Navigation Data Anomaly Analysis and Detection
- We propose a novel systematic approach for anomaly detection in NMEA messages.
- We present an analysis of possible anomalies in NMEA messages and their cause-and-effect relationship with a range of cyber-attacks.
- We propose a method for creating synthetic datasets with both normal and maliciously tampered with NMEA messages, and we implement and use a software package to create such experimental datasets.
- We use the datasets within the context of two use cases to evaluate the performance of anomaly detection approaches specifically designed for the purpose.
2. Background and Related Work
3.1. Step 1—Navigational Functions (i.e., Tasks)
3.2. Step 2—Message Types
3.3. Step 3—Message Fields
3.4. Step 4—Anomalies
3.5. Step 5—Attack Techniques
3.6. Step 6—Detection Algorithms
4. Systematic NMEA Analysis Considering APS and INS Use Cases
4.1. Step 1—Navigational Tasks and Functions
4.1.1. Navigational Tasks of the INS
- Route Monitoring (INS-RM): continuous monitoring of the own vessel as per the planned route .
- Route planning (INS-RP): capability of route planning (e.g., store and load, import, export, documentation), route checking based on minimum under keel clearance, drafting and refining the route plan against meteorological information .
- Collision Avoidance (INS-CA): detecting and plotting other ships and objects in the vicinity in order to prevent collisions .
- Navigation Control Data (INS-NCD): providing data to the task station for the manual and automatic control of the ship .
- Navigational Status and Data Display (INS-NSDD): displaying several information (e.g., AIS data, Maritime Safety Information (MSI) messages, INS configuration), and providing management functions .
- Alert management (INS-AM): centralized alert management on the bridge for the monitoring, handling, distribution, and presentation .
4.1.2. The Functions of the APS
- Engine Monitoring and Control functions: the monitoring and control of APS engine. They can be conducted by the APS itself (APS-AEMC), a Remote Control Center (RCC) (APS-REMC), or an Emergency Control Team (ECT) (APS-EEMC).
- Navigation Functions: establishing situational awareness. They can be conducted by the APS itself based on the sensor data (APS-AN), at the RCC based on the sensor data transmitted from the APS (APS-RN), or by the ECT based on the sensor data transmitted from the APS (APS-EN).
4.2. Step 2—Message Types
4.3. Step 3—Message Fields
4.4. Step 4—Anomalous Patterns
4.5. Step 5—Attack Techniques
- DoV attacks entail denying the seafarers or the depending systems the ability to render a live perception of the physical environment. This is achieved by dropping one or several NMEA messages to hinder the relevant navigational functions.
- MoV attacks entail the modification of the live perception of the physical environment. This can be done in several ways:
- Fixed: the attacker modifies the values in original NMEA messages to specific fixed values. For example, no matter what is the real speed reflects another fixed speed value. This emulates a simple threat actor using simple Man-in-the-Middle (MitM) attack rules (i.e., filters).
- Context attacks: the attacker manipulates the messages based on the values observed in the original messages to create a gradual change. This emulates a more advanced threat actor using more sophisticated MitM attack rules. Avoiding detection is among the attacker’s objectives.
- Confusion attacks: the attacker sends crafted or repeated messages in addition to the original messages.
- Replay attacks: the attacker replays a fixed set of messages instead of the original stream of messages.
4.6. Step 6—Detection Algorithms
- Signature-based detection refers to the utilization of a specific signature or event for the detection of a specific malicious activity . This would require documented attacks against NMEA messages to generate suitable signatures.
- Anomaly-based detection refers to the observing of real-time activities in a system and comparing them to normal behavior and raising an alarm when a deviation of normal behavior is observed . This approach includes machine learning, frequency, statistical, and hybrid-based approaches. We argue that the machine learning and statistical approaches require a large set of data to effectively train robust models and, consequently, they are currently not viable options in our case. We have reached this conclusion after experimenting with a one-class support vector machine, and decision trees for detecting anomalies. The model evaluation has reflected poor performance mostly associated with the limited size of the data set. Since there exists no publicly available data set for the NMEA messages in the scope of our analysis, we have not pursued machine learning and statistical based approaches any further. On the other hand, frequency-based detection, considering message arrival frequency, was found relevant and is further considered for evaluation.
- Specification-based detection refers to the application of suitable thresholds and rules for describing the well-known behavior of a component . We argue that this approach is the most suitable in the scope of our analysis because it does not require a large amount of data for learning. Moreover, considering the dynamic, yet predictable nature of NMEA messages, their behavior might be confined within a set of rules and thresholds (i.e., specifications). We have identified several categories of specifications, namely, physical, system, protocol, and environment specifications. A brief description of each category is provided below:
- Physical specifications restrict the manner in which the values change over time among consecutive messages (e.g., maximum change in distance). This is related to the physical environment the NMEA messages are intended to reflect.
- System specifications restrict the values in the NMEA fields and their evolution over time for each system (e.g., maximum engine rpm, SOG acceleration, etc.). This needs to be defined for each target system.
- Protocol specifications restrict the format of the NMEA messages and their fields (e.g., UTC format in the UTC field of GGA, GGL, and RMC). This needs to be defined for each target protocol; in our analysis, NMEA0183 is utilized.
- Environment specifications restrict a range of values that are related to the operational environment. This includes time, date, longitude, latitude, datum code, and others.
5. Data Generation and Preparation
5.1. Data Generation
- A combination of different MoV attacks, namely, fixed and context attacks was conducted in an attempt to invoke five anomalies, namely sudden unexpected change, nonexistent value, unexpected value, incorrect value, and data field evolution. The attack scenarios targeted several messages and message fields such as going back in time 1 day by changing UTC fields in GGA and GLL messages. Another example is increasing the distance of RADAR targets as well as other fields in the TTM message, to create a collision scenario.
- Several MoV context attacks and DoV attacks were conducted to invoke data field evolution and under reporting anomalies, respectively.
- A combination of different MoV attacks was conducted, namely fixed, confusion and replay attacks. The goal is to invoke several anomalies, including conformity issues and over reporting.
5.2. Preparation and Enrichment of Data
6. Evaluation and Discussion
6.1. Specification-Based Detection
6.1.1. Protocol Specifications
6.1.2. Environment Specifications
6.1.3. System Specifications
6.1.4. Physical Specifications
6.2. Frequency-Based Detection
6.3. Communication of Risk Associated with Detection
- An inconsistency is identified by a physical-based specification concerning the heading information in HDT messages; this is due to steps 6 and 3. In step 3 the heading field was designated for identifying relevant anomalies, attacks, and detection methods. In step 6 the detection methods for the heading field were proposed.
- The anomalous messages are arriving from the gyro compass; this is known through the TalkerID identified in step 2.
- This might indicate a data field evolution anomaly; identified in step 4.
- This might be a result of a MoV attack; the relationship between the anomaly and the attack that possibly causes it is identified in step 5 (see Table 5).
- This could impact the Route Monitoring, Navigation control data and Navigational status and data display functions in the INS which might cause safety, financial and reputation loss and environmental damage; the relationships between the targeted message and the relevant functions are identified in step 1 (see Table 2).
6.4. Identified Limitations
- False positives: weakly configured specifications can generate false positive alerts. For instance, a system specification for one simulated ship is a range for RPM change of 100 between two consecutive RPM messages. Using the same specification in another ship with a different RPM change range would generate a false positive. Therefore, it is highly encouraged to fine-tune the system specifications for each target system. Another aspect to consider is the sensor error or noise. A noise in the sensor might invoke an anomaly and a false indication of malicious behavior. An instance of this issue has been observed in one of the experiments. A glitch in the simulator caused the speed of the vessel to abnormally change due to low water depth. An anomaly in the data is observed which is not caused by malicious behavior. These issues need to be considered during the development of the anomaly detection system.
- False negatives: malicious behavior operating within the thresholds defined in the specifications will not be detected but still can cause an impact. For instance, reducing the RPM value by 50 while the change threshold is 100 will not generate an alert, but, the speed value will appear less than what is expected, this can cause a speed increase command which in turn can cause an issue in safe navigation.
- The number of analyzed messages is limited to those supported by the available simulator. Still, four message types, namely, GLL, RMC, GGA, ZDA are among the top 10 NMEA messages observed on the internet during a scan in Shodan . Future work should focus on more message types.
- Our analysis only considers attacks with objectives to impact navigational tasks by denying and manipulating the view that is rendered using the NMEA messages. Other attack techniques that can cause anomalies can be investigated in future work.
- We utilized the ATT&CK framework for the threat modeling. Using other threat modeling techniques might identify other attacks. Still, our considered attacks are in line with the attacks discussed in the literature.
- We utilized certain categories of anomalies during our analysis based on the observed anomalies in the literature. Other anomalies can exist. If new anomalies are identified in the future, this would require another iteration of the analysis process to consider relevant messages, fields, attacks, and detection methods.
7. Deployment Options
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
|NMEA||National Marine Electronics Association|
|APS||Autonomous Passenger Ship|
|INS||Integrated Bridge System|
|IMO||International Maritime Organization|
|AIS||Automatic Identification System|
|ECDIS||Electronic Chart Display and Information System|
|GPS||Global Positioning System|
|CAN||Controller Area Network|
|MoV||Manipulation of View|
|DoV||Denial of View|
|ARG||Attack Rules File|
|NMF||NMEA Messages File|
|UTC||Coordinated Universal Time|
|CSV||Comma Separated Valu|
|SOG||Speed Over Ground|
|COG||Course Over Ground|
|DTM||Datum Reference Message|
|GLL||Geographic position Message|
|RMC||Recommended Minimum specific GNSS data Massage|
|RPM||Revolutions Per Minute Message|
|TTM||Tracked Target Message|
|GGA||Global positioning system (GPS) fix data Massage|
|HDT||Heading true Massage|
|ROT||Rate of Turn Massage|
|RSA||Rudder Sensor Angle Massage|
|ZDA||Time and Date Massage|
Appendix A. NMEA Messages and Their Fields
Appendix B. Interaction of NMEA Messages
|Msg||Fields||Related Msg||Related Fields|
|DTM||Local datum||GGA, GLL, RMC||Longitude, E/W, Latitude, N/S|
|GGA||Longitude, E/W, Latitude, N/S||RMC||COG, Longitude, E/W, Latitude, N/S|
|ROT||Rate of turn|
|GLL||Longitude, E/W, Latitude, N/S|
|GLL||Longitude, E/W, Latitude, N/S||GGA||Longitude, E/W, Latitude, N/S|
|RMC||COG, Longitude, E/W, Latitude, N/S|
|ROT||Rate of turn|
|ROT||Rate of turn|
|GLL, GGA||Longitude, E/W, Latitude, N/S|
|TTM||Bearing Time to CPA, Distance of CPA|
|RMC||COG, Longitude, E/W, Latitude, N/S||RSA||Rudder angle|
|Longitude, E/W, Latitude, N/S||DTM||Local datum|
|COG||ROT||Rate of turn|
|COG Longitude, E/W, Latitude, N/S||GLL, GGA||Longitude, E/W, Latitude, N/S|
|SOG||RPM||RPM (if FPP) Propeller pitch (if CPP)|
|ROT||Rate of turn||RMC||COG|
|GLL, GGA||Longitude, E/W, Latitude, N/S|
|TTM||Bearing Time to CPA, Distance of CPA|
Appendix C. The Identified Anomalies
|RPM||RPM in FPP||Unexpected|
|Propeller pitch in CPP||Time until CPA|
|GGA||Location (long. & lat.)||DTM||All Fields|
|GPS Quality Indicator||Local zone minutes|
|Age of differential GPS data||RMC||SOG|
|GLL||Location (long. & lat.)||Magnetic Variation|
|UTC||GGA||GPS Quality Indicator|
|Status||Number of satellites|
|ZDA||Time (UTC, day, month, year, zone,|
and zone minutes)
|T = True||Geoidal separation|
|ROT||Rate Of Turn||Age of differential GPS data|
|Status||ROT||Rate Of Turn|
|RSA||Starboard rudder sensor||Incorrect|
|Port rudder sensor||ZDA||UTC|
|RMC||Location (long. & lat.)||Day|
|TTM||Distance, bearing, speed, course,|
distance of CPA, time until CPA,
units, and target status
|Data field evolution||All|
|DTM||All fields||Over Reporting|
|Bearing from own ship|
|T or R|
|Distance of CPoA|
|Speed/ distance units|
|DTM||Local datum code|
|Local datum subcode|
|RPM (i.e., speed)|
|RSA||Starboard rudder sensor|
|Port rudder sensor|
|T = True|
Appendix D. Data Generation Experiments
|RPM||Fixed RPM to (60) and propeller pitch to (10) and|
Fixing True field in HDT to (R)
|MoV: Context||GGA, GLL,|
|Changing position: Decreasing latitude and|
longitude by 45 degrees (4500) and minutes by (30.000)
|RPM, RSA||Changing source of RPM to Engine and number of source to 4.|
Streaming two sensor values for RSA starboard and port
|GGA, ROT||Fixed HDoP to (50.0) and increase ROT by 100|
|MoV: Context||GGA, GLL||Go back in time 1 day by changing the UTC field|
|TTM, DTM||Increase target distance by app 460 meters or 0.25 nautical miles|
(0.25), distance of CPA by (0.25), time until CPA by (1.0) and
Modify Datum specs for default datum
|RPM||Increment RPM by (10)|
|2||MoV: Context||Data field|
|RMC||Decreasing SOG by (10.0) and Increasing COG by (45.0)|
|ROT||Increasing ROT by 10|
|HDT||Increasing heading by 5|
|TTM||Losing/recovering targets fluctuation|
|RPM and RSA status fields to M. DTM offsets to string. GGA|
number of sat. to x
|MoV: Confusion||Over reporting||All||Confusiona attack|
|Mov: Replay||Several||All||Replay attack|
- Fruth, M.; Teuteberg, F. Digitization in maritime logistics—What is there and what is missing? Cogent Bus. Manag. 2017, 4, 1411066. [Google Scholar] [CrossRef]
- Levander, O.; Marine, R.R. Ship intelligence—A new era in shipping. In Proceedings of the Royal Institution of Naval Architects, Smart Ship Technology, International Conference Proceedings, London, UK, 26–27 January 2016; pp. 26–27. [Google Scholar]
- IMO. Autonomous Ships: Regulatory Scoping Exercise Completed. Available online: https://bit.ly/3gFLigk (accessed on 18 February 2022).
- Autonomous All-Electric Passenger Ferries for Urban Water Transport. Available online: https://www.ntnu.edu/autoferry (accessed on 18 February 2022).
- N.M.E. Association. NMEA0183 Standard. 2002. Available online: https://www.nmea.org/content/STANDARDS/NMEA_0183_Standard (accessed on 18 February 2022).
- Luft, L.A.; Anderson, L.; Cassidy, F. Nmea 2000 a digital interface for the 21st century. In Proceedings of the 2002 National Technical Meeting of The Institute of Navigation, San Diego, CA, USA, 28–30 January 2002; pp. 796–807. [Google Scholar]
- Jethwa, B.; Panchasara, M.; Zanzarukiya, A.; Parekh, R. Realtime Wireless Embedded Electronics for Soldier Security. In Proceedings of the 2020 IEEE International Conference on Electronics, Computing and Communication Technologies (CONECCT), Bangalore, India, 2–4 July 2020; pp. 1–6. [Google Scholar]
- Singh, A.K.; Balamurugan, S.; Aroul, K.; Marimuthu, R. Design of universal module for personal security. Indian J. Sci. Technol. 2016, 9, 99031. [Google Scholar] [CrossRef]
- Aishwarya, K.; Manjesh, R. A Novel Technique for Vehicle Theft Detection System Using MQTT on IoT. In International Conference on Communication, Computing and Electronics Systems; Springer: Singapore, 2020; pp. 725–733. [Google Scholar]
- Tran, K.; Keene, S.; Fretheim, E.; Tsikerdekis, M. Marine Network Protocols and Security Risks. J. Cybersecur. Priv. 2021, 1, 239–251. [Google Scholar] [CrossRef]
- Kavallieratos, G.; Katsikas, S.; Gkioulos, V. Cyber-Attacks Against the Autonomous Ship. In Computer Security; Lecture Notes in Computer Science; Katsikas, S.K., Cuppens, F., Cuppens, N., Lambrinoudakis, C., Antón, A., Gritzalis, S., Mylopoulos, J., Kalloniatis, C., Eds.; Springer International Publishing: Cham, Switzerland, 2019; Volume 11387, pp. 20–36. [Google Scholar]
- Vinnem, J.E.; Utne, I.B. Risk from cyberattacks on autonomous ships. In Safety and Reliability—Safe Societies in a Changing World; Haugen, S., Barros, A., van Gulijk, C., Kongsvik, T., Vinnem, J.E., Eds.; Taylor & Francis: London, UK, 2018. [Google Scholar]
- Svilicic, B.; Rudan, I.; Jugović, A.; Zec, D. A Study on Cyber Security Threats in a Shipboard Integrated Navigational System. J. Mar. Sci. Eng. 2019, 7, 364. [Google Scholar] [CrossRef][Green Version]
- Loukas, G.; Karapistoli, E.; Panaousis, E.; Sarigiannidis, P.; Bezemskij, A.; Vuong, T. A taxonomy and survey of cyber-physical intrusion detection approaches for vehicles. Ad Hoc Netw. 2019, 84, 124–147. [Google Scholar] [CrossRef]
- Krile, S.; Kezić, D.; Dimc, F. NMEA Communication Standard for Shipboard Data Architecture. Int. J. Marit. Sci. Technol. 2013, 60, 68–81. [Google Scholar]
- De Sousa, J.P.C.; Gondim, J.J.C. Extraction and analysis of volatile memory in android systems: An approach focused on trajectory reconstruction based on nmea 0183 standard. In Proceedings of the 2016 11th International Conference on Availability, Reliability and Security (ARES), Salzburg, Austria, 31 August–2 September 2016; pp. 328–337. [Google Scholar]
- Cantelli-Forti, A. Forensic Analysis of Industrial Critical Systems: The Costa Concordia’s Voyage Data Recorder Case. In Proceedings of the 2018 IEEE International Conference on Smart Computing (SMARTCOMP), Taormina, Italy, 8–20 June 2018; pp. 458–463. [Google Scholar]
- Lee, D.K.; Miralles, D.; Akos, D.; Konovaltsev, A.; Kurz, L.; Lo, S.; Nedelkov, F. Detection of GNSS Spoofing using NMEA Messages. In Proceedings of the 2020 European Navigation Conference (ENC), Dresden, Germany, 23–24 November 2020; pp. 1–10. [Google Scholar]
- Sivkov, Y. Transformation of NMEA ship network from sensor-based to information-based model. In Proceedings of the 2018 20th International Symposium on Electrical Apparatus and Technologies (SIELA), Bourgas, Bulgaria, 3–6 June 2018; pp. 1–4. [Google Scholar]
- Fiorini, M. Maritime awareness through data sharing in VTS systems. In Proceedings of the 2012 12th International Conference on ITS Telecommunications, Taipei, Taiwan, 5–8 November 2012; pp. 402–407. [Google Scholar]
- Seong, K.T.; Kim, G.H. Implementation of voyage data recording device using a digital forensics-based hash algorithm. Int. J. Electr. Comput. Eng. 2019, 9, 5412. [Google Scholar] [CrossRef]
- Boudehenn, C.; Jacq, O.; Lannuzel, M.; Cexus, J.C.; Boudraa, A. Navigation anomaly detection: An added value for Maritime Cyber Situational Awareness. In Proceedings of the 2021 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), Dublin, Ireland, 4–18 June 2021; pp. 1–4. [Google Scholar] [CrossRef]
- Furumoto, K.; Kolehmainen, A.; Silverajan, B.; Takahashi, T.; Inoue, D.; Nakao, K. Toward automated smart ships: Designing effective cyber risk management. In Proceedings of the 2020 International Conferences on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData) and IEEE Congress on Cybermatics (Cybermatics), Rhodes, Greece, 2–6 November 2020; pp. 100–105. [Google Scholar]
- Hemminghaus, C.; Bauer, J.; Padilla, E. BRAT: A BRidge Attack Tool for Cyber Security Assessments of Maritime Systems. TransNav 2021, 15, 35–44. [Google Scholar] [CrossRef]
- IMO. Resolution A.1106(29) Revised Guidelines for the Onboard Operational Use of Shipborne Automatic Identification Systems (AIS); IMO: London, UK, 2015.
- IMO. SOLAS Ch. V Safety of Navigation, Regulation 19 Carriage Requirements for Shipborne Navigational Systems and Equipment; IMO: London, UK, 2013.
- ITU. Recommendation ITU-R M.1371-5 Technical Characteristics for an Automatic Identification System Using Time Division Multiple Access in the VHF Maritime Mobile Frequency Band; ITU: Switzerland, Geneva, 2014. [Google Scholar]
- Iphar, C.; Ray, C.; Napoli, A. Data integrity assessment for maritime anomaly detection. Expert Syst. Appl. 2020, 147, 113219. [Google Scholar] [CrossRef]
- Blauwkamp, D.; Nguyen, T.D.; Xie, G.G. Toward a Deep Learning Approach to Behavior-based AIS Traffic Anomaly Detection. Dynamic and Novel Advances in Machine Learning and Intelligent Cyber Security (DYNAMICS) Workshop, San Juan, PR. 2018. Available online: http://faculty.nps.edu/Xie/papers/ais_analysis_18.pdf (accessed on 18 February 2022).
- Bosch, R. CAN Specification Version 2.0; Rober Bousch GmbH: Postfach, Germany, 1991; Volume 300240, p. 72. [Google Scholar]
- Lokman, S.F.; Othman, A.T.; Abu-Bakar, M.H. Intrusion detection system for automotive Controller Area Network (CAN) bus system: A review. EURASIP J. Wirel. Commun. Netw. 2019, 2019, 1–17. [Google Scholar] [CrossRef][Green Version]
- Sabaliauskaite, G.; Adepu, S.; Mathur, A. A six-step model for safety and security analysis of cyber-physical systems. In International Conference on Critical Information Infrastructures Security; Springer: Cham, Switzerland, 2016; pp. 189–200. [Google Scholar]
- Hareide, O.S.; Jøsok, Ø.; Lund, M.S.; Ostnes, R.; Helkala, K. Enhancing navigator competence by demonstrating maritime cyber security. J. Navig. 2018, 71, 1025–1039. [Google Scholar] [CrossRef]
- Strom, B.E.; Applebaum, A.; Miller, D.P.; Nickels, K.C.; Pennington, A.G.; Thomas, C.B. Mitre ATT&Ck: Design and Philosophy. Technical Report. 2018. Available online: https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf (accessed on 16 February 2022).
- Loshin, D. The Practitioner’s Guide to Data Quality Improvement; Morgan Kaufmann Publishers Inc.: Burlington, NJ, USA, 2010. [Google Scholar]
- IMO. Resolution MSC.252(83) Adoption of the Revised Performance Standards for Integrated Navigation Systems (INS) Introduction Contents Module A-B; IMO: London, UK, 2018.
- Amro, A.; Gkioulos, V.; Katsikas, S. Communication architecture for autonomous passenger ship. Proc. Inst. Mech. Eng. Part O J. Risk Reliab. 2021. [Google Scholar] [CrossRef]
- IMO. Resolution MSC.252(83) Adoption of the Revised Performance Standards for Integrated Navigation Systems (INS)—Appendices; IMO: London, UK, 2018.
- Rødseth, Ø.J.; Kvamstad, B.; Porathe, T.; Burmeister, H.C. Communication architecture for an unmanned merchant ship. In Proceedings of the OCEANS-Bergen, 2013 MTS/IEEE, Bergen, Norway, 10–14 June 2013; pp. 1–9. [Google Scholar]
- DNV GL. DNVGL-CG-0264: Autonomous and Remotely Operated Ships. 2018. Available online: https://rules.dnv.com/docs/pdf/DNV/cg/2018-09/dnvgl-cg-0264.pdf (accessed on 16 February 2022).
- Amro, A.; Gkioulos, V.; Katsikas, S. Assessing Cyber Risk in Cyber-Physical Systems Using the ATT&CK Framework. Submitted for Review to ACM Transactions on Privacy and Security (TOPS). Available online: https://www.researchgate.net/publication/355203975 (accessed on 16 February 2022).
- Commission I.I.E. IEC 61162-1. 2010. Available online: https://webstore.iec.ch/publication/25754 (accessed on 16 February 2022).
- Manipulation of View—ATT&CK ICS. 2021. Available online: https://cutt.ly/MoV (accessed on 16 February 2022).
- Denial of View—ATT&CK ICS. 2021. Available online: https://cutt.ly/DoV (accessed on 16 February 2022).
- Kruegel, C.; Toth, T. Using decision trees to improve signature-based intrusion detection. In International Workshop on Recent Advances in Intrusion Detection; Springer: Berlin/Heidelberg, Germany, 2003; pp. 173–191. [Google Scholar]
- Garcia-Teodoro, P.; Diaz-Verdejo, J.; Maciá-Fernández, G.; Vázquez, E. Anomaly-based network intrusion detection: Techniques, systems and challenges. Comput. Secur. 2009, 28, 18–28. [Google Scholar] [CrossRef]
- Tseng, C.Y.; Balasubramanyam, P.; Ko, C.; Limprasittiporn, R.; Rowe, J.; Levitt, K. A specification-based intrusion detection system for AODV. In Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, Fairfax, VA, USA, 30 October 2003; pp. 125–134. [Google Scholar]
- Amro, A.; Gkioulos, V. Communication and Cybersecurity Testbed for Autonomous Passenger Ship. In Computer Security, ESORICS 2021 International Workshops; ESORICS 2021; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2021; Volume 13106. [Google Scholar] [CrossRef]
- Orebaugh, A.; Ramirez, G.; Beale, J. Wireshark & Ethereal Network Protocol Analyzer Toolkit; Elsevier: Amsterdam, The Netherlands, 2006. [Google Scholar]
- Amro, A. Cyber-Physical Tracking of IoT Devices: A Maritime Use Case. In Norsk IKT-Konferanse for Forskning og Utdanning; Number 3; 2021; Available online: https://ojs.bibsys.no/index.php/NIK/article/view/961 (accessed on 16 February 2022).
- OneNet Standard for IP Networking of Marine Electronic Devices. Available online: https://www.nmea.org/content/STANDARDS/OneNet (accessed on 7 February 2022).
- Jacq, O.; Brosset, D.; Kermarrec, Y.; Simonin, J. Cyber attacks real time detection: Towards a cyber situational awareness for naval systems. In Proceedings of the 2019 International Conference on Cyber Situational Awareness, Data Analytics Furthermore, Assessment (Cyber SA), Oxford, UK, 3–4 June 2019; pp. 1–2. [Google Scholar]
|DTM||Datum reference||GGA||Global positioning system (GPS) fix data|
|GLL||Geographic position—Latitude/longitude||HDT||Heading true|
|RMC||Recommended minimum specific GNSS data||ROT||Rate of turn|
|RPM||Revolutions per minute||RSA||Rudder sensor angle|
|TTM||Tracked target message||ZDA||Time and date|
|Sudden unexpected change||an abnormal change in a field value in a certain period of time.|
|Nonexistent value||a value that does not match the system specification.|
|Unexpected value||a field value that is outside the usual norm.|
|Incorrect value||a value that does not match a reference value (e.g., time).|
|Data field evolution||an abnormal pattern in a field value over time.|
|Conformity issues||values that are not within the protocol specifications.|
|Unusual reporting||reduced or increased reporting rate over a period oftime|
|Sudden unexpected change||RMC||SOG||The Speed over Ground (SOG) has abnormally changed.|
|Nonexistent value||TTM||Target Distance||Target distance larger than radar range|
|Unexpected value||ROT||Rate Of Turn||Abnormal rate of turn value|
|Incorrect value||RMC||UTC||The UTC timestamp is not correct compared to a reference|
|Data field evolution||TTM||Target Status||Abnormal patter in the target status over time|
|Conformity issue||RPM||Source||The source field contains values that are not either E|
(Engine) or S (Shaft).
|Under Reporting||RMC||-||The rate of receiving RMC messages is less than usual|
|Over Reporting||DTM||-||The rate of receiving DTM messages is more than usual|
|Sudden unexpected change||✓||✓||✓|
|Data field evolution||✓||✓||✓||✓|
|Sudden unexpected change||✓||✓||✓|
|Data field evolution||✓||✓|
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Amro, A.; Oruc, A.; Gkioulos, V.; Katsikas, S. Navigation Data Anomaly Analysis and Detection. Information 2022, 13, 104. https://doi.org/10.3390/info13030104
Amro A, Oruc A, Gkioulos V, Katsikas S. Navigation Data Anomaly Analysis and Detection. Information. 2022; 13(3):104. https://doi.org/10.3390/info13030104Chicago/Turabian Style
Amro, Ahmed, Aybars Oruc, Vasileios Gkioulos, and Sokratis Katsikas. 2022. "Navigation Data Anomaly Analysis and Detection" Information 13, no. 3: 104. https://doi.org/10.3390/info13030104