the ability to keep following a path despite disturbances.
Path safety | It denotes the ability to avoid collisions with static/dynamic obstacles.
Hyper parameter | It denotes the number and variety of parameters needed to find a path.
Obstacle avoidance | It denotes the ability to avoid static/dynamic obstacles at low cost.
Generalization | It denotes the ability of a method to be applicable to different types of UAVs.
Application-speciality | It denotes the ability of a method to yield superior performance in some context.
Endurance | It denotes the ability of a UAV to fly for a long period of time with low-cost planning.

Table. Overview of the PO improved by the PP approaches.

Some PO are positively correlated. For example, finding a path with fewer turns can save energy.

Improving two negatively correlated PO (speed and time) requires optimizing another PO (problem
size).

These PO are usually considered during the PP irrespective of whether the environment is known or
unknown. Furthermore, plenty of techniques have been proposed to improve these PO with innovative
techniques or by employing cross-disciplinary concepts. In addition, many PP approaches target
multiple objectives rather than one or two, for practical UAV applications. These PO can be
expressed as a functional model while finding a path P between two locations s and t. Some algorithms
tend to optimize more than one PO. The overview of two PO to be optimized by a PP approach is
mathematically expressed as follows.

[h]Path planning algorithms that were proposed in the past five years

In this section, we discuss various PP algorithms that were proposed to lower the time complexity of
the PP process. We selected algorithms proposed in the last five years (i.e., 2016–2021) that share
broadly similar concepts in terms of space restriction and problem size reduction. We provide a brief
overview and a technical evaluation of all algorithms and highlight their deficiencies. Consequently,
this analysis can pave the way to improving PP algorithms for future UAV applications.

[h]Brief overview of the selected path planning algorithms

We present a brief overview of the selected algorithms in Table. These algorithms have become state-of-
the-art for many practical applications of UAVs in urban/non-urban environments. They are well known
for their novel working mechanisms and conceptual simplicity. In addition, they mainly focus on UAV
applications in urban environments, which are the focus of research across the globe. Also, UAV
applications in urban environments are likely to increase in the coming years.

Ref. | Publication year | Environment used | PO improved
Maini et al. | 2016 | 3D | Computing time and collision-free paths.
Frontera et al. | 2017 | 3D | Computing speed and solution quality.
Ahmad et al. | 2017 | 3D | Computing speed and energy-optimized paths.
Majeed et al. | 2018 | 3D | Computing speed and path quality.
Han et al. | 2019 | 3D | Feasible paths with reduced time.
Ghambari et al. | 2020 | 3D | Computing time and memory consumption.
Majeed et al. | 2021 | 3D | Computing speed and path quality.

Table. Overview of the latest GPP approaches that were proposed to reduce the computing time of PP
process.

All these approaches use concepts related to search space reduction in order to find time-efficient
paths.

[h]Technical evaluation of the selected path planning algorithms

In this subsection, we provide a concise description of the selected algorithms and highlight their
technical problems. We mainly describe the key steps of the proposed algorithms.

- The Maini et al. algorithm computes a low-cost path using a two-step approach. In the first step, a
modified version of the Dijkstra algorithm is used to find an initial path. In the second step, the
initial path is optimized further by considering the initial path nodes and a reverse path search.
- The Frontera et al. algorithm computes a low-cost path using a three-step approach. First, the
proposed method reduces the search space by considering the obstacles that lie on the straight
axis between s and t. Later, a visibility graph is generated solely from the corners of the selected
obstacles. In the last step, the A* algorithm is employed to compute a shortest path incrementally.
- The Ahmad et al. algorithm computes a low-cost path using a four-step approach. Firstly, the search
space is bounded using the obstacles on the straight line only. Later, the bounded space is extended
to the next level by using the obstacles that hit the boundary of the first bounded space. In the third
step, a relatively dense visibility graph is generated from the bounded spaces. In the final step, the
A* algorithm is employed to find an energy-optimized path.
- The Majeed et al. algorithm computes a low-cost path using a five-step approach. First, the space is
reduced to a half-cylinder form with path guarantees between s and t. In the second step, a
multi-criteria method is employed to check the suitability of the reduced space for low-cost
pathfinding. Later, the space is extended if needed, a sparse visibility graph is generated that
ensures connectivity between s and t, and the path is computed. Moreover, in some cases, the path is
improved by adding more nodes around the initial path's nodes.
- The Han et al. algorithm computes a low-cost path using a three-step approach. First, critical
obstacles are identified along the straight axis between s and t. In the second step, a node set is
generated around the corners of the critical obstacles only. In the last step, a feasible path is
obtained by exploring the node set. This approach is beneficial in resolving constraints related to
obstacle shapes.
- Ghambari et al. compute a global and a local path in four steps. In the first step, the
search space is reduced around the straight axis. In the second step, the differential evolution
algorithm is applied to construct a graph. Later, the A* algorithm is used to find a path in the graph
constructed in the first step. In the third step, the subspace is divided into small portions with
alternate routes in each subspace. In the last step, a mechanism is suggested to avoid collisions
with dynamic obstacles that may appear unexpectedly during the flight.
- Majeed et al. recently proposed a PP method for low-cost pathfinding for UAVs based on a
constrained polygonal space and an extremely sparse waypoint graph. In the proposed
approach, the search space is restricted to a polygonal form, and its analysis is performed from an
optimality point of view with the help of six complexity parameters. Later, the space can be
extended to the next level if needed; otherwise, a very sparse graph is generated by exploiting the
visibility, far-reachability, and direction guidance concepts. The suggested approach computes
time-efficient paths without degrading path quality while finding paths in urban
environments.
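The following is an added, constructed example (not code from any of the surveyed papers) that ties the three PP components and the PO together: buildings are modeled as axis-aligned rectangles (environment modeling), a visibility graph is generated from their inflated corners (task modeling), and A* with a Euclidean heuristic computes the path (path search). In the spirit of the straight-axis idea used by the Frontera, Ahmad, Han and Majeed approaches, the reduced variant generates nodes only from the obstacles that the s-t axis crosses, and falls back to the full graph when the reduced graph has no path, which is the failure mode reported for such approaches. The map, the coordinates, the EPS corner inflation and the use of Liang-Barsky clipping for the visibility test are assumptions of this example.

```python
"""Visibility-graph path search with straight-axis search-space reduction (constructed example)."""
import heapq
import math
from typing import Dict, List, Tuple

Point = Tuple[float, float]
Rect = Tuple[float, float, float, float]  # xmin, ymin, xmax, ymax
Graph = Dict[Point, List[Tuple[Point, float]]]

# Constructed urban map: building footprints modeled as axis-aligned rectangles.
BUILDINGS: List[Rect] = [(3, 1, 5, 6), (7, 4, 9, 9), (11, 0, 13, 3), (2, 8, 4, 10)]
EPS = 0.25  # corner inflation so waypoints sit just outside a footprint


def segment_crosses_rect(p: Point, q: Point, r: Rect) -> bool:
    """Liang-Barsky clipping: True if segment p-q passes through the interior of r.
    The box is shrunk by a hair so a segment that only grazes an edge is allowed."""
    xmin, ymin, xmax, ymax = r
    d, (dx, dy) = 1e-9, (q[0] - p[0], q[1] - p[1])
    t0, t1 = 0.0, 1.0
    for pk, qk in ((-dx, p[0] - (xmin + d)), (dx, (xmax - d) - p[0]),
                   (-dy, p[1] - (ymin + d)), (dy, (ymax - d) - p[1])):
        if pk == 0.0:
            if qk < 0.0:
                return False  # parallel to this edge and on its outer side
            continue
        t = qk / pk
        t0, t1 = (max(t0, t), t1) if pk < 0.0 else (t0, min(t1, t))
    return t0 < t1


def corner_nodes(rects: List[Rect]) -> List[Point]:
    """Task modeling step: candidate waypoints are the inflated obstacle corners."""
    nodes: List[Point] = []
    for xmin, ymin, xmax, ymax in rects:
        nodes += [(xmin - EPS, ymin - EPS), (xmax + EPS, ymin - EPS),
                  (xmin - EPS, ymax + EPS), (xmax + EPS, ymax + EPS)]
    return nodes


def build_visibility_graph(s: Point, t: Point, node_obstacles: List[Rect],
                           all_obstacles: List[Rect]) -> Graph:
    """Nodes come from node_obstacles only (the reduced space), but every edge is
    checked against ALL obstacles so a path can never cut through a building."""
    def inside(n: Point, r: Rect) -> bool:
        return r[0] < n[0] < r[2] and r[1] < n[1] < r[3]
    nodes = list(dict.fromkeys([s, t] + [n for n in corner_nodes(node_obstacles)
                                         if not any(inside(n, r) for r in all_obstacles)]))
    adj: Graph = {n: [] for n in nodes}
    for i, a in enumerate(nodes):
        for b in nodes[i + 1:]:
            if not any(segment_crosses_rect(a, b, r) for r in all_obstacles):
                adj[a].append((b, math.dist(a, b)))
                adj[b].append((a, math.dist(a, b)))
    return adj


def astar(adj: Graph, s: Point, t: Point):
    """A* with the Euclidean heuristic (admissible because edge cost = distance).
    Returns (path or None, path length, number of node expansions)."""
    frontier = [(math.dist(s, t), 0.0, s)]
    g, parent = {s: 0.0}, {s: None}
    closed, expansions = set(), 0
    while frontier:
        _, gu, u = heapq.heappop(frontier)
        if u in closed:
            continue
        closed.add(u)
        expansions += 1
        if u == t:
            path, n = [], u
            while n is not None:
                path.append(n)
                n = parent[n]
            return path[::-1], gu, expansions
        for v, w in adj[u]:
            if gu + w < g.get(v, math.inf):
                g[v], parent[v] = gu + w, u
                heapq.heappush(frontier, (gu + w + math.dist(v, t), gu + w, v))
    return None, math.inf, expansions


def count_turns(path: List[Point]) -> int:
    """PO 'turns': interior waypoints where the heading changes."""
    return sum(1 for a, b, c in zip(path, path[1:], path[2:])
               if abs((b[0] - a[0]) * (c[1] - b[1]) - (b[1] - a[1]) * (c[0] - b[0])) > 1e-9)


def plan(s: Point, t: Point, obstacles: List[Rect] = BUILDINGS) -> dict:
    """Plan in the reduced space first; fall back to the full graph if that fails."""
    critical = [r for r in obstacles if segment_crosses_rect(s, t, r)]
    for mode, node_obs in (("reduced", critical), ("full", obstacles)):
        adj = build_visibility_graph(s, t, node_obs, obstacles)
        path, length, expansions = astar(adj, s, t)
        if path is not None:  # PO values: length, turns, graph size, computing effort
            return {"mode": mode, "path": path, "length": round(length, 3),
                    "turns": count_turns(path), "graph_nodes": len(adj),
                    "expansions": expansions}
    return {"mode": "none", "path": None, "length": math.inf, "turns": 0, "graph_nodes": 0, "expansions": 0}
```

Running `plan((0, 2), (14, 2))` on the constructed map finds the same shortest path as the full graph while building a graph of 10 nodes instead of 18, which is exactly the graph-size PO that the search-space reduction trades on.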

Besides computing time, these algorithms can indirectly optimize certain PO listed in Table. For
example, the Ahmad et al. PP approach also reduces the number of turns in order to lower energy
consumption. The Han et al. PP approach can be applied to environments with arbitrarily shaped
obstacles (i.e., there is no constraint on obstacle geometry). Hence, it can be applied in different
settings of the urban environment (e.g., areas with sparse obstacles or areas with dense obstacles).
Similarly, the Majeed et al. PP approach can significantly reduce the problem size, and thereby the
memory requirements can be substantially lower. The Ghambari et al. approach can be used to re-
configure paths during the flight when a UAV encounters an unexpected obstacle. Hence, this approach can
be used in both local and global settings. Despite the utility of these approaches in many
real-world applications, they often yield poor performance due to local/global constraints. Based on
an in-depth review of all studies, we identified potential problems of each approach that may hinder
its use in actual deployment. We describe the technical challenges of the existing approaches in Table.

Ref. | Technical problems in the proposed approach
Maini et al. | The performance cannot be ensured in every scenario due to heavy reliance on specific maps.
Maini et al. | Overheads can increase exponentially with the problem size.
Maini et al. | It models the whole map, so the path exploration cost is very high.
Frontera et al. | The path can collide with nearby obstacles.
Frontera et al. | In some cases, the proposed approach fails to find a path even though one exists.
Frontera et al. | The visibility graph can contain many needless and redundant nodes.
Frontera et al. | Memory consumption is higher due to loading the whole visibility map into memory.
Ahmad et al. | Two bounded spaces are used, which can increase the computing time of the PP.
Ahmad et al. | The visibility graph is constructed using a layered approach with many redundant nodes and edges.
Ahmad et al. | The visibility check function is expensive since visibility in all directions and to all nodes is checked.
Majeed et al. (2018) | The path can contain turns due to the strict boundary of the search space.
Majeed et al. (2018) | Path optimization cost may increase if the initial path has many nodes.
Majeed et al. (2018) | Path quality cannot be ensured in all scenarios if the obstacles' sizes are large.
Han et al. | Path cost can increase exponentially with the point set.
Han et al. | Both time and optimality can be impacted if obstacles of diverse shapes exist in a map.
Han et al. | Since this is a grid-based approach, memory consumption is higher.
Ghambari et al. | Path computing time can rise with the distance between s and t.
Ghambari et al. | Recognizing and avoiding obstacles in real time can be costly.
Ghambari et al. | The fidelity of the proposed approach was analyzed with limited testing.
Ghambari et al. | Since path searching is carried out twice, computing time can rise.
Majeed et al. (2021) | Accurate modeling of tiny obstacles is not possible.
Majeed et al. (2021) | Excessive calculations are performed in space analysis, so complexity can rise.

Table. Overview of the technical problems in the proposed GPP approaches.

All these problems have been highlighted by existing studies or reported by the authors.

These challenges lay the foundation for future research in the UAV area. Furthermore, they can assist
researchers in devising better and more practical PP approaches that address these technical problems.
Apart from the challenges listed in Table, it is paramount to take into account the local constraints
while devising PP methods; these have mostly been assumed away in the existing approaches.

[h]Local path planning algorithms

The majority of the approaches discussed above are GPP approaches, and LPP approaches have not
been discussed. To cover this gap, we discuss various representative LPP approaches in Table along
with their methodological specifics.

Ref. | UAV used | Technical aspects of the approach
Stecz et al. | Multiple | Indicated sensors based LPP approach.
Wojciech et al. | Single | EO/IR systems and SARs based navigation.
Siemiatkowska et al. | Multiple | MILP based LPP using EO/IR camera and SARs.
Hong et al. | Multiple | MILP-based multi-layered hierarchical architecture.
Hua et al. | Multiple | Multi-target intelligent assignment model based LPP.
Cui et al. | Single | Reinforcement learning (RL)-based LPP approach.
Maw et al. | Single | Graph and learning based LPP approach.
Wei et al. | Single | Improved ACO for LPP.
Zhang et al. | Single | Markov decision process (MDP) based LPP approach.
Zammit et al. | Multiple | LPP in the presence of uncertainties.
Wu et al. | Single | Interfered fluid dynamic system (IFDS) based LPP.
Bayerlein et al. | Multiple | Multi-agent reinforcement learning (MARL) approach for LPP.
Jamshidi et al. | Single | LPP based on an improved version of Gray Wolf Optimization.
Yan et al. | Single | Sampling based LPP approach in urban environments.
Sangeetha et al. | Single | Gain-based dynamic green ACO (GDGACO) LPP approach.
Sangeetha et al. | Single | Fuzzy gain-based dynamic ACO (FGDACO) LPP approach.
Choi et al. | Single | Improved CNN based LPP approach for UAV.

Table. Overview of the latest LPP approaches used for UAVs.

All these approaches operate in an unknown environment during the PP.

These approaches perform PP in environments that are mostly unknown, and they are complex compared to
the GPP approaches. They enable UAVs to perform tasks in complex environments in real time,
leveraging low-cost sensors and robust artificial intelligence (AI) techniques. In addition, these
techniques can work together with emerging technologies, including cloud, edge, and fog computing,
for a variety of applications. The role of UAVs was prominent during the ongoing pandemic in different
countries across the globe. To this end, LPP approaches contributed significantly and enhanced the
UAVs' role in curbing the spread of the pandemic via online missions. Barnawi et al. proposed an
IoT-based platform for COVID-19 scanning in which UAVs were used as the main source of temperature
data collection in outdoor environments. Apart from COVID-19 scanning, UAVs were extensively used for
spraying and disinfecting multi-use facilities and contaminated places. In some countries, they were
used to alert people to wear masks properly and to stay indoors. The true realization of these
innovative applications is possible through LPP approaches.

[h]Coverage path planning: a subtopic of the path planning

Besides the LPP and GPP, another important subtopic of the PP is coverage path planning (CPP). In
the CPP, a path is determined that enables a UAV to fully cover a target area with the help of a
device/tool mounted on it. The attached tool/device can be a sensor, camera, speaker, and/or a spray
tank, depending on the mission. We present an overview of the CPP in Figure. In Figure(a), a
rectangular target area is given that needs to be covered by a UAV. In Figure(b), a coverage path
is shown that a UAV follows in order to cover the target area.

Figure. Overview of coverage path planning for UAVs in a 3D urban environment.

In the CPP, most of the PO are identical to those of the PP, but path overlapping and coverage
guarantees are two additional PO. Moreover, ensuring consistent path quality with respect to the shape
of the target area is very challenging; therefore, the shape of the target area is considered while
finding a coverage path. CPP can be performed in five steps: modeling of the operating environment,
locating the target area on the modeled map, decomposition of the target area into disjoint sub-parts,
task modeling (mainly the traversal order of the sub-parts) with the help of a graph, and covering each
sub-part using a motion pattern (e.g., back and forth, spiral, or circular). In recent years, UAV
coverage applications in urban environments have significantly increased, and a substantial number of
CPP approaches have been proposed.
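As an added example (not code from any of the surveyed CPP papers), the five CPP steps above carried out on a constructed rectangular target area with one no-fly building. It assumes that the target area and the building are axis-aligned rectangles (step 1 and 2), decomposes the free area into disjoint rectangular cells (step 3), orders the cells greedily by distance from the UAV's current position (step 4), and sweeps each cell back and forth with a lane spacing equal to the sensor swath width (step 5); the returned metrics are the usual PO plus the two CPP-specific ones, coverage ratio and overlap ratio. The area, building, swath width, start point and straight-line transitions between cells are assumptions.

```python
"""Coverage path planning over a rectangular target area with one no-fly building (constructed example)."""
import math
from typing import List, Tuple

Rect = Tuple[float, float, float, float]  # xmin, ymin, xmax, ymax
Point = Tuple[float, float]


def decompose(area: Rect, obstacle: Rect) -> List[Rect]:
    """Step 3: split the free part of the target area into disjoint rectangular
    cells: left strip, right strip, and the strips below and above the building."""
    ax0, ay0, ax1, ay1 = area
    ox0, oy0 = max(obstacle[0], ax0), max(obstacle[1], ay0)
    ox1, oy1 = min(obstacle[2], ax1), min(obstacle[3], ay1)
    if ox0 >= ox1 or oy0 >= oy1:  # building lies outside the target area
        return [area]
    cells = [(ax0, ay0, ox0, ay1), (ox1, ay0, ax1, ay1),
             (ox0, ay0, ox1, oy0), (ox0, oy1, ox1, ay1)]
    return [c for c in cells if c[2] > c[0] and c[3] > c[1]]


def lane_centres(ymin: float, ymax: float, w: float) -> List[float]:
    """Centre lines of sweep lanes of swath width w.  The last lane is pulled back
    so its swath stays inside the cell; that is where path overlap comes from."""
    lanes, y = [], ymin + w / 2
    while y + w / 2 < ymax - 1e-9:
        lanes.append(y)
        y += w
    lanes.append(max(ymin + w / 2, min(y, ymax - w / 2)))
    return lanes


def sweep_cell(cell: Rect, w: float, start: Point) -> List[Point]:
    """Step 5: back-and-forth waypoints for one cell, beginning on the side
    nearest to `start` so the transition from the previous cell stays short."""
    x0, y0, x1, y1 = cell
    left_first = abs(start[0] - x0) <= abs(start[0] - x1)
    pts: List[Point] = []
    for i, y in enumerate(lane_centres(y0, y1, w)):
        xa, xb = (x0, x1) if (i % 2 == 0) == left_first else (x1, x0)
        pts += [(xa, y), (xb, y)]
    return pts


def coverage_stats(cell: Rect, lanes: List[float], w: float) -> Tuple[float, float]:
    """Covered area and overlapped area of the lane swaths, clipped to the cell."""
    x0, y0, x1, y1 = cell
    ivals = sorted((max(y0, y - w / 2), min(y1, y + w / 2)) for y in lanes)
    swath_total = sum(b - a for a, b in ivals)
    union, (cur_a, cur_b) = 0.0, ivals[0]
    for a, b in ivals[1:]:
        if a > cur_b:  # disjoint interval: close the current run
            union += cur_b - cur_a
            cur_a, cur_b = a, b
        else:
            cur_b = max(cur_b, b)
    union += cur_b - cur_a
    return union * (x1 - x0), (swath_total - union) * (x1 - x0)


def count_turns(path: List[Point]) -> int:
    """PO 'turns': interior waypoints where the heading changes."""
    return sum(1 for a, b, c in zip(path, path[1:], path[2:])
               if abs((b[0] - a[0]) * (c[1] - b[1]) - (b[1] - a[1]) * (c[0] - b[0])) > 1e-9)


def plan_coverage(area: Rect, obstacle: Rect, w: float, start: Point) -> dict:
    """Steps 3-5 plus the CPP performance objectives: path length, turns,
    coverage ratio (coverage guarantee) and overlap ratio (path overlapping).
    Transitions between cells are straight lines; clearance from the building
    on those legs is left to the global planner."""
    remaining = decompose(area, obstacle)
    n_cells, pos, path = len(remaining), start, [start]
    covered = overlap = free_area = 0.0
    while remaining:  # step 4: greedy nearest-cell traversal order
        cell = min(remaining, key=lambda c: math.dist(pos, ((c[0] + c[2]) / 2, (c[1] + c[3]) / 2)))
        remaining.remove(cell)
        pts = sweep_cell(cell, w, pos)
        path += pts
        pos = pts[-1]
        cov, ovl = coverage_stats(cell, lane_centres(cell[1], cell[3], w), w)
        covered, overlap = covered + cov, overlap + ovl
        free_area += (cell[2] - cell[0]) * (cell[3] - cell[1])
    length = sum(math.dist(a, b) for a, b in zip(path, path[1:]))
    return {"cells": n_cells, "path": path, "length": round(length, 3),
            "turns": count_turns(path), "coverage_ratio": round(covered / free_area, 4),
            "overlap_ratio": round(overlap / free_area, 4)}
```

With a swath of 2.5 on a 12-unit-high area the lane count does not divide evenly, so the last lane of each cell is pulled back and the overlap ratio becomes non-zero while coverage stays complete; with a swath of 2 the lanes tile exactly and the overlap is zero.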

[mh]Cyber-Enabled Attacks Using UAV Platforms

Cyberwar is war conducted in and from computers and the networks connecting them, waged by states or
their proxies against other states. Cyberwar is usually waged against government and military networks
in order to disrupt, destroy, or deny their use. Cyberwar should not be confused with the terrorist use of
cyberspace or with cyberespionage or cybercrime. Even though similar tactics are used in all four types
of activities, it is a misinterpretation to define them all as cyberwar. Some states that have engaged in
cyberwar may also have engaged in disruptive activities such as cyberespionage, but such activities in
themselves do not constitute cyberwar.

Computers and the networks that connect them are collectively known as the domain of cyberspace.
Western states depend on cyberspace for the everyday functioning of nearly all aspects of modern
society, and developing states are becoming more reliant upon cyberspace every year. Everything
modern society needs to function—from critical infrastructures and financial institutions to modes of
commerce and tools for national security—depends to some extent upon cyberspace. Therefore, the
threat of cyberwar and its purported effects are a source of great concern for governments and
militaries around the world, and several serious cyberattacks have taken place that, while not
necessarily meeting a strict definition of cyberwar, can serve as an illustration of what might be
expected in a real cyberwar of the future.

One of the first references to the term cyberwar can be found in “Cyberwar Is Coming!,” a landmark
by John Arquilla and David Ronfeldt, two researchers for the RAND Corporation, published in 1993 in
the journal Comparative Strategy.

[h]Attacks in cyberspace

The cyberspace domain is composed of three layers. The first is the physical layer, including hardware,
cables, satellites, and other equipment. Without this physical layer, the other layers cannot function.
The second is the syntactic layer, which includes the software providing the operating instructions for
the physical equipment. The third is the semantic layer and involves human interaction with the
information generated by computers and the way that information is perceived and interpreted by its
user. All three layers are vulnerable to attack. Cyberwar attacks can be made against the physical
infrastructure of cyberspace by using traditional weapons and combat methods. For example,
computers can be physically destroyed, their networks can be interfered with or destroyed, and the
human users of this physical infrastructure can be suborned, duped, or killed in order to gain physical
access to a network or computer. Physical attacks usually occur during conventional conflicts, such as
in the North Atlantic Treaty Organization’s (NATO’s) Operation Allied Force against Yugoslavia in
1999 and in the U.S.-led operation against Iraq in 2003, where communication networks, computer
facilities, and telecommunications were damaged or destroyed.

Attacks can be made against the syntactic layer by using cyberweapons that destroy, interfere with,
corrupt, monitor, or otherwise damage the software operating the computer systems. Such weapons
include malware, malicious software such as viruses, trojans, spyware, and worms that can introduce
corrupted code into existing software, causing a computer to perform actions or processes unintended
by its operator. Other cyberweapons include distributed denial-of-service, or DDoS, attacks, in which
attackers, using malware, hijack a large number of computers to create so-called botnets, groups of
“zombie” computers that then attack other targeted computers, preventing their proper function. This
method was used in cyberattacks against Estonia in April and May 2007 and against Georgia in August
2008. On both occasions it is alleged that Russian hackers, mostly civilians, conducted denial-of-
service attacks against key government, financial, media, and commercial Web sites in both countries.
These attacks temporarily denied access by the governments and citizens of those countries to key
sources of information and to internal and external communications.

Finally, semantic cyberattacks, also known as social engineering, manipulate human users’ perceptions
and interpretations of computer-generated data in order to obtain valuable information (such as
passwords, financial details, and classified government information) from the users through fraudulent
means. Social-engineering techniques include phishing—in which attackers send seemingly innocuous
e-mails to targeted users, inviting them to divulge protected information for apparently legitimate
purposes—and baiting, in which malware-infected software is left in a public place in the hope that a
target user will find and install it, thus compromising the entire computer system. In August 2010, for
example, fans of the Anglo-Indian movie star Katrina Kaif were lured into accessing a Web site that
was supposed to have a revealing photograph of the actress. Once in the site, visitors were
automatically forwarded to a well-known social-networking site and asked to enter their login and
password. With this information revealed by users, the phishing expedition was successfully
completed. An example of baiting involves an incident in 2008 in which a flash memory drive infected
with malware was inserted into the USB port of a computer at a U.S. military base in the Middle East.
From there the computer code spread through a number of military networks, preparing to transfer data
to an unnamed foreign intelligence service, before it was detected. As these above examples suggest,
semantic methods are used mostly to conduct espionage and criminal activity.

[h]Cybercrime, cyberespionage, or cyberwar?

The term cyberwar is increasingly controversial. A number of experts in the fields of computer security
and international politics question whether the term accurately characterizes the hostile activity
occurring in cyberspace. Many suggest that the activities in question can be more accurately described
as crime, espionage, or even terrorism but not necessarily as war, since the latter term has important
political, legal, and military implications. For example, it is far from apparent that an act of espionage
by one state against another via cyberspace equals an act of war—just as traditional methods of
espionage have rarely, if ever, led to war. Allegations of Chinese cyberespionage bear this out. A
number of countries, including India, Germany, and the United States, believe that they have been
victims of Chinese cyberespionage efforts. Nevertheless, while these incidents have been a cause of
tension between China and the other countries, they have not damaged overall diplomatic relations.
Similarly, criminal acts perpetrated in and from cyberspace by individuals or groups are viewed as a
matter for law enforcement rather than the military, though there is evidence to suggest that Russian
organized-crime syndicates helped to facilitate the cyberattacks against Georgia in 2008 and that they
were hired by either Hamas or Hezbollah to attack Israeli Web sites in January 2009. On the other
hand, a cyberattack made by one state against another state, resulting in damage against critical
infrastructures such as the electrical grid, air traffic control systems, or financial networks, might
legitimately be considered an armed attack if attribution could be proved.

Some experts specializing in the laws of armed conflict question the notion that hostile cyberactivities
can cause war (though they are more certain about the use of hostile cyberactivities during war). They
argue that such activities and techniques do not constitute a new kind of warfare but simply are used as
a prelude to, and in conjunction with, traditional methods of warfare. Indeed, in recent years cyberwar
has assumed a prominent role in armed conflicts, ranging from the Israeli-Hezbollah conflict in
Lebanon in 2006 to the Russian invasion of Georgia in 2008. In these cases cyberattacks were
launched by all belligerents before the actual armed conflicts began, and cyberattacks continued long
after the shooting stopped, yet it cannot be claimed that the cyberattacks launched before the start of
actual hostilities caused the conflicts. Similarly, the cyberattacks against Estonia in 2007 were
conducted in the context of a wider political crisis surrounding the removal of a Soviet war memorial
from the city centre of Tallinn to its suburbs, causing controversy among ethnic Russians in Estonia
and in Russia itself.

Such qualifications aside, it is widely believed that cyberwar not only will feature prominently in all
future conflicts but will probably even constitute the opening phases of them. The role and prominence
of cyberwar in conventional conflicts continues to escalate.

[h]Cyberattack and cyberdefense

Despite its increasing prominence, there are many challenges for both attackers and defenders
engaging in cyberwar. Cyberattackers must overcome cyberdefenses, and both sides must contend with
a rapid offense-defense cycle. Nevertheless, the offense dominates in cyberspace because any defense
must contend with attacks on large networks that are inherently vulnerable and run by fallible human
users. In order to be effective in a cyberattack, the perpetrator has to succeed only once, whereas the
defender must be successful over and over again.

Another challenge of cyberwar is the difficulty of distinguishing between lawful combatants and
civilian noncombatants. One of the significant characteristics of cyberspace is the low cost of entry for
anyone wishing to use it. As a result, it can be employed by anyone who can master its tools. The
implications of this openness for cyberwar are that civilians, equipped with the appropriate software,
are capable of mounting and participating in cyberattacks against state agencies, nongovernmental
organizations, and individual targets. The legal status of such individuals, under the laws of armed
conflict and the Geneva Conventions, is unclear, presenting additional difficulty for those prosecuting
and defending against cyberwar. The cyberattacks against Estonia and Georgia are examples of this
challenge: it is alleged that most, if not all, of those participating in the attacks were civilians perhaps
motivated by nationalist fervour.

Perhaps the greatest challenge for states defending against cyberattacks is the anonymity of
cyberspace. Mention is made above of the low cost of entry into cyberspace; another major attribute is
the ease with which anyone using the right tools can mask his identity, location, and motive. For
example, there is little solid evidence linking the Russian government to the Estonia and Georgia
cyberattacks, and so one can only speculate as to what motivated the attackers if they did not act
directly on orders from Moscow. Such easy anonymity has profound implications for states or agencies
seeking to respond to—and deter—cyberwar attacks. If the identity, location, and motivation of an
attack cannot be established, it becomes very difficult to deter such an attack, and using offensive
cybercapabilities in retaliation carries a strong and often unacceptable risk that the wrong target will
face reprisal.

Despite these challenges, defending against cyberwar has become a priority for many nations and their
militaries. Key features of any major cyberdefense structure include firewalls to filter network traffic,
encryption of data, tools to prevent and detect network intruders, physical security of equipment and
facilities, and training and monitoring of network users. A growing number of modern militaries are
creating units specifically designed to defend against the escalating threat of cyberwar. For example, in
the United States, the Twenty-fourth Air Force has been set up to defend Air Force networks.
Similarly, the U.S. Navy has formed the Fleet Cyber Command, part of the recommissioned Tenth
Fleet, in order to protect its networks. Both of these commands are directly under U.S. Cyber
Command, based at Fort Meade, Md., which is charged with conducting all U.S. military
cyberoperations. In the United Kingdom the Government Communications Headquarters (GCHQ)
created a Cyber Security Operations Centre (CSOC) in September 2009, and France set up its Network
and Information Security Agency in July 2009.

Finally, while the present focus is on defending against cyberattacks, the use of offensive
cybercapabilities is also being considered. There are legal, ethical, and operational implications in the
use of such capabilities stemming from many of the challenges mentioned above. Hence, in many
Western countries such capabilities are proscribed extensively by law and are alleged to be the
preserve of intelligence agencies such as the National Security Agency (NSA) in the United States and
GCHQ in the United Kingdom. In China, where the legal, ethical, and operational implications differ
(or at least appear to), it is believed that organizations such as the General Staff Department Third and
Fourth Departments, at least six Technical Reconnaissance Bureaus, and a number of People’s
Liberation Army (PLA) Information Warfare Militia Units are all charged with cyberdefense, attack,
and espionage. Similarly, it is thought that in Russia both the Federal Security Service (FSB) and the
Ministry of Defense are the lead agencies for cyberwar activities.

The controversy over Pegasus spyware highlights the ethical implications of these developing
cybercapabilities. Although the creator of Pegasus, the Israeli cyber-intelligence firm NSO Group
(founded in 2010), claims its product is sold exclusively to government security and law enforcement
agencies and only for the purpose of aiding rescue operations and battling criminals, such as money
launderers, sex- and drug-traffickers, and terrorists, the spyware has been used to track politicians,
government leaders, human rights activists, dissidents, and journalists. It was even used to track Saudi
journalist and U.S. resident Jamal Khashoggi months before his murder and dismemberment by Saudi
agents in October 2018.

chapter 5: Defensive Strategies against UAV Cyber Threats


[mh]Detecting and Mitigating UAV-Based Cyber Attacks

Given the frequency and intensity of healthcare-related incidents, artificial intelligence (AI) applications and cybersecurity threats in healthcare are receiving a great deal of attention. Cybersecurity is the practice of protecting computer systems, networks, and programs from unauthorized access. Cyberattacks have become more sophisticated, with attackers using AI to get past cyber defenses. AI is also being used to continuously manage and secure the growing number of healthcare Internet of Things (IoT) sensor nodes and cyber-physical system (CPS) devices as they connect to and disconnect from hospital networks. A CPS is an intelligent system of cyber and physical components that is controlled and monitored by AI algorithms. With the development of smart multisensory systems, sensorial media, smart things, and cloud technologies, "smart healthcare" is receiving notable attention from academia, government, industry, caregivers, and healthcare communities. In the recent smart-health technological revolution, IoT technology plays an important role in healthcare because of its ability to predict, prevent, and intelligently control emerging infectious diseases such as coronavirus disease (Covid-19). IoT has also turned the vision of a smarter world into reality through large datasets and services. AI-driven IoT has become popular in smart healthcare systems by applying machine learning algorithms and by providing a better understanding of healthcare information to support improved personalized healthcare during the Covid-19 epidemic. It can also supply the processing and storage capacity needed for the enormous datasets produced by IoT sensors and actuators, as well as automated decision making in real time. Very little attention has been given to developing a secure, affordable healthcare system, even though the study of AI and cybersecurity for smart healthcare has produced great innovations in the age of Covid-19. AI-driven IoT (AIIoT) for smart healthcare has the potential to revolutionize many aspects of the healthcare industry. AI-based analytics for secure smart health infrastructure is shown in Figure.

Figure. AI-based Analytics for Secure Smart Health Infrastructure.

The importance of secure transformation in medical, public health, and healthcare delivery approaches has been recognized by numerous organizations. The Networking and Information Technology Research and Development (NITRD) program has recently published the Federal Health Information Technology Research and Development Strategic Framework. This framework explains the importance of integration between the computing, engineering, mathematics and statistics, behavioral and social science, and public health research communities in exploring the innovations needed to improve services in the healthcare system. Recent significant advances in machine learning (ML), artificial intelligence (AI), deep learning, high-performance cloud computing, and the availability of new datasets make such integration achievable.

A transformative approach can help to develop computational methods for analyzing multilevel and multiscale personal and clinical health data so as to maximize the accuracy of the conclusions drawn from them. Transformative data science focuses mainly on science and engineering innovations by interdisciplinary teams and uses advanced sensing methods to intuitively and intelligently collect, connect, analyze, and interpret data from individuals, devices, and systems. Such integrated and intelligent data collection also helps to optimize healthcare services. The challenges include a number of issues in the collection, synchronization, fusion, and visualization of data from multisensory systems, electronic health records (EHRs), and medical and consumer devices. Underlying these challenges are many fundamental issues, such as interoperability, integration, and reuse of heterogeneous data, feature selection, optimization, uncertainty quantification, robustness, model validation and evaluation, data privacy, and, most importantly, physical security and cybersecurity. Robust research could address how predictive, rigorous models with quantified uncertainty can be built from sensor or EHR data for validation and testing, and how the reproducibility of model building and simulation can be improved.

The World Health Organization (WHO) defines smart healthcare as “information and communication technology applications in healthcare, including disease control and monitoring, education, and research”. Researchers further describe “smart healthcare” as the integration of health informatics, public health, and business applications through the internet and related AI and data mining techniques. These techniques can provide more security and higher accuracy in personalized healthcare and health informatics. Although deep learning has become popular, researchers have rarely used it to predict outcomes from multisensory health data, preferring algorithms based on statistical methods and regression analysis. In this chapter, the authors discuss the importance and challenges of using AI against the cybersecurity vulnerabilities that have compromised the confidentiality, integrity, and availability of data in affected healthcare systems in the age of Covid-19.

[h]Cybersecurity for smart health

Healthcare is one of the most vulnerable industries when it comes to cybersecurity, and healthcare systems around the globe have become even more susceptible to cyberattacks in the age of COVID-19. Many cybersecurity organizations have reported a rapid increase in attacks since the start of the pandemic. The healthcare system, including nursing homes, has always been a key target of cyberattacks, and a recent string of attacks on several major hospitals and healthcare systems has exposed the security vulnerabilities of the most trusted healthcare institutions. The healthcare industry is at the forefront of global efforts to fight the virus during the pandemic. As such, this critical sector should be protected from cybercriminals, but that is not what has happened. The COVID-19 era is characterized by a steep rise in cyberattacks, from different perpetrators and with different motivations, and the healthcare sector has not been spared. The smart health pipeline for data processing and security analytics using AI is shown in Figure.

Figure. Smart Health Pipeline.

Security and privacy in the healthcare industry are crucial because they involve patients' personal information and private medical records. Over the last few decades, healthcare providers have increased their use of advanced technologies: artificial intelligence (AI) and machine learning techniques to secure patients' health profiles, cloud storage of data, advanced medical devices, and so on. These technological advances have reduced the workload of healthcare providers and have led to a paperless environment, but in return the risk of cyberattacks has increased. In most cases there are no appropriate security systems installed to protect the hospital database, and healthcare providers are often unaware of the cybersecurity threats lurking in the shadows. Information technology (IT) in healthcare systems is vulnerable to the point that it can take several weeks before a cyberattack is even acknowledged; healthcare providers continue working with a compromised system without any knowledge of the attack. This can cost billions of dollars and affect millions of patients each year.

In the last few years, the healthcare industry has been exposed to several cyberattacks. The most
significant cyberattacks among them are:

[h]Cyberattack on UVM Health Network

The University of Vermont (UVM) Health Network shut down its systems after identifying a cyberattack on Oct. 28, 2020. The hospital was losing about $1.5 million per day, including lost revenue from postponed services and the expenses needed to recover from the attack. Systems, including electronic health records (EHRs), were down for about 40 days. More than 5,000 computers were infected because they were all connected to the same network, and in November about three hundred employees were unable to work during the outage. UVM Medical Center President and COO Stephen Leffler, MD, said the health system expected the entire incident to cost more than $63 million by the time it was resolved.

[h]Ryuk and NHS ransomware attacks

On Oct. 26, 2020, a Ryuk ransomware attack affected the networks of six hospital systems from New York to California within 24 hours, and several hospitals self-reported IT outages due to ransomware during that period. The attackers demanded more than $1 million from hospitals that were not named. According to the New York Times, the attackers are known to set the ransom at about 10% of the organization's annual income. The federal government urged hospital systems and healthcare providers to harden their networks, apply all software updates, back up data, and monitor access to their systems closely. Ryuk has typically been deployed as a follow-on payload after an initial infection by a banking trojan (most often TrickBot). Ryuk first appeared in August 2018 as a derivative of the Hermes 2.1 ransomware. One of the key reasons attackers target healthcare organizations is the monetary benefit in the form of ransom payments. In May 2017, the National Health Service (NHS) in the UK was one of the victims of the WannaCry ransomware outbreak, which infected some 200,000 computers in about 150 countries and disrupted dozens of NHS organizations. Thousands of patients suffered the consequences as the attack took many vital pieces of medical equipment out of service.

[h]Nebraska medicine in Omaha attack

In September 2020, Nebraska Medicine reported an outage and said it anticipated that its computer network would remain down for some time. The incident affected the Nebraska Medicine IT systems and required many patient appointments to be postponed or rescheduled. The attack also affected the EHRs and computer systems of several other regional health services because Nebraska Medicine hosts their EHRs. Separately, from February to May 2020, more than 46 hospitals and health systems had patient information exposed through a security hole at Blackbaud, a company that stores donor information for organizations including health systems.

[h]DDoS attack at Boston’s Children Hospital

A distributed denial of service (DDoS) attack floods a network or service with traffic until it can no longer serve its legitimate users. Occasionally an overload of this kind happens unintentionally, but most of the time it is created deliberately by cybercriminals, whether to extort the victim, to cause disruption, or as a distraction while they pursue access to critical data such as an organization's financial information. The healthcare system is one of the main targets for such attacks. In 2014, one of the most notable DDoS attacks targeted Boston Children's Hospital, which was attacked while it was involved in a custody dispute over a 14-year-old patient. The hospital spent about $300,000 to overcome the damage caused by the DDoS attack.

[h]Data breach at Montpellier University Hospital

Data breaches at healthcare systems have been rampant for decades, and they are among the most common types of cyberattack. Most attackers use phishing emails and deceptive web links to trick users; the attacker gains access to the user's account, and often to the network, when the user clicks a malicious link received by email. In March 2019, the Montpellier University Medical Center found that an outsider had gained access to one of its employees' email accounts. The employee had unintentionally clicked a malicious link in a phishing email, giving the attacker access to the account and to the hospital network. Around 600 computers were affected by this breach. The healthcare provider discovered that the compromised account held sensitive patient information, including names, social security numbers, dates of birth, and insurance details.

[h]Internal threats

Besides external cybersecurity threats, healthcare providers sometimes have to face internal threats as well. These arise either through human error or through a breach of an employment contract. Several case studies distinguish three types of insider: the careless or negligent employee or contractor, the criminal or malicious insider, and the credential thief (the impostor risk).

[h]Medjacking

Medjacking is the practice of compromising and manipulating a medical device or instrument, whether to gain a foothold in the hospital network or with the intent to harm a patient. Malfunctioning medical instruments at a hospital or clinic are very distressing and can have fatal consequences: faulty diagnostic results can lead to the wrong prescription, and a device that does not operate properly can harm rather than help a patient. Medjacking is often targeted, especially to harm influential people or to damage the reputation of the healthcare organization. Artificial intelligence (AI) can help to detect and prevent the manipulation of medical devices and instruments.

[h]How artificial intelligence helps in healthcare security and cybersecurity

Artificial intelligence (AI) gives a device or software program the ability to interpret complex data, including images, video, text, speech, and other sounds, and to act on that interpretation to achieve a goal. Since AI-driven computers are programmed to make decisions with little human intervention, some wonder whether machines will soon make the difficult decisions we now entrust to our doctors. It is important to separate fact from science fiction, because AI is already here and is fundamentally changing medicine, according to David B. Agus, MD, a professor of medicine and engineering at the University of Southern California Keck School of Medicine and Viterbi School of Engineering.
AI has been applied in many domains of healthcare, including cancer research, cardiology, diabetes, mental health, identification of Alzheimer's disease, stroke-related studies, and identification of cardiovascular disease. Rather than robotics, AI in healthcare mainly refers to doctors and hospitals accessing vast data sets of potentially life-saving information. Modern computing power allows the different features of multisensory data to be analyzed for predictive analytics that identify potential health outcomes through machine learning techniques. AI and machine learning techniques use statistical methods to analyze incoming sensor and network data, identify patterns and security threats, and make decisions with minimal human interaction.

[h]AI in mobile heath (m-Health)

Mobile health (m-Health) is the use of smartphones and mobile devices, together with their communication capabilities, to assist healthcare; it comprises a combination of mobile devices, medical sensors, and smartphones. A good deal of research has shown that applying AI in healthcare systems can significantly improve the security of patient health analysis. For example, one study proposed an AI-based smartphone application for predicting heart failure and alerting users. Researchers and healthcare providers currently apply simple methods for generating alerts in an emergency, but these methods generate a high number of false alerts. The authors of that work used predictive models to avoid the impact of these false alerts. The models were built from 44 months of clinical data collected from the smartphones of 242 patients who had experienced heart failure at least once. The best predictive model used a Naïve Bayes classifier that combined observational data with a set of questions drawn from the various alerts. The authors claimed that their model could lower the yearly rate of false alerts for a heart patient from 28.64 to 7.8.

Another m-Health approach, for speech recognition for users affected by dysarthria, showed that it could assist in the process of voice message generation. A hidden Markov model approach was used to measure the overall proximity of a spoken word to a speech model personalized for a particular user. Hidden Markov models estimate the unobserved parameters of a process, such as a mobile target moving in a defined environment, from observed data. The speech recognition accuracy of the method was only 67% in a real-life study of nine test subjects, but the authors showed that the difficulty of communicating with users decreased significantly compared with the methods already available on the market. The drawbacks of the approach are the low accuracy of the speech recognition hardware and the need for regular assistance with voice-output communication.

[h]Internet of Things (IoT) and Cyber-Physical System (CPS) in the era of AI

Healthcare systems in hospitals and clinics are a key target of attackers carrying out Internet of Things (IoT)- and cyber-physical system (CPS)-focused cyberattacks. The most critical endpoints from a hospital security viewpoint are patient health monitors, ventilators, anesthesia machines, infusion pumps, and the like. The use of IoT in healthcare settings is increasing and now includes mobile devices, wearables, robots, drones, and contactless devices, and IoT is helping to control the coronavirus.

Early detection of Covid-19, isolation of infected people, and tracing possible contacts are critical to
stopping the spread of the virus. IoT and CPS protocols, GPS, and Wi-Fi are providing solutions to the
challenges that distance and accessibility would have posed. Using the IoT to fight virus outbreaks has
been effective during Covid-19. Interconnected tech devices, such as smart thermometers to test a
patient’s temperature, are used to build up detailed datasets for more accurate analysis and diagnosis.
Quarantine compliance is also greatly assisted by the use of IoT. By using a patient’s existing
smartphone or wearable devices, it is easier to ensure compliance with quarantine rules and establish
patterns via track-and-trace methods.

A cyber-physical system (CPS) is a collection of sensors and devices that interact with each other and with the physical world. Many CPS applications are built on the medical devices used in smart healthcare technology. Advances in CPS will enable the capability, adaptability, scalability, resilience, safety, security, and usability that expand the horizon of critical applications in a healthcare system with cybersecurity. CPS-based research is being challenged by new research concepts emerging from AI and machine learning, and the integration of AI with CPS, especially for real-time secure healthcare operation, creates new research opportunities with major societal implications. The application of AI and smart m-Health, with a workflow in which IoT and CPS devices communicate with a smartphone via Bluetooth or Wi-Fi, is shown in Figure.

Figure. AI for Smart m-Health (the workflow with IoT and CPS communicate with a smartphone via
Wi-Fi or Bluetooth).

[h]Cybersecurity for AI

Artificial intelligence (AI) and machine learning are playing an important role in cybersecurity. AI-based cybersecurity systems can provide clear knowledge of global and healthcare-industry security threats to help make critically important decisions in a crisis. AI techniques are expected to enhance cybersecurity by assisting human system managers with automated monitoring, analysis, and response to adversarial attacks.

Research outcomes from integrating AI and cybersecurity can lead to an extensive change in the understanding of the foundations of cybersecurity, and can motivate and educate healthcare providers about cybersecurity in the age of AI in innovative ways. Fundamental research in AI together with cybersecurity research may expand existing AI opportunities and resources in cybersecurity analytics and workforce development. AI relies on machine learning, deep learning, natural language processing, and related techniques to make it harder for malicious actors to access servers and other important data. Having crossed many milestones, AI is now turning towards cybersecurity. According to MIT, AI can detect about 85% of cyberattacks and help to secure IoT and CPS systems, including those of the healthcare industry. A prototype AI-based cybersecurity system is shown in Figure.
Figure. AI-based Cybersecurity System.

AI, machine learning (ML), and deep learning (DL) overlap, and the terms are easily confused. AI techniques help computers mimic human behavior. Machine learning is a subset of AI that lets computers learn models and representations automatically from data sets. Deep learning is a subset of machine learning that solves complex problems with multi-layer neural networks. Using AI, and machine learning and deep learning techniques in particular, is the smart choice for extracting and analyzing the sensor data from a smart IoT system. One study evaluated the performance of eleven well-known ML and DL algorithms on six IoT-related data sets. Judged on precision, recall, F1-score, accuracy, execution time, area under the receiver operating characteristic curve (ROC-AUC), and the confusion matrix, Random Forest performed better than the other ML models, and among the deep learning models ANN and CNN gave the most interesting results.

[h]How AI is helpful in cybersecurity

AI is changing the game for cybersecurity, analyzing massive data sets to improve response times and to augment under-resourced security operations. AI and machine learning play a key role in identifying potential threats; AI can be used to remove noise and unwanted data from signals or data sets, and most security experts now use AI to understand the cyber environment.

[h]Network security

For network security in a healthcare system, AI-based tooling can help enforce HIPAA privacy requirements and prevent patient data from wearable devices or public systems from ending up in the hands of unauthorized personnel. Three important ways to use AI for network security are to use machine learning to detect AI-based cyberthreats, to use AI to enhance human judgment, and to use AI as a tool for shaping security policy and network architecture. AI can detect new threats by identifying and analyzing them before they exploit vulnerabilities in the network. The caveat is that humans can become complacent and over-reliant on AI and machine learning to handle the cybersecurity of their network.

[h]Faster response times

A key benefit of AI in cybersecurity is that it can immediately identify anomalous behavior and suspected problems and so protect healthcare systems from a potential cyber threat. The ability to detect a threat and respond to it quickly improves the security of any organization, which otherwise pays in resources and reputation. Three important strategies for improving detection and response before threats damage a critical healthcare system are using a managed security service, getting ahead with AI, and centralizing the response. Managed security service providers offer outsourced monitoring of security devices and systems. Cyberattacks and ransomware attacks are leading the healthcare industry to use AI to detect threats faster and more accurately by recognizing patterns and anomalies. Centralization matters because most of the healthcare industry lacks it when dealing with a cyberattack. Human security specialists will still decide how incidents are to be handled, but they can be assisted by AI systems that automatically recommend plans for improving the response.

[h]Phishing detection and prevention

Phishing attacks are one of the most common security challenges for individuals and companies trying to keep their information secure; malicious actors attempt to deliver their payload through a phishing lure. AI and machine learning can play a significant role in preventing and deflecting phishing attacks. AI-based machine learning systems can recognize and track more than 10,000 active phishing sources and filter phishing threats from all over the world. Phishing attacks can have several different goals, including malware delivery, stealing money, and credential theft, and most phishing scams are designed to steal personal information. The AI's understanding of phishing campaigns is not limited to a particular geographic region, and AI has made it possible to distinguish quickly between a fake site and a real one.
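The "fake site versus real one" judgment above is made from concrete features of the URL, not by magic. As an added example (not code from the original text), here is a heuristic URL scorer of the kind that produces the input features for an AI-assisted phishing filter. The protected-brand list, feature weights, threshold and sample URLs are all constructed assumptions, and the registrable-domain logic simply takes the last two host labels, ignoring the public suffix list, which a production filter must not do.

```python
"""
Added example (not from the original text): a heuristic phishing-URL scorer of
the kind that produces features for an AI-assisted mail or web filter. Brand
list, weights, threshold and sample URLs are constructed assumptions; the
registrable-domain logic takes the last two labels and ignores the public
suffix list, which a production filter must not do.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: brands this filter protects, keyed by the legitimate registrable domain.
PROTECTED_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com", "nhs": "nhs.uk"}

# Constructed weights: tricks that hide the true destination score highest,
# weak hints (plain http, long URL) score lowest.
WEIGHTS = {
    "ip_host": 4,             # raw IP address instead of a domain name
    "userinfo": 4,            # "decoy@realhost" trick: browsers go to the host after @
    "punycode": 3,            # xn-- label, possible homoglyph domain
    "lookalike_domain": 5,    # registrable domain within edit distance of a brand
    "brand_in_subdomain": 5,  # brand name used as a subdomain of another domain
    "deep_subdomains": 2,     # many labels, pushing the real domain off-screen
    "many_hyphens": 2,
    "long_url": 1,
    "no_https": 1,
}
THRESHOLD = 5  # constructed; tune against labelled data in practice


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as paypa1 vs paypal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_features(url: str) -> dict:
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # naive: no public suffix list
    sld = labels[-2] if len(labels) >= 2 else host
    return {
        "ip_host": is_ip(host),
        "userinfo": "@" in parts.netloc,
        "punycode": any(label.startswith("xn--") for label in labels),
        "deep_subdomains": len(labels) > 4,
        "many_hyphens": host.count("-") > 2,
        "long_url": len(url) > 75,
        "no_https": parts.scheme != "https",
        # Almost a protected brand (or the brand on another TLD) but not the
        # legitimate registrable domain itself.
        "lookalike_domain": any(
            registrable != legit and levenshtein(sld, brand) <= max(1, len(brand) // 3)
            for brand, legit in PROTECTED_BRANDS.items()),
        # Brand name left of the registrable domain, e.g. paypal.com.secure-login.example.net
        "brand_in_subdomain": any(
            registrable != legit and brand in labels[:-2]
            for brand, legit in PROTECTED_BRANDS.items()),
    }


def score(url: str):
    """Return (total score, sorted names of the features that fired)."""
    features = extract_features(url)
    fired = sorted(name for name, on in features.items() if on)
    return sum(WEIGHTS[name] for name in fired), fired


def is_phishing(url: str, threshold: int = THRESHOLD) -> bool:
    return score(url)[0] >= threshold


if __name__ == "__main__":
    # Constructed sample URLs: the first three are legitimate, the rest are lures.
    for u in ["https://www.paypal.com/signin",
              "https://login.microsoftonline.com/common/oauth2",
              "https://www.nhs.uk/conditions/",
              "http://paypa1.com/account/verify",
              "http://paypal.com.secure-login-update.example.net/verify",
              "http://198.51.100.23/nhs/login",
              "https://paypal.com@xn--pypal-4ve.com/login"]:
        total, fired = score(u)
        print(f"{'PHISH' if total >= THRESHOLD else 'ok   '} {total:2d} {u} {fired}")
```

The weights encode a simple idea: features that disguise where the browser will actually go (an IP host, a decoy before `@`, a brand name in a subdomain, a typo-squat) are strong evidence on their own, while plain `http` or a long URL only tips a borderline case. A trained classifier would learn these weights from labelled URLs instead of taking them from a table, but it would consume the same kind of features.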

[h]Secure authentication

Security provisioning, or authentication, has become a key issue in wireless networks because of their vital role in supporting numerous services. Physical identification, in which AI examines various security features to identify a user, could be the primary means of verification. A smartphone can use its fingerprint scanner and facial recognition to permit a secure login: the application examines the fingerprint and the face to determine whether the login is genuine. AI techniques can also examine different features to verify a user's authentication and allow the user to access information from any device.

[h]Behavioral analytics

One of the important uses of AI in cybersecurity comes from its ability to analyze behavior: machine learning algorithms can learn and build a profile of your conduct by analyzing how you use your devices and online platforms. The use of AI in healthcare, such as in DNA and genome research, is truly captivating to read about. People are involved in the behavioral part of cybersecurity, and machine behavior also plays a significant role in cyber events. AI is changing the way we live, work, and play. With more and more healthcare data being collected from multisensory systems and medical instruments and being processed, predictive and behavioral analytics can generate insight and trigger the necessary action.

In conclusion, AI techniques have progressed quickly from being a narrow specialty. This will help cybersecurity specialists to manage the detection and prevention of cyberattacks: AI can detect cybersecurity threats and advise specialists to take the proper actions. The role of AI is expanding across different parts of information technology, including AI in cybersecurity, software testing, and data security.
[mh]Intrusion Detection and Response Systems

[h]Anomaly Detection in Intrusion Detection Systems

An intrusion detection system (IDS) is a security tool designed to monitor network or system activities
to detect and respond to unauthorized or malicious activities. It serves as an additional layer of defense
in a comprehensive cybersecurity strategy.

The primary goal of an IDS is to identify and alert security administrators about potential security
incidents, such as unauthorized access attempts, malware infections, or suspicious network traffic
patterns. By analyzing network packets, log files, system activities, and other relevant data, IDS can
help detect and respond to security threats in real-time.

There are two main types of IDS:

Network-based intrusion detection systems (NIDS) : NIDS monitors network traffic in real-time,
analyzing packets to identify suspicious or malicious activity. It operates at the network layer and can
detect threats such as port scanning, denial-of-service (DoS) attacks, and network intrusions. NIDS can
be deployed as a standalone device or as part of a network security infrastructure.

Host-based intrusion detection systems (HIDS) : HIDS monitors the activities occurring on individual
hosts or endpoints, such as servers or workstations. It analyzes system logs, file integrity, and user
activities to identify unauthorized access attempts, privilege escalations, or suspicious behavior at the
host level. HIDS is particularly useful for detecting insider threats or malware infections that may
bypass network-based defenses.

IDS employs different detection techniques to identify potential threats:

Signature-based detection : This technique relies on a database of known attack signatures or patterns.
IDS compares the incoming network traffic or system activities against these signatures to identify
known attacks. While effective against known threats, signature-based detection may struggle with
detecting new or zero-day attacks.

Anomaly-based detection : Anomaly detection involves establishing a baseline of normal behavior for
a network or system and then identifying deviations from this baseline. It analyzes traffic patterns,
system performance, user behavior, and other metrics to detect anomalies that could indicate a
potential security breach.

When an IDS detects an intrusion or suspicious activity, it generates an alert or notification for security
administrators. These alerts provide information about the nature of the incident, the affected system or
network, and any additional details to aid in the response and mitigation process.

It is important to note that IDS is not a standalone solution but works in conjunction with other security
measures like firewalls, antivirus software, and security policies. Additionally, intrusion prevention
systems (IPS) are often used in conjunction with IDS to not only detect but also actively block or
prevent detected threats.

In summary, Intrusion Detection Systems play a crucial role in identifying and responding to potential
security incidents in real-time. By monitoring network and system activities, IDS helps organizations
strengthen their overall security posture and minimize the potential impact of cyber threats.
[h]Anomaly detection techniques in IDS

Table shows Anomaly detection techniques with pros and cons.

Anomaly Detection Techniques in IDS

Signature-based
  Models: pattern matching, protocol analysis, content inspection, log analysis
  Pros:   high accuracy for known attacks; low false-alarm rate; easy deployment; low computational overhead
  Cons:   cannot detect new or unknown attacks; dependent on signature updates; lack of flexibility; limited coverage

Statistical-based
  Models: outlier detection, time-series analysis, statistical modeling
  Pros:   well-established methods with a solid theoretical foundation; suitable for detecting simple anomalies; interpretable results
  Cons:   limited ability to detect complex or sophisticated anomalies; sensitive to data distribution and assumptions; difficulty handling high-dimensional data

Machine learning
  Models: clustering, classification, neural networks
  Pros:   handles complex and non-linear patterns; effective at identifying subtle anomalies; adapts to changing environments; can learn from unlabeled or partially labeled data
  Cons:   requires large labeled training datasets; overfits if not properly tuned or validated; computationally intensive for complex algorithms; black-box nature may lack interpretability

Hybrid approaches
  Models: statistical + machine learning methods
  Pros:   leverages the strengths of both statistical and machine learning techniques; improved detection accuracy and robustness; better able to handle diverse anomalies
  Cons:   increased complexity and potential integration challenges; higher computational requirements; potential trade-off between interpretability and performance
Table. Anomaly detection techniques with pros and cons.

[h]Signature-based detection vs. anomaly detection


Signature-based detection, also known as rule-based detection, relies on pre-defined signatures or
patterns of known attacks to identify intrusions. However, signature-based detection has limitations as
it can only detect known attacks for which signatures have been defined. New or unknown attacks can
easily evade signature-based detection. Anomaly detection techniques, on the other hand, focus on
identifying deviations from normal behavior, without relying on predefined signatures. This makes
anomaly detection more effective in detecting unknown or novel attacks that do not have specific
signatures. Figure shows the concept of signature-based IDS.

Figure. Concept of signature-based IDS.
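To make the contrast concrete, here is an added Python example (written for this edition, not code from the chapter) that runs both approaches over a handful of constructed log lines. The signature rules are two regular expressions for well-known attack strings; the anomaly check builds a per-source request-count baseline (constructed values) and flags any source whose count exceeds the mean by three standard deviations. The log lines, IP addresses and baseline counts are all made up for the illustration.

```python
import re
import statistics
from collections import Counter

# Constructed sample log lines for illustration only (not real traffic).
# Source 10.0.0.12 fetches many distinct pages in the window, which no signature
# describes; the request from 10.0.0.9 carries a textbook SQL tautology.
SAMPLE_LOGS = [
    "host1 sshd: Accepted password for alice from 10.0.0.7 port 5002",
    "host1 web: GET /index.html 200 from 10.0.0.8",
    "host1 web: GET /admin.php?id=1' OR '1'='1 500 from 10.0.0.9",
    "host1 web: GET /index.html 200 from 10.0.0.7",
] + [f"host1 web: GET /page{i}.html 404 from 10.0.0.12" for i in range(8)]

# Constructed baseline: requests per source per window seen during normal operation.
BASELINE_COUNTS = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]

# Signature-based detection: fixed patterns describing known attack strings.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}

SRC_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")


def signature_matches(lines):
    """Return (signature name, line) for every line that matches a known-attack pattern."""
    return [(name, line)
            for line in lines
            for name, rx in SIGNATURES.items()
            if rx.search(line)]


def anomalous_sources(lines, baseline_counts, k=3.0):
    """Anomaly-based detection: flag sources whose request count exceeds
    baseline mean + k standard deviations. No signature is needed."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.stdev(baseline_counts)
    threshold = mean + k * stdev
    counts = Counter()
    for line in lines:
        m = SRC_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return sorted((src, n) for src, n in counts.items() if n > threshold)
```

Run over the sample, the signature rules catch only the SQL tautology, while the baseline check flags 10.0.0.12, whose page sweep matches no signature; neither method alone sees both events, which is why the chapter treats them as complementary.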

[h]Statistical approaches for anomaly detection

Statistical approaches are commonly employed for anomaly detection in IDS. These techniques
involve the use of statistical methods to establish normal behavior baselines and detect deviations from
these baselines. Outlier detection algorithms, such as the statistical outlier detection method or the Z-
score method, are used to identify data points that significantly deviate from the expected behavior.
Time series analysis techniques, such as autoregressive integrated moving average (ARIMA) models,
are used to detect anomalies in temporal data. Statistical modeling approaches, such as Gaussian
mixture models or hidden Markov models, are utilized to capture the statistical characteristics of
normal behavior and detect anomalies based on deviations from the learned models.

[h]Machine learning approaches for anomaly detection

Machine learning algorithms play a crucial role in anomaly detection for IDS. These algorithms can
learn patterns and behaviors from historical data and apply that knowledge to detect anomalies in real-
time. Clustering algorithms, such as k-means or DBSCAN, group similar instances together and flag
instances that do not fit into any cluster as anomalies. Classification algorithms, such as support vector
machines (SVM) or random forests, learn from labeled data to classify instances as normal or
anomalous. Neural networks, including deep learning models like convolutional neural networks
(CNN) or recurrent neural networks (RNN), can capture complex patterns and relationships to identify
anomalies. Figure shows machine learning approaches in IDS.

Figure. Machine learning approaches in IDS.

[h]Hybrid approaches

Hybrid approaches combine both statistical and machine learning techniques to improve the accuracy
and effectiveness of anomaly detection in IDS. By leveraging the strengths of different approaches,
hybrid models can provide enhanced detection capabilities. For example, a hybrid approach may use
statistical techniques to establish baseline behavior and machine learning algorithms to classify
instances as normal or anomalous. This combination allows for a more comprehensive and robust
anomaly detection system.

Intrusion detection systems (IDS) rely on various sources of data to detect anomalies and potential
security breaches. Some common data sources used in IDS include:

1. Network traffic logs: IDS can analyze network traffic logs to monitor incoming and outgoing
network packets, protocols used, source and destination IP addresses, ports, and other relevant
information. Network traffic logs provide valuable insights into communication patterns and can
help to detect anomalies such as unusual traffic volumes, suspicious connections, or protocol
violations.
2. System logs: System logs record events and activities within the operating system or specific
applications. IDS can analyze system logs to identify abnormal system behavior, such as
unauthorized access attempts, changes to system configurations, or unexpected system errors.
System logs may include information about login attempts, file access, process execution, or
resource utilization.
3. Audit trails: Audit trails capture detailed information about user activities and actions within a
system. They record events such as file access, privilege changes, user authentication, or
administrative actions. Analyzing audit trails can help to identify unauthorized actions, unusual
user behavior, or privilege escalation attempts.

[h]Data preprocessing techniques

Data preprocessing plays a crucial role in preparing the data for effective anomaly detection in IDS.
Several techniques are commonly used in the preprocessing stage, including:

1. Data cleaning: Data cleaning involves removing or correcting inconsistent, irrelevant, or noisy
data. This process may include handling missing values, dealing with outliers, and resolving
inconsistencies in the data. Cleaning the data helps to ensure the quality and reliability of the
input data for anomaly detection.
2. Feature selection: Feature selection aims to identify the most relevant and informative features
for anomaly detection. In IDS, this involves selecting the attributes or variables that provide the
most discriminative information about normal and anomalous behavior. Feature selection can
help to reduce computational complexity, improve detection accuracy, and eliminate redundant
or irrelevant features.
3. Normalization: Normalization is the process of scaling data to a common range or distribution.
It ensures that different features are on a comparable scale, which is essential for certain
anomaly detection algorithms that rely on distance or similarity measures. Normalization
techniques include min-max scaling, z-score normalization, or logarithmic transformations.
4. Dimensionality reduction: Dimensionality reduction techniques aim to reduce the number of
features while preserving the most important information. High-dimensional data can be
computationally expensive and prone to overfitting. Techniques such as principal component
analysis (PCA), linear discriminant analysis (LDA), or t-distributed stochastic neighbor
embedding (t-SNE) can help to reduce the dimensionality of the data while retaining its
essential characteristics.
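The following added Python example (not from the chapter) shows why the cleaning and normalization steps matter for the distance-based detectors discussed later. It imputes a missing field with the per-feature median, applies min-max scaling, and then measures how much each feature contributes to the Euclidean distance between two records before and after scaling. The connection records are constructed for the illustration.

```python
import statistics

# Constructed connection records (duration in seconds, bytes, packets); None marks a
# missing value, as might appear after a sensor dropped a field.
RAW_RECORDS = [
    (0.5, 1200, 10),
    (0.7, None, 12),
    (0.4, 900, 8),
    (0.6, 1500, 11),
    (120.0, 5_000_000, 4000),   # a long bulk transfer
]


def impute_missing(records):
    """Data cleaning: replace None with the per-feature median of the observed values."""
    cols = list(zip(*records))
    medians = [statistics.median([v for v in col if v is not None]) for col in cols]
    return [tuple(m if v is None else v for v, m in zip(rec, medians)) for rec in records]


def min_max_scale(records):
    """Normalization: map every feature onto [0, 1] using its observed minimum and maximum."""
    cols = list(zip(*records))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [tuple((v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(rec, lo, hi))
            for rec in records]


def squared_distance_shares(a, b):
    """Share of the squared Euclidean distance between a and b contributed by each feature.

    On raw data the byte count dominates every distance, so a detector that relies on
    distances effectively ignores duration and packet count until the data is scaled.
    """
    parts = [(x - y) ** 2 for x, y in zip(a, b)]
    total = sum(parts)
    return [p / total for p in parts] if total else [0.0] * len(parts)
```

On the raw records, more than 99% of the distance between the first record and the bulk transfer comes from the byte count; after min-max scaling the three features contribute roughly equally, which is the comparable-scale property the text describes.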

[h]Unsupervised anomaly detection in IDS

Unsupervised anomaly detection techniques in intrusion detection systems (IDS) aim to identify
anomalies in data without relying on pre-labeled instances of normal and anomalous behavior. These
techniques are particularly useful in scenarios where labeled training data is scarce or unavailable,
making it challenging to train supervised models. Unsupervised anomaly detection methods utilize
statistical, clustering, or density-based approaches to identify patterns that deviate from normal
behavior. Here are some commonly used unsupervised anomaly detection techniques in IDS and
Figure shows a summary of these techniques:

1. Statistical-based techniques: Statistical-based techniques are commonly used for unsupervised
anomaly detection in intrusion detection systems (IDS). As we said before, these techniques
analyze the statistical properties of the data to identify instances that deviate significantly from
the expected behavior. The underlying assumption is that normal behavior follows a certain
statistical distribution, and any deviation from this distribution is considered anomalous. Here
are some commonly used statistical-based techniques:
o Gaussian distribution: The Gaussian distribution, also known as the normal distribution,
is frequently used in statistical-based anomaly detection. It assumes that the normal
behavior of the data follows a bell-shaped curve. Anomalies are identified as instances
that fall outside a specified range or threshold based on the estimated mean and standard
deviation of the data. Instances that lie in the tails of the distribution, beyond a certain
number of standard deviations from the mean, are considered anomalies.
o Mahalanobis distance: The Mahalanobis distance measures the distance between a data
point and the center of a distribution, taking into account the correlation between
variables. It accounts for the covariance structure of the data and is particularly useful
when the variables are correlated. The Mahalanobis distance can be used to detect
anomalies by comparing the distance of each data point to a threshold value. Points with
a large Mahalanobis distance are considered anomalies.
o Z-score method: The Z-score method is a simple statistical technique for anomaly
detection. It calculates the standard deviation from the mean for each data point and
expresses it as a Z-score. The Z-score represents the number of standard deviations a data
point is away from the mean. Anomalies are identified as data points with a Z-score
exceeding a specified threshold. This method is particularly useful when the data is
normally distributed.
o Hypothesis testing: Hypothesis testing is a statistical technique used to determine the
likelihood that an observed deviation from the expected behavior is due to chance or
represents an anomaly. Commonly used hypothesis tests include the t-test, chi-square
test, or Kolmogorov-Smirnov test. These tests compare the observed data to a reference
distribution or expected behavior and calculate a p-value. If the p-value is below a
predefined significance level, the deviation is considered significant, and the instance is
flagged as an anomaly.

Statistical-based techniques provide a solid foundation for detecting anomalies based on
deviations from expected statistical behavior. However, it is important to note that these
methods assume the data follows specific statistical distributions and may not be suitable for
data with complex or non-parametric distributions. Additionally, choosing appropriate
thresholds or significance levels is crucial and requires careful consideration and domain
knowledge.
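As an added example for the Gaussian, Z-score and Mahalanobis techniques above (and the statistical approaches section earlier), here is a small pure-Python implementation written for this edition, not taken from the chapter. It scores a new connection against a constructed baseline of (packets, bytes) pairs. Because bytes grow almost linearly with packets in the baseline, a connection whose packet count and byte count are each individually plausible but inconsistent with each other passes the per-feature Z-score test yet receives a very large Mahalanobis distance. The baseline values and the thresholds are assumptions for the illustration; the Mahalanobis routine is restricted to two features so the covariance inverse can be written in closed form.

```python
import math
import statistics

# Constructed per-connection features (packets sent, bytes sent) from a normal baseline.
# Bytes scale almost linearly with packets, so the two features are strongly correlated.
BASELINE = [(10, 10200), (12, 11900), (8, 8100), (11, 11100),
            (9, 9050), (13, 13100), (10, 9900), (12, 12100)]


def z_scores(point, baseline):
    """Per-feature Z-scores: sample standard deviations between each value and its mean."""
    cols = list(zip(*baseline))
    return tuple((v - statistics.mean(c)) / statistics.stdev(c) for v, c in zip(point, cols))


def gaussian_flags(point, baseline, k=3.0):
    """Gaussian / Z-score rule: flag a feature when |Z| exceeds k (tail of the bell curve)."""
    return tuple(abs(z) > k for z in z_scores(point, baseline))


def mahalanobis(point, baseline):
    """Mahalanobis distance of a 2-feature point from the baseline's centre.

    Uses the sample covariance, so the correlation between the features is taken into
    account: a point off the correlation line gets a large distance even when each of
    its coordinates lies within the usual range. (Two features only; the general case
    inverts a d x d covariance matrix.)
    """
    xs, ys = zip(*baseline)
    mx, my = statistics.mean(xs), statistics.mean(ys)
    n = len(baseline)
    var_x = sum((x - mx) ** 2 for x in xs) / (n - 1)
    var_y = sum((y - my) ** 2 for y in ys) / (n - 1)
    cov = sum((x - mx) * (y - my) for x, y in baseline) / (n - 1)
    det = var_x * var_y - cov * cov
    if det <= 0:
        raise ValueError("singular covariance: features are perfectly collinear")
    dx, dy = point[0] - mx, point[1] - my
    # Quadratic form d^T C^{-1} d, with the closed-form inverse of the 2x2 covariance C.
    d2 = (var_y * dx * dx - 2 * cov * dx * dy + var_x * dy * dy) / det
    return math.sqrt(d2)


def classify(point, baseline, z_k=3.0, m_threshold=3.0):
    """Combine both rules; the Mahalanobis threshold is an assumed tuning value."""
    return {
        "z_scores": z_scores(point, baseline),
        "z_flagged": any(gaussian_flags(point, baseline, z_k)),
        "mahalanobis": mahalanobis(point, baseline),
        "m_flagged": mahalanobis(point, baseline) > m_threshold,
    }
```

The point (13, 8100) has |Z| below 2 on both axes, so the Gaussian rule accepts it, while its Mahalanobis distance is in the tens; a point on the correlation line such as (11, 11000) scores well under 1 on both. This is the practical reason the text recommends Mahalanobis distance when variables are correlated.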

2. Clustering-based techniques: Clustering-based techniques as shown in Figure are commonly
used for unsupervised anomaly detection in intrusion detection systems (IDS). These techniques
aim to partition the data into clusters based on the similarity or density of instances. Anomalies
are identified as instances that do not belong to any cluster or are located far from the clusters.
Here are some commonly used clustering-based techniques:
o K-means clustering: K-means clustering is a popular technique that aims to partition the
data into K clusters. The algorithm iteratively assigns data points to the nearest cluster
centroid based on distance measures such as Euclidean distance. Anomalies are typically
identified as instances that do not fit well into any cluster or are located far from the
cluster centroids. However, K-means alone may not be sufficient for anomaly detection
as it assumes that all clusters have similar sizes and shapes, which may not hold true for
anomalous instances.
o Density-based spatial clustering of applications with noise (DBSCAN): DBSCAN is a
density-based clustering algorithm that identifies clusters based on the density of
instances. It groups together instances that are close to each other and have a sufficient
number of nearby neighbors. Anomalies are typically instances that do not have enough
nearby neighbors to form a cluster and are considered noise points. DBSCAN can
effectively identify clusters of different shapes and sizes, making it suitable for detecting
anomalies that do not conform to regular cluster patterns.
o Ordering points to identify the clustering structure (OPTICS): OPTICS is an extension of
DBSCAN that provides a hierarchical view of the clustering structure. It orders instances
based on their density and identifies core points, reachability distances, and clusters.
Anomalies are typically instances that have low density and are located in regions with
sparse or no clusters. OPTICS allows for flexible parameterization, making it more
adaptive to different datasets and providing a richer characterization of the data structure.
o Hierarchical clustering: Hierarchical clustering methods create a hierarchy of clusters by
successively merging or splitting clusters based on their similarity. Agglomerative
hierarchical clustering starts with each instance as a separate cluster and iteratively
merges similar clusters until a single cluster is formed. Divisive hierarchical clustering
starts with all instances in one cluster and iteratively splits the cluster into smaller
clusters. Anomalies can be identified as instances that do not fit well into any cluster or
do not conform to the hierarchical structure.

Clustering-based techniques offer flexibility in detecting anomalies by identifying instances that
do not conform to regular cluster patterns. However, these techniques require careful
consideration of parameters such as the number of clusters or density thresholds, and the
interpretation of anomalies may depend on the dataset and the clustering algorithm used.

3. Density-based techniques: Density-based techniques are commonly used for unsupervised
anomaly detection in intrusion detection systems (IDS). These techniques focus on estimating
the density distribution of the data and identify anomalies as instances that lie in regions of low
density. Here are some commonly used density-based techniques:
o Kernel density estimation (KDE): Kernel density estimation is a non-parametric
technique used to estimate the underlying density distribution of the data. It places a
kernel function on each data point and sums them to estimate the density at any given
point. Anomalies are typically identified as instances with significantly lower density
values compared to the majority of the data. The choice of kernel function and bandwidth
parameter affects the smoothness and accuracy of density estimation.
o Local outlier factor (LOF): The local outlier factor measures the deviation of an
instance’s density compared to its neighboring instances. It calculates a local density for
each data point based on the distances to its k nearest neighbors. Anomalies are identified
as instances with significantly lower local densities compared to their neighbors. LOF
takes into account the local density variations in the data, making it robust to varying
densities and useful for detecting anomalies in clusters or regions of different densities.
o Distance-based techniques: Distance-based density estimation techniques measure the
distances between instances and identify anomalies based on deviations from the
expected distance distribution. For example, the nearest neighbor distance (NND)
approach calculates the average distance to the k nearest neighbors for each instance.
Anomalies are identified as instances with significantly larger or smaller distances
compared to the majority of the data. Distance-based techniques are effective in
identifying anomalies that exhibit unusual distance patterns.
o Density-based clustering: Density-based clustering algorithms, such as DBSCAN, can
also be used for anomaly detection. These algorithms identify clusters based on the
density of instances and label as anomalies the instances that do not belong to any
cluster. Anomalies are typically located in regions with low density or as individual
points far from the clusters.

Density-based techniques provide flexibility in detecting anomalies by focusing on regions of
low density or deviations from expected distance patterns. These techniques are effective in
identifying anomalies that do not conform to regular density distributions or exhibit unusual
distance patterns. However, careful parameter selection, such as the neighborhood size or
density thresholds, is important to ensure accurate anomaly detection.
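One added example, written for this edition rather than taken from the chapter, covers both the clustering-based (item 2) and density-based (item 3) techniques: a plain DBSCAN that labels unclustered points as noise, and the nearest-neighbour distance (NND) score that ranks points by local sparsity. The eleven two-dimensional feature vectors are constructed: two tight groups of normal hosts plus one isolated host. The parameters eps, min_pts and k are assumed tuning values; in practice they are set from the data, as the text cautions.

```python
import math

# Constructed 2-D feature vectors (connections per minute, mean packet size / 100)
# for eleven hosts: two dense groups of normal hosts and one isolated host.
POINTS = [
    (1.0, 1.0), (1.0, 2.0), (2.0, 1.0), (2.0, 2.0), (1.5, 1.5),   # group A
    (8.0, 8.0), (8.0, 9.0), (9.0, 8.0), (9.0, 9.0), (8.5, 8.5),   # group B
    (5.0, 12.0),                                                  # isolated host
]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def region_query(points, idx, eps):
    """Indices of all points within eps of points[idx] (the point itself included)."""
    return [j for j, q in enumerate(points) if euclid(points[idx], q) <= eps]


def dbscan(points, eps, min_pts):
    """Plain DBSCAN: returns a cluster id (0, 1, ...) per point, or -1 for noise.

    A point with at least min_pts neighbours within eps is a core point; clusters grow
    from core points. Points reachable from no core point stay noise: the anomalies.
    """
    labels = [None] * len(points)
    cluster = 0
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        neighbours = region_query(points, i, eps)
        if len(neighbours) < min_pts:
            labels[i] = -1          # noise for now; a later cluster may claim it as a border point
            continue
        labels[i] = cluster
        queue = [j for j in neighbours if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nb = region_query(points, j, eps)
            if len(nb) >= min_pts:   # j is itself a core point: keep expanding through it
                queue.extend(nb)
        cluster += 1
    return labels


def noise_points(labels):
    """Indices DBSCAN left unclustered, i.e. the anomaly candidates."""
    return [i for i, lab in enumerate(labels) if lab == -1]


def knn_distance_scores(points, k):
    """Nearest-neighbour distance (NND) score: mean distance to the k closest other points.

    A larger score means lower local density, which is what density-based detection flags.
    """
    scores = []
    for i, p in enumerate(points):
        dists = sorted(euclid(p, q) for j, q in enumerate(points) if j != i)
        scores.append(sum(dists[:k]) / k)
    return scores
```

With eps = 1.5 and min_pts = 3, DBSCAN recovers the two groups and leaves only the isolated host as noise; the NND score with k = 3 ranks that same host highest by a wide margin, while every clustered host scores below 1. The two views agree here, but on real data the noise set and the top-scoring set can differ, and comparing them is a useful sanity check on the chosen parameters.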

4. Reconstruction-based techniques: Reconstruction-based techniques are a class of anomaly
detection techniques that aim to reconstruct the normal behavior of the data and identify
anomalies based on the errors or deviations from this reconstruction. These techniques typically
employ autoencoders shown in Figure or similar models to learn the underlying patterns in the
data and use them to reconstruct or generate the data. Here are some commonly used
reconstruction-based techniques:
o Autoencoder-based anomaly detection: Autoencoders are neural network models that are
trained to reconstruct their input data. They consist of an encoder that compresses the
input data into a lower-dimensional representation and a decoder that reconstructs the
data from this representation. During training, autoencoders learn to minimize the
reconstruction error by capturing the patterns and regularities in the data. Anomalies are
identified as instances that result in high reconstruction errors, indicating deviations from
the learned normal behavior.
o Variational autoencoders (VAEs): Variational autoencoders are a type of generative
model that learns a low-dimensional representation of the data and generates new
samples by sampling from this learned representation. VAEs consist of an encoder that
learns the parameters of a probability distribution in the latent space and a decoder that
generates samples from this distribution. Anomalies can be identified based on the
reconstruction error or by measuring the dissimilarity between the original data and the
generated samples. VAEs can capture the underlying distribution of the data and detect
anomalies that deviate significantly from this distribution.
o Generative adversarial networks (GANs): Generative adversarial networks are another
type of generative model that consists of a generator network and a discriminator
network. The generator network learns to generate realistic samples that resemble the
normal behavior of the data, while the discriminator network learns to distinguish
between real and generated samples. Anomalies can be identified as instances that are not
well captured by the generator network or are classified as fake by the discriminator
network. GANs can learn complex data distributions and detect anomalies that differ
significantly from the learned distribution.

Figure. Summary of unsupervised techniques.

Figure. Clustering.

Figure. Structure of autoencoders.

Reconstruction-based techniques offer the advantage of learning the normal behavior of the data and
identifying anomalies based on deviations from this learned behavior. They can capture complex
patterns and variations in the data, making them effective for detecting anomalies that do not conform
to specific statistical or density distributions. However, these techniques require a representative
dataset of normal behavior for training the models and may be sensitive to the choice of model
architecture and training parameters.

[h]Supervised anomaly detection in IDS

Supervised anomaly detection in intrusion detection systems (IDS) involves training a model on
labeled data, where both normal and anomalous instances are explicitly identified. The model learns
the patterns and characteristics of normal behavior during the training phase and can subsequently
classify new instances as either normal or anomalous based on the learned knowledge. Here are some
commonly used techniques for supervised anomaly detection in IDS:

1. Supervised machine learning algorithms: Supervised machine learning algorithms, such as
decision trees, random forests, support vector machines (SVM), and neural networks, can be
applied to train models for supervised anomaly detection in IDS. These algorithms learn from
labeled data, where the labels indicate whether an instance is normal or anomalous. The trained
models can then classify new instances as either normal or anomalous based on the learned
patterns and decision boundaries.
2. Ensemble methods: Ensemble methods combine multiple models to improve the accuracy and
robustness of supervised anomaly detection. Techniques such as bagging, boosting, and stacking
can be employed to create an ensemble of models that collectively make predictions. Each
individual model may use a different algorithm or have different parameter settings, and the
final prediction is often determined through voting or averaging. Ensemble methods can
effectively handle complex data distributions and improve the overall detection performance.
3. Deep learning: Deep learning techniques, such as convolutional neural networks (CNNs)
shown in Figure, recurrent neural networks (RNNs) shown in Figure, and deep autoencoders,
have shown promising results in supervised anomaly detection. These models can learn
complex representations of the input data, capture intricate patterns, and generalize well to
unseen instances. Deep learning approaches require large amounts of labeled data and can be
computationally intensive but can achieve high accuracy in detecting anomalies in IDS.
4. Feature engineering: Feature engineering plays a crucial role in supervised anomaly detection. It
involves selecting relevant features from the data or designing new features that can effectively
discriminate between normal and anomalous instances. Domain knowledge and expertise are
often employed to identify informative features that can capture the distinguishing
characteristics of anomalies. Feature engineering techniques, such as dimensionality reduction,
feature selection, and feature transformation, can improve the detection performance of
supervised anomaly detection models.
5. One-class support vector machines (SVM): The one-class support vector machine (SVM) is a
popular technique for anomaly detection that falls under the category of supervised learning.
Unlike traditional SVMs that are designed for binary classification tasks, One-class SVM is
specifically designed for the task of learning a model of normal data and identifying anomalies
based on deviations from this model. Here’s how One-class SVM works:
o Training phase: In the training phase, One-class SVM learns a decision boundary that
encloses the majority of the training data points, representing the normal class. The goal
is to find a hyperplane that maximally separates the normal data instances from the origin
or the center of the feature space.
o Decision function: Once the model is trained, the decision function of the One-class
SVM is used to classify new instances as either normal or anomalous. The decision
function assigns a score or distance to each instance, indicating how well it fits within the
learned model. Instances with positive scores are considered normal, while instances with
negative scores are classified as anomalies.
o Kernel trick: One-class SVM can make use of the kernel trick to handle nonlinear data
distributions. By mapping the input data into a high-dimensional feature space, the One-
class SVM can find a nonlinear decision boundary that better separates normal instances
from anomalies. Commonly used kernel functions include the radial basis function (RBF)
kernel and the polynomial kernel.

Figure. Structure of convolutional neural network.

Figure. Structure of recurrent neural network.

One-class SVM offers several advantages for anomaly detection:

 It can handle data with high-dimensional feature spaces effectively.
 It is robust to outliers in the training data.
 It can capture complex decision boundaries, including nonlinear ones, through the use of the
kernel trick.
 It does not require labeled anomalies for training, as it focuses solely on learning the normal
class.

However, One-class SVM also has certain limitations:

 It may struggle when the normal class exhibits significant variations or when the normal data
distribution is not well-represented in the training set.
 It may be sensitive to the choice of kernel function and its hyperparameters, requiring careful
tuning for optimal performance.
 It does not provide direct probabilistic outputs, making it challenging to interpret the anomaly
scores as probability estimates.

Supervised anomaly detection in IDS offers the advantage of explicitly labeled data for training and
can achieve high detection accuracy. However, it relies on the availability of accurately labeled
training data and may face challenges when dealing with evolving or previously unseen anomalies.
Moreover, supervised approaches may not capture novel or unknown anomalies that were not present
in the training data.

[h]Challenges in anomaly detection for IDS

1. Curse of dimensionality: The curse of dimensionality refers to the phenomenon where the
effectiveness of certain algorithms and techniques deteriorates as the dimensionality of the data
increases. In the context of intrusion detection systems (IDS), the curse of dimensionality poses
a significant challenge for anomaly detection.

Anomaly detection in IDS often involves analyzing high-dimensional data, such as network
traffic logs, system logs, or audit trails. Each data instance is typically represented by a large
number of features or attributes that describe various aspects of the network or system behavior.
However, as the number of features increases, the available data becomes increasingly sparse in
the high-dimensional space.

The curse of dimensionality has several implications for anomaly detection in IDS:

o Insufficient data: As the number of dimensions (features) increases, the amount of
available data decreases exponentially. In other words, the data becomes sparse, and the
number of instances representing normal and anomalous behavior becomes limited. This
scarcity of data can lead to poor generalization and inaccurate anomaly detection.
o Increased complexity: With a high number of dimensions, the complexity of the anomaly
detection problem also increases. Anomaly detection algorithms may struggle to
effectively capture patterns and relationships among the features, leading to decreased
detection accuracy.
o Increased computational cost: The computational cost of processing high-dimensional
data is significantly higher than processing data with a lower dimensionality. Anomaly
detection algorithms may require more computational resources and time to analyze and
classify instances accurately, affecting the real-time performance of IDS.

To mitigate the curse of dimensionality in IDS, various techniques can be employed:

o Dimensionality reduction: Dimensionality reduction methods aim to reduce the number
of features while preserving the most relevant information. Techniques such as principal
component analysis (PCA) and t-distributed stochastic neighbor embedding (t-SNE) can
be used to reduce the dimensionality of the data, making it more manageable for anomaly
detection algorithms.
o Feature selection: Feature selection techniques help to identify the most informative and
discriminative features that contribute to anomaly detection. By selecting a subset of
relevant features, the curse of dimensionality can be alleviated, reducing computational
complexity and improving detection accuracy.
o Feature engineering: In addition to dimensionality reduction and feature selection, feature
engineering involves transforming or creating new features that better represent the
underlying characteristics of normal and anomalous behavior. This process can help to
extract more meaningful information from the high-dimensional data and enhance the
performance of anomaly detection algorithms.

Overall, addressing the curse of dimensionality in IDS requires careful consideration of data
representation, feature selection, and dimensionality reduction techniques. By reducing the
dimensionality of the data and focusing on relevant features, anomaly detection algorithms can
be more effective in accurately identifying anomalies in high-dimensional data.

2. Concept drift: Concept drift refers to the phenomenon where the underlying data distribution,
which defines what is considered normal or anomalous, changes over time. In the context of
intrusion detection systems (IDS), concept drift poses a significant challenge for anomaly
detection.

In IDS, anomaly detection models are trained on historical data to learn patterns of normal
behavior and identify deviations from those patterns as anomalies. However, the characteristics
of network traffic and system behavior can evolve over time due to various factors such as
changes in network infrastructure, software updates, and emerging attack techniques. As a
result, the learned model may become outdated and less effective in detecting new types of
anomalies.

Concept drift in IDS can occur in different forms:

o Gradual concept drift: In gradual concept drift, the change in the underlying data
distribution is relatively slow and progressive. The statistical properties of the data
gradually shift over time, leading to a gradual degradation in the performance of the
anomaly detection model. This type of concept drift requires continuous monitoring and
adaptation of the model to maintain its effectiveness.
o Sudden concept drift: In sudden concept drift, the change in the underlying data
distribution occurs abruptly and unpredictably. This can happen due to sudden changes in
network conditions, system configurations, or the introduction of new attack techniques.
Sudden concept drift poses a significant challenge as the model needs to quickly adapt to
the new data distribution to accurately detect anomalies.

Addressing concept drift in IDS is essential to maintain the effectiveness of anomaly detection
over time. Several techniques can be employed:

o Online learning: Online learning approaches allow the anomaly detection model to
continuously adapt to new data as it arrives. By updating the model with each new data
point or in small batches, online learning can capture and respond to concept drift in real-
time. Techniques such as incremental learning, ensemble methods, and adaptive models
can be used to achieve online learning.
o Change detection: Change detection techniques monitor the statistical properties of the
data and detect significant changes that indicate concept drift. By periodically comparing
the current data distribution with the historical distribution, these methods can trigger
model retraining or adaptation when a significant change is detected. Statistical methods
like control charts, cumulative sum (CUSUM), and change point detection algorithms
can be used for change detection.
o Ensemble methods: Ensemble methods combine multiple anomaly detection models or
algorithms to improve detection performance and resilience to concept drift. By
aggregating the decisions of multiple models, ensemble methods can adapt to changing
data distributions and make more robust anomaly predictions. Techniques like ensemble
averaging, boosting, and stacking can be applied to create ensemble models.

It is important to note that concept drift detection and adaptation in IDS is an ongoing research
area, and the development of effective techniques to handle concept drift remains an active
research topic.
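The change-detection approach above, worked through as an added Python example (written for this edition, not the chapter's own code): a two-sided CUSUM runs over a constructed stream of per-minute connection counts, learns the in-control mean from an initial window, raises an alarm when the cumulative deviation exceeds a threshold, and then re-estimates the baseline so that the detector follows the new regime instead of flagging every subsequent minute. The counts, the allowance k, the threshold h and the "retrain from the alarm onwards" rule are all assumptions made for the illustration.

```python
import statistics

# Constructed per-minute connection counts: a stable period followed by a sudden
# level shift (as might follow a new service deployment or a change in client behaviour).
STREAM = [50, 48, 52, 49, 51, 50, 47, 53, 50, 49,      # learning window
          51, 49, 50, 52, 48,                          # still in control
          70, 72, 69, 71, 73, 70]                      # level shift


def baseline_mean(stream, window):
    """Estimate the in-control mean from the first `window` observations."""
    return statistics.mean(stream[:window])


def cusum_detect(stream, mu, k, h):
    """Two-sided CUSUM change detection.

    s_pos accumulates deviations above mu beyond the allowance k, s_neg deviations below;
    both are clipped at zero so that normal fluctuation does not build up. Returns the
    first index at which either statistic exceeds h, or None if no change is detected.
    """
    s_pos = s_neg = 0.0
    for i, x in enumerate(stream):
        s_pos = max(0.0, s_pos + (x - mu - k))
        s_neg = max(0.0, s_neg + (mu - x - k))
        if s_pos > h or s_neg > h:
            return i
    return None


def monitor_and_retrain(stream, window, k, h):
    """Detect drift, then re-estimate the baseline from the data after the change point.

    Returns (change index, old mean, new mean); new mean is None when no change was seen.
    Assumption (illustrative): observations from the alarm onwards belong to the new regime.
    """
    mu = baseline_mean(stream, window)
    change = cusum_detect(stream, mu, k, h)
    if change is None:
        return None, mu, None
    return change, mu, statistics.mean(stream[change:])
```

With a 10-minute learning window (mean 49.9), k = 2.5 and h = 20, the in-control minutes never accumulate more than a fraction of a unit, while the shift to about 70 connections per minute trips the alarm on its second observation; the retrained mean is then 71. Choosing k roughly half the smallest shift worth reacting to, and h high enough to suppress alarms on the learning data, is the usual starting point for tuning.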

3. Adversarial attacks: Adversarial attacks in IDS refer to deliberate attempts by adversaries to
exploit vulnerabilities in the system and manipulate its behavior in order to evade detection or
cause misclassification of normal or malicious activities. These attacks are specifically designed
to target the anomaly detection capabilities of IDS and can have serious consequences for the
security of the network.

There are different types of adversarial attacks that can be launched against IDS:

o Evasion attacks: Evasion attacks aim to manipulate the input data in a way that the IDS fails to
detect or correctly classify the malicious activities. Attackers carefully craft the input features to
deceive the IDS into treating them as normal behavior, thus evading detection. Evasion attacks
often involve carefully modifying or adding features to manipulate the decision boundary of the
IDS.
o Poisoning attacks: Poisoning attacks occur during the training phase of the IDS and involve
injecting malicious or manipulated data into the training set. By poisoning the training data,
attackers aim to manipulate the learning process of the IDS, compromising its detection
capabilities. The poisoned data can introduce biases or alter the statistical properties of the
training set, leading to degraded performance or increased false positives/negatives.
o Stealth attacks: Stealth attacks aim to exploit the specific weaknesses or blind spots of the IDS
to remain undetected. These attacks often involve carefully crafted sequences of activities that
exploit temporal or contextual vulnerabilities, making it difficult for the IDS to identify them as
anomalies. Stealth attacks can leverage timing patterns, bursty activities, or sophisticated
evasion techniques to bypass detection.
o Data injection attacks: Data injection attacks involve injecting malicious or unauthorized data
into the network or system monitored by the IDS. These attacks can disrupt the normal
operation of the IDS by overwhelming it with excessive or irrelevant data, triggering false
alarms, or causing system failures. Data injection attacks can exploit vulnerabilities in data
handling mechanisms or target specific weaknesses in the IDS architecture.

Addressing adversarial attacks in IDS is a challenging task. Some strategies and techniques that can
help to mitigate the impact of these attacks include:
o Adversarial training: Adversarial training involves training the IDS on both normal and
adversarial examples to make it more robust against adversarial attacks. By exposing the IDS to
various adversarial scenarios during training, it can learn to recognize and classify adversarial
behavior more effectively.
o Defense mechanisms: Implementing defense mechanisms such as input sanitization, feature
engineering, and anomaly detection ensembles can enhance the resilience of the IDS against
adversarial attacks. These techniques focus on improving the robustness of the IDS to handle
manipulated or malicious inputs.
o Monitoring and response: Continuous monitoring of the network and system activities can help
to detect and respond to adversarial attacks in a timely manner. Real-time analysis, incident
response, and adaptive countermeasures can aid in mitigating the impact of attacks and
preventing further exploitation.
o Collaboration and information sharing: Sharing information and collaborating with other IDS
systems, security researchers, and organizations can help to create a collective defense against
adversarial attacks. Sharing knowledge about attack techniques, patterns, and countermeasures
can lead to more effective defense strategies.

It is worth noting that adversarial attacks and defense mechanisms in IDS are evolving research areas,
and new attack techniques and defense strategies are continuously being developed.
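An added example (not from the original text; all names and values are constructed) of the poisoning attack and the input-sanitization mitigation discussed above: four injected extremes in a 60-sample training window inflate a mean/standard-deviation baseline enough to hide a later burst, while a median/MAD fit, or screening the window with it before the Gaussian fit, keeps the burst detectable.

```python
"""Training-set poisoning against a statistical anomaly baseline, with two
defences: a robust (median/MAD) fit and sanitising the training window before
the Gaussian fit. Added example, not from the original text.

Constructed scenario: an IDS learns a per-host baseline of 'new outbound
connections per minute' from a training window. If an attacker can inject a
few extreme values into that window, a mean/standard-deviation fit absorbs
them: the mean shifts and the standard deviation is inflated, so a later burst
that the clean model would flag now falls inside the widened threshold.
"""
from statistics import mean, median, pstdev
from typing import Dict, List, Tuple

MAD_SCALE = 1.4826  # scales the MAD to estimate sigma for normally distributed data

# Constructed training data: 56 benign samples (a repeating pattern) followed by
# 4 injected samples generated while the baseline was being learned.
CLEAN_WINDOW = [18, 20, 22, 20, 19, 21, 20, 20] * 7
POISON = [80, 80, 80, 80]
POISONED_WINDOW = CLEAN_WINDOW + POISON


def fit_gaussian(window: List[float]) -> Tuple[float, float]:
    """Classic fit: (mean, standard deviation). Every sample moves both estimates."""
    return mean(window), (pstdev(window) or 1.0)


def fit_robust(window: List[float]) -> Tuple[float, float]:
    """Robust fit: (median, scaled median absolute deviation). A minority of
    extreme samples barely moves either estimate; the breakdown point is 50%,
    so it does not help if the attacker controls about half of the window."""
    center = median(window)
    mad = median(abs(x - center) for x in window) * MAD_SCALE
    return center, (mad or 1.0)


def sanitize(window: List[float], z: float = 3.0) -> List[float]:
    """Input sanitisation: screen the window with the robust fit and drop samples
    more than z robust-sigmas from the centre before training the Gaussian model.
    Dropped samples should be kept for analyst review: they are either poisoning
    or real incidents that happened during the learning period."""
    center, scale = fit_robust(window)
    return [x for x in window if abs(x - center) <= z * scale]


def is_anomaly(x: float, center: float, scale: float, z: float = 3.0) -> bool:
    return abs(x - center) > z * scale


def compare_fits(window: List[float], probe: float) -> Dict[str, bool]:
    """Does each model flag `probe` after being trained on `window`?"""
    return {
        "gaussian": is_anomaly(probe, *fit_gaussian(window)),
        "robust": is_anomaly(probe, *fit_robust(window)),
        "sanitized_gaussian": is_anomaly(probe, *fit_gaussian(sanitize(window))),
    }
```

With the poisoned window the Gaussian mean moves from 20 to 24 and its standard deviation from about 1.1 to about 15, so a probe of 40 connections per minute is no longer flagged; the robust and sanitised fits still flag it.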

chapter 6: Psychological Warfare and UAVs


[mh]Influence Operations Using UAVs

Psychological warfare (PSYWAR), or the basic aspects of modern psychological operations (PsyOp),
has been known by many other names or terms, including Military Information Support Operations
(MISO), Psy Ops, political warfare, "Hearts and Minds", and propaganda. The term is used "to denote
any action which is practiced mainly by psychological methods with the aim of evoking a planned
psychological reaction in other people".

Various techniques are used, aimed at influencing a target audience's value system, belief
system, emotions, motives, reasoning, or behavior. It is used to induce confessions or reinforce
attitudes and behaviors favorable to the originator's objectives, and is sometimes combined with black
operations or false flag tactics. It is also used to destroy the morale of enemies through tactics that aim
to depress troops' psychological states.

Target audiences can be governments, organizations, groups, and individuals, and are not limited to
soldiers. Civilians of foreign territories can also be targeted by technology and media so as to cause an
effect on the government of their country.

Mass communication such as radio allows for direct communication with an enemy populace, and
therefore has been used in many efforts. Social media channels and the internet allow for campaigns of
disinformation and misinformation performed by agents anywhere in the world.

Since prehistoric times, warlords and chiefs have recognized the importance of weakening the morale
of their opponents. According to Polyaenus, in the Battle of Pelusium (525 BC) between the Persian
Empire and ancient Egypt, the Persian forces used cats and other animals as a psychological tactic
against the Egyptians, who avoided harming cats due to religious belief and superstitions.

Currying favor with supporters was the other side of psychological warfare, and an early practitioner of
this was Alexander the Great, who successfully conquered large parts of Europe and the Middle East
and held on to his territorial gains by co-opting local elites into the Greek administration and culture.
Alexander left some of his men behind in each conquered city to introduce Greek culture and oppress
dissident views. His soldiers were paid dowries to marry locals in an effort to encourage assimilation.

Genghis Khan, leader of the Mongolian Empire in the 13th century AD, employed less subtle
techniques. Defeating the will of the enemy before having to attack, and reaching a negotiated
settlement, was preferable to facing his wrath. The Mongol generals demanded submission to the Khan
and threatened the initially captured villages with complete destruction if they refused to surrender. If
they had to fight to take the settlement, the Mongol generals fulfilled their threats and massacred the
survivors. Tales of the encroaching horde spread to the next villages and created an aura of insecurity
that undermined the possibility of future resistance.

Genghis Khan also employed tactics that made his numbers seem greater than they actually were.
During night operations he ordered each soldier to light three torches at dusk to give the illusion of an
overwhelming army and deceive and intimidate enemy scouts. He also sometimes had objects tied to
the tails of his horses, so that riding on open and dry fields raised a cloud of dust that gave the enemy
the impression of great numbers. His soldiers used arrows specially notched to whistle as they flew
through the air, creating a terrifying noise.

Another tactic favored by the Mongols was catapulting severed human heads over city walls to frighten
the inhabitants and spread disease in the besieged city's closed confines. This was especially used by
the later Turko-Mongol chieftain.

The Muslim caliph Omar, in his battles against the Byzantine Empire, sent small reinforcements in the
form of a continuous stream, giving the impression that a large force would accumulate eventually if
not swiftly dealt with.

During the early Qin dynasty and late Eastern Zhou dynasty in 1st century AD China, the Empty Fort
Strategy was used to trick the enemy into believing that an empty location was an ambush, in order to
prevent them from attacking it using reverse psychology. This tactic also relied on luck, should the
enemy believe that the location is a threat to them.

In the 6th century BCE, the Greek Bias of Priene successfully resisted the Lydian king Alyattes by
fattening up a pair of mules and driving them out of the besieged city. When Alyattes' envoy was then
sent to Priene, Bias had piles of sand covered with wheat to give the impression of plentiful resources.

This ruse appears to have been well known in medieval Europe: defenders in castles or towns under
siege would throw food from the walls to show besiegers that provisions were plentiful. A famous
example occurs in the 8th-century legend of Lady Carcas, who supposedly persuaded the Franks to
abandon a five-year siege by this means and gave her name to Carcassonne as a result.

During the Granada War, Spanish captain Hernán Pérez del Pulgar routinely employed psychological
tactics as part of his guerrilla actions against the Emirate of Granada. In 1490, infiltrating the city by
night with a small retinue of soldiers, he nailed a letter of challenge on the main mosque and set fire to
the alcaicería before withdrawing.

In 1574, having been informed about the pirate attacks previous to the Battle of Manila, Spanish
captain Juan de Salcedo had his relief force return to the city by night while playing marching music
and carrying torches in loose formations, so they would appear to be a much larger army to any nearby
enemy. They reached the city unopposed.

During the Attack on Marstrand in 1719, Peter Tordenskjold carried out military deception against the
Swedes. Although the account is probably apocryphal, he apparently succeeded in making his small
force appear larger and in feeding disinformation to his opponents, similar to Operations Fortitude and
Titanic in World War II.

The start of modern psychological operations in war is generally dated to World War I. By that point,
Western societies were increasingly educated and urbanized, and mass media was available in the form
of large circulation newspapers and posters. It was also possible to transmit propaganda to the enemy
via the use of airborne leaflets or through explosive delivery systems like modified artillery or mortar
rounds.

At the start of the war, the belligerents, especially the British and Germans, began distributing
propaganda, both domestically and on the Western front. The British had several advantages that
allowed them to succeed in the battle for world opinion; they had one of the world's most reputable
news systems, with much experience in international and cross-cultural communication, and they
controlled much of the undersea communications cable system then in operation. These capabilities
were easily transitioned to the task of warfare.

The British also had a diplomatic service that maintained good relations with many nations around the
world, in contrast to the reputation of the German services. While German attempts to foment
revolution in parts of the British Empire, such as Ireland and India, were ineffective, extensive
experience in the Middle East allowed the British to successfully induce the Arabs to revolt against the
Ottoman Empire.

In August 1914, David Lloyd George appointed a Member of Parliament (MP), Charles Masterman, to
head a Propaganda Agency at Wellington House. A distinguished body of literary talent was enlisted
for the task, with its members including Arthur Conan Doyle, Ford Madox Ford, G. K. Chesterton,
Thomas Hardy, Rudyard Kipling and H. G. Wells. Over 1,160 pamphlets were published during the
war and distributed to neutral countries, and eventually, to Germany. One of the first significant
publications, the Report on Alleged German Outrages of 1915, had a great effect on general opinion
across the world. The pamphlet documented atrocities, both actual and alleged, committed by the
German army against Belgian civilians. A Dutch illustrator, Louis Raemaekers, provided the highly
emotional drawings which appeared in the pamphlet.

In 1917, the bureau was subsumed into the new Department of Information and branched out into
telegraph communications, radio, newspapers, magazines and the cinema. In 1918, Viscount
Northcliffe was appointed Director of Propaganda in Enemy Countries. The department was split
between propaganda against Germany organized by H. G. Wells, and propaganda against the
Austro-Hungarian Empire supervised by Wickham Steed and Robert William Seton-Watson; the attempts of
the latter focused on the lack of ethnic cohesion in the Empire and stoked the grievances of minorities
such as the Croats and Slovenes. It had a significant effect on the final collapse of the Austro-
Hungarian Army at the Battle of Vittorio Veneto.

Aerial leaflets were dropped over German trenches containing postcards from prisoners of war
detailing their humane conditions, surrender notices and general propaganda against the Kaiser and the
German generals. By the end of the war, MI7b had distributed almost 26 million leaflets. The Germans
began shooting the leaflet-dropping pilots, prompting the British to develop unmanned leaflet balloons
that drifted across no-man's land. At least one in seven of these leaflets was not handed in by the
soldiers to their superiors, despite severe penalties for that offence. Even General Hindenburg admitted
that "Unsuspectingly, many thousands consumed the poison", and POWs admitted to being
disillusioned by the propaganda leaflets that depicted the use of German troops as mere cannon fodder.
In 1915, the British began airdropping a regular leaflet newspaper Le Courrier de l'Air for civilians in
German-occupied France and Belgium.

At the start of the war, the French government took control of the media to suppress negative coverage.
Only in 1916, with the establishment of the Maison de la Presse, did they begin to use similar tactics
for the purpose of psychological warfare. One of its sections was the "Service de la Propagande
aérienne" (Aerial Propaganda Service), headed by Professor Tonnelat and Jean-Jacques Waltz, an
Alsatian artist code-named "Hansi". The French tended to distribute leaflets of images only, although
the full publication of US President Woodrow Wilson's Fourteen Points, which had been heavily edited
in the German newspapers, was distributed via airborne leaflets by the French.

The Central Powers were slow to use these techniques; however, at the start of the war the Germans
succeeded in inducing the Sultan of the Ottoman Empire to declare 'holy war', or Jihad, against the
Western infidels. They also attempted to foment rebellion against the British Empire in places as far
afield as Ireland, Afghanistan, and India. The Germans' greatest success was in giving the Russian
revolutionary, Lenin, free transit on a sealed train from Switzerland to Finland after the overthrow of
the Tsar. This soon paid off when the Bolshevik Revolution took Russia out of the war.

[h]World War II

Adolf Hitler was greatly influenced by the psychological tactics of warfare the British had employed
during World War I, and attributed the defeat of Germany to the effects this propaganda had on the
soldiers. He became committed to the use of mass propaganda to influence the minds of the German
population in the decades to come. By calling his movement The Third Reich, he was able to convince
many civilians that his cause was not just a fad, but the way of their future. Joseph Goebbels was
appointed as Propaganda Minister when Hitler came to power in 1933, and he portrayed Hitler as a
messianic figure for the redemption of Germany. Hitler also coupled this with the resonating
projections of his orations for effect.

Germany's Fall Grün plan for the invasion of Czechoslovakia devoted a large part to psychological
warfare aimed at the Czechoslovak civilians and government as well as, crucially, at
Czechoslovakia's allies. It was successful to the point that Germany gained the support of the UK and
France, through appeasement, to occupy Czechoslovakia without having to fight an all-out war,
sustaining only minimal losses in the covert war before the Munich Agreement.

At the start of the Second World War, the British set up the Political Warfare Executive to produce and
distribute propaganda. Through the use of powerful transmitters, broadcasts could be made across
Europe. Sefton Delmer managed a successful black propaganda campaign through several radio
stations which were designed to be popular with German troops while at the same time introducing
news material that would weaken their morale under a veneer of authenticity. British Prime Minister
Winston Churchill made use of radio broadcasts for propaganda against the Germans. Churchill
favoured deception; he said "In wartime, truth is so precious that she should always be attended by a
bodyguard of lies."

Figure: Map depicting the targets of all the subordinate plans of Operation Bodyguard.

During World War II, the British made extensive use of deception – developing many new techniques
and theories. The main protagonists at this time were 'A' Force, set up in 1940 under Dudley Clarke,
and the London Controlling Section, chartered in 1942 under the control of John Bevan. Clarke
pioneered many of the strategies of military deception. His ideas for combining fictional orders of
battle, visual deception and double agents helped define Allied deception strategy during the war, for
which he has been referred to as "the greatest British deceiver of WW2".

During the lead-up to the Allied invasion of Normandy, many new tactics in psychological warfare
were devised. The plan for Operation Bodyguard set out a general strategy to mislead German high
command as to the date and location of the invasion, which was obviously going to happen. Planning
began in 1943 under the auspices of the London Controlling Section (LCS). A draft strategy, referred
to as Plan Jael, was presented to Allied high command at the Tehran Conference. Operation Fortitude
was intended to convince the Germans of a greater Allied military strength than was the case, through
fictional field armies, faked operations to prepare the ground for invasion and "leaked" misinformation
about the Allied order of battle and war plans.

Elaborate naval deceptions (Operations Glimmer, Taxable and Big Drum) were undertaken in the
English Channel. Small ships and aircraft simulated invasion fleets lying off Pas de Calais, Cap
d'Antifer and the western flank of the real invasion force. At the same time Operation Titanic involved
the RAF dropping fake paratroopers to the east and west of the Normandy landings.

Figure: A dummy Sherman tank, used to deceive the Germans.

The deceptions were implemented with the use of double agents, radio traffic and visual deception.
The British "Double Cross" anti-espionage operation had proven very successful from the outset of the
war, and the LCS was able to use double agents to send back misleading information about Allied
invasion plans. The use of visual deception, including mock tanks and other military hardware had
been developed during the North Africa campaign. Mock hardware was created for Bodyguard; in
particular, dummy landing craft were stockpiled to give the impression that the invasion would take
place near Calais.

The operation was a strategic success and the Normandy landings caught German defences unawares.
Continuing deception, portraying the landings as a diversion from a forthcoming main invasion in the
Calais region, led Hitler into delaying transferring forces from Calais to the real battleground for nearly
seven weeks.

[mh]Public Opinion and UAV Deployments

Unmanned aerial vehicles (UAVs), colloquially called drones, are currently the most innovative
element used in support of various industrial sectors. The growth rate of this industrial sector is
catching up with the expansion of the cellular and IT sectors.

UAVs may be used in various types of activities of the public and private sector, namely:

 Public administration: border guards or services providing assistance after disasters or military
services
 Enterprises: monitoring and maintenance of buildings, power companies, construction sites,
agricultural facilities, farms, geological discoveries or aerial photographs
 Clients: deliveries of goods, advertising, guided trips and games

In short, each UAV is assumed to consist of two main components: the aircraft itself and the
terrestrial (or mobile) control station. The aircraft comprises a real-time control system, control
software, an interface module to simplify the exchange of data, sensors connected with the software,
and the avionics. Optionally it may also have a weapons control system (if equipped with weapons) or
an autopilot. The terrestrial control station comprises control software, interface modules and the
controlling person.

Public services such as the fire service carry out their operations in many fields connected with
prevention, rescue and civil protection. This is a great expansion compared with the scope of
obligations of a few decades ago. The dynamics of those changes has required (and still requires)
continuous staff development, modernisation of the equipment base and revision of the solutions
adopted for rescue actions.

Following a certain natural division, selected fire service units are specialised in specific domains:
technical rescue, height rescue, chemical and ecological rescue, etc. There is also an area connected
with the elimination of the consequences of events of greater magnitude. Search and rescue groups may
reach a state of combat readiness within a few dozen hours. If the means and resources of local
communities are insufficient to handle a disaster, the state can formally apply for assistance, which may
be provided, for example, by a heavy urban search and rescue (HUSAR) group, which has the most
extensive scope of competencies and a well-developed equipment base. The activity of such a group is
illustrated by the most recent dispatches of the Polish HUSAR group:

[h]Earthquake in Nepal (May 2015)

Polish rescuers, along with 12 dogs trained to search for survivors and 6 tonnes of equipment, were
deployed to search areas of Nepal devastated by the earthquake. The action lasted 11 days. Almost 9000
persons lost their lives in this incident. Each urban search and rescue group that reached the scene
was assigned a particular area to be searched. Given the size of the disaster, the whole operation
required extremely well-coordinated organisation. In fact, the survival of the victims depended on the
hours that elapsed between the incident and the USAR teams localising them. In total, not many victims
were found alive. It is clear that the most valuable resource in the case of a man-made or natural
disaster, where many victims need to be found and rescued, is time.

[h]Earthquake in Haiti (January 2010)

An earthquake of magnitude 7 on the Richter scale caused a few hundred thousand victims. A group of
Polish rescuers comprising 54 officers and 10 sniffer dogs arrived in Port-au-Prince. High temperatures
hampered the rescuers' work. As many USAR teams had been invited to support the operations,
coordination was a difficult task for the local authorities. The extraordinary damage to the
infrastructure caused significant delays in reaching some areas, especially distant ones, as
accessibility was limited.

The disasters described above took place a few years ago. In both cases, but also in smaller incidents
of regional or national scope, the rescuers were fighting against the toughest enemy: time. It is
impossible to shorten the deployment time, as the equipment must be prepared, members of the USAR
team must gather, and further organisational arrangements must be made. The time necessary to
transport these resources to the scene is also unavoidable. After arrival, reaching the scene might also
be difficult because of damage to the infrastructure. That is why every minute after arrival might be
crucial for the victims' survival. If we cannot shorten the deployment and transportation time described
above, it seems that the most important aspect to be considered is the effectiveness of the search and
rescue operations themselves.

Search and rescue groups are generally considered a type of "elite unit" in the fire service. They
remain in constant readiness, go through training courses lasting several hours and also personally
train their rescue dogs, which are allowed to participate in actions once they have passed a special
exam. Together with equipment such as inspection cameras or geophones, this is a highly effective way
of searching for surviving victims, e.g. in the earthquakes cited above. Can modern technologies
replace those infallible traditional search methods? Absolutely not. Yet quite clearly they may enhance
the effectiveness of the search actions conducted. UAVs are a good example. In times of universal
access to different types of mobile devices, almost every person carries a mobile phone. This could be
used for search purposes. A victim lying under the rubble may have a cell phone which will remain
switched on until the battery is empty, provided it has not been damaged during the event itself. The
telephone will keep trying to connect to the closest base station. The question is: can operating one's
own base station support rescue actions?

The answer to this question is presented in the subsequent subchapters. It should be emphasised that
although this chapter focuses primarily on the use of UAVs in the operations of search and rescue
groups, the proposed solutions can easily be implemented in the activities of other public services,
such as protecting facilities of particular importance, control of state borders, and assuring security
during mass events.

[h]S&R operations: typical activities

Actions of search and rescue groups are implemented according to strictly defined procedures, which
may be basically divided into two categories: local (domestic) and international ones (e.g. under UN
INSARAG). Those procedures regulate, among other aspects, operating readiness, equipment and the
size of groups. In general terms, the operation performed by groups during an action may be divided
into four basic phases:

1. Mobilisation
2. Action
3. Demobilisation
4. End of mission

The second phase (action), which takes place on the area afflicted by the disaster, requires coordination
of actions of all specialised groups present on the spot. To be able to provide effective help to victims,
rescue activities performed on the disaster scene are divided into five consecutive stages:

1. Reconnaissance, including identification of hazards and determination of the size of the hazard
zone
2. Initial determination of the number of missing persons
3. Securing, including lighting of the scene
4. Finding persons present in inaccessible places
5. Reaching victims with the use of available equipment, granting competent first aid, evacuation
of victims and persons at risk from the hazard zone

Each stage should be properly planned and implemented. Among the first steps to be executed on the
scene is the determination of the size of the hazard zone. Given the nature of the activities, in many
cases this stage cannot be executed quickly or accurately. During large-scale building disasters,
caused in particular by earthquakes, the hazard zones are considerable in size, and as a result reaching
and identifying all areas requiring intervention tends, as a rule, to be hindered, for example by the
cutting off of transport routes.

For this reason one method of implementing this task is a surface search, in other words an
accelerated one. It consists of a rapid, extensive surface search of the area afflicted by the disaster in
order to find areas with a high survivability level, such as persons immobilised by minor rubble. This
solution is strictly connected with the restrictions on the number of rescuers.

It is assumed that this state will remain unchanged, i.e. the number of rescuers on the scene will not
be increased, and so, to optimise the search process, it is necessary to deploy increasingly novel
solutions.

[h]Innovations in fire service

Advanced search methods with the use of modern technologies, such as geographic information system
(GIS), rescuers’ communication and positioning systems, thermal vision, modern off-road vehicles or
unmanned aerial vehicles, clearly improve the possibility of effective execution of a rescue action.
Correct and effective search actions may be performed by thorough planning of activities and
maximum usage of the available resources and means.

At present, the modern solutions adopted by specialised search and rescue groups should comprise the
following.

[h]Making use of precise digital maps (GIS) with the GPS technology (or an optional one)

This type of map may take into account all terrain obstacles and the location of available resources
and means, as well as databases on the likely behaviour of missing persons, which in combination with
the local terrain and weather conditions known to professional rescuers from the given region may
significantly accelerate appropriate decisions. Maps should be available at the command post, both
stationary and mobile, to allow handling of the data received from GPS systems (or other systems) with
communication modules and their transfer to the base and to the database serving as the centre of the
GIS. Particular elements may be visualised in the system and accurately identified by type by verifying
the equipment ID and its current position. The map displays the position of rescuers determined from
the signal sent by radiotelephones with an installed GPS receiver. The effectiveness of this type of
solution is nevertheless limited by the need to prepare the maps before the hazard occurs. However,
during actions performed in the same area, this solution gains in effectiveness with the number of
events occurring in the protected area. Consequently, digital maps should be dedicated to rescue groups
protecting a defined area, for example a mountain rescue service.

[h]Ground units used in search and rescue actions

The equipment of search and rescue groups that facilitates the process of searching for and locating
missing persons, as well as their safe evacuation, comprises all types of mechanical vehicles with
diverse types of drive, equipped with wheels or tracks. Novel designs are also being developed in this
respect to support rescuers in their actions. Evacuation may also be carried out by air with the use of
rescue helicopters; nevertheless difficult weather conditions, relatively high operating costs, the lack of
an available landing place or of safe handling of the victims, and the considerably low number of such
units available make it necessary to seek other solutions that are much cheaper and more resistant to
adverse weather and difficult terrain. Such vehicles comprise road vehicles or tracked and wheeled
vehicles, such as off-road vehicles, quads, all-terrain vehicles or amphibians (Figure).

Figure. Example of ground units: (a) a trailer adapted to driving in complex terrain, pulled by a Land
Rover Defender 110, (b) the Swincar all-terrain vehicle and (c) the ARGO 8 × 8 amphibious vehicle in a
tracked and wheeled version.

[h]Unmanned aerial vehicles (UAVs)

The use of unmanned aerial vehicles is becoming increasingly popular in actions performed by rescue
groups. The most frequently used unmanned aerial vehicles are multicopters, which are capable of
vertical take-off and hovering, and airplanes or motor gliders, which take off from roads or a special
catapult. Selecting the appropriate type of UAV entails certain advantages and drawbacks. The main
drawback of multicopters is their available flight time, which as a rule tends to be within the range of
15–60 minutes depending on the battery size. On the other hand, the main advantage of multicopters is
their manoeuvrability, which in combination with a dedicated camera may considerably reduce the
impact of terrain conditions when using a UAV for search activities, and fitting them with thermal
vision cameras allows people to be found even after twilight (Figure). Unmanned aerial vehicles may
also be used for drawing up orthophotos or to provide a close-range view of the scene of actions.

Figure. View from a thermal vision camera mounted on a UAV, looking for missing persons.

[h]A gap for dedicated UAV applications?

The application of modern technologies in rescue is highly desirable. Search and rescue groups, whose
actions are characteristically carried out in difficult terrain conditions, have been found to have
particular needs. Given the increasingly widespread access to modern technologies, growing use is
being made of geolocation technologies and of unmanned aerial vehicles in actions, and consequently
combining both seems a natural next step in the implementation of these solutions in rescue actions.
The MOBNET system follows this trend by using cellular phone signals, the GALILEO system (the
European navigation system, which localises signals with an accuracy of even 10 cm) and unmanned
aerial vehicles. The speed and accuracy of localisation offered by the system, made possible by the
fact that according to the Digital in 2017 Global Overview Report ca. 66% of people worldwide use
their mobile phones every day, are intended to provide a tool to support large-scale search and/or
rescue actions.

Preface

In the ever-evolving landscape of modern conflict, the convergence of unmanned aerial vehicles
(UAVs) and cyber warfare represents a paradigm shift in military strategy and technological
innovation. As nations and non-state actors alike seek to gain strategic advantages in an increasingly
interconnected world, the fusion of aerial platforms with cyber capabilities has emerged as a defining
feature of contemporary warfare. This book delves into the intricate interplay between UAVs and
cyber warfare, exploring the multifaceted dimensions of their integration and the implications for
global security. At the intersection of physical and digital domains, UAVs equipped with sophisticated
sensor arrays and communication systems have revolutionized reconnaissance, surveillance, and
offensive operations. From remote-controlled drones to autonomous aerial vehicles, these unmanned
platforms offer unparalleled versatility and agility, reshaping the dynamics of military engagements
across land, sea, and air. However, with the proliferation of UAV technology comes a new frontier of
vulnerabilities and challenges in cybersecurity. As UAVs rely on interconnected networks for
command, control, and data transmission, they become susceptible to cyber threats ranging from data
breaches to remote hijacking. The exploitation of these vulnerabilities by malicious actors poses
significant risks not only to military operations but also to civilian infrastructure and privacy. Against
this backdrop, this book seeks to provide a comprehensive examination of UAVs in the context of
cyber warfare, addressing key themes such as cybersecurity measures, offensive and defensive
strategies, ethical considerations, and future trends. Through a combination of theoretical analysis, case
studies, and expert insights, it aims to equip readers with the knowledge and critical perspectives
needed to navigate the complex nexus of UAVs and cyber operations. As we stand on the precipice of
a new era of warfare defined by technological prowess and digital resilience, understanding the
capabilities and limitations of UAVs in cyber warfare is paramount. This book endeavors to illuminate
this evolving landscape, offering a timely and indispensable resource for scholars, policymakers,
military practitioners, and anyone concerned with the intersection of technology and security in the
21st century.

About the book

In contemporary warfare, the integration of unmanned aerial vehicles (UAVs) and cyber warfare marks
a significant shift, reshaping military strategies and technological advancements. This book explores
the intricate relationship between UAVs and cyber warfare, investigating how these technologies
intersect and influence global security dynamics. UAVs, ranging from remote-controlled drones to
autonomous systems, have revolutionized reconnaissance, surveillance, and offensive capabilities,
operating across diverse environments with unparalleled agility. However, alongside their
advancements, UAVs introduce new vulnerabilities in cybersecurity. Reliant on interconnected
networks for communication and control, they become susceptible to cyber threats such as hacking and
data breaches, posing risks to both military operations and civilian infrastructure. This book aims to
provide a comprehensive examination of UAVs within the context of cyber warfare, addressing topics
like cybersecurity measures, offensive and defensive strategies, ethical implications, and future trends.
Through theoretical analysis, case studies, and expert insights, it seeks to equip readers with the
understanding needed to navigate this complex landscape. As we enter a new era of warfare defined by
technological innovation and digital resilience, grasping the capabilities and challenges of UAVs in
cyber warfare becomes increasingly crucial. This book serves as an essential resource for scholars,
policymakers, military professionals, and anyone interested in the evolving intersection of technology
and security.
