A Systems Analysis of Energy Usage and Effectiveness of a Counter-Unmanned Aerial System Using a Cyber-Attack Approach

Abstract: Existing counter-unmanned aerial system (C-UAS) defensive mechanisms rely heavily on radio frequency (RF) jamming techniques that require a large amount of energy to operate. The effects of RF jamming result in undesirable consequences, such as the jamming of other nearby friendly radio devices as well as the increase in RF footprint for local operators. Current cybersecurity analyses of commercial off-the-shelf (COTS) UASs have revealed multiple vulnerabilities that give rise to opportunities to conduct C-UAS operations in the cyber domain. This is achieved by performing cyber-attacks on adversarial UASs through hijacking the device-specific communication link on a narrow RF band and without the need for broad-spectrum RF energy bursts during C-UAS operations, which can result in lower energy usage to accomplish the same outcome. This article validates the cyber-attack C-UAS (CyC-UAS) concept through reviewing recent C-UAS operational experimental scenarios and conducting analysis on the collected data. Then, a simulation model of a defense facility is constructed to analyze and validate specific mission scenarios of interest and several proposed concepts of operation. A comparison of the energy requirements between CyC-UAS and existing C-UAS techniques is performed to assess energy efficiency and trade-offs of different C-UAS approaches. In this article, the comparison of energy requirements between the CyC-UAS prototype and existing C-UAS products that utilize RF jamming methods reveals that CyC-UAS achieves significant energy savings while not affecting other telecommunication devices operating at the same frequencies. While both the C-UAS techniques adopt the denial-of-service strategy, the CyC-UAS is able to achieve the same mission by consuming much less energy. Therefore, the CyC-UAS concept shows promise as a new, lower energy, and lower collateral damage approach to defending against UAS.

Introduction
Current counter-unmanned aerial systems (C-UASs) used against smaller unmanned aerial systems (UASs) rely largely on radio frequency (RF) jamming and denial-of-service (DoS) against adversarial UAS [1]. C-UAS used on installations, for example, realize this via RF jamming or communication link jamming. However, this paradigm not only contradicts well-established tactics, techniques, and procedures (TTPs) for defense of installations and bases, but it also underutilizes potential cyber-attack C-UAS (CyC-UAS) measures [2,3].
In addition, current UAS defense mechanisms rely heavily on DoS (either jamming, laser, or device destruction) [4]. RF jamming via energy bursts and laser mechanisms requires enormous amounts of energy, which necessarily affects usage for expeditionary forces or in energy constrained environments [5]. Furthermore, undesirable consequences such as jamming of nearby friendly devices, increased RF footprint for local operators, and unintentional loss/destruction of the adversary UAS may occur [6,7].
In contrast, cybersecurity analysis of low-cost UASs has pointed to many vulnerabilities ripe for exploitation that would provide a C-UAS with both energy improvements and scalpel-edge accuracy in defense mechanisms, such as through cyber-attack hijacking the adversary UAS or forms of jamming that utilize the device-specific communication link frequency band instead of broad-spectrum RF energy bursts, and therefore have highly controlled effects [2,8,9].
In recent studies, the application of cyber-attacks in the C-UAS domain has indicated both energy improvements and scalpel-edge accuracy in defense mechanisms [10], such as through cyber-attacks to hijack adversary UAS, or in the form of jamming that utilizes device-specific communication link frequencies instead of broadband jamming, and therefore achieves highly controlled effects on the malign device [2].
Techniques used to employ existing C-UAS by the military, state governments, federal agencies, and private companies consume high levels of energy during operation. Certain C-UAS techniques such as frequency jamming may not always be suitable in an environment where operating machines utilize RF transmission for communication, such as a military airbase, a major sporting event, or anywhere in a crowded urban area [11]. The US Navy, Department of Defense (DoD), civilian airports, sporting venues, wildland firefighters, and other facilities and users that may be targets of adversarial UAS may benefit from the research presented in this paper.
This paper performs comparisons of the energy consumption of existing C-UASs versus a proposed CyC-UAS. Further, this research analyzes the effectiveness of CyC-UAS versus existing C-UAS approaches. Through the attainment of energy readings extracted from the conduct of physical experiments with a CyC-UAS prototype [10], as well as the comparison of energy consumption between existing C-UAS methods and CyC-UAS, the results indicate that CyC-UAS can significantly reduce C-UAS energy consumption and can serve as a useful portion of a broader C-UAS defense strategy for many types of installations and expeditionary situations.
The remainder of this paper contains the following: Section 2 surveys existing literature to identify threats that arise from the use of UAS to motivate the need for C-UAS. Section 3 presents a literature review of existing available C-UASs to determine (1) concept of operations (CONOPS), (2) capabilities and limitations, and (3) specifications. Section 4 presents a literature review and study of current developments of CyC-UAS with specific focus on energy consumption and effectiveness, and reviews a recent CyC-UAS experiment. Then, we provide an analysis of data collected in several experimental scenarios for conducting CyC-UAS operations where data on the physical behavior of the CyC-UAS system and adversarial UASs are documented. In Section 5, a simulation model of a defense facility is constructed to analyze and validate specific mission scenarios of interest and proposed CyC-UAS CONOPS. In Section 6, a comparison of the energy requirements between CyC-UASs and existing C-UAS techniques is performed to assess the energy efficiency of CyC-UASs. Finally, the paper concludes in Section 7 with a discussion of the results and broad conclusions, recommendations, and future work.

UAS Threat Analysis and Vulnerability Assessment
The use of UASs in the military domain has produced enormous advantages and benefits in military operations [12]. Such military operations include electronic warfare attacks, precision strikes, intelligence, surveillance, and reconnaissance (ISR) missions, and resupply missions [13,14]. The effectiveness of UASs was proven and validated during military operations such as Operation Iraqi Freedom and Operation Enduring Freedom [15,16], and, more recently, the military conflict between Ukraine and Russia [17]. In the commercial domain, the use of UAS to fulfill recreational or leisure purposes, such as imaging and video capturing for social events, has further expanded into businesses across different industries. Businesses have integrated the use of UAS to transform daily tasks [18]. For example, some insurance companies have adopted UASs to perform inspection of damaged assets for claims, and in the farming industry, farmers use UASs to monitor crops in the field to achieve labor savings [19,20]. The commercial sector within the United States has been investing heavily in UAS development over the years, due in part to the positive economic growth in UAS-related patents. A study conducted by McKinsey and Company suggests that by 2026, the usage and investment in UASs in the commercial sector will reap a profit between USD 31 billion and USD 46 billion [21]. The upward trends suggest that the utility of UASs will continue to gain popularity among consumers and that the use of UASs for industrial and defense applications will continue to expand and grow.

Malicious Use of UASs
On the other hand, with the ease of access to small commercial off-the-shelf (COTS) UASs through the commercial market, organized crime and terrorist groups have started to adopt UASs to conduct malicious activities [22]. These activities include the illegal intrusion of UASs into restricted infrastructure, such as the civil airport facilities with the intent of disrupting the services and operations. For example, the Gatwick Airport situated in London largely stopped flight operations between 19 and 21 December 2018 due to a deliberate UAS attack that affected about 140,000 passengers, with about 1000 flights diverted or canceled [23]. Terrorist groups such as the Islamic State (ISIS) were found to be using weaponized UASs on the battlefield in Iraq and elsewhere [24]. Many of the UASs that ISIS and other terror organizations have employed are weaponized COTS UASs where explosives or munitions have been attached to an otherwise consumer-grade UAS [25]. These malicious attacks coupled with the rapid growth of UASs in the commercial and military domains pose significant challenges and concerns to safety and security within the civil and military domains [26].

Classification of UASs
Different classes of UAS are grouped based on the designed "max gross take-off weight (MGTOW)", "maximum operating altitude", and "top speed", as shown in Table 1. Typical COTS UASs that are readily available for procurement in the commercial market are relatively smaller in size and lighter in weight, and often fall under the Group 1 category.

Existing UAS Capabilities-Payload-Enabled
A typical UAS is equipped with a camera to give the UAS operator situational awareness of the UAS's surroundings and environment [28]. Depending on the payload weight limit (determined in part by the MGTOW) of the UAS, the UAS can carry a payload to meet a desired operational outcome. The different types of payload configurations can be classified into three distinct classifications, namely, (1) non-sensing, (2) sensing, and (3) countermeasure payload [29]. For (1) with adversarial UASs, these payloads can comprise homemade explosives, biological, and radiological weapons (e.g., chemical, biological, radiological, and explosives (CBRE)). For (2), these types of payloads enable live video feeds for the purpose of surveillance and intelligence gathering or precision strikes on a specific target. Lastly, for (3), these types of payloads enable the disruption of telecommunication devices through RF jamming and similar. The list of payload-enabled capabilities is summarized in Table 2. While payload capabilities are usually developed with good intentions and for legitimate uses, malicious entities may utilize these capabilities to conduct malicious UAS activities against the public.

Table 2. Types of UAS payload-enabled capabilities. Source: [29].

Non-Sensing Payload
Payload Release: The payload is carried to a certain altitude and is released upon hovering above the target.
Kamikaze: Both the payload and UAS crash into the target.

Sensing Payload
Electro-Optic: Imagery and video recording functions to support ISR operations.
Light Detection and Ranging (LIDAR): The pulsing of a laser that enables distance measurements.

Countermeasure Payload
RF Jammer: The payload overloads sensor and RF control inputs which causes disruption to operations.
Spoofers: The spoofing capability payload disrupts navigational or command and control receiver systems, such as those that rely on Global Navigation Satellite System (GNSS), for instance.

Emerging UAS Threats-Swarm Capabilities
The concept of a swarm in the context of UAS operations comprises a group of UASs working as a system, collaborating, and communicating with each other to achieve the desired mission objective [30]. In addition, swarm technology adopts an automation architecture to achieve self-maneuvers so as to assist the UAS operator in controlling multiple UASs to achieve a common goal [31]. The integration of micro-UASs coupled with the concept of a swarm poses challenges to existing C-UAS measures [32]. This is due to the small radar cross-section (RCS) of micro-UASs where detection at large distances with existing radar would be challenging [32]. While the concept of swarms for UASs is still in the testing and development phase [33], it is essential to assess the effectiveness of existing C-UAS techniques and emerging C-UAS techniques, such as the CyC-UAS concept, in anticipation of the emerging threats posed by a swarm of UASs.
One of the main threats to installations today is small COTS UASs (Groups 1 and 2), as these UASs are often easily accessible in the commercial market, inexpensive, and are difficult to detect and neutralize [34]. A near-future threat is swarms of COTS UASs used to target strategic and critical infrastructure.
The threats imposed by UASs were defined and discussed in this section. To give insight into the impact of these threats, various capabilities were also discussed.

Literature Review of Existing C-UAS Techniques
As discussed in Section 2, the infiltration of adversary UASs into restricted areas to perform malicious activities may cause severe consequences or threaten the interests of a facility. For this reason, it is critical to develop effective methods to deter any potential intrusion into restricted areas by adversarial UASs. Since the early 2000s, the need for C-UAS capabilities has been defined and developed through the adoption of engineering techniques to derive feasible solutions. This section seeks to (1) introduce the C-UAS processing chain (also known as the kill-chain) operating in a defined area, (2) provide a broad overview of the main existing C-UAS techniques and their capability trade-offs, and (3) introduce the need for a command and control (C2) system within C-UAS networks to enhance C-UAS operation.

C-UAS Processing Chain and Techniques
The C-UAS processing chain encompasses the following phases as shown in Figure 1. These phases include the need to "detect", "locate/track", "classify/identify", and then to "mitigate" [29,35]. At the initial phase, the C-UAS must be capable of performing detection and providing the location of the adversary UAS. While the location of the UAS is being "tracked", the C-UAS attempts to identify and classify the unknown UAS such that "mitigation" actions could be taken against the adversary UAS. These mitigating actions may include the use of "kinetic" and/or "non-kinetic" techniques to prevent the adversary UAS from performing any malicious activities within the protected area. To achieve the various C-UAS functions at the different phases, several engineering solutions have been adopted.

"Detect", "Locate", and "Track" Techniques
Table 3 shows a list of commonly adopted engineering techniques to enable the functions of detection, to locate, and to track an adversary UAS. A brief description of the system capabilities and its limitations is also given.

Table 3. "Detection", "locate", and "tracking" techniques.

Radar
Capabilities: The radar sensor is capable of detecting a UAS if the UAS is within the range of the radar sensor. This is achieved through the receipt of reflected pulses of RF energy from the UAS. Additional information about the UAS, such as the location and the velocity of the UAS, can also be obtained through the radar sensor. In advanced radar sensors, "tracking" the location and "classifying" the type of UAS is achievable through advanced signal processing algorithms.
Limitations: Due to the "small" radar-cross-section of some COTS Groups 1 and 2 UASs, detection and tracking remain a challenge [36]. The ability to accurately "detect" and "track" a small target could be degraded due to unfavorable weather conditions such as the effect of rainfall.

Radio Frequency
Capabilities: RF sensors are capable of detecting the frequencies transmitted by other telecommunication devices in the RF spectrum. By integrating the RF sensor with other UAS software algorithms and devices, the system is able to differentiate between a UAS and other RF devices. Therefore, detection of a UAS can be achieved.
Limitations: Many advanced UASs have recently adopted frequency-hopping-spread spectrum (FHSS) techniques instead of using a single set frequency for communications [37]. This approach has added additional complexity for the RF detection sensor to effectively determine transmitting frequencies and the sequence of transmission of a UAS using FHSS. RF detection sensors can also be less effective in crowded RF environments due to other RF transmitting devices [38].

Electro-Optical (EO) and Infrared (IR) Cameras
Capabilities: An EO/IR sensor is capable of capturing images during the day and night using visible and infrared sensors. An EO/IR sensor is usually coupled with computer vision algorithms to differentiate between a UAS and other objects.
Limitations: EO/IR detection sensors can consume large amounts of electrical power due to the nature of the sensors used. The cost to include EO/IR sensors in the system is much higher as compared to other existing UAS detection systems. This sensor is also limited by range, given the nature of the sensors [39].

Acoustic Sensor
Capabilities: Acoustic sensors are capable of detecting sound emitted by an object of interest. Coupling an acoustic sensor with UAS audio comparison algorithms, detection of a UAS is achievable by matching the detected sound with the sound recorded in existing databases.
Limitations: The detection range of acoustic detection sensors is negatively affected if the surrounding environment is noisy, such as a densely populated area or an environment with high-wind conditions [40].

Mitigation Techniques: Non-Kinetic
Non-kinetic mitigation measures in C-UAS operations seek to deny, degrade, or disrupt the capability of a UAS without the need for physical destruction [41]. Table 4 shows a list of commonly adopted non-kinetic mitigation measures used in C-UAS missions.

Table 4. List of non-kinetic mitigation measures.

Frequency Jamming
Capabilities: A frequency jammer transmits large amounts of electrical power over a range of predefined RF frequencies to interfere with and disrupt the communication link between the UAS and the ground control station over a period of time. This action forces the UAS to trigger the "return home" algorithm or to perform an emergency landing based on the default UAS safety protocol.
Limitations: Typical RF jammers consume large amounts of electrical power. To meet this requirement, RF jammers are typically bulky due to the heavy and large electronic components used. This restricts the ease of deployability of the device. Jamming on a single frequency may not be effective to counter UAS operations if the UAS uses FHSS [42]. In addition, other friendly communication devices operating at the jammed frequency may also be affected [11].

Global Navigation Satellite System (GNSS) Jamming
Capabilities: The GNSS jamming technique attempts to disrupt the GPS communication link between the UAS and GPS satellites.
Limitations: This technique may not be effective for UASs that do not require GPS for navigation.

GNSS Spoofing
Capabilities: The GNSS spoofing technique enables "impersonation" by feeding the UAS with false navigation information and then eventually taking over the role as the host of the UAS for control.
Limitations: This method may be ineffective with adversarial UASs equipped with inertial measurement unit sensors. It is not suitable for use in places where satellite navigation is required by other systems [43].

Mitigation Techniques: Kinetic
Kinetic mitigation techniques in C-UAS operations seek to degrade the UAS through inflicting damage on the physical components of the UAS [41]. Table 5 shows a list of commonly adopted kinetic mitigation measures used in C-UAS missions.

Table 5. List of kinetic mitigation measures.

Net Capture
Capabilities: This technique adopts the concept of a "firing gun". Upon triggering of the firing gun, netting embedded within the weapon is deployed to capture the UAS. The firing gun can be deployed on a UAS or mounted on a handheld device.
Limitations: This capturing device needs to attain close enough range to the adversarial UAS in order to be effective [43].

Directional Electromagnetic Pulse (EMP)
Capabilities: This technique uses an electromagnetic pulse to damage the onboard radio electronic system on the UAS. The directional EMP adopts a similar concept of a "firing gun" and can be deployed on a handheld device.
Limitations: Since EMP at different frequencies requires different transmission distances, the EMP method to take down a UAS may not be effective if the required distance is not met, even though an adversary UAS is detected [5].

The C-UAS processing chain is complete with the integration of various detection and mitigation techniques mentioned in this section. For example, the radar UAS detection system is responsible for the detection, identification, and tracking of the location of an adversarial UAS. Then, it is the responsibility of the frequency jammer to mitigate the adversarial UAS to prevent it from further infiltrating into a facility.

Command and Control (C2) System
The function of the command and control (C2) system in the C-UAS network aims to provide the stakeholders with (1) a holistic overview of the situation within the operating environment, (2) the ability to analyze the situation, and (3) to execute the necessary decisions based on the assessment made [44]. This is achieved through the integration of various detection and mitigation devices with the C2 system.

C-UAS Network
As illustrated in Figure 2, the C-UAS network includes three functional blocks, namely, (1) "detection and tracking", (2) "react", and (3) "mitigate". The "detection and tracking" functional block comprises a single or a set of UAS detection devices to detect and track adversarial drones within a defined boundary. The information such as the location and speed of the detected adversarial drones would then be sent as output information to the "react" functional block for further analysis. In the "react" block, since the outputs from the various UAS detection devices are in different forms, a data fusion unit would be required to process the incoming information and output a standardized and coherent set of data to the C2 system, such that the information presented to the stakeholders is consistent and accurate for the purpose of decision-making [5,45]. Based on the profile of the adversarial drone, the C2 system selects and triggers the most suitable mitigating technique to neutralize the adversarial drone.

The functions at the different phases of the C-UAS processing chain were discussed in this section. To achieve the goals of a C-UAS mission, various detection and mitigation techniques are adopted, as discussed in this section. The introduction of a C2 system within the C-UAS network enhances the ability for the stakeholders to analyze the situation such that the most appropriate actions are applied against the adversarial UAS.

Literature Review on C-UAS Acquiring Cyber-Attack Techniques
In recent studies, the application of cyber-attacks in the C-UAS domain shows the scalpel-edge accuracy that such attacks can produce when defending against an adversarial UAS. Many CyC-UAS approaches work by either denying or disrupting adversary UAS RF communications without the need for jamming [3,46]. This section seeks to provide (1) a broad overview of the main existing cyber-attack methods on C-UAS operations and (2) the proposed concept of operations based on a CyC-UAS system's capabilities and architecture.

Existing Cyber-Attack Techniques
The current literature on C-UASs using cyber-attack techniques focuses on identifying the vulnerability within the seven-layer open systems interconnection (OSI) model of the communication network protocols [47]. Specifically, the cyber-attack scheme attempts to manipulate or tamper with the information flowing into the transport (layer 4), network (layer 3), data link (layer 2), or physical (layer 1) layer of the OSI model, with the intent to deny the use of communication network services [48].

Distributed Denial of Service Attack
The denial-of-service (DoS) attack is classified as one type of cyber-attack technique and aims to suspend or to interrupt the use of a communication network [49]. This is accomplished through disrupting the network connection services by flooding the network with data packets such that the network becomes overwhelmed, and results in the inability of any host to establish communications with other telecommunication devices within the network [50].
In wireless communications, a typical construct of a UAS consists of an aerial device (also known as a drone) and a ground control station (GCS) that communicate via a set of operating frequencies [51]. In the context of CyC-UAS operation, the DoS cyber-attack technique can be performed against wireless networks [52].
In the context of CyC-UASs, the C-UAS adopts the DoS attack technique on the UAS through the wireless network linking the GCS and drone (henceforth, we will simplify terminology and also refer to the aerial component of the system as simply the UAS). Commercial UASs that operate using WiFi network protocols such as 802.11 (usually in the 2.4 GHz and 5 GHz frequency ranges) are extremely vulnerable to such attacks because the operating radio frequencies are known and are easily targeted using network interface cards [53].

User Datagram Protocol Flood Attack
The User Datagram Protocol (UDP) uses a connectionless communication model with minimal packet ordering mechanisms to enable data packet transfer within a network [54]. In C-UAS operations, the UDP flood attack technique attempts to degrade UAS wireless network performance by flooding the network with data packets, forcing the adversary UAS to trigger internal safety protocols such as the "return to base" algorithm or to perform an emergency landing based on the UAS's default safety protocol [55].

TCP SYN Flood Attack
Unlike UDP, the Transmission Control Protocol (TCP) is a connection-oriented communication model, where a three-way handshake between the client and the server must be established first before commencing data packet transfers within the network, as shown in Figure 3 [56]. For the sender to establish communications with the receiver, the sender first sends a synchronization (denoted by SYN) request with the sender's IP address to the receiver. Then, the receiver sends a synchronization acknowledgment (denoted SYN ACK) to the sender's IP address. The sender then replies to the receiver with an acknowledgment (denoted ACK) to complete the establishment process [56]. In the case of a TCP flood attack, the attacker initiates the TCP protocol with the receiver with a spoofed IP address [57]. The receiver then replies with a SYN ACK to the IP address that was provided by the attacker. Then, the attacker repeats the same attack approach on the receiver multiple times. As a result, the network is flooded, causing the server to be unable to communicate with the network due to memory exhaustion [55]. In the context of CyC-UAS operations, the C-UAS and the adversarial UAS act as the attacker (sender) and receiver, respectively. The TCP flood attack causes the wireless network of the adversarial UAS to collapse, forcing the UAS to activate its return-to-base protocol, conduct an emergency landing, or other internal safety protocol [58].
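The memory-exhaustion failure described above can be reproduced offline, next to the standard stateless countermeasure (SYN cookies, which the paper does not discuss and which determines whether a given receiver is susceptible at all). This is an added simulation, not code from the paper or the prototype in [10]; the class names, backlog size and addresses are assumptions, and the cookie is simplified (no time counter or MSS bits).

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
BACKLOG = 8  # assumed half-open queue size, kept small for the demo


class StatefulListener:
    """Stores one entry per unanswered SYN until the final ACK arrives."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}   # (ip, port) -> server ISN awaiting the ACK
        self.refused = 0

    def on_syn(self, src, client_isn):
        if src not in self.half_open:
            if len(self.half_open) >= self.backlog:
                self.refused += 1   # queue exhausted: no SYN ACK is sent
                return None
            self.half_open[src] = int.from_bytes(os.urandom(4), "big")
        return self.half_open[src]

    def on_ack(self, src, seq_no, ack_no):
        isn = self.half_open.get(src)
        if isn is None or ack_no != (isn + 1) & MASK:
            return False
        del self.half_open[src]     # handshake complete, slot released
        return True


class CookieListener:
    """Stateless variant: the server ISN is a keyed hash of the connection,
    so nothing is stored until a valid ACK shows the source is reachable."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.half_open = {}   # stays empty by design

    def _cookie(self, src, client_isn):
        msg = f"{src[0]}|{src[1]}|".encode() + struct.pack("!I", client_isn)
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return struct.unpack("!I", digest[:4])[0]

    def on_syn(self, src, client_isn):
        return self._cookie(src, client_isn)

    def on_ack(self, src, seq_no, ack_no):
        # The ACK carries client_isn + 1 as its sequence number, so the
        # cookie can be recomputed without any stored state.
        client_isn = (seq_no - 1) & MASK
        expected = (self._cookie(src, client_isn) + 1) & MASK
        return hmac.compare_digest(struct.pack("!I", ack_no),
                                   struct.pack("!I", expected))


def handshake_after_flood(listener, flood_syns):
    """Replay constructed traffic: flood_syns SYNs from spoofed sources that
    never answer, then one real client. Returns True if the client connects."""
    for i in range(flood_syns):
        spoofed = (f"198.51.100.{i % 254 + 1}", 40000 + i)  # constructed
        listener.on_syn(spoofed, client_isn=i)
    client, client_isn = ("192.0.2.10", 51000), 0x1234ABCD  # constructed
    server_isn = listener.on_syn(client, client_isn)
    if server_isn is None:
        return False
    return listener.on_ack(client, (client_isn + 1) & MASK,
                           (server_isn + 1) & MASK)


if __name__ == "__main__":
    print("stateful, no flood :", handshake_after_flood(StatefulListener(), 0))
    print("stateful, 50 SYNs  :", handshake_after_flood(StatefulListener(), 50))
    print("cookies,  50 SYNs  :", handshake_after_flood(CookieListener(), 50))
```

Real stacks also expire half-open entries after a retransmission timeout; the simulation omits this because a sustained flood refills the queue faster than entries expire.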

Deauthentication Attack in Wireless Network
The IEEE 802.11 technical standard governs local area network (LAN) technical specification and describes the set of media access control (MAC) protocols for the implementation of wireless LAN [59]. The deauthentication attack exploits the OSI layer two vulnerabilities in wireless access points to prevent legitimate users from accessing a network [60]. With information such as the MAC address of the telecommunication devices available openly within the wireless network, an attacker is able to identify the targeted device. Then, the attacker can launch a deauthentication attack on the targeted device in an attempt to cut off the wireless connection between the targeted device and the network by sending continuous deauthentication frames to the targeted device [61]. Because a deauthentication attack can disrupt the connection between a client and its host with only one forged frame for every six legitimate frames between a client and its host [60], deauthentication attacks are especially useful when limited power is available in countering adversarial UASs [10]. In the context of CyC-UAS operations, the C-UAS may adopt the deauthentication cyberattack technique by sending continuous deauthentication frames to the adversary UAS over the wireless network, so as to deny communications between the adversarial GCS and its UAS [61]. Similar to the attacks against WiFi networks, in the context of a CyC-UAS, deauthentication attacks are only carried out against UASs using the 802.11 wireless standard [10]. Thus, these attack types will not be effective against UASs that use frequency hopping spread spectrum or other communication schemes that operate outside the 2.4 and 5 GHz WiFi frequency bands. Table 6 summarizes and compares the three cyber-attack techniques for the CyC-UAS operation.
While the list of mentioned cyber-attack techniques can be used for CyC-UAS operation, the deauthentication attack is the most effective mode of attack since (1) the technique is able to identify a specific UAS target with the identification of its MAC address from the WiFi network, and (2) it has less coding complexity to identify the IP address of the target.

Table 6. List of cyber-attack techniques for CyC-UAS operation.

User Datagram Protocol Flood Attack
Easy to implement since the communication between the CyC-UAS and adversarial UAS is connectionless and session-less.
CyC-UAS gains limited access to the adversarial UAS since the connection is connectionless. For example, CyC-UAS is unable to take over control or to intercept information transmitted by the adversarial UAS.

TCP SYN Flood Attack
With the IP address of a particular adversarial UAS known, a dedicated TCP/SYN flood attack can be performed on a specific adversarial UAS.
The complexity of a TCP/SYN flood attack is relatively higher as an additional algorithm must be integrated within the CyC-UAS to identify the IP address of the desired adversarial UAS. This may result in higher processing time during the C-UAS process.

Deauthentication Attack
Easy to implement since the information on MAC address of the adversarial UAS can be obtained in the wireless network.
This attack is effective only against adversarial UASs that use wireless access points.
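
Seen from the monitoring side, the deauthentication technique described in this section leaves a recognizable trace: a burst of 802.11 deauthentication or disassociation frames aimed at one station. The following added example, which is not from the paper or the prototype in [10], parses such frames from raw MAC headers and flags bursts; the frames, MAC addresses, window and threshold are constructed values chosen for the demonstration.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10   # 802.11 management frame subtypes


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_teardown(frame):
    """Parse a deauthentication/disassociation frame that starts at the
    802.11 MAC header (no radiotap). Returns None for anything else."""
    if len(frame) < 26:                 # 24-byte header + 2-byte reason code
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if version != 0 or ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    seq_ctl, reason = struct.unpack_from("<HH", frame, 22)
    return {
        "kind": "deauth" if subtype == DEAUTH else "disassoc",
        "dst": mac(frame[4:10]),
        "src": mac(frame[10:16]),
        "bssid": mac(frame[16:22]),
        "seq": seq_ctl >> 4,            # upper 12 bits: sequence number
        "reason": reason,
    }


class TeardownMonitor:
    """Flags a (BSSID, destination) pair once `threshold` teardown frames
    arrive within `window_s` seconds. One frame is normal; a burst is not."""

    def __init__(self, window_s=1.0, threshold=5):
        self.window_s, self.threshold = window_s, threshold
        self.recent = defaultdict(deque)   # key -> timestamps in the window
        self.flagged = {}                  # key -> peak frames per window

    def observe(self, ts, frame):
        info = parse_teardown(frame)
        if info is None:
            return False
        key = (info["bssid"], info["dst"])
        seen = self.recent[key]
        seen.append(ts)
        while ts - seen[0] > self.window_s:
            seen.popleft()
        if len(seen) >= self.threshold:
            self.flagged[key] = max(self.flagged.get(key, 0), len(seen))
            return True
        return False


# Constructed sample capture (locally administered MAC addresses).
FLOOD = bytes.fromhex("c0003a01" "0200000000aa" "020000000001"
                      "020000000001" "1000" "0700")   # AP -> station, reason 7
LEAVE = bytes.fromhex("c0003a01" "020000000001" "0200000000bb"
                      "020000000001" "2000" "0300")   # station leaving, reason 3
BEACON = bytes.fromhex("80000000" "ffffffffffff" "020000000001"
                       "020000000001" "3000" "0000")  # not a teardown frame
CAPTURE = ([(0.0, BEACON), (0.4, LEAVE)]
           + [(10.0 + 0.05 * i, FLOOD) for i in range(8)]
           + [(12.0, BEACON)])


def scan(capture, window_s=1.0, threshold=5):
    """Run the monitor over (timestamp, frame) pairs; return flagged pairs."""
    monitor = TeardownMonitor(window_s, threshold)
    for ts, frame in capture:
        monitor.observe(ts, frame)
    return monitor.flagged


if __name__ == "__main__":
    for (bssid, dst), peak in scan(CAPTURE).items():
        print(f"teardown burst: bssid={bssid} target={dst} peak={peak}/window")
```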

CyC-UAS Physical Setup
The essential hardware of a CyC-UAS system comprises a micro-controller, transceiver, and an RF antenna [61]. The source-code of the cyber-attack algorithm embedded in the micro-controller launches a detection algorithm to scan for adversarial UASs within the surrounding environment. Upon successful detection of an adversarial UAS, the C-UAS launches the mitigation attack algorithm on the UAS. The CyC-UAS transceiver and the RF antenna serve as the intermediary between the micro-controller and the RF environment to complete the processing chain of the CyC-UAS. Figure 4 shows a simple CyC-UAS prototype setup.

In recent studies, the application of cyber-attacks in the C-UAS domain has shown potential improvements in energy consumption in comparison with other existing conventional C-UAS techniques [10]. For example, the CyC-UAS technique is capable of disrupting the communication link of a specific adversarial UAS target instead of transmitting across a range of frequencies with a high amount of energy adopted by conventional frequency jamming C-UAS. Through the conduct of these experiments, the effectiveness and efficiency of the cyber-attack technique applied on COTS UASs that operate in the 2.4 GHz and 5 GHz WiFi frequency bands were validated [10]. The experiments are specifically scoped towards seeking an understanding on the amount of energy consumed during C-UAS operation. In particular, the deauthentication cyber-attack technique was used in various attack experiment scenarios. These experiments were conducted in an outdoor environment with the use of various telecommunication equipment.

Experiment Setup
We follow the experiment setup from [10]. Table 7 shows the list of equipment used and the respective roles of the equipment during the experiments. The equipment and testing focus is based on targeting commercial UASs that use the IEEE 802.11 standard.

Experimental Scenarios
The experiment scenarios were designed based on the information required to validate the performance of the CyC-UAS system at various ranges and altitudes. There were three distinct scenarios, namely, (1) CyC-UAS and adversarial UAS are both stationary, (2) CyC-UAS is stationary and adversarial UAS is in motion, and (3) CyC-UAS is mobile (attached to a friendly UAS) and adversarial UAS is in motion.

Observations from Scenario 1-CyC-UAS and Adversarial UAS at Stationary Positions
In this scenario, both the CyC-UAS system and the single adversarial UAS were held at stationary fixed positions during the "detection" and "attack" phases at stand-off distances of 10, 100, 250, and 400 m, as shown in Figure 5. The CyC-UAS system used in the experiments has a maximum detection range in a ground-to-air configuration of approximately 250 m and is capable of detecting intrusion of adversarial UASs that fall within the detection range. The CyC-UAS system scans the environment consistently to detect adversarial UAS intrusions. Upon a successful detection, the CyC-UAS initiates a deauthentication cyber-attack technique on the adversarial UAS. It was observed that the CyC-UAS system was successful in (1) detecting and attacking the adversarial UAS at distances of 10, 100, 250, and 400 m and that (2) the time taken from detection to the neutralization of an adversarial UAS is estimated to be 15 s, consuming about 1.1 W of electrical power. At the end of the attack, the adversarial UAS returned to its last known connection point and landed subsequently. At a distance of about 400 m, the CyC-UAS was unable to detect the adversarial UAS. It was deduced that the transmitted signal of the CyC-UAS was not strong enough to reach the adversarial UAS at a distance of 400 m, which was primarily limited by interference from buildings, trees, and power lines in the area as well as the transmission power that the Raspberry Pi 4 and the wireless network card were designed to output.

Observations from Scenario 2-C-UAS at Stationary Position and Adversarial UAS in Motion
In this scenario, both the CyC-UAS and adversarial UAS started at stationary positions, having a separation distance of 250 m just beyond the effective range of the CyC-UAS system used in these experiments, as shown in Figure 6. The CyC-UAS begins scanning the environment to detect the adversarial UAS. Then, the adversarial UAS commences its operations by flying towards the CyC-UAS. Upon a successful detection of the adversarial UAS, the CyC-UAS initiates the deauthentication cyber-attack technique on the adversarial UAS. It was observed that the adversarial UAS (1) came to a halt and hovered at a stationary position for about 10 s before (2) returning to its last known connection point and landing subsequently. It was observed that the GCS of the adversarial UAS was unable to control the adversarial UAS due to the loss of telecommunications between the GCS and UAS caused by the deauthentication cyber-attack [10].

Observations from Scenario 3-CyC-UAS and Adversarial UAS Both in Motion
In this scenario, the CyC-UAS was fitted onto a proprietary UAS, called the AquaQuad [62], to turn the CyC-UAS into a mobile C-UAS. Both the mobile CyC-UAS and the adversarial UAS moved in the same direction, having a separation distance of about 20 m [10]. While both UASs were in motion, the mobile CyC-UAS performed the deauthentication cyber-attack on the adversarial UAS. It was observed that the (1) mobile CyC-UAS was able to detect the adversarial UAS while both the UASs were in motion and that (2) during the deauthentication cyber-attack process, the adversarial UAS came to a halt (while hovering for about 10 s) before returning to its last known connection point and landing subsequently.
The experiments performed in the scenarios above provide insights into the effectiveness and efficiency of CyC-UAS operations. The use of the deauthentication cyber-attack technique in all the experiments was successful in neutralizing the adversarial UAS by severing the telecommunication link between the adversarial UAS and the GCS. In addition, the conduct of the experiments provided essential information to assess system performance of the deauthentication cyber-attack technique. The information attained from the experiments, as well as the physical behavior of the adversarial UAS observed in the experimental scenarios, was then used to define the system performance of the CyC-UAS system in the subsequent section.

Proposed Concept of Operation
Given the system description of the capability of the CyC-UAS, two CONOPs schemes are proposed and elaborated for further discussion in this subsection; namely, defensive deployment and aggressive deployment.

Defensive CyC-UAS Deployment
In the defensive deployment scenario, the mission of the CyC-UAS is to prevent the infiltration of adversarial UASs within a defined protected area to protect a specific installation or infrastructure. In this setup, several CyC-UASs are deployed in stationary positions to defend against infiltration of adversarial UASs into the protected area, as shown in Figure 7. The defensive deployment concept aims to provide a permanent defensive mechanism to prevent potential adversarial UAS attacks. Upon a successful detection of an adversarial UAS, the CyC-UAS automatically launches the mitigation algorithm in an attempt to neutralize the adversarial UAS. Since the CyC-UAS alone is capable of fulfilling the functions of the C-UAS processing chain, and because the CyC-UAS has the ability to perform a mitigation attack on the UAS immediately upon a successful adversarial UAS detection, the lag-time between detection and mitigation is minimized. The CyC-UAS can be deployed on ground mobile platforms, such as military vehicles maneuvering at the battlefront or police or national defense vehicles protecting civilians, as shown in Figure 8.

Aggressive CyC-UAS Deployment
In this CONOPS, the CyC-UAS employs an aggressive approach in the attempt to neutralize any potential adversarial UASs, as shown in Figure 9. To enable CyC-UAS with the ability to maneuver within the operating area, the CyC-UAS is integrated on an air mobile platform. For example, by integrating the CyC-UAS onto a friendly UAS, the system can rapidly maneuver in three dimensions such that it enhances the CyC-UAS's ability to detect, track, and mitigate adversarial UASs.
This section discussed various DoS cyber-attack techniques that are adopted for C-UAS operations. The existing literature validates the effects of cyber-attacks on adversarial UASs based on physical experiments. With a good understanding of the system architecture and the capabilities of the CyC-UASs, two feasible CONOPS were proposed.

Modeling and Simulation
This section develops a simulation model to represent CyC-UAS operations based on the proposed CONOP presented in Section 4.9. The simulation seeks to gain an understanding of the CyC-UAS system performance and limitations using the deauthentication cyber-attack technique. In particular, the simulation is used to better understand the estimated energy consumption for a given simulated scenario of CyC-UAS operations. The experimental results achieved during the experiments, as well as the physical observations attained from the various experimental scenarios presented in Section 4.7.1, are applied as system parameters to the CyC-UAS simulation model. The CyC-UAS software model and simulations were constructed and conducted in ExtendSim10 [63].

Mission Scenario for C-UAS Operation
The aim of the CyC-UAS system was to prevent the intrusion of adversarial UASs into a defined protected area, as shown in Figure 10. There were two CyC-UAS systems deployed at stationary positions beyond the protected area such that the systems could potentially detect and neutralize any incoming adversarial UASs. On the other hand, the aim of the adversarial UASs was to penetrate the protected area. In this scenario, it is assumed that (1) the protected area may be subjected to concurrent intrusion attempts by multiple adversarial UASs (a swarm attack) and that (2) the adversarial UASs would move in a straight-line direction, represented by the red arrows in Figure 10.

Modeling Setup
The area of operation (AO) was divided into three different zones (Zone 1, 2, and 3), as represented in Figure 11. The ability to detect and to perform a cyber-attack is dependent on whether the adversarial UAS falls within the detection range of the CyC-UAS systems. In this case, since the region in Zone 2 was overlapped by two CyC-UAS systems, the chance of detecting and neutralizing an adversarial UAS that enters the region is doubled, since either one of the CyC-UAS systems could perform the detection or attack on the adversarial UAS. In addition, it was assumed that the three different zones have equal chance (Zone 1, 2, and 3 = probability of 0.333) for an adversarial UAS to appear in the respective regions. In this model, it was assumed that both the CyC-UAS systems would be scanning the environment actively to detect any number of adversarial UASs. The CyC-UAS would then initiate the deauthentication cyber-attack on the adversarial UASs based on a first-in-first-out attack sequence. It was assumed that an adversarial UAS would come to a halt and hover at a stationary position for about 10 s once the cyber-attack was initiated. Should the attack on an adversarial UAS be successful, the adversarial UAS would land. On the other hand, if the attempt to neutralize the adversarial UAS was unsuccessful, the adversarial UAS would continue to traverse in the initial direction towards the protected area. In addition, the CyC-UAS is capable of re-engagement with an adversarial UAS if an attack attempt is unsuccessful and if the adversarial UAS remains within detection range of the CyC-UAS. The CyC-UAS has the ability to perform both the role of detection and attack concurrently. These assumptions mentioned above were applied to the simulation model. Table 8 shows the system performance parameters of the CyC-UAS and adversarial UAS applied in the ExtendSim10 simulation model.
The model was also designed to record the power consumed by both CyC-UAS systems throughout the detection and attack phases. Once the first adversarial UAS falls within the detection range of the CyC-UAS systems, data collection of the power consumed by the CyC-UAS commences and is terminated when the last-detected adversarial UAS is neutralized. The overall power consumption of the CyC-UAS is the summation of power consumed by both the CyC-UAS systems deployed in the model. To simplify the simulation model, experimental values measured at a separation distance of 250 m between the CyC-UAS and the adversarial UAS performed in Section 4.7.1 were applied in this simulation model. This model assumed that the adversarial UASs traverse the AO with a constant speed of 30 km/h. Further, it was assumed that the CyC-UAS has a detection range of 250 m, and that the overall detection region was in the form of a circular shape having a diameter of 500 m. Assuming that the adversarial UAS traverses (1) across the detection region of 500 m and (2) at a constant speed and direction, the adversarial UAS would be present in the detection region for about 60 s, as shown in Figure 12. The flowchart in Figure 13 provides an overview of the sequence of activities and decision points upon detection of an adversarial UAS. With the system descriptions as well as the system parameters presented above, a simulation model was built in ExtendSim10 to understand the CyC-UAS system performance.
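The engagement logic described in this subsection can be written as a small discrete-event model. The following Python sketch is an added illustration, not the authors' ExtendSim10 model, and is not expected to reproduce their tabulated results. The timings and power are the values stated above; the zone-to-system mapping, the simultaneous arrival of the whole salvo, and the attack success probability (Table 8 is not reproduced here) are assumptions.

```python
import random
from statistics import mean

# Values stated in the article's experiments and modeling assumptions.
ATTACK_S = 15.0    # detection-to-neutralization time per engagement
HOVER_S = 10.0     # a target halts and hovers this long once an attack starts
TRANSIT_S = 60.0   # 500 m detection region crossed at 30 km/h
POWER_W = 1.1      # power drawn by each CyC-UAS while operating
# Assumption: Zones 1 and 3 are each covered by one system, Zone 2 by both.
COVERAGE = {1: ("A",), 2: ("A", "B"), 3: ("B",)}
SYSTEMS = ("A", "B")


def simulate_salvo(n_uas, p_success, rng, zones=None):
    """Run one salvo; assumes all UASs enter the detection region at t = 0."""
    if zones is None:
        zones = [rng.choice((1, 2, 3)) for _ in range(n_uas)]  # p = 1/3 each
    exit_at = [TRANSIT_S] * n_uas      # when each UAS leaves detection range
    state = ["inbound"] * n_uas        # inbound | engaged | neutralized
    target = {s: None for s in SYSTEMS}
    busy_until = {s: 0.0 for s in SYSTEMS}
    now = 0.0
    while True:
        # 1. Resolve engagements that finish at the current time.
        for s in SYSTEMS:
            t = target[s]
            if t is not None and busy_until[s] <= now:
                still_in_range = exit_at[t] >= now
                hit = still_in_range and rng.random() < p_success
                state[t] = "neutralized" if hit else "inbound"
                target[s] = None
        # 2. Each idle system takes the first eligible UAS (first-in-first-out).
        #    A UAS whose attack failed is eligible again: re-engagement.
        for s in SYSTEMS:
            if target[s] is not None:
                continue
            for i in range(n_uas):
                if (state[i] == "inbound" and exit_at[i] > now
                        and s in COVERAGE[zones[i]]):
                    state[i], target[s] = "engaged", i
                    busy_until[s] = now + ATTACK_S
                    exit_at[i] += HOVER_S   # hovering pauses the transit
                    break
        # 3. Advance to the next engagement end, or stop when both are idle.
        pending = [busy_until[s] for s in SYSTEMS if target[s] is not None]
        if not pending:
            break
        now = min(pending)
    neutralized = state.count("neutralized")
    return {
        "neutralized": neutralized,
        "penetrations": n_uas - neutralized,
        "operating_s": now,                           # first detection to last engagement
        "energy_j": len(SYSTEMS) * POWER_W * now,     # both systems, summed
    }


def salvo_study(sizes=(8, 10, 12), runs=100, p_success=0.9, seed=1):
    """Average the four metrics over repeated runs; p_success is an assumed value."""
    rng = random.Random(seed)
    results = {}
    for n in sizes:
        samples = [simulate_salvo(n, p_success, rng) for _ in range(runs)]
        results[n] = {k: mean(s[k] for s in samples) for k in samples[0]}
    return results


if __name__ == "__main__":
    for n, avg in salvo_study().items():
        print(n, {k: round(v, 2) for k, v in avg.items()})
```

Under these assumptions each system can start at most four first-time engagements inside the 60 s window, so the pair saturates at eight neutralizations per salvo regardless of salvo size.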

Simulation
In alignment with the aim of the mission objective of the CyC-UAS system presented in the scenario, four performance metrics, as shown in Table 9, were identified to measure the effectiveness and the capability of the CyC-UAS system.

Table 9. Metrics of analysis for the CyC-UAS system.

# of adversarial UASs neutralized
The primary objective of the C-UAS system was to prevent the intrusion of adversarial UASs entering the protected area. To achieve this objective, the C-UAS system must first detect and then subsequently neutralize the adversarial UASs.

# of adversarial UAS penetrations into protected area
It is assumed that an adversarial UAS has successfully penetrated the protected area if the adversarial UAS was not neutralized by the C-UAS.

# Accumulated energy consumed by C-UAS
The power consumed by the C-UAS during the entire detection and attack phases is accumulated and recorded.

# Accumulated C-UAS operating period (s)
The overall time taken for C-UAS operations is recorded.

To simulate a swarm attack, the group of adversarial UASs is represented as a salvo attack in ExtendSim10. Three salvo attacks that consist of 8, 10, and 12 adversarial UASs are simulated independently. In each of the salvo attacks, the adversarial UASs are injected into the model as inputs. In addition, each salvo simulation run is repeated 100 times to achieve sufficient samples to attain an average value for the metrics stated above. Table 10 shows the average results of the metrics for the C-UAS across the different numbers of adversarial UASs in a single swarm attack.

Simulation Results
Based on the 100 simulation runs performed in each scenario, the C-UAS system that comprises two CyC-UAS systems was capable of neutralizing between eight and nine adversarial UASs in a single swarm attack for all scenarios. However, as the number of adversarial UASs in the swarm attack increases beyond nine (10, 12, and 14), the number of adversarial UAS misses increases as well. Therefore, based on the C-UAS deployment layout and the assumptions stated above, the C-UAS system is effective in neutralizing nine adversarial UASs in a swarm attack. The average accumulated energy consumed and the C-UAS operating period taken by the C-UAS management system to neutralize nine adversarial UASs in each swarm attack scenario (10, 12, and 14 adversarial UASs) are as shown in Table 11.
A C-UAS management system simulation model was built based on (1) the application of the deauthentication cyber-attack technique, (2) the proposed CONOPs, (3) the mission scenario, and (4) the applied C-UAS system parameters attained during the physical experiment. A swarm attack on the C-UAS management system was also simulated to observe the capabilities and the limitations of the system. In addition, the simulations that were conducted also provide information on the overall energy consumed and the period taken for the entire C-UAS operation.
The mission scenario presented in this section and the set of simulated results shown can be used as a baseline to compare and analyze the effectiveness and efficiency of some other conventional C-UAS techniques. This is performed in the next section.

Comparison of Energy Consumption and Performance between C-UAS Techniques
The experiments performed in Section 4.7.1 provided insights into the energy consumption requirement for CyC-UAS operations. The aim for this section is to assess the energy efficiency of CyC-UAS by (1) understanding the energy requirement from existing C-UAS techniques through the review of technical specifications of existing products, as well as to (2) compare the energy consumption requirements between CyC-UAS and existing C-UAS techniques. In addition, this section also aims to compare the system performance of various C-UAS techniques.

Existing Products
The EAGLE108 is an existing C-UAS that is capable of performing detection and mitigation on an adversarial UAS through RF signal detection and RF jamming [64]. Table 12 shows the system specifications of EAGLE108. While there are several C-UAS systems that use RF jamming, the EAGLE108 is representative of many available systems. Some C-UAS systems that use RF jamming operate at much higher output transmission powers. However, this article limits analysis to the EAGLE108 because data are readily available in open source literature and it is a system commonly used by civilian organizations in addition to national security organizations.

Energy Consumption Comparison
Based on the experimental setup using the CyC-UAS prototype, it was shown that the CyC-UAS has an effective detection range of about 250 m. To enable a comparison of energy requirements between the CyC-UAS prototype and the EAGLE108, the following assumptions were made: (1) the scanning environment has clear line-of-sight; (2) there is negligible frequency interference. Based on the system specifications of EAGLE108, the system has a transmission output power rating of about 375 W for frequency jamming. Based on the literature provided by the company, it is assumed that the EAGLE108 operates at maximum power during frequency jamming operations. In addition, the company lists a power consumption of 2 A at 12 V for the detection module [64]. Using the electrical power relation P = V · I yields a result of 24 W for detection. Thus, it is assumed that maximum total power consumption for the EAGLE108 is around 400 W, inclusive of both detection and mitigation.
In comparison, the CyC-UAS depicted in Table 7 uses 1.1 W to power the network interface card (Alpha AWUS036ACH), as found in the experiments detailed in [10]. The Raspberry Pi 4 B consumes between 3.8 W and 6 W [65]. Thus, it is assumed that maximum total power consumption for the CyC-UAS is around 7 W. It is clear that the CyC-UAS power consumption is much more favorable than the broadband RF jamming of the EAGLE108.
Ignoring the detection module of the EAGLE108 for both power consumption and time to go through the C-UAS kill-chain (detect, locate and track, classify, and identify, as per Figure 1), the EAGLE108 mitigation system requires about 15 s on average for the system to complete the C-UAS processing chain on an adversarial drone. While the mitigation system can operate for up to two minutes continuously, it is assumed that this is a rare occurrence. Thus, it is estimated that a total of 1.565 W/h is required to complete the mitigation step of the C-UAS kill-chain.
The CyC-UAS engaged the mitigation subsystem for 15 s during experimentation [10]. However, the amount of time required can change based upon details of the adversarial UAS. Thus, the most appropriate comparison between the EAGLE108 and the CyC-UAS is to look solely at the mitigation subsystems over the 15 s engagement window. Table 13 shows the estimated, consolidated transmission power and energy consumed for the CyC-UAS prototype and the EAGLE108 mitigation subsystems.

Energy Comparison Analysis
Based on (1) the transmission power required for the EAGLE108 and (2) the fact that the EAGLE108 requires about 15 s to complete the mitigation portion of the C-UAS kill-chain, the EAGLE108 requires far more transmission energy than the CyC-UAS prototype to achieve the same C-UAS outcome.
In the case of EAGLE108, since RF jamming is employed as the mitigation technique, a large amount of power is required to overcome the adversarial UAS's communications signal, such that the signal is disrupted and terminates the operations of the UAS. On the other hand, a large amount of transmission power is not required for CyC-UAS. Instead, the CyC-UAS technique only requires sufficient transmission power such that the transmission signal can reach the adversarial UAS to establish communications with the UAS to conduct the C-UAS operation.
Based on the comparison and benefit analysis made, it is concluded that the CyC-UAS technique utilizes much less transmission energy as compared to the RF jamming technique, which yields great improvement in energy-savings, resulting in better energy efficiency.

Performance Comparison Analysis
While both the CyC-UAS prototype and EAGLE108 adopt the DoS mitigation method to disrupt the use of adversarial UASs, CyC-UAS uses a dedicated attack approach on a specific target and does not affect or disrupt other telecommunication devices that are operating within the environment during the C-UAS operation. In contrast, the EAGLE108 transmits a large amount of energy on a particular frequency to the environment to jam the telecommunication link between the adversarial UAS and GCS. This approach may potentially affect other friendly communications devices that operate in the jammed frequency within the same environment.
The energy efficiency of the CyC-UAS was validated through the comparison of energy consumption between the CyC-UAS and other popular existing C-UAS techniques, such as the RF jamming method. The result from the comparison shows that CyC-UAS achieves significant energy-saving as compared to conventional RF jamming methods. In addition, in comparison with the RF jamming technique, the CyC-UAS is capable of achieving the same C-UAS mission objective without disrupting other nearby telecommunication devices.

Conclusions
The effectiveness and performance of the CyC-UAS concept was validated through the conduct of experiments and simulations revealed in this article. The literature review suggested that COTS UASs that operate in the WiFi frequency band (2.4 GHz and 5 GHz) are extremely vulnerable to CyC-UAS attacks, since the operating frequency is known. In the context of CyC-UASs, the cyber-attack scheme attempts to manipulate or tamper with the information flowing within the OSI model, with the intent to deny the use of the communication network. The DoS technique, which aims to suspend or to interrupt the use of a communication network, is accomplished by flooding the communication network with data packets such that the network becomes overwhelmed.
The deauthentication attack DoS method makes use of deauthentication frames in a wireless network. This technique was used in the construction of a CyC-UAS prototype that consists of a micro-controller (with transceiver integrated within) and an RF WiFi antenna that was used to conduct a set of experiments to validate the effectiveness of the deauthentication attack technique applied on COTS UASs that operate in the 2.4 GHz and 5 GHz WiFi frequency bands. The results from the experiments revealed (1) the physical behavior of the adversarial UAS upon a successful CyC-UAS attack, (2) the range limitations of the CyC-UAS prototype, and (3) the transmission power and energy requirement for the CyC-UAS. This information was essential for the development of the CyC-UAS simulation model.
Given the system description and physical behavior of the CyC-UAS, two feasible CONOP schemes were investigated, including defensive deployment and aggressive deployment. In the defensive deployment CONOP, the CyC-UAS is used to defend against provocative adversarial UASs on stationary or mobile infrastructure. In the aggressive deployment CONOP, the CyC-UAS achieves the ability to maneuver in three dimensions to enable the CyC-UAS to be able to operate as the aggressor in an attempt to seek, locate, and mitigate potential adversarial UASs.
A simulation model to mimic the proposed defensive deployment CONOP was developed and exercised. The simulation model was modeled based upon the information attained from the experiments and the physical responses gathered based on the deauthentication cyber-attack technique. To simulate the responsiveness of the CyC-UAS based on a swarm attack, the group of adversarial UASs were represented by a salvo in the simulation. The result from the simulation runs revealed the estimated number of adversarial UASs that the CyC-UAS was capable of eliminating, as well as the estimated energy consumed during the C-UAS operation.
Energy efficiency analysis of the CyC-UAS was achieved through the comparison of energy consumption between CyC-UAS and other popular existing C-UAS techniques, such as the RF jamming method. The comparison between the CyC-UAS prototype and the EAGLE108 showed that CyC-UAS achieved significant energy-saving as compared to the conventional RF jamming method.

Recommendations
The results attained through (1) review of the existing literature, (2) conduct of experiments, (3) simulations, and (4) comparison of energy requirements and performance between C-UAS techniques validate the concept and effectiveness of the application of cyber-attacks in the C-UAS domain. The CyC-UAS concept demonstrates a high level of potential that may supersede some conventional C-UAS techniques, specifically in the domain of energy-saving. Therefore, it is recommended to continue research and development efforts on the application of cyber-attacks in the C-UAS domain to maximize its potential in C-UAS operation.

Future Work
To further enhance the realism and the effectiveness of CyC-UAS operation presented in this article, it is recommended to (1) enhance the existing simulation model as well as to (2) integrate the CyC-UAS concept with other existing technologies.

Simulation of CyC-UAS Performance with Differing or Variable Traversing Speed of Adversarial UASs
To simplify the current simulation model in this article, it was assumed that all the simulated adversarial UASs traverse towards the target at a constant speed. To increase the realism of the simulation model, it is recommended to model the speed of the adversarial UASs traversing towards the target to be at (1) different and (2) variable speeds.

Creation of a C2 Network to Link Multiple CyC-UAS Systems during C-UAS Operation
The intent of linking multiple CyC-UAS is to provide stakeholders with a holistic overview of the battle environment. This application is essential in the event of a concurrent attack by multiple UASs. The creation of a simulation model is recommended to simulate the integration of a C2 network and the CyC-UAS systems to gain insights into the capability and limitations of the system.

Integration of CyC-UAS with FHSS System
Existing commercial UASs that utilize the WiFi frequency bands (2.4 GHz and 5 GHz) are extremely vulnerable to CyC-UAS attack. Therefore, the manufacturers of commercial UASs are moving towards adopting FHSS protocols as part of the transmission schemes. It is recommended to explore existing FHSS decoding schemes and integrate them with CyC-UAS techniques.