3,363 research outputs found

    Data mining for anomaly detection in maritime traffic data

    For the past few years, oceans have become, once again, an important means of communication and transport. In fact, traffic density throughout the globe has suffered a substantial growth, which has raised some concerns. With this expansion, the need to achieve a high Maritime Situational Awareness (MSA) is imperative. At the present time, this need may be more easily fulfilled thanks to the vast amount of data available regarding maritime traffic. However, this brings in another issue: data overload. Currently, there are so many data sources, so many data to obtain information from, that the operators cannot handle it. There is a pressing need for systems that help to sift through all the data, analysing and correlating, helping in this way the decision-making process. In this dissertation, the main goal is to use different sources of data in order to detect anomalies and contribute to a clear Recognised Maritime Picture (RMP). In order to do so, it is necessary to know what types of data exist and which ones are available for further analysis. The data chosen for this dissertation was Automatic Identification System (AIS) and Monitorização Contínua das Atividades da Pesca (MONICAP) data, also known as Vessel Monitoring System (VMS) data. In order to store 1 year's worth of AIS and MONICAP data, a PostgreSQL database was created. To analyse and draw conclusions from the data, a data mining tool was used, namely, Orange. Tests were conducted in order to assess the correlation between data sources and find anomalies. The importance of data correlation has never been so important and with this dissertation the aim is to show that there is a simple and effective way to get answers from great amounts of data.

    Analysis Of Possible Authentication Strategies For The Automated Identification System

    Automatic Identification System, commonly known as AIS, is a maritime communication system that is used to keep track of positions and activities of ships. It is widely implemented all around the world, and mandated on vessels over a certain size according to the International Maritime Organization. It is a signal broadcast over radio frequencies that contains ship characteristics, position, speed, and other information. AIS is also being implemented in aids to navigation, supplementing and in some cases replacing traditional aids such as lighthouses and buoys. The protocol standard contains no security, leaving AIS vulnerable to spoofing, hijacking, and denial of service attacks. This paper explores the possible consequences of AIS exploitation, as well as options to mitigate risk. Digital signature authentication of AIS signals is examined with particular attention paid to the feasibility and challenges of wide scale implementation. Ultimately the potential benefits of digital signature authentication are considered to be outweighed by the challenges of implementation

    Attacking (and defending) the Maritime Radar System

    Operation of radar equipment is one of the key facilities used by navigators to gather situational awareness about their surroundings. With an ever increasing need for always-running logistics and tighter shipping schedules, operators are relying more and more on computerized instruments and their indications. As a result, modern ships have become a complex cyber-physical system in which sensors and computers constantly communicate and coordinate. In this work, we discuss novel threats related to the radar system, which is one of the most security-sensitive components on a ship. In detail, we first discuss some new attacks capable of compromising the integrity of data displayed on a radar system, with potentially catastrophic impacts on the crew's situational awareness or even safety itself. Then, we present a detection system aimed at highlighting anomalies in the radar video feed, requiring no modifications to the target ship configuration. Finally, we stimulate our detection system by performing the attacks inside of a simulated environment. The experimental results clearly indicate that the attacks are feasible, rather easy to carry out, and hard-to-detect. Moreover, they prove that the proposed detection technique is effective

    Enhanced cyberspace defense with real-time distributed systems using covert channel publish-subscribe broker pattern communications

    In this thesis, we propose a novel cyberspace defense solution to the growing sophistication of threats facing networks within the Department of Defense. Current network defense strategies, including traditional intrusion detection and firewall-based perimeter defenses, are ineffective against increasingly sophisticated social engineering attacks such as spear-phishing which exploit individuals with targeted information. These asymmetric attacks are able to bypass current network defense technologies allowing adversaries extended and often unrestricted access to portions of the enterprise. Network defense strategies are hampered by solutions favoring network-centric designs which disregard the security requirements of the specific data and information on the networks. Our solution leverages specific technology characteristics from traditional network defense systems and real-time distributed systems using publish-subscribe broker patterns to form the foundation of a full-spectrum cyber operations capability. Building on this foundation, we present the addition of covert channel communications within the distributed systems framework to protect sensitive Command and Control and Battle Management messaging from adversary intercept and exploitation. Through this combined approach, DoD and Service network defense professionals will be able to meet sophisticated cyberspace threats head-on while simultaneously protecting the data and information critical to warfighting Commands, Services and Agencies.
    http://archive.org/details/enhancedcyberspa109454049
    US Air Force (USAF) author. Approved for public release; distribution is unlimited.

    AIS CYBERSECURITY SYSTEM FOR REDUCING THE ATTACK SURFACE OF VOYAGE NETWORKS

    U.S. Navy and commercial vessels use modern navigation technology consisting of computers and electronic systems that are highly interconnected and create a cyber terrain that is vulnerable to novel cyberattacks. Previous research proved that voyage networks are vulnerable to radio frequency attacks. One especially vulnerable component is the Automatic Identification System (AIS), a navigation and safety tool required on all vessels with a gross weight of 300 tons or greater. Previous security researchers were able to transmit data packets through the AIS receiver. The AIS blindly accepted packets as long as they followed ITU-R M.1371-5 standard protocol. This work aims to design a low-cost AIS data validation system that will reduce the attack surface of voyage networks. In this work, we leverage the NMEA-0183 and ITU-R M.1371-5 standards to implement two cybersecurity strategies, allow-listing and validating inputs, based on the quality dimensions of the data. The threat models that this security system attempts to address are contact spoofing attacks and arbitrary data injection attacks. We believe that a minimalist security system that is standalone, is not resource intensive, and can handle large volumes of AIS traffic is necessary for an effective design. The system proposed in this work fulfills these objectives. The resulting security system is implemented and validated using Python.
    Navy Cyber Warfare Development Group, Suitland, MD. Ensign, United States Navy. Approved for public release. Distribution is unlimited.

    RadArnomaly: Protecting Radar Systems from Data Manipulation Attacks

    Radar systems are mainly used for tracking aircraft, missiles, satellites, and watercraft. In many cases, information regarding the objects detected by the radar system is sent to, and used by, a peripheral consuming system, such as a missile system or a graphical user interface used by an operator. Those systems process the data stream and make real-time, operational decisions based on the data received. Given this, the reliability and availability of information provided by radar systems has grown in importance. Although the field of cyber security has been continuously evolving, no prior research has focused on anomaly detection in radar systems. In this paper, we present a deep learning-based method for detecting anomalies in radar system data streams. We propose a novel technique which learns the correlation between numerical features and an embedding representation of categorical features in an unsupervised manner. The proposed technique, which allows the detection of malicious manipulation of critical fields in the data stream, is complemented by a timing-interval anomaly detection mechanism proposed for the detection of message dropping attempts. Real radar system data is used to evaluate the proposed method. Our experiments demonstrate the method's high detection accuracy on a variety of data stream manipulation attacks (average detection rate of 88% with 1.59% false alarms) and message dropping attacks (average detection rate of 92% with 2.2% false alarms)

    Machine Learning for Enhanced Maritime Situation Awareness: Leveraging Historical AIS Data for Ship Trajectory Prediction

    In this thesis, methods to support high level situation awareness in ship navigators through appropriate automation are investigated. Situation awareness relates to the perception of the environment (level 1), comprehension of the situation (level 2), and projection of future dynamics (level 3). Ship navigators likely conduct mental simulations of future ship traffic (level 3 projections), that facilitate proactive collision avoidance actions. Such actions may include minor speed and/or heading alterations that can prevent future close-encounter situations from arising, enhancing the overall safety of maritime operations. Currently, there is limited automation support for level 3 projections, where the most common approaches utilize linear predictions based on constant speed and course values. Such approaches, however, are not capable of predicting more complex ship behavior. Ship navigators likely facilitate such predictions by developing models for level 3 situation awareness through experience. It is, therefore, suggested in this thesis to develop methods that emulate the development of high level human situation awareness. This is facilitated by leveraging machine learning, where navigational experience is artificially represented by historical AIS data. First, methods are developed to emulate human situation awareness by developing categorization functions. In this manner, historical ship behavior is categorized to reflect distinct patterns. To facilitate this, machine learning is leveraged to generate meaningful representations of historical AIS trajectories, and discover clusters of specific behavior. Second, methods are developed to facilitate pattern matching of an observed trajectory segment to clusters of historical ship behavior. Finally, the research in this thesis presents methods to predict future ship behavior with respect to a given cluster. Such predictions are, furthermore, on a scale intended to support proactive collision avoidance actions. 
Two main approaches are used to facilitate these functions. The first utilizes eigendecomposition-based approaches via locally extracted AIS trajectory segments. Anomaly detection is also facilitated via this approach in support of the outlined functions. The second utilizes deep learning-based approaches applied to regionally extracted trajectories. Both approaches are found to be successful in discovering clusters of specific ship behavior in relevant data sets, classifying a trajectory segment to a given cluster or clusters, as well as predicting the future behavior. Furthermore, the local ship behavior techniques can be trained to facilitate live predictions. The deep learning-based techniques, however, require significantly more training time. These models will, therefore, need to be pre-trained. Once trained, however, the deep learning models will facilitate almost instantaneous predictions

    Report on regulations and technological capabilities for monitoring CO2 storage sites


    Emerging Risks in the Marine Transportation System (MTS), 2001-2021

    How has maritime security evolved since 2001, and what challenges exist moving forward? This report provides an overview of the current state of maritime security with an emphasis on port security. It examines new risks that have arisen over the last twenty years, the different types of security challenges these risks pose, and how practitioners can better navigate these challenges. Building on interviews with 37 individuals immersed in maritime security protocols, we identify five major challenges in the modern maritime security environment: (1) new domains for exploitation, (2) big data and information processing, (3) attribution challenges, (4) technological innovations, and (5) globalization. We explore how these challenges increase the risk of small-scale, high-probability incidents against an increasingly vulnerable Marine Transportation System (MTS). We conclude by summarizing several measures that can improve resilience-building and mitigate these risks