Development and Testing of An Intrusion Detection System For Unmanned Aerial Systems

The document discusses developing and testing an intrusion detection system for unmanned aerial vehicles. It covers what an IDS is and why UAVs need one. It also discusses challenges in testing IDSes for UAVs due to their interaction with the real world and varied sensor data.

Uploaded by

sowmya joshi

Development and Testing of an Intrusion Detection System for Unmanned Aerial Systems


Jeremy Straub
Department of Computer Science
North Dakota State University
Fargo, ND, USA
[email protected]

978-1-5386-0365-9/17/$31.00 ©2017 IEEE

Abstract—This paper discusses the development, testing and prospective use of an intrusion detection system (IDS) for unmanned aerial vehicles (UAVs) and systems (UASs). Intrusion detection systems are typically used in computer networking and other applications to detect and respond to attempts to compromise computers, servers, firewalls and other network resources. In the context of the development of an IDS for UAV/UAS applications, several topics are considered. These include what an IDS is and how it is used, why UAVs/UASs need an IDS and attack detection expectations for IDSs used in UAV/UAS applications. Because UAVs and UASs operate in the real world, with numerous and varied sensory inputs, testing and validation of these systems is particularly problematic. IDS training challenges and the use of automated training to validate UAV/UAS IDS systems is, thus, a major consideration and covered. The use of adaptive testing, in particular, is discussed.

Keywords—unmanned aerial vehicle, unmanned aerial system, UAV, UAS, intrusion detection systems, automated testing, testing automation, adaptive testing, autonomous testing

I. INTRODUCTION

In [1], work on the development of an intrusion detection system and its automated testing was presented. This paper builds upon this previous work (while re-presenting a significant amount of it to provide context) and discusses its application to the domain of unmanned aerial systems.

Unmanned aerial systems (UASs) provide significant capabilities in numerous application areas. They have been used to capture real estate photographs, study wildlife and survey fields. In these applications, a malfunction or command or control failure poses minimal danger. However, in numerous other applications (such as sports photography, law enforcement uses, military applications and even recreation), drone failure can result in the potential for significant injury.

In addition to the potential for an accidental mishap or inadvertent or negligence-attributable failure, there is a very real potential for the command systems to be attacked. These attacks may target the command and control software and system onboard the unmanned aerial vehicle (UAV), ground control (or, in the longer term, traffic coordination) stations or the data link between the craft and the ground. Breaching (or denying access to) any of these points could potentially have catastrophic results.

If the attacker is able to gain control of the craft (instead of just influencing or impairing it), he or she has the potential to be able to turn the craft into a targeted munition.

In addition to the obvious safety and mission implications, breaches will erode public trust in UASs and deny society some or all of the benefits that they can offer.

Intrusion detection systems (IDSs) have historically been used to identify prospective attacks on networks and networked resources. To do this, they identify attacks by signature, by sensing the presence of an abnormal behavior or by sensing the absence of a desired normal behavior. More recently, IDSs have been proposed for use by cyber-physical systems, which also interact with the real-world environment. These systems introduce a multitude of new types of data to prospectively process to detect attacks and other undesirable behavior. The introduction of this wealth of data, while necessary for system functionality, increases the complexity of the systems exponentially and makes the assurance of the system’s performance problematic.

Intrusion Detection Systems (IDSs) have been used in network security for some time to detect security breaches. In this context, they look for suspect patterns of network traffic, server loads and other tell-tale signs that something is amiss. These same symptoms are relevant to UAS applications; however, they represent only a part of the data that an IDS is able to consider.

With any cyber-physical system (a software-hardware system that interacts with the real world), the nature of these interactions can be taken into account when looking for prospective attacks. Instead of just analyzing traffic data, commands, mission expectations, UAV behavior and other factors can be juxtaposed. The system can search for symptoms of particular attacks, the presence of unexpected behaviors and/or the absence of expected behaviors.

This paper proposes the use of intrusion detection systems for UAVs and UASs and discusses how to test these systems, building off previous work related to UAV/UAS testing presented in [2]. Formal verification is not possible, as the systems must consume real-world data from sensors (which may have their own idiosyncrasies, failure modes and other limitations). Given the multitude of types of data that the system may be subjected to and a very real potential that an
attacker may attempt to supply data to explicitly deceive the system (to cover an attack or trigger an IDS warning / response in the absence of an attack), testing under a broad variety of conditions is required.

A Blackboard Architecture [3] (a technique where an expert systems-like framework is used to make data-driven decisions and trigger actions, using an adaptable rule-fact-action network) based system is proposed that combines these three types of detection. The proposed system would be multi-homed, with capabilities located on both the UAV and ground control / coordination systems. It uses the concept of partial membership (where a value is not simply categorized as true or false, but the level of belief in its status is maintained) to allow it to weigh levels of alarm across the three detection paradigms (and between individual detection mechanisms within each area).

The system also incorporates a ruleset to allow it to respond to detected intrusions (and intrusion-like anomalies). This ruleset is also membership-level aware, allowing responses to be shaped not only by what is believed to be occurring, but also the severity of the occurrence and level of trust in the identification of the attack.

An autonomous testing unit is proposed and detailed which is trained with data collected from normal, abnormal non-attack and simulated attack conditions. This training data is used to populate a base set of tests which are then modified via an expert system rule set and both random and intentional manipulation to generate scenarios. These scenarios are presented (via simulation) to the IDS under test and its actions are recorded. As IDSs are also (typically) learning systems, a mechanism is provided to supply the IDS with feedback regarding the simulated attack, facilitating its own learning. The IDS testing automation system is capable of running tests in both real time and on a faster-than-real-time, turn-based basis to facilitate both rapid testing and training of the IDS, respectively.

II. BACKGROUND

This section, reprinted with modifications from [2], discusses the use of autonomous testing to ensure the success of an autonomous system. For systems of any size and complexity, an efficient method of validation is required. A sufficient number of test cases need to be developed in order to show that the system can perform acceptably in the real world environment in which it was designed to operate. There is a significant body of research related to validation and test case generation techniques for artificial intelligence systems and their evaluation. Existing work in four areas (testing artificial intelligence systems using test cases, artificial intelligence-based test case generation, testing as a search problem, and software and artificial intelligence failures) is now reviewed.

A. Testing Artificial Intelligence (AI) with Test Cases

An intrusion detection system is an application of AI techniques to cyber security. One of the most basic forms of testing an autonomous system is with manually generated test cases. This involves a human tester creating scenarios that will be presented to the AI, or under which the performance of the AI will be evaluated. Feigenbaum [4], for example, reviewed artificial intelligence systems designed for diagnosis based on medical case studies and concluded that the modularity of the “Situation ⇒ Action” technique allowed for rules to be changed or added easily as the expert’s knowledge of the domain grew. This allowed more advanced cases to be used for validation.

Chandrasekaran [5] suggests that the evaluation of an AI must not be based only on the final result. In [5], an approach to the validation of Artificial Intelligence Medical (AIM) systems for medical decision-making is presented. The paper also examines some of the problems encountered during AIM evaluations. During performance analysis of AI systems, evaluating success or failure based upon the final result may not show the entire picture. Intermediate execution could show acceptable results even though the final result is unsatisfactory. Evaluating important steps in reasoning can help alleviate this issue.

Another example of AI testing with test cases is presented by Cholewinski et al. [6] who discuss the Default Reasoning System (DeReS) and its validation through test cases derived from TheoryBase, a benchmarking system “designed to support experimental investigations of nonmonotonic reasoning systems based on the language of default logic or logic programming”. Through the use of TheoryBase-generated default theories, DeReS was shown to be a success. Cholewinski et al. also proffer that TheoryBase can be used as a standalone system and that any non-monotonic reasoning system can use it as a benchmarking tool.

Brooks [7] comments on the use of simulation testing. In [7] the possibility of controlling mobile robots with programs that evolve using artificial life techniques is explored. Brooks has not implemented or tested the ideas presented; however, some intriguing notions regarding simulation and testing of physical robots are discussed. Using simulated robots for testing, before running the programs on physical robots, has generally been avoided for two reasons [8]–[10]: First, for real-world autonomous systems, there is a risk that the time involved in resolving issues identified in a simulated environment will be wasted due to dissimilarities between the types of events occurring in simulation versus the real operating space. Second, emulating real-world dynamics in a simulated environment is difficult due to differences in real world sensing. This increases the chance of the program behaving differently in the real world. The use of simulated robots for testing may uncover basic issues impairing a control program. However, this approach tends not to uncover some problems encountered when tested in a real-world environment.

The previous studies have related to validation methods and test cases used to assess AI systems designed for practical or complex tasks in everyday life. Billings et al. [11], alternately, explore the use of an AI designed for competition rather than the performance of particular jobs. Poki is an AI driven program built as an autonomous substitute for human players in world-class poker tournaments (specifically, Texas Hold’em tournaments). In poker, players are constantly
adapting across playing many hands. Two methods are discussed to validate the program: self-play and live-play.

Self-play tests are a simple method of validation where an older version of the tested program is pitted against the current version. This allows a great variety of hands to be played in a short amount of time. Live-play tests seek to alleviate this problem and are, thus, considered by Billings et al. as essential for accurate evaluation. Implementing the poker AI as part of an online game is one of the more effective ways to test performance, as thousands of players are able to play at any given time.

In testing Poki, Billings et al. tested each version of the program for 20,000 hands using the average number of small bets won per hand as a performance measurement before translating the results.

The work done on the Poki poker system shows that validating an AI through testing its function against another AI (itself in this case) is a helpful tool for evaluating system performance. Real world application test cases are also shown to be critical in validating the utility of the AI-based validation process.

B. AI Test Case Generation

While manual test case generation may be suitable for a system where the scope of performance is limited, systems that have to operate in a real-world environment, such as intrusion detection systems, must function under a large variety of systems. Given this, a more efficient approach to test case generation is desirable.

Dai, Mausam and Weld [12] deal with a similar problem, except in the context of evaluating human performance on a large scale. They look at using an AI adaptive workflow, based on their TurKontrol software, to increase the performance of a decision making application. Their workflow controller is trained with real world cases from Amazon’s Mechanical Turk. Mechanical Turk utilizes humans to perform repetitive tasks such as image description tagging. For this, a model of performance and iterative assessment is utilized to ensure appropriate quality. Through autonomously determining whether additional human review and revision was required, TurKontrol was able to increase quality performance by 11%. Dai, Mausam, and Weld note that the cost of this increased performance is not linear and that an additional 28.7% increase in cost would be required to achieve a level of comparable performance.

The work performed by Dai, Mausam, and Weld provides an implementation framework for autonomously revising AI performance, based upon their work in assessing and refining human performance. The approach can be extended to incorporate AI workers and evaluators, for applications where these tasks can be suitably performed autonomously.

Pitchforth and Mengersen [13] deal with the problem of testing an AI system. Specifically, they look at the process of validating a Bayesian network, which is based on data from a subject matter expert. They note that previous approaches to validation either involved the comparison of the output of the created network to pre-existing data or relied upon an expert to review and provide feedback on the proposed network. Pitchforth and Mengersen proffer, however, that these approaches fail to fully test the networks’ validity.

While Pitchforth and Mengersen do not provide a specific method for the development of use and test cases, their analysis of the validation process required for a Bayesian network informs the process of creating them. It appears that use cases are relevant throughout their validation framework and test cases are specifically relevant to the analysis of concurrent and predictive validity. Moreover, the convergent and divergent analysis processes may inform the types of data that are required and well suited for test case production.

The use of AI in software development and debugging is also considered by Wotawa, Nica, and Nica [14], who discuss the process of debugging via localizing faults. Their proposed approach, based on model-based diagnosis, is designed to repetitively test a program or area of code to determine whether it functions properly. To this end, they propose an approach that involves creating base test cases and applying a mutation algorithm to adapt them.

While Wotawa, Nica, and Nica’s work is quite limited (as they note) in the context of line-by-line review of program code, the fundamental concept is exceedingly powerful. Input parameters can be mutated extensively without having to create a mechanism to generate an associated success condition.

AdiSrikanth et al. [15], on the other hand, deal with a more generalizable approach. They propose a method for test case creation based upon an artificial bee colony algorithm. This algorithm is a swarm intelligence approach where three classes of virtual bees are utilized to find an optimal solution: employed, onlookers, and scouts. Bees seek to identify “food sources” with the maximum amounts of nectar.

In the implementation for optimizing test cases, a piece of code is provided to AdiSrikanth et al.’s tool. This software creates a control flow graph, based on the input. The software then identifies all independent paths and creates test cases, which cause the traversal of these paths. Optimization is achieved via a fitness value metric.

This work demonstrates the utility of swarm intelligence techniques for test case generation and refinement. AdiSrikanth et al., regrettably, fail to consider the time-cost of their proposed approach. While an optimal solution for a small program can be generated fairly quickly, the iterative approach that they utilize may be overly burdensome for a larger codebase.

Similar to the bee colony work performed by AdiSrikanth et al. is the ant colony optimization work performed by Suri and Singhal [16]. Suri and Singhal look at using ant colony optimization (ACO) for performing regression analysis. Specifically, they look at how regression tests should be prioritized to maximize the value of regression testing, given a specific amount of time to perform the testing within.

The time requirements for ACO-selection-based execution ranged between 50% and 90% of the time required to run the full test suite. It appears that the average is around the 80% mark.
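
The base-test-case-plus-mutation idea reviewed in this subsection, applied to the IDS testing unit the introduction proposes (seed data from normal, abnormal non-attack and simulated attack conditions, modified randomly and intentionally). This is an added example, not code from the paper; the detector under test, the two telemetry fields, the thresholds and the seed values are all hypothetical and constructed for illustration.

```python
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    is_attack: bool          # ground truth, inherited unchanged by every mutant
    off_route_m: float       # distance from the planned route (assumed field)
    heartbeat_age_s: float   # time since last ground-station heartbeat (assumed field)


# Constructed seed data, one scenario per condition class (not real measurements).
SEEDS = [
    Scenario("normal-cruise", False, 20.0, 1.0),
    Scenario("crosswind", False, 480.0, 1.5),     # abnormal, but not an attack
    Scenario("sim-hijack", True, 900.0, 12.0),    # simulated attack
]


def ids_under_test(s):
    """Hypothetical stand-in for the IDS under test: two fixed thresholds."""
    return s.off_route_m > 500.0 or s.heartbeat_age_s > 10.0


def scaled(seed, factor, suffix):
    """Derive a scenario whose symptoms are the seed's multiplied by factor."""
    return replace(seed, name=f"{seed.name}-{suffix}",
                   off_route_m=seed.off_route_m * factor,
                   heartbeat_age_s=seed.heartbeat_age_s * factor)


def random_mutants(seed, rng, n, jitter=0.10):
    """Random manipulation: independent +/-10% noise on each reading."""
    return [replace(seed, name=f"{seed.name}-rand{i}",
                    off_route_m=seed.off_route_m * (1 + rng.uniform(-jitter, jitter)),
                    heartbeat_age_s=seed.heartbeat_age_s * (1 + rng.uniform(-jitter, jitter)))
            for i in range(n)]


def intentional_mutants(seed, steps=5):
    """Intentional manipulation: weaken an attack seed's symptoms in 10% steps."""
    if not seed.is_attack:
        return []
    return [scaled(seed, 1 - k / 10, f"stealth{k}") for k in range(1, steps + 1)]


def run_campaign(detector=ids_under_test, rng_seed=7, n_random=50):
    """Present seeds and mutants to the detector and record its mistakes.

    No per-test success condition is written: the seed's label is the oracle.
    """
    rng = random.Random(rng_seed)
    scenarios = list(SEEDS)
    for seed in SEEDS:
        scenarios += random_mutants(seed, rng, n_random)
        scenarios += intentional_mutants(seed)
    fp = [s.name for s in scenarios if detector(s) and not s.is_attack]
    fn = [s.name for s in scenarios if not detector(s) and s.is_attack]
    return {"total": len(scenarios), "false_positives": fp, "false_negatives": fn}


def detection_boundary(seed, detector=ids_under_test, iters=20):
    """Adaptive step: bisect for the weakest symptom scale still detected.

    Assumes the attack is missed at scale 0, detected at scale 1, and that
    detection is monotone in the scale factor.
    """
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        if detector(scaled(seed, mid, "probe")):
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    report = run_campaign()
    print(report["total"], "scenarios presented")
    print("false negatives:", report["false_negatives"])
    print("false positives:", len(report["false_positives"]))
    print("detected down to scale %.3f" % detection_boundary(SEEDS[2]))
```

The false-negative and false-positive lists are the feedback a learning IDS would be given after the run; the bisection shows how an adaptive tester narrows in on the region where the detector's behaviour changes.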
A more general view is presented by Harman [17], who reviews how artificial intelligence techniques have been used in software engineering. He proffers that three categories of techniques have received significant use: optimization and search, fuzzy reasoning, and learning. The first, optimization and search, is utilized by the field of “Search Based Software Engineering” which converts software engineering challenges into optimization tasks. Fuzzy reasoning is used by software engineers to consider real-world problems of a probabilistic nature. Finally, with “Search Based Software Engineering” (SBSE) the wealth of solution-search knowledge in the AI optimization domain is brought to bear on software engineering problems. Harman proffers that the continued integration of AI techniques into software engineering is all but inevitable, given the growing complexity of modern programs.

C. Testing as a Search Problem

Validation can also be conceived of as a search problem. In this case, the search’s ‘solution’ is a problem in the system being tested. Several search approaches relevant to this are now reviewed. The use of these approaches in testing in most cases remains to be tested and future work in this area may include the comparison of these approaches and their evaluation in terms of performance across various testing applications.

Pop et al. [18], for example, present an enhancement of the Firefly search algorithm that is designed to elicit optimal, or near-optimal, solutions to a semantic web service composition problem. Their approach combines the signaling mechanism utilized by fireflies in nature with a random modification approach.

Pop et al. compare the firefly solution with a bee-style solution. The bee-style solution took 44% longer to run, processing 33% more prospective solutions during this time. The firefly approach had a higher standard deviation (0.007 versus 0.002). Pop et al. assert that their work has demonstrated the feasibility of this type of approach.

Shah-Hosseini [19] presents an alternate approach, called the Intelligent Water Drop (IWD) approach, to problem solving that utilizes an artificial water drop with properties mirroring water drops in nature. Two properties of water drops are important. The first important aspect is its soil carrying capability. The water drops, collectively, pick up soil from fast-moving parts of the river and deposit it in the slower parts. Second, the water drops choose the most efficient (easiest) path from their origin to their destination. The IWD method can be utilized to find the best (or near-best) path from source to destination. It can also be utilized to find an optimal solution (destination) to a problem that can be assessed by a single metric. Duan, Liu, and Wu [20] demonstrate the IWD’s real-world application in the application of route generation and smoothing for an unmanned combat aerial vehicle (UCAV).

Yet another search technique is presented by Gendreau, Hertz, and Laporte [21] who discuss an application of a metaheuristic improvement method entitled the Tabu Search, which was developed by Glover [22], [23]. This approach takes its name from the use of a ‘Tabu List’, which prevents redundant visits to recently visited nodes via placing them on a list of nodes to avoid. The approach is open-ended and allows exploration of less-optimal-than-current solutions to allow the search to leave local minimums in search of the global minimum.

Fundamentally, as an improvement method, the Tabu Search visits adjacent solutions to the current solution and selects the best one to be the new current solution. Because of this, it can be initialized with any prospective solution (even an infeasible one). Gendreau, Hertz, and Laporte evaluate this search in the context of TABUROUTE, a solution to the vehicle routing problem. They conclude that the Tabu Search outperformed the best existing heuristic-based searches and that it frequently arrives at optimal or best known solutions.

Finally, Yang and Deb [24] propose a search based upon the egg-laying patterns of the cuckoo. This bird lays eggs in the nests of other birds of different species. The bird that built the nest that the cuckoo lays its egg in may, if it detects that the egg is not its own, destroy it or decide to abandon the nest. The Cuckoo Search parallels this. Each automated cuckoo creates an egg, which is a prospective problem solution, which is placed into a nest at random. Some nests that have the generation’s best solutions will persist into the next generation; a set fraction of those containing the worst performing solutions will be destroyed. There is a defined probability of each nest being destroyed or the egg removed (paralleling the discovery of the egg by the host bird in nature). New nests are created at new locations (reached via Levy flights) to replace the nests destroyed (and maintain the fixed number of nests).

Walton, Hassan, Morgan, and Brown [25] refine this approach. Their Modified Cuckoo Search incorporates two changes designed to increase the speed of convergence at an optimal solution. First, they change the distance of the Levy flight from a fixed value to a value that declines on a generation-by-generation basis, with each generation having a value that is the initial value divided by the square root of the generation. Second, they create a mechanism to seed new eggs that are based upon the best currently known performing eggs. To do this, a collection of top eggs is selected and two of these eggs are selected for combination. Walton, Hassan, Morgan, and Brown assert that the Modified Cuckoo Search outperformed the Cuckoo Search in all test cases presented and that it also performed comparably to or outperformed the Particle Swarm Optimization approach.

Bulatovic, Dordevic, and Dordevic [26] demonstrate the utility of the Cuckoo Search to real-world problems. They utilize it to optimize 20 design variables as part of solving the six-bar double dwell linkage problem in mechanical engineering. Gandomi, Yang, and Alavi [27] demonstrate its utility on a second set of real-world problems related to design optimization in structural engineering.

D. Software and AI Failures

The need for verification and validation of AI systems is now reviewed. Clearly, not all systems require the same level of extensive validation. The impact and likelihood of systems’ failure are key considerations in determining how much testing and other validation is required. Halawani [28] proffers that too much reliance is placed in software, including artificial
intelligence control systems. Several examples of highly impactful failures illustrate and support this. A nearly-catastrophic error occurred in 1983 when software running a Soviet early warning system misidentified sunlight reflection from clouds as a prospective U.S. missile strike [28], [29]. The Mars Climate Orbiter, a $125 million spacecraft, crashed due to a units mismatch between two systems [28], [30]. One was using and expecting metric units, while the other used and expected imperial units. A similar (easily correctable if caught) issue resulted in the loss of the Mariner I probe [28], [31]. The initial 1996 launch of the Ariane 5 rocket failed due to an integer conversion issue at a cost of approximately one-half billion dollars [28], [29]. A radiation therapy machine, the Therac-25, subjected two patients to lethal doses of radiation during a treatment [28], [32].

E. Blackboard Architecture

This section, reprinted with minor revisions from [33], provides an overview of the Blackboard Architecture developed by Hayes-Roth in 1985 [3] (based on the Hearsay-II system [34], [35]). This architecture expands the capabilities of an expert system (see [36]) to include actuation, in addition to typical decision/recommendation-making capabilities. The basic premise of the Blackboard Architecture was that two rule / fact / action networks would be utilized. One would deal with decisions specific to the problem domain, while the other would deal with control decision-making. Applications in homeland security [37], robotics [38], data fusion [39], production scheduling [40] and software testing [41], in addition to numerous other areas, have been demonstrated. Work has also been performed to allow the architecture to operate in a distributed manner [42], [43]. This has included the development of storage mechanisms [44], [45], a hierarchical analysis approach [46] and communications [47] / replication [48] mechanisms.

III. WHAT IS AN INTRUSION DETECTION SYSTEM?

Intrusion detection systems (IDSs) [49], [50] are used to detect network attacks. They typically look for the presence or absence of patterns. This includes a pattern that matches a known attack (i.e., an attack signature), elements that don’t match a pattern of normal behavior and the lack of elements of a pattern of normal behavior. When an anomaly is found, they can take action to alert a user / administrator and / or take further action on their own in response.

IDSs can be used to protect high-value systems or network segments. They can be on the device that they’re monitoring for intrusion. They can be on a device that observes the device or network segment that they’re monitoring for intrusions. IDSs can serve both as early warning systems and last lines of defense. They can be placed to monitor the perimeter of a network for early signs of attack. They can be placed to watch key areas of a network or key systems to ascertain when a breach has occurred.

IV. IDS CHALLENGES

Intrusion detection isn’t absolute. IDSs can provide both false positive and false negative reports of a network intrusion. Some IDSs draw conclusions about whether an attack had/has not occurred and can even take actions in response to a believed attack. Other IDSs leave conclusions and actions up to human administrators and just issue reports / alerts when conditions dictate. Even with a believed intrusion and an IDS that is empowered to take responsive actions, typically more analysis of the intrusion is required beyond the initial identification. This includes confirming the assertion of the attack occurring and learning more about the attack (to target the response and prepare for similar or derivative attacks in the future).

Testing the basic software functionality of an IDS is relatively easy. To do this, one must test its scanning capabilities, test its pattern recognition capabilities, test its notification capabilities and test other relevant portions of the software. After this, one may know that the software is working as expected. However, this doesn’t answer the question of whether the system works or not or whether the system learns effectively. The system must also be given training to perform well right out of the box (or shortly thereafter) and to be useful while it is learning more about its environment.

V. DEVELOPMENT OF A UAV/UAS IDS

The use of an intrusion detection system for UAV and UAS applications presents a number of challenges. The first is the distributed nature of the UAV / UAS application, itself. To be effective, an attack should be able to be detected at any part of the network and responded to with knowledge of this initial detection at all parts of the network.

A distributed Blackboard paradigm is, thus, required for this. Figure 1 demonstrates this concept, for a control application. However, irrespective of its use for control (or not), a distributed Blackboard approach is needed for the IDS.

Figure 1. Distributed Control Using a Blackboard Architecture (adapted from [33]).

A number of paradigms for implementing a distributed Blackboard Architecture have been proposed (see [51] for one approach and a discussion of others). In addition to data
synchronization, the IDS must have the capability to detect attacks upon the UAVs and UASs it is protecting.

Unlike conventional network applications, intrusions into UAV/UAS systems may have both network and physical movement symptoms. The recognition of network symptoms is well established in prior work. In [33], an IDS was proposed for use by a multi-tier architecture (including UAVs, satellites and ground craft) which is applicable to the UAV IDS challenge. The key contribution of this work is the identification of attack symptoms from non-network characteristics.

Figure 4 presents this system, which considers information including position, proximity, radio frequency (RF) handshakes, commands being received and status information to enable the UAV / UAS to make an informed and context-aware decision regarding whether it is operating under normal or attack conditions.

In the latter (attack) case, the system can then take pre-programmed response actions. These can include disregarding some commands, requiring enhanced identification and authentication for some commands, changing its engagement posture and other potential types of response. Adaptive response techniques may also be considered. This is a topic that will require extensive future work.

A key consideration in each response technique that is implemented is to ensure that a pathway for manual intervention remains, should the UAV / UAS incorrectly ascertain that it is being attacked. The use of one-time override codes (or similar) that are not automatically generated (and thus difficult to predict) may be suitable for this.

Figure 4. Blackboard Architecture Based Intrusion Detection System [33].
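One way to realize the decision and response flow described above, as an added Python example (not code from the paper or from [33]): sensor knowledge sources post facts to a shared blackboard, a rule counts attack symptoms, and commands are filtered in the attack posture while a one-time operator override stays available. The thresholds, command names, the two-symptom rule and the override code format are constructed assumptions.

```python
import hashlib
import hmac
import math

# Constructed thresholds and command names; none come from the paper or from [33].
MAX_OFF_PLAN_M = 500.0
MIN_SEPARATION_M = 30.0
HIGH_RISK = {"RELEASE_PAYLOAD", "CHANGE_HOME", "DISABLE_FAILSAFE"}

def digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

class Blackboard:
    """Shared fact store: sensor knowledge sources post facts, rules read them."""

    def __init__(self, override_codes):
        self.facts = {}
        # Operator-chosen one-time codes, stored hashed; not derived by any algorithm.
        self.unused = {digest(c) for c in override_codes}

    def post(self, key, value):
        self.facts[key] = value

    def symptoms(self):
        f, found = self.facts, []
        if math.dist(f["position"], f["planned_position"]) > MAX_OFF_PLAN_M:
            found.append("off_plan_position")
        if f["nearest_unknown_m"] < MIN_SEPARATION_M:
            found.append("unknown_craft_close")
        if not f["rf_handshake_ok"]:
            found.append("rf_handshake_failed")
        if f["status"] != "nominal":
            found.append("abnormal_status")
        return found

    def under_attack(self):
        # Assumed rule: one symptom may be a sensor fault, two or more
        # independent symptoms switch the craft to its attack posture.
        return len(self.symptoms()) >= 2

    def handle_command(self, command, override_code=None):
        if not self.under_attack():
            return "execute"
        if override_code is not None:
            d = digest(override_code)
            hit = next((u for u in self.unused if hmac.compare_digest(u, d)), None)
            if hit is not None:
                self.unused.discard(hit)      # manual pathway; each code works once
                return "execute_override"
        return "disregard" if command in HIGH_RISK else "require_enhanced_auth"
```

A single failed RF handshake leaves the craft in its normal posture here; adding an off-plan position moves it to the attack posture, where only a still-unused override code lets a high-risk command through.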


VI. AUTOMATED TESTING

The IDS of a UAV / UAS is, as the previous section shows,
not just dealing with network data. While network data is
more easily and accurately sensed, sensing of the real world
poses numerous challenges. Inaccurate data, thus, is a
significant threat to UAV/UAS operations, whether it is being
incorrectly sensed due to a system error, unusual terrain and
other conditions or due to an attempt to confuse the UAV /
UAS as part of an attack strategy.

Inaccurate data is also a threat to the IDS, as this inaccurate
data can cause the IDS to take inappropriate actions or fail to
take appropriate ones. A testing plan for an IDS that will
operate in the real world, such as a UAV / UAS IDS, must thus
incorporate mechanisms to ensure the system’s performance
under numerous operating conditions, including those with
equipment deterioration and other system issues. Automated
and particularly adaptive automated testing present a solution
to this problem. Under this paradigm, testers create a sandbox,
provide input and evaluate the responses. Figure 1 depicts this.

Figure 2. Automated Testing Process.

Automated adaptive testing can further advance the
achievement of the testing goals. It adjusts the test scenarios
programmatically, based on the change in results. It avoids
spending a lot of time in areas where the software is shown to
be working well. It refines the testing focus by exploring new
untested areas. It also refines the testing focus by targeting
testing on areas where performance seems to be getting worse
or moving towards failure.

Figure 3. Adaptive Automated Testing Process.

VII. ADAPTIVE TESTING AS TRAINING

In addition to testing system performance, the automated
testing system can supply inputs that can be used to facilitate
machine learning. When using the testing system in this way,
care must be taken to ensure that these inputs are accurate.
Relevant patterns, including attack definitions, desirable and
undesirable behaviors, and such, must be presented. Care must
also be taken not to train away functionality by providing
inaccurate or otherwise problematic inputs. As an added
benefit, while being used for training, the testing system is
also learning about the system under test and how to better
test it. Multiple AI and computational intelligence techniques
can be used for both systems (see [2] for more details).

VIII. USE OF REAL WORLD ‘SEED’ DATA

Data from normal, abnormal (attack) and non-attack
abnormal conditions can be used as an input to the system for
training and testing. Data can be automatically modified to
create multiple dissimilar, but derivative, scenarios to train from
and use for testing. A similar automated training process may
be needed for some systems that are entirely learning-based
(i.e., no definitions are used) to rapidly acclimate them to new
desired behaviors (i.e., system use changes) and to help them to
recognize new types of attack.

IX. AUTOMATED ATTACKS & DEFENSES

Significant discussion has surrounded the use of AI systems
and automation for attacks against cybersecurity and network
security mechanisms and systems. Many of these attack
paradigms make use of methodologies from the testing and
automated testing community. Fundamentally, attackers are
trying to find a defect in the system (a testing activity) and
exploit it. Detection systems can be trained by an automated
security testing system that is similarly looking for defects.
Multiple testing systems / methodologies can be used during
this training to aid in the detection of different attack
methodologies.

Over time, the attack / defense process may grow to a speed
where human response times are too slow to be effective
against an adversary (see [52] for a discussion of this problem
in a different context). In this circumstance, IDS training and
verification of functionality and efficacy will need to be
conducted automatically to keep pace with the enemy.

X. CONCLUSION

This paper has discussed the use of automated testing and
training for an intrusion detection system. It has explained
how, in many environments and circumstances, the use of
automated testing to train and test an IDS makes sense. The
development of an automated IDS testing system is not just
useful now but also in the future. The automated test
system serves multiple beneficial and interrelated roles in the
immediate term. In the longer term, a head-to-head protector
versus defender scenario may develop where a rapid speed of
training and response may be needed to keep the defending
system capable of effective response.

ACKNOWLEDGEMENTS

This paper revises, extends and applies the work
presented in [1] to a particular application area.

REFERENCES

[1] J. Straub, “Testing Automation for an Intrusion Detection System,” in Proceedings of the 2017 Autotestcon Conference, 2017.
[2] J. Straub and J. Huber, “A Characterization of the Utility of Using Artificial Intelligence to Test Two Artificial Intelligence Systems,” Computers, vol. 2, no. 2, pp. 67–87, 2013.
[3] B. Hayes-Roth, “A blackboard architecture for control,” Artif. Intell., vol. 26, no. 3, pp. 251–321, 1985.
[4] E. A. Feigenbaum, “The Art of Artificial Intelligence,” in Proceedings of the International Joint Conference on Artificial Intelligence, 1977.
[5] B. Chandrasekaran, “On Evaluating Artificial Intelligence Systems for Medical Diagnosis,” AI Mag., vol. 4, no. 2, p. 34, Jun. 1983.
[6] P. Cholewiński, V. W. Marek, M. Truszczyński, and A. Mikitiuk, “Computing with default logic,” Artif. Intell., vol. 112, no. 1, pp. 105–146, 1999.
[7] R. A. Brooks, “Artificial Life and Real Robots,” pp. 3–10, 1992.
[8] “Elephants don’t play chess,” Rob. Auton. Syst., vol. 6, no. 1–2, pp. 3–15, Jun. 1990.
[9] R. A. Brooks, “Intelligence Without Reason,” pp. 569–595, 1991.
[10] R. A. Brooks, “Articles New Approaches to Robotics.”
[11] D. Billings, A. Davidson, J. Schaeffer, and D. Szafron, “The challenge of poker,” Artif. Intell., vol. 134, no. 1, pp. 201–240, 2002.
[12] P. Dai and D. S. Weld, “Artificial intelligence for artificial artificial intelligence,” in Twenty-Fifth AAAI Conference on Artificial Intelligence, 2011.
[13] “A proposed validation framework for expert elicited Bayesian Networks,” Expert Syst. Appl., vol. 40, no. 1, pp. 162–167, Jan. 2013.
[14] F. Wotawa, S. Nica, and M. Nica, “Debugging and test case generation using constraints and mutations,” in Intelligent Solutions in Embedded Systems (WISES), 2011 Proceedings of the Ninth Workshop on, 2011, pp. 95–100.
[15] B. Suri and S. Singhal, “Analyzing test case selection & prioritization using ACO,” ACM SIGSOFT Softw. Eng. Notes, vol. 36, no. 6, p. 1, Nov. 2011.
[16] AdiSrikanth, N. J. Kulkarni, K. V. Naveen, P. Singh, and P. R. Srivastava, “Test Case Optimization Using Artificial Bee Colony Algorithm,” in Advances in Computing and Communications, Springer, 2011, pp. 570–579.
[17] M. Harman, “The role of artificial intelligence in software engineering,” in Proceedings of the First International Workshop on Realizing AI Synergies in Software Engineering, 2012, p. 61.
[18] C. B. Pop, V. Rozina Chifu, I. Salomie, R. B. Baico, M. Dinsoreanu, and G. Copil, “A Hybrid Firefly-inspired Approach for Optimal Semantic Web Service Composition,” Scalable Comput. Pract. Exp., vol. 12, no. 3, 2011.
[19] H. Shah-Hosseini, “Problem solving by intelligent water drops,” in Evolutionary Computation, 2007. CEC 2007. IEEE Congress on, 2007, pp. 3226–3231.
[20] H. Duan, S. Liu, and J. Wu, “Novel intelligent water drops optimization approach to single UCAV smooth trajectory planning,” Aerosp. Sci. Technol., vol. 13, no. 8, pp. 442–449, 2009.
[21] M. Gendreau, A. Hertz, and G. Laporte, “A Tabu Search Heuristic for the Vehicle Routing Problem,” Manage. Sci., vol. 40, no. 10, pp. 1276–1290, Oct. 1994.
[22] F. Glover, “Heuristics for Integer Programming Using Surrogate Constraints,” Decis. Sci., vol. 8, no. 1, pp. 156–166, Jan. 1977.
[23] F. Glover, “Tabu Search: A Tutorial,” Interfaces (Providence), vol. 20, no. 4, pp. 74–94, Aug. 1990.
[24] X.-S. Yang and S. Deb, “Cuckoo search via Lévy flights,” in Nature & Biologically Inspired Computing, 2009. NaBIC 2009. World Congress on, 2009, pp. 210–214.
[25] “Modified cuckoo search: A new gradient free optimisation algorithm,” Chaos, Solitons & Fractals, vol. 44, no. 9, pp. 710–718, Sep. 2011.
[26] “Cuckoo Search algorithm: A metaheuristic approach to solving the problem of optimum synthesis of a six-bar double dwell linkage,” Mech. Mach. Theory, vol. 61, pp. 1–13, Mar. 2013.
[27] A. H. Gandomi, X.-S. Yang, and A. H. Alavi, “Cuckoo search algorithm: a metaheuristic approach to solve structural optimization problems,” Eng. Comput., vol. 29, no. 1, pp. 17–35, Jan. 2013.
[28] S. Halawani, “Safety Issues of computer Failure.”
[29] T. Huckle, “Collection of Software Bugs,” Institut für Informatik TU München: Munich, Germany.
[30] J. P. Laboratory, “Mars Climate Orbiter,” Jet Propulsion Laboratory, Pasadena, CA.
[31] N. Dershowitz, “Software Horror Stories,” Tel Aviv University School of Computer Science, Tel Aviv, Israel.
[32] P. Jorgensen, Software testing: a craftsman’s approach. CRC press, 2002.
[33] J. Straub, “Cybersecurity methodology for a multi-tier mission and its application to multiple mission paradigms,” in IEEE Aerospace Conference Proceedings, 2016, vol. 2016–June.
[34] V. R. Lesser and L. D. Erman, “A Retrospective View of the Hearsay-II Architecture,” in IJCAI, 1977, vol. 5, pp. 790–800.
[35] L. Erman, “Organization of the Hearsay II Speech Understanding System,” Work. Pap. Speech Recognit., 1974.
[36] D. Waterman, A guide to expert systems. Reading, MA: Addison-Wesley Pub. Co., 1986.
[37] S. H. Rubin, M. H. Smith, and L. Trajkovic, “A blackboard architecture for countering terrorism,” in Systems, Man and Cybernetics, 2003. IEEE International Conference on, 2003, vol. 2, pp. 1550–1553.
[38] H. Xu and H. Van Brussel, “A behaviour-based blackboard architecture for reactive and efficient task execution of an autonomous robot,” Rob. Auton. Syst., vol. 22, no. 2, pp. 115–132, 1997.
[39] E. Shahbazian, J. R. Duquet, and P. Valin, “A Blackboard Architecture for Incremental Implementation of Data Fusion Applications,” in FUSION, 1998, vol. 98, pp. 455–461.
[40] T. J. Laliberty et al., “A blackboard architecture for integrated process planning/production scheduling,” Proc. ASME Des. Manuf., 1996.
[41] H.-D. Chu, “A Blackboard-based Decision Support Framework for Testing Client/Server Applications,” in Software Engineering (WCSE), 2012 Third World Congress on, 2012, pp. 131–135.
[42] E. Compatangelo, W. Vasconcelos, and B. Scharlau, “The ontology versioning manifold at its genesis: a distributed blackboard architecture for reasoning with and about ontology versions,” Technical report, 2004.
[43] E. Compatangelo, W. Vasconcelos, and B. Scharlau, “Managing ontology versions with a distributed blackboard architecture,” in Research and Development in Intelligent Systems XXI, Springer, 2005, pp. 44–57.
[44] F. Jurado, M. A. Redondo, and M. Ortega, “Blackboard architecture to integrate components and agents in heterogeneous distributed eLearning systems: An application for learning to program,” J. Syst. Softw., vol. 85, no. 7, pp. 1621–1636, 2012.
[45] A. Kerminen and K. Jokinen, “Distributed dialogue management in a blackboard architecture,” in Proc. Workshop on Dialogue Systems: Interaction, Adaptation and Styles of Management. 10th Conf. of the EACL, 2003.
[46] M. Weiss and F. Stetter, “A hierarchical blackboard architecture for distributed AI systems,” in Software Engineering and Knowledge Engineering, 1992. Proceedings., Fourth International Conference on, 1992, pp. 349–355.
[47] Y. C. Jiang, Z. Y. Xia, Y. P. Zhong, and S. Y. Zhang, “An adaptive adjusting mechanism for agent distributed blackboard architecture,” Microprocess. Microsyst., vol. 29, no. 1, pp. 9–20, 2005.
[48] M. K. Saxena, K. K. Biswas, and P. C. P. Bhatt, “Knowledge representation in distributed blackboard architecture—Some issues,” in Knowledge Based Computer Systems, Springer, 1990, pp. 230–239.
[49] J. F. Maddox, M. B. Kadonoff, W. G. I. I. Robert, and R. A. Wendt, “Intrusion detection system,” US4772875 A, 1988.
[50] M. Dass, J. Cannady, and W. D. Potter, “A blackboard-based learning intrusion detection system: a new approach,” in Developments in Applied Artificial Intelligence, Springer, 2003, pp. 385–390.
[51] J. Straub, “A Distributed Blackboard Approach Based Upon a Boundary Node Concept,” J. Intell. Robot. Syst., vol. 82, no. 3–4, pp. 467–478, Jun. 2016.
[52] J. Straub, “Consideration of the use of autonomous, non-recallable unmanned vehicles and programs as a deterrent or threat by state actors and others,” Technol. Soc., vol. 44, 2016.
